I want to enable SSL on RAILS 5 applicaton.
Therefore I installed NGINX and created a server block for this web server.
server {
# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/host.domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.domain/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/host.domain/chain.pem;
I want to connect together the already existing PUMA application server and the newley running SSL enabled NGINX Web Server. On the internet I find only quite expired guides HOW-TO-DO.
I'm looking for a current guide that can be followed.
E.g. https://www.pluralsight.com/guides/using-https-with-ruby-on-rails is good but it also does not explain how to connect. It keeps the NGINX SSL enabled Web Server alone.
Related
I need your help to set my Laradock (with Docker) using Nginx and SSL "fake" certificate on my local machine.
I have no idea how to setup it. Could you please help me?
Thanks
To enable SSL with the current version of laradock (as of Nov 2019) with a self signed certificate you must enable it in the nginx settings. Inside the folder nginx/sites remove the comments below line 6 "# For https" :
# For https
listen 443 ssl default_server;
listen [::]:443 ssl default_server ipv6only=on;
ssl_certificate /etc/nginx/ssl/default.crt;
ssl_certificate_key /etc/nginx/ssl/default.key;
restart nginx : docker-compose restart nginx
and you're ready.
If google-chrome complains you can enable the flag at chrome://flags/#allow-insecure-localhost to allow even invalid certificates.
The solution given only allows for https://localhost, however you might need to generate your own when using custom domain pointing to localhost, e.g https://testing.dev
I've written a gist to this — https://gist.github.com/r0lodex/0fe03fc8d22241d79cba65107b30868b
Hopefully this will help those who are still searching.
I have a frontend angular application running on aws ecs ec2 instance and both are connected to TCP port 443 and 80 of network load balancer. I will have many vhost configured on this nginx docker container with multiple domain names. In the ecs service the container to load balance is given as port 443. We will have to choose either port 443 or 80 of the container to load balance. https://prnt.sc/pocu41. On https the site is loading fine. But on http I am getting the error
The plain HTTP request was sent to HTTPS port
I am planning to use the ssl certificate on the docker container and not the ssl on the load balancer. If I choose ssl on the load balancer then we need to use the multidomain ssl in application load balancer default certificate and may not feasible when there are hundreds of domain.
My Nginx conf looks like this
server {
listen 80;
server_name example.com;
root /usr/share/nginx/html/docroot;
index index.html index.htm;
include /etc/nginx/mime.types;
gzip on;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location / {
try_files $uri $uri/ /index.html;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl on;
ssl_certificate /etc/nginx/ssl/example.com/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com/example.com.key;
server_name example.com;
root /usr/share/nginx/html/docroot;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
Any idea how we can solve this scenario?
I am planning to use the ssl certificate on the docker container and
not the ssl on the load balancer. If I choose ssl on the load balancer
then we need to use the multidomain ssl in application load balancer
default certificate and may not feasible when there are hundreds of
domain.
Your this assumption does not seem correct, you can create * certificate from LB or you can configure multiple from ACM as well. you can use AWS ACM with load balancer and its totally free of cost and why I should bother to manage SSL at application level? and why I should open port 80 at application level when I can do redirect with application LB if NLB is not requirment?
AWS Certificate Manager Pricing
Public SSL/TLS certificates provisioned through AWS Certificate
Manager are free. You pay only for the AWS resources you create to run
your application.
certificate-manager-pricing
Second any special reason for using NLB? For web-application I will never go for network balancer, NLB make sense for TCP level communication, But I will go for application LB for HTTP communication which provides advance routings like host base routing, redirect and path-based routing which will remove the need of Nginx.
Containers are designed for lightweight task and AWS recommends to memory arround 300-500MB and same recommendations for CPU.
Do you know the cost of SSL termination at container level?
SSL traffic can be compute intensive since it requires encryption and decryption of traffic. SSL relies on public key cryptography to encrypt communications between the client and server sending messages safely across networks.
Advantage of SSL termination at LB level
SSL termination at load balancer is desired because decryption is resource and CPU intensive. Putting the decryption burden on the load balancer enables the server to spend processing power on application tasks, which helps improve performance. It also simplifies the management of SSL certificates.
new-tls-termination-for-network-load-balancers
ssl-termination
10-tips-to-improve-the-performance-of-your-aws-application
So base on this I am not going to asnwer your problem as suggested by #Linpy may help if you still want to go, you can this too dealing-with-nginx-400-the-plain-http-request-was-sent-to-https-port-error
I have Identity server 4 which reside behind ngnix proxy. and it support Azure AD. now if I SSO on https then it is not working for IE browser but work properly in other browser due to IWA/NTLM/Kerberos .
So change need to do in ngnix to support that.
we have default setting in nginx like this :
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
Then I have removed http2
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
so IE has issue with SSL + http2
I have created a domain(domain.com) and subdomain (abc.domain.com), and also generated SSL certificates for both by using letsencrypt. Both the Django projects are hosted on AWS EC2 and created proxy server for them which is as follow:
server {
listen 443 ssl;
server_name example.com;
location / {
proxy_pass https://1.2.3.4:444;
proxy_ssl_server_name on;
proxy_ssl_verify on;
proxy_ssl_certificate /home/domain/fullchain.pem;
proxy_ssl_certificate_key /home/domain/privkey.pem;
}
}
server {
listen 443 ssl;
server_name abc.example.com;
location / {
proxy_pass https://1.2.3.4:445;
proxy_ssl_server_name on;
proxy_ssl_verify on;
proxy_ssl_certificate /home/subdomain/fullchain.pem;
proxy_ssl_certificate_key /home/subdomain/privkey.pem;
}
}
I strats the proxy server and both the projects, starting not giving any problem the problem is that when i enter https://example.com on the browser it is not showing the page, but when i pull domain with port no. https://example.com:444, it starts showing the page. I do not know what I am missing.
In order to make https://example.com work you need to correctly configure Nginx with SSL configuration which include using ssl_certificate and ssl_certificate_key directives as it does not seem that you are using them.
Using proxy_ssl_certificate is for using HTTPS connection between Nginx and the Proxied Server which in your case the django application.
Using ssl_certificate is for using HTTPS connection between the user's browser and Nginx which you need to make https://example.com works as expected
For more details check configuring HTTPS servers
Scenario
I am running Phusion Passenger through nginx.
I have configured nginx to use SSL and reroute all HTTP traffic to HTTPS.
Do I still need to enable the force_ssl option in my Rails app?
If so, why and what are the advantages?
If I don't enable it, what security risks do I present?
nginx config:
server {
listen 80;
server_name myapp.com
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443 ssl;
server_name myapp.com;
ssl_certificate /etc/ssl/certs/nginx.pem;
ssl_certificate_key /etc/ssl/certs/nginx.key;
root /home/user/rails/app/public;
passenger_enabled on;
}
The force_ssl option accomplishes the same thing as the nginx rewrite rule, so you don't need the force_ssl option. force_ssl can give you more granularity, such as making it easier to require SSL in certain subdomains or certain deployment environments. It could also be better if you are more comfortable doing this kind of configuration in Rails rather than in nginx. It will not give you any extra security, however.