I try to set up ssl with Let’s Encrypt using this article https://medium.com/#pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
my nginx config
server {
listen 80;
server_name kcr.ttfr.ru;
server_name www.kcr.ttfr.ru;
root /var/www/k4fntr/public;
index /frontend/index.html;
client_max_body_size 128M;
gzip on; # enable gzip
gzip_disable "msie6";
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log debug;
location / {
try_files /frontend/$uri $uri $uri/ /index.php?$args; # permalinks
client_max_body_size 128M;
}
location ~ /\. {
deny all; # deny hidden files
}
location ~* /(?:uploads|files)/.*\.php$ {
deny all; # deny scripts
}
location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
access_log off;
log_not_found off;
expires max; # cache static files
try_files /frontend/$uri $uri $uri/ /index.php?$args; # permalinks
}
location ~ \.php$ {
proxy_set_header X-Real-IP $remote_addr;
fastcgi_pass k4fntr_php-fpm:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_read_timeout 300;
}
location /socket.io {
proxy_pass http://k4fntr_echo:6001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
location ~ /\.ht {
deny all;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/kcr.ttfr.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/kcr.ttfr.ru/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location /.well-known/acme-challenge/ { root /var/www/certbot; }
}
but my challenges were failed because of url /.well-known/acme-challenge/ returns 403:Forbidden
what's wrong with my nginx configuration?
change your location to something like this:
location /.well-known/acme-challenge {
root /var/www/certbot;
default_type text/plain;
}
another question. Do you want to redirect all non-http traffic to https?
In that case I would create a server block listen port 80 and another one listen on 443.
server {
listen 80;
server_name domain.io;
location / {
return 301 https://$server_name$request_uri;
}
location /.well-known/acme-challenge {
root root /var/www/certbot;
default_type text/plain;
}
}
server {
listen 443 ssl;
server_name domain.io;
add_header Strict-Transport-Security "max-age=31536000" always;
...
}
Related
I want to create autoredirect from http to https version of my site. This is my nginx config:
server {
listen 80;
server_name example.com;
server_tokens off;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
proxy_pass http://frontend:4200;
# return 301 https://$host$request_uri;
}
location /api {
proxy_pass http://backend:8080;
rewrite ^/api/(.*) /$1 break;
}
}
server {
listen 443 ssl;
server_name example.com;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
proxy_pass http://example.com;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
If uncomment this string: # return 301 https://$host$request_uri; i see to many redirect and my site isn't work. How to right configure nging for this case.
Thanks for comment szt you are right.
This is my new config:
server {
listen 80;
server_name example.com;
server_tokens off;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name example.com;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
proxy_pass http://frontend:4200;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /api {
proxy_pass http://backend:8080;
rewrite ^/api/(.*) /$1 break;
}
}
When i try to run mutiple reactapps using docker and nginx reverse proxy, iam getting an error : Upstream timed out while connecting to the upstream.
The error you can see in the below screenshot when i check the nginx logs
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
add_header 'Cache-Control' "public, max-age=31536000";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options: "nosniff";
ssl_certificate /etc/nginx/conf.d/cert.crt;
ssl_certificate_key /etc/nginx/conf.d/ssl.key;
server_name <Domain-ip>;
location / {
proxy_pass http://domainname:3000;
#try_files $uri /index.html;
}
location /elderly {
proxy_pass http://domainname:3001;
#try_files $uri /index.html;
}
location /carer {
proxy_pass http://domainname:3002;
#try_files $uri /index.html;
}
#For gzip text compression
gzip on;
gzip_comp_level 2;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain application/x-javascript text/xml text/css application/xml application/javascript
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
#For optimization
location ~* \.(ico|css|js|webp|gif|jpeg|jpg|png|woff|ttf|otf|svg|woff2|eot)$ {
expires 365d;
add_header Cache-Control "public, max-age=31536000";
}
}
I have index.php and manager.php for those 2 applications in root, setup though docker with nginx, phpfpm and some other dependencies.
This is my docker-compose file, I put only the important parts.
services:
web:
container_name: web
build:
context: ./
dockerfile: docker/nginx/Dockerfile
volumes:
- ./:/var/www
ports:
- 80
depends_on:
- app
environment:
VIRTUAL_HOST: ${VIRTUAL_HOSTS}
VIRTUAL_PORT: 80
networks:
- nginx-proxy
- my-app
app:
container_name: app
build:
context: ./
dockerfile: docker/php/Dockerfile
volumes:
- ./:/var/www
depends_on:
- mysql
ports:
- 9000
networks:
- my-app
...
And this is my vhost file, i tried everything i knew or found on the internet to make it work without success, this is final form, of course still not working.
server {
listen 80;
server_name myapplication.local;
index index.php index.html;
root /var/www;
location / {
try_files $uri $uri/ =404;
}
location /manager.php {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass app:9000;
fastcgi_index manager.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass app:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
try_files $uri $uri/ /index.php;
if (!-e $request_filename){
rewrite ^/(.*)$ /index.php?/$1? last;
}
location ~ /\.ht {
deny all;
}
location = /favicon.ico {
log_not_found off; access_log off;
}
location = /robots.txt {
log_not_found off; access_log off; allow all;
}
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
sendfile off;
}
If I access application normal works just fine, if I go to
/manager.php or /manager.php/* I get 404, does any knows how I can configure nginx to work with this situation, thanks!
I found the solution:
server {
listen 80;
server_name myapplication.local;
index index.php index.html manager.php;
root /var/www;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass app:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
try_files $uri $uri/ /index.php /manager.php;
if (!-e $request_filename){
rewrite ^/manager.php/(.*)$ /manager.php?/$1? last;
rewrite ^/(.*)$ /index.php?/$1? last;
}
location ~ /\.ht {
deny all;
}
location = /favicon.ico {
log_not_found off; access_log off;
}
location = /robots.txt {
log_not_found off; access_log off; allow all;
}
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
sendfile off;
}
I'm trying to set up CORS Policy on my Nginx container.
I've put this to my Nginx settings:
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
location / {
rewrite ^ https://$host$request_uri? permanent;
}
location ~ /.well-known/acme-challenge {
allow all;
root /data/letsencrypt;
}
location ~* \.(?:gif|jpe?g|png|jpg)$ {
rewrite ^ https://$host$request_uri? permanent;
}
}
server {
listen 80;
server_name api.example.com;
location / {
rewrite ^ https://$host$request_uri? permanent;
}
location ~ /.well-known/acme-challenge {
allow all;
root /data/letsencrypt;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_buffer_size 8k;
ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
return 301 https://www.example.com$request_uri;
}
server {
server_name www.example.com;
listen 443 ssl http2;
listen [::]:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
ssl on;
ssl_buffer_size 8k;
ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
location / {
proxy_bind 127.0.0.1;
proxy_pass http://localhost:11700;
}
location ~* \.(?:gif|jpe?g|png|jpg)$ {
root /some/dir;
}
}
server {
server_name api.example.com;
listen 443 ssl http2;
listen [::]:443 ssl http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
ssl on;
ssl_buffer_size 8k;
ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
location / {
proxy_bind 127.0.0.1;
proxy_pass http://localhost:11900;
}
}
server {
listen 11700;
server_name localhost;
index index.html index.htm;
charset utf-8;
root /some/other/dir;
client_max_body_size 100M;
fastcgi_read_timeout 1800;
location / {
try_files $uri $uri/ #rewrites;
}
location #rewrites {
rewrite ^(.+)$ /index.html last;
}
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
}
server {
listen 11900;
server_name localhost;
root /some/another/di/r;
index index.php index.html index.htm;
charset utf-8;
client_max_body_size 100M;
fastcgi_read_timeout 1800;
location / {
rewrite ^(/.*)$ /api$1 break;
proxy_pass http://127.0.0.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
try_files $uri $uri/ /index.php?_url=$uri&$args;
}
location ~ [^/]\.php(/|$) {
fastcgi_pass php-fpm:9000;
fastcgi_index /index.php;
include fastcgi_params;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
when I'm trying to launch tests I'm getting XMLHttpRequest error:
Access to XMLHttpRequest at
'https://api.example.com/some/url/index?page=1' from origin
'https://www.example.com' has been blocked by CORS policy: Response
to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource.
What it could be?
You need to allow access from www.example.com on your api's domain api.example.com, so in the virtualhost of api.example.com add the following line under server_name or under the other add_header directives:
add_header 'Access-Control-Allow-Origin www.example.com';
For more information about CORS, you can check the following:
Cross-Origin Resource Sharing (CORS)
I want to redirect http to https automatically.
Below is my nginx conf.
upstream puma_tn{
# Path to Puma SOCK file, as defined previously
server unix:/home/deploy/tn/shared/tmp/sockets/tn-puma.sock fail_timeout=0;
}
server {
listen 80;
server_name www.tn.com.au;
#return 301 https://$host$request_uri;
return 301 https://$server_name$request_uri;
#if ($scheme = http) {
# return 301 https://$server_name$request_uri;
# }
}
server {
listen 443 default_server ssl;
server_name www.tn.com.au;
root /home/deploy/tn/current/public;
try_files $uri/index.html $uri #app;
ssl_certificate /etc/ssl/certs/tn.crt;
ssl_certificate_key /etc/ssl/private/tn.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
#securrity Changes-Start
server_tokens off;
more_set_headers 'Server: Eff_You_Script_Kiddies!';
# Securty Changes-End
# location / {
location #app {
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_redirect off;
proxy_http_version 1.1;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
proxy_set_header Connection '';
proxy_pass http://puma_tn;
}
location ~ ^/(assets|fonts|system)/|favicon.ico|robots.txt {
gzip_static on;
expires max;
add_header Cache-Control public;
}
underscores_in_headers on;
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 600;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
}
Assuming you're deploying it to production, Add below config to production.rb
config.force_ssl = true
force HTTPS connection inside server block
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
Or inside location / block write
location / {
return 301 https://$server_name$request_uri;
}
also i don't think we need config.force_ssl = true
I have written the following in server ssl block to make it working.
server {
listen 443 default_server ssl;
server_name www.tn.com.au;
if ($http_x_forwarded_proto = 'http') {
return 301 https://$server_name$request_uri;
}
.....other configurations
}