I build a new website and want to run the Keycloak in a Docker Setup with the following command:
docker run \
-v /etc/letsencrypt/live/data-mastery.com/fullchain.pem:/etc/x509/https/tls.crt \
-v /etc/letsencrypt/live/data-mastery.com/privkey.pem:/etc/x509/https/tls.key \
-e KEYCLOAK_USER=myadmin \
-e KEYCLOAK_PASSWORD=mypassword \
-e PROXY_ADDRESS_FORWARDING=true \
-p 8443:8443 jboss/keycloak
This is my nginx:
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
try_files $uri $uri/ =404;
}
}
server {
listen 443;
server_name data-mastery.com;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_certificate /etc/letsencrypt/live/data-mastery.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/data-mastery.com/privkey.pem; # managed by Certbot
location /auth/ {
proxy_pass https://127.0.0.1:8443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 600s;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
if ($host = data-mastery.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name data-mastery.com;
return 404; # managed by Certbot
}
I get the follwing Error/Warning, which actually helps me to see that there is a valid SSL Setup by Keycloak:
WARN: Establishing SSL connection without server's identity
verification is not recommended
. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL
connection must be established by default if explicit option isn't
set. For compliance with existing applications no
t using SSL the verifyServerCertificate property is set to 'false'.
You need either to explicitly disable SSL by setting useSSL=false, or
set useSSL=true and provide truststore for s
erver certificate verification.
I set up all ciphers, ssl protocols and still it does not work, even though there seems to be a valid SSL Connection. However, when I access my /auth endpoint I get an error. I´m quite helpless.
ERROR [io.undertow.request] (default I/O-1) Closing SSLConduit after
exception on handshake: javax.net.ssl.SSLHandshakeException: no cipher
suites in common
maybe you can add cipher list accepted by your configuration.
try that:
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
and you can also configure wanted protocols
ssl_protocols TLSv1.2 TLSv1.3;
ERROR [io.undertow.request] (default I/O-1) Closing SSLConduit after exception on handshake: javax.net.ssl.SSLHandshakeException: no cipher suites in common
This error tell us that your client and your server doesn't have a cipher in common to communicate.
Check cipher used by your client, and cipher used by your server. Be sure there is at least one in common
Related
I am currently working on a Nginx config to group some of my docker containers into subdomains. Some of these containers are not running permanently and prevent nginx from starting (with error host not found in upstream "somecontainer:5000" in /etc/nginx/conf.d/default.conf:48) because the host defined in the upstream is not reachable. Is there a way to set a fallback upstream server in case the first one is not running?
The config currently looks like that:
upstream somecontainer {
server somecontainer:5000;
# here i need something like: if host is unreachable
# server fallbackserver:5000
}
server {
listen 443 ssl http2;
server_name some.subdomain.com;
root /public_html/;
client_max_body_size 16384m;
ssl on;
server_tokens off;
ssl_certificate sslstuff;
ssl_certificate_key sslstuff;
ssl_buffer_size 8k;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
location / {
proxy_pass http://somecontainer;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
}
}
Unfortunately, it's because of Nginx design.
You can use variable in proxy_pass which will be resolved at runtime, so there is no such error on nginx load:
set $destination_host somecontainer;
proxy_pass http://$destination_host:5000;
But the disadvantage of the solution above is that you can not leverage nginx upstream such as specify load balancing algorithm or weighted balancing...
Additionally, You have to patch nginx if both upstream and dynamic service initialization is a need. I have a patch which change that Nginx design and was discussed here and I'm using it on production environment for a while. You can check it if patching is not a problem to you https://github.com/ZigzagAK/ngx_dynamic_upstream/issues/8#issuecomment-814702336
I'm running a docker container together with nginx as reverse proxy. With the container itself, there are no issues. After setting it up and running:
sudo lsof -i -P -n | grep LISTEN
I get (amongst other lines) the following result:
docker-pr 1063031 root 4u IPv4 1059993645 0t0 TCP 127.0.0.1:8001 (LISTEN)
My nginx configuration file for my domain (my.domain.de.conf) looks as follows:
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
server_name my.domain.de;
return 301 https://$host$request_uri;
}
# SSL configuration
server {
listen 443 ssl;
server_name my.domain.de;
ssl_certificate /etc/letsencrypt/live/my.domain.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.domain.de/privkey.pem;
# Improve HTTPS performance with session resumption
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# Enable server-side protection against BEAST attacks
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
# Disable SSLv3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
# Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/my.domain.de/fullchain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
location / {
proxy_pass http://127.0.0.1:8001;
proxy_set_header Host $host;
proxy_redirect http:// https://;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
If I am trying to access the (web)service I'm getting a 502 bad request error.
If something is missing to provide a valid answer, please let me know.
Thanks in advance!
I am trying to set up a home GitLab + GitLab container registry(VM ubuntu omnibus install) behind an Nginx reverse proxy(win10):
I took the Nginx config from here: https://gitlab.com/gitlab-org/gitlab-recipes/-/tree/master/web-server/nginx
server {
listen 443 ssl;
listen 5050 ssl;
#listen [::]:443 ipv6only=on ssl;
server_name my-gitlab.org; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
root /opt/gitlab/embedded/service/gitlab-rails/public;
ssl_certificate /nginx-1.18.0/my-gitlab.crt;
ssl_certificate_key /nginx-1.18.0/my-gitlab.key;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
location / {
client_max_body_size 0;
gzip off;
proxy_cache off;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://my-gitlab-IP;
}
}
Opening GitLab on 433 works so does Docker login on 5050, but when I try to push or pull from the container registry :
Error response from daemon: error parsing HTTP 404 response body: unexpected end of JSON input: ""
tried many suggestions changing the GitLab.rb file, but non-work without the Nginx-revseproxing it Docker push/pull works so I am pretty sure it's something in my Nginx config that is missing, but not sure what.
Can anyone help?
it appears I needed a separate server block for the registry
server
{
listen 5005 ssl;
server_name my-ip:5005;
ssl_certificate /nginx-1.18.0/my-ip.crt;
ssl_certificate_key /nginx-1.18.0/my-ip.key;
location /
{
client_max_body_size 0;
proxy_pass https://my-ip:5005;
}
}
reverted back to default GitLab registry port
I have hit this roadblock where I am not able get the SSL Certificates from Let's encrypt.
I am using Nginx , Certbot and trying to get SSL running for my site with a node backend.
I tried to follow this post as my knowledge is limited. Any help pointers would be highly appreciated.
https://medium.com/#pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
As the post mentions , I first try to run the script to get a dummy certificate. I have modified the script to point to my domain.
But I get this error
Failed authorization procedure. example.org (http-01):
urn:ietf:params:acme:error:connection :: The server could not connect
to the client to verify the domain :: Fetching
http://example.org/.well-known/acme-challenge/Jca_rbXSDHEmXz8-y3bKKckD8g0lsuoQJgAxeSEz5Jo:
Connection refused
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: example.org Type: connection Detail: Fetching
http://example.org/.well-known/acme-challenge/Jca_rbXSDHEmXz8-y3bKKckD8g0lsuoQJgAxeSEz5Jo:
Connection refused
This is my nginx configuration
upstream app {
server app:3000;
}
server {
listen 80;
server_name example.org;
location / {
proxy_pass http://app/;
}
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# location /api/ {
# proxy_pass http://app/;
# proxy_redirect off;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Host $server_name;
# }
}
server {
listen 443 ssl;
server_name example.org;
ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
proxy_pass http://example.org; #for demo purposes
}
}
I'm a bit out of my element trying to deploy a Laravel (php) application via docker. Everything works great until I try to use SSL certs via Lets Encrypt, which triggers a redirect loop I'm unable to resolve.
upstream app {
server app1520925178:80;
}
server {
listen 80 default_server;
server_name app.example.com;
# handle future LE refreshes
location /.well-known {
root /var/www/html;
try_files $uri $uri/ =404;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl default_server;
server_name app.example.com;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 24h;
keepalive_timeout 300s;
ssl on;
ssl_certificate /etc/letsencrypt/live/app.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
charset utf-8;
location / {
#include proxy_params;
proxy_pass http://app;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
# Handle Web Socket connections
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
Any guidance is greatly appreciated.
EDIT: It "randomly" started working a few minutes after this post was created. Still not 100% sure why it would take time to "propagate", if anyone has insight into that, I'd appreciate it.
If you use Cloudflare as your DNS service (not registering domains over it, but managing your DNS records with it) and have Cloudflare's protection enabled (orange cloud symbol), this can occur.
Note the following paragraph in this support article by Cloudflare:
If the origin server happens to be configured to redirect HTTP requests to HTTPS, server responses back to Cloudflare are encrypted and since Cloudflare is expecting HTTP traffic, it keeps resending the same request, resulting in a redirect loop. This causes browsers to display "The page isn’t redirecting properly" or "ERR_TOO_MANY_REDIRECTS" errors.
So, the flexible SSL is most likely your issue. You can turn that off by going to the crypto page in your Cloudflare control panel and setting the SSL mode to "Full (strict)":
This resolved my issues on an Apache system, but I'm very confident it's the same source of problems with nginx.
Changing the crypto setting to "Full (strict)" may help: