I have the following nginx configuration:
server {
listen 80;
server_name _;
server_tokens off;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name _;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
proxy_pass http://example.org;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
I am running nginx in a docker container and it starts properly. When I execute: curl localhost I receive 301 Moved Permanently. But when I try to call from an external source curl publicIP I receive Timed out
My first thought was that the problem is from the firewall but if I start a nginx container without any configuration curl publicIP works properly I receive 200.
Can you help me figure out if it's a problem in nginx configuration?
Thanks
Related
I have nginx & docker-compose setup with the following nginx config file, here api and kibana are docker containers which are running on ports 8080 and 5601 respectively
user nobody;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events
{
worker_connections 1024;
}
http
{
server
{
listen 80;
server_name my-domain.com www.my-domain.com;
server_tokens off;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
server
{
listen 443 ssl;
server_name my-domain.com www.my-domain.com;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/all/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/all/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location ^~ /
{
proxy_pass http://api:8080/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}
location ^~ /monitoring
{
proxy_pass http://kibana:5601/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
rewrite /monitoring/(.*)$ /$1 break;
}
}
}
All of my containers are up and running and everything seems fine but when i visit https://my-domain.com i get back This site can’t be reached and if i go to the non-secure http://my-domain.com/ i get nginx 404 error with the following log in the container
[error] 17#17: *13 open() "/etc/nginx/html/index.html" failed (2: No such file or directory), client: 123.456.789.101, server: my-domain.com, request: "GET / HTTP/1.1", host: "my-domain.com
Why is it looking for a file? Is there something wrong with my nginx config? pls help
Found it! 🤦🏽♂️ it should've been
proxy_set_header Host $host;
instead of
proxy_set_header Host $http_host;
Edit:
Apparently i also had to stop docker containers after running it for the first time and start again to get it to work
I have Nginx server with domain name example.com and it servers
location / => for web, running docker at port 8080
location /api => for API, running docker at port 8090
There is another backend service running in docker at port 9000, which wants to call the API https://example.com/api ... If I try it as localhost:8090 then no issue.
But using https://example.com/api via Nginx returns 301 Moved permanent error.
That is, calling from the same system to Nginx is not working.
Not sure what is wrong.
Please find the nginx conf:
map $sent_http_content_type $expires {
default off;
text/html epoch;
text/css max;
application/javascript max;
~image/ max;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
include /etc/nginx/conf.d/*.conf;
server {
listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
index index.html index.htm index.nginx-debian.html;
server_name example.com;
location / {
proxy_pass http://localhost:8080/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
}
location /api/v1/socketio/ {
proxy_pass http://lb_autosys_api/socket.io/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /api/v1/ {
proxy_pass http://localhost:8090/;
}
gzip on;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/xml text/css;
gzip_min_length 1000;
gunzip on;
gzip_vary on;
expires $expires;
}
server {
if ($host = example.com) {
return 301 https://$host$request_uri;
}
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com;
return 301 https://$host$request_uri;
}
I am trying to set up a home GitLab + GitLab container registry(VM ubuntu omnibus install) behind an Nginx reverse proxy(win10):
I took the Nginx config from here: https://gitlab.com/gitlab-org/gitlab-recipes/-/tree/master/web-server/nginx
server {
listen 443 ssl;
listen 5050 ssl;
#listen [::]:443 ipv6only=on ssl;
server_name my-gitlab.org; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
root /opt/gitlab/embedded/service/gitlab-rails/public;
ssl_certificate /nginx-1.18.0/my-gitlab.crt;
ssl_certificate_key /nginx-1.18.0/my-gitlab.key;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
location / {
client_max_body_size 0;
gzip off;
proxy_cache off;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://my-gitlab-IP;
}
}
Opening GitLab on 433 works so does Docker login on 5050, but when I try to push or pull from the container registry :
Error response from daemon: error parsing HTTP 404 response body: unexpected end of JSON input: ""
tried many suggestions changing the GitLab.rb file, but non-work without the Nginx-revseproxing it Docker push/pull works so I am pretty sure it's something in my Nginx config that is missing, but not sure what.
Can anyone help?
it appears I needed a separate server block for the registry
server
{
listen 5005 ssl;
server_name my-ip:5005;
ssl_certificate /nginx-1.18.0/my-ip.crt;
ssl_certificate_key /nginx-1.18.0/my-ip.key;
location /
{
client_max_body_size 0;
proxy_pass https://my-ip:5005;
}
}
reverted back to default GitLab registry port
Is there a "proper" structure for the directives of an NGINX Reverse Proxy? I have seen 2 main differences when looking for examples of an NGINX reverse proxy.
http directive is used to house all server directives. Servers with data are listed in a pool within the upstream directive.
server directives are listed directly within the main directive.
Is there any reason for this or is this just a syntactical sugar difference?
Example of #1 within ./nginx.conf file:
upstream docker-registry {
server registry:5000;
}
http {
server {
listen 80;
listen [::]:80;
return 301 https://$host#request_uri;
}
server {
listen 443 default_server;
ssl on;
ssl_certificate external/cert.pem;
ssl_certificate_key external/key.pem;
# set HSTS-Header because we only allow https traffic
add_header Strict-Transport-Security "max-age=31536000;";
proxy_set_header Host $http_host; # required for Docker client sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client IP
location / {
auth_basic "Restricted"
auth_basic_user_file external/docker-registry.htpasswd;
proxy_pass http://docker-registry; # the docker container is the domain name
}
location /v1/_ping {
auth_basic off;
proxy_pass http://docker-registry;
}
}
}
Example of #2 within ./nginx.conf file:
server {
listen 80;
listen [::]:80;
return 301 https://$host#request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
error_log /var/log/nginx/error.log info;
access_log /var/log/nginx/access.log main;
ssl_certificate /etc/ssl/private/{SSL_CERT_FILENAME};
ssl_certificate_key /etc/ssl/private/{SSL_CERT_KEY_FILENAME};
location / {
proxy_pass http://app1
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $remote_addr; # could also be `$proxy_add_x_forwarded_for`
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Request-Start $msec;
}
}
I dont quite understand your question, but it seems to me that the second example is missing the http {}, I dont think that nginx will start without it.
unless your example2 file is included somehow in the nginx.conf that has the http{}
I have this configuration:
upstream frontend_upstream {
# FrontEnd part based on `frontend` container with React app.
server frontend:3000;
}
server {
...
listen 80;
server_name stage.example.com;
server_tokens off;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Define the location of the proxy server to send the request to
# Web it's a name of Docker container with a frontend.
proxy_pass https://frontend_upstream;
...
}
# Setup communication with API container.
location /api {
proxy_pass http://api:9002;
rewrite "^/api/(.*)$" /$1 break;
proxy_redirect off;
}
}
server {
listen 443 ssl;
server_name stage.example.com;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/stage.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/stage.example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
proxy_pass http://frontend_upstream;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
I want to be able to connect to my application via HTTP and HTTPs, but SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream raises.
What is wrong with this configuration?
There are a lot of similar issues, but none of them helps me.
location / {
# Define the location of the proxy server to send the request to
# Web it's a name of Docker container with a frontend.
proxy_pass http://frontend_upstream;
...
}
try this.
Your upstream most likely works on http, not on https.