ssl certificate or nginx proxy server not working - docker

I have created a domain (domain.com) and a subdomain (abc.domain.com), and also generated SSL certificates for both using Let's Encrypt. Both Django projects are hosted on AWS EC2, and I created a proxy server for them as follows:
server {
    listen 443 ssl;
    server_name example.com;
    location / {
        proxy_pass https://1.2.3.4:444;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_certificate /home/domain/fullchain.pem;
        proxy_ssl_certificate_key /home/domain/privkey.pem;
    }
}
server {
    listen 443 ssl;
    server_name abc.example.com;
    location / {
        proxy_pass https://1.2.3.4:445;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_certificate /home/subdomain/fullchain.pem;
        proxy_ssl_certificate_key /home/subdomain/privkey.pem;
    }
}
I start the proxy server and both projects, and starting them does not give any problem. The problem is that when I enter https://example.com in the browser it does not show the page, but when I request the domain with the port number, https://example.com:444, it starts showing the page. I do not know what I am missing.

In order to make https://example.com work, you need to correctly configure Nginx with an SSL configuration, which includes using the ssl_certificate and ssl_certificate_key directives; it does not seem that you are using them.
proxy_ssl_certificate is for the HTTPS connection between Nginx and the proxied server, which in your case is the Django application.
ssl_certificate is for the HTTPS connection between the user's browser and Nginx, which is what you need for https://example.com to work as expected.
For more details, check "Configuring HTTPS servers".

Related

Data not streamed from the server to the client using grpc web and nginx reverse proxy

A Go gRPC server is running on an Amazon Linux 2 EC2 instance. The gRPC-Web wrapper is used, which makes the server available to a Next.js application. Two ports are exposed: one for regular gRPC requests and another for gRPC-Web requests. Nginx is configured to reverse proxy the requests, and TLS is enabled.
Regular gRPC server:
server {
    listen 8000 http2;
    listen [::]:8000;
    server_name example.org;
    location / {
        grpc_pass grpc://localhost:5000;
        grpc_read_timeout 300;
        grpc_send_timeout 300;
    }
}
gRPC-Web server:
server {
    server_name example.org;
    location / {
        proxy_http_version 1.1;
        proxy_pass http://127.0.0.1:5001;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
    }
    access_log /var/log/nginx/example.org/access.log;
    error_log /var/log/nginx/example.org/error.log;
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
A server-side stream has been implemented. It sends an initial response soon after the connection and further responses for internal events. It works fine for regular gRPC requests but not for gRPC-Web.
Once the client makes a request, the status goes to pending, and only once the stream closes does the client get the response. Interim responses are not sent from the server. Requests from the client are logged in the server; they reach the server immediately, but the response is delayed. Sometimes, after 1 minute, the client gets this error: "(failed)net::ERR_INCOMPLETE_CHUNKED_ENCODING". I expect the response to be similar to regular gRPC calls.

Redirect nginx to SSL docker service

I have a server on Hetzner where I configured several services on Docker, in this case Portainer and Node-RED.
I have connected a DDNS domain pointing to the server IP and configured the certificates individually for each service via certbot standalone.
I can access both correctly via the following links:
https://myfreedomain.ddns.net:9000 (Portainer)
https://myfreedomain.ddns.net:1880 (Node-RED)
I would like to configure nginx in such a way that I can access the services via a path and force an SSL redirect.
Example:
http://myfreedomain.ddns.net/portainer --> https://myfreedomain.ddns.net:9000
The certificates are loaded and configured in the individual services.
Nginx sites-enabled config file:
server {
    listen 443 ssl;
    server_name myfreedomanin.ddns.net;
    ssl_certificate /etc/letsencrypt/live/myfreedomanin.ddns.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myfreedomanin.ddns.net/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location /portainer {
        proxy_pass https://myfreedomanin.ddns.net:9000;
    }
    location /node-red {
        proxy_pass https://myfreedomanin.ddns.net:1880;
    }
}
The default configuration file is also present.

How to define one domain for both static webpage and shiny server app?

I have a Shiny Server app using AWS EC2 and Route 53, with nginx and certbot for SSL. Right now my domain name is used by the app.
I would like to have a static homepage to welcome users and offer access to log in to the app.
The purpose is to have a homepage intro so it can be indexed by Google.
Can I use one domain for that (for both the app and the webpage)?
How should I define and manage my domain to do so?
I hope I made my question clear enough.
Thanks in advance.
I forgot to mention that my static website is in an AWS S3 bucket (and not on the EC2 + nginx server).
I'm not sure about the syntax to define nginx.conf. The following is how nginx.conf is working fine now:
server {
    listen 80;
    listen [::]:80;
    # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}
server {
    # listen 443 means the Nginx server listens on the 443 port.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/app.mydomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.mydomain/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
    ssl_dhparam /etc/nginx/snippets/dhparam.pem;
    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES12>
    ssl_prefer_server_ciphers off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/app.mydomain/chain.pem;
    # Replace it with your (sub)domain name.
    server_name app.mydomain;
    # The reverse proxy, keep this unchanged:
    location / {
        proxy_pass http://localhost:3838;
        proxy_redirect http://localhost:3838/ $scheme://$host/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 20d;
        proxy_buffering off;
    }
}
And if I understood #AlexStoneham, I need to add something like this:
server {
    server_name mydomain;
    location / {
        # the original post was missing the terminating semicolon on this directive
        proxy_pass $scheme://$host.s3-website-eu-central-1.amazonaws.com$request_uri;
    }
}
But that addition doesn't work. Should I add the 443 listener block to it and add the SSL certificate all over again?
app.mydomain is for the Shiny app and is working fine now.
mydomain should direct to the S3 static webpage.
Thanks.
Use nginx server blocks in your nginx conf
and subdomains in your Route 53 conf.
Leverage a subdomain like app.yourdomain.com to go to the Shiny app, configured with nginx to serve the Shiny app in one server block. Set up another subdomain like www.yourdomain.com to go to the static pages, configured with nginx to serve the static pages in another server block.
See:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-routing-traffic-for-subdomains.html
for the Route 53 details
and:
https://www.nginx.com/resources/wiki/start/topics/examples/server_blocks/
for the nginx details.
The nginx.conf was OK and I didn't need to add anything, because the static webpage is in an S3 bucket and not on nginx/EC2.
The issue was that in one of my many tries I made a certbot certificate for "mydomain", which was the same name as the S3 bucket.
That clashed and caused the problem when trying to link my S3 bucket with that domain name through Route 53 (the S3 endpoint is HTTP and not HTTPS).
The solution was to delete that specific SSL certificate from my EC2 server (with nginx on it):
$ sudo certbot certificates   # shows the existing certificates
$ sudo certbot delete         # choose the certificate to delete, in my case: "mydomain"

Nginx Internal Server Error with docker throw error 500

I'm trying to deploy an nginx application in Docker. After installing certificates with certbot, I have this nginx.conf:
server {
    listen 80;
    server_name web.com www.web.com;
    location / {
        return 301 https://$server_name$request_uri;
    }
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
}
server {
    listen 443 ssl default_server;
    server_name web.com www.web.com;
    location / {
        proxy_pass https://www.web.com;
    }
    ssl_certificate /etc/letsencrypt/live/web.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/web.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
When I try to access my web URL, the browser shows "500 Internal Server Error. nginx/1.15.12".
I can't see the logs, so I don't know what I have to do.
The SSL certificate works fine because the lock appears in the URL bar.
Can you check whether the container is started or not?
If the container is running, you can connect to the container and then check the nginx logs (they should be available at /var/log/nginx/error.log).

SSL rails nginx

I am trying to install an SSL certificate that I recently acquired from GoDaddy. My web application is on Rails 4.2.6 and I am using Ubuntu Server 14.04. I am also using Phusion Passenger 5.0.28 and Nginx. I don't know if it makes any difference, but I launched the instance using AWS EC2.
I created a combined file using the two .crt files sent by GoDaddy.
When I edit my application.rb file:
config.force_ssl = true
I receive the following error:
ERR_CONNECTION_TIMED_OUT
There are two files that I have tried editing, with no success so far:
nginx.conf. The server block currently looks like this:
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /var/www/primeraraiz5/primeraraiz_combined.crt;
    ssl_certificate_key /var/www/primeraraiz5/primeraraiz.com.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
include /etc/nginx/sites-enabled/*;
rails.conf (in a sites-available directory, which is symbolically linked to the sites-enabled directory). The server block looks like this:
server {
    listen 443 ssl;
    passenger_enabled on;
    passenger_app_env production;
    root /var/www/primeraraiz5/public;
    server_name 52.39.200.205 primeraraiz.com;
}
server {
    server_name www.primeraraiz.com;
    return 301 $scheme://primeraraiz.com$request_uri;
}
I don’t know if I am doing something wrong in these files or if I should change any settings at AWS or with the company that currently hosts my domain.
Thanks a lot for your help!
There are a couple of things to do to your configuration.
The first is the server block containing the redirect. Since you haven't provided us with a server that's listening on port 80, I assume that you want to redirect all requests to http://www.primeraraiz.com to HTTPS. If so, replace $scheme with https so that your block looks as follows:
server {
    server_name www.primeraraiz.com;
    return 301 https://primeraraiz.com$request_uri;
}
Next, the SSL offloading needs to happen in the server block from which you're serving. In your case, you're offloading SSL for server name localhost, and not for primeraraiz.com which is what I assume you're trying to do. So copy the SSL parameters of your first server block to the one that has server name primeraraiz.com to end up with:
server {
    listen 443 ssl;
    server_name 52.39.200.205 primeraraiz.com;
    ssl_certificate /var/www/primeraraiz5/primeraraiz_combined.crt;
    ssl_certificate_key /var/www/primeraraiz5/primeraraiz.com.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    passenger_enabled on;
    passenger_app_env production;
    root /var/www/primeraraiz5/public;
}
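The point both the first answer (ssl_certificate vs. proxy_ssl_certificate) and this one (the SSL parameters must sit in the server block that actually serves the site) make can be turned into a small config lint: any server block that listens with `ssl` must itself carry, or inherit from `http`, ssl_certificate and ssl_certificate_key. This is an added example, not code from any of the posts; the sample config and its paths are constructed, and the parser is a deliberately simplified reading of nginx syntax that does not follow include files.

```python
"""Flag nginx server blocks that 'listen ... ssl' but set no server certificate."""
import re
SAMPLE_CONF = """
server {   # constructed: the first asker's shape, certificate only on the upstream leg
    listen 443 ssl; server_name example.com;
    location / { proxy_pass https://1.2.3.4:444; proxy_ssl_certificate /home/domain/fullchain.pem; }
}
server {   # constructed: correctly terminates TLS for the browser (placeholder paths)
    listen 443 ssl; server_name good.example.com;
    ssl_certificate /etc/le/good/fullchain.pem; ssl_certificate_key /etc/le/good/privkey.pem;
    location / { proxy_pass http://127.0.0.1:3838; }
}
"""
TOKEN = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def parse(text):
    """nginx syntax -> list of (name, args, children) nodes; comments are dropped."""
    tokens = iter(t for t in TOKEN.findall(text) if not t.startswith('#'))
    def block():
        out, words = [], []
        for tok in tokens:
            if tok == '}':
                return out
            if tok in (';', '{'):  # ';' ends a directive, '{' opens a nested block
                if words:
                    out.append((words[0], words[1:], block() if tok == '{' else []))
                words = []
            else:
                words.append(tok)
        return out
    return block()

def find_missing_certs(text):
    """Map server_name -> problems for TLS-terminating server blocks lacking certs."""
    tree, findings = parse(text), {}
    http = next((k for n, _a, k in tree if n == 'http'), [])  # ssl_* may be set here
    candidates = [(k, set()) for n, _a, k in tree if n == 'server'] + \
                 [(k, {n for n, _a, _k in http}) for n, _a, k in http if n == 'server']
    for kids, inherited in candidates:
        if not any(n == 'listen' and 'ssl' in a for n, a, _k in kids):
            continue  # plain-HTTP server: no TLS to terminate
        present = inherited | {n for n, _a, _k in kids}
        problems = [d for d in ('ssl_certificate', 'ssl_certificate_key') if d not in present]
        in_locations = {n for _n, _a, loc in kids for n, _a2, _k in loc}
        if problems and 'proxy_ssl_certificate' in in_locations:
            problems.append('proxy_ssl_certificate only secures the nginx->upstream leg')
        if problems:
            sn = next((' '.join(a) for n, a, _k in kids if n == 'server_name'), '<unnamed>')
            findings[sn] = problems
    return findings
```

Running `find_missing_certs(SAMPLE_CONF)` reports only example.com; the rails.conf block above, which listens on 443 ssl with no ssl_certificate, is flagged the same way.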
