I have a site that I built using Ruby on Rails on an nginx server with Passenger. My client decided to install an SSL certificate. I am a newbie to that kind of issue and I have never done it before, and I need to confirm that my sites-enabled/default file is configured properly.
My current configuration is:
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name www.mysite.com;
    passenger_enabled on;
    rails_env production;
    root /home/directory;
    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
and for adding the SSL certificate, I will add another server block like below:
server {
    listen 443;
    server_name www.mysite.com;
    passenger_enabled on;
    rails_env production;
    root /home/directory;
    ssl on;   # older form; the answer below puts the ssl parameter on "listen 443 ssl;" instead
    ssl_certificate /etc/ssl/my_certificate;
    ssl_certificate_key /etc/ssl/my_private_key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_stapling on;   # OCSP stapling; nginx needs the issuer chain (ssl_certificate or ssl_trusted_certificate) for it
    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
Is that the right way and the right parameters to configure nginx, or do I need to combine them in one server block?
Is there anything missing that I should add to the previous config?
In the line server_name www.mysite.com;
can I replace it with my IP address instead of the domain name?
Thanks for your time in advance
You can have HTTP and HTTPS servers in the same server section:
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    listen 443 ssl;
    ...
}
For complete SSL related configuration I would recommend using the Mozilla generator.
Yes, but you shouldn't. Nginx will match your first server section even if you haven't set server_name properly, but such a configuration is hard to support and troubleshoot.
We have a website where each user will have his own subdomain; let's call the domain example.com.
When user1 gets created, he should be able to access his page through user1.example.com.
Right now, when the user accesses user1.example.com he gets a
"Your connection is not private" error message.
We are using Rails 7 and we are hosted on AWS Lightsail.
The SSL certificate is created using AWS Certificate Manager and attached to the load balancer.
Our simple nginx config:
server {
    listen 80;
    listen [::]:80;
    server_name _;
    root /home/ubuntu/link/to/application/public;
    passenger_enabled on;
    passenger_app_env production;
    location /cable {
        passenger_app_group_name myapp_websocket;
        passenger_force_max_concurrent_requests_per_process 0;
    }
    # Limit request bodies (uploads) to 5MB
    client_max_body_size 5m;
    location ~ ^/(assets|packs) {
        expires max;
        gzip_static on;
    }
}
EDIT 1:
We got a new wildcard certificate from Let's Encrypt certbot and updated nginx with the following:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /home/ubuntu/link/to/app/current/public;
    server_name domain.com www.domain;
    passenger_enabled on;
    passenger_app_env production;
    location /cable {
        passenger_app_group_name myapp_websocket;
        passenger_force_max_concurrent_requests_per_process 0;
    }
    # Limit request bodies (uploads) to 5MB
    client_max_body_size 5m;
    location ~ ^/(assets|packs) {
        expires max;
        gzip_static on;
    }
    listen 443 ssl; # managed by Certbot
    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}
Now both domain.com and www.domain.com have SSL certificates, but I still can't get user1.domain.com to use that certificate.
I have installed Nginx and Passenger using How To Deploy a Rails App with Passenger and Nginx. I did everything as per the blog. But when I reload the Nginx service with sudo nginx -s reload it shows nginx: [warn] conflicting server name "ip_address" on 0.0.0.0:80, ignored
/etc/site-available/default
server {
    #listen 80;
    #listen [::]:80 ipv6only=on;
    # with both listen lines commented out, nginx still binds this block to *:80 by default
    server_name ip_address;
    passenger_enabled on;
    rails_env production;
    root /var/www/testapp/public;
    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
/etc/site-available/testapp
server {
    listen 80 default_server;
    server_name ipaddress;
    passenger_enabled on;
    passenger_app_env development;
    root /home/iradmin/rails_project/testapp/public;
}
I don't know what I have done wrong here. Thanks in advance.
In your /etc/sites-available/default config you have set server_name to ipaddress and in /etc/sites-available/testapp you have also given a server_name of ipaddress.
The error message states that you have a conflict because in both files the server name is ipaddress. To resolve this error, give your servers different names. More information on Nginx server_name can be found in the official docs here.
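An added example, not part of the question or this answer: a small Python checker that finds the duplicate server_name the warning above complains about, pairing each name with its listen socket the way nginx does. The two site files and the ip_address placeholder are taken from the question; the parser is a simplified one written for this illustration and only handles plain sites-available style files.

```python
import re
# Constructed sample: the two site files from the question above. `default` has its
# listen lines commented out exactly as posted, so nginx binds it to *:80 anyway.
SITES = {
    "/etc/sites-available/default": """
server {
    #listen 80;
    server_name ip_address;
    root /var/www/testapp/public;
}""",
    "/etc/sites-available/testapp": """
server {
    listen 80 default_server;
    server_name ip_address;
    root /home/iradmin/rails_project/testapp/public;
}""",
}

def server_blocks(text):
    """Yield the body of each top-level server { ... } block, comments stripped."""
    text, depth, start = re.sub(r"#[^\n]*", "", text), 0, None
    for m in re.finditer(r"[{}]", text):
        depth += 1 if m.group() == "{" else -1
        if depth == 1 and start is None and text[:m.start()].rstrip().endswith("server"):
            start = m.end()
        elif depth == 0 and start is not None:
            yield text[start:m.start()]
            start = None

def directives(body, name):
    """Argument lists of every `name ...;` line directly inside a block body."""
    body = re.sub(r"\w[^{;]*\{[^{}]*\}", "", body)  # skip nested location {} blocks
    return [m.group(1).split() for m in re.finditer(rf"(?m)^\s*{name}\s+([^;]+);", body)]

def conflicting_names(sites):
    """nginx's rule: a server_name is claimed once per listen socket; later claims
    on the same socket produce the 'conflicting server name ... ignored' warning."""
    seen, warnings = set(), []
    for path, text in sites.items():
        for body in server_blocks(text):
            listens = directives(body, "listen") or [["80"]]  # no listen => *:80
            sockets = ["0.0.0.0:" + v[0] if v[0].isdigit() else v[0] for v in listens]
            names = [n for v in directives(body, "server_name") for n in v]
            for key in sockets:
                for name in names:
                    if (key, name) in seen:
                        warnings.append(f'conflicting server name "{name}" on {key}, ignored ({path})')
                    seen.add((key, name))
    return warnings
```

Running conflicting_names(SITES) reports the testapp file, which is the second one to claim ip_address on 0.0.0.0:80, exactly as nginx does.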
I'm deploying a Rails application on a personal server using nginx and Phusion Passenger. I have a site configuration file with the following server blocks. With this configuration my http://192.168.1.121 service doesn't work, while https://192.168.1.121 fails with a forbidden (access denied) error.
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    # Make site accessible from http://192.168.1.121/
    server_name 192.168.1.121;
    passenger_enabled on;
    rails_env production;
    root /home/deploy/www/myrailsapp/current/public;
    index index.html index.htm;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
server {
    listen 443;
    server_name 192.168.1.121;
    passenger_enabled on;
    rails_env production;
    root /home/deploy/www/myrailsapp/current/public;
    index index.html index.htm;
    ssl on;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # SSLv3 is obsolete (POODLE) and should be dropped
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";        # one cipher list; the posted value joined two alternatives with "or"
    ssl_prefer_server_ciphers on;
    error_page 500 502 503 504 /50x.html;
    location / {
        # try_files serves static files only: "/" maps to the public/ directory, which has no index.html, so nginx answers 403
        try_files $uri $uri/ =404;
    }
}
production.rb has force_ssl: true
Also, if I remove the server {} block with the https entry, the application works on http just fine (of course I have to comment out force_ssl: true from production.rb). I'm very puzzled by the access denied error if the same directory is accessed from https.
- nginx version: nginx/1.6.2
- Rails 4.0
- Ruby 2.1.3
Any help is appreciated.
Try configuring the SSL on the same server block as your port 80 configuration.
Also, it's recommended to use the ssl parameter of the listen directive for port 443, instead of the ssl on directive.
So something like this:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    # Use ssl parameter on the listening socket instead of the 'ssl on' directive
    listen 443 ssl;
    server_name 192.168.1.121;
    # Rest of your ssl configuration here
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # copied from the question; SSLv3 is obsolete (POODLE) and should be dropped
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";        # one cipher list; the question's value joined two alternatives with "or"
    ssl_prefer_server_ciphers on;
    passenger_enabled on;
    rails_env production;
    root /home/deploy/www/myrailsapp/current/public;
    index index.html index.htm;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
Sources and Recommended Reading:
Official nginx docs - A single HTTP/HTTPS server
Digital Ocean tutorial (may or may not be helpful for your case)
I have a staging Rails app running with Passenger on nginx. I want to secure the connections with SSL. I have read a lot of resources online but I have yet to make it run on SSL.
So far, my server block on nginx.conf is:
server {
    listen 80;
    listen 443 default deferred;   # no ssl parameter on the 443 socket
    server_name example.com;
    root /home/deploy/app/public;
    passenger_enabled on;
    # tells Rails every request was HTTPS; since port 80 is in the same block, plain HTTP requests get this header too
    passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;
    ssl on;   # applies to every listen socket of this block, port 80 included
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:RSA+3DES:!ADH:!AECDH:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;
}
The site is running but not on HTTPS.
I've just made the decision to go with SSL myself and found an article on the DigitalOcean site on how to do this. It might be the listen 443 default deferred;, which according to that article should be ssl not deferred.
Here's the nginx block they use:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    listen 443 ssl;
    root /usr/share/nginx/html;
    index index.html index.htm;
    server_name your_domain.com;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    location / {
        try_files $uri $uri/ =404;
    }
}
UPDATE:
I now have my own site running on SSL. Along with the above I just told Rails to force SSL. In your production environment config:
# ./config/environments/production.rb
config.force_ssl = true
Optionally, you can add these settings in the nginx.conf:
http {
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    keepalive_timeout 70;
}
UPDATE: 2015-09
Since I wrote this answer I've added a few extra things to my nginx config, which I believe everyone should also include. Add the following to your server block:
server {
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    add_header X-Frame-Options DENY;
}
The first three lines (ssl_prefer_server_ciphers, ssl_protocols, ssl_ciphers) are the most important as they make sure you have good, strong SSL settings.
The X-Frame-Options prevents your site from being included via the <iframe> tags. I expect most people will benefit from including this setting.
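An added example, not from this answer or the question: a Python lint for the TLS mistakes in this thread (ssl on instead of the ssl parameter on listen, a port 443 socket without that parameter, and obsolete protocol versions), run against the asker's block from above and a corrected version. The TLSv1.2/TLSv1.3 protocol list in the corrected block is this example's own choice, not something the answer specified.

```python
import re
# Constructed sample: the asker's block from above, which listens on 80 and 443
# with `ssl on` and so never produced a working HTTPS site.
BROKEN = """
server {
    listen 80;
    listen 443 default deferred;
    server_name example.com;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;
}"""
# The same block as the answer recommends (ssl on the 443 socket only); the
# protocol list is this example's own choice, not something the answer gave.
FIXED = """
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;
}"""
def directives(block):
    """(name, [args]) for each `name args;` line in the block, comments removed."""
    block = re.sub(r"#[^\n]*", "", block)
    return [(m.group(1), m.group(2).split())
            for m in re.finditer(r"(?m)^\s*([a-z_]+)\s+([^;{]+);", block)]
def tls_findings(block):
    """Lint one server block for the TLS mistakes discussed in this thread."""
    d = directives(block)
    port = lambda a: a[0].rsplit(":", 1)[-1]  # handles "80", "[::]:80", "1.2.3.4:443"
    listens = [args for name, args in d if name == "listen"]
    ssl_on, out = ("ssl", ["on"]) in d, []
    if ssl_on:
        out.append("'ssl on' is deprecated; use the ssl parameter of listen instead")
        if any(port(a) == "80" for a in listens):
            out.append("'ssl on' applies to every socket, so plain HTTP on port 80 fails (error 497)")
    for a in listens:
        if port(a) == "443" and "ssl" not in a[1:] and not ssl_on:
            out.append("listen %s: port 443 without the ssl parameter serves plain HTTP" % " ".join(a))
    for name, args in d:
        old = [p for p in args if name == "ssl_protocols" and p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")]
        if old:
            out.append("ssl_protocols enables obsolete versions: " + " ".join(old))
    return out
```

tls_findings(BROKEN) returns three findings and tls_findings(FIXED) returns none.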
I am totally new to nginx deployment and am having a problem setting up the subdomain for a Rails app which is running in Passenger. My app structure is like this:
-- sss.com (parent domain)
-- sub.sss.com (subdomain)
-- zzz.com (which will be redirected to sub.sss.com)
For a clearer perspective, think of the Gmail structure:
-- google.com (parent domain)
-- mail.google.com (subdomain)
-- gmail.com (which will be redirected to mail.google.com)
And remember sub.sss.com is not just a directory under sss, it's a completely different Rails app.
To set up a similar structure I have configured nginx like this:
server {
    listen 80;
    server_name sss.com *.sss.com;
    rewrite ^(.*) http://sss.com$1 permanent;
}
server {
    listen 80;
    server_name sss.com;
    passenger_enabled on;
    access_log logs/sss.log;
    error_log logs/sss_error.log;
    root /var/www/sss/public;
}
server {
    listen 80;
    server_name sub.sss.com;
    passenger_enabled on;
    access_log logs/sub.log;
    error_log logs/sub_error.log;
    root /var/www/sub/public;
}
server {
    listen 80;
    server_name zzz.com;
    rewrite ^(.*) http://sub.sss.com$1 permanent;
}
When I start nginx I get this warning message:
nginx: [warn] conflicting server name "sss.com" on 0.0.0.0:80, ignored
And I get this message when I try to access the URL www.sss.com:
Chrome - Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects.
FF - Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
But when I access zzz.com, it successfully redirects to sub.sss.com with the same error.
Seems it's messed up in some kind of loop. Anybody got an idea how to solve this?
In your first server you define sss.com, like in the second one too. You just need to delete it from the first, like this:
server {
    listen 80;
    server_name *.sss.com;
    rewrite ^(.*) http://sss.com$1 permanent;
}
server {
    listen 80;
    server_name sss.com;
    passenger_enabled on;
    access_log logs/sss.log;
    error_log logs/sss_error.log;
    root /var/www/sss/public;
}
server {
    listen 80;
    server_name sub.sss.com;
    passenger_enabled on;
    access_log logs/sub.log;
    error_log logs/sub_error.log;
    root /var/www/sub/public;
}
server {
    listen 80;
    server_name zzz.com;
    rewrite ^(.*) http://sub.sss.com$1 permanent;
}
You have 3 domains/subdomains and there should be only 3 server blocks instead of the four you had.
Try ...
server {
    # This server block serves sss.com
    listen 80;
    server_name sss.com;
    passenger_enabled on;
    access_log logs/sss.log;
    error_log logs/sss_error.log;
    root /var/www/sss/public;
}
server {
    # This server block serves sub.sss.com
    listen 80;
    server_name sub.sss.com;
    passenger_enabled on;
    access_log logs/sub.log;
    error_log logs/sub_error.log;
    root /var/www/sub/public;
}
server {
    # This server block redirects zzz.com to sub.sss.com
    listen 80;
    server_name zzz.com;
    rewrite ^ http://sub.sss.com$request_uri? permanent;
}
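An added example, not part of either answer: a Python model of how nginx picks a server block on one listen socket (exact name first, then the longest *. wildcard, then the default server, with a duplicate name ignored in favour of its first definition), used to trace the redirect loop the asker saw and to confirm that the three-block fix resolves it. The blocks are represented as (names, redirect target) pairs constructed from the configs above.

```python
from urllib.parse import urlsplit
# Constructed model of the asker's four server blocks, in file order: each entry is
# (server_name list, redirect target); None means the block serves the Rails app.
ASKED = [
    (["sss.com", "*.sss.com"], "http://sss.com"),
    (["sss.com"], None),
    (["sub.sss.com"], None),
    (["zzz.com"], "http://sub.sss.com"),
]
# The three-block fix from the second answer.
FIXED = [
    (["sss.com"], None),
    (["sub.sss.com"], None),
    (["zzz.com"], "http://sub.sss.com"),
]
def name_table(blocks):
    """Register names the way nginx does on one listen socket: the first block
    to claim a name keeps it; a later claim is the 'conflicting server name'."""
    exact, wild, ignored = {}, {}, []
    for idx, (names, _) in enumerate(blocks):
        for n in names:
            table = wild if n.startswith("*.") else exact
            if n in table:
                ignored.append((idx, n))
            else:
                table[n] = idx
    return exact, wild, ignored
def select_block(blocks, host):
    """nginx's choice: exact name, then the longest matching *. wildcard
    (which does not match the bare domain), else the first block as default."""
    exact, wild, _ = name_table(blocks)
    if host in exact:
        return exact[host]
    matches = [w for w in wild if host.endswith(w[1:])]
    return wild[max(matches, key=len)] if matches else 0
def follow(blocks, url, limit=10):
    """Trace the redirects for a request; the trail ends with the URL that is
    finally served, or with 'LOOP' when `limit` redirects were not enough."""
    trail = [url]
    for _ in range(limit):
        parts = urlsplit(url)
        target = blocks[select_block(blocks, parts.hostname)][1]
        if target is None:
            return trail
        url = target + parts.path  # `$1` / `$request_uri` carry the path over
        trail.append(url)
    return trail + ["LOOP"]
```

With ASKED, www.sss.com is redirected to sss.com, whose name belongs to the first (redirecting) block because the second block's claim was ignored, so the redirect repeats forever; with FIXED the same request is served by the sss.com block.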