400 Bad Request nginx/1.13.12 - docker

I am getting "400 Bad Request The plain HTTP request was sent to HTTPS port nginx/1.13.12" upon Nginx/Docker/SSL configuration. Below is my SSL configuration inside Docker container of Nginx. Please help.
server {
listen 80;
listen 443 ssl;
server_name mydomain.com;
root /usr/share/etc/nginx;
index index.html index.htm index.php;
if ($scheme = http)
{
return 301 https://$server_name$request_uri;
}
ssl on;
ssl_certificate /etc/ssl/certs/mydomain.crt;
ssl_certificate_key /etc/ssl/private/mydomain.key;
ssl_session_timeout 5m;
location /{
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
proxy_pass http://localhost;
proxy_read_timeout 180;
proxy_redirect off;
proxy_redirect http://localhost $scheme://mydomain.com;
proxy_http_version 1.1;
proxy_request_buffering off;
}
}

Related

Use a Subdomain with Nginx to get a JSON from an Endpoint

I currently have a deployed application. https://dostoevsky.rest/
It works well with Nginx and Docker.
However, I want to get a JSON when I hit the endpoint https://dostoevsky.rest/api/rand with a subdomain.
So, I want the subdomain api.dostoevsky.rest to redirect to https://dostoevsky.rest/api/rand.
I thought I could configure Nginx as a reverse proxy, so I did the following:
server {
listen 80;
listen [::]:80;
server_name api.dostoevsky.rest www.api.dostoevsky.rest;
root /var/www/api.dostoevsky.rest/html;
location / {
proxy_pass http://<IP>;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /api/rand {
proxy_pass http://<IP>/api/rand;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
However, when I do curl api.dostoevsky.rest I get the message:
<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx/1.21.3</center>
</body>
</html>
I'm assuming the resource isn't found?
However, if I do curl https://dostoevsky.rest/api/rand it works fine. So, I think I'm making a mistake with the reverse proxy. Any help would be appreciated. Sorry if this is a low-quality question; I'm new to using Nginx.
Deployed on a DigitalOcean droplet.
Following is my complete nginx.conf file:
server {
listen 80;
listen [::]:80;
server_name dostoevsky.rest www.dostoevsky.rest;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/html;
}
location / {
rewrite ^ https://$host$request_uri? permanent;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dostoevsky.rest www.dostoevsky.rest;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/dostoevsky.rest/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dostoevsky.rest/privkey.pem;
ssl_buffer_size 8k;
ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
location / {
try_files $uri @nodejs;
}
location @nodejs {
proxy_pass http://nodejs:8080;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# enable strict transport security only if you understand the implications
}
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
}
server {
listen 80;
listen [::]:80;
server_name api.dostoevsky.rest www.api.dostoevsky.rest;
root /var/www/api.dostoevsky.rest/html;
location / {
proxy_pass http://<IP>;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /api/rand {
proxy_pass http://<IP>/api/rand;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

Redirecting to the invalid URI. Jenkins in a docker container behind the Nginx

Successfully pulled an image from the official Jenkins hub and ran a container with the following parameters:
docker run -d --name=jenkins -p 8080:8080 -p 50000:50000 -e JENKINS_OPTS="--prefix=/build" -v jenkins_home:/var/jenkins_home jenkins/jenkins:lts
Also, I have the Nginx installed on my host (not a container!)
Instructions for Nginx
upstream jenkins {
server localhost:8080;
keepalive 16;
}
server {
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
server_name example.com www.example.com;
ignore_invalid_headers off;
location /build/ {
proxy_pass http://jenkins;
proxy_http_version 1.1;
proxy_redirect default;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Connection "";
proxy_set_header X-Forwarded-Proto: $scheme;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffering off;
proxy_request_buffering off;
}
access_log /var/log/nginx/jenkins.access.log;
error_log /var/log/nginx/jenkins.error.log;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
listen 80;
return 301 https://example.com$request_uri;
}
Trying to access Jenkins via https://example.com/build. It asks me to input an initial admin password. After successful submission it gives me this page.
Page URL is https://example.com/build/:%20https://example:80/build/
I tried to add prefix... Tried to restart both of them but nothing changes.
Simply put set_proxy_headers strings before the proxy_pass. Such as
location /build/ {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Connection "";
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://jenkins;
proxy_http_version 1.1;
proxy_redirect default;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffering off;
proxy_request_buffering off;
}
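Added example (not part of the posts above, and not code from nginx, Jenkins or either author): a small Python check for the two configuration mistakes that match the symptoms quoted on this page, `ssl on;` in a server that also has a plain `listen 80` (the 400 in the first question) and a `proxy_set_header` name written with a trailing colon (the `:%20https://...` redirect in the Jenkins question). `SAMPLE`, the rule names and the `lint` function are constructed for illustration; the parsing is regex-based and assumes braces do not appear inside quoted strings.

```python
import re

# Constructed sample: the two server blocks quoted above, cut down to the
# directives that matter. Names and addresses are the page's own placeholders.
SAMPLE = """
server {
    listen 80;
    listen 443 ssl;
    ssl on;
    location / { proxy_pass http://localhost; }
}
server {
    listen 443 ssl;
    location /build/ {
        proxy_set_header X-Forwarded-Proto: $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://jenkins;
    }
}
"""

DIRECTIVE = r"(?:^|(?<=[;{}]))\s*"   # a directive starts a line or follows ; { }

def server_blocks(conf):
    """Yield each server { ... } block, found by brace matching."""
    for m in re.finditer(r"^\s*server\s*\{", conf, re.M):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.start():i]

def lint(conf):
    """Return (server_index, rule, detail) for each finding."""
    conf = re.sub(r"#.*", "", conf)   # strip comments (ignores '#' in quotes)
    findings = []
    for n, block in enumerate(server_blocks(conf)):
        listens = re.findall(DIRECTIVE + r"listen\s+([^;]+);", block, re.M)
        # Sockets declared without the per-socket "ssl" parameter.
        plain = [a.split()[0] for a in listens if "ssl" not in a.split()[1:]]
        # "ssl on;" turns TLS on for every socket of the server, so a plain
        # listener then answers HTTP clients with the 400 quoted above.
        if plain and re.search(DIRECTIVE + r"ssl\s+on\s*;", block, re.M):
            findings.append((n, "ssl-on-with-plain-listen", ",".join(plain)))
        # nginx writes the name, then ": ", then the value, so "Name:" reaches
        # the backend as "Name:: value" and the value is read as ": value".
        for name in re.findall(r"proxy_set_header\s+(\S+):\s", block):
            findings.append((n, "header-name-colon", name))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

A clean result for the first rule means either `ssl on;` is gone or every `listen` in that server carries the `ssl` parameter; for the second, the header name is written without the colon.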

docker NGINX server sub location issue

I have the following NGINX that works without issue for root https / . However whenever I try to change location / { to a subdomain like location /example { it breaks everything. If you go to domain.com/example it takes you to a 404 error no matter where you go.
############## Jupyter ####################
server {
listen 0.0.0.0:443 ssl;
server_name domain.com
www.domain.com;
ssl_certificate /etc/nginx/self.crt;
ssl_certificate_key /etc/nginx/self.key;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_session_cache builtin:1000 shared:SSL:10m;
access_log /var/log/nginx/jupyter.log ;
error_log /var/log/nginx/jupyter.error.log debug;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://jupyter;
proxy_read_timeout 90;
}
location ~* /(api/kernels/[^/]+/(channels|iopub|shell|stdin)|terminals/websocket)/? {
proxy_pass http://jupyter;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade "websocket";
proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400;
}
}
You're missing the root parameter in your nginx configuration.
You should check in the guide how to use it http://nginx.org/en/docs/beginners_guide.html
It reports you should do something like
location / {
root /var/www/webapp/public; # something like that
# .. config
}
location ~* /(api/kernels/[^/]+/(channels|iopub|shell|stdin)|terminals/websocket)/? {
root /var/www/webapp/api; # something like that
# .. config
}

Unable to change port number in Bitbucket

My Bitbucket instance is running in an Ubuntu server.
The initial installation was done by following the wizard, and at that time the default port 7990 was set.
Now I would like to change it to use the port 443, so as per the official documentation it can be easily done by changing the value server.port in the shared/bitbucket.properties file.
However, after that change, the server is not even listening on the newly configured port.
Bitbucket is started as root user.
Why is Bitbucket not taking into account the port modification?
Fixed after configuring an Nginx server which relays between port 7990 and 443.
Config bitbucket:
server.port=7990
server.proxy-name=******************
server.proxy-port=443
server.scheme=https
jdbc.url=jdbc\:postgresql\://localhost\:5432/bitbucket
jdbc.driver=org.postgresql.Driver
jdbc.user=******************
jdbc.password=*************
Config Nginx:
server {
location / {
proxy_pass http://localhost:7990;
proxy_redirect off;
server_tokens off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
}
server {
listen 443 default ssl http2;
server_name ******************;
ssl_certificate "******************";
ssl_certificate_key "******************";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
client_max_body_size 0;
location / {
proxy_pass http://localhost:7990;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect off;
}
}

HTTP Origin header (https://example.com) didn't match request.base_url (http://example.com) rails

I am running Nginx server with the puma on https. I configured Letsencrypt for SSL verification. The problem is that the server is running fine but when I try to create a user through devise it throws this error
"HTTP Origin header (https://example.com) didn't match request.base_url (http://example.com)"
I tried to modify the nginx.conf configuration as specified over here
https://github.com/rails/rails/issues/22965#issuecomment-172929004
but still no luck. Here is my configuration file:
upstream puma {
server unix:///home/ubuntu/blue_whale/example/shared/tmp/sockets/gofickle-puma.sock;
}
server
{
listen 443 ssl default;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
root /home/ubuntu/blue_whale/example/current/public;
access_log /home/ubuntu/blue_whale/example/current/log/nginx.access.log;
error_log /home/ubuntu/blue_whale/example/current/log/nginx.error.log info;
add_header Strict-Transport-Security "max-age=31536000";
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri @puma;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on; # Optional
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;
proxy_pass http://puma;
}
}
I have the exact same setup as you and mine is working with the below proxy config:
location @rails {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://rails_app;
}
I think it might be the X-Forwarded-Proto and SSL that might be causing your issue; it isn't necessary behind the proxy.
