I'm trying to deploy my nginx on docker container with Cloudflare.
docker-compose.yml
version: "3.5"
services:
nginx:
image: xxx/panel-nginx:VERSION
volumes:
- type: volume
source: panel_nginx_certs
target: /etc/nginx/certs
ports:
- target: 443
published: 443
protocol: tcp
mode: host
networks:
- panel_nginx
stop_grace_period: 1m
deploy:
replicas: 1
update_config:
parallelism: 1
delay: 180s
restart_policy:
condition: on-failure
networks:
panel_nginx:
external: true
volumes:
panel_nginx_certs:
external: true
nginx.conf
upstream panel-uwsgi {
server panel_app:8000;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name panel.xxx.com;
ssl_certificate /etc/nginx/certs/panel.pem;
ssl_certificate_key /etc/nginx/certs/panel.key;
location / {
include uwsgi_params;
uwsgi_pass panel-uwsgi;
}
# location /media/ {
# root /usr/share/nginx/html;
# try_files $uri $uri/;
# access_log off;
# expires 30d;
# }
location /static/ {
access_log off;
expires 30d;
}
location = /favicon.ico {
return 204;
access_log off;
log_not_found off;
}
# error_page 404 /404.html;
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# root /usr/share/nginx/html;
# }
}
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305";
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/nginx/certs/dhparam.pem;
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:12m;
ssl_session_tickets off;
ssl_stapling on;
ssl_trusted_certificate /etc/nginx/certs/cloudflare_origin_ecc.pem;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
server_names_hash_bucket_size 64;
ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
ssl_verify_client on;
server_tokens off;
charset utf-8;
add_header X-Robots-Tag none;
add_header Warning 'This computer system including all related equipment, network devices (specifically including Internet access), are provided only for authorized use. Unauthorized use may subject you to criminal prosecution. By accessing this system, you have agreed to the term and condition of use and your actions will be monitored and recorded.';
Deploying with this config cause 525 Error: SSL handshake failed.
I have dedicated IP and NSI. I'm using chacha-poly ciphers. I'm publishing 443 port.
Any thoughts why i'm getting this error?
Thanks
Disclaimer: Stackoverflow, please remove the warning about too much code and not enough text. Thanks
In my case, replacing OpenSSL with LibreSSL solved the problem.
If the record is gray clouded (not proxied through Cloudflare) are you able to connect to the server using SSL? It's likely an issue on the origin server int he config, but eliminating Cloudflare at least temporarily makes troubleshooting easier.
You can also try curl -Ikv --resolve panel.backupner.com:443:your.ip.address https:://panel.backupner.com for additional details which may be helpful in troubleshooting.
Actually just checked... looks like your site is working now, if you figured out the root cause it would be helpful to post what the issue was. :)
Related
I want to host multiple websites in one server with nginx reverse proxy by following this tutorial
https://www.datanovia.com/en/lessons/how-host-multiple-https-websites-on-one-server/
The Nginx proxy and each website are launched separately with Docker.
But every time I reload one of the website, it load the content of other website. For example:
Load websiteone.tk 1st time, loaded website ONE's content.
Refresh websiteone.tk , loaded website TWO's content
Refresh websiteone.tk again, loaded website THREE's content
Load websitetwo.tk 1st time, loaded website TWO content
Refresh websitetwo.tk , loaded website THREE content.
I am a beginner for both nginx and docker. I can't tell if the problem happens in nginx or docker. May anyone please kindly advise? Thank you very much.
The nginx-proxy default.conf is
map $http_x_forwarded_proto $proxy_x_forwarded_proto { default $http_x_forwarded_proto;
'' $scheme;
}
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
server_names_hash_bucket_size 128;
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss t>log_format vhost '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$upstream_addr"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA3> ssl_prefer_server_ciphers off;
error_log /dev/stderr;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
listen 80;
access_log /var/log/nginx/access.log vhost;
return 503;
}
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
listen 443 ssl http2;
access_log /var/log/nginx/access.log vhost;
return 503;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
}
# websiteone.tk
upstream websiteone.tk {
## Can be connected with "nginx-proxy" network
# websiteonetk_my-app_1
server 192.168.32.8:80;
}
server {
server_name websiteone.tk;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name websiteone.tk;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/websiteone.tk.crt;
ssl_certificate_key /etc/nginx/certs/websiteone.tk.key;
ssl_dhparam /etc/nginx/certs/websiteone.tk.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/websiteone.tk.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://websiteone.tk;
}
}
# websitetwo.tk
upstream websitetwo.tk {
## Can be connected with "nginx-proxy" network
# websitetwotk_my-app_1
server 192.168.32.13:80;
}
server {
server_name websitetwo.tk;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name websitetwo.tk;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/websitetwo.tk.crt;
ssl_certificate_key /etc/nginx/certs/websitetwo.tk.key;
ssl_dhparam /etc/nginx/certs/websitetwo.tk.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/websitetwo.tk.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://websitetwo.tk;
}
}
# websitethree.tk
upstream websitethree.tk {
## Can be connected with "nginx-proxy" network
# websitethreetk_my-app_1
server 192.168.32.3:80;
}
server {
server_name websitethree.tk;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let'sEncrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name websitethree.tk;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/websitethree.tk.crt;
ssl_certificate_key /etc/nginx/certs/websitethree.tk.key;
ssl_dhparam /etc/nginx/certs/websitethree.tk.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/websitethree.tk.chain.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://websitethree.tk;
}
}
The docker-compose for the nginx proxy is
version: '3.6'
services:
nginx:
image: nginx
labels:
com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
container_name: nginx
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- ./conf.d:/etc/nginx/conf.d
- ./vhost.d:/etc/nginx/vhost.d
- ./html:/usr/share/nginx/html
- ./certs:/etc/nginx/certs:ro
nginx-gen:
image: jwilder/docker-gen
command: -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
container_name: nginx-gen
restart: unless-stopped
volumes:
- ./conf.d:/etc/nginx/conf.d
- ./vhost.d:/etc/nginx/vhost.d
- ./html:/usr/share/nginx/html
- ./certs:/etc/nginx/certs:ro
- /var/run/docker.sock:/tmp/docker.sock:ro
- ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro
nginx-letsencrypt:
image: jrcs/letsencrypt-nginx-proxy-companion
container_name: nginx-letsencrypt
restart: unless-stopped
volumes:
- ./conf.d:/etc/nginx/conf.d
- ./vhost.d:/etc/nginx/vhost.d
- ./html:/usr/share/nginx/html
- ./certs:/etc/nginx/certs:rw
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
NGINX_DOCKER_GEN_CONTAINER: "nginx-gen"
NGINX_PROXY_CONTAINER: "nginx"
networks:
default:
external:
name: nginx-proxy
The nginx default.conf for one of the website is
server {
root /application2;
index index.php;
location ~ \.php$ {
fastcgi_pass php-fpm:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PHP_VALUE "error_log=/var/log/nginx/application_php_errors.log";
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
include fastcgi_params;
}
}
The docker-compose/yml for one of the website is below.
Websiteone working directory is /application1.
Websitetwo working directory is /application2. etc
version: '3.1'
services:
my-app:
image: 'nginx:alpine'
volumes:
- '.:/application2'
- './phpdocker/nginx/nginx.conf:/etc/nginx/conf.d/default.conf'
restart: always
environment:
- VIRTUAL_HOST=websitetwo.tk
- VIRTUAL_PORT=80
- LETSENCRYPT_HOST=websitetwo.tk
expose:
- 80
mailhog:
image: 'mailhog/mailhog:latest'
ports:
- '21001:8025'
php-fpm:
build: phpdocker/php-fpm
working_dir: /application2
volumes:
- '.:/application2'
- './phpdocker/php-fpm/php-ini-overrides.ini:/etc/php/8.1/fpm/conf.d/99-overrides.ini'
networks:
default:
external:
name: nginx-proxy
I've configured Coder and followed this instructions to set it up via Docker Compose.
In order to be able to use a public domain, I've configured a reverse proxy with nginx. Everything works except for the websocket connection which is used to get logs, status updates etc etc.
The error is: wss://workspaces.mydomain.io/api/private/workspaces/623ae5f6-0e4817996a28f4e5e592cb87/watch-stats' failed
The server is managed via Laravel Forge.
Here is my docker-compose.yml:
version: "3.5"
services:
coder:
image: docker.io/codercom/coder:1.28.2
container_name: coderd
restart: unless-stopped
ports:
- 7080:7080/tcp
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ${HOME}/.coder:/var/run/coder
environment:
DEVURL_HOST: "*.workspaces.mydomain.io"
And here my nginx configuration:
server {
listen 80;
listen [::]:80;
server_name .workspaces.mydomain.io;
server_tokens off;
root /home/forge/workspaces.mydomain.io/coder/public;
# FORGE SSL (DO NOT REMOVE!)
# ssl_certificate;
# ssl_certificate_key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_dhparam /etc/nginx/dhparams.pem;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
index index.html index.htm index.php;
charset utf-8;
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/workspaces.mydomain.io/server/*;
location / {
proxy_pass http://127.0.0.1:7080;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/workspaces.mydomain.io-error.log error;
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
}
I'm trying to set up nginx as a reverse proxy on my Ubuntu 18.04 server.
I've set up what I thought was correct below, but hitting http://web.service.com lands me on the default nginx welcome screen (whereas it should redirect to https:// and going to https://web.service.com I end up with a 404 error screen.
I've got the following docker-compose.yml configuration:
version: "3"
services:
web_service:
image: "test/webservice"
container_name: "webservice"
hostname: "webservice"
mysql:
image: "mysql:5.7"
container_name: "mysql"
hostname: "mysql"
nginx:
build:
context: .
dockerfile: "Dockerfile"
image: "nginx"
container_name: "nginx"
hostname: "nginx"
ports:
- "80:80"
- "443:443"
volumes:
- "/var/nginx/data/certs:/etc/nginx/certs"
Note: web_service hosts a web page on port 8080
And I've got my default nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
And my custom web_service.conf which is build into the new nginx image.
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl default_server;
server_name www.web.server.com web.server.com;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
keepalive_timeout 75 75;
ssl_certificate /etc/nginx/certs/web_server.com.crt;
ssl_certificate_key /etc/nginx/certs/web_server.com.key;
ssl_session_timeout 5m;
add_header Strict-Transport-Security "max-age=7200";
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://webservice:8080;
proxy_read_timeout 90;
proxy_redirect http://webservice:8080 https://web.service.com;
}
}
Previously I just the web_service and mysql in the compose file and I exposed port 80:8080 for web_server.
Any thoughts as to the issue?
Managed to solve my issue using the following config:
upstream docker-webapp {
server webapp:8080;
}
server {
listen 80;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name www.example.com example.com;
## Access and error logs.
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
## Keep alive timeout set to a greater value for SSL/TLS.
keepalive_timeout 75s;
## Server certificate and key.
ssl_certificate /etc/ssl/certs/certificate.crt;
ssl_certificate_key /etc/ssl/certs/certificate.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
location / {
proxy_pass http://docker-webapp;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
as well as info found here: https://cipherli.st/
As a side note, the webapp I deployed needed to healthcheck itself, so I needed to install the public certificate into the webapp container's keystore. On top of that it also only supported up to TLSv1.2 hence why I added TLSv1.2 to the ssl_protocols line.
This doesn't directly answer your question, but you might give this Nginx container a try; it really makes automatically handling SSL a walk in the park.
https://hub.docker.com/r/linuxserver/letsencrypt
Due to in your image you're lacking of config of certificate, so you need to add ca-certificate to docker system certificates to use https (you can check it on the internet).
Another thing about security risk in your config file is SSLv3. You should remove it to avoid POODLE attack .
I’m trying to host an API on AWS EC2 running ubuntu and the communication need to be through HTTPS
I’m building the code in R and using Plumber to create an API and build a docker image
First I build the image:
docker build github.com/eaoestergaard/UNPIE -t eaoestergaard/unpie
And then run the image on port 8001
docker run -d -p 8001:8000 --name unpie1 eaoestergaard/unpie
Then I follow this (awesome) guide in order to set up nginx with Let's Encrypt and Certbot, but substitute the production site with my API
My docker-compose.yml look like this
version: '3.1'
services:
production-nginx-container:
container_name: 'production-nginx-container'
image: nginx:latest
ports:
- "80:80"
- "443:443"
volumes:
- ./production.conf:/etc/nginx/conf.d/default.conf
- ./production-site:/usr/share/nginx/html
- ./dh-param/dhparam-2048.pem:/etc/ssl/certs/dhparam-2048.pem
- /docker-volumes/etc/letsencrypt/live/example.com/fullchain.pem:/etc/letsencrypt/live/example.com/fullchain.pem
- /docker-volumes/etc/letsencrypt/live/example.com/privkey.pem:/etc/letsencrypt/live/example.com/privkey.pem
networks:
- docker-network
depends_on:
- unpie1
unpie1:
image: eaoestergaard/unpie
restart: always
ports:
- "7001:8000"
networks:
docker-network:
driver: bridge
And my Nginx configuration file production.conf
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
location ^~ /.well-known/acme-challenge {
root /usr/share/nginx/html;
default_type text/plain;
allow all;
}
location / {
rewrite ^ https://$host$request_uri? permanent;
}
}
#https://example.com
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_buffer_size 8k;
ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
location ^~ /.well-known/acme-challenge {
root /usr/share/nginx/html;
default_type text/plain;
allow all;
}
location /unpie1/ {
proxy_pass http://unpie1:8000/;
proxy_set_header Host $host;
}
return 301 https://www.example.com$request_uri;
}
#https://www.example.com
server {
server_name www.example.com;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_tokens off;
ssl on;
ssl_buffer_size 8k;
ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
location ^~ /.well-known/acme-challenge {
root /usr/share/nginx/html;
default_type text/plain;
allow all;
}
location / {
#security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
#CSP
add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com; img-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com; font-src 'self' data: https://maxcdn.bootstrapcdn.com; form-action 'self'; upgrade-insecure-requests;" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
}
root /usr/share/nginx/html;
index index.html;
}
Both created with inspiration from the plumber documentation section 7.4.2
Then spin up the docker container
cd /docker/letsencrypt-docker-nginx/src/production
sudo docker-compose up -d
I can connect to the API at http (eg http://example.com:7001/fv.annuity), but unfortunately not at https - I suspect my configuration files to be incomplete, but as I'm new into this it's not clear to me what I'm missing.
I apologize if this seems like a deja vu. There are plenty of posts about similar issues, and I read them all (and tried them out unsuccessfully).
My setup: Rails 4, Puma, Nginx, SSL Cert for both https://www and https://
I am using a combined block so I get a redirect to SSL. However, I would like to redirect https://www.domain.com to https://domain.com
Everything works fine with the setup you will see below until I add the redirect rule (return 301 https://$host$request_uri;), then I get a redirect loop.
I added "proxy_set_header X-Forwarded-Proto $scheme;" to my #app location for force_ssl (which is set to true in the Rails config file), but that did not solve the issue.
I would really appreciate expert advise here, and please, if you see any points of improvement in my setup, beyond just fixing the redirect loop, please let me know.
nginx.conf:
user root;
worker_processes 4;
pid /var/run/nginx.pid;
#setup where nginx will log errors to
# and where the nginx process id resides
error_log /var/log/nginx/error.log error;
#pid /var/run/nginx.pid;
events {
worker_connections 1024;
accept_mutex off;
use epoll;
}
http {
include /etc/nginx/mime.types;
types_hash_max_size 2048;
default_type application/octet-stream;
#access_log /tmp/nginx.access.log combined;
# use the kernel sendfile
sendfile on;
# prepend http headers before sendfile()
tcp_nopush on;
keepalive_timeout 25;
tcp_nodelay on;
gzip on;
gzip_http_version 1.0;
gzip_proxied any;
gzip_min_length 500;
gzip_disable "MSIE [1-6]\.";
gzip_types text/plain text/html text/xml text/css
text/comma-separated-values
text/javascript application/x-javascript
application/atom+xml;
#Hide server info
server_tokens off;
upstream app_server {
server unix:/root/sites/mina_deploy/shared/tmp/sockets/puma.sock
fail_timeout=0;
}
# configure the virtual host
server {
server_name domain.com www.domain.com 162.555.555.162;
root /root/sites/mina_deploy/current/public;
# port to listen for requests on
listen 80 default deferred;
listen 443 ssl;
####### THIS REDIRECT CAUSES A LOOP ########
#return 301 https://$host$request_uri;
ssl_certificate /etc/ssl/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/myserver.key;
#enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#Disables all weak ciphers
ssl_ciphers 'AES128+EECDH:AES128+EDH';
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparam.pem;
# maximum accepted body size of client request
client_max_body_size 4G;
# the server will close connections after this time
keepalive_timeout 5;
add_header Strict-Transport-Security max-age=63072000;
#add_header X-Frame-Options DENY;
add_header Access-Control-Allow-Origin '*';
add_header X-Content-Type-Options nosniff;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
location ~ ^/(system|assets)/ {
gzip_static on;
error_page 405 = $uri;
expires max;
add_header Cache-Control public;
break;
}
try_files $uri/index.html $uri #app;
location #app {
# pass to the upstream unicorn server mentioned above
proxy_pass http://app_server;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 300;
}
}
}
The thing I did was have multiple server blocks. You mentioned that you want www.domain.com to redirect to domain.com. In this case I would do
server {
listen 80;
server_name www.domain.com;
return 301 https://domain.com$request_uri;
}
Then remove your www.domain.com from your server_name in your original block. Also I would break up your redirects from 80 to 443 in separate blocks as well. So you would repeat this process if a user tried to go to https://www.domain.com you would have a server that says similar things.
server {
listen 443;
server_name www.domain.com;
return 301 https://domain.com$request_uri;
}
And one to listen for http traffic on the domain you want, but redirected to https traffic.
server {
listen 80;
server_name domain.com;
return 301 https://domain.com$request_uri;
}
Then you can listen to just port 443 in your server block where you want everyone to go and no redirects are in that block.
You can view documentation for nginx here which will show you that this is the proper way to rewrite
Replying to your comment, Use the three blocks that I have written, and in your original server block, you will need to remove
server_name domain.com www.domain.com 162.555.555.162;
and also remove
listen 80 deferred;
and add
server_name domain.com;
Also, just making sure you know that for this to work, you will have to have your domain and www subdomain pointing at your server