I have a staging rails app running with passenger on nginx. I want to secure the connections with SSL. I have read a lot of resources online but I have yet to make it run on SSL.
So far, my server block on nginx.conf is:
server {
listen 80;
listen 443 default deferred;
server_name example.com;
root /home/deploy/app/public;
passenger_enabled on;
passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;
ssl on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:RSA+3DES:!ADH:!AECDH:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/ssl/server.crt;
ssl_certificate_key /etc/ssl/server.key;
}
The site is running but not on HTTPS.
I've just made the decission to go with SSL myself and found an article on the DigitalOcean site on how to do this. It might be the listen 443 default deferred;, which according to that article should be ssl not deferred.
Here's the nginx block they use;
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
listen 443 ssl;
root /usr/share/nginx/html;
index index.html index.htm;
server_name your_domain.com;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
location / {
try_files $uri $uri/ =404;
}
}
UPDATE:
I now have my own site running on SSL. Along with the above I just told Rails to force SSL. In your production environment config;
# ./config/environments/production.rb
config.force_ssl = true
Optionally, you can add these setting in the nginx.conf;
http {
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 70;
}
UPDATE: 2015-09
Since I wrote this answer I've added a few of extra things to my nginx config, which I believe everyone should also include. Add the following to your server block;
server {
ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
add_header X-Frame-Options DENY;
}
The first three lines (ssl_prefer_server_ciphers, ssl_protocols, ssl_ciphers) are the most import as they make sure you have a good strong SSL settings.
The X-Frame-Options prevents your site from being included via the <iframe> tags. I expect most people will benefit from including this setting.
Related
I have installed shopware5 in a docker container and made it to go out with a reverse proxy nginx.
After the installation, the main page of the website works, but when I click on any of it's tabs, it forwards to the container directly and changes the address in the URL to the address and the port of the container. Therefore it shows that the website cant be reached.
I am wondering if this could be something related to the nginx or the shopware itself.
Any advises will be greatly appreciated.
this is the configuration of the proxy:
server {
listen 443 ssl http2;
# listen 80 http2;
server_name domainname.com;
ssl_certificate /etc/nginx/certificates/domainname.crt;
ssl_certificate_key /etc/nginx/certificates/domainname.key;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_ecdh_curve secp384r1;
# root /var/www/html;
error_log /var/log/nginx/domain-error.log;
access_log /var/log/nginx/domain-access.log;
add_header Access-Control-Allow-Origin *;
location / {
proxy_pass http://localhost:8081/;
}
}
I have a site that I built using ruby on rails on nginx server with passenger. My client decided to install ssl certificate.I am a newbie to that kind of issues and I have never did it before and I need to confirm that my sites-enabled/default file is configured properly.
My current configuration is :
server {
listen 80;
listen [::]:80 ipv6only=on;
server_name www.mysite.com;
passenger_enabled on;
rails_env production;
root /home/directory;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
and for adding ssl certificate, I will add another server block like below:
server {
listen 443;
server_name www.mysite.com;
passenger_enabled on;
rails_env production;
root /home/directory;
ssl on;
ssl_certificate /etc/ssl/my_certificate;
ssl_certificate_key /etc/ssl/my_private_key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_stapling on
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
is that a right way and parameters to configure nginx or I need to combine them in one server block ?
is there any thing missing should I add to the previous config ?
in the :server_name www.mysite.com;
can I replace it with my IP address instead of the domain name ?
Thanks for your time in advance
You can have HTTP and HTTPS servers in the same server section
server {
listen 80;
listen [::]:80 ipv6only=on;
listen 443 ssl;
...
}
For complete SSL related configuration I would recommend to use Mozilla generator
Yes, but you shouldn't. Nginx will match your first server section even if you haven't set server_name properly, but such configuration is hard to support and troubleshoot
I am trying to gather some information on what could be the possible avenues to look for when nginx-reverseproxy is not forwarding request to a docker container (let's called it app-core).
I am able to access app-core by doing a curl request from nginx-reverseproxy container.
Both nginx-proxy and app-core are running. Both are on the same network.
I don't think there is anything of interest in /etc/nginx/conf.d/default.conf. Nevertheless, I have posted a snippet of it here
upstream \ app-core.com {
# app-core for docker compose
server app-core:80;
}
server {
server_name \ app-core.com;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
return 301 https://$host$request_uri;
}
server {
server_name \ app-core.com;
proxy_connect_timeout 5m;
proxy_send_timeout 5m;
proxy_read_timeout 5m;
send_timeout 5m;
listen 443 ssl ;
access_log /var/log/nginx/access.log vhost;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_certificate /etc/nginx/certs/app-core.com.crt;
ssl_certificate_key /etc/nginx/certs/app-core.com.key;
add_header Strict-Transport-Security "max-age=31536000";
location / {
proxy_pass http://\ app-core.com;
}
}
May I know what could be the possible issue here?
Docker version 17.09.0-ce, build afdb6d4
Thanks
I need to configure nginx for one of my rails application to route some pages through SSL but facing problem with configuration.
I've a SSL certificate where common name is example.com and my site is routing to example.com from www.example.com
Here is my nginx.conf:
upstream unicorn {
server unix:/tmp/unicorn.sock fail_timeout=0;
}
server {
listen 80;
server_name www.example.com;
return 301 $scheme://example.com$request_uri;
}
server {
listen 443 ssl;
server_name example.com;
return 301 $scheme://example.com$request_uri;
ssl on;
ssl_certificate /certificate path;
ssl_certificate_key /key path;
}
server {
listen 80 default deferred;
root /public path;
try_files $uri/index.html $uri #unicorn;
location #unicorn {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://unicorn;
}
client_max_body_size 50M;
}
I've tried different configuration as well but nothing work. Any suggestion would be appreciated. Thanks in advance for that.
Not sure if this help.
I have had a same problem. I struggle with it for a longtime until I redirect from ApplicationController
In the ApplicationController:
before_filter :redirect_subdomain
def redirect_subdomain
if request.host == 'www.example.com.au'
redirect_to 'https://example.com.au' + request.fullpath
end
end
My issue has been resolved by doing modifications below, answering this as it might help someone else:
Removed ssl_certificate and ssl_certificate_key from default_server block.
Removed URL overwriting from SSL server block.
Added ssl_protocols and ssl_ciphers to SSL server block
The configuration look like below after modification:
upstream unicorn {
server unix:/tmp/unicorn.sock fail_timeout=0;
}
server {
listen 80;
server_name www.example.com;
return 301 $scheme://example.com$request_uri;
}
server {
listen 80 default_server;
root /example.com/current/public;
try_files $uri/index.html $uri #unicorn;
......
}
server {
listen 443 ssl;
server_name example.com www.example.com;
ssl on;
ssl_certificate /example.com.crt;
ssl_certificate_key /example.com.key;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
......
}
I'm deploying a Rails application on personal server using Nginx, phusion_passenger. I've site configuration file with following server blocks. With this configuration my http://192.168.1.121 service doesn't work while https://192.168.1.121 fails with forbidden (access denied) error.
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
# Make site accessible from http://192.168.1.121/
server_name 192.168.1.121;
passenger_enabled on;
rails_env production;
root /home/deploy/www/myrailsapp/current/public;
index index.html index.htm;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
server {
listen 443;
server_name 192.168.1.121;
passenger_enabled on;
rails_env production;
root /home/deploy/www/myrailsapp/current/public;
index index.html index.htm;
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
error_page 500 502 503 504 /50x.html;
location / {
try_files $uri $uri/ =404;
}
}
production.rb has force_ssl: true
Also, If I remove server {} block with https entry, application works on http just fine (of course I've to comment out force_ssl: true from production.rb). I'm very puzzled by the access denied error if the same directory is accessed from https.
- nginx version: nginx/1.6.2
- Rails 4.0
- Ruby 2.1.3
Any help is appreciated.
Try configuring the SSL on the same server block as your port 80 configuration.
Also, it's recommended to use the ssl parameter of the listen directive for port 443, instead of the ssl on directive.
So something like this:
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
# Use ssl parameter on the listening socket instead of the 'ssl on' directive
listen 443 ssl;
server_name 192.168.1.121;
# Rest of your ssl configuration here
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
passenger_enabled on;
rails_env production;
root /home/deploy/www/myrailsapp/current/public;
index index.html index.htm;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
Sources and Recommended Reading:
Official nginx docs - A single HTTP/HTTPS server
Digital Ocean tutorial (may or may not be helpful for your case)