Nginx ssl redirection and certbot - nginx-config

I have a test server with docker compose + nginx + certbot (get certificates from let's encript).
Nginx config:
server {
listen [::]:80;
listen 80;
server_name testdomain.com www.testdomain.com;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/certbot;
}
server_tokens off;
# redirect http to https www
return 301 https://www.testdomain.com$request_uri;
}
#other server configs
certbot says in logs:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: testdomain.com
Type: connection
Detail: Fetching http://testdomain.com/.well-known/acme-challenge/vXDwOBgMA9DEq2IvxqUxxxxxxxxxx: Connection refused
Domain: www.testdomain.com
Type: connection
Detail: Fetching http://www.testdomain.com/.well-known/acme-challenge/shRZla5V7iFXB6D__xxxxx: Connection refused
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
I've put a temporary file to the /.well-known/acme-challenge/(http) but it can't be downloaded (if I try to open mydomain.com/index.html - works fine, but redirects to https version).
I think that problem is in the fact, my config tryes to redirect certbot requests to https, too. Do you have any idea how to get /.well-known/acme-challenge/ out of https rules?

I've found solution:
server {
listen [::]:80;
listen 80;
server_name testdomain.com www.testdomain.com;
location ^~ /.well-known/acme-challenge {
allow all;
root /var/www/certbot;
}
location / {
# redirect http to https www
return 301 https://www.testdomain.com$request_uri;
}
server_tokens off;
}
Now everithing is redirecting to https excluding content of this folder /.well-known/acme-challenge

Related

nginx redirect rule is redirecting everything to https even for other ports

Hello I have this config
server {
listen 82;
server_name myapp.mydomain.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name myapp.mydomain.com
# ... remain of the stuff here
}
Before that I had other websites running in ports: 80, 3000 etc... now when I access http://myapp.mydomain.com automatically redirects me to my app (as is I were invoking port 82) and if I try to access another app running on 3000 port it tries to rewrite the https://myapp.mydomain.com:3000 as well... if I use the ip it works as expected (not the ssl part).
Full config can be found at:
https://gist.github.com/angvp/363f50ff8b8d345126adaf1595cd2523
Any ideas?
Ok after I start digging I had this on my nginx conf:
add_header Strict-Transport-Security max-age=15768000;
This is a security measure but that was causing all the subdomains even on different ports will try always https .. the correct way should be to have different subdomains per vhost per port..

NGINX redirect old https domain to new non-https

Yesterday I have changed my domain name hat was foobar.tk and it was running over https. For now, on my new domain foobar.eu I does not have ssl.
I have succeed with redireting using CNAME records while I am not using https, but somehow I cannot redirect https://www.example.tk to http://www.example.eu Chrome says that connection was resset. Firefox says that content cannot be validated,...
For redirection I am using these lines:
server {
listen 443; (note: i have tried with *:443, *:443 ssl, 443 ssl)
server_name www.example.tk; (i have tried with orwithout www.)
return 301 http://www.example.eu$request_uri; (i have tried to redir to $host also where then cname will handle the issue)
}
What works:
http://www.example.tk -> http://www.example.eu using CNAME (and all other subdomains)
What is not working:
https://www.example.tk -> http://www.example.eu
I still can certificates backed-up, so if it can help in some way please tell me.
Thank you
When setting up SSL on Nginx you should use ssl_certificate and ssl_certificate_key directives.
server {
listen 443 ssl;
server_name www.example.tk;
ssl_certificate /path/to/certificate; #.crt, .cert, .cer, or .pem file
ssl_certificate_key /path/to/private/key;
return 301 http://www.example.eu$request_uri;
}
These two files you can get from your Certificate Authority.
Also you should add ssl parameter to listen directive.

Nginx redirect root domain which is not in SSL certificate

I have an SSL wildcard certificate for *.example.com which is not valid for the root domain. I would like Nginx on Ubuntu 14.04 to
accept only requests for defined hosts
redirect all http requests for root domain and www subdomain to https www subdomain
return 404 for the root domain only on port 443, e.g. if reuqest is
https://example.com
I managed to achieve 1 and 2 with the configuration copied below.
server {
#listen 80;
#isten 443;
return 404;
}
server {
listen 80;
server_name example.com www.example.com;
return 301 https://www.example.com$request_uri;
}
server {
listen 443 ssl;
#certificate and key referenced in common.conf
server_name www.example.com;
root /usr/share/nginx/html/example.com;
index index.php index.html index.htm;
include common/common.conf;
}
When I remove comment marks from the second and third lines above, hoping to return 404 only for https://example.com - nothing works. For example, I get ERR_CONNECTION_CLOSED in Chrome for both https://www.example.com/ and http://ww.example.com/.
What should I do to achieve 1), 2) and 3) together?
Many thanks.
... wildcard certificate for *.example.com which is not valid for the root domain
... return 404 for the root domain only on port 443, e.g. if reuqest is https://example.com
This is not possible. With https the HTTP response is generated inside an established TLS connection for the host in the URL. Thus to return a 404 for access to https://example.com you must first have a validated TLS connection. But because example.com is not contained in your certificate you get a validation error when trying to establish the TLS connection and thus no TLS connection is successfully established and no 404 can be returned inside the connection.

Nginx: Redirect both http://example.com and http://*.example.com to https://example.com

I only have an SSL certificate for example.com and want to redirect both http://example.com and http://*.example.com to https://example.com using nginx. I'm aware of it being impossible to redirect subdomains via SSL without a certificate including all the subdomains, but at least, I should be able to redirect users who are typing www.example.com (port 80) to the SSL homepage.
My current nginx config starts as follows:
server {
# This should catch all non-HTTPS requests to example.com and *.example.com
listen 80;
server_name example.com *.example.com;
access_log off;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl;
# Actual server config starts here...
Requesting http://example.com will be redirected properly to https://example.com, whereas http://www.example.com leads to https://www.example.com (and of course, the browser is showing a certificate error). I think it has something to do with the processing order of the server_name values, but I haven't found any information about how to enforce a certain order.
Try to add another server {}
server {
listen 80;
server_name www.example.com
access_log off;
return 301 https://example.com$request_uri;
}
Try:
server_name example.com www.example.com *.example.com;
Taken directly from the Nginx docs.

CloudFront - CNAME doesn't match in nginx

I have a distribution with 2 CNAMES: example.com and www.example.com . My goal is redirect www.example.com to example.com
CloudFront points to a LoadBalancer, which points to a EC2 machine. This EC2 machines serves thought a nginx.
My config is:
server {
listen 80;
server_name default;
access_log /var/log/nginx/default.access.log;
root /xxxx/;
index index.html index.htm;
location /index.html {
add_header "Cache-Control" "public, must-revalidate, proxy-revalidate, max-age=0";
}
}
server {
listen 80;
server_name ~^(www\.)?(?<domain>.+)$;
return 301 https://$domain$request_uri;
}
The problem is that "server_name" receives "XXX-YYY-ZZZ-WWW.ap-northeast-1.elb.amazonaws.com", not the CNAME (so I don't have the information for get the domain).
Any solution?
You might try to enable forwarding of Host header in CloudFront (see details here: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html). Then you should use Host header value in your nginx config to trigger redirect