Nginx Subdomains: Redirect /.well-known path for Let's Encrypt

I have an Nginx server running with two sub-domains. One of them uses a proxy_pass to redirect everything to a Meteor application, and the other sub-domain just uses Laravel, but in a different directory than the normal domain.
So, when I start ./letsencrypt-auto I get the following error-message for both sub-domains:
Failed authorization procedure. subdomain.mydomain.com (http-01): urn:acme:error:unauthorized ::
The client lacks sufficient authorization :: Invalid response from http://subdomain.mydomain.com/.well-known/acme-challenge/xyzxyzxy_xzyzxyxyyx_xyzyxzyxz: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
My interpretation of that is that it doesn't work because my Laravel sub-domain is not in /var/www/domain.com/html but in /var/www/laravel/html, and my Meteor application is somewhere else and nginx just does the proxy passing.
So my question is: Can I redirect /.well-known/acme-challenge for both subdomains to the real /.well-known so that letsencrypt-auto doesn't throw this error?
More Information:
I've tried
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /tmp/letsencrypt-auto;
}
but it didn't work...
Config for my Meteor sub-domain:
server {
listen 80;
listen [::]:80;
# SSL configuration
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
[…] SSL stuff […]
server_name meteor.domain.com;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header X-Forwarded-For $remote_addr;
}
location ~ /.well-known {
allow all;
}
}
Config for my Laravel sub-domain:
server {
listen 80;
server_name laravel.domain.com;
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
[…] SSL stuff […]
root /var/www/laravel/html;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ /.well-known {
allow all;
}
location ~ \.(hh|php)$ {
fastcgi_keep_conn on;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}

Your location ~ /.well-known blocks are regex locations and will take precedence over the prefix location you are attempting to add.
You need to delete them.
See this document on the location directive.
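To make this answer concrete, here is an added Python model of nginx's location selection order (it is not part of the thread and simplifies nginx; nested locations and rewrites are ignored), run against the asker's Meteor server block. It also shows the ^~ modifier, which is not mentioned above but lets a prefix location win over regex locations without deleting them.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Location:
    modifier: str                 # "" (prefix), "=", "^~", "~" or "~*"
    pattern: str
    directives: dict = field(default_factory=dict)

def select_location(locations, uri):
    """Return the Location nginx would choose for uri (simplified model)."""
    prefixes = [l for l in locations if l.modifier in ("", "=", "^~")]
    regexes = [l for l in locations if l.modifier in ("~", "~*")]
    for loc in prefixes:                    # 1. an exact "=" match ends the search
        if loc.modifier == "=" and loc.pattern == uri:
            return loc
    best = None                             # 2. longest matching prefix
    for loc in prefixes:
        if loc.modifier != "=" and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best                         #    "^~" skips the regex phase
    for loc in regexes:                     # 3. regexes in config order, first hit wins
        flags = re.IGNORECASE if loc.modifier == "~*" else 0
        if re.search(loc.pattern, uri, flags):
            return loc
    return best                             # 4. else the longest prefix (None -> 404)

def challenge_file(locations, uri, server_root=None):
    """Path nginx would open: the chosen location's root (else the server's)
    plus the URI; None when neither sets a root, as in the Meteor block."""
    loc = select_location(locations, uri)
    root = loc.directives.get("root", server_root) if loc else server_root
    return None if root is None else root + uri

# The asker's Meteor server block plus the location they tried to add.
CHALLENGE = "/.well-known/acme-challenge/xyzxyzxy_xzyzxyxyyx_xyzyxzyxz"
ACME = Location("", "/.well-known/acme-challenge", {"root": "/tmp/letsencrypt-auto"})
ASKER = [
    Location("", "/", {"proxy_pass": "http://localhost:3000"}),
    Location("~", "/.well-known", {"allow": "all"}),   # regex: wins, but has no root
    ACME,
]
FIXED = [loc for loc in ASKER if loc.modifier != "~"]  # the regex block deleted
PINNED = ASKER[:2] + [Location("^~", ACME.pattern, ACME.directives)]  # regex kept
```

With the config as posted, challenge_file(ASKER, CHALLENGE) is None because the regex block wins and sets no root; with FIXED or PINNED the request maps to /tmp/letsencrypt-auto/.well-known/acme-challenge/....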

Okay, thanks to the tips from Richard Smith I solved it:
I kept this in the Config-Part for the domain.com-Part as described in this tutorial.
location / {
try_files $uri $uri/ =404;
}
but put that into the Config-Part for subdomain.domain.com instead:
location /.well-known/ {
root /var/www/domain.com/html;
}
What it does is handle any request to subdomain.domain.com/.well-known/[anything] as domain.com/.well-known/[anything], so letsencrypt-auto no longer throws the error.

NGINX not respecting server_name regex

I have this nginx config. I want it to accept all domains that have the word competitions in them and end with .com.au. I have tested with a domain name that should NOT be accepted but it reaches the application. Is the server_name being ignored because I'm using a proxy?
server {
listen 80 default_server;
server_name ~^(.+)competitions?(.+)\.com\.au;
access_log /var/log/nginx/$host.access.log;
error_log /var/log/nginx/error.log;
if ($host !~* ^www){
rewrite ^/(.*)$ https://www.$host/$1 permanent;
}
location / {
proxy_no_cache 1;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8888;
try_files $uri $uri/ @proxy;
}
location @proxy {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8888;
proxy_intercept_errors on;
recursive_error_pages on;
error_page 404 = @rewrite_proxy;
}
location @rewrite_proxy {
rewrite /(.*) /index.cfm?path=$1;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8888;
}
}
You'd have to remove the default_server from there, because this is a catch-all directive. And you could still set up another server with the default_server directive, if required.
See How nginx processes a request for a more detailed explanation:
If its value does not match any server name, or the request does not contain this header field at all, then nginx will route the request to the default server for this port.

nginx rewrite rules for only SSL

I want to redirect all traffic of a domain to one target:
https://example.com
We want to change http to https and www to nonwww.
Nginx 1.8.1 is the server
This is the vhost:
server {
listen xxx.xxx.xxx.xxx:80;
listen xxx.xxx.xxx.xxx:443 ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /www/clients/client1/web2/ssl/example.com.crt;
ssl_certificate_key /www/clients/client1/web2/ssl/example.com.key;
server_name example.com www.example.com;
root /var/www/example.com/web;
#This is a rewrite from www.example.com -> example.com
if ($http_host = "www.example.com") {
rewrite ^ $scheme://example.com$request_uri? permanent;
}
......
......
}
The problem we have is that all the redirects and rewrite rules we checked out worked well for these three cases:
https://example.com --> is the right target, works
http://www.example.com --> https://example.com works
http://example.com --> https://example.com works
but
https://www.example.com --> https://example.com doesn't work
In browsers we see https://www.example.com instead of the target SSL domain https://example.com.
In this case our SSL cert shows an "untrusted" message.
The configuration of the vhost is preset by ISPConfig.
Has anybody had the same experience? And maybe a solution?
Your certificate is most likely only issued for example.com and is not valid for www.example.com. Redirections, like the one you have in your NGINX config, happen only after the TLS/HTTPS handshake, which is what your browser is complaining about.
You will need to request your certificate issuer to issue a new certificate that is valid for both example.com and www.example.com. Most issuers should have done this to begin with and do not charge any fees.
Here is what I have done with one of my domains.
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
return 301 https://$host$request_uri;
root /var/www/public_html;
index index.php index.html index.htm;
server_name domain.com www.domain.com;
add_header Strict-Transport-Security "max-age=31536000";
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg)$ {
expires 2d;
}
}
server {
listen 443;
add_header Strict-Transport-Security "max-age=31536000";
root /var/www/public_html;
index index.php index.html index.htm;
server_name domain.com www.domain.com;
ssl on;
ssl_certificate /etc/ssl/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/myserver.key;
ssl_dhparam /etc/ssl/dhparams.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#Disables all weak ciphers
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
client_max_body_size 20M;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg)$ {
expires 30d;
}
}
By the way, these settings get my domain an A+ on the SSL Labs test.
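To make the earlier point about the handshake concrete, here is an added Python model (not from the thread) of the four cases the question lists: a browser checks the certificate's names during the TLS handshake, so nginx's www rewrite can only answer once that has succeeded. Hostname matching follows the usual RFC 6125 rules; the certificate name lists are constructed to match the answer's suspicion and its recommendation.

```python
from urllib.parse import urlsplit

def hostname_matches(cert_name, host):
    """RFC 6125-style match of one certificate name against a hostname:
    case-insensitive; "*" is allowed only as the whole leftmost label and
    stands for exactly one label ("*.example.com" covers www.example.com
    but neither example.com nor a.b.example.com)."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    labels = host.split(".")
    return len(labels) > 1 and labels[0] != "" and ".".join(labels[1:]) == cert_name[2:]

def cert_covers(san_names, host):
    return any(hostname_matches(n, host) for n in san_names)

def fetch(url, san_names):
    """One browser request against the vhost in the question. For https the
    handshake runs first: if the certificate does not cover the name, the
    browser stops there and never sees nginx's rewrite ("tls_error").
    Otherwise the www->non-www / http->https rewrite answers ("redirect")
    or the canonical page is served ("ok")."""
    parts = urlsplit(url)
    if parts.scheme == "https" and not cert_covers(san_names, parts.hostname):
        return "tls_error"
    if parts.scheme == "http" or parts.hostname.startswith("www."):
        return "redirect"
    return "ok"

def walk(url, san_names, target="https://example.com"):
    """Outcomes the browser sees, following one redirect to the target."""
    steps = [fetch(url, san_names)]
    if steps[0] == "redirect":
        steps.append(fetch(target, san_names))
    return steps

# Constructed certificate name lists for the two situations the answer describes.
ISSUED_FOR_APEX = ["example.com"]                      # the answer's suspicion
ISSUED_FOR_BOTH = ["example.com", "www.example.com"]   # what the answer recommends
```

walk("https://www.example.com", ISSUED_FOR_APEX) stops at "tls_error", while the same URL with ISSUED_FOR_BOTH yields ["redirect", "ok"]; the three cases the asker saw working never involve a handshake against the www name.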

Nginx reverse proxy causing infinite loop

I have the following in my Nginx site config file:
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.php index.html index.htm;
server_name example.com;
location / {
try_files $uri $uri/ /index.php?q=$uri&$args;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
}
server {
listen 80;
server_name example2.com;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://localhost/page-1/;
}
}
The issue only seems to occur when I add the proxy_set_header Host $host; line. It appears that the $host variable creates a redirect loop and the GET request from the error server logs goes something like this ...page-1/page-1/page-1/page-1... with the server responding with an internal error 500.
I'd be really grateful if anyone could tell me what I'm doing wrong. Many thanks in advance!
I had the same issue, and as suggested by Alexey Ten, the solution is to remove the Host header.
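Both this thread and the earlier "NGINX not respecting server_name regex" one come down to how nginx chooses a server block. The following added Python model (not from either thread; a simplified version of the order described in "How nginx processes a request") reproduces the regex site swallowing unrelated names because of default_server, and the /page-1/page-1/... loop caused by forwarding Host: $host back to the same nginx. The catch-all returning 444 is one common choice for the extra default server the answer mentions, not something the thread specifies.

```python
import re

def select_server(servers, host):
    """Pick the server block nginx uses for Host `host` on one listen port.
    servers: dicts with "names" (server_name tokens, regexes written with a
    leading "~") and an optional "default": True for the default_server flag."""
    host = host.lower()
    names = [(n, s) for s in servers for n in s["names"]]
    for n, s in names:                                   # 1. exact name
        if n == host:
            return s
    for leading in (True, False):                        # 2./3. longest wildcard
        hits = [(n, s) for n, s in names
                if (leading and n.startswith("*.") and host.endswith(n[1:]))
                or (not leading and n.endswith(".*") and host.startswith(n[:-1]))]
        if hits:
            return max(hits, key=lambda h: len(h[0]))[1]
    for n, s in names:                                   # 4. first regex, config order
        if n.startswith("~") and re.search(n[1:], host):
            return s
    # 5. no name matched (or no Host header at all): the port's default server
    return next((s for s in servers if s.get("default")), servers[0])

def follow_proxy(servers, host, uri, max_hops=5):
    """Follow proxy_pass hops that land on this same nginx (port 80). Returns
    the (server_name, uri) pairs visited; stops at a non-proxying block."""
    trail = []
    for _ in range(max_hops):
        srv = select_server(servers, host)
        trail.append((srv["names"][0], uri))
        if srv.get("action") != "proxy":
            return trail
        uri = srv["prefix"] + uri           # "location /" -> http://localhost/page-1/
        # proxy_set_header Host $host forwards the client's name; without it
        # nginx sends the host part of the proxy_pass URL ("localhost")
        host = host if srv.get("host_header") == "$host" else srv["upstream"]
    return trail

# "NGINX not respecting server_name regex": the regex block as posted (with
# default_server) and the split the answer suggests (constructed catch-all).
REGEX = r"~^(.+)competitions?(.+)\.com\.au"
AS_POSTED = [{"names": [REGEX], "default": True}]
SPLIT = [{"names": [REGEX]}, {"names": ["_"], "default": True, "action": "return 444"}]

# "Nginx reverse proxy causing infinite loop": example2.com proxies to
# http://localhost/page-1/ on the same box, where example.com is default_server.
UPSTREAM = {"names": ["example2.com"], "action": "proxy", "upstream": "localhost", "prefix": "/page-1"}
WITH_HOST = [{"names": ["example.com"], "default": True}, dict(UPSTREAM, host_header="$host")]
WITHOUT_HOST = [{"names": ["example.com"], "default": True}, UPSTREAM]
```

follow_proxy(WITH_HOST, "example2.com", "/") keeps landing in the example2.com block with a growing /page-1/page-1/... URI until max_hops, while WITHOUT_HOST reaches the example.com block after one hop.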

Laravel/Homestead Nginx SSL Redirect Loop

I have seen other topics like this one: Nginx configuration leads to endless redirect loop; however, all of the configurations I have tried resulted in no change.
Problem: I want to force ALL routes to https in my Laravel 4 application but they always result in a redirect loop.
The nginx config is inside a Laravel Homestead environment. Here is the config:
server {
listen 80;
server_name dev.subdomain.mysite.com;
root /home/vagrant/sites/work/dev.subdomain.mysite.com/public;
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Url-Scheme $scheme;
proxy_redirect off;
proxy_max_temp_file_size 0;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/dev.subdomain.mysite.com-error.log error;
error_page 404 /index.php;
sendfile off;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
server {
listen 443;
server_name dev.subdomain.mysite.com;
root /home/vagrant/sites/work/dev.subdomain.mysite.com/public;
index index.html index.htm index.php;
charset utf-8;
location / {
try_files / /index.php?;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Url-Scheme $scheme;
proxy_redirect off;
proxy_max_temp_file_size 0;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/dev.subdomain.mysite.com-error.log error;
error_page 404 /index.php;
sendfile off;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
}
I have disabled all routes in my application, my .htaccess is the Laravel provided default. I'm not sure what else to try.
First off, Laravel Homestead uses 44300 as an alias for 443 on the vagrant box.
Your http to https redirect should also be accomplished simply by:
server {
listen 80;
server_name mysite.com;
return 301 https://example.com$request_uri;
}
server {
listen 443;
server_name example.com;
root /home/vagrant/sites/work/example.com/public;
[...] // All other Laravel-related stuff
}
Secondly, you seem to be using a dev site with Homestead; double check that your hosts file and homestead.yaml are set up accordingly and everything is in order there.
Also, when making changes to SSL-certs and nginx-files, your safest bet is always to do a vagrant reload to make sure all edits are reloaded.

Nginx redirection to https://www.domain.tld

I am trying to make my domain name only work with a https:// and www in front of it. It's important that domain.com without the www. redirects to the www, and it's also important that https:// is always enabled. I am having a lot of trouble achieving this. I've removed all the redirects from the config because they all just give me errors.
server {
listen 80;
default_type text/html;
server_name epicmc.us;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
try_files $uri $uri/ /index.html;
}
root /usr/share/nginx/html;
index index.php index.html index.htm;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# pass the PHP scripts to FastCGI server listening on the php-fpm socket
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
server {
listen 443;
default_type text/html;
server_name www.epicmc.us;
root /usr/share/nginx/html;
index index.php index.html index.htm;
ssl on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
ssl_certificate /etc/nginx/ssl/cert.crt;
ssl_certificate_key /etc/nginx/ssl/private.key;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}
# Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
#location /RequestDenied {
# proxy_pass http://127.0.0.1:8080;
#}
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
#error_page 500 502 503 504 /50x.html;
#location = /50x.html {
# root /usr/share/nginx/html;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
}
EDIT: I am now using a PHP redirect, but there has to be a better option...
You should define an additional virtualhost, and there redirect all clients to the desired method+host.
Add to your config (tune to your taste, of course):
# redirection vhost
server {
listen 10.1.2.3:80;
server_name www.epicmc.us epicmc.us;
access_log /logs/access.log full;
error_log /logs/error.log notice;
location / {
rewrite ^/(.*)$ https://www.epicmc.us/$1 permanent;
}
}
There are two ways of doing this: a simple redirect with return 301
server {
server_name www.example.com;
listen 80;
return 301 https://$host$request_uri;
}
or using rewrite rules:
server {
listen 80;
server_name www.example.com;
location / {
rewrite ^/(.*)$ https://www.example.com/$1 permanent;
}
}
Check the answers for this question; it might be helpful.
Hey guys, I'm using Cloudflare's flexible SSL, so my problem was that I had to do the page rules on their site and not in my config. That's why I was getting redirect errors.