Nginx not asking for client cert when POST method with payload - javascript

I have configured nginx for ssl-client-authentication. It is working fine for GET and POST (with out payload). But when we use POST with body, client is not passing the certificate.
Either nginx is not asking for the cert
Or the client(javascript) itself is ignoring the cert i'm not sure
Nginx Configuration
upstream abc-abc.com {
ip_hash;
server 172.16.x.x:8987;
}
server {
listen 443 ssl;
client_max_body_size 100M;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate ssl/bundle.crt;
ssl_certificate_key ssl/abc.key;
ssl_verify_client optional;
ssl_client_certificate /certs/client_ca.cert;
# Use Server preference
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
server_name "~^abc-(?:[A-Za-z0-9]{0,21}[A-Za-z0-9])?-?abc.com";
proxy_buffering off;
error_log /proc/self/fd/2;
access_log /proc/self/fd/1;
server_tokens off;
location = /robots.txt {
return 200 "User-agent: *\nDisallow: /\n";
}
location / {
proxy_pass https://abc-abc.com;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 36000s;
proxy_set_header X-SSL-Serial $ssl_client_serial;
proxy_set_header X-SSL-Verify $ssl_client_verify;
proxy_set_header X-SSL-SDN $ssl_client_s_dn;
proxy_set_header X-SSL-Cert $ssl_client_escaped_cert;
proxy_set_header X-SSL-Fingerprint $ssl_client_fingerprint;
proxy_set_header X-SSL-Start-Date $ssl_client_v_start;
proxy_set_header X-SSL-End-Date $ssl_client_v_end;
}
}
Please help, Thanks.

Related

Websocket connection issue on django production server

I am facing an issue with the WebSocket protocol. I am using Django channels/daphne. Everything is working normally on the development local server. I think the issue is with NGINX settings. The error code is 1006
Here is the reverse proxy that I am using:
location ~* \.(js|css|jpg|png|jpeg|html)$
{
try_files $uri $uri/ /;
}
location /
{
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header REMOTE-HOST $remote_addr;
#Persistent connection related configuration
add_header X-Cache $upstream_cache_status;
#Set Nginx Cache
proxy_ignore_headers Set-Cookie Cache-Control expires;
add_header Cache-Control no-cache;
expires 12h;
}
location /ws/ {
proxy_pass http://127.0.0.1:8001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
#PROXY-END/

Socket.io not working with nginx reverse proxy?

I'm trying to use socket.io with my nginx reverse proxy server, but it seems not working..
Chrome showing this wonderful waterfall:
screenshot:
and server's response is always like this:
96:0{"sid":"UU9d1DfZL5RD29kAAACq","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000}2:40
nginx.conf:
server {
listen 443 ssl;
server_name socket.my.domain;
ssl_certificate /etc/letsencrypt/live/socket.my.domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/socket.my.domain/privkey.pem;
location / {
proxy_pass http://127.0.0.1:1027/;
chunked_transfer_encoding off;
proxy_buffering off;
proxy_set_header Upgrade websocket;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr; # This line.
proxy_set_header Host $host;
proxy_http_version 1.1;
}
location /socket.io/ {
proxy_pass http://127.0.0.1:1027/socket.io/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_buffers 8 32k;
proxy_buffer_size 64k;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
}
}
socket.io server:
const io = require("socket.io")(1027);
io.on("connection", (socket) => {
console.log('connected');
});
front-end javascript:
let socket = io("https://socket.my.domain");
socket.on("connect", () => {
console.log(socket.id);
});
Server keep logging the message 'connected', but client doesn't log the message.
What's wrong with my code?

deploying Angular + Node Express with Nginx, return blank page

I'm trying to deploy my angular application on my EC2. I already have a Different app running on port 3000. now i'm trying to deploy my angular app on port 3030. but when i access it via the IP:3030 it works fine, but after configuring it with nginx it returns black page and with some 404 error on the Network tab.
server {
listen 443 ssl;
server_name <ABC.DOMAIN.COM>;
ssl_certificate /etc/letsencrypt/live/<ABC.DOMAIN.COM>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<ABC.DOMAIN.COM>/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
root /usr/share/nginx/html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name localhost;
location / {
proxy_pass http://localhost:3000/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header X-Nginx-Proxy true;
proxy_redirect off;
}
location /goalmate{
rewrite /goalmate/(.*)$ /$1 break;
proxy_pass http://localhost:3030/;
}
}
}
server {
listen 80;
server_name <ABC.DOMAIN.COM>;
return 301 https://$host$request_uri;
}
Error Showing in the Networktab
can someone help me.?
should'nt the requeston the networkTab show domain.com/goalmate/assets/ other than domain.com/assests

Making Socket.io path work with NGiNX proxy_pass

I would like to use NGiNX to proxy pass the following:
https://something.com/node.js/foo/bar/baz
into this:
https://something.com:3000/foo/bar/baz
I have successfully done it with the following NGiNX config:
location ~ /node.js/(.*) {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-NginX-Proxy true;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "";
add_header Cache-Control "public";
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_pass http://127.0.0.1:3000/$1$is_args$args;
}
location / {
try_files $uri /index.php$is_args$args;
}
The problem is the following: when I instantiate socket.io with the default path, it serves socket.io.js here:
https://something.com/node.js/socket.io/socket.io.js
So far so good, but then this javascript tells the client to make requests here, which fail for obvious reasons:
https://something.com/socket.io/...
So then I try to instantiate socket.io with the path option like so:
io.listen(server, { path: '/node.js/socket.io'} );
But the problem is that now the socket.io.js file is hosted here:
https://something.com/node.js/node.js/socket.io/socket.io.js
Is there a way to tell socket.io.js where to host the file socket.io.js but still use the given path?
What is the normal solution to this proxy_pass stuff with socket.io??
Well different ways to solve your issue but I would use below one
location ~ /node.js/(.*) {
rewrite "^/node.js/node.js/(.*)$" /node.js/$1 last;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-NginX-Proxy true;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "";
add_header Cache-Control "public";
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_pass http://127.0.0.1:3000/$1$is_args$args;
}
location / {
try_files $uri /index.php$is_args$args;
}

NGINX reverse proxy to node HTTPS

I've got an NGINX server running a reverse-proxy server to a node app.
Now I need to get it working with https but I keep getting 502: Bad Gateway error when trying to access the site at https
server {
listen 80;
server_name MYSERVERDOMAIN;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
server {
listen 443 ssl;
server_name MYSERVERDOMAIN;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Your setting looks correct, so I'm not quite sure about the issue. However, I'm using below setting for my production server with additional config for static assets folder and https auto-forward - which is the ultimate settings you may want for your production servers. Hope that it can help:
server {
listen 80;
server_name example.com;
rewrite ^/(.*) https://example.com/$1 permanent;
}
server {
server_name example.com;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/ssl/certs/www.example.chained.cer;
ssl_certificate_key /etc/ssl/private/www.example.com_ssl_private_key.key;
root /var/www/example/public;
location / {
try_files $uri #proxy;
}
location #proxy {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}

Categories