Nginx Configuration Issues - Certificate Obtained but not used by NGINX


#1

Took a while to get letsencrypt working on my nginx server (I’m trying it to learn more…having a hard time with it though). Once I got it, and I was redirecting traffic going to port 80 up to port 443 with a 301, suddenly the default welcome nginx page is there, not my page that was being served at http. I can’t find where this default is being called, or where to find it. Forgive my noobedness, but can anyone with nginx exp help me out? I’ll paste my sites-available conf file if you think it’s in there.


#2

/etc/nginx/sites-available/default

```nginx
# Default server configuration
#
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name allianceinfosec.com www.allianceinfosec.com;
    return 301 https://$server_name$request_uri;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    location ~ /\.well-known {
        allow all;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php7.0-cgi alone:
    #    fastcgi_pass 127.0.0.1:9000;
    #    # With php7.0-fpm:
    #    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}

server {
    # SSL Configuration

    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-allianceinfosec.com.conf;
    include snippets/ssl-params.conf;

}
```


#3

What’s in those?


#4

Hi @74rku5,

Are you using certbot?

Have a look at this site for some good config examples: https://wiki.mozilla.org/Security/Server_Side_TLS

Generally it’s a good idea to stick to well known configurations or if you are using custom configuration to explain it first so people can assist.

Andrei


#5

```
$ cat ssl-allianceinfosec.com.conf
ssl_certificate /etc/letsencrypt/live/allianceinfosec.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/allianceinfosec.com/privkey.pem;
```

```nginx
$ cat ssl-params.conf
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;
```


#6

I can’t find any server_name allianceinfosec.com www.allianceinfosec.com in your “SSL Configuration” server {} block.

Oh and root /var/www/html;… Like… All the things that would make up a usable server {} block are missing from the SSL server block…

No wonder nginx can’t load your HTTPS site: it isn’t configured at all. You’ve got all the things correct for your site on port 80, but you left out everything important in the port 443 piece. You just added the SSL things. But by leaving all the important stuff out, like root and server_name, nginx doesn’t do anything with the SSL server block. It is never used.

You should make a “copy” of the port 80 server block and modify it for TLS by changing the listen directive and adding the SSL stuff… Not only implementing the SSL stuff, no: add the SSL stuff to all the regular directives.
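A corrected /etc/nginx/sites-available/default along the lines Osiris describes, as an added example; it is not the poster's file or anything from the thread. It keeps the names, paths and snippet includes from posts #2 and #5 and assumes the webroot is /var/www/html and that both snippets exist as shown there. The welcome page appeared because the :443 block was in fact being selected (it is default_server), but with no root directive nginx served its compiled-in document root, which on Debian and Ubuntu is /usr/share/nginx/html, the directory holding the stock "Welcome to nginx!" page. The example also moves the redirect into a location block: a server-level return runs before location matching, so the posted .well-known location on port 80 could never be reached.

```nginx
# /etc/nginx/sites-available/default (example rewrite, not the poster's file)

# Plain-HTTP block: answers ACME challenges, redirects everything else to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name allianceinfosec.com www.allianceinfosec.com;

    # Keep the webroot challenge path reachable over plain HTTP so certbot
    # renewals do not depend on the TLS block being healthy. "^~" stops
    # nginx from consulting regex locations for this prefix.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # Everything else goes to HTTPS. $server_name is the first name listed
    # above; unlike $host it cannot be steered by an arbitrary Host header,
    # which matters because this block is the default_server.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

# HTTPS block: a copy of the site's real configuration plus the TLS directives.
# Without server_name, root and index here nginx still picks this block
# (default_server on :443) but serves its compiled-in root, which on Debian is
# /usr/share/nginx/html: that is where the "Welcome to nginx!" page comes from.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name allianceinfosec.com www.allianceinfosec.com;

    include snippets/ssl-allianceinfosec.com.conf;   # ssl_certificate / ssl_certificate_key
    include snippets/ssl-params.conf;                # protocols, ciphers, HSTS, stapling

    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;

    location / {
        # Serve the file, then the directory, otherwise 404 (Debian default).
        try_files $uri $uri/ =404;
    }

    # PHP: uncomment only if php7.0-fpm is actually installed.
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    #}

    # Deny .htaccess files if an Apache docroot ever shares this directory.
    location ~ /\.ht {
        deny all;
    }
}
```

To verify: `sudo nginx -t` checks syntax, `sudo nginx -T` dumps the full effective configuration so you can confirm which block carries root and server_name, then `sudo systemctl reload nginx`. `curl -sI http://allianceinfosec.com/` should return a 301 with a `Location: https://allianceinfosec.com/` header, `curl -sI https://allianceinfosec.com/` should return 200 with your own page, and `openssl s_client -connect allianceinfosec.com:443 -servername allianceinfosec.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer` should show the Let's Encrypt issuer rather than a snakeoil certificate. One caveat on the posted ssl-params.conf: TLS 1.0 and 1.1 are deprecated (RFC 8996), so `ssl_protocols TLSv1.2 TLSv1.3;` is the setting to use today (TLS 1.3 needs nginx 1.13.0 or newer built against OpenSSL 1.1.1 or newer).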


#8

Osiris takes the prize.

The noob learned something today.

Thank you, Osiris!


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.