Nginx Server SSL HELP site.conf

Solved by Poet129

I'm trying to set up an SSL cache on nginx. I have configured everything (I think).

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})") {
        set $year $1;
        set $month $2;
        set $day $3;
    }

    set $http_x_forwarded_for_filt $http_x_forwarded_for;
    if ($http_x_forwarded_for_filt ~ ([0-9]+\.[0-9]+\.[0-9]+\.)[0-9]+) {
        set $http_x_forwarded_for_filt $1???;
    }

    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl on;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    root /var/www/html;
    port_in_redirect off;
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        try_files $uri $uri/ =404;
        server_tokens off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    include /var/www/nginx[.]conf;
}

However, unless I comment out the following lines like so, it doesn't work. Please help.

    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    # ssl on;
    # ssl_prefer_server_ciphers on;
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

The current error is 404; however, the cache works perfectly with just HTTP, but I have to disable HTTPS for that to work.


4 hours ago, Poet129 said:

However, unless I comment out the following lines like so, it doesn't work. Please help.

The current error is 404; however, the cache works perfectly with just HTTP, but I have to disable HTTPS for that to work.

You haven't defined a path to your SSL certificates (i.e. ssl_certificate or ssl_certificate_key entries).

If you're going to use Let's Encrypt, you can just use certbot to generate your config.

Here's an example of one of my default entries with a Sectigo SSL:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    server_name_in_redirect off;
    log_not_found off;

    return 410;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;

#   ssl on;
    ssl_certificate /etc/apache2/ssl/mydomain.pem;
    ssl_certificate_key /etc/apache2/ssl/mydomain.key;

    # Use only TLS
    ssl_protocols TLSv1.2;
    # Tell client which ciphers are available
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    # Use our own DH params
    ssl_dhparam /etc/nginx/certs/dhparam.pem;

    server_name_in_redirect off;
    log_not_found off;

    return 410;
}

 

Here's an example of one of my virtualhost entries with Let's Encrypt using Certbot:

server {
    server_name www.mydomain.com mydomain.com;
#   return 301 https://mydomain.com$request_uri;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    root /var/www/mydomain.com/;
    index index.php index.html index.htm;

    location ~ \.php$ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }

    location ~ /\.ht {
        deny all;
    }
}

server {
    if ($host = www.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name www.mydomain.com mydomain.com;
    listen 80;
    return 404; # managed by Certbot
}

 

P.S. For basic troubleshooting you should at least be looking at the nginx error_log, which will tell you the issue.


50 minutes ago, Jarsky said:

You haven't defined a path to your SSL certificates (i.e. ssl_certificate or ssl_certificate_key entries).

If you're going to use Let's Encrypt, you can just use certbot to generate your config.

 


They are in the config; they are added afterwards. I'm currently working on adapting lancache to use https.


17 minutes ago, Poet129 said:

They are in the config; they are added afterwards. I'm currently working on adapting lancache to use https.

They are not in the config you pasted. They must be in the server {} block with your listen 443.

e.g.

 

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})") {
        set $year $1;
        set $month $2;
        set $day $3;
    }

    set $http_x_forwarded_for_filt $http_x_forwarded_for;
    if ($http_x_forwarded_for_filt ~ ([0-9]+\.[0-9]+\.[0-9]+\.)[0-9]+) {
        set $http_x_forwarded_for_filt $1???;
    }

    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl on;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    ssl_certificate /etc/apache2/ssl/mydomain.pem;
    ssl_certificate_key /etc/apache2/ssl/mydomain.key;

    root /var/www/html;
    port_in_redirect off;
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        try_files $uri $uri/ =404;
        server_tokens off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    include /var/www/nginx[.]conf;
}

 


1 minute ago, Jarsky said:

 

They are not in the config you pasted. They must be in the server {} block with your listen 443.

e.g.

Lancache by default has an SSL config file that writes to the file before starting nginx.


15 minutes ago, Jarsky said:

 

They are not in the config you pasted. They must be in the server {} block with your listen 443.

e.g.

13 minutes ago, Poet129 said:

Lancache by default has an SSL config file that writes to the file before starting nginx.

What I need is a self-signed cert that "validates" all addresses, but * isn't working as a common name.


1 minute ago, Poet129 said:

 

What I need is a self-signed cert that "validates" all addresses, but * isn't working as a common name.

You cannot use * in a Common Name without anything succeeding it. The CN needs to be a FQDN if you're creating a Wildcard cert. What you're talking about is a SAN (Subject Alternate Name) certificate.

https://medium.com/@groksrc/create-an-openssl-self-signed-san-cert-in-a-single-command-627fd771f25

For Common Name, you'd use your FQDN...this could be Wildcard like *.local, or could be specific like myserver.local

Then in SubjectAltName, you can add (comma separated) all the alternative names....localhost,myserver,192.168.1.234

I don't see why you would need this though....perhaps you're just talking about a general wildcard cert....

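An added example (not code from the thread, the linked article, or Lancache) of what Jarsky describes above: an openssl-generated self-signed certificate whose CN is one FQDN and whose SubjectAltName carries the other hostnames and an IP, followed by the point made later in the thread that a client trusting only the real server's certificate refuses ours. The names lancache.local and cdn.example.com and the scratch directory are constructed, the IP is the one from the post, and openssl 1.1.1 or newer is assumed on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from Lancache.
# 1. Build a self-signed cert the way Jarsky describes: CN is one FQDN,
#    every other hostname and the IP go into subjectAltName.
# 2. Show why loading it into nginx does not help against a real client:
#    a client that trusts only the upstream's certificate rejects ours.
# Assumes openssl 1.1.1+ on PATH. All names and the IP are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/san-demo.$$"    # scratch directory (constructed path)
mkdir -p "$WORK"

# Create key + self-signed cert: $1=CN, $2=subjectAltName list, $3=output prefix
make_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/CN=$1" -addext "subjectAltName=$2" \
        -keyout "$3.key" -out "$3.pem" 2>/dev/null
}

# Print the SAN entries of a PEM certificate, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tail -n +2 | tr ',' '\n' | sed 's/^ *//'
}

# Succeeds only if a client whose trust store is $2 would accept server cert $1
client_accepts() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The cache's own cert: wildcard and specific names plus the LAN IP in the SAN
make_san_cert lancache.local \
    "DNS:lancache.local,DNS:*.lancache.local,IP:192.168.1.234" "$WORK/lan"
# Stand-in for the certificate the real content server presents
make_san_cert cdn.example.com "DNS:cdn.example.com" "$WORK/upstream"

main() {
    echo "SAN entries in lan.pem:"
    cert_sans "$WORK/lan.pem"
    if client_accepts "$WORK/lan.pem" "$WORK/lan.pem"; then
        echo "accepted by a client that has our cert in its trust store"
    fi
    if ! client_accepts "$WORK/lan.pem" "$WORK/upstream.pem"; then
        echo "rejected by a client that trusts only the upstream's cert"
    fi
}
main
```

Remove "$WORK" when finished; the script leaves the generated files in place so they can be inspected with openssl x509 -text.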

1 minute ago, Jarsky said:

 

You cannot use * in a Common Name without anything succeeding it. The CN needs to be a FQDN if you're creating a Wildcard cert. What you're talking about is a SAN (Subject Alternate Name) certificate.

https://medium.com/@groksrc/create-an-openssl-self-signed-san-cert-in-a-single-command-627fd771f25

For Common Name, you'd use your FQDN...this could be Wildcard like *.local, or could be specific like myserver.local

Then in SubjectAltName, you can add (comma separated) all the alternative names....localhost,myserver,192.168.1.234

I don't see why you would need this though....perhaps you're just talking about a general wildcard cert....

Would this work?


*.net
*.com
*.org
*.us
*.int
*.mil
*.edu
*.gov

 


1 minute ago, Poet129 said:

Would this work?

*.net
*.com
*.org
*.us
*.int
*.mil
*.edu
*.gov

 

I don't understand your question?

 

You do not self sign for public domains. You shouldn't be using public domains unless you own them. 

I'm not sure what you're trying to achieve...


Just now, Jarsky said:

I don't understand your question?

 

You do not self sign for public domains. You shouldn't be using public domains unless you own them. 

I'm not sure what you're trying to achieve...

Lancache caches "the internet" but only HTTP; I'm trying to add HTTPS functionality.


3 minutes ago, Poet129 said:

Lancache caches "the internet" but only HTTP; I'm trying to add HTTPS functionality.

 

I know what Lancache is, but you're going about this wrong. 

I think what you need is to configure SNIProxy: https://lancache.net/docs/containers/sniproxy/

 

 


5 minutes ago, Poet129 said:

SNIProxy doesn't cache the https traffic.

My understanding is that the SNI Proxy will forward any SSL requests that Lancache cannot process on to the real server, but I believe that in some cases the content is pulled down via a non-SSL connection. I've not used Lancache, but to intercept SSL is essentially creating a MITM (Man in the Middle) attack. Perhaps you should message their support on their Discord.

This is nothing to do with Nginx, and loading your own SSLs into Nginx isn't going to help.

Whatever client you're talking about is looking for its own SSL certificate with its specific public key to do the SSL handshake...loading your own certificates will not change this.


2 minutes ago, Jarsky said:

My understanding is that the SNI Proxy will forward any SSL requests that Lancache cannot process on to the real server, but I believe that in some cases the content is pulled down via a non-SSL connection. I've not used Lancache, but to intercept SSL is essentially creating a MITM (Man in the Middle) attack. Perhaps you should message their support on their Discord.

This is nothing to do with Nginx, and loading your own SSLs into Nginx isn't going to help.

Whatever client you're talking about is looking for its own SSL certificate with its specific public key to do the SSL handshake...loading your own certificates will not change this.

I have tried their Discord; however, they say they won't talk about it over Discord. I may have them email me if they decide they can.
