Multiple SSL certificates

I
  • 21 Oct '08
On Tue, Oct 21, 2008 at 05:09:55PM +0200, Thomas wrote:

> I have changed my config files, http works, but now https doesn't work
> anymore, firefox can't make the connection. However in my access.log I
> see some references to https://www.digiprof.fr/login, but when I
> access it myself, I don't see it get printed in the log file.

What does "nginx -t" show ?

-- 
Igor Sysoev
http://sysoev.ru/en/
T
  • 21 Oct '08
Here is the output:
--
2008/10/21 17:31:53 [info] 12626#0: the configuration file
/usr/local/nginx/conf/nginx.conf syntax is ok
2008/10/21 17:31:53 [info] 12626#0: the configuration file
/usr/local/nginx/conf/nginx.conf was tested successfully
--

Everything looks fine.

However it could be the problem of the IP not being configured on the host. I
did it once, and it blocked my connection to the server. Hopefully, I
could ssh into the VM hypervisor and then open a console and get
access to the server to remove the IP configuration.
R
  • 21 Oct '08
> I have changed my config files, http works, but now https doesn't work
> anymore, firefox can't make the connection.

Maybe port 443 is closed.

# openssl s_client -connect www.digiprof.eu:443
socket: Connection refused
connect:errno=29
# openssl s_client -connect www.digiprof.fr:443
socket: Connection refused
connect:errno=29

Copy and paste all of your nginx.conf.

-- 
Ryo Sato
I
  • 21 Oct '08
On Tue, Oct 21, 2008 at 05:31:06PM +0200, Thomas wrote:

> Here is the output:
> --
> 2008/10/21 17:31:53 [info] 12626#0: the configuration file
> /usr/local/nginx/conf/nginx.conf syntax is ok
> 2008/10/21 17:31:53 [info] 12626#0: the configuration file
> /usr/local/nginx/conf/nginx.conf was tested successfully
> --
> 
> Everything looks fine.
> 
> However it could be the problem of the IP not being configured on the host. I
> did it once, and it blocked my connection to the server. Hopefully, I
> could ssh into the VM hypervisor and then open a console and get
> access to the server to remove the IP configuration.

It seems that IPs are configured right:

telnet www.digiprof.fr 80 
Trying 91.121.77.156...
Connected to digiprof.fr.
Escape character is '^]'.

telnet www.digiprof.eu 80 
Trying 91.121.43.156...
Connected to digiprof.eu.
Escape character is '^]'.

However, for some reason nginx does not listen on 443:

telnet www.digiprof.fr 443
Trying 91.121.77.156...
telnet: connect to address 91.121.77.156: Connection refused
telnet: Unable to connect to remote host

telnet www.digiprof.eu 443
Trying 91.121.43.156...
telnet: connect to address 91.121.43.156: Connection refused
telnet: Unable to connect to remote host

Could you show the listen directives in config ?

-- 
Igor Sysoev
http://sysoev.ru/en/
T
  • 21 Oct '08
Port 443 is forwarded from my hypervisor to the Nginx VM. Everything
works fine if I remove the IP in the listen. It's a pretty basic
configuration of Nginx I guess.

nginx.conf:
---
# /usr/local/nginx/conf/nginx.conf

user  thomas;
worker_processes  1;

events {
 worker_connections  1024;
}

http {
 include             mime.types;
 default_type        application/octet-stream;

 # set sendfile to off on OsX
 sendfile            on;
 tcp_nopush          on;
 keepalive_timeout   65;

 # Hide Nginx version number header
 server_tokens       off;

 log_format main '$remote_addr [$time_local] '
                 '$http_host "$request" $status $body_bytes_sent "$http_referer" '
                 '"$http_user_agent" "$http_x_forwarded_for"';

 log_format traffic '$http_host $body_bytes_sent';

 gzip                on;
 gzip_http_version   1.0;
 gzip_comp_level     2;
 gzip_proxied        any;
 gzip_types          text/plain text/html text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;

 ignore_invalid_headers  on;

 include /usr/local/nginx/conf/main.conf;
 include /usr/local/nginx/conf/webcit.conf;
} # End of http
---

main.conf:
---
upstream main {
 server 10.0.0.2:3100 weight=2;
 server 10.0.0.2:3101;
}

server {
 listen 80 default;
 server_name _;
 access_log  /usr/local/nginx/logs/phishing_attemps.log main;

 # Let's rewrite any mysite.com to www.mysite.com in a global catch-all way.
 if ($host !~* www\.(.*)) {
   rewrite ^(.*) http://www.$host$1 permanent;
 }

 return 404;
}

server {
 listen              80;
 server_name         www.digiprof.fr;

 set $limit_rate     130k;

 # Let's set some vars to be DRY
 #set $nginx_path /usr/local/nginx/logs;
 set $rails_path /home/thomas/rails_apps;

 access_log  /usr/local/nginx/logs/traffic.log traffic;
 access_log  /usr/local/nginx/logs/access.main.log main;
 error_log /usr/local/nginx/logs/error.main.log notice;

 location / {
   root                $rails_path/public/$host;

   proxy_redirect      off;
   proxy_set_header    X-Real-IP $remote_addr;
   proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header    Host $http_host;

   if (-f $request_filename) {
     break;
   }

   if (-f $request_filename/index.html) {
     rewrite (.*) $1/index.html break;
   }

   if (-f $request_filename.html) {
     rewrite (.*) $1.html break;
   }

   if (!-f $request_filename) {
     proxy_pass http://main;
     break;
   }
 } # End of the location /

 error_page 500 502 503 504 /50x.html;
 location = /50x.html {
   root          $rails_path/public/$host;
 } # End of /50x location

} # End of server

server {
 listen              www.digiprof.fr:443;
 server_name         www.digiprof.fr;

 ssl on;
 ssl_certificate     /usr/local/nginx/conf/ssl_certificates/www.digiprof.fr.crt;
 ssl_certificate_key /usr/local/nginx/conf/ssl_certificates/server.key;
 keepalive_timeout   70; # reduce server load

 set $rails_path     /home/thomas/rails_apps;

 location / {
   # Compulsory for HTTPS
   proxy_set_header  X_FORWARDED_PROTO https;
   proxy_redirect    off;
   proxy_set_header  X-Real-IP $remote_addr;
   proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header  Host $http_host;

   root        $rails_path/public/$host;

   # Compulsory for serving relatively linked images and stylesheets
   if (!-f $request_filename) {
     proxy_pass http://main;
     break;
   }
 } # End of location /
} # End of server 443
---

webcit.conf:
---
upstream webcit {
 server 10.0.0.4:2000;
}

server {
 listen        80;
 server_name   www.digiprof.eu;
 rewrite ^(.*) https://$host$1 permanent;
}

server {
 listen      www.digiprof.eu:443;
 server_name www.digiprof.eu;

 ssl on;
 ssl_certificate     /usr/local/nginx/conf/ssl_certificates/self_signed.crt;
 ssl_certificate_key /usr/local/nginx/conf/ssl_certificates/server.key;
 keepalive_timeout   70; # reduce server load

 location / {
   proxy_set_header  X_FORWARDED_PROTO https;
   proxy_redirect      off;
   proxy_set_header    X-Real-IP $remote_addr;
   proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header    Host $http_host;

   proxy_pass http://webcit;
 }
}
T
  • 21 Oct '08
Hi Igor,

I have now reverted back to the working config. So now if you go to
https://www.digiprof.fr/login in your browser, you will see the signup
page and:

telnet www.digiprof.fr 443
openssl s_client -connect www.digiprof.fr:443
D
  • 21 Oct '08
Yup - that is most likely because inside your VM container, the real
IPs for www.digiprof.eu and www.digiprof.fr are not bound. You
mentioned before that this VM only had access to an internal NAT, so
the only IPs that could be bound were in 10.0.0.0/8. Is this correct ?

If so, you will have to port forward both IPs to SEPARATE NAT'ed IPs
in the 10.0.0.0/8 range, then configure separate VIPs inside your
virtualized OS to listen on those VIPs, then use those VIPs in place
of the real IPs in your nginx config.

Are you able to do your testing on a machine with real IPs rather
than a virtualized container, as the configuration of your container,
not nginx, has been most of the meat of this discussion ?

Cheers

Dave

On 22/10/2008, at 2:58 AM, Thomas wrote:

> Port 443 is forwarded from my hypervisor to the Nginx VM. Everything
> works fine if I remove the IP in the listen. It's a pretty basic
> configuration of Nginx I guess.
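The failure mode in this thread (Thomas's `listen www.digiprof.fr:443;` directives and Dave's explanation of why they cannot bind inside the NAT'ed VM) can be caught before restarting nginx. The script below is an added example, not code from the thread or from nginx: it pulls the first argument of every `listen` directive out of a config, resolves any hostname, and reports directives whose address is not present on a local interface, which is exactly what `nginx -t` does not check. The sample config, the `FAKE_DNS` table, the `VM_ADDRS` set and the `fake_resolve` function are constructed stand-ins so it runs offline; in practice you would pass `socket.gethostbyname` and the addresses shown by `ip addr`.

```python
"""Check whether each nginx `listen host:port` names an address this
machine can bind. `nginx -t` only validates syntax; the bind happens at
startup, so a hostname resolving to a public IP the VM never received
passes the test and then refuses connections on 443."""
import re
import socket
from typing import Callable, Dict, List, Optional, Set, Tuple

# First argument of every `listen` directive: `80`, `10.0.0.2:443`,
# `www.example.org:443`, `[::1]:443`. Trailing parameters such as
# `default` or `ssl` are ignored. Comment lines start with '#', so they
# never match the `^\s*listen` anchor.
LISTEN_RE = re.compile(r"^\s*listen\s+([^\s;]+)", re.MULTILINE)

Resolver = Callable[[str], str]


def parse_listen(config_text: str) -> List[Tuple[str, int]]:
    """Return (host, port) pairs; host is '' when only a port is given."""
    pairs = []
    for match in LISTEN_RE.finditer(config_text):
        arg = match.group(1)
        if arg.startswith("["):                 # [ipv6]:port or [ipv6]
            host, _, rest = arg[1:].partition("]")
            port = rest[1:] if rest.startswith(":") else "80"
        elif arg.isdigit():                     # bare port: wildcard address
            host, port = "", arg
        elif ":" in arg:                        # host:port (IPv4 or name)
            host, port = arg.rsplit(":", 1)
        else:                                   # bare address: nginx defaults to 80
            host, port = arg, "80"
        pairs.append((host, int(port)))
    return pairs


def check_listens(config_text: str, local_addrs: Set[str],
                  resolve: Resolver) -> List[Tuple[str, int, Optional[str], bool]]:
    """Report (host, port, resolved_ip, bindable) for each directive.

    A wildcard (no host, or '*') is always bindable; a name that does not
    resolve is reported with ip=None; otherwise the resolved address must
    be in local_addrs, i.e. configured on a local interface."""
    report = []
    for host, port in parse_listen(config_text):
        if host in ("", "*"):
            report.append((host, port, "0.0.0.0", True))
            continue
        try:
            ip = resolve(host)
        except OSError:
            report.append((host, port, None, False))
            continue
        report.append((host, port, ip, ip in local_addrs))
    return report


def unbindable(report):
    """Directives nginx would fail on at startup although `nginx -t` passed."""
    return [entry for entry in report if not entry[3]]


def probe_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """The telnet / `openssl s_client -connect` reachability check from the
    thread: True if a TCP connection to host:port succeeds. Network-bound,
    so it is not part of the offline demonstration below."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# --- constructed sample data (not the thread's real hosts) -------------
SAMPLE_CONF = """
server {
 listen 80 default;
 server_name _;
}
server {
 listen www.example.org:443;   # resolves to a public IP the VM never got
 server_name www.example.org;
 ssl on;
}
server {
 listen 10.0.0.4:443;          # NAT-side VIP actually configured in the VM
 server_name www.example.net;
}
"""
FAKE_DNS: Dict[str, str] = {"www.example.org": "198.51.100.7"}  # TEST-NET-2 address
VM_ADDRS: Set[str] = {"127.0.0.1", "10.0.0.4"}   # what `ip addr` would show in the VM


def fake_resolve(host: str) -> str:
    """Stand-in for DNS: table lookup, or the literal if it is an IPv4 address."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    socket.inet_aton(host)        # raises OSError for an unknown name
    return host


if __name__ == "__main__":
    for host, port, ip, ok in check_listens(SAMPLE_CONF, VM_ADDRS, fake_resolve):
        state = "ok" if ok else "NOT BOUND LOCALLY"
        print(f"listen {host or '*'}:{port} -> {ip}  {state}")
```

Running it prints one line per directive; the `www.example.org:443` entry is flagged because its public address is not among the VM's own addresses, which is the same situation Dave describes. The fix he gives maps directly onto the report: forward each public IP to its own NAT-side VIP and put that VIP in the `listen` directive instead of the public name.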
T
  • 21 Oct '08
You know what Dave, running my application using a virtual machine
with each component running in its own VM has been a real pain in the
butt, it still is now, and it will certainly be in the future.

I'm only seeing drawbacks and no advantages.

I'm fed up for today and it's getting late in my timezone. Tomorrow
I'll install Nginx directly in the supervisor domain as it will have
direct access to the IPs ready to be bound.

Thanks for your assistance.
T
  • 22 Oct '08
Yeah! I finally managed to configure Nginx to handle multiple SSL
certificates. It is exactly as Dave said, I had to forward the IPs to
my nginx VM, and it was not related to Nginx.

Thank you very much for your assistance.