Nginx SSL Certification + Nextcloud +Guacamole



  • For the life of me I can't find where I went wrong with this. I'm not getting SSL with Guacamole or Nextcloud. Need some more eyes.

    Guacamole

    server {
            client_max_body_size 40M;
            listen 80;
            server_name connect.domain.com;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header N-Nginx-Proxy true;
            proxy_redirect off;
            location / {
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header Host $http_host;
                    proxy_set_header X-NginX-Proxy true;
                    proxy_pass http://192.168.1.205:8080/guacamole/;
                    proxy_redirect off;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection $http_connection;
                    proxy_buffering off;
            }
    
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/connect.domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/connect.domain.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    
    }
    

    Nextcloud

    server {
            client_max_body_size 40M;
            listen 80;
            server_name nc.domain.com;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header N-Nginx-Proxy true;
            proxy_redirect off;
            location / {
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header Host $http_host;
                    proxy_set_header X-NginX-Proxy true;
                    proxy_pass http://192.168.1.202:80/;
                    proxy_redirect off;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "upgrade";
                    proxy_buffering off;
            }
    
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/nc.domain.com-0001/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/nc.domain.com-0001/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    
    }
    

    Nginx.conf

    # For more information on configuration, see:
    #   * Official English Documentation: http://nginx.org/en/docs/
    #   * Official Russian Documentation: http://nginx.org/ru/docs/
    
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    
    # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
    include /usr/share/nginx/modules/*.conf;
    
    events {
        worker_connections 1024;
    }
    
    http {
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 4096;
    
        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;
    
        # Load modular configuration files from the /etc/nginx/conf.d directory.
        # See http://nginx.org/en/docs/ngx_core_module.html#include
        # for more information.
        include /etc/nginx/conf.d/*.conf;
    
        #server {
        #    listen       80 default_server;
        #    listen       [::]:80 default_server;
        #    server_name  _;
        #    root         /usr/share/nginx/html;
    


  • You cannot listen on both http and https in the same server block.



  • Ended up being the / at the end of proxy_pass. Hours of time looking for /



  • @jaredbusch said in Nginx SSL Certification + Nextcloud +Guacamole:

    You cannot listen on both http and https in the same server block.

    0_1535118428359_1.JPG



  • @wirestyle22 said in Nginx SSL Certification + Nextcloud +Guacamole:

    @jaredbusch said in Nginx SSL Certification + Nextcloud +Guacamole:

    You cannot listen on both http and https in the same server block.

    0_1535118428359_1.JPG

    See how much I know when I never accept HTTP to begin with.



  • @jaredbusch said in Nginx SSL Certification + Nextcloud +Guacamole:

    @wirestyle22 said in Nginx SSL Certification + Nextcloud +Guacamole:

    @jaredbusch said in Nginx SSL Certification + Nextcloud +Guacamole:

    You cannot listen on both http and https in the same server block.

    0_1535118428359_1.JPG

    See how much I know when I never accept HTTP to begin with.

    I don't really get the use case honestly, but it's possible to do. After I test VNC tonight I'll force https.



  • @wirestyle22 maybe as a redirect to HTTPS so that rather than hitting a dead service it sends it along to the appropriate place?



  • @dustinb3403 I can understand that thought process. Have to look at some of @JaredBusch's Nextcloud guides to see how he did it.



  • I normally create two separate server blocks, one for listening port 80 and another for port 443.
    Port 80 always gets redirected to 443.



  • @black3dynamite If we use one of my configs as an example:

    server {
            client_max_body_size 40M;
            listen 80;
            server_name connect.domain.com;
            return 301 https://$host$request_uri;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header N-Nginx-Proxy true;
            proxy_redirect off;
            location / {
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header Host $http_host;
                    proxy_set_header X-NginX-Proxy true;
                    proxy_pass http://192.168.1.205:8080/guacamole/;
                    proxy_redirect off;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection $http_connection;
                    proxy_buffering off;
            }
    
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/connect.domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/connect.domain.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    
    }
    

    Correct? I don't think they need to be two separate server blocks. If there is some kind of benefit to doing it that way let me know.



  • @wirestyle22 said in Nginx SSL Certification + Nextcloud +Guacamole:

    @black3dynamite If we use one of my configs as an example:

    server {
            client_max_body_size 40M;
            listen 80;
            server_name connect.domain.com;
            return 301 https://$host$request_uri;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header N-Nginx-Proxy true;
            proxy_redirect off;
            location / {
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header Host $http_host;
                    proxy_set_header X-NginX-Proxy true;
                    proxy_pass http://192.168.1.205:8080/guacamole/;
                    proxy_redirect off;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection $http_connection;
                    proxy_buffering off;
            }
    
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/connect.domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/connect.domain.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    
    }
    

    Correct? I don't think they need to be two separate server blocks. If there is some kind of benefit to doing it that way let me know.

    Last night you were not redirecting port 80 to 443. You are accepting both and proxying on.



  • @wirestyle22

    I just preferred to keep them separate.
    Here is one of my configs for nextcloud where I use separate server blocks.

    upstream backend-nextcloud-demo {
        server nc-demo1:80;
    }
    
    server {
            listen 80;
            listen [::]:80;
           
            server_name nc-demo.domain.com;
    
            return 301 https://$host$request_uri;
    }
    
    server {
            client_max_body_size 40M;
            listen 443 http2 ssl;
            listen [::]:443 http2 ssl;
    
            server_name nc-demo.domain.com;
    
            ssl on;
            ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
            ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
            ssl_dhparam /etc/ssl/certs/dhparam.pem;
    
    
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;
            ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
            ssl_ecdh_curve secp384r1;
            ssl_session_cache shared:SSL:10m;
            ssl_session_tickets off;
            ssl_stapling on;
            ssl_stapling_verify on;
            resolver 1.1.1.1 8.8.8.8 valid=300s;
            resolver_timeout 5s;
            add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    #       add_header X-Content-Type-Options nosniff;
    #       add_header X-Frame-Options SAMEORIGIN;
    #       add_header X-Robots-Tag none;
    #       add_header X-XSS-Protection "1; mode=block";
    
            location / {
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header Host $http_host;
                    proxy_set_header X-NginX-Proxy true;
                    proxy_pass http://backend-nextcloud-demo;
                    proxy_redirect off;
                    proxy_connect_timeout 600;
                    proxy_send_timeout 600;
                    proxy_read_timeout 600;
                    send_timeout 600;
            }
    


  • @jaredbusch said in Nginx SSL Certification + Nextcloud +Guacamole:

    @wirestyle22 said in Nginx SSL Certification + Nextcloud +Guacamole:

    @black3dynamite If we use one of my configs as an example:

    server {
            client_max_body_size 40M;
            listen 80;
            server_name connect.domain.com;
            return 301 https://$host$request_uri;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header N-Nginx-Proxy true;
            proxy_redirect off;
            location / {
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header Host $http_host;
                    proxy_set_header X-NginX-Proxy true;
                    proxy_pass http://192.168.1.205:8080/guacamole/;
                    proxy_redirect off;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection $http_connection;
                    proxy_buffering off;
            }
    
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/connect.domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/connect.domain.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    
    }
    

    Correct? I don't think they need to be two separate server blocks. If there is some kind of benefit to doing it that way let me know.

    Last night you were not redirecting port 80 to 443. You are accepting both and proxying on.

    Right, but the quoted config is how i would redirect. I didn't change the initial post configs.



  • @black3dynamite Thanks dude



  • Hm. I can still access via http



  • @wirestyle22 said in Nginx SSL Certification + Nextcloud +Guacamole:

    Hm. I can still access via http

    I use a rewrite

    server {
        client_max_body_size 40M;
        listen 80;
        server_name nc.domain.com;
        rewrite        ^ https://\$server_name\$request_uri? permanent;
    }
    


  • @jaredbusch Hm. I'm getting too many rewrite errors now. Some odd problems occurring. Relative pathing problem?


Log in to reply