0

I have been trying to get my website up after moving from apache2 to nginx on my AWS Ubuntu 20.04 server. I have translated the relevant files from apache2 over to my nginx configuration, however I can't seem to get secure https access through page. Are my configs able to be sanity checked?

I have allocated an elastic IP on the AWS end and re-routed that with an A name on our web host platform. I have been able to generate the SSL certificates by running: sudo certbot certonly --webroot --agree-tos -w /etc/letsencrypt/ --expand -d mywebsite.com,mywebsite.blah.com.

I am also able to directly load the website by entering the elastic IP address directly into my search bar and the web page loads, but with https crossed out and an invalid certificate message.

/etc/nginx/nginx.conf

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log debug;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    server_names_hash_bucket_size       128;
    include /etc/nginx/sites-enabled/*;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    include       /etc/nginx/mime.types;

    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    #include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;


    disable_symlinks off;
}

/etc/apache2/sites-available/website.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ServerName mywebsite.com
        ServerAlias mywebsite.com mywebsite.blah.com
        SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile /etc/letsencrypt/live/mywebsite.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mywebsite.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

    RewriteEngine On

    RewriteCond %{HTTP:Upgrade} =websocket               [NC]
    RewriteRule /(.*)           ws://amazon-ec2-instance.com:8080/$1  [P,L]

        ProxyPreserveHost On
        ProxyRequests Off
        ProxyPass / http://amazon-ec2-instance.com:8080/
        ProxyPassReverse / http://amazon-ec2-instance.com:8080/
        ProxyPassReverseCookieDomain / http://amazon-ec2-instance.com:8080/
        ProxyPassReverseCookiePath / http://amazon-ec2-instance.com:8080/

        ProxyPass /api/ws wss://amazon-ec2-instance.com:8080/
        ProxyPassReverse /api/ws wss://amazon-ec2-instance.com:8080/
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        <Directory />
          Options FollowSymLinks
          AllowOverride All
        </Directory>

</VirtualHost>
</IfModule>

/etc/nginx/sites-available/website.conf

server {
    if ($host = mywebsite.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

server {
       listen 80;
        listen [::]:80;

       server_name mywebsite.com mywebsite.blah.com;

       root /var/www/html;
       index index.html;

       #passenger_enabled on;

       location / {
                rewrite ^(.*)$ https://$http_host:8080$request_uri redirect;
                try_files $uri $uri/ =404;
        }

        location !/\.ht {
                deny all;
        }

        location ~ \.php$ {
                # include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }
}

/etc/apache2/sites-available/website-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ServerName mywebsite
        ServerAlias mywebsite.com mywebsite.blah.com
        SSLEngine on
        SSLProxyEngine on
        Include /etc/letsencrypt/options-ssl-apache.conf
        RewriteEngine On


        RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) ws://amazon-ec2-instance.com:8080/$1 [P,L]

    ProxyPreserveHost On
    ProxyRequests Off
        ProxyPass / http://amazon-ec2-instance.com:8080/
        ProxyPassReverse / http://amazon-ec2-instance.com:8080/
        ProxyPassReverseCookieDomain / http://amazon-ec2-instance.com:8080/
        ProxyPassReverseCookiePath / http://amazon-ec2-instance.com:8080/

        ProxyPass /api/ws wss://amazon-ec2-instance.com:8080/
        ProxyPassReverse /api/ws wss://amazon-ec2-instance.com:8080/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        <Directory />
          Options FollowSymLinks
          AllowOverride All
        </Directory>

        SSLCertificateFile /etc/letsencrypt/live/mywebsite/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mywebsite/privkey.pem
</VirtualHost>
</IfModule>

/etc/nginx/sites-available/website-ssl.conf

server {
    include                     /etc/letsencrypt/options-ssl-nginx.conf;
    listen                      443 ssl;
    server_name                 mywebsite.com;
    ssl_certificate             /etc/letsencrypt/live/mywebsite.com/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/live/mywebsite.com/privkey.pem;

    root                        /var/www/html ;

    location / {
        proxy_pass                      http://mywebsite.com:8080/ ;
        proxy_set_header Host           $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cookie_domain http://mywebsite.com:8080/ $host;
        proxy_cookie_path / /;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ws {
        proxy_pass http://mywebsite.com:8080/ ;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
}

/etc/apache2/sites-available/website-ssl2.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ServerName mywebsite.com
        ServerAlias mywebsite.com mywebsite.blah.com
        SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile /etc/letsencrypt/live/mywebsite.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mywebsite.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

    RewriteEngine On

    RewriteCond %{HTTP:Upgrade} =websocket               [NC]
    RewriteRule /(.*)           ws://localhost:8080/$1  [P,L]

        ProxyPreserveHost On
        ProxyRequests Off
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
        ProxyPassReverseCookieDomain / http://localhost:8080/
        ProxyPassReverseCookiePath / http://localhost:8080/

        ProxyPass /api/ws wss://localhost:8080/
        ProxyPassReverse /api/ws wss://localhost:8080/

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        <Directory />
          Options FollowSymLinks
          AllowOverride All
        </Directory>

</VirtualHost>
</IfModule>

/etc/nginx/sites-available/website-ssl2.conf

server {
    include                     /etc/letsencrypt/options-ssl-nginx.conf;
    listen                      443 ssl;
    server_name                 mywebsite.com;

    ssl_certificate             /etc/letsencrypt/live/mywebsite.com/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/live/mywebsite.com/privkey.pem;

    location / {
        proxy_pass                      http://localhost:8080/;
        proxy_set_header Host           $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cookie_domain http://localhost:8080/ $host;
        proxy_cookie_path / /;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }


    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Other directives specific to your configuration
    # ...
}
Improve this question
4
  • 1
    You mention I can't seem to get secure https access. How are you accessing the site and what is the error? Use tools like curl with verbose enabled. That will often tell what is wrong.
    – John Hanley
    Commented May 30, 2023 at 6:45
  • 1
    Why are you using ipv6only=on? That means that IPv4 is disabled.
    – John Hanley
    Commented May 30, 2023 at 6:47
  • @JohnHanley >>> I am also able to directly load the website by entering the elastic IP address directly into my search bar as I stated in the description. And ipv6only is commented out as per the #
    – jabroni
    Commented May 30, 2023 at 6:47
  • I've removed the ipv6 commented line to avoid confusion.
    – jabroni
    Commented May 30, 2023 at 6:49

1 Answer 1

Reset to default
0

Change the first line user nginx; of the file '/etc/nginx/nginx.conf' to user www-data;

Then Restart the nginx server

systemctl restart nginx
Improve this answer
1
  • thank you! This was it.
    – jabroni
    Commented Jun 2, 2023 at 6:18

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .