Nginx with ssl and subdirectory

Hello,

I’m running CentOS 7 and Apache 2.4 with nginx; we have it configured to run:

apache no_ssl: 8080
apache ssl: 8081
invoiceplane 1.5.3

This is the root path of the domain host:

/home/username/www

Then I have installed it into:

/home/username/www/invoices

When using Apache it works without problems, but now I’m configuring nginx. This is my Apache virtualhost:

<VirtualHost *:8081>
    ServerAdmin mail@internal.com
    ServerName internal.priv
    ServerAlias www.internal.priv
    DirectoryIndex index.htm index.html index.php
    DocumentRoot /home/username/www/
    ErrorLog logs/internal.priv_error_log
    CustomLog logs/internal.priv_access_log combined

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/2017/internal.priv.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/2017/internal.priv.key

    <Directory /home/username/www>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

This is my nginx virtualhost:

server {
        listen   80;

        server_name internal.priv;

        rewrite ^ https://$server_name$request_uri? permanent;
}

server {
        listen   443;

        root /home/username/www/;
        index index.php index.html index.htm;

        server_name internal.priv;
        ssl                  on;
        ssl_certificate      /etc/pki/tls/certs/2017/internal.priv.crt;
        ssl_certificate_key  /etc/pki/tls/certs/2017/internal.priv.key;

        ssl_session_timeout  5m;

        ssl_protocols  SSLv3 TLSv1;
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
        ssl_prefer_server_ciphers   on;

        location / {
                # the last try_files argument is a URI, so it needs the leading slash
                try_files $uri $uri/ /index.php;
        }

        location ~ \.php$ {
                proxy_set_header X-Real-IP  $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header Host $host;
                proxy_pass https://127.0.0.1:8081;
        }

        location ~ /\.ht {
                deny all;
        }
}

When I log in, the web browser shows this error:

Bad Request

Your browser sent a request that this server could not understand.

Can somebody help me? Thank you in advance.

On the most basic end - have you tried accessing the site from a “Private Browsing” session (to bypass any local cache and cookies)? Existing cached files / cookies from your Apache testing can cause 40x errors (the error message you provide is the NGINX equivalent of a 400 error).

If that doesn’t clear it up, in terms of config, check your proxy_pass location. Try changing proxy_pass https://127.0.0.1:8081/ to https://internal.priv:8081 and ensure that internal.priv resolves to a working local address. You have also limited the proxying to php. This config won’t deliver images, PDFs, javascript and some other necessary pieces.

Your NGINX log file will give you the explicit cause of the error. Whilst the front-end errors are obscure and deliberately vague, the server log is quite explicit and more friendly than other logs.

Separately, are you limiting visitors to SSLv3 and TLSv1.0 for any particular reason? SSLv3 and TLSv1 are effectively dead, and are forcing you to use old and broken ciphers to boot. Unless you are building a test-rig to try out POODLE and MiTM attacks, you should review that requirement!

To get started, try the following changes to your config (remove SSL suite limitations, expand proxied document types, change proxy_pass target):

server {
    listen   443;

    root /home/username/www/;
    index index.php index.html index.htm;

    server_name internal.priv;
    ssl                  on;
    ssl_certificate      /etc/pki/tls/certs/2017/internal.priv.crt;
    ssl_certificate_key  /etc/pki/tls/certs/2017/internal.priv.key;

    ssl_session_timeout  5m;

    location / {
        # try_files needs at least two arguments, otherwise nginx -t rejects the config
        try_files $uri $uri/ =404;
    }

    # php stays in the proxied list so PHP files reach Apache instead of being
    # served from root as plain files
    location ~* ^.+\.(php|jpg|jpeg|gif|png|ico|svg|css|zip|tgz|gz|bz2|doc|xls|pdf|ppt|txt|odt|ods|odp|odf|tar|bmp|rtf|js|html|htm)$ {
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass https://internal.priv:8081;
    }

    location ~ /\.ht {
        return 404;
    }
}

If this config works, slowly re-add extra statements, such as your protocols, and ciphers. If not, let me know and I will provide a known-working config :).

1 Like
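As an added example that is not part of this thread: a small Python lint for nginx server blocks like the two posted above. It flags the SSLv3/TLSv1 and RC4/EXP settings the reply points out, a try_files with fewer than two arguments (nginx -t rejects that), and a proxied setup with no location for .php, which would let nginx hand out PHP source from root as a plain file. The two sample configs embedded in it are constructed, condensed copies of the ones in the thread, not the posters' exact files.

```python
import re
# Added example (not from the thread): lint nginx server blocks for the issues discussed above.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "EXP", "ADH", "NULL", "DES", "MEDIUM")

def directives(conf):
    """(name, args) of simple directives; block headers never match because of the '{'."""
    text = re.sub(r"#[^\n]*", "", conf)  # strip comments
    return [(m.group(1), m.group(2).split())
            for m in re.finditer(r"([a-z_]\w*)\s+([^;{}]+);", text)]

def location_patterns(conf):
    return [p.strip() for p in re.findall(r"location\s+([^{]+)\{", conf)]

def lint(conf):
    findings = []
    dirs = directives(conf)
    for name, args in dirs:
        if name == "ssl_protocols":
            weak = sorted(set(args) & WEAK_PROTOCOLS)
            if weak:
                findings.append("weak ssl_protocols: " + " ".join(weak))
        elif name == "ssl_ciphers" and args:
            # OpenSSL cipher string: '!' and '-' remove a group, '+' only reorders it
            enabled = [t.lstrip("+") for t in args[0].split(":")
                       if not t.startswith(("!", "-"))]
            hits = sorted({m for m in WEAK_CIPHER_MARKERS for t in enabled if m in t})
            if hits:
                findings.append("weak ssl_ciphers: " + " ".join(hits))
        elif name == "try_files" and len(args) < 2:
            findings.append("try_files needs at least two arguments")  # nginx -t rejects it
    names = {n for n, _ in dirs}
    if ("proxy_pass" in names and "root" in names
            and not any("php" in p for p in location_patterns(conf))):
        findings.append("no location for .php: PHP source may be served from root")
    return findings

# Constructed samples, condensed from the two configs in the thread.
ORIGINAL = """server {
    listen 443;  root /home/username/www/;
    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
    location / { try_files $uri $uri/ /index.php; }
    location ~ \\.php$ { proxy_pass https://127.0.0.1:8081; }
}"""
REPLY_AS_POSTED = """server {
    listen 443;  root /home/username/www/;
    location / { try_files $uri; }
    location ~* ^.+\\.(jpg|png|css|js|html)$ { proxy_pass https://internal.priv:8081; }
}"""
```

Run lint() over a server block before loading it; an empty list means none of the four problems above were found.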