nginx plugin - force SSL not working

    • OMV 1.0

    • The nginx server tries to identify the local server via the host entry in the http header which is sent by the browser.
      On which port is your nginx server listening?
      Are you running it from the web or within the LAN?
      I think there might be an issue with the subdomain not pointing to the right port.

      Openmediavault is configured to be the default server listening on ports 80 / 443. So either you change the config files (/etc/nginx/sites-enabled/) so that both servers listen on 80 or 443, just for different server_names, or you have to point the subdomain to another port your server config is running at.
    • perler wrote:

      all the name based servers created with the "websites (nginx) " plugin are listening to 443, but don't seem to have the

      listen [::]:80;

      statement - isn't that necessary to force SSL?
      This is just the IPv6 version of

          listen 80;

      so not necessary for SSL. For use with SSL there has to be a line like

          listen 443 ssl;
          listen [::]:443 ssl;


      Do you have SSH access to the server? Then please give us the content of all files in /etc/nginx/sites-enabled/. Then we might see where the problem arises from.
    • ../openmediavault-webgui

          server {
              server_name openmediavault-webgui;
              root /var/www/openmediavault;
              index index.php;
              autoindex off;
              server_tokens off;
              sendfile on;
              large_client_header_buffers 4 32k;
              client_max_body_size 25M;
              error_log /var/log/nginx/openmediavault-webgui_error.log error;
              access_log /var/log/nginx/openmediavault-webgui_access.log combined;
              location /extjs/ {
                  alias /usr/share/javascript/extjs4/;
              }
              location /images/ {
                  alias /var/www/openmediavault/images/;
              }
              location ~ \.php$ {
                  try_files $uri = 404;
                  fastcgi_split_path_info ^(.+\.php)(/.+)$;
                  fastcgi_pass unix:/var/run/php5-fpm-openmediavault-webgui.sock;
                  fastcgi_index index.php;
                  fastcgi_read_timeout 60s;
                  include fastcgi_params;
              }
              listen [::]:80 default_server ipv6only=off;
              listen [::]:443 default_server ipv6only=off ssl deferred;
              ssl_certificate /etc/ssl/certs/openmediavault-8a8f2078-f1bc-4fa7-a344-108502e2225c.crt;
              ssl_certificate_key /etc/ssl/private/openmediavault-8a8f2078-f1bc-4fa7-a344-108502e2225c.key;
              include /etc/nginx/openmediavault-webgui.d/*.conf;
          }


      example from ../openmediavault-nginx

          server {
              listen [::]:443 ssl;
              ssl_certificate /etc/ssl/certs/openmediavault-8a8f2078-f1bc-4fa7-a344-108502e2225c.crt;
              ssl_certificate_key /etc/ssl/private/openmediavault-8a8f2078-f1bc-4fa7-a344-108502e2225c.key;
              server_name proxiedsite.domain.com;
              index index.html;
              access_log /var/log/nginx/6a9d3536-4ab8-4a3b-aed8-4387787873a9-access.log;
              error_log /var/log/nginx/6a9d3536-4ab8-4a3b-aed8-4387787873a9-error.log;
              large_client_header_buffers 4 8k;
              location / {
                  proxy_pass http://localhost:8080;
                  proxy_http_version 1.1;
                  proxy_set_header Upgrade $http_upgrade;
                  proxy_set_header Connection 'upgrade';
                  proxy_set_header Host $host;
                  proxy_cache_bypass $http_upgrade;
              }
          }
    • Ok, as you see, the main difference is the

          listen [::]:443 default_server ipv6only=off ssl deferred;

      vs.

          listen [::]:443 ssl;

      So the nginx-server is listening only to ipv6. Try to add the following line to the extra options:

          listen 443 ssl;

      Then nginx should listen to ipv4 ssl port also for this server.
    • this prevents an nginx restart with

          root# /etc/init.d/nginx restart
          Restarting nginx: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
          nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
          nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
          nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
          nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
          nginx: [emerg] still could not bind()
          nginx.


      the ../openmediavault-nginx after adding the line to the extra options looks like this:

          server {
              listen [::]:443 ssl;
              ssl_certificate /etc/ssl/certs/openmediavault-8a8f2078-f1bc-4fa7-a344-108502e2225c.crt;
              ssl_certificate_key /etc/ssl/private/openmediavault-8a8f2078-f1bc-4fa7-a344-108502e2225c.key;
              server_name sub.domain.com;
              index index.html;
              access_log /var/log/nginx/6a9d3536-4ab8-4a3b-aed8-4387787873a9-access.log;
              error_log /var/log/nginx/6a9d3536-4ab8-4a3b-aed8-4387787873a9-error.log;
              large_client_header_buffers 4 8k;
              location / {
                  proxy_pass http://localhost:8080;
                  proxy_http_version 1.1;
                  proxy_set_header Upgrade $http_upgrade;
                  proxy_set_header Connection 'upgrade';
                  proxy_set_header Host $host;
                  proxy_cache_bypass $http_upgrade;........
              }
              listen 443 ssl;
          }
    • Did some reading. We can accomplish this quite easily right now by having two domains with the same name, one listening on 443 (but not on 80), delivering the content, and one listening on 80 (but not on 443) with the option

          return 301 https://$server_name$request_uri;

      in the Extras option field.

      Maybe you can implement an option for this?
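
The two-server arrangement from the last post, written out as an added example (not a configuration posted in the thread or generated by the plugin). The certificate paths are placeholders; the `listen` forms assume the OMV default server shown earlier, which opens `[::]:80` and `[::]:443` with `ipv6only=off`.

```nginx
# Added example. Certificate paths below are placeholders, not values
# from the thread.

# Port 80: serves no content, only a permanent redirect to HTTPS.
server {
    # Same address form as the OMV default server. That server opens
    # [::]:80 with ipv6only=off, so this one socket is dual-stack and
    # IPv4 clients reach this block as well.
    listen [::]:80;
    server_name sub.domain.com;

    # $server_name is the fixed name configured above; $host would
    # reflect the Host header sent by the client.
    return 301 https://$server_name$request_uri;
}

# Port 443: delivers the content.
server {
    # No additional "listen 443 ssl;" here. A separate 0.0.0.0:443 socket
    # cannot be bound while the dual-stack [::]:443 socket exists, which
    # is the "bind() to 0.0.0.0:443 failed (98: Address already in use)"
    # error shown above.
    listen [::]:443 ssl;
    server_name sub.domain.com;

    ssl_certificate     /etc/ssl/certs/example.crt;      # placeholder
    ssl_certificate_key /etc/ssl/private/example.key;    # placeholder

    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```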