Currently I have a little problem getting my Seafile behind nginx working. I have a custom domain and a subdomain which has a CNAME entry to my Fritzbox DynDNS. In the Fritzbox I have opened port 3001 to the outside. The internal server port in the Fritzbox is set to 443 but was also on 80 for testing purposes. When I now try to connect I get this error (Firefox): SSL_ERROR_RX_RECORD_TOO_LONG
My certificate is from letsencrypt.
My nginx config looks like this:
server {
listen 80;
server_name XXX;
rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
server_tokens off;
}
server {
listen 443;
ssl on;
ssl_certificate /etc/letsencrypt/live/XXX/fullchain.pem; # path to your cacert.pem
ssl_certificate_key /etc/letsencrypt/live/XXX/privkey.pem; # path to your privkey.pem
server_name XXX;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256$
ssl_prefer_server_ciphers on;
proxy_set_header X-Forwarded-For $remote_addr;
That error is usually generated when the client accesses a port on the server, and the certificate on the port is not configured correctly for https.
In your case, it may be because you are using a port forward from one port number to another. The best way to configure your server is to set up NGinx to listen on port 3001 and then, in your router, have port 3001 forwarded to port 3001 on the NGinx server. I.e. external port 3001 to internal port 3001.
If you do use an alternate port number, such as 3001, you’ll need to change your NGinx config. Here’s what you need to do:
Change this line: proxy_set_header Host $host;
to this: proxy_set_header Host $host:$server_port;
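Why a plaintext listener produces exactly this browser error, as an added diagnostic that is not from the original thread or from Seafile/nginx: the classifier below reads the first five bytes of a reply the way a TLS client does, and `probe()` is a hypothetical helper that sends a real ClientHello to a host and port you name so you can see what your forwarded port actually answers.

```python
import socket
import ssl

# A TLS record carries at most 2^14 bytes of plaintext plus 2048 bytes
# of expansion; a length field above that is rejected by the browser
# with SSL_ERROR_RX_RECORD_TOO_LONG.
MAX_TLS_RECORD = 16384 + 2048
TLS_HANDSHAKE, TLS_ALERT = 0x16, 0x15


def classify_reply(data: bytes) -> dict:
    """Parse the first five bytes as a TLS record header, exactly as a
    browser does, and say what the bytes most likely really are."""
    if len(data) < 5:
        return {"kind": "short", "record_len": None}
    ctype, ver_hi = data[0], data[1]
    record_len = int.from_bytes(data[3:5], "big")
    if ctype in (TLS_HANDSHAKE, TLS_ALERT) and ver_hi == 3 and record_len <= MAX_TLS_RECORD:
        return {"kind": "tls", "record_len": record_len}
    if data.startswith(b"HTTP/"):
        # 'H' = type 0x48, 'TT' = version 0x5454, 'P/' = length 0x502F (20527):
        # a plain-HTTP answer on the port the browser expected to speak TLS on,
        # e.g. a router forward of 3001 to an http-only listener.
        return {"kind": "plaintext-http", "record_len": record_len}
    return {"kind": "unknown", "record_len": record_len}


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Send a genuine ClientHello to host:port and classify the first bytes
    the server returns (hypothetical helper for checking your own listener)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()          # nothing received yet, so this cannot finish
    except ssl.SSLWantReadError:
        pass
    client_hello = outgoing.read()  # the bytes a browser would send first
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello)
        reply = sock.recv(64)
    return classify_reply(reply)


if __name__ == "__main__":
    # Constructed sample: what an http-only nginx listener answers to a ClientHello.
    print(classify_reply(b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n"))
    # Constructed sample: a real ServerHello record header (TLS 1.2, 90-byte body).
    print(classify_reply(b"\x16\x03\x03\x00\x5a" + b"\x00" * 90))
```

A `plaintext-http` result on the external port means the forward ends at a listener without `ssl`, which is the mismatch the answer above describes.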
So I should remove the first part of my config where I'm rewriting from http to https and just keep the second server block with the https configuration? And adjust the port number there?
server {
listen 3001;
server_name XXX;
rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
server_tokens off;
}
And for https this:
server {
listen 3002;
ssl on;
ssl_certificate /etc/letsencrypt/live/XXX/fullchain.pem; # path to your cacert.pem
ssl_certificate_key /etc/letsencrypt/live/XXX/privkey.pem; # path to your privkey.pem
server_name XXX;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/dhparam.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
proxy_set_header X-Forwarded-For $remote_addr;
I have a .de domain from 1&1 and I’m using MyFritz. In the 1&1 domain control panel I have registered a subdomain cloud.XXX.de with a CNAME entry to my MyFritz address
Thanks for your help. I think this is working but I also need to change this line (http server block):
rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
to: rewrite ^ https://$host$request_uri? permanent; # force redirect http to https
right? Is that fine? And one more question regarding the well-known ACME challenge location. Should I move that into the http server block as well, or is this not important?
edit: This is not working. I can get it to work when I write the port directly in the rewrite in the http block without changing the header.
Yes, you can use the rewrite to force the redirect if you wish.
As for the well-known ACME challenge, it's just another location entry. However, it may not work with an alternate port. I had problems with Letsencrypt due to using an alternate port and it wouldn't update. Letsencrypt is very strict about how it updates, which is why I went ahead and paid for a valid certificate from my domain host. It cost me less than 9 US dollars per year. Headaches gone.
I’m not certain I understand what you mean. Can you elaborate or provide an example of what you are doing that makes it work?
I’m getting it to work in the local LAN if I use this rewrite rule in the http server block: rewrite ^ https://$http_host:3002$request_uri? permanent;
Also I changed my port forwarding configuration in the Fritzbox to open up port 3001 (http) and 3002 (https).
But the rewrite line above is somehow only working in the internal LAN. If I try to connect over my domain it's not working. I get an SSL error on port 3001, and when I directly try to connect over port 3002 I get a network timeout.