Saturday, February 28, 2015

ssl - Nginx https vhost capering all requests

I am trying to setup a gitlab instance along an own cloud instance on the same server. Both work fine over http, and both work fine over https if one one host is enabled.




The weird thing is that the owncloud host catches all requests to the server, even though the site config only says it should catch one ones to the appropriate domain, and thus prevents the gitlab vhost from answering.



Owncloud conf:



upstream php-handler {
# server 127.0.0.1:9000;
server unix:/var/run/php5-fpm.sock;
}

server {

listen 80;
server_name cloud.example.com;
return 301 https://$server_name$request_uri; # enforce https
}

server {
listen 443 ssl;
server_name cloud.example.com;

ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;

ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

# Don't show version
server_tokens off;

# Have separate logs for this vhost
access_log /var/log/nginx/owncloud_access.log;
error_log /var/log/nginx/owncloud_error.log;

# Path to the root of your installation

root /usr/share/nginx/owncloud;

client_max_body_size 10G; # set max upload size
fastcgi_buffers 64 4K;

rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

index index.php;

error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}

location ~ ^/(?:\.|data|config|db_structure\.xml|README) {

deny all;
}

location / {
# The following 2 rules are only needed with webfinger
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;


rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

try_files $uri $uri/ index.php;
}

location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_connect_timeout 120;
fastcgi_pass php-handler;
}

# Optional: set long EXPIRES header on static assets
location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
expires 30d;
# Optional: Don't log access to assets

access_log off;
}

}


should only catch requests to cloud.domain.com?



GitLab config:




upstream gitlab {
server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;
}

## This is a normal HTTP host which redirects all traffic to the HTTPS host.
server {
listen *:80 default_server;
server_name git.example.com; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
root /nowhere; ## root doesn't have to be a valid path since we are redirecting

rewrite ^ https://$server_name$request_uri permanent;
}

server {
listen 443 ssl;
server_name git.example.com; ## Replace this with something like gitlab.example.com
server_tokens off;
root /home/git/gitlab/public;

## Increase this if you want to upload large attachments

## Or if you want to accept large git objects over http
client_max_body_size 512M;

## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl on;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';


ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache builtin:1000 shared:SSL:10m;

ssl_prefer_server_ciphers on;

add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;


## Individual nginx logs for this GitLab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;

location / {
## Serve static files from defined root folder.
## @gitlab is a named location for the upstream fallback, see below.
try_files $uri $uri/index.html $uri.html @gitlab;
}


## If a file, which is not found in the root folder is requested,
## then the proxy pass the request to the upsteam (gitlab unicorn).
location @gitlab {

## If you use https make sure you disable gzip compression
## to be safe against BREACH attack.
gzip off;

## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.

proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;


proxy_pass http://gitlab;
}

## Enable gzip compression as per rails guide:
## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
## WARNING: If you are using relative urls do remove the block below
## See config/application.rb under "Relative url support" for the list of
## other files that need to be changed for relative url support
location ~ ^/(assets)/ {

root /home/git/gitlab/public;
gzip_static on; # to serve pre-gzipped version
expires max;
add_header Cache-Control public;
}

error_page 502 /502.html;
}



AMEND:
For HTTP, everything works as intended, with multiple vhosts. The problems start with SSL. And yes, nginx has SNI enabled (nginx -V says so).



Thanks for any help, I know there's a guru out there who knows the answer. :)

No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...