<div dir="ltr">Still the same issue, https not redirecting to azure for authentication. Only http redirects.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Nov 26, 2020 at 11:47 AM HARISH KUMAR Ivaturi <<a href="mailto:harishkumarivaturi@gmail.com">harishkumarivaturi@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Try with TLSv1.2 <div dir="auto"><br></div><div dir="auto">TLSv1.3 is for http3. </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu 26 Nov, 2020, 7:09 AM Pavan P, <<a href="mailto:pavan45@gmail.com" target="_blank">pavan45@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Still the same problem, enabled ssl_protocols TLSv1.3;<div><br></div><div>Is there any issue with my configuration? 
With the below configuration, <a href="http://ci1.altlifelab.com" rel="noreferrer" target="_blank">http://ci1.altlifelab.com</a> redirects to the authentication page, but https does not, it will directly go to the application without authentication.</div><div><br></div><div>server {<br>    server_name <a href="http://ci1.altlifelab.com" rel="noreferrer" target="_blank">ci1.altlifelab.com</a>;<br><br>    location / {<br>      proxy_set_header        Host $host:$server_port;<br>      proxy_set_header        X-Real-IP $remote_addr;<br>      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;<br>      proxy_set_header        X-Forwarded-Proto $scheme;<br><br><br>      # Fix the "It appears that your reverse proxy set up is broken" error.<br>      proxy_pass          <a href="http://127.0.0.1:9080" rel="noreferrer" target="_blank">http://127.0.0.1:9080</a>;<br>      proxy_read_timeout  90;<br><br>      proxy_redirect      <a href="http://127.0.0.1:9080" rel="noreferrer" target="_blank">http://127.0.0.1:9080</a> <a href="http://www.ci1.altlifelab.com" rel="noreferrer" target="_blank">http://www.ci1.altlifelab.com</a>;<br><br>      # Required for new HTTP-based CLI<br>      proxy_http_version 1.1;<br>      proxy_request_buffering off;<br>      # workaround for <a href="https://issues.jenkins-ci1.org/browse/JENKINS-45651" rel="noreferrer" target="_blank">https://issues.jenkins-ci1.org/browse/JENKINS-45651</a><br>      add_header 'X-SSH-Endpoint' '<a href="http://ci1.altlifelab.com:50022" rel="noreferrer" target="_blank">ci1.altlifelab.com:50022</a>' always;<br>    }<br><br>    listen 443 ssl; # managed by Certbot<br>    ssl_certificate /etc/letsencrypt/live/<a href="http://ci1.altlifelab.com/fullchain.pem" rel="noreferrer" target="_blank">ci1.altlifelab.com/fullchain.pem</a>; # managed by Certbot<br>    ssl_certificate_key /etc/letsencrypt/live/<a href="http://ci1.altlifelab.com/privkey.pem" rel="noreferrer" 
target="_blank">ci1.altlifelab.com/privkey.pem</a>; # managed by Certbot<br>    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot<br>    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot<br>    ssl_protocols TLSv1.3;<br>}<br><br>server {<br>    if ($host = <a href="http://ci1.altlifelab.com" rel="noreferrer" target="_blank">ci1.altlifelab.com</a>) {<br>#        return 301 https://$host$request_uri;<br>return 301 <a href="https://myapps.microsoft.com/signin/ci2/a825dd26-fed2-4423-ae69-6a7d457b4b44?tenantId=eb9970cc-4803-4f6a-9ad2-e9b46042c5fd" rel="noreferrer" target="_blank">https://myapps.microsoft.com/signin/ci2/a825dd26-fed2-4423-ae69-6a7d457b4b44?tenantId=eb9970cc-4803-4f6a-9ad2-e9b46042c5fd</a>;<br>    } # managed by Certbot<br><br><br>    listen 80;<br>server_name <a href="http://ci1.altlifelab.com" rel="noreferrer" target="_blank">ci1.altlifelab.com</a>;<br>    return 404; # managed by Certbot<br>}<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Nov 26, 2020 at 11:24 AM Pavan P <<a href="mailto:pavan45@gmail.com" rel="noreferrer" target="_blank">pavan45@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">HI Harish,<div>But the issue I'm facing is different, when I try <a href="http://ci1.altlifelab.com" rel="noreferrer" target="_blank">http://ci1.altlifelab.com</a> it works fine, when I use <a href="https://ci1.altlifelab.com" rel="noreferrer" target="_blank">https://ci1.altlifelab.com</a> the url does not redirect to auth.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Nov 26, 2020 at 11:12 AM HARISH KUMAR Ivaturi <<a href="mailto:harishkumarivaturi@gmail.com" rel="noreferrer" target="_blank">harishkumarivaturi@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid 
rgb(204,204,204);padding-left:1ex"><div dir="auto">Once try this. <div dir="auto"><br></div><div dir="auto"><a href="https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/" rel="noreferrer" target="_blank">https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/</a><br></div><div dir="auto"><br></div><div dir="auto">And configure again with auth proxy module</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu 26 Nov, 2020, 6:17 AM Pavan P, <<a href="mailto:pavan45@gmail.com" rel="noreferrer" target="_blank">pavan45@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Yes Harish, Certificate is working fine.<div><br></div><div>root@ip-172-31-33-18:~# nginx -V<br>nginx version: nginx/1.10.3 (Ubuntu)<br>built with OpenSSL 1.0.2g  1 Mar 2016<br>TLS SNI support enabled<br>configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module 
--with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads<br>(base) root@ip-172-31-33-18:~#<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Nov 26, 2020 at 10:43 AM HARISH KUMAR Ivaturi <<a href="mailto:harishkumarivaturi@gmail.com" rel="noreferrer noreferrer" target="_blank">harishkumarivaturi@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">1) once type nginx -V and send the output. <div dir="auto"><br></div><div dir="auto">2) certificate - certificate.cert</div><div dir="auto">Certificate_key - certificate.key</div><div dir="auto"><br></div><div dir="auto">Once recheck the certs section and make sure that you have generated the certificates with openssl properly. </div><div dir="auto"><br></div><div dir="auto">BR</div><div dir="auto">Harish Kumar</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu 26 Nov, 2020, 5:27 AM Pavan P, <<a href="mailto:pavan45@gmail.com" rel="noreferrer noreferrer" target="_blank">pavan45@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Harish,<div>Below is the config of my nginx. Https module is configured fine. 
Please let me know if I have missed anything.</div><div><br></div><div>server {<br>    server_name <a href="http://ci1.altlifelab.com" rel="noreferrer noreferrer noreferrer" target="_blank">ci1.altlifelab.com</a>;<br><br>    location / {<br>      proxy_set_header        Host $host:$server_port;<br>      proxy_set_header        X-Real-IP $remote_addr;<br>      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;<br>      proxy_set_header        X-Forwarded-Proto $scheme;<br><br><br>      # Fix the "It appears that your reverse proxy set up is broken" error.<br>      proxy_pass          <a href="http://127.0.0.1:9080" rel="noreferrer noreferrer noreferrer" target="_blank">http://127.0.0.1:9080</a>;<br>      proxy_read_timeout  90;<br><br>      proxy_redirect      <a href="http://127.0.0.1:9080" rel="noreferrer noreferrer noreferrer" target="_blank">http://127.0.0.1:9080</a> <a href="http://www.ci1.altlifelab.com" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.ci1.altlifelab.com</a>;<br><br>      # Required for new HTTP-based CLI<br>      proxy_http_version 1.1;<br>      proxy_request_buffering off;<br>      # workaround for <a href="https://issues.jenkins-ci1.org/browse/JENKINS-45651" rel="noreferrer noreferrer noreferrer" target="_blank">https://issues.jenkins-ci1.org/browse/JENKINS-45651</a><br>      add_header 'X-SSH-Endpoint' '<a href="http://ci1.altlifelab.com:50022" rel="noreferrer noreferrer noreferrer" target="_blank">ci1.altlifelab.com:50022</a>' always;<br>    }<br><br>    listen 443 ssl; # managed by Certbot<br>    ssl_certificate /etc/letsencrypt/live/<a href="http://ci1.altlifelab.com/fullchain.pem" rel="noreferrer noreferrer noreferrer" target="_blank">ci1.altlifelab.com/fullchain.pem</a>; # managed by Certbot<br>    ssl_certificate_key /etc/letsencrypt/live/<a href="http://ci1.altlifelab.com/privkey.pem" rel="noreferrer noreferrer noreferrer" target="_blank">ci1.altlifelab.com/privkey.pem</a>; # managed by Certbot<br>  
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot<br>    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot<br><br><br>}<br><br>server {<br>    if ($host = <a href="http://ci1.altlifelab.com" rel="noreferrer noreferrer noreferrer" target="_blank">ci1.altlifelab.com</a>) {<br>#        return 301 https://$host$request_uri;<br>return 301 <a href="https://myapps.microsoft.com/signin/ci2/a825dd26-fed2-4423-ae69-6a7d457b4b44?tenantId=eb9970cc-4803-4f6a-9ad2-e9b46042c5fd" rel="noreferrer noreferrer noreferrer" target="_blank">https://myapps.microsoft.com/signin/ci2/a825dd26-fed2-4423-ae69-6a7d457b4b44?tenantId=eb9970cc-4803-4f6a-9ad2-e9b46042c5fd</a>;<br>    } # managed by Certbot<br><br><br>    listen 80;<br>server_name <a href="http://ci1.altlifelab.com" rel="noreferrer noreferrer noreferrer" target="_blank">ci1.altlifelab.com</a>;<br>

return 301 <a href="https://myapps.microsoft.com/signin/ci2/a825dd26-fed2-4423-ae69-6a7d457b4b44?tenantId=eb9970cc-4803-4f6a-9ad2-e9b46042c5fd" rel="noreferrer noreferrer noreferrer" target="_blank">https://myapps.microsoft.com/signin/ci2/a825dd26-fed2-4423-ae69-6a7d457b4b44?tenantId=eb9970cc-4803-4f6a-9ad2-e9b46042c5fd</a>;

<br>}<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Nov 26, 2020 at 5:04 AM HARISH KUMAR Ivaturi <<a href="mailto:harishkumarivaturi@gmail.com" rel="noreferrer noreferrer noreferrer" target="_blank">harishkumarivaturi@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">I am not sure if you have configured nginx with https_module. Once try that. And also add proper headers in the nginx.conf like <div dir="auto"><br></div><div dir="auto">Listen 443 ssl;</div><div dir="auto">Certificates location</div><div dir="auto"><br></div><div dir="auto">BR</div><div dir="auto">Harish Kumar</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed 25 Nov, 2020, 3:53 PM Pavan P, <<a href="mailto:pavan45@gmail.com" rel="noreferrer noreferrer noreferrer" target="_blank">pavan45@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<div>I have configured nginx to authenticate with Azure AD for login.</div><div><br></div><div>When I access the site <a href="http://abc.example.com" rel="noreferrer noreferrer noreferrer noreferrer" target="_blank">abc.example.com</a> it redirects to Azure for authentication and redirects me back once the authentication is complete.</div><div><br></div><div>However, when I try to access the site with https <a href="http://abc.example.com" rel="noreferrer noreferrer noreferrer noreferrer" target="_blank">abc.example.com</a> it does not redirect for authentication.</div><div><br></div><div>Is there any way I can get both http and https to redirect for Azure auth?</div><div><br></div><div>Regards,</div><div>Pavan</div><div><br></div></div>
_______________________________________________<br>
nginx-devel mailing list<br>
<a href="mailto:nginx-devel@nginx.org" rel="noreferrer noreferrer noreferrer noreferrer" target="_blank">nginx-devel@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx-devel" rel="noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx-devel</a></blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
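<div dir="ltr">In the configuration posted in this thread, the sign-in redirect exists only in the port 80 server block, while the 443 block proxies every request straight to 127.0.0.1:9080 with no access check. The following is an added example (not from the thread or from the nginx project) that enforces the check on the HTTPS server with auth_request, the approach in the subrequest-authentication guide linked in the thread. The auth service on 127.0.0.1:4180, its /auth/check and /auth/start paths and the rd parameter are assumptions.</div>

```nginx
# Added example, not from the thread. Hypothetical: an auth service on
# 127.0.0.1:4180 where /auth/check answers 2xx (signed in) or 401, and
# /auth/start begins the Azure AD sign-in; "rd" is its assumed return parameter.
server {
    listen 80;
    server_name ci1.altlifelab.com;
    # Plain HTTP only upgrades to HTTPS; the access decision is made there.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ci1.altlifelab.com;
    ssl_certificate     /etc/letsencrypt/live/ci1.altlifelab.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ci1.altlifelab.com/privkey.pem;

    location / {
        auth_request /_auth_check;   # subrequest must return 2xx to proceed
        error_page 401 = @signin;    # no valid session: start the sign-in

        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:9080;
    }

    location = /_auth_check {
        internal;                    # only nginx itself can request this
        proxy_pass http://127.0.0.1:4180/auth/check;
        proxy_pass_request_body off; # the check needs headers and cookies only
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location /auth/ {
        # Sign-in and callback endpoints stay reachable without a session.
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location @signin {
        return 302 /auth/start?rd=$scheme://$host$request_uri;
    }
}
```

With this layout, a request to either scheme without a session ends at the sign-in redirect, and the backend on 127.0.0.1:9080 is reached only after the subrequest returns 2xx.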