SSL and port number [was: Rewrite -- failure]

Paul paul at stormy.ca
Tue Apr 28 18:56:09 UTC 2020


On 2020-04-22 3:14 a.m., Francis Daly wrote:
> On Tue, Apr 21, 2020 at 07:09:41PM -0400, Paul wrote:
> 
> Hi there,
> 
> I confess I'm not quite certain what you are reporting here -- if you
> can say "with *this* config, I make *this* request and I get *this*
> response, but I want *that* response instead", it may be clearer.
> 
> However, there is one thing that might be a misunderstanding here:
> 
> "listen 8000;" means that nginx will listen for http, so you must make
> requests to port 8000 using http not https.
> 
> "listen 8001 ssl;" means that nginx will listen for https, so you must
> make requests to port 8001 using https not http.
> 
> You can have both "listen" directives in the same server{}, but you
> still must use the correct protocol on each port, or there will be errors.

Hi Francis,

Thanks. I have the two sites "mostly" working now (full config below), 
but could you please expand on your comment ""listen 8001 ssl;" means 
that nginx will listen for https, so you must make requests to port 8001 
using https not http."

My problem is that app/server A (static html) is working perfectly, but 
app/server B works only if the user's browser requests specifically 
"https://... ", but returns a "400 Bad Request // The plain HTTP request 
was sent to HTTPS port // nginx" if the browser requests http (which I 
believe is the default for most browsers if you paste or type just the 
URL into them.)

In other words, the last few lines of the config. work for port 80 
(sends seamlessly the 301, then the content), but not for port 8084 
(sends only the 400.)

Many thanks -- Paul


# Combined file, two servers for myapps.example.com
# myappa "A" for static site /var/wwww/myappa on 192.168.aaa.bbb
# myappb "B" for cgi site /usr/share/myappb on 192.168.xxx.yyy

# Server A
server {

     listen 443 ssl;

     ssl_certificate /etc/letsencrypt/live/myapps.example.com/fullchain.pem; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/myapps.example.com/privkey.pem; # managed by Certbot
     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

     server_name myapps.example.com;

     access_log /var/log/nginx/access.log;
     error_log  /var/log/nginx/myapp-error_log;

     proxy_buffering off;

     location / {
         proxy_pass http://myappa;
         proxy_set_header Host $host;
         proxy_http_version 1.1;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

}

# Server B
server {

     listen 8084 ssl;

     ssl_certificate /etc/letsencrypt/live/myapps.example.com/fullchain.pem; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/myapps.example.com/privkey.pem; # managed by Certbot
     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

     server_name myapps.example.com;

     access_log /var/log/nginx/access.log;
     error_log  /var/log/nginx/myapp-error_log;

     proxy_buffering off;

     location / {
         proxy_pass http://myappb:8084;
         proxy_set_header Host $host;
         proxy_http_version 1.1;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

}

server {
     if ($host = myapps.example.com) {
         return 301 https://$host$request_uri;
     } # managed by Certbot

# automatically sets to https if someone comes in on http
     listen 80;
     listen 8084;
     server_name myapps.example.com;
     rewrite     ^   https://$host$request_uri? permanent;
}

   \\\||//
    (@ @)
ooO_(_)_Ooo__________________________________
|______|_____|_____|_____|_____|_____|_____|_____|
|___|____|_____|_____|_____|_____|_____|_____|____|
|_____|_____| mailto:paul at stormy.ca _|____|____|
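
A check for the situation discussed in this thread, added here as an example (it is not part of Paul's message and not nginx code): it scans a configuration for ports that one server{} declares with "ssl" and another without, which is the layout of port 8084 in the config above. The function names and the reduced sample config are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the listen layout of the config in the message above,
# reduced to the directives this check looks at.
SAMPLE = """
server { listen 443 ssl; }            # Server A
server { listen 8084 ssl; }           # Server B
server {                              # redirect server
    if ($host = myapps.example.com) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    listen 8084;
}
"""

def listen_directives(conf):
    """Yield (server_index, port, is_ssl) for every listen in a server{} block."""
    conf = re.sub(r"#[^\n]*", "", conf)   # drop comments (quoted '#' not handled)
    depth, server_depth, index = 0, None, -1
    # Walk statements split on ';', '{' and '}', tracking block nesting.
    for stmt, delim in re.findall(r"([^;{}]*)([;{}])", conf):
        words = stmt.split()
        if delim == "{":
            depth += 1
            if words == ["server"] and server_depth is None:
                server_depth, index = depth, index + 1
        elif delim == "}":
            if depth == server_depth:
                server_depth = None
            depth -= 1
        elif words[:1] == ["listen"] and len(words) > 1 and depth == server_depth:
            # Accepts "8084", "*:8084", "[::]:8084" and "127.0.0.1:8084".
            port = words[1].rsplit(":", 1)[-1]
            if port.isdigit():
                yield index, int(port), "ssl" in words[2:]

def mixed_ports(conf):
    """Return ports that are declared both with and without the ssl parameter."""
    seen = defaultdict(lambda: {"ssl": [], "plain": []})
    for index, port, is_ssl in listen_directives(conf):
        seen[port]["ssl" if is_ssl else "plain"].append(index)
    return {p: v for p, v in seen.items() if v["ssl"] and v["plain"]}

if __name__ == "__main__":
    for port, who in mixed_ports(SAMPLE).items():
        print(f"port {port}: ssl in server #{who['ssl']}, plain in server #{who['plain']}")
```

Server indexes count server{} blocks from 0 in file order, so in the sample 1 is Server B and 2 is the redirect server.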

