nginx proxy v0.8.0 stopped 301 to https #1561

Open
ennovative-pl opened this issue Feb 21, 2021 · 1 comment

ennovative-pl commented Feb 21, 2021

Hello,
I have spotted a problem in my current setup when using 0.8.0. I was able to track it down to updating from 0.4.0 to 0.8.0 on my existing configuration, that was running successfully for over a year.
The problem is that my websites stopped 301 when accessed over http protocol. Using curl I got 200 status and no redirect. When reverting back to 0.7.0, everything works as before - when trying to access a site over http I am now redirected to https.

I have removed all cert data, recreated all containers, and captured configuration files for both 0.7.0 and 0.8.0 after approx 10 minutes, when all nginx-proxy and nginx-proxy-letsencrypt companion processing was finished. So these are both clean, fresh config files:

part of default.conf for 0.8.0:

server {
	server_name starter.waw.pl;
	listen 443 ssl http2 ;
	access_log /var/log/nginx/access.log vhost;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;
	ssl_certificate /etc/nginx/certs/starter.waw.pl.crt;
	ssl_certificate_key /etc/nginx/certs/starter.waw.pl.key;
	ssl_dhparam /etc/nginx/certs/starter.waw.pl.dhparam.pem;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/nginx/certs/starter.waw.pl.chain.pem;
	include /etc/nginx/vhost.d/default;
	location / {
		proxy_pass http://starter.waw.pl;
	}
}
server {
	server_name starter.waw.pl;
	listen 80 ;
	access_log /var/log/nginx/access.log vhost;
	include /etc/nginx/vhost.d/default;
	location / {
		proxy_pass http://starter.waw.pl;
	}
}
# wlaczswojezycie.pl
upstream wlaczswojezycie.pl {
				## Can be connected with "nginx-proxy" network
			# wlaczswojezycie-pl-nginx
			server 172.18.1.10:80;
}
server {
	server_name wlaczswojezycie.pl;
	listen 443 ssl http2 ;
	access_log /var/log/nginx/access.log vhost;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;
	ssl_certificate /etc/nginx/certs/wlaczswojezycie.pl.crt;
	ssl_certificate_key /etc/nginx/certs/wlaczswojezycie.pl.key;
	ssl_dhparam /etc/nginx/certs/wlaczswojezycie.pl.dhparam.pem;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/nginx/certs/wlaczswojezycie.pl.chain.pem;
	include /etc/nginx/vhost.d/default;
	location / {
		proxy_pass http://wlaczswojezycie.pl;
	}
}
server {
	server_name wlaczswojezycie.pl;
	listen 80 ;
	access_log /var/log/nginx/access.log vhost;
	include /etc/nginx/vhost.d/default;
	location / {
		proxy_pass http://wlaczswojezycie.pl;
	}
}
# www.abba.org.pl
upstream www.abba.org.pl {
				## Can be connected with "nginx-proxy" network
			# abba-org-pl-php
			server 172.18.1.5:80;
}
server {
	server_name www.abba.org.pl;
	listen 443 ssl http2 ;
	access_log /var/log/nginx/access.log vhost;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;
	ssl_certificate /etc/nginx/certs/www.abba.org.pl.crt;
	ssl_certificate_key /etc/nginx/certs/www.abba.org.pl.key;
	ssl_dhparam /etc/nginx/certs/www.abba.org.pl.dhparam.pem;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/nginx/certs/www.abba.org.pl.chain.pem;
	include /etc/nginx/vhost.d/default;
	location / {
		proxy_pass http://www.abba.org.pl;
	}
}

part of default.conf for 0.7.0:

# starter.waw.pl
upstream starter.waw.pl {
				## Can be connect with "nginx-proxy" network
			# starter-waw-pl-php
			server 172.18.1.24:80;
}
server {
	server_name starter.waw.pl;
	listen 80 ;
	access_log /var/log/nginx/access.log vhost;
	return 301 https://$host$request_uri;
}
server {
	server_name starter.waw.pl;
	listen 443 ssl http2 ;
	access_log /var/log/nginx/access.log vhost;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
	ssl_prefer_server_ciphers on;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;
	ssl_certificate /etc/nginx/certs/starter.waw.pl.crt;
	ssl_certificate_key /etc/nginx/certs/starter.waw.pl.key;
	ssl_dhparam /etc/nginx/certs/starter.waw.pl.dhparam.pem;
	add_header Strict-Transport-Security "max-age=31536000";
	include /etc/nginx/vhost.d/default;
	location / {
		proxy_pass http://starter.waw.pl;
	}
}
# wlaczswojezycie.pl
upstream wlaczswojezycie.pl {
				## Can be connect with "nginx-proxy" network
			# wlaczswojezycie-pl-nginx
			server 172.18.1.10:80;
}
server {
	server_name wlaczswojezycie.pl;
	listen 80 ;
	access_log /var/log/nginx/access.log vhost;
	return 301 https://$host$request_uri;
}
server {
	server_name wlaczswojezycie.pl;
	listen 443 ssl http2 ;
	access_log /var/log/nginx/access.log vhost;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
	ssl_prefer_server_ciphers on;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;
	ssl_certificate /etc/nginx/certs/wlaczswojezycie.pl.crt;
	ssl_certificate_key /etc/nginx/certs/wlaczswojezycie.pl.key;
	ssl_dhparam /etc/nginx/certs/wlaczswojezycie.pl.dhparam.pem;
	add_header Strict-Transport-Security "max-age=31536000";
	include /etc/nginx/vhost.d/default;
	location / {
		proxy_pass http://wlaczswojezycie.pl;
	}
}
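
A check for the difference between the two excerpts above, as an added example that is not part of the original issue or of nginx-proxy: it scans a generated `default.conf` and lists hostnames that have a TLS listener but whose port-80 `server` block lacks `return 301 https://...`. The function names `server_blocks` and `missing_https_redirect` are hypothetical, and the sample config is constructed from the shape of the excerpts.

```python
import re

# Constructed sample modelled on the default.conf excerpts in the issue (not a real config).
SAMPLE_CONF = """
server { server_name starter.waw.pl; listen 443 ssl http2 ; }
server {
    server_name starter.waw.pl;
    listen 80 ;
    location / { proxy_pass http://starter.waw.pl; }
}
server { server_name wlaczswojezycie.pl; listen 443 ssl http2 ; }
server {
    server_name wlaczswojezycie.pl;
    listen 80 ;
    return 301 https://$host$request_uri;
}
"""

def server_blocks(conf):
    """Yield the depth-1 directives (as token lists) of each top-level server block."""
    depth, block, token = 0, None, ""
    for ch in re.sub(r"#.*", "", conf):  # strips comments; quoted ';' or braces are not handled
        if ch not in "{};":
            token += ch
            continue
        if ch == ";" and depth == 1 and block is not None and token.split():
            block.append(token.split())
        elif ch == "{":
            depth += 1
            if depth == 1 and token.split() == ["server"]:
                block = []
        elif ch == "}":
            depth -= 1
            if depth == 0 and block is not None:
                yield block
                block = None
        token = ""

def missing_https_redirect(conf):
    """Hostnames that have a TLS listener and a port-80 block without 'return 301 https://...'."""
    tls, leaky = set(), set()
    for block in server_blocks(conf):
        names = {n for d in block if d[0] == "server_name" for n in d[1:]}
        to_https = any(" ".join(d).startswith("return 301 https://") for d in block)
        for args in [d[1:] for d in block if d[0] == "listen" and d[1:]]:
            if "ssl" in args:
                tls |= names
            elif args[0].rsplit(":", 1)[-1] == "80" and not to_https:
                leaky |= names
    return sorted(tls & leaky)
```

Running `missing_https_redirect` over the generated file after each image upgrade turns a silent loss of the redirect into a failing check; hosts that are intentionally HTTP-only are not reported because they have no TLS listener.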

azbmb commented Feb 22, 2021

I had a similar issue. I'm not sure why. Somewhere I found a suggestion that nginx-proxy wasn't detecting the crt files in the certs directory and to use the CERT_NAME=sitename.com environment variable. Doing this at least made nginx-proxy generate the return 301 to the appropriate HTTPS server block.
