nginx – How to automatically generate SSL certificates?

How could I automate the generation of SSL certificates for different subdomains? In my workflow, different subdomains ab.mydomain.com, cd.mydomain.com, ab.mynewdomain.com, etc. will point to the IP of my Nginx machine.

I want to generate SSL certificates for these subdomains configured on my Nginx. How could I automate the generation of SSL certificates? Is there a way? Is there any library that can do this for me? I can also start with free SSL certificates, that will not be a problem.

I tried to search this, but could not find any answer.
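The standard way to automate this is an ACME client (certbot, acme.sh or lego) against a free CA such as Let's Encrypt, with nginx answering the http-01 challenge for every hostname whose DNS points at the machine, and a systemd timer or cron job running `certbot renew`. The configuration below is an added example, not part of the original question: the hostnames are the ones from the question, while the challenge webroot /var/www/acme, the certificate paths under /etc/letsencrypt/live/ and the backend on 127.0.0.1:8080 are assumptions. It pairs with a command such as `certbot certonly --webroot -w /var/www/acme -d ab.mydomain.com -d cd.mydomain.com --deploy-hook 'systemctl reload nginx'`, run once per certificate.

```nginx
# Added example: a catch-all port-80 server that answers ACME http-01 challenges
# for every hostname pointed at this machine and redirects everything else to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # certbot --webroot writes its challenge tokens here (path is an assumption).
    # ^~ makes this prefix win over any regex location that blocks dotfiles.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
    }

    # Everything else goes to HTTPS on the same host.
    location / {
        return 301 https://$host$request_uri;
    }
}

# One HTTPS server per certificate. certbot places the files under
# /etc/letsencrypt/live/<first -d name>/ and renews them in place.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ab.mydomain.com cd.mydomain.com;

    ssl_certificate     /etc/letsencrypt/live/ab.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ab.mydomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed backend
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Names under a different registered domain (ab.mynewdomain.com) need their own certificate and their own HTTPS server block. Let's Encrypt rate-limits issuance per registered domain, so for many subdomains under one zone a wildcard certificate is simpler; that requires the dns-01 challenge and a DNS plugin for the ACME client rather than the webroot method shown here.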

kubernetes – How to properly configure access to kubernetes dashboard behind nginx ingress

I’m trying to configure nginx ingress to access several services, like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-monit
spec:
  rules:
  - host: grafana.localhost
    http:
      paths:
      - path: /
        backend:
          serviceName: prometheus-grafana
          servicePort: 80
  - host: kubernetes-dashboard.localhost
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 80

I have access to the Grafana service without any problems; my issue is with kubernetes-dashboard.
I've already configured kubernetes-dashboard to allow HTTP traffic with this configuration:

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: monit
spec:
  ports:
    - port: 80
      targetPort: 9090
  selector:
    k8s-app: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: monit
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.0.0-beta8
          imagePullPolicy: Always
          ports:
            - containerPort: 9090
              protocol: TCP
          args:
            - --namespace=monit
            - --insecure-bind-address=0.0.0.0
            - --insecure-port=9090
            - --enable-insecure-login
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 9090
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "beta.kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

I've also a valid token which I can use to access the Kubernetes dashboard when I use ClusterIP.
However, when I access it through the ingress I cannot get past the login page even with a valid token (see screenshot).


I looked into the Nginx logs for problems/errors but everything seemed fine:

$ kubectl logs -n monit ingress-nginx-controller-bbdc786b4-6nl9h  -f
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/csrftoken/login HTTP/1.1" 200 85 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 479 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 85 0.001 200 59fc952888dfadf0223740c31e562ef8
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "POST /api/v1/login HTTP/1.1" 200 1508 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 1545 0.005 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 1508 0.005 200 241388246b11031765557475bea603ff
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/plugin/config HTTP/1.1" 200 185 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 477 0.003 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 185 0.003 200 45371469793ce4f35c45dec70530bea0
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/login/status HTTP/1.1" 200 108 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 476 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 108 0.001 200 49171f5e9316a2d6da883d1c4f0b50df
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/login/status HTTP/1.1" 200 108 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 476 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 108 0.001 200 c69b9d166f1527f00e7cd175696ec8c7
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/login/status HTTP/1.1" 200 108 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 476 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 108 0.001 200 1f9c27ca407bca57dcc0c26bca65be58

What am I missing in my ingress configuration?

NGINX vs Apache: Which One Is More Suitable For You? | Forum Promotion

Both NGINX (pronounced “Engine-X”) and Apache are popular open-source web servers used to deliver web pages to a user’s browser. However, which one is more suitable for you? In order to run your website more efficiently, it is very important to choose a web server according to your business needs. In this article, you will learn all about NGINX vs Apache, the most widely used open-source web servers.

Apache was initially released in 1995, whereas Nginx was released in 2004, and both are widely used by large Fortune 500 companies all over the world. Around 50% of the traffic on the internet is served by Apache and Nginx. In some special cases, Nginx has a competitive edge over other web servers in terms of performance.

Apache has been the first choice of developers for 20 years because of the availability of many helpful resources. Nowadays, technology is changing day by day, and due to certain design elements Apache can’t fulfill modern web demands. Meanwhile, the market share of NGINX is rising and it is gaining popularity, as you can see in the report by W3Techs.

Read More: https://www.temok.com/blog/nginx-vs-apache/

kubernetes – ingress nginx upstream sent no valid HTTP/1.0 header while reading response header from upstream

I’m trying to set up an nginx ingress controller for services in my namespace.
One of the backend services accepts HTTP traffic on port 80; the other accepts only HTTPS traffic on port 443. See the descriptions of both services:

$ kubectl describe svc service-1 -n monit
Name:              service-1
Namespace:         monit
Labels:            app=service-1
Annotations:       <none>
Selector:          app=service-1
Type:              ClusterIP
IP:                10.104.185.173
Port:              https  443/TCP
TargetPort:        8443/TCP
Endpoints:         10.1.0.95:8443
Session Affinity:  None
Events:            <none>

$ kubectl describe svc service-2 -n monit
Name:              service-2
Namespace:         monit
Labels:            app=service-2
Annotations:       <none>
Selector:          app=service-2
Type:              ClusterIP
IP:                10.110.93.64
Port:              service  80/TCP
TargetPort:        3000/TCP
Endpoints:         10.1.0.87:3000
Session Affinity:  None
Events:            <none>

Here is my ingress configuration

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-monit
spec:
  rules:
  - host: service-2.localhost
    http:
      paths:
      - path: /
        backend:
          serviceName: service-2
          servicePort: 80
  - host: service-1.localhost
    http:
      paths:
      - path: /
        backend:
          serviceName: service-1
          servicePort: 443

When I look at the Nginx configuration, things look OK:

$ kubectl describe ingress ingress-monit -n monit                  
Name:             ingress-monit
Namespace:        monit
Address:          localhost
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host                            Path  Backends
  ----                            ----  --------
  service-2.localhost               
                                  /   service-2:80 (10.1.0.87:3000)
  service-1.localhost  
                                  /   service-1:443 (10.1.0.95:8443)
Annotations:                      Events:
  Type                            Reason  Age   From                      Message
  ----                            ------  ----  ----                      -------
  Normal                          CREATE  31m   nginx-ingress-controller  Ingress monit/ingress-monit
  Normal                          UPDATE  30m   nginx-ingress-controller  Ingress monit/ingress-monit

Now the problem is that I can access my service-2 properly with http://service-2.localhost/, but I cannot access service-1. Visiting http://service-1.localhost/ in Chrome gives me:

This site can’t be reached
The webpage at https://service-1.localhost/ might be temporarily down or it may have moved permanently to a new web address.
ERR_INVALID_RESPONSE

When I look into Nginx logs, I see:

$ kubectl logs -n monit ingress-nginx-controller-bbdc786b4-8crdm -f
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       0.32.0
  Build:         git-446845114
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.17.10

-------------------------------------------------------------------------------
. . .
2020/06/02 22:56:47 [error] 2363#2363: *64928 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 192.168.65.3, server: service-1.localhost, request: "GET / HTTP/1.1", upstream: "http://10.1.0.95:8443/", host: "service-1.localhost"
192.168.65.3 - - [02/Jun/2020:22:58:13 +0000] "GET / HTTP/1.1" 200 7817 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 594 0.005 [monit-service-2-80] [] 10.1.0.87:3000 30520 0.005 200 2baefff713047b14a81643650cb50c4c

The error seems to be related to service-1 returning a bad response: `upstream sent no valid HTTP/1.0 header while reading response header from upstream`. The thing is, if I use kubectl proxy I can access that service properly!!

Any ideas how I could figure out what the real issue is?
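The error log line already names the cause: the controller connected to upstream "http://10.1.0.95:8443/", that is, it spoke plain HTTP to a port that only speaks TLS, so what came back (a TLS alert) was not a valid HTTP response header. kubectl proxy works because it goes through the API server, not through nginx. ingress-nginx selects the upstream protocol with the nginx.ingress.kubernetes.io/backend-protocol annotation, and the annotation applies to the whole Ingress object, so the HTTPS-only service needs its own Ingress while service-2 keeps the existing one. The manifest below is an added example, not from the original post; it keeps the page's extensions/v1beta1 API (on Kubernetes 1.19+ use networking.k8s.io/v1, where the backend is written as service.name and service.port.number). The commented proxy-ssl annotations and the secret name monit/service-1-ca are assumptions.

```yaml
# Added example (not from the original post): a separate Ingress for the
# HTTPS-only backend, because backend-protocol is per Ingress object.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-service-1
  namespace: monit
  annotations:
    # Make the controller open a TLS connection to the pod instead of plain HTTP.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # By default the controller does NOT verify the upstream certificate, so a
    # pod impersonating service-1 would be accepted. To verify it, store the CA
    # in a Secret (name assumed) with a ca.crt key and enable these:
    # nginx.ingress.kubernetes.io/proxy-ssl-secret: "monit/service-1-ca"
    # nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    # nginx.ingress.kubernetes.io/proxy-ssl-name: "service-1.monit.svc"
spec:
  rules:
  - host: service-1.localhost
    http:
      paths:
      - path: /
        backend:
          serviceName: service-1
          servicePort: 443
```

After applying it, `kubectl describe ingress ingress-service-1 -n monit` should list the annotation, and the controller's error log should stop showing the "no valid HTTP/1.0 header" line for service-1.localhost.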

brute force attacks – Block bruteforce attempts with nginx & cloudflare without rate limiting

So I discovered servers trying to brute-force my API, so I want to block them… but my specific scenario makes it difficult to apply the common solutions found on the internet.

1] I don't want to just rate limit: if any IP attempts to authenticate with the API and fails more than X times in ~6 hours, I want to block it. No answers at all anymore, not even 429 replies.

2] I'm using Cloudflare, so I need to use the CF IP header.

3] I can't block the traffic based on iptables or similar solutions, since the only IPs that talk to my server are Cloudflare IPs.

4] The API generates nginx errors if the authentication fails with `2: no such file or directory`, if that helps with something.

Given my scenario, what are the possible solutions?
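One way to meet all four constraints inside nginx: recover the visitor's address from the CF-Connecting-IP header (trusting it only when the TCP peer is a Cloudflare edge, otherwise anyone reaching the origin directly could spoof the header and get an innocent address banned), then close the connection with status 444, which sends no response at all, for every address in a blocklist file. The configuration below is an added example, not from the original post; the hostname, certificate paths, backend port and blocklist path are assumptions, and the Cloudflare ranges are a subset of the published list. It needs the realip module (present in the official and distro packages).

```nginx
# Added example (not from the original post).

# 1. Only trust CF-Connecting-IP when the connection really comes from Cloudflare.
#    Subset of the published IPv4 ranges; load the full, current lists from
#    https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 172.64.0.0/13;
real_ip_header CF-Connecting-IP;
# From here on $remote_addr, and therefore the access/error logs, hold the visitor.

# 2. Blocklist maintained outside nginx (fail2ban action, or a script counting
#    failed logins over the last 6 hours). One "203.0.113.7 1;" line per address
#    in the included file (path assumed); run "nginx -s reload" after changes.
geo $blocked_client {
    default 0;
    include /etc/nginx/api_blocklist.conf;
}

server {
    listen 443 ssl http2;
    server_name api.example.com;             # assumed
    ssl_certificate     /etc/ssl/api.crt;    # assumed
    ssl_certificate_key /etc/ssl/api.key;    # assumed

    location /api/ {
        # 444 closes the TCP connection without writing a response: no 429, no body.
        if ($blocked_client) {
            return 444;
        }
        proxy_pass http://127.0.0.1:8000;    # assumed backend
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Because the real address is restored before logging, a fail2ban jail reading the nginx error log can count failures per visitor rather than per Cloudflare edge. Since the traffic already passes through Cloudflare, the stronger variant of the same idea is to have the ban action call the Cloudflare API to block the address at the edge, so the attacker's requests never reach the origin at all.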

NGINX location directive proxy_pass not reaching backend server

I am trying to route to a backend server using an Nginx proxy through Docker; the backend services are running in Docker containers locally. The root location / is getting routed, whereas the location /api/ is not.

Expected http://127.0.0.1:8080/api/authservice/login to be routed to http://127.0.0.1:8085/authservice/login

location / {
    proxy_pass http://127.0.0.1:4200;
    .....
}

location /api/ {
    rewrite ^/api/?(.*)$ /$1 break;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    add_header X-Content-Type-Options 'nosniff';
    add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
    server_tokens off;
    proxy_pass http://127.0.0.1:8085;
    return 200 'hello end GREET NGINX3';
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    return 200 'hello end GREET NGINX3';
}
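The two `return 200 ...` lines are what keeps /api/ from reaching the backend: `return` belongs to the rewrite phase, which runs before `proxy_pass` is ever considered, so nginx answers with the literal string and never proxies. The `rewrite` is also unnecessary, because a `proxy_pass` with a URI part (the trailing slash) already replaces the matched `/api/` prefix. The block below is an added example, not the original configuration; the ports come from the question, and the note about host.docker.internal is an assumption about where nginx and the backend run.

```nginx
# Added example (not the original config): /api/<x> is proxied to the backend as /<x>.

# Standard idiom so non-WebSocket requests do not carry "Connection: upgrade".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 8080;
    server_name localhost;
    server_tokens off;                       # valid at http, server and location level

    location / {
        proxy_pass http://127.0.0.1:4200;    # frontend, as in the question
    }

    location /api/ {
        # The trailing slash makes nginx substitute "/api/" with "/", so
        # /api/authservice/login -> /authservice/login. No rewrite needed.
        # If nginx itself runs in a container, 127.0.0.1 is that container, not
        # the host: use host.docker.internal (Docker Desktop) or the compose
        # service name instead (assumption about the setup).
        proxy_pass http://127.0.0.1:8085/;

        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;

        # add_header in a location REPLACES any add_header set at server level
        # (they are inherited only when this level has none), so repeat
        # server-wide security headers here. "always" also covers error responses.
        add_header X-Content-Type-Options "nosniff" always;
        add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;

        # Never put "return 200 ..." in a proxied location: return runs first and wins.
    }
}
```

`nginx -t` accepts the original configuration because `return` after `proxy_pass` is syntactically fine; the only way to catch this class of mistake is to know that rewrite-phase directives run first, or to watch the access log and notice the 200 with no upstream address.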

web server – Nginx Config with multiple vhosts and general part for every hosts

I have several subdomains in one configuration file.
I was wondering if there is a way to set a general configuration part for every host and then configure each host separately.

For example, I have the following repeated in

sub1.domain.com

sub2.domain.com

sub3.domain.com

location ~ /\.ht {
    deny all;
}

location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
    expires 3d;
}

Is there any way to create a general part where I can list this only once and don't have to add it to every section of the configuration?
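nginx has no place to declare a `location` once for all servers: `location` is only valid inside `server`. The supported way to share them is to put the common blocks in a file and `include` it from each server block (the Debian/Ubuntu packages already ship a /etc/nginx/snippets/ directory for this). Below is an added example, not the original configuration; the snippet path and document roots are assumptions. It also broadens the dotfile rule from `.ht*` to every dotfile, which keeps `.git/`, `.env` and similar from being served, and it labels which file each part belongs to.

```nginx
# Added example (not from the original post). Two files shown in one block.

# --- /etc/nginx/snippets/common.conf  (path assumed) ---------------------
# Deny every dotfile and directory (.htaccess, .htpasswd, .git, .env, ...).
# If you serve ACME http-01 challenges, add a "location ^~ /.well-known/"
# block before this one; prefix ^~ locations win over regex locations.
location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}

# Static assets: cache for three days.
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
    expires 3d;
    add_header Cache-Control "public";
}

# --- /etc/nginx/sites-available/domain.com.conf ----------------------------
server {
    listen 80;
    server_name sub1.domain.com;
    root /var/www/sub1;                      # assumed
    include /etc/nginx/snippets/common.conf;
}

server {
    listen 80;
    server_name sub2.domain.com;
    root /var/www/sub2;                      # assumed
    include /etc/nginx/snippets/common.conf;
}

server {
    listen 80;
    server_name sub3.domain.com;
    root /var/www/sub3;                      # assumed
    include /etc/nginx/snippets/common.conf;
}
```

Directives that are valid at `http` level (for example `server_tokens off`, `ssl_protocols`, `add_header` for security headers) can simply be set once in nginx.conf and inherited; only `location` blocks need the include.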

nginx – reverse proxy, ssl, and load balance same connection?

The application we use has an extended path that we want shortened to just one subfolder. The method to do this was to use nginx. Along with this, the SSL is to be terminated on the proxy server and not on the actual web application servers. So far so good. But after reading through the docs on nginx load balancing, I do not see how this can be added on the same nginx server.

server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  ****.****.com;
    ssl_certificate "/etc/pki/tls/certs/***_****_com.crt";
    ssl_certificate_key "/etc/pki/tls/certs/ssl.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://1.xx.xx.5;
    }

    location /LakeCityMN {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://1.xx.xx.5/data/****/****/Lake;
        rewrite ^/Lake$ /data/****/****/Lake/ permanent;
    }
}

Is there a means with nginx to load balance a 2nd proxy_pass? Adding in the 2nd proxy_pass server does not work and that is the only line that defines the backend server. So I am either lost in how to add this correctly, or this is not doable with nginx.
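Load balancing in nginx is not a second `proxy_pass` line; it is an `upstream` group listing the backend servers, which `proxy_pass` then refers to by name. The same group can be used from several locations, including one that maps the short public path onto the long internal one, and TLS still terminates in this one server block. The configuration below is an added example, not the original one: the two backend addresses, the hostname, the certificate paths and the `/data/region/site/Lake/` path segments are placeholders standing in for the redacted values.

```nginx
# Added example (not the original config). TLS terminates here; both locations
# are balanced across the same pool of application servers.

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream app_servers {
    # Most stateful web apps need a client to keep hitting the same server.
    ip_hash;
    server 10.0.0.5:80 max_fails=3 fail_timeout=30s;   # placeholder address
    server 10.0.0.6:80 max_fails=3 fail_timeout=30s;   # placeholder address
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name app.example.com;                        # placeholder

    ssl_certificate     /etc/pki/tls/certs/app.crt;     # placeholder
    ssl_certificate_key /etc/pki/tls/private/app.key;   # placeholder
    # The original block sets no ssl_protocols, so nginx would also accept
    # whatever older TLS versions the OpenSSL build allows.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Set once at server level; every location inherits them as long as it
    # declares no proxy_set_header of its own.
    proxy_http_version 1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        $connection_upgrade;

    location / {
        proxy_pass http://app_servers;
    }

    # Short public path -> long internal path, served by the same pool.
    # The trailing slashes make nginx swap the matched prefix for the URI part.
    location /LakeCityMN/ {
        proxy_pass http://app_servers/data/region/site/Lake/;
    }
}
```

Because TLS ends at the proxy, the hop to the pool is plaintext HTTP. If the network between the proxy and the application servers is not trusted, point the upstream at the servers' HTTPS ports, use `proxy_pass https://app_servers...`, and add `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` so the proxy checks the backend certificates instead of accepting any.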

reverse proxy – How to redirect port 80 and 8080 to 443 using nginx for a Jenkins server

I am trying to redirect anything going to port 80 and 8080 to 443 (https) using nginx. This is for a Jenkins server. I am using Ubuntu. This is the nginx config I have at the moment:

server {
  listen 80;
  server_name jenkins.mydomain.com;

  location / {
    proxy_pass          http://localhost:8080;
    proxy_set_header    Host      $host;
    proxy_redirect      http://localhost:8080 https://jenkins.mydomain.com;
  }

  return 301 https://jenkins.mydomain.com$request_uri;
}

server {
  listen [::]:443 ssl ipv6only=on;
  listen 443 ssl;
  server_name jenkins.mydomain.com;

  ssl on;
  ssl_certificate /path/to/wildcard.mydomain.com.crt;
  ssl_certificate_key /path/to/wildcard.mydomain.com.key;

  location / {
    add_header Cache-Control private;
    expires epoch;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Host $host;
    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_server_name on;

    include /etc/nginx/proxy_params;
    proxy_pass          http://localhost:8080;
    proxy_read_timeout  90s;
    proxy_redirect      http://localhost:8080 https://jenkins.mydomain.com;
  }
}

As you can see I tried adding the proxy related headers to the port 80 server block but that is not working. When I go to http://jenkins.mydomain.com or http://jenkins.mydomain.com:8080 it does not redirect to https://jenkins.mydomain.com. How do I redirect anything going to port 80 and 8080 to 443?
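nginx can only redirect requests that arrive at a port it listens on. In the configuration above nothing listens on 8080 except Jenkins itself, so http://jenkins.mydomain.com:8080 goes straight to Jenkins and never sees the redirect; two processes cannot share the port, so Jenkins has to move (for the Debian/Ubuntu package the listen address and port are set through JENKINS_ARGS or the JENKINS_PORT / JENKINS_LISTEN_ADDRESS variables, in /etc/default/jenkins or the systemd unit depending on the version; that detail is an assumption about the installation). Two further points about the original block: a `return` at server level runs before any `location` is selected, so the proxy directives in the port-80 server were dead code, and `proxy_ssl_*` only applies to `proxy_pass https://`, while `ssl on;` is superseded by the `ssl` parameter of `listen`. The configuration below is an added example, not the original; it assumes Jenkins was moved to 127.0.0.1:8081 and keeps the question's certificate paths.

```nginx
# Added example (not the original config). Jenkins is assumed to listen on
# 127.0.0.1:8081 so that nginx can own ports 80, 8080 and 443.

server {
    listen 80;
    listen [::]:80;
    listen 8080;
    listen [::]:8080;
    server_name jenkins.mydomain.com;

    # Keep ACME http-01 renewals working over plain HTTP (path assumed).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    # $host carries the hostname without the port, so :8080 is dropped here.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name jenkins.mydomain.com;

    ssl_certificate     /path/to/wildcard.mydomain.com.crt;   # from the question
    ssl_certificate_key /path/to/wildcard.mydomain.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_http_version 1.1;
        proxy_read_timeout 90s;

        # Jenkins uses these to build its own URLs and to detect the reverse proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  443;

        # Rewrite absolute redirects Jenkins emits to its own bind address.
        proxy_redirect http://127.0.0.1:8081 https://jenkins.mydomain.com;

        # Jenkins CLI and agent connections stream large bodies; do not spool them.
        proxy_request_buffering off;
        proxy_buffering off;
    }
}
```

Binding Jenkins to 127.0.0.1 also matters on its own: with the original setup a client could still reach Jenkins over plaintext on :8080 and bypass both the redirect and the TLS termination. Jenkins' "Jenkins URL" setting should be https://jenkins.mydomain.com/ so the "reverse proxy seems to be broken" warning goes away.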

nginx – server name aliases not work with reverse proxy

I have a problem parking a domain on my website.
Everything is OK on domain.com: when I browse domain.com, it reverse-proxies my NodeJS program on domain.com well.

I have just added domain.org and everything is OK in the DNS service, but if I browse domain.org it just shows me the Nginx welcome page.
It seems like it doesn’t treat domain.org as an alias of my canonical domain.com and doesn’t understand the document root for it. So what should I do?

If it helps, I’m on Ubuntu 18.04.
Nginx as web server and reverse proxy for NodeJS.
bind9 as DNS service.
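nginx picks a server block by matching the request's Host header against `server_name`; a hostname that matches none of them falls through to the default server, which on Ubuntu is the package's welcome page. DNS has nothing to do with it once the request reaches the box. The block below is an added example, not the original configuration: it lists every name the site should answer to, with the Node.js port as an assumption, and shows the redirect alternative for a domain that should only forward to the canonical one.

```nginx
# Added example (not from the original post).

# Option A: serve the same app under every name.
server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com domain.org www.domain.org;

    location / {
        proxy_pass http://127.0.0.1:3000;    # Node.js app; port is an assumption
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Option B (instead of listing .org above): park domain.org by redirecting it
# to the canonical name, so search engines and cookies see one origin only.
# server {
#     listen 80;
#     listen [::]:80;
#     server_name domain.org www.domain.org;
#     return 301 $scheme://domain.com$request_uri;
# }
```

Run `nginx -t && systemctl reload nginx` after editing. If the site is served over HTTPS, the certificate must also list domain.org and www.domain.org as subject alternative names, otherwise browsers will warn before the request ever reaches the server block.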