what should i do for https in nginx/express?
up vote
1
down vote
favorite
my purpose...
- client ------> 80 port.
- 80 ----------> 443 (by nginx, for https)
- 443 ---------> 3000 (by nginx)
- express server is waiting on port 3000.
When i tried connecting to the domain name, i just got cannot connect site, domain.com deny your access
nginx settings - /etc/nginx/sites-available/default
> # HTTP server {
> listen 80 default_server;
> listen [::]:80 default_server;
> server_name domain.com www.domain.com;
>
> access_log /var/log/nginx/domain.access.log;
> error_log /var/log/nginx/error.log;
>
> # redirect to https
> return 301 https://$server_name$request_uri; }
> # HTTPS server {
> listen 443 ssl;
> listen [::]:443 ssl;
> #server_name domain.com www.domain.com;
>
> access_log /var/log/nginx/domain.access.log;
> error_log /var/log/nginx/error.log;
>
> ssl on;
>
> # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
> ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
> ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
>
> ssl_session_timeout 1d;
> ssl_session_cache shared:SSL:50m;
> ssl_session_tickets off;
>
> # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
> ssl_dhparam /etc/letsencrypt/live/www.domain.com/dhparam.pem;
>
> # intermediate configuration. tweak to your needs.
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-R$
> ssl_prefer_server_ciphers on;
>
> # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months
> add_header Strict-Transport-Security max-age=15768000;
> # OCSP Stapling ---
> # fetch OCSP records from URL in ssl_certificate and cache them
> ssl_stapling on;
> ssl_stapling_verify on;
>
> # verify chain of trust of OCSP response using Root CA and Intermediate certs
> ssl_trusted_certificate /etc/letsencrypt/live/www.domain.com/chain.pem;
>
> resolver 8.8.8.8 8.8.4.4 valid=86400;
> resolver_timeout 10;
>
> location / {
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Host $host;
> proxy_set_header X-NginX-Proxy true;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-Proto https;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
> #additional settings
> proxy_read_timeout 300;
> proxy_connect_timeout 300;
>
> proxy_pass http://localhost:3000;
> proxy_redirect off;
> proxy_http_version 1.1;
> } }
nodejs settings
require('@babel/polyfill');
const app = require('./app');
const debug = require('debug')('learn-express:server');
const http = require('http');
require('dotenv').config();
const port = normalizePort(process.env.http_port);
app.listen(port, () => {
console.log('Server is running on port '+port);
});
node.js express nginx https
edited Nov 11 at 21:30
mihai
23.2k73968
asked Nov 4 at 14:13
websterking
63
add a comment |
up vote
1
down vote
favorite
my purpose...
- client ------> 80 port.
- 80 ----------> 443 (by nginx, for https)
- 443 ---------> 3000 (by nginx)
- express server is waiting on port 3000.
When i tried connecting to the domain name, i just got cannot connect site, domain.com deny your access
nginx settings - /etc/nginx/sites-available/default
> # HTTP server {
> listen 80 default_server;
> listen [::]:80 default_server;
> server_name domain.com www.domain.com;
>
> access_log /var/log/nginx/domain.access.log;
> error_log /var/log/nginx/error.log;
>
> # redirect to https
> return 301 https://$server_name$request_uri; }
> # HTTPS server {
> listen 443 ssl;
> listen [::]:443 ssl;
> #server_name domain.com www.domain.com;
>
> access_log /var/log/nginx/domain.access.log;
> error_log /var/log/nginx/error.log;
>
> ssl on;
>
> # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
> ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
> ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
>
> ssl_session_timeout 1d;
> ssl_session_cache shared:SSL:50m;
> ssl_session_tickets off;
>
> # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
> ssl_dhparam /etc/letsencrypt/live/www.domain.com/dhparam.pem;
>
> # intermediate configuration. tweak to your needs.
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-R$
> ssl_prefer_server_ciphers on;
>
> # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months
> add_header Strict-Transport-Security max-age=15768000;
> # OCSP Stapling ---
> # fetch OCSP records from URL in ssl_certificate and cache them
> ssl_stapling on;
> ssl_stapling_verify on;
>
> # verify chain of trust of OCSP response using Root CA and Intermediate certs
> ssl_trusted_certificate /etc/letsencrypt/live/www.domain.com/chain.pem;
>
> resolver 8.8.8.8 8.8.4.4 valid=86400;
> resolver_timeout 10;
>
> location / {
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Host $host;
> proxy_set_header X-NginX-Proxy true;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-Proto https;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
> #additional settings
> proxy_read_timeout 300;
> proxy_connect_timeout 300;
>
> proxy_pass http://localhost:3000;
> proxy_redirect off;
> proxy_http_version 1.1;
> } }
nodejs settings
require('@babel/polyfill');
const app = require('./app');
const debug = require('debug')('learn-express:server');
const http = require('http');
require('dotenv').config();
const port = normalizePort(process.env.http_port);
app.listen(port, () => {
console.log('Server is running on port '+port);
});
node.js express nginx https
edited Nov 11 at 21:30
mihai
23.2k73968
asked Nov 4 at 14:13
websterking
63
add a comment |
up vote
1
down vote
favorite
up vote
1
down vote
favorite
my purpose...
- client ------> 80 port.
- 80 ----------> 443 (by nginx, for https)
- 443 ---------> 3000 (by nginx)
- express server is waiting on port 3000.
When i tried connecting to the domain name, i just got cannot connect site, domain.com deny your access
nginx settings - /etc/nginx/sites-available/default
> # HTTP server {
> listen 80 default_server;
> listen [::]:80 default_server;
> server_name domain.com www.domain.com;
>
> access_log /var/log/nginx/domain.access.log;
> error_log /var/log/nginx/error.log;
>
> # redirect to https
> return 301 https://$server_name$request_uri; }
> # HTTPS server {
> listen 443 ssl;
> listen [::]:443 ssl;
> #server_name domain.com www.domain.com;
>
> access_log /var/log/nginx/domain.access.log;
> error_log /var/log/nginx/error.log;
>
> ssl on;
>
> # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
> ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
> ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
>
> ssl_session_timeout 1d;
> ssl_session_cache shared:SSL:50m;
> ssl_session_tickets off;
>
> # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
> ssl_dhparam /etc/letsencrypt/live/www.domain.com/dhparam.pem;
>
> # intermediate configuration. tweak to your needs.
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-R$
> ssl_prefer_server_ciphers on;
>
> # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months
> add_header Strict-Transport-Security max-age=15768000;
> # OCSP Stapling ---
> # fetch OCSP records from URL in ssl_certificate and cache them
> ssl_stapling on;
> ssl_stapling_verify on;
>
> # verify chain of trust of OCSP response using Root CA and Intermediate certs
> ssl_trusted_certificate /etc/letsencrypt/live/www.domain.com/chain.pem;
>
> resolver 8.8.8.8 8.8.4.4 valid=86400;
> resolver_timeout 10;
>
> location / {
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Host $host;
> proxy_set_header X-NginX-Proxy true;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-Proto https;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
> #additional settings
> proxy_read_timeout 300;
> proxy_connect_timeout 300;
>
> proxy_pass http://localhost:3000;
> proxy_redirect off;
> proxy_http_version 1.1;
> } }
nodejs settings
require('@babel/polyfill');
const app = require('./app');
const debug = require('debug')('learn-express:server');
const http = require('http');
require('dotenv').config();
const port = normalizePort(process.env.http_port);
app.listen(port, () => {
console.log('Server is running on port '+port);
});
node.js express nginx https
edited Nov 11 at 21:30
mihai
23.2k73968
asked Nov 4 at 14:13
websterking
63
my purpose...
- client ------> 80 port.
- 80 ----------> 443 (by nginx, for https)
- 443 ---------> 3000 (by nginx)
- express server is waiting on port 3000.
When i tried connecting to the domain name, i just got cannot connect site, domain.com deny your access
nginx settings - /etc/nginx/sites-available/default
> # HTTP server {
> listen 80 default_server;
> listen [::]:80 default_server;
> server_name domain.com www.domain.com;
>
> access_log /var/log/nginx/domain.access.log;
> error_log /var/log/nginx/error.log;
>
> # redirect to https
> return 301 https://$server_name$request_uri; }
> # HTTPS server {
> listen 443 ssl;
> listen [::]:443 ssl;
> #server_name domain.com www.domain.com;
>
> access_log /var/log/nginx/domain.access.log;
> error_log /var/log/nginx/error.log;
>
> ssl on;
>
> # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
> ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
> ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
>
> ssl_session_timeout 1d;
> ssl_session_cache shared:SSL:50m;
> ssl_session_tickets off;
>
> # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
> ssl_dhparam /etc/letsencrypt/live/www.domain.com/dhparam.pem;
>
> # intermediate configuration. tweak to your needs.
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-R$
> ssl_prefer_server_ciphers on;
>
> # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months
> add_header Strict-Transport-Security max-age=15768000;
> # OCSP Stapling ---
> # fetch OCSP records from URL in ssl_certificate and cache them
> ssl_stapling on;
> ssl_stapling_verify on;
>
> # verify chain of trust of OCSP response using Root CA and Intermediate certs
> ssl_trusted_certificate /etc/letsencrypt/live/www.domain.com/chain.pem;
>
> resolver 8.8.8.8 8.8.4.4 valid=86400;
> resolver_timeout 10;
>
> location / {
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Host $host;
> proxy_set_header X-NginX-Proxy true;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-Proto https;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
> #additional settings
> proxy_read_timeout 300;
> proxy_connect_timeout 300;
>
> proxy_pass http://localhost:3000;
> proxy_redirect off;
> proxy_http_version 1.1;
> } }
nodejs settings
require('@babel/polyfill');
const app = require('./app');
const debug = require('debug')('learn-express:server');
const http = require('http');
require('dotenv').config();
const port = normalizePort(process.env.http_port);
app.listen(port, () => {
console.log('Server is running on port '+port);
});
node.js express nginx https
node.js express nginx https
edited Nov 11 at 21:30
mihai
23.2k73968
asked Nov 4 at 14:13
websterking
63
edited Nov 11 at 21:30
mihai
23.2k73968
asked Nov 4 at 14:13
websterking
63
edited Nov 11 at 21:30
mihai
23.2k73968
edited Nov 11 at 21:30
mihai
23.2k73968
edited Nov 11 at 21:30
mihai
23.2k73968
23.2k73968
asked Nov 4 at 14:13
websterking
63
asked Nov 4 at 14:13
websterking
63
asked Nov 4 at 14:13
websterking
63
63
add a comment |
add a comment |
active
oldest
votes
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53141737%2fwhat-should-i-do-for-https-in-nginx-express%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
draft saved
draft discarded
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53141737%2fwhat-should-i-do-for-https-in-nginx-express%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
