FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Example SSL setup for Nginx/Apache with certbot... #392

Open corepay opened 4 years ago

corepay commented 4 years ago

Example SSL setup for Nginx/Apache with certbot...

Problem

4+ hours trying to figure out how to get NGINX to serve app via SSL. Can reach site using https:// now but getting Maintenance mode. Been stuck for a long time banging the keyboard and kicking the dog.

Tried Caddy but that blew up the Internet it was so wrong.

Using Digital Ocean One-Click Install (perfect!). IMO if you provide an installation for a public site, good security citizenship would be to walk dummies like me through securing our installations to thwart hackers and protect the universe.

BTW - I love, love, love FusionAuth. It is very polished, complete as far as I can tell and am excited to use this in my dream apps...thank you.

Solution

Sample generic APACHE and NGINX configuration with certbot, ideally in docker-compose and part of one-click... think about Caddy also :)

Alternatives/workarounds

Additional context

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

robotdan commented 4 years ago

Thanks for the suggestion @corepay - sorry about your dog. :-)

Glad you're enjoying FusionAuth. This is a great suggestion.

The website and documentation are all open source. You are also welcome to submit a PR: https://github.com/FusionAuth/fusionauth-site

corepay commented 4 years ago

Fast reply - been noticing that....

So I just got it working 5 minutes ago. Following is an NGINX setup post-certbot

```nginx
# Upstream for the FusionAuth backend (FusionAuth listens on 9011 by default)
upstream auth {
    server 127.0.0.1:9011;
    keepalive 8;
}

# The HTTPS server instance
server {
    server_name auth.example.io;
    access_log /var/log/nginx/example.com.log;

    location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      # proxy_set_header X-NginX-Proxy true;
      # Tell the backend the public scheme and port so it builds https:// URLs.
      # proxy_set_header overwrites whatever the client sent, so these values
      # cannot be spoofed by a client going through the proxy.
      proxy_set_header X-Forwarded-Port "443";
      proxy_set_header X-Forwarded-Proto "https";

      # The keepalive pool in the upstream block only takes effect with
      # HTTP/1.1 and an empty Connection header towards the upstream.
      proxy_http_version 1.1;
      proxy_set_header Connection "";

      proxy_pass http://auth/;
      # Location headers from the upstream are passed through unchanged
      proxy_redirect off;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/auth.example.io/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/auth.example.io/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

# Plain-HTTP listener: redirect our hostname to HTTPS, refuse everything else
server {
    if ($host = auth.example.io) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 0.0.0.0:80;
    server_name auth.example.io;
    return 404; # managed by Certbot
}
```

Not going to PR - I don't know enough to put code out there myself in the vulnerable position of experienced server admins exposing me...

Be looking forward to seeing a docker-compose setup if/when you guys get around it. Eventually want everything scripted....

Thanks!

jerryhopper commented 4 years ago

In my home environment I use virtualmin (apache) for simple webhosting + SSL. I have configured a virtualhost that proxies requests to a fusionauth instance.

This is the Apache configuration I'm using.

```apache
# Drop the Host header so mod_proxy sends the upstream's own name to the backend
RequestHeader unset Host

# Describe the public endpoint to the backend (overwrites any client-supplied value)
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Host "idp.yourserver.ext"

# Serve /.well-known locally (certbot HTTP-01 validation), proxy everything else
ProxyPass /.well-known !
ProxyPass / http://fusionauth:9011/
ProxyPassReverse / http://fusionauth:9011/
```

The "/.well-known" proxy-exception is to facilitate certbot's validation.

Without the "RequestHeader unset Host" I experienced 500 server errors in the admin backend of FusionAuth. (I'm not sure, yet I think #88 might benefit from this knowledge.)

I hope this helps people setting up FA behind Apache.

Nginx

I'm not a primary nginx user, but I've noticed there are some issues that seem header-related.

In issue #406 @jesperwe suggests the use of 'proxy_redirect http:// https://;' when having issues with the redirect-url. https://github.com/FusionAuth/fusionauth-issues/issues/406#issuecomment-571030635

So it seems there are a few caveats when running behind apache/nginx that need to be documented. I'm no expert on either engine; maybe someone with more thorough knowledge of nginx/apache could shine a light on these config suggestions.
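Both configs in this thread (corepay's nginx one and jerryhopper's Apache one) only work because the backend reads the X-Forwarded-Proto/Port/Host headers the proxy sets. The Python below is an added example, not FusionAuth's code and not a description of how FusionAuth implements this, showing how a service behind such a proxy should reconstruct its public base URL from those headers: why the Apache variant needs X-Forwarded-Host once Host is unset, why a missing X-Forwarded-Proto yields the http:// redirect mentioned in #406, why the headers must only be honoured when they arrive from the proxy's own address, and what a `proxy_redirect http:// https://;` style rewrite does to an upstream Location header. TRUSTED_PROXIES, the hostnames and the sample header sets are assumptions constructed for the example.

```python
"""Added example (not FusionAuth code): reconstructing a public base URL
behind a TLS-terminating reverse proxy, and rewriting http:// redirects.
All hosts, peers and header sets below are constructed for illustration."""

from urllib.parse import urlsplit, urlunsplit

# Assumption: only the reverse proxy itself may assert X-Forwarded-*.
# Anyone who can reach the backend port (9011) directly could otherwise
# forge these headers and make the service build attacker-chosen URLs.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def _strip_port(host):
    """Remove a :port suffix from a Host value (handles [ipv6]:port)."""
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def public_base_url(headers, peer_ip, trusted_proxies=TRUSTED_PROXIES):
    """Return scheme://host[:port] as the browser sees it.

    headers: request headers (name -> value, names case-insensitive).
    peer_ip: address of the TCP peer that delivered the request.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "")

    if peer_ip not in trusted_proxies:
        # Direct connection or untrusted hop: ignore forwarding headers and
        # describe the connection as it really is (plain HTTP on Host).
        return f"http://{host}"

    scheme = h.get("x-forwarded-proto", "http").lower()
    if scheme not in DEFAULT_PORTS:
        scheme = "http"
    # With Apache's "RequestHeader unset Host", Host arrives as the upstream
    # name (fusionauth:9011); X-Forwarded-Host carries the public name.
    host = _strip_port(h.get("x-forwarded-host", host))
    port = int(h.get("x-forwarded-port", DEFAULT_PORTS[scheme]))
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def rewrite_location(location, base_url):
    """Put an http:// Location for our own host back onto the public base.

    This is the effect wanted from nginx's `proxy_redirect http:// https://;`
    (issue #406), restricted here to our own hostname; nginx's directive
    rewrites any http:// prefix regardless of host.
    """
    loc, base = urlsplit(location), urlsplit(base_url)
    if loc.scheme == "http" and loc.hostname == base.hostname:
        return urlunsplit((base.scheme, base.netloc, loc.path, loc.query, loc.fragment))
    return location


# Constructed samples: what each proxy config in the thread delivers.
NGINX_HEADERS = {
    "Host": "auth.example.io",
    "X-Forwarded-For": "203.0.113.5",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
}
APACHE_HEADERS = {
    "Host": "fusionauth:9011",  # upstream name, because Host was unset
    "X-Forwarded-Host": "idp.yourserver.ext",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
}
MISSING_PROTO_HEADERS = {"Host": "auth.example.io"}           # proxy forgot X-Forwarded-Proto
FORGED_HEADERS = {"Host": "198.51.100.7:9011", "X-Forwarded-Proto": "https"}


if __name__ == "__main__":
    print("nginx   :", public_base_url(NGINX_HEADERS, "127.0.0.1"))
    print("apache  :", public_base_url(APACHE_HEADERS, "127.0.0.1"))
    print("no proto:", public_base_url(MISSING_PROTO_HEADERS, "127.0.0.1"))
    print("forged  :", public_base_url(FORGED_HEADERS, "203.0.113.5"))
    print("rewrite :", rewrite_location("http://auth.example.io/oauth2/authorize?client_id=abc",
                                        "https://auth.example.io"))
```

The "no proto" case is the failure gregoriopellegrino describes below: the backend sees a plain-HTTP connection on Host and builds an http:// redirect, which the browser then blocks inside an https page. The "forged" case is why a backend must not honour X-Forwarded-* from arbitrary peers, and why port 9011 should not be reachable from outside except through the proxy.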

gregoriopellegrino commented 4 years ago

I've set up nginx as @corepay suggested. It seems to work ok, but I get an error in Chrome when, after the login in an iframe, the authentication redirects to http, instead of https.

gregoriopellegrino commented 4 years ago

Solved following https://github.com/FusionAuth/fusionauth-issues/issues/406#issuecomment-571030635

gjdass commented 4 years ago

Hello guys.

Thanks for the nginx config, tested it and seems to work so far on my homologation cloud instance.

Two problems:

Using nginx with my subdomain and SSL (self-signed certificate though):

[screenshots]

If I hit the IP directly, without SSL (so without nginx redirecting anything):

[screenshot] and the console is clean, no JS error.

Nginx is showing one interesting log line (I changed sensitive data obviously, but the mail address and server names are all right) in errors.log:

2020/05/11 19:17:56 [error] 19796#19796: *341 upstream timed out (110: Connection timed out) while reading response header from upstream, client: xx.xx.xx.xx, server: sso.hom-1.xxxxxx.com, request: "POST /ajax/tenant/smtp/test?email=email_address%40gmail.com HTTP/1.1", upstream: "http://[::1]:9011/ajax/tenant/smtp/test?email=email_address%40gmail.com", host: "sso.hom-1.xxxxxx.com", referrer: "https://sso.hom-1.xxxxxxx.com/admin/tenant/edit?tenantId=e94ff3e7-46f9-4233-07e2-7ce1e7da0f06"

Maybe it's in fact a normal behavior from Nginx (I suppose it's normal to time out when you cannot reach what you want ... in this case, SMTP server), but the FusionAuth behavior is still not the same though, it does not error gracefully with nginx.

For information:

Any idea where it could come from?

Posting just in case.

robotdan commented 4 years ago

What version are you on? It may be related to this issue ( https://github.com/FusionAuth/fusionauth-issues/issues/617 ). To confirm, you can pull the latest 1.16.0 image and re-try.

gjdass commented 4 years ago

Thanks for your very quick answer. Just deleted the container, pulled and relaunched. Now it's acting normal under nginx as well, thanks.

Not sure I understood why though. But I'm pretty new here 😃