Closed delprofile closed 7 years ago
FZambia
commented
7 years ago Hi, there is an example Nginx configuration in docs. Your config looks absolutely different. Also you don't have to use SSL in Centrifugo config if you are terminating SSL in Nginx.
delprofile
commented
7 years ago Я использовал конфиг из примеров, толку 0
upstream centrifugo {
ip_hash;
server 127.0.0.1:8000;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
server_name *******.ru www.*******.ru;
ssl on;
ssl_certificate "/var/www/httpd-cert/*******/*******.ru.crtca";
ssl_certificate_key "/var/www/httpd-cert/*******/*******.ru.key";
ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL:!RC4:!RSA+3DES;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=31536000;";
ssl_dhparam /etc/ssl/certs/dhparam4096.pem;
charset off;
index index.html index.php;
disable_symlinks if_not_owner from=$root_path;
include /etc/nginx/vhosts-includes/*.conf;
include /etc/nginx/vhosts-resources/*******.ru/*.conf;
access_log /var/www/httpd-logs/*******.ru.access.log;
error_log /var/www/httpd-logs/*******.ru.error.log notice;
ssi on;
set $root_path /var/www/*******/data/www/*******.ru/public;
gzip on;
gzip_comp_level 5;
gzip_disable "msie6";
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
location / {
location ~ [^/]\.ph(p\d*|tml)$ {
try_files /does_not_exists @fallback;
}
location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
expires 7d;
try_files $uri $uri/ @fallback;
}
location / {
try_files /does_not_exists @fallback;
}
}
location @fallback {
proxy_pass http://127.0.0.1:8080;
proxy_redirect http://127.0.0.1:8080 /;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
access_log off;
}
location /centrifugo/ {
rewrite ^/centrifugo/(.*) /$1 break;
proxy_pass_header Server;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass http://centrifugo;
}
location /centrifugo/socket {
rewrite ^/centrifugo(.*) $1 break;
proxy_next_upstream error;
proxy_buffering off;
keepalive_timeout 65;
proxy_pass http://centrifugo;
proxy_read_timeout 60s;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
location /centrifugo/connection {
rewrite ^/centrifugo(.*) $1 break;
proxy_next_upstream error;
gzip on;
gzip_min_length 1000;
gzip_proxied any;
proxy_buffering off;
keepalive_timeout 65;
proxy_pass http://centrifugo;
proxy_read_timeout 60s;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
root $root_path;
listen 185.87.49.66:443;
listen [2a02:f680:1:1100::3985]:443;
}Как же мне не использовать ssl если у меня хост использует ssl? У меня веб сервером управляет isp manager
Inpassor
commented
7 years ago Here's the config that I use (removed some extra lines):
server {
server_name {{SERVER_NAME}};
listen 80;
error_log off;
access_log off;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
if ($http_user_agent ~* (nmap|nikto|wikto|sf|sqlmap|bsqlbf|w3af|acunetix|havij|appscan)) {
return 403;
}
location / {
return 301 https://$host:443$request_uri;
}
}
upstream centrifugo {
server 127.0.0.1:8000;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
server_name {{SERVER_NAME}};
listen 443 ssl http2;
error_log /var/log/nginx/msg.{{DOMAIN}}.error.log;
access_log /var/log/nginx/msg.{{DOMAIN}}.access.log;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000;";
add_header 'Access-Control-Allow-Origin' "$http_origin";
if ($http_user_agent ~* (nmap|nikto|wikto|sf|sqlmap|bsqlbf|w3af|acunetix|havij|appscan)) {
return 403;
}
set $root_path /var/www/msg.{{DOMAIN}};
root $root_path;
disable_symlinks if_not_owner from=$root_path;
charset utf-8;
autoindex off;
ssi on;
ssl on;
ssl_certificate "/etc/letsencrypt/live/{{DOMAIN}}/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/{{DOMAIN}}/privkey.pem";
ssl_trusted_certificate "/etc/letsencrypt/live/{{DOMAIN}}/chain.pem";
ssl_ciphers AES256+EECDH:AES256+EDH;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_ecdh_curve secp384r1;
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:24m;
ssl_buffer_size 1400;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
include /etc/nginx/mime.types;
default_type application/octet-stream;
proxy_next_upstream error;
location /connection {
proxy_pass http://centrifugo;
proxy_buffering off;
keepalive_timeout 65;
proxy_read_timeout 60s;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
location /socket {
proxy_pass http://centrifugo;
proxy_buffering off;
keepalive_timeout 65;
proxy_read_timeout 60s;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
location / {
proxy_pass http://centrifugo;
proxy_buffering off;
keepalive_timeout 65;
proxy_read_timeout 60s;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}Instead of {{...}} insert what you need, the ssl settings should be changed according to your needs. Change paths to files and directories to your own.
delprofile
commented
7 years ago Не прокатит, по простой причине у вас стоит чистый nginx у меня же стоит nginx+apache
FZambia
commented
7 years ago @Inpassor thanks for a valuable snippet.
@delprofile can you proxy requests from Nginx to Centrifugo without Apache involved or something? Actually I have never worked with ISP manager and have no notion about how it works. Maybe you better ask this question in ISP community.
delprofile
commented
7 years ago I asked, ISP support dont help. isp manager cfg
user www-data;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 40000;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/vhosts/*/*.conf;
client_max_body_size 128m;
server {
server_name localhost;
disable_symlinks if_not_owner;
listen 80;
include /etc/nginx/vhosts-includes/*.conf;
location @fallback {
error_log /dev/null crit;
proxy_pass http://127.0.0.1:8080;
proxy_redirect http://127.0.0.1:8080 /;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
access_log off ;
}
}
}conf.d - # disabled by ISPmanager
vhosts domain.conf
upstream centrifugo {
server 127.0.0.1:8000;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
server_name *******.ru www.*******.ru;
ssl on;
ssl_certificate "/var/www/httpd-cert/*******/*******.ru.crtca";
ssl_certificate_key "/var/www/httpd-cert/*******/*******.ru.key";
ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL:!RC4:!RSA+3DES;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=31536000;";
ssl_dhparam /etc/ssl/certs/dhparam4096.pem;
charset off;
index index.html index.php;
disable_symlinks if_not_owner from=$root_path;
include /etc/nginx/vhosts-includes/*.conf;
include /etc/nginx/vhosts-resources/*******.ru/*.conf;
access_log /var/www/httpd-logs/*******.ru.access.log;
error_log /var/www/httpd-logs/*******.ru.error.log notice;
ssi on;
set $root_path /var/www/*******/data/www/*******.ru/public;
gzip on;
gzip_comp_level 5;
gzip_disable "msie6";
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
location / {
location ~ [^/]\.ph(p\d*|tml)$ {
try_files /does_not_exists @fallback;
}
location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
expires 7d;
try_files $uri $uri/ @fallback;
}
location / {
try_files /does_not_exists @fallback;
}
}
location @fallback {
proxy_pass http://127.0.0.1:8080;
proxy_redirect http://127.0.0.1:8080 /;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
access_log off;
}
location /centrifugo/connection {
proxy_pass http://centrifugo;
proxy_buffering off;
keepalive_timeout 65;
proxy_read_timeout 60s;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
location /centrifugo/socket {
proxy_pass http://centrifugo;
proxy_buffering off;
keepalive_timeout 65;
proxy_read_timeout 60s;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
location /centrifugo/ {
proxy_pass http://centrifugo;
proxy_buffering off;
keepalive_timeout 65;
proxy_read_timeout 60s;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
root $root_path;
listen 185.87.49.66:443;
listen [2a02:f680:1:1100::3985]:443;
}But not worked
Inpassor
commented
7 years ago @delprofile try this:
wss://centrifugo.yourdomain.com@delprofile by the way, did you try to connect by the url wss://yourdomain.com/centrifugo ?
delprofile
commented
7 years ago Try! not worked... I'll try your version in the evening
delprofile
commented
7 years ago work, but jscent
var cent_conf = {
url: "https://centrifugo.*****.ru/api/",
secret: "secret",
strictSSL: "true"
} url: 'https://centrifugo.*****.ru/api/',
error: { Error: unable to verify the first certificateTry to add the root certificate at the top of your certificate chain.
FZambia
commented
7 years ago @delprofile as far as I can see problem solved?
delprofile
commented
7 years ago @FZambia sorry, no problem steel on jscent. i changed certificate bot don't work
error: { Error: unable to verify the first certificate
And you may add this config to your readme for nginx+apache+isp manager 5+Let's Encrypt
upstream centrifugo {
server 127.0.0.1:8000;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
server_name centrifugo.{{ YOURDOMAIN }} www.centrifugo.{{ YOURDOMAIN }};
listen xxx.xxx.xxx.xxx:443;
ssl on;
ssl_certificate "/var/www/httpd-cert/hardcsgo/centrifugo.{{ YOURDOMAIN }}.crt";
ssl_certificate_key "/var/www/httpd-cert/hardcsgo/centrifugo.{{ YOURDOMAIN }}.key";
ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL:!RC4:!RSA+3DES;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
error_log /var/www/httpd-logs/centrifugo.{{ YOURDOMAIN }}.error.log;
access_log off;
include /etc/nginx/vhosts-includes/*.conf;
location / {
proxy_pass http://centrifugo;
proxy_buffering off;
keepalive_timeout 65;
proxy_read_timeout 60s;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}@FZambia , Alexandr, you were allowed!
Inpassor
commented
7 years ago @delprofile , is this a complete listing of your config? This will not work.
delprofile
commented
7 years ago @Inpassor , working (=
upstream centrifugo {
server 127.0.0.1:8000;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
server_name centrifugo.{{ YOURDOMAIN }} www.centrifugo.{{ YOURDOMAIN }};
ssl on;
ssl_certificate "/var/www/httpd-cert/{{ YOURISPUSER }}/centrifugo.{{ YOURDOMAIN }}.crt";
ssl_certificate_key "/var/www/httpd-cert//{{ YOURISPUSER }}/centrifugo.{{ YOURDOMAIN }}.key";
ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL:!RC4:!RSA+3DES;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /etc/ssl/certs/dhparam4096.pem;
access_log off;
error_log /var/www/httpd-logs/centrifugo.{{ YOURDOMAIN }}.error.log;
include /etc/nginx/vhosts-includes/*.conf;
location / {
proxy_pass http://centrifugo;
proxy_buffering off;
keepalive_timeout 65;
proxy_read_timeout 60s;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
listen xxx.xxx.xxx.xxx:443;
}may check
FZambia
commented
7 years ago @delprofile you can look at results of SSLLabs for your site: https://www.ssllabs.com/ssltest/analyze.html?d=centrifugo.hardcsgo.ru - which is saying:
This server's certificate chain is incomplete.
I think if you resolve this issue you will get NodeJS client to work properly.
Btw, I remember that in past I used https://certificatechain.io/ site for problem like this.
delprofile
commented
7 years ago @FZambia dont i generate chain, isp manager generate this
delprofile
commented
7 years ago @FZambia isp manager generate 4 file
crt ca key and crtca
i changed
ssl_certificate "/var/www/httpd-cert/{{ YOURISPUSER }}/centrifugo.{{ YOURDOMAIN }}.crt";
to
ssl_certificate "/var/www/httpd-cert/{{ YOURISPUSER }}/centrifugo.{{ YOURDOMAIN }}.crtca";
and test js work fine, fucking ispmanager (=
solution
ssl_certificate "/var/www/httpd-cert/{{ YOURISPUSER }}/centrifugo.{{ YOURDOMAIN }}.crt";
ssl_certificate_key "/var/www/httpd-cert//{{ YOURISPUSER }}/centrifugo.{{ YOURDOMAIN }}.key";to
ssl_certificate "/var/www/httpd-cert/{{ YOURISPUSER }}/centrifugo.{{ YOURDOMAIN }}.crtca";
ssl_certificate_key "/var/www/httpd-cert//{{ YOURISPUSER }}/centrifugo.{{ YOURDOMAIN }}.key";THX ALL FOR HELP AND MOST RESPECT FOR CENTRIFUGO!!!!!!!!!!
FZambia
commented
7 years ago Cool! Thanks:)
@Inpassor many thanks for your help with this issue btw
Inpassor
commented
7 years ago @FZambia , no problem, you're welcome!
config.json
При попытке соединения http://SSMaker.ru/00af39aa/