SSL for local dmain - laravel

I have a project in Laravel. It was downloaded from a server to make some modifications. I have a SSL certificate for local domain (syworkx.local) from nginx. Can somebody help me with the installation and setting up the certificate

You can easily add an existing certificate to your nginx config file as shown below
listen 443 ssl;
server_name syworkx.local;
ssl_certificate /etc/nginx/ssl/syworkx_local.crt;
ssl_certificate_key /etc/nginx/ssl/syworkx_local.key;

Related

Nginx configuration Let's Encrypt Multiple Elastic Stack Ports

I have an Elastic Stack (8.0.1) consisting of Elasticsearch, Logstash, and Kibana all running within Docker containers deployed to private subnet using AWS EC2. For now, I have the entire Elastic Stack running in a single AWS EC2 instance (this is just for our initial small test environment; I know this is not the way Elasticsearch is intended to be run).
I have Nginx sitting in a public subnet acting as a proxy to the various Elastic Stack components which are all separated by their port numbers: :9200 (elasticsearch), :8080 (logstash HTTP plugin), :5601 (kibana).
Since Kibana 8+ is configured by default using TLS, I also installed Let's Encrypt with Nginx to create signed certificates that would work with browsers and maintain the SSL connectivity all the way back.
What I have works perfect for the default URL works because Nginx redirects port 80 to 443 and then to port 5601 for Kibana interaction.
What I want to do now is allow HTTPS connectivity for other ports: e.g. :9200 and :8080 (logstash http plugin). For example, I want to be able to interact with Logstash via cURL at port 8080:
`curl -0 -v XPUT --user elastic: 'https://elastic.example.com:8080//<doc#> -H 'Content-Type: text/csv; charset=utf-8' --data-binary "#/filename.txt"
(NOTE: running this cURL command locally on my Dockerized Elastic Stack without Nginx works great)
I don't understand how to modify the Nginx configuration that was created by Let's Encrypt to also forward traffic on to other ports (:9200 and :8080).
Here's the nginx.conf that is currently loaded into /etc/nginx/nginx.conf
http {
server {
server_name elastic.example.com;
location / {
proxy_pass https://10.6.101.20:5601;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/elastic.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/elastic.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = elastic.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name elastic.example.com;
listen 80;
return 404; # managed by Certbot
}
}
What confuses me is that it appears as if I need nested "listen" lines, one for 443 SSL and others for the :8080 and :9200 e.g.
http {
server {
listen 443 ssl; # managed by Certbot
listen 8080; # <-- Nested somehow?
server_name elastic.example.com;
location / {
proxy_pass https://10.6.101.20:8080; # <-- Proxy forward to IP and Port
}
...
}
After reading more, I realized that "ssl" did not have to be limited to port 443 and I could use "ssl" on any of the ports. (Therefore, I didn't need to "nest" the nginx config) Duh! So, all I needed to do for nginx.conf to be able to be the SSL reverse proxy for elasticsearch was to add the following:
http {
server {
server_name elastic.example.com;
location / {
proxy_pass https://10.6.101.20:5601;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/elastic.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/elastic.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name elastic.example.com;
location / {
proxy_pass https://10.6.101.20:9200;
}
listen 9200 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/elastic.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/elastic.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = elastic.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name elastic.example.com;
listen 80;
return 404; # managed by Certbot
}
}
So, I'm now able to do things like:
curl --user elastic:<password> -XGET "https://elastic.example.com:9200/_cluster/state?pretty"
And get back some very basic cluster information.
BUT, adding another block to the nginx.conf to be able to do something similar via the HTTP plugin for Logstash failed to work. I suspect it's something with the Nginx "location /" specification because I continue to get permission denied error, but maybe this is a question for another SO?

install wildcard lets encrypt ssl certificate on laravel sail

I created a SaaS app using laravel 8 with first-party package laravel sail (Docker) and tenancy for laravel
package for the SaaS.
I need to install wildcard lets encrypt SSL on the main app and all tenant apps will be on HTTPS.
I tried to install certbot image like this
certbot:
image: certbot/certbot:latest
the image installed but I do not know what to do after that.
I tried without docker using certbot instructions
it's installed and everything succeeded but the website doesn't open and all request timeout.
Update:
this is the ports section in my docker-compose.yml file
ports:
- '443:443'
I ran docker ps and all services are up and running.
I ran sudo ufw status and this is the result
TLDR: Laravel sail is not for production. Use a different docker configuration, if you need an example you can find it here: https://github.com/thomasmoors/laravel-docker
Also wildcard certificates are not achievable by using HTTP-01 challenges, you need a DNS-01 challenge, which you do by adding a txt record to your dns config.
Wildcard certificates by Let's Encrypt are only possible with a DNS-01 challenge. This however requires you to paste a TXT record to your DNS registry. So no go for wildcard unless you have an api to change your dns. It might be worth a try to look at this: https://stackexchange.github.io/dnscontrol/
However I do not know if your domain provider supports this.
For regular (non-wildcard) certificates:
By default Laravel Sail runs using the built in php artisan serve command-webserver, which has no support for ssl certificates. So you need to add a reverse proxy like nginx. Because of this I believe sail not to be production ready and also not intended. I have made an example of a non-sail docker-compose config for laravel: https://github.com/thomasmoors/laravel-docker
Certbot works by placing a file on your webserver which will be retrieved for the challenge. However it looks like your current configuration does not share a volume between your webserver and Certbot. Also you need to allow certbot to modify your nginx config.
The default location for you code is /var/www/html, so you should enable Certbot to write to that directory by adding a volume for the Certbot service as well:
upstream sentry_docker {
server 192.168.1.94:9005;
}
server {
server_name example.dev;
location / {
proxy_pass http://sentry_docker;
proxy_set_header Host $host;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.dev/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.dev/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = example.dev) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name example.dev;
listen 80;
return 404; # managed by Certbot
}
certbot:
image: certbot/certbot:latest
volumes:
- .:/var/www/html
- ./data/nginx:/etc/nginx/conf.d
There are not enough information to help you but I can suggest to check out this guide https://github.com/Daanra/laravel-lets-encrypt and double check your configuration.
If the website doesn't show up, according to the error, the problem might be related to the network (firewall) or something else (the application not running and binding itself to the port 80 for http requests and 443 for https).

Hugo site CSS not loading after adding SSL certificate with Nginx

https://www.greenhousemarketplace.com
After freshly installing certbot and forcing HTTPS redirect, my CSS and JS no longer loads, even though it is accessible via direct URL.
I'm not sure why, I've updated the links to the CSS and JS files, and set my config.toml to include the https prefix.
sites-enabled/ghm-landing-page
server {
root /var/www/ghm-landing-page/public/;
index index.html index.htm index.nginx-debian.html;
server_name greenhousemarketplace.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/greenhousemarketplace.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/greenhousemarketplace.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = greenhousemarketplace.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server;
server_name greenhousemarketplace.com;
return 404; # managed by Certbot
config.toml
# Site settings
baseurl = "https://www.greenhousemarketplace.com/"
languageCode = "en-us"
title = "Greenhouse Marketplace"
theme = "hugo-highlights-theme"
The Javascript is not loading because you are loading mixed content. The script tags at the bottom of the page should use the https:// scheme.
The CSS is not loading because of a SSL_ERROR_BAD_CERT_DOMAIN error. You have the content loading on www., which is a domain not listed on your certificate. Using your cert issuer, be sure to add both the www. and non-www. domains of your domain.

Laravel Forge - access app by naked IP instead of domain name

I have a laravel app on production (using Laravel Forge and a Digital Ocean droplet).
I'm able to access the app via www.domain.com, but if I try with the server's IP I get a 404 (nginx).
How can I manage to access the app with the IP address?
Thanks a lot for your help
EDIT:
Here is my Nginx config on Laravel Forge:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name domain.com;
root /home/forge/domain.com/public;
...
}
This occurs because nginx searches for a configuration block containing default_server when no matching domain can be found. You can remove the default_server tag for the default(/etc/nginx/enabled-sites/default) and move it the config for the site you want to display by default:
server {
listen 80 default_server;
server_name example.net www.example.net;
...
}
your server block with updated default_server:
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2;
server_name domain.com;
root /home/forge/domain.com/public;
...
}
Be sure to edit the default config to remove the default_server tag before restarting nginx, it is not allowed to have two config blocks with default_server. The config can be verified using nginx -t
more information can be found at the nginx documentation
Why would you want to access your server from the naked ip?
Nginx returns a 404 since it cant find the requested domain on your server.
If you look at your folder structure your project folder corresponds to your site domain. It redirects you towards the right folder based on your domain name.
You could make a default project to show you something like phpinfo() when request trough the ip

Laravel hostname not updating for routes

When I head over to my public DNS and attempt to load an Auth route, it sends me to http://localhost:8080/ExoscapeWebsite/public/login. Inside of my .env file, I have altered the APP_URL to my public DNS:
APP_URL=http://exoscape.co.uk
I am using NGINX to load Laravel by proxy_pass since I couldn't get try_files working so I stuck with using Apache2. My NGINX configuration looks like this:
server {
server_name exoscape.co.uk;
location / {
proxy_pass http://localhost:8080/ExoscapeWebsite/public/;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/exoscape.co.uk/fullchain.pem; # manag$
ssl_certificate_key /etc/letsencrypt/live/exoscape.co.uk/privkey.pem; # man$
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Any ideas on how I could change the hostname in Laravel so it continues with the correct domain?

Resources