rattus
no basic auth from outside network
May 21, 2012 12:40AM
Hi - first post here. I've built an nginx server with SSL and basic
auth. Basic auth works great from within my network but when I try to
come in from outside (via port forwarding on my router) my http pages
work fine, but the protected pages with SSL just hang.

I'm thinking of 2 possibilities:

1) I've messed up something in my nginx.conf, or
2) I'm blocking a port that's needed other than 80 or 443.

Any ideas?

Thanks,

Mike

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,226665,226665#msg-226665

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
rattus
Re: no basic auth from outside network
May 21, 2012 01:00AM
After further testing, it's not the basic auth that's causing the
problem... it's simply trying to access subdirectories from outside.
Makes me think I've messed something up in my nginx.conf:


worker_processes 1;
events {
    worker_connections 64;
}
http {
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-SHA;
    ssl_prefer_server_ciphers on;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_timeout 5m;

    ## Timeouts
    keepalive_timeout 300 300;

    ## General Options
    charset utf-8;
    default_type application/octet-stream;
    ignore_invalid_headers on;
    types {
        text/html html;
        image/gif gif;
        image/jpeg jpg;
    }
    keepalive_requests 20;
    max_ranges 0;
    recursive_error_pages on;
    sendfile on;
    server_tokens off;
    source_charset utf-8;

    ## Request limits
    limit_req_zone $binary_remote_addr zone=fred:1m rate=60r/m;

    ## Compression
    gzip on;
    gzip_static on;
    gzip_vary on;

    ## Log Format (adjacent quoted strings are concatenated by nginx)
    log_format main '$remote_addr $host $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '
                    '$ssl_cipher $request_time';

    ## http .:. redirect to https
    server {
        access_log /var/log/nginx/access.log main buffer=32k;
        error_log /var/log/nginx/error.log error;
        expires 0;
        limit_req zone=fred burst=200 nodelay;
        listen 80;
        root /var/empty;
        rewrite ^ https://192.168.1.100$request_uri permanent;
    }

    ## https .:. (www.)example.com
    server {
        add_header Cache-Control "public";
        add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";
        access_log /var/log/nginx/access.log main buffer=32k;
        error_log /var/log/nginx/error.log error;
        expires max;
        index index.html;
        limit_req zone=fred burst=200 nodelay;
        listen 443;
        root /var/www/htdocs;
        server_name 192.168.1.100;

        ## Basic auth on test
        location / {
        }

        location ^~ /test/ {
            index index.html;
            auth_basic "Admin Login";
            auth_basic_user_file .htpasswd;
        }

        #!!! IMPORTANT !!! We need to hide the password file from prying eyes
        # This will deny access to any hidden file (beginning with a .period)
        location ~ /\. { deny all; }

        ## SSL Certs
        ssl on;
        ssl_session_cache shared:SSL:10m;
        ssl_certificate /home/root/ssl/test.crt;
        ssl_certificate_key /home/root/ssl/test.key;
        ssl_ecdh_curve secp521r1;

        ## Stop Image and Document Hijacking
        location ~* (\.jpg|\.gif|\.png|example\.css)$ {
            if ($http_referer !~ ^(https://192.168.1.100) ) {
                return 404;
            }
        }

        ## All other errors get the generic error page
        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413
                   414 415 416 417 495 496 497 500 501 502 503 504 505 506 507
                   /error_page.html;
        location /example_error_page.html {
            internal;
        }
    }
}

....again, it just hangs accessing subdirectories like "test", while
everything works well from within the local network. The www root
directory index.html serves up fine, even redirected to 443.

TIA,

Mike

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,226665,226666#msg-226666

Steve
Re: no basic auth from outside network
May 21, 2012 03:40AM
-------- Original Message --------
> Date: Sun, 20 May 2012 18:58:53 -0400 (EDT)
> From: "rattus" <[email protected]>
> To: nginx@nginx.org
> Subject: Re: no basic auth from outside network

> After further testing, it's not the basic auth that's causing the
> problem... it's simply trying to access subdirectories from outside.
> Makes me think I've messed something up in my nginx.conf:
>
>
> worker_processes 1;
> events {
>     worker_connections 64;
> }
> http {
>     ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-SHA;
>     ssl_prefer_server_ciphers on;
>     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>     ssl_session_timeout 5m;
>
>     ## Timeouts
>     keepalive_timeout 300 300;
>
>     ## General Options
>     charset utf-8;
>     default_type application/octet-stream;
>     ignore_invalid_headers on;
>     types {
>         text/html html;
>         image/gif gif;
>         image/jpeg jpg;
>     }
>     keepalive_requests 20;
>     max_ranges 0;
>     recursive_error_pages on;
>     sendfile on;
>     server_tokens off;
>     source_charset utf-8;
>
>     ## Request limits
>     limit_req_zone $binary_remote_addr zone=fred:1m rate=60r/m;
>
>     ## Compression
>     gzip on;
>     gzip_static on;
>     gzip_vary on;
>
>     ## Log Format
>     log_format main '$remote_addr $host $remote_user [$time_local] '
>                     '"$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '
>                     '$ssl_cipher $request_time';
>
>     ## http .:. redirect to https
>     server {
>         access_log /var/log/nginx/access.log main buffer=32k;
>         error_log /var/log/nginx/error.log error;
>         expires 0;
>         limit_req zone=fred burst=200 nodelay;
>         listen 80;
>         root /var/empty;
>         rewrite ^ https://192.168.1.100$request_uri permanent;
>
Are you sure you want this rewrite to go from outside (aka: Internet) to an internal (aka: private network) address?


>     }
>
>     ## https .:. (www.)example.com
>     server {
>         add_header Cache-Control "public";
>         add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";
>         access_log /var/log/nginx/access.log main buffer=32k;
>         error_log /var/log/nginx/error.log error;
>         expires max;
>         index index.html;
>         limit_req zone=fred burst=200 nodelay;
>         listen 443;
>         root /var/www/htdocs;
>         server_name 192.168.1.100;
>
>         ## Basic auth on test
>         location / {
>         }
>
>         location ^~ /test/ {
>             index index.html;
>             auth_basic "Admin Login";
>             auth_basic_user_file .htpasswd;
>         }
>
>         #!!! IMPORTANT !!! We need to hide the password file from prying eyes
>         # This will deny access to any hidden file (beginning with a .period)
>         location ~ /\. { deny all; }
>
>         ## SSL Certs
>         ssl on;
>         ssl_session_cache shared:SSL:10m;
>         ssl_certificate /home/root/ssl/test.crt;
>         ssl_certificate_key /home/root/ssl/test.key;
>         ssl_ecdh_curve secp521r1;
>
>         ## Stop Image and Document Hijacking
>         location ~* (\.jpg|\.gif|\.png|example\.css)$ {
>             if ($http_referer !~ ^(https://192.168.1.100) ) {
>                 return 404;
>             }
>         }
>
>         ## All other errors get the generic error page
>         error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413
>                    414 415 416 417 495 496 497 500 501 502 503 504 505 506 507
>                    /error_page.html;
>         location /example_error_page.html {
>             internal;
>         }
>     }
> }
>
> ...again, it just hangs accessing subdirectories like "test", while
> everything works well from within the local network. The www root
> directory index.html serves up fine, even redirected to 443.
>
What? Are you telling me that using your external IP (let's say it is 1.2.3.4) is working properly?

This here works from external? Really?

http://1.2.3.4/ will get redirected to https://192.168.1.100/
http://1.2.3.4/index.html will get redirected to https://192.168.1.100/index.html


You know that 192.168.0.0/16 is a class C private address range that is not routed on the Internet?

IMHO you should rewrite your http config to:

server {
    ....
    rewrite ^ https://$host$request_uri permanent;
    ....
}



And IMHO you should change the server_name in the https part to be:

server_name 192.168.1.100 "";




> TIA,
>
> Mike

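The check that settles the question in this thread, as an added example that is not part of the original posts: request the plain-HTTP URL the way an outside client would and look at the Location header nginx sends back. With the posted config every request is answered with a 301 to https://192.168.1.100/..., and an Internet client cannot reach a 192.168.0.0/16 address, so the browser sits there until it times out; that is the "hang". The script below parses such a response, classifies the redirect target with the standard ipaddress module (private, loopback and link-local literals are flagged; hostnames are not resolved, so it runs offline), and also catches the two related mistakes of redirecting to plain http or losing the requested path. The two sample responses and the public address 1.2.3.4 are constructed for the example (1.2.3.4 is the placeholder used in the reply above), not captured from the poster's server; fetch_redirect is a live probe you can point at your own router's public address. One caveat on the suggested rewrite ^ https://$host$request_uri: $host is taken from the client's Host header, so a client can make the server issue a redirect to any host it names; where the site has a real public name, hard-coding that name (or using $server_name) avoids that.

```python
"""Check an HTTP->HTTPS redirect from the point of view of an external client.

Added example for the thread above, not code from the original posts.
Sample responses below are constructed; 1.2.3.4 is the reply's placeholder
public address, not a real server.
"""
from __future__ import annotations

import http.client
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class RedirectCheck:
    location: Optional[str]
    verdict: str   # "ok", "no-redirect", "not-https", "private-target", "path-dropped"
    detail: str


def classify_host(host: str) -> str:
    """Return 'public', 'private' or 'name' for the host part of a URL.

    IP literals are judged with the ipaddress module; hostnames are not
    resolved (no DNS, so the check stays offline) and come back as 'name'.
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "name"
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified):
        return "private"
    return "public"


def check_redirect(status: int, headers: Dict[str, str], requested_path: str) -> RedirectCheck:
    """Judge a redirect response by what a client on the Internet would see."""
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if status not in (301, 302, 303, 307, 308) or location is None:
        return RedirectCheck(location, "no-redirect", f"status {status} without Location")
    parts = urlsplit(location)
    if parts.scheme != "https":
        return RedirectCheck(location, "not-https", f"scheme is {parts.scheme!r}")
    kind = classify_host(parts.hostname or "")
    if kind == "private":
        return RedirectCheck(location, "private-target",
                             f"{parts.hostname} is not routable from the Internet")
    if parts.path != requested_path:
        return RedirectCheck(location, "path-dropped",
                             f"requested {requested_path!r}, redirected to {parts.path!r}")
    return RedirectCheck(location, "ok", f"redirects to {kind} host {parts.hostname}")


def parse_raw_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response head into (status code, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers


def check_raw(raw: str, requested_path: str) -> RedirectCheck:
    """Convenience wrapper: raw response text -> RedirectCheck."""
    status, headers = parse_raw_response(raw)
    return check_redirect(status, headers, requested_path)


def fetch_redirect(host: str, path: str, port: int = 80,
                   timeout: float = 5.0) -> Tuple[int, Dict[str, str]]:
    """Live probe (needs network): GET the plain-HTTP URL, return status + headers."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


# Constructed sample: what the posted `rewrite ^ https://192.168.1.100$request_uri`
# sends to every client, including one on the Internet.
SAMPLE_BROKEN = ("HTTP/1.1 301 Moved Permanently\r\n"
                 "Server: nginx\r\n"
                 "Location: https://192.168.1.100/test/\r\n"
                 "\r\n")
# Constructed sample: `rewrite ^ https://$host$request_uri` when the client
# connected to the placeholder public address 1.2.3.4.
SAMPLE_FIXED = ("HTTP/1.1 301 Moved Permanently\r\n"
                "Server: nginx\r\n"
                "Location: https://1.2.3.4/test/\r\n"
                "\r\n")

if __name__ == "__main__":
    for label, raw in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        r = check_raw(raw, "/test/")
        print(f"{label:>6}: {r.verdict:15} {r.detail}")
```

To run it against a real setup, replace the constructed samples with `status, headers = fetch_redirect("<your public address>", "/test/")` from a machine outside the LAN (a phone on mobile data is enough) and pass the result to check_redirect; a "private-target" verdict reproduces the thread's symptom exactly.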