Try with TLSv1.2. TLSv1.3 is for http3.

On Thu 26 Nov, 2020, 7:09 AM Pavan P, <[email protected]> wrote:

> Still the same problem, enabled ssl_protocols TLSv1.3;
>
> Is there any issue with my configuration? With the below configuration,
> http://ci1.altlifelab.com redirects to the authentication page, but https
> does not, it will directly go to the application without authentication.
>
> server {
>     server_name ci1.altlifelab.com;
>
>     location / {
>         proxy_set_header Host $host:$server_port;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>
>         # Fix the "It appears that your reverse proxy set up is broken" error.
>         proxy_pass http://127.0.0.1:9080;
>         proxy_read_timeout 90;
>
>         proxy_redirect http://127.0.0.1:9080 http://www.ci1.altlifelab.com;
>
>         # Required for new HTTP-based CLI
>         proxy_http_version 1.1;
>         proxy_request_buffering off;
>         # workaround for https://issues.jenkins-ci1.org/browse/JENKINS-45651
>         add_header 'X-SSH-Endpoint' 'ci1.altlifelab.com:50022' always;
>     }
>
>     listen 443 ssl; # managed by Certbot
>     ssl_certificate /etc/letsencrypt/live/ci1.altlifelab.com/fullchain.pem; # managed by Certbot
>     ssl_certificate_key /etc/letsencrypt/live/ci1.altlifelab.com/privkey.pem; # managed by Certbot
>     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>     ssl_protocols TLSv1.3;
> }
>
> server {
>     if ($host = ci1.altlifelab.com) {
>         # return 301 https://$host$request_uri;
>         return 301 https://myapps.microsoft.com/signin/ci2/a825dd26-fed2-4423-ae69-6a7d457b4b44?tenantId=eb9970cc-4803-4f6a-9ad2-e9b46042c5fd;
>     } # managed by Certbot
>
>     listen 80;
>     server_name ci1.altlifelab.com;
>     return 404; # managed by Certbot
> }
>
> On Thu, Nov 26, 2020 at 11:24 AM Pavan P <[email protected]> wrote:
>
>> Hi Harish,
>> But the issue I'm facing is different, when I try
>> http://ci1.altlifelab.com it works fine, when I use
>> https://ci1.altlifelab.com the url does not redirect to auth.
>>
>> On Thu, Nov 26, 2020 at 11:12 AM HARISH KUMAR Ivaturi <[email protected]> wrote:
>>
>>> Once try this.
>>>
>>> https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
>>>
>>> And configure again with auth proxy module
>>>
>>> On Thu 26 Nov, 2020, 6:17 AM Pavan P, <[email protected]> wrote:
>>>
>>>> Yes Harish, Certificate is working fine.
>>>>
>>>> root@ip-172-31-33-18:~# nginx -V
>>>> nginx version: nginx/1.10.3 (Ubuntu)
>>>> built with OpenSSL 1.0.2g 1 Mar 2016
>>>> TLS SNI support enabled
>>>> configure arguments: --with-cc-opt='-g -O2 -fPIE
>>>> -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
>>>> -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie
>>>> -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx
>>>> --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log
>>>> --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock
>>>> --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body
>>>> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
>>>> --http-proxy-temp-path=/var/lib/nginx/proxy
>>>> --http-scgi-temp-path=/var/lib/nginx/scgi
>>>> --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
>>>> --with-ipv6 --with-http_ssl_module --with-http_stub_status_module
>>>> --with-http_realip_module --with-http_auth_request_module
>>>> --with-http_addition_module --with-http_dav_module --with-http_geoip_module
>>>> --with-http_gunzip_module --with-http_gzip_static_module
>>>> --with-http_image_filter_module --with-http_v2_module
>>>> --with-http_sub_module --with-http_xslt_module --with-stream
>>>> --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads
>>>> (base) root@ip-172-31-33-18:~#
>>>>
>>>> On Thu, Nov 26, 2020 at 10:43 AM HARISH KUMAR Ivaturi <[email protected]> wrote:
>>>>
>>>>> 1) once type nginx -V and send the output.
>>>>>
>>>>> 2) certificate - certificate.cert
>>>>> Certificate_key - certificate.key
>>>>>
>>>>> Once recheck the certs section and make sure that you have generated
>>>>> with certificates with openssl properly.
>>>>>
>>>>> BR
>>>>> Harish Kumar
>>>>>
>>>>> On Thu 26 Nov, 2020, 5:27 AM Pavan P, <[email protected]> wrote:
>>>>>
>>>>>> Hi Harish,
>>>>>> Below is the config of my nginx. Https module is configured fine.
>>>>>> Please let me know if I have missed anything.
>>>>>>
>>>>>> server {
>>>>>>     server_name ci1.altlifelab.com;
>>>>>>
>>>>>>     location / {
>>>>>>         proxy_set_header Host $host:$server_port;
>>>>>>         proxy_set_header X-Real-IP $remote_addr;
>>>>>>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>>>>>         proxy_set_header X-Forwarded-Proto $scheme;
>>>>>>
>>>>>>         # Fix the "It appears that your reverse proxy set up is broken" error.
>>>>>>         proxy_pass http://127.0.0.1:9080;
>>>>>>         proxy_read_timeout 90;
>>>>>>
>>>>>>         proxy_redirect http://127.0.0.1:9080 http://www.ci1.altlifelab.com;
>>>>>>
>>>>>>         # Required for new HTTP-based CLI
>>>>>>         proxy_http_version 1.1;
>>>>>>         proxy_request_buffering off;
>>>>>>         # workaround for https://issues.jenkins-ci1.org/browse/JENKINS-45651
>>>>>>         add_header 'X-SSH-Endpoint' 'ci1.altlifelab.com:50022' always;
>>>>>>     }
>>>>>>
>>>>>>     listen 443 ssl; # managed by Certbot
>>>>>>     ssl_certificate /etc/letsencrypt/live/ci1.altlifelab.com/fullchain.pem; # managed by Certbot
>>>>>>     ssl_certificate_key /etc/letsencrypt/live/ci1.altlifelab.com/privkey.pem; # managed by Certbot
>>>>>>     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>>>>>>     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>>>>>> }
>>>>>>
>>>>>> server {
>>>>>>     if ($host = ci1.altlifelab.com) {
>>>>>>         # return 301 https://$host$request_uri;
>>>>>>         return 301 https://myapps.microsoft.com/signin/ci2/a825dd26-fed2-4423-ae69-6a7d457b4b44?tenantId=eb9970cc-4803-4f6a-9ad2-e9b46042c5fd;
>>>>>>     } # managed by Certbot
>>>>>>
>>>>>>     listen 80;
>>>>>>     server_name ci1.altlifelab.com;
>>>>>>     return 301 https://myapps.microsoft.com/signin/ci2/a825dd26-fed2-4423-ae69-6a7d457b4b44?tenantId=eb9970cc-4803-4f6a-9ad2-e9b46042c5fd;
>>>>>> }
>>>>>>
>>>>>> On Thu, Nov 26, 2020 at 5:04 AM HARISH KUMAR Ivaturi <[email protected]> wrote:
>>>>>>
>>>>>>> I am not sure if you have configured nginx with https_module. Once
>>>>>>> try that. And also add proper headers in the nginx.conf like
>>>>>>>
>>>>>>> Listen 443 ssl;
>>>>>>> Certificates location
>>>>>>>
>>>>>>> BR
>>>>>>> Harish Kumar
>>>>>>>
>>>>>>> On Wed 25 Nov, 2020, 3:53 PM Pavan P, <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I have configured nginx to authenticate with azure AD for login.
>>>>>>>>
>>>>>>>> When I access the site abc.example.com it redirects to Azure for
>>>>>>>> authentication and redirects me back once the authentication is
>>>>>>>> complete.
>>>>>>>>
>>>>>>>> However when I try to access the site with https abc.example.com
>>>>>>>> it does not redirect for authentication.
>>>>>>>>
>>>>>>>> Is there any way I can get both http and https to redirect for azure
>>>>>>>> auth.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Pavan

_______________________________________________
nginx-devel mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx-devel
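
Added example, not part of the thread: in the configuration quoted above only the port-80 server block returns the redirect to the Azure sign-in URL, while the 443 block proxies to 127.0.0.1:9080 with no access-control directive, so HTTPS requests reach the application unauthenticated. One way to enforce the check on the HTTPS server is `auth_request`, which the linked subrequest-authentication guide covers and which the quoted `nginx -V` output shows is compiled in; the authentication service at 127.0.0.1:4180 and the `/auth/` paths are hypothetical.

```nginx
# Added example. The auth service at 127.0.0.1:4180 and the /auth/ paths
# are hypothetical; it is assumed to answer 2xx or 401 on /auth/check.
server {
    listen 443 ssl;
    server_name ci1.altlifelab.com;
    ssl_certificate     /etc/letsencrypt/live/ci1.altlifelab.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ci1.altlifelab.com/privkey.pem;
    include     /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        auth_request /auth/check;      # subrequest must return 2xx to proceed
        error_page 401 = @signin;      # unauthenticated: start the login flow

        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:9080;
    }

    location = /auth/check {
        internal;                      # clients cannot call this directly
        proxy_pass http://127.0.0.1:4180;
        proxy_pass_request_body off;   # the check only needs headers and cookies
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location /auth/ {
        # No auth_request here, so the login endpoints stay reachable.
        proxy_pass http://127.0.0.1:4180;
    }

    location @signin {
        return 302 https://$host/auth/start;
    }
}

server {
    listen 80;
    server_name ci1.altlifelab.com;
    # Plain HTTP goes to the HTTPS server, where the check is enforced.
    return 301 https://$host$request_uri;
}
```

Running `nginx -t` before reloading checks the syntax of the edited configuration.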
