Still the same issue, https not redirecting to azure for authentication. Only http redirects.
On Thu, Nov 26, 2020 at 11:47 AM HARISH KUMAR Ivaturi <[email protected]> wrote:

> Try with TLSv1.2
>
> TLSv1.3 is for http3.
>
> On Thu 26 Nov, 2020, 7:09 AM Pavan P, <[email protected]> wrote:
>
>> Still the same problem, enabled ssl_protocols TLSv1.3;
>>
>> Is there any issue with my configuration? With the below configuration,
>> http://ci1.altlifelab.com redirects to the authentication page, but
>> https does not, it will directly go to the application without
>> authentication.
>>
>> server {
>>     server_name ci1.altlifelab.com;
>>
>>     location / {
>>         proxy_set_header Host $host:$server_port;
>>         proxy_set_header X-Real-IP $remote_addr;
>>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>         proxy_set_header X-Forwarded-Proto $scheme;
>>
>>         # Fix the "It appears that your reverse proxy set up is broken" error.
>>         proxy_pass http://127.0.0.1:9080;
>>         proxy_read_timeout 90;
>>
>>         proxy_redirect http://127.0.0.1:9080 http://www.ci1.altlifelab.com;
>>
>>         # Required for new HTTP-based CLI
>>         proxy_http_version 1.1;
>>         proxy_request_buffering off;
>>         # workaround for https://issues.jenkins-ci1.org/browse/JENKINS-45651
>>         add_header 'X-SSH-Endpoint' 'ci1.altlifelab.com:50022' always;
>>     }
>>
>>     listen 443 ssl; # managed by Certbot
>>     ssl_certificate /etc/letsencrypt/live/ci1.altlifelab.com/fullchain.pem; # managed by Certbot
>>     ssl_certificate_key /etc/letsencrypt/live/ci1.altlifelab.com/privkey.pem; # managed by Certbot
>>     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>>     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>>     ssl_protocols TLSv1.3;
>> }
>>
>> server {
>>     if ($host = ci1.altlifelab.com) {
>>         # return 301 https://$host$request_uri;
>>         return 301 https://myapps.microsoft.com/signin/ci2/a825dd26-fed2-4423-ae69-6a7d457b4b44?tenantId=eb9970cc-4803-4f6a-9ad2-e9b46042c5fd;
>>     } # managed by Certbot
>>
>>     listen 80;
>>     server_name ci1.altlifelab.com;
>>     return 404; # managed by Certbot
>> }
>>
>> On Thu, Nov 26, 2020 at 11:24 AM Pavan P <[email protected]> wrote:
>>
>>> Hi Harish,
>>> But the issue I'm facing is different, when I try
>>> http://ci1.altlifelab.com it works fine, when I use
>>> https://ci1.altlifelab.com the url does not redirect to auth.
>>>
>>> On Thu, Nov 26, 2020 at 11:12 AM HARISH KUMAR Ivaturi <[email protected]> wrote:
>>>
>>>> Once try this.
>>>>
>>>> https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
>>>>
>>>> And configure again with auth proxy module
>>>>
>>>> On Thu 26 Nov, 2020, 6:17 AM Pavan P, <[email protected]> wrote:
>>>>
>>>>> Yes Harish, Certificate is working fine.
>>>>>
>>>>> root@ip-172-31-33-18:~# nginx -V
>>>>> nginx version: nginx/1.10.3 (Ubuntu)
>>>>> built with OpenSSL 1.0.2g 1 Mar 2016
>>>>> TLS SNI support enabled
>>>>> configure arguments: --with-cc-opt='-g -O2 -fPIE
>>>>> -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
>>>>> -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie
>>>>> -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx
>>>>> --conf-path=/etc/nginx/nginx.conf
>>>>> --http-log-path=/var/log/nginx/access.log
>>>>> --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock
>>>>> --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body
>>>>> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
>>>>> --http-proxy-temp-path=/var/lib/nginx/proxy
>>>>> --http-scgi-temp-path=/var/lib/nginx/scgi
>>>>> --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
>>>>> --with-ipv6 --with-http_ssl_module --with-http_stub_status_module
>>>>> --with-http_realip_module --with-http_auth_request_module
>>>>> --with-http_addition_module --with-http_dav_module
>>>>> --with-http_geoip_module
>>>>> --with-http_gunzip_module --with-http_gzip_static_module
>>>>> --with-http_image_filter_module --with-http_v2_module
>>>>> --with-http_sub_module --with-http_xslt_module --with-stream
>>>>> --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads
>>>>> (base) root@ip-172-31-33-18:~#
>>>>>
>>>>> On Thu, Nov 26, 2020 at 10:43 AM HARISH KUMAR Ivaturi <[email protected]> wrote:
>>>>>
>>>>>> 1) once type nginx -V and send the output.
>>>>>>
>>>>>> 2) certificate - certificate.cert
>>>>>> Certificate_key - certificate.key
>>>>>>
>>>>>> Once recheck the certs section and make sure that you have generated
>>>>>> the certificates with openssl properly.
>>>>>>
>>>>>> BR
>>>>>> Harish Kumar
>>>>>>
>>>>>> On Thu 26 Nov, 2020, 5:27 AM Pavan P, <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Harish,
>>>>>>> Below is the config of my nginx. Https module is configured fine.
>>>>>>> Please let me know if I have missed anything.
>>>>>>>
>>>>>>> server {
>>>>>>>     server_name ci1.altlifelab.com;
>>>>>>>
>>>>>>>     location / {
>>>>>>>         proxy_set_header Host $host:$server_port;
>>>>>>>         proxy_set_header X-Real-IP $remote_addr;
>>>>>>>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>>>>>>         proxy_set_header X-Forwarded-Proto $scheme;
>>>>>>>
>>>>>>>         # Fix the "It appears that your reverse proxy set up is broken" error.
>>>>>>>         proxy_pass http://127.0.0.1:9080;
>>>>>>>         proxy_read_timeout 90;
>>>>>>>
>>>>>>>         proxy_redirect http://127.0.0.1:9080 http://www.ci1.altlifelab.com;
>>>>>>>
>>>>>>>         # Required for new HTTP-based CLI
>>>>>>>         proxy_http_version 1.1;
>>>>>>>         proxy_request_buffering off;
>>>>>>>         # workaround for https://issues.jenkins-ci1.org/browse/JENKINS-45651
>>>>>>>         add_header 'X-SSH-Endpoint' 'ci1.altlifelab.com:50022' always;
>>>>>>>     }
>>>>>>>
>>>>>>>     listen 443 ssl; # managed by Certbot
>>>>>>>     ssl_certificate /etc/letsencrypt/live/ci1.altlifelab.com/fullchain.pem; # managed by Certbot
>>>>>>>     ssl_certificate_key /etc/letsencrypt/live/ci1.altlifelab.com/privkey.pem; # managed by Certbot
>>>>>>>     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>>>>>>>     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>>>>>>> }
>>>>>>>
>>>>>>> server {
>>>>>>>     if ($host = ci1.altlifelab.com) {
>>>>>>>         # return 301 https://$host$request_uri;
>>>>>>>         return 301 https://myapps.microsoft.com/signin/ci2/a825dd26-fed2-4423-ae69-6a7d457b4b44?tenantId=eb9970cc-4803-4f6a-9ad2-e9b46042c5fd;
>>>>>>>     } # managed by Certbot
>>>>>>>
>>>>>>>     listen 80;
>>>>>>>     server_name ci1.altlifelab.com;
>>>>>>>     return 301 https://myapps.microsoft.com/signin/ci2/a825dd26-fed2-4423-ae69-6a7d457b4b44?tenantId=eb9970cc-4803-4f6a-9ad2-e9b46042c5fd;
>>>>>>> }
>>>>>>>
>>>>>>> On Thu, Nov 26, 2020 at 5:04 AM HARISH KUMAR Ivaturi <[email protected]> wrote:
>>>>>>>
>>>>>>>> I am not sure if you have configured nginx with https_module. Once
>>>>>>>> try that. And also add proper headers in the nginx.conf like
>>>>>>>>
>>>>>>>> Listen 443 ssl;
>>>>>>>> Certificates location
>>>>>>>>
>>>>>>>> BR
>>>>>>>> Harish Kumar
>>>>>>>>
>>>>>>>> On Wed 25 Nov, 2020, 3:53 PM Pavan P, <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> I have configured nginx to authenticate with Azure AD for login.
>>>>>>>>>
>>>>>>>>> When I access the site abc.example.com it redirects to Azure for
>>>>>>>>> authentication and redirects me back once the authentication is
>>>>>>>>> complete.
>>>>>>>>>
>>>>>>>>> However, when I try to access the site with https abc.example.com
>>>>>>>>> it does not redirect for authentication.
>>>>>>>>>
>>>>>>>>> Is there any way I can get both http and https to redirect for
>>>>>>>>> Azure auth?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Pavan
_______________________________________________
nginx-devel mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx-devel
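
Added example, not part of the thread or any poster's configuration: in the quoted config the redirect to the Azure sign-in page exists only in the port 80 server block, while the port 443 block proxies straight to 127.0.0.1:9080, so one way to enforce sign-in on HTTPS is the auth_request module that the nginx -V output shows compiled in. Assumptions: an OIDC auth service (for example oauth2-proxy registered in Azure AD) listening on 127.0.0.1:4180, with /oauth2/auth and /oauth2/start as its check and sign-in paths.

```nginx
# Added example, not the poster's config. Assumed: an OIDC auth service
# (e.g. oauth2-proxy) on 127.0.0.1:4180 exposing /oauth2/auth and /oauth2/start.

# Port 80 only upgrades to HTTPS; no access decision is made here.
server {
    listen 80;
    server_name ci1.altlifelab.com;
    return 301 https://$host$request_uri;
}

# Port 443 checks every request before it reaches the backend.
server {
    listen 443 ssl;
    server_name ci1.altlifelab.com;
    ssl_certificate     /etc/letsencrypt/live/ci1.altlifelab.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ci1.altlifelab.com/privkey.pem;

    # Sign-in, callback and sign-out endpoints of the auth service (assumed paths).
    location /oauth2/ {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Subrequest target: 2xx means signed in, 401 means not signed in.
    location = /oauth2/auth {
        internal;
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass_request_body off;          # the check needs headers only
        proxy_set_header Content-Length "";
    }

    # Unauthenticated browsers are sent to sign-in, then back to the original URL.
    location @signin {
        return 302 /oauth2/start?rd=$scheme://$host$request_uri;
    }

    location / {
        auth_request /oauth2/auth;
        error_page 401 = @signin;

        proxy_pass http://127.0.0.1:9080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After `nginx -t` and a reload, a request to https://ci1.altlifelab.com/ without a session cookie should get a 302 whose Location points at /oauth2/start instead of the application's response.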
