I have a node application having its front end deployed in Nginx http web server and the back end (molecular microservices) in node server both on an AWS ec2 Linux VM. the application URL is essentially this Linux server hostname or public ipv4 address (http://hostname:80 or http://ipv4:8080 ) now, since this URL was insecure, I thought to secure it using SSL, and to be able to do that, I purchased a domain name from cloudns.net and pointed it back to my ec2 instance's public ipv4. now, I got an SSL certificate installed in the Nginx server using certbot and letsencrpt.org and now my login page has https in it and SSL certificate is showing correctly (https://host.mypurchaseddomainname). Now, when I try to sign in to my application by passing credentials, it doesn't let me in and upon checking using the inspect elements (i am using chrome), the request URL returns nothing and the error is ERR_CONNECTION_CLOSED. this request URL is a post method that is making the request on 8082 port. the request URL looks like this: https://hostname:8082/v1/auth/signin Another thing to mention here is, before installing SSL, the application's endpoint URL could be appended with port number 80, 8080 and upon entering, it would eventually become just the hostname (http://hostname/signin?) but after SSL installation, if I append anything to the https URL (like https://mypurchasedhostname:8080), it throws an error: the site can't be reached and this is apparently the same thing happening with the request URL for sign-in. although these ports (80,8080) when given with http://hostname eventually become https://hostname/somewelcometext and the sign-in page opens.
I am not sure if its a server configuration issue or something needs to be changed in the back end also. please note that my login request URL previously had http in it which I changed to https from the back end to avoid mix content error. Below are the nginx.conf file before and after I added SSL configuration.
NO SSL:
sudo vim /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
#Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
listen 8080 default_server;
server_name mypurchasedhostname;
root /usr/share/nginx/html;
index index.html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
try_files $uri $uri/ /index.html;
add_header Cache-Control 'no-cache';
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}}
With SSL:
sudo vim /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
listen 8080 default_server;
server_name mypurchasedhostname;
# root /usr/share/nginx/html;
# index index.html;
return 301 https://$host$request_uri;
}
#SSL settings
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mypurchasedhostname;
root /usr/share/nginx/html;
index index.html;
ssl_certificate /etc/letsencrypt/live/mypurchasedhostname/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mypurchasedhostname/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
# ssl_dhparam /path/to/dhparam;
# intermediate configuration
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
# ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# replace with the IP address of your resolver
resolver 8.8.8.8;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
try_files $uri $uri/ /index.html;
add_header Cache-Control 'no-cache';
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}