I have an Nginx web server running on a CentOS 7 VM with the default site disabled and two server blocks within /etc/nginx/conf.d/mysite.conf:
/etc/nginx/conf.d/mysite.conf
server {
    listen 443 ssl;
    server_name community.mysite.com;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES128+EECDH:AES128+EDH';
    ssl_certificate /media/www/mysite_com/community_cert/community_mysite_com.crt;
    ssl_certificate_key /media/www/mysite_com/community_cert/community_mysite_com.key;
    add_header Strict-Transport-Security "max-age=31536000";
    access_log /media/www/community_mysite_com/requests.log main;
    location / {
        # This proxy forwards to a NodeBB installation running on Node.js
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:4567;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
server {
    listen 80;
    server_name community.mysite.com;
    return 301 https://$host$request_uri;
}
/etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    server_tokens off;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
}
The goal here is that non-HTTPS requests are redirected to HTTPS. The issue seems to be that HTTPS requests are being received on port 80. I believe this to be true because:
- All https page requests result in an infinite loop.
- netstat shows no established connections on port 443.
- netstat shows established connections on port 80.
I have the http and https services allowed in iptables. Ports 443 and 80 are allowed in firewalld. Ports 443 and 80 are forwarded in the network firewall as well.
netstat outputs:
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4128/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4128/nginx: master
tcp 0 0 192.168.1.53:80 111.231.123.11:10471 ESTABLISHED 4129/nginx: worker
tcp 0 0 192.168.1.53:80 111.231.123.11:10116 ESTABLISHED 4129/nginx: worker
tcp 0 0 192.168.1.53:80 111.231.123.11:29768 ESTABLISHED 4129/nginx: worker
tcp 0 0 192.168.1.53:80 111.231.123.11:36415 ESTABLISHED 4129/nginx: worker
tcp 0 0 192.168.1.53:80 111.231.123.11:11619 ESTABLISHED 4129/nginx: worker
tcp 0 0 192.168.1.53:80 111.231.123.11:33847 ESTABLISHED 4129/nginx: worker
iptables output:
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:tram ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:http ctstate NEW
firewalld public zone:
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: dhcpv6-client http https samba ssh
ports: 443/tcp 80/tcp 4567/tcp 80/udp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
How would I go about debugging why Nginx seems to be receiving port 443 requests on port 80? Is there something I may have missed?
I've disabled the reverse proxy by removing it from the server block and it still does the same thing. I've tried multiple web browsers. I've tried clearing the cache in Chrome. I've rebooted the VM.
https://community.mysite.com
-> Redirect loop.
http://community.mysite.com
Redirects to https://community.mysite.com
-> Redirect loop.
https://community.mysite.com:443
-> Redirect loop.
EDIT:
I've installed a different web server, which has the exact same result. My guess is this is either CentOS or ESXi related.
Best Answer
After a day and a half of searching, I found this issue to not be caused by my internal network, nor to be caused by any OS.
I completely forgot I had my DNS routed through CloudFlare which was set to "Flexible" mode for SSL. Setting this to "Full" or "Full (Strict)" fixed this issue.
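The chain the accepted answer describes can be modelled end to end. The following is an added example written for this page, not code from the original post, from nginx or from Cloudflare. It simulates the Cloudflare edge in "Flexible" and "Full" mode in front of the two server blocks from mysite.conf and lets a browser follow the 301s, so it runs offline. The host name and the server-block behaviour come from the post; the mode semantics are as Cloudflare documents them (Flexible: the edge speaks plain HTTP to the origin regardless of what the visitor used; Full and Full (Strict): the edge speaks HTTPS to the origin, Strict additionally validating the origin certificate, which is not modelled). The request limit of five is an assumption.

```python
"""Model of the Cloudflare "Flexible" redirect loop from this thread.

Added example for this page (not from the original post, nginx or Cloudflare).
Edge and origin are simulated in-process; no network access is needed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: Dict[str, str]


@dataclass
class OriginTrace:
    """Origin-side ports hit: what netstat and the access log would show."""
    ports: List[int] = field(default_factory=list)


def origin(scheme: str, host: str, path: str, trace: OriginTrace) -> Response:
    """The two server blocks from the posted mysite.conf.

    listen 80  -> return 301 https://$host$request_uri
    listen 443 -> proxy_pass to NodeBB (modelled here as a plain 200)
    """
    if scheme == "http":
        trace.ports.append(80)
        return Response(301, {"Location": f"https://{host}{path}"})
    trace.ports.append(443)
    return Response(200, {"Content-Type": "text/html"})


def cloudflare_edge(mode: str, scheme: str, host: str, path: str,
                    trace: OriginTrace) -> Response:
    """The proxy between browser and origin, parameterised by the SSL mode."""
    if mode == "flexible":
        upstream_scheme = "http"      # always port 80, even for HTTPS visitors
    elif mode in ("full", "full_strict"):
        upstream_scheme = scheme      # HTTPS visitors reach port 443
    else:
        raise ValueError(f"unknown SSL mode: {mode}")
    return origin(upstream_scheme, host, path, trace)


def fetch(mode: str, url: str,
          max_requests: int = 5) -> Tuple[int, int, OriginTrace]:
    """A browser following 301s through the edge.

    Returns (final_status, requests_made, trace). A final status of 301 after
    max_requests attempts is the redirect loop the browser reports.
    """
    trace = OriginTrace()
    status, made = 0, 0
    while made < max_requests:
        parts = urlsplit(url)
        # $host in nginx is the name without the port, so ":443" is dropped
        resp = cloudflare_edge(mode, parts.scheme, parts.hostname,
                               parts.path or "/", trace)
        made += 1
        status = resp.status
        if status != 301:
            break
        url = resp.headers["Location"]
    return status, made, trace


def is_redirect_loop(mode: str, url: str, max_requests: int = 5) -> bool:
    """True when the browser gives up with the request limit exhausted."""
    status, made, _ = fetch(mode, url, max_requests)
    return status == 301 and made == max_requests


if __name__ == "__main__":
    urls = ("https://community.mysite.com", "http://community.mysite.com",
            "https://community.mysite.com:443")
    for mode in ("flexible", "full"):
        for url in urls:
            status, made, trace = fetch(mode, url)
            print(f"{mode:9} {url:36} -> {status} after {made} request(s), "
                  f"origin ports {trace.ports}")
```

In "flexible" mode every one of the three URLs from the post ends with the request limit exhausted and the origin trace showing nothing but port 80, which matches both the browser's redirect-loop error and the netstat output (several ESTABLISHED connections to 192.168.1.53:80 from a single remote address, the edge, and none to port 443). In "full" mode the HTTPS URL is answered on port 443 on the first request and the HTTP URL takes exactly one 301 before succeeding. Two checks that separate an edge-side cause from an origin-side one on a real host: `dig +short community.mysite.com` returning addresses that are not the site's own public IP, and `curl -sI --resolve community.mysite.com:443:192.168.1.53 https://community.mysite.com/` (run from the LAN) returning 200 while the public URL loops, since `--resolve` bypasses the edge entirely. Two caveats worth keeping in mind after the switch: "Flexible" left the edge-to-origin leg in plaintext even though visitors saw a padlock, and only "Full (Strict)" actually validates the origin certificate; and the posted 443 block still offers TLSv1 and TLSv1.1, which a modern profile would drop.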