Nginx reverse proxy works fine with Safari and Firefox but doesn't work with Chrome

I use Nginx as a reverse proxy to forward my HTTPS requests to a backend server (which runs over HTTP on port 7654 on the same server). Everything works well in Safari and Firefox, but Chrome throws an error.

Chrome Error: net::ERR_CERT_AUTHORITY_INVALID

Below is my nginx.conf file. BTW, it also works fine when I use the IP address instead of the domain name in Chrome. How can I fix this problem?

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  mydomain.name.lan;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/tls/certs/crt.crt";
        ssl_certificate_key "/etc/pki/tls/private/key.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
                try_files $uri $uri/ /index.html;
        }

        location /app/v1/ {
                proxy_pass http://localhost:7654;
                proxy_set_header Host  $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto https;
        }

    }
周天钜 asked Nov 27 '25 23:11


1 Answer

I can give you an example of a working config, which works for all browsers (currently the latest releases), which we use at our company. TL;DR of the story behind it: we have a Docker Swarm deployment, but we have an entry-point Nginx which runs on the host, and another Nginx inside a container which then redirects traffic to specific API gateways and so on.

We are going to focus on that first-level Nginx (the one on the host), which actually does all the SSL checks and so on. We use HTTP inside Docker (between pods & containers).

Working example for Linux:

    server_tokens off;

    server {

        listen 443 http2 ssl;

        server_name development.docker.company.si;

        add_header Strict-Transport-Security "max-age=31536000" always;

        proxy_buffering off;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;

        set $upstream_local_docker_proxy 10.10.0.2; # static location of inner nginx

        ssl_certificate /etc/tls/si.company.docker.development-chain.crt;
        ssl_certificate_key /etc/tls/si.company.docker.development-unencrypted.key;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
        ssl_protocols TLSv1.2 TLSv1.3;

        # here we just have /url-location-level-routing/, in case you want to know
        location /my-application-demo/ {
            proxy_pass http://$upstream_local_docker_proxy;
            proxy_set_header Host local.docker.company-my-application-demo;
            rewrite ^/my-application-demo/(.*) /$1 break;
        }
    }

For the specific case you have, I have a Windows config; all you need to do is change the Windows paths of the certs to Linux paths and it should work:

    worker_processes  1;

    events {
        worker_connections  1024;
    }

    http {
        include       mime.types;
        default_type  application/octet-stream;
        sendfile        on;

        upstream local-company1-api {
            server localhost:5000;
        }

        server {

            listen 443 http2 ssl;

            server_name company1.company.si;

            add_header Strict-Transport-Security "max-age=31536000" always;

            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;

            ssl_certificate C:\\tls\\si.company.company1-chain.pem;
            ssl_certificate_key C:\\tls\\si.company.company1-unencrypted.pem;
            ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
            ssl_prefer_server_ciphers off;
            ssl_protocols TLSv1.2 TLSv1.3;

            # ----------------------------------------------------------------------------------------------------

            location / {
                proxy_pass http://local-company1-api/;
                proxy_redirect off;
            }
        }
    }

I hope any of this helps.

matic1123 answered Nov 29 '25 16:11