https for nginx


chris ohearne

Sep 17, 2021, 10:44:05 AM
to NetBox
Hi, 

Hoping someone can help with HTTPS for NetBox, either direct or redirect. I have followed the NetBox guide but I cannot get HTTPS to work, only HTTP.

netbox version 3.0.2

steps taken:
  • generated ssl keys as per instructions
  • changed example.com to my server IP address in nginx.conf
  • copied nginx.conf from netbox contrib into nginx sites-available
  • symlinked sites-available to sites-enabled
  • I was unable to delete the default file as it did not exist
  • (I have not removed '*' in my config.py file, as when I add my server IP I get a 400 error code)
Below is nginx.conf:

[netbox@netbox netbox]$ pwd
/etc/nginx/sites-enabled/netbox/netbox
[netbox@netbox netbox]$ cat nginx.conf
server {
    listen [::]:443 ssl ipv6only=off;

    # CHANGE THIS TO YOUR SERVER'S NAME
    server_name 10.44.193.136;

    ssl_certificate /etc/ssl/certs/netbox.crt;
    ssl_certificate_key /etc/ssl/private/netbox.key;

    client_max_body_size 25m;

    location /static/ {
        alias /opt/netbox/netbox/static/;
    }

    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    # Redirect HTTP traffic to HTTPS
    listen [::]:80 ipv6only=off;
    server_name 10.44.193.136;
    return 301 https://$host$request_uri;
}

Thanks 

Chris

Brian Candler

Sep 19, 2021, 11:05:30 AM
to NetBox
What do you mean by "I cannot get https to work"? For example, you might mean:
- nginx fails to start (in which case, what error do you see?)
- nginx starts, but does not accept connections on port 443 (what do you see?)
- nginx starts, accepts SSL connections on port 443, but you don't see the page you expect (what do you see instead?)
- ... etc

What does
show?

How did you generate /etc/ssl/certs/netbox.crt and /etc/ssl/certs/netbox.key ?

Note: you should not use an IP address (especially a private one) as the server name.  Use a real DNS name, under a domain you control - e.g. "netbox.mydomain.com".  Then you will be able to get a valid certificate for it, using LetsEncrypt or a commercial CA.

(Technically, if you run your own certificate authority then you *can* issue your own certificate with an IP address instead of a DNS name as the SubjectAltName, but you really don't want to be doing this.  No external CA will do this for you.)
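
The cases listed in the reply above (nothing listening on 443, a listener that does not complete TLS, TLS that works but with a certificate clients will not trust for the name used) can be told apart from a client machine with a staged probe. This is an added example, not part of the original thread or of NetBox; the function name probe_https and its stage labels are made up for the illustration.

```python
import socket
import ssl


def probe_https(host, port=443, timeout=3.0):
    """Return (stage, detail) describing how far an HTTPS connection gets.

    Stages: "no_listener", "tls_failed", "cert_untrusted", "ok".
    """
    # Stage 1: is anything accepting TCP connections on the port?
    # A refused connection is also what you see when nginx failed to start.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "no_listener", str(exc)
    raw.close()

    # Stage 2: does the listener speak TLS at all? Verification is switched
    # off here on purpose so a self-signed certificate still handshakes.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with lax.wrap_socket(sock, server_hostname=host) as tls:
                version = tls.version()
    except (ssl.SSLError, OSError) as exc:
        return "tls_failed", str(exc)

    # Stage 3: would a normal client trust the certificate for this name?
    # Fails for self-signed certificates and for names/IPs not in the SAN.
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with strict.wrap_socket(sock, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as exc:
        return "cert_untrusted", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "tls_failed", str(exc)
    return "ok", version


if __name__ == "__main__":
    # 10.44.193.136 is the server address from the first post.
    print(probe_https("10.44.193.136"))
```

A result of "cert_untrusted" means nginx and TLS are working and only the certificate is the problem, which is the situation the note about DNS names and SubjectAltName addresses.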