
I'm running nginx bundled with GitLab, and it has an SSL cert, but the SSL cert is only for the public domain, so now nginx won't accept traffic that isn't encrypted, and because of this I can't access my server from the local network (which is my home network). Is there a way that I can change this so that nginx will accept unencrypted traffic only on the local network?

EDIT: Similar to this question.

Here is my nginx config:

user gitlab-www gitlab-www;
worker_processes 4;
error_log stderr;
pid nginx.pid;

daemon off;

events {
  worker_connections 10240;
}

http {
  log_format gitlab_access '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
  log_format gitlab_ci_access '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
  log_format gitlab_mattermost_access '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;

  keepalive_timeout 65;

  gzip on;
  gzip_http_version 1.0;
  gzip_comp_level 2;
  gzip_proxied any;
  gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json;

  include /opt/gitlab/embedded/conf/mime.types;

  include /var/opt/gitlab/nginx/conf/gitlab-http.conf;
}

Here is the gitlab-http config:

upstream gitlab {
  server unix:/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket fail_timeout=0;
}

upstream gitlab-workhorse {
  server unix:/var/opt/gitlab/gitlab-workhorse/socket;
}

## Redirects all HTTP traffic to the HTTPS host
server {
  listen 0.0.0.0:80;
  listen [::]:80;
  server_name git.team2roblox.tk;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://git.team2roblox.tk:443$request_uri;
  access_log  /var/log/gitlab/nginx/gitlab_access.log gitlab_access;
  error_log   /var/log/gitlab/nginx/gitlab_error.log;
}

server {
  listen 0.0.0.0:443 ssl spdy;
  listen [::]:443 ssl spdy;

  server_name git.team2roblox.tk;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  root /opt/gitlab/embedded/service/gitlab-rails/public;

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  client_max_body_size 250m;

  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl on;
  ssl_certificate /etc/gitlab/ssl/cert.pem;
  ssl_certificate_key /etc/gitlab/ssl/fullchain.pem;

  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
  ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_cache  builtin:1000  shared:SSL:10m;
  ssl_session_timeout  5m;

  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/gitlab/nginx/gitlab_access.log gitlab_access;
  error_log   /var/log/gitlab/nginx/gitlab_error.log;

  location / {
    ## Serve static files from defined root folder.
    ## @gitlab is a named location for the upstream fallback, see below.
    try_files $uri /index.html $uri.html @gitlab;
  }

  location /uploads/ {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   https;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;

    proxy_pass http://gitlab;
  }

  ## If a file, which is not found in the root folder is requested,
  ## then the proxy passes the request to the upstream (gitlab unicorn).
  location @gitlab {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   https;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;

    proxy_pass http://gitlab;
  }

  location ~ ^/[\w\.-]+/[\w\.-]+/gitlab-lfs/objects {
    client_max_body_size 0;
    # 'Error' 418 is a hack to re-use the @gitlab-workhorse block
    error_page 418 = @gitlab-workhorse;
    return 418;
  }

  location ~ ^/[\w\.-]+/[\w\.-]+/(info/refs|git-upload-pack|git-receive-pack)$ {
    client_max_body_size 0;
    # 'Error' 418 is a hack to re-use the @gitlab-workhorse block
    error_page 418 = @gitlab-workhorse;
    return 418;
  }

  location ~ ^/[\w\.-]+/[\w\.-]+/repository/archive {
    client_max_body_size 0;
    # 'Error' 418 is a hack to re-use the @gitlab-workhorse block
    error_page 418 = @gitlab-workhorse;
    return 418;
  }

  location ~ ^/api/v3/projects/.*/repository/archive {
    client_max_body_size 0;
    # 'Error' 418 is a hack to re-use the @gitlab-workhorse block
    error_page 418 = @gitlab-workhorse;
    return 418;
  }

  # Build artifacts should be submitted to this location
  location ~ ^/[\w\.-]+/[\w\.-]+/builds/download {
    client_max_body_size 0;
    # 'Error' 418 is a hack to re-use the @gitlab-workhorse block
    error_page 418 = @gitlab-workhorse;
    return 418;
  }

  # Build artifacts should be submitted to this location
  location ~ /ci/api/v1/builds/[0-9]+/artifacts {
    client_max_body_size 0;
    # 'Error' 418 is a hack to re-use the @gitlab-workhorse block
    error_page 418 = @gitlab-workhorse;
    return 418;
  }

  location @gitlab-workhorse {
    client_max_body_size 0;
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   https;

    proxy_pass http://gitlab-workhorse;
  }

  ## Enable gzip compression as per rails guide:
  ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
  ## WARNING: If you are using relative urls remove the block below
  ## See config/application.rb under "Relative url support" for the list of
  ## other files that need to be changed for relative url support
  location ~ ^/(assets)/ {
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    gzip_static on; # to serve pre-gzipped version
    expires max;
    add_header Cache-Control public;
  }

  error_page 502 /502.html;
}
chabad360

1 Answer


Take a look at iptables or whatever firewall you have. This may possibly be different if you're using a different OS.

On the NGINX server (assuming you're using a Linux derivative), use iptables to allow network-only connections and block any other connections. The first entry below is the local network CIDR range, which might be different for your network. The second is the loopback address. The last entry is for everything else.

iptables -A INPUT -p tcp --dport 80 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
tjg184
  • errm, my firewall opens to all connections and I know for a fact that my issue has to do with nginx as, in [the gitlab nginx docs](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md) it says that once enabled for https, nginx will stop listening for unencrypted http traffic, so quite clearly nginx is ignoring my http requests. Now if I could, I'd probably down vote this answer, because of the above mentioned. – chabad360 Dec 14 '15 at 03:10
  • Can you post your nginx configuration then? – tjg184 Dec 14 '15 at 14:01
  • I know nginx can be configured to listen on both. Check this out: http://nginx.org/en/docs/http/configuring_https_servers.html#single_http_https_server – tjg184 Dec 14 '15 at 14:05
  • I put my config in the question, also I need it to accept unencrypted traffic on port 80 not just listen. – chabad360 Dec 14 '15 at 21:01
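The behaviour the question asks for, written as an added example that is not from the question, the answer or GitLab's shipped template: the port-80 server block from gitlab-http.conf is changed so that clients from the home LAN are proxied to GitLab over plain HTTP, while every other client still gets the 301 to HTTPS, using nginx's geo module instead of a host firewall. It assumes the 192.168.0.0/24 LAN range from the answer and covers only the Rails upstream; the git-over-HTTP locations that go to @gitlab-workhorse would need the same treatment.

```nginx
## Added example, not the original config. Needs ngx_http_geo_module.
## $lan_client is "1" for the listed source ranges and "0" for everything else.
geo $lan_client {
  default         0;
  127.0.0.0/8     1;
  192.168.0.0/24  1;   # assumed home LAN range (as in the answer); adjust to yours
}

server {
  listen 0.0.0.0:80;
  listen [::]:80;
  server_name git.team2roblox.tk;
  server_tokens off;
  root /opt/gitlab/embedded/service/gitlab-rails/public;
  access_log  /var/log/gitlab/nginx/gitlab_access.log gitlab_access;
  error_log   /var/log/gitlab/nginx/gitlab_error.log;

  ## Clients outside the LAN keep the original behaviour: redirect to HTTPS.
  ## A plain 'return' inside a server-level 'if' is one of the safe uses of 'if'.
  if ($lan_client = 0) {
    return 301 https://git.team2roblox.tk:443$request_uri;
  }

  ## From here on only LAN and loopback clients are served, over plain HTTP.
  location / {
    try_files $uri /index.html $uri.html @gitlab;
  }

  location @gitlab {
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    ## Report the real scheme of this hop (http), not the hard-coded https
    ## used in the 443 block, so the app sees what the client actually used.
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;

    proxy_pass http://gitlab;
  }
}
```

Omnibus GitLab rewrites gitlab-http.conf on every `gitlab-ctl reconfigure`, so a hand edit there is overwritten unless the equivalent is put in gitlab.rb. GitLab also builds its links from external_url, so pages fetched over plain HTTP from the LAN may still point at https:// addresses.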