
I have the following architecture:

  • An Angular webapp hosted on Google Firebase (HTTPS)
  • A jelastic environment with:
    • An NGINX server (HTTPS)
    • A Springboot 2 application server (HTTP)

For this to work, Firebase needs to call the API over HTTPS, so I added an SSL certificate and a public IP to the NGINX server. If I call the API over HTTP from Postman, the calls work fine. But if I call the API over HTTPS from the Angular app on Firebase, it doesn't work and I get this error: "Referrer Policy: no-referrer-when-downgrade" - net::ERR_CONNECTION_REFUSED.

I saw this question but I was not able to fix the problem.

This is the nginx conf file. I replaced the IP addresses with XXX.XXX.XXX.XXX


######## HTTP SECTION PROTOTYPE ########

# Main http context: global tuning, real-IP handling, the upstream groups, and a
# single plain-HTTP reverse-proxy server on port 80. No "listen 443" appears in
# this block; any HTTPS listener would have to come from the conf.d include at the end.
http {
    server_tokens off ;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # When the peer address falls in one of these ranges, $remote_addr is replaced
        # from X-Forwarded-For; with real_ip_recursive on, the last address in that
        # header that is not itself in a trusted range is used.
        # NOTE(review): any host inside these ranges can therefore choose the client IP
        # that gets logged and forwarded. 172.16.0.0/16 is narrower than the RFC 1918
        # block 172.16.0.0/12 - confirm which range the front-end balancers really use.
        set_real_ip_from  192.168.0.0/16;
        set_real_ip_from  10.0.0.0/8;
        set_real_ip_from  172.16.0.0/16;
        real_ip_header    X-Forwarded-For;
        real_ip_recursive on;

    # Access-log format: client address and port, request line, status, referer,
    # user agent, the raw X-Forwarded-For header, and upstream address/status/timings.
    log_format  main  '$remote_addr:$http_x_remote_port - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" '
                      '"$host" sn="$server_name" '
                      'rt=$request_time '
                      'ua="$upstream_addr" us="$upstream_status" '
                      'ut="$upstream_response_time" ul="$upstream_response_length" '
                      'cs=$upstream_cache_status' ;


        # NOTE(review): 10-minute header/body/send timeouts (nginx defaults are 60s)
        # let a slow client hold a connection open for a long time, and 100m is a
        # large request-body ceiling for an API - confirm both are intentional.
        client_header_timeout 10m;
        client_body_timeout 10m;
        send_timeout 10m;
        client_max_body_size 100m;

        connection_pool_size 256;
        client_header_buffer_size 1k;
        large_client_header_buffers 4 2k;
        request_pool_size 4k;

        # "gzip on" is commented out, so the gzip_* settings below have no effect
        # unless gzip is enabled somewhere else.
#        gzip on;
        gzip_min_length 1100;
        gzip_buffers 4 8k;
        gzip_types text/plain;

        output_buffers 1 32k;
        postpone_output 1460;

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;

        keepalive_timeout 75 20;

        ignore_invalid_headers on;

    # Maps the address of the upstream that served the request to a group name;
    # $group is what the Set-Cookie headers below write into SRVGROUP.
    map $upstream_addr        $group {
        default               "";
    ### MAPPING FOLLOWS HERE ###
    ### ~XXX\.XXX\.XXX\.XXX\:XX$   $GROUPNAME; ### MAPPROTO ### This is mappings prototype line, do not remove this! 
~XXX\.XXX\.XXX\.XXX\:80$ common; ### MAPPROTO for common ###
    }

    ### DEFAULT UPSTREAM FOLLOWS HERE ###
    # Fallback upstream used by "location /" and "@rescue".
    upstream default_upstream{
    ### server XXX.XXX.XXX.XXX; ### $GROUPNAME ### DEFUPPROTO ###
server XXX.XXX.XXX.XXX;   ### DEFUPPROTO for common ###
    sticky path=/; keepalive 100;
}



    ### UPSTREAMS LIST FOLLOWS HERE ###
        #upstream nodes{ server XXX.XXX.XXX.XXX; server 127.0.0.1:8001 backup # UPSTREAMPROTO # This is upstream prototype line, do not remove this! }
upstream common {   server XXX.XXX.XXX.XXX ;  sticky path=/; keepalive 100; } ### UPSTREAMPROTO for common ###


        #GFADMIN

        # Catch-all virtual host: plain HTTP on port 80, IPv4 and IPv6.
        server {
                listen *:80;
                listen [::]:80;
                server_name  _;

                #add_header Referrer-Policy "no-referrer"; # by Paolo

                access_log /var/log/nginx/localhost.access_log main;
                error_log /var/log/nginx/localhost.error_log info;

        #ModSecurityEnabled on;
        #ModSecurityConfig /etc/nginx/conf.d/modsecurity/modsec_includes.conf;

                proxy_temp_path /var/nginx/tmp/;
                proxy_connect_timeout 5s;

                error_page   500 502 503 504  /50x.html;

                proxy_next_upstream error timeout http_500;
                proxy_http_version 1.1;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Host $http_host;
                # NOTE(review): this forwards the incoming X-Forwarded-For header unchanged
                # and does not append the connecting address ($proxy_add_x_forwarded_for
                # is the variable that does). The backend should not treat the value as
                # verified; X-Real-IP above carries nginx's own view of the client.
                proxy_set_header X-Forwarded-For $http_x_forwarded_for;
                proxy_set_header X-Remote-Port $http_x_remote_port;
                proxy_set_header X-URI $uri;
                proxy_set_header X-ARGS $args;
                # NOTE(review): "Refer" / $http_refer reads a request header literally named
                # "Refer"; the standard header is "Referer" ($http_referer). Looks like a
                # typo in the template - confirm before relying on it in the backend.
                proxy_set_header Refer $http_refer;
                # Connection "upgrade" is sent on every proxied request, not only on
                # WebSocket handshakes.
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                # Fall back to the TCP source port when no X-Remote-Port header arrived.
                if ($http_x_remote_port = '' ) {
                    set $http_x_remote_port $remote_port;
                }

                location = /50x.html {
                        root   html;
                }

                location / {
                        # NOTE(review): the regex is unanchored, so any SRVGROUP cookie value that
                        # merely contains "group" or "common" passes, and that client-supplied
                        # value is then used as the proxy_pass target name. Anchoring the
                        # pattern (^...$) to the exact upstream names would close that gap.
                        if ($cookie_SRVGROUP ~ group|common) {
                                proxy_pass http://$cookie_SRVGROUP;
                                error_page   500 502 503 504 = @rescue;
                        }

                        # The SRVGROUP cookie is issued without Secure, HttpOnly or SameSite attributes.
                        if ($cookie_SRVGROUP !~ group|common) {
                                add_header Set-Cookie "SRVGROUP=$group; path=/";
                        }
                        proxy_pass http://default_upstream;
                        add_header Set-Cookie "SRVGROUP=$group; path=/";
                }

                # Used when the cookie-selected upstream answers 500/502/503/504.
                location @rescue {
                        proxy_pass http://default_upstream;
                        add_header Set-Cookie "SRVGROUP=$group; path=/";
                }


                #USERLOCATIONS
        }

#        server {
#                listen *:8001;
#                server_name  backup.local;
#
#           location / {
#                        proxy_pass http://default_upstream;
#                        add_header Set-Cookie "SRVGROUP=$group; path=/";
#                        proxy_http_version 1.1;
#                        proxy_set_header Host $host;
#                        proxy_set_header X-Real-IP $remote_addr;
#                        proxy_set_header X-Host $http_host;
#                        proxy_set_header X-Forwarded-For $http_x_forwarded_for;
#                        proxy_set_header X-URI $uri;
#                        proxy_set_header X-ARGS $args;
#                        proxy_set_header Refer $http_refer;
#                        proxy_set_header Upgrade $http_upgrade;
#                        proxy_set_header Connection "upgrade";
#                }
#        }

 # Only files in conf.d whose names end in ".conf" are loaded; a file named
 # "ssl.conf.disabled" does not match this glob and is ignored.
 include /etc/nginx/conf.d/*.conf;

}

######## TCP SECTION PROTOTYPE ########

This is the content of conf.d/ssl.conf

#
# HTTPS server configuration
#
# NOTE(review): every directive in this file is commented out, so as shown it
# defines no server block and opens no listener on 443.
# If this template is uncommented, do not enable it as written: SSLv2/SSLv3/TLSv1
# and a cipher string admitting LOW, EXP and RC4 suites are obsolete settings, and
# cert.pem / cert.key are relative placeholder paths, not the installed certificate.

#server {
#    listen       443;
#    server_name  _;

#    ssl                  on;

#    ssl_certificate      cert.pem;
#    ssl_certificate_key  cert.key;

#    ssl_session_timeout  5m;

#    ssl_protocols  SSLv2 SSLv3 TLSv1;
#    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
#    ssl_prefer_server_ciphers   on;

#    location / {
#        root   html;
#        index  index.html index.htm;
#    }
#}

while this is the content of conf.d/ssl.conf.disabled

#
# HTTPS server configuration
#

# TLS-terminating reverse proxy on port 443 that forwards to the "common" upstream
# over plain HTTP.
# NOTE(review): the page gives this file's name as ssl.conf.disabled; the main
# config shown includes only conf.d/*.conf, so under that name this block is not
# loaded and nothing would be listening on 443 because of it.
server {
    # TLS is switched on by the separate "ssl on;" directive below rather than by an
    # "ssl" parameter on these listen lines. NOTE(review): "ssl on" was deprecated in
    # nginx 1.15.0 and removed in 1.25.1; "listen 443 ssl http2;" is the equivalent
    # form - confirm which nginx version the environment runs.
    listen       443 http2;
    listen       [::]:443 http2;
    server_name  _;

    ssl                  on;
    ssl_certificate      /var/lib/jelastic/SSL/jelastic.chain;
    ssl_certificate_key  /var/lib/jelastic/SSL/jelastic.key;


    ssl_session_timeout  5m;

    # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); unless a legacy
    # client requires them, limit this to TLSv1.2 and TLSv1.3. The cipher list was
    # redacted by the poster, so it cannot be reviewed here.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers '*****removed by me*****';

    ssl_prefer_server_ciphers   on;
    ssl_session_cache shared:SSL:10m;

    access_log /var/log/nginx/localhost.access_log main;
    error_log /var/log/nginx/localhost.error_log info;
    proxy_temp_path /var/nginx/tmp/;
    error_page   500 502 503 504  /50x.html;

    location = /50x.html {
                        root   html;
               }

    location / {
     # Default upstream name; conf.d/ssl.upstreams.inc is not shown on the page and
     # presumably may override $upstream_name - verify its contents.
     set $upstream_name common;
include conf.d/ssl.upstreams.inc;

                        proxy_pass http://$upstream_name;
                        proxy_next_upstream error;
                        proxy_http_version 1.1;
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "upgrade";
                        proxy_set_header Host $host;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Host $http_host;
                        # NOTE(review): passes the client-supplied X-Forwarded-For through
                        # unchanged; the connecting address is not appended, so the backend
                        # should not treat this header as verified.
                        proxy_set_header X-Forwarded-For $http_x_forwarded_for;
                        proxy_set_header X-URI $uri;
                        proxy_set_header X-ARGS $args;
                        # NOTE(review): "Refer" / $http_refer is probably meant to be
                        # "Referer" / $http_referer - confirm.
                        proxy_set_header Refer $http_refer;
                        # Tell the HTTP backend that the original request arrived over TLS.
                        proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Ssl-Offloaded "1";
                }
}

Paolo
  • Something looks wrong, I don't understand how you can have SSL working with those conf files, because there is no `server { listen 443 ...` (knowing that .conf.disabled files won't be included). Are you missing here another conf file? – Erdal G. Feb 04 '20 at 13:16

1 Answer


You should add:

# NOTE(review): add_header only adds a header to responses nginx actually sends.
# It cannot affect net::ERR_CONNECTION_REFUSED, which is reported when the
# connection is refused before any HTTP response exists; the
# "no-referrer-when-downgrade" text is the referrer policy the browser displays
# for the request - presumably not the failure itself. Check first that a
# server block is listening on 443.
add_header 'Referrer-Policy' 'origin';

to /etc/nginx/conf.d/ssl.conf

Virtuozzo
  • Dear jelastic, first of all thank you! I tried your suggestion: I put the directive in ssl.conf and uncommented the server part, but it doesn't work. Then I tried it in the other file that I put in the question, but unfortunately with no results. Could you tell me where to put this string? In the UI configuration, SSL is enabled. – Paolo Jan 31 '20 at 17:07
  • Seems like SSL is not configured properly. We recommend that you contact your hosting provider for help. – Virtuozzo Feb 03 '20 at 14:55
  • Thank you, but Aruba.it said that their Jelastic cloud is not managed... My solution? To change Aruba with something else... – Paolo Feb 06 '20 at 09:37
  • Dear Paolo, We would like to know about your choice. Also, please let us know if the problem still persists and if you need assistance from our side. – Virtuozzo Feb 11 '20 at 13:53