Why doesn’t my Node.js REST API work over HTTPS?

I have a droplet on DigitalOcean (I am a novice at server setup).

I use: Ubuntu, NGINX, Let’s Encrypt certs, PM2.

The app is written in Nuxt.js and the server side uses Express for the REST API. I can access my REST API only over HTTP.

The app is on port 8080 (I don’t know if it is ideal – I also tried 3000 and 8443 and the result was the same).

The PM2 log is clear.

0|index    |  READY  Server listening on http://0.0.0.0:8080
0|index    |

When I try with curl on the server:

root@ubuntu-s-1vcpu-1gb-nyc1-01:/var/www/html/app# curl -v -k  https://0.0.0.0:8080/api/posts
*   Trying 0.0.0.0...
* TCP_NODELAY set
* Connected to 0.0.0.0 (127.0.0.1) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

I still have this error and I am not able to solve it (curl over plain HTTP gives me the expected JSON as a result, so that’s OK).

This is my config

index   index.html index.htm;

server {
    listen 80;
    server_name premonstrati2021.cz www.premonstrati2021.cz;

        location / {
            proxy_pass                    https://0.0.0.0:8080;

            proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
            proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
            proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;
            proxy_ssl_server_name on;
            proxy_ssl_verify        on;
            proxy_ssl_verify_depth  2;
            proxy_ssl_session_reuse on;
        }

    return 301 https://$server_name$request_uri;
}

server {
        listen       443 ssl http2;
        listen       [::]:443 ssl http2;

        root /var/www/html/app/dist;

        server_name  premonstrati2021.cz www.premonstrati2021.cz;

        ssl_dhparam /etc/nginx/dhparam.pem
        ssl_certificate "/etc/letsencrypt/live/premonstrati2021.cz/cert.pem";
        ssl_certificate_key "/etc/letsencrypt/live/premonstrati2021.cz/privkey.pem";
        ssl_verify_client      optional;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
             ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES2$

        location / {
                proxy_pass http://0.0.0.0:8080;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
                proxy_ssl_server_name on;
        }
}

Any idea what’s wrong? I guess it is something with SSL.

I switched off SSL3 with

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Thanks. I spent many, many hours :-(…

EDITED:

  1. SSL TEST
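
Added example, not part of the original post: the PM2 log above shows the app listening on http://, while curl was pointed at https:// on the same port. This Node.js sketch parses the first reply bytes as a TLS record header, the way a TLS client does, to show why a plaintext HTTP reply produces a version field that is not TLS. The function names and sample bytes are constructed for illustration, and it assumes the plain-HTTP listener answers the ClientHello with an HTTP status line.

```javascript
'use strict';

// TLS record content types (RFC 8446, section 5.1).
const TLS_CONTENT_TYPES = new Map([
  [20, 'change_cipher_spec'],
  [21, 'alert'],
  [22, 'handshake'],
  [23, 'application_data'],
]);

// Read the 5-byte record header a TLS client expects at the start of any reply:
// 1 byte content type, 2 bytes protocol version, 2 bytes payload length.
function parseRecordHeader(buf) {
  if (buf.length < 5) return null;
  return {
    type: buf[0],
    versionMajor: buf[1],
    versionMinor: buf[2],
    length: buf.readUInt16BE(3),
  };
}

// Decide what kind of peer produced these first bytes.
function classifyFirstBytes(buf) {
  const header = parseRecordHeader(buf);
  if (header === null) return { kind: 'too-short' };
  // Every SSL 3.0 / TLS 1.x record carries major version 3 on the wire.
  if (header.versionMajor === 3 && TLS_CONTENT_TYPES.has(header.type)) {
    return { kind: 'tls', record: TLS_CONTENT_TYPES.get(header.type), header };
  }
  // A plaintext HTTP status line starts with the ASCII bytes "HTTP/".
  if (buf.subarray(0, 5).toString('latin1') === 'HTTP/') {
    return { kind: 'plaintext-http', header };
  }
  return { kind: 'unknown', header };
}

// Constructed samples (not captured traffic).
const SAMPLE_HTTP_REPLY = Buffer.from('HTTP/1.1 400 Bad Request\r\n\r\n', 'latin1');
const SAMPLE_TLS_REPLY = Buffer.from([0x16, 0x03, 0x03, 0x00, 0x7a, 0x02, 0x00, 0x00, 0x76]);

for (const [name, bytes] of [['http', SAMPLE_HTTP_REPLY], ['tls', SAMPLE_TLS_REPLY]]) {
  console.log(name, JSON.stringify(classifyFirstBytes(bytes)));
}
```

For the HTTP sample, the bytes `H`, `T`, `T` land in the type and version fields (0x48, 0x54, 0x54), so the major version is not 3 and a TLS client rejects the record.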
