
messed up ssl for nginx sub-dir with reverse proxy

My server hosts several sub-domains:

  • one containing a Laravel app: cluego
  • a Node.js app: qruzzle
  • and another Laravel app: ijsbrekerz

I tried to follow some tutorials to get HTTPS working.

The result is puzzling for me, a tutorial-follower :( What I see now is:

When I browse to:

https://cluego.nl              ->    Welcome to NGINX, successfully installed, need to configure
https://qruzzle.cluego.nl/     ->    Welcome to NGINX, successfully installed, need to configure
https://ijsbrekerz.cluego.nl/  ->    Welcome to NGINX, successfully installed, need to configure
www.cluego.nl                  ->    Works great!
qruzzle.cluego.nl              ->    works, not secure
ijsbrekerz.cluego.nl           ->    works, not secure

I have to add some paths somewhere but I cannot figure out where, since I do not really understand the reverse proxy configuration. I am afraid to break something because this all was done based on following tutorials.

Can anyone point out where I must add the locations of root, qruzzle, and ijsbrekerz?

The sub-domains are defined in sites-available, for example: /etc/nginx/sites-available/qruzzle.cluego.nl

# the nginx server instance
server {
    listen 80;
    listen [::]:80;
    server_name qruzzle.cluego.nl www.qruzzle.cluego.nl;
    access_log /var/log/nginx/qruzzle.cluego.nl.log;

    # pass the request to the node.js server with the correct headers
    # and much more can be added, see nginx config options
    location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header X-NginX-Proxy true;

      proxy_pass http://127.0.0.1:3000/;
      proxy_redirect off;
    }
}

In ssl.conf I have:

server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;

    server_name cluego.nl;
    ssl_certificate /etc/letsencrypt/live/cluego.nl/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cluego.nl/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ########################################################################
    # from https://cipherlist.eu/                                          #
    ########################################################################

    ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    ###################################
    # END https://cipherlist.eu/ BLOCK #
    ###################################

}

Non-definitive answer, as the question lacks some design information.

The following points must be checked/changed:

  • does the certificate contain all of the domains (cluego.nl, www.cluego.nl, qruzzle.cluego.nl, ...)? It doesn't look so at first sight.
  • server_name must contain all of the domains, for both server blocks, if the HTTP to HTTPS redirection should be done by the applications
  • add server_name blocks for each domain if the HTTP to HTTPS redirections must be done by NGINX, and combine that with return 302 directives.
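One way to lay out the blocks the answer describes, as an added example that is neither the asker's nor the answerer's configuration: a single port-80 server that redirects every name with `return`, and one port-443 server per name so that no request falls through to nginx's default "Welcome" page. It assumes a certificate whose SAN list covers all four names, a hypothetical `/etc/nginx/snippets/ssl-params.conf` holding the cipherlist.eu settings from ssl.conf, and an assumed PHP-FPM socket and document root for the Laravel app.

```nginx
# Added example, not the asker's config. Assumes one certificate whose SAN list covers
# all four names, and the cipherlist.eu settings from ssl.conf moved (minus the
# server {} wrapper) into the hypothetical /etc/nginx/snippets/ssl-params.conf.
# Port 80: nginx redirects every name to HTTPS, so no app is reachable in clear.
# The answer suggests 302; a permanent 301 is usual once the setup is verified.
server {
    listen 80;
    listen [::]:80;
    server_name cluego.nl www.cluego.nl qruzzle.cluego.nl ijsbrekerz.cluego.nl;
    return 302 https://$host$request_uri;
}
# Port 443, one block per name. If no server_name matches the requested host,
# nginx serves its default server: the "Welcome to NGINX" page seen above.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name qruzzle.cluego.nl;
    access_log /var/log/nginx/qruzzle.cluego.nl.log;
    ssl_certificate     /etc/letsencrypt/live/cluego.nl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cluego.nl/privkey.pem;
    include snippets/ssl-params.conf;  # protocols, ciphers, stapling, headers
    location / {
        proxy_http_version 1.1;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;  # app learns it is behind TLS
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_pass http://127.0.0.1:3000/;
    }
}
# Laravel app via PHP-FPM (socket and root are assumptions); repeat per Laravel name.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ijsbrekerz.cluego.nl;
    ssl_certificate     /etc/letsencrypt/live/cluego.nl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cluego.nl/privkey.pem;
    include snippets/ssl-params.conf;
    root /var/www/ijsbrekerz/public;
    index index.php;
    location / { try_files $uri $uri/ /index.php?$query_string; }
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Check the result with `nginx -t` before reloading, and confirm the certificate's SAN list with `openssl x509 -in /etc/letsencrypt/live/cluego.nl/fullchain.pem -noout -text`; a name missing there will still produce a browser certificate error even when the server block matches.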
