nginx and blazor - upstream prematurely closed connection - 502 Bad Gateway - nginx

I am trying to deploy a Blazor Server template app on Nginx, but I'm stuck with this problem.
I tried everything that I could find online, but still the same error.
error.log
*36 upstream prematurely closed connection while reading response header from upstream, client:, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:7155/"
In case that helps, browsers just show a 502 code.
This is my nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
And here is the server block at /sites-enabled/:
    server {
        listen 80;
        listen [::]:80;
        return 301 https://$host$request_uri;
    }
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/nginx/cert.pem;
        ssl_certificate_key /etc/nginx/cert.key;
        location / {
            proxy_pass http://dotnet;
            proxy_set_header Host $host;
            proxy_http_version 1.1; # you need to set this in order to use params below.
            proxy_temp_file_write_size 64k;
            proxy_connect_timeout 10080s;
            proxy_send_timeout 10080;
            proxy_read_timeout 10080;
            proxy_buffer_size 64k;
            proxy_buffers 16 32k;
            proxy_busy_buffers_size 64k;
            proxy_redirect off;
            proxy_request_buffering off;
            proxy_buffering off;
        }
    }
    upstream dotnet {
        zone dotnet 64k;
        server 127.0.0.1:7155;
    }
I don't know what I am doing wrong. Please help.

Based on this, I made some notes on how to deploy a Blazor Server app on Nginx. I am sharing them and hope that helps.
Install nginx and start it:
sudo apt-get install nginx
sudo service nginx start
Now you need to configure it so that requests arriving to port 80 are passed to your app on port 5000. To do that, open the /etc/nginx/sites-available/default file in your favorite editor. The default configuration defines only one server, listening on port 80. Under this server, look for the section starting with location /: this is the configuration for the root path on this server. Replace it with the following configuration:
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        # try_files $uri $uri/ =404;
        proxy_pass http://localhost:5000/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
This should prevent the connection from reverting to long-polling.
Reload nginx:
sudo nginx -s reload
The default under /etc/nginx/sites-available/ looks like this:
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;
        server_name _;
        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            # try_files $uri $uri/ =404;
            proxy_pass http://localhost:5000/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
        }
    }
Microsoft reference on how to deploy.

I just solved the problem. The server block was redirecting to SSL, but when I called the upstream I was not doing it with HTTPS!
To solve the problem I just changed
proxy_pass http://dotnet;
to
proxy_pass https://dotnet;
and now everything works.
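The corrected server block from this thread, combining the `https://` upstream fix with the WebSocket headers from the earlier answer, as an added example that is not code from either poster. The `map` block, the CA file path and the `proxy_ssl_name` value are assumptions; the upstream, ports and certificate paths are the ones in the question.

```nginx
# Added example. Goes in the sites-enabled file, which nginx.conf includes
# inside http { }, so map and upstream are valid at the top level here.

# Send "Connection: upgrade" upstream only when the client asked to upgrade;
# ordinary requests get "Connection: close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream dotnet {
    zone dotnet 64k;
    server 127.0.0.1:7155;   # the app's HTTPS listener, as in the question
}

server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate     /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/cert.key;

    location / {
        # The upstream port speaks TLS, so the scheme has to be https.
        # With http:// the app drops the connection and nginx logs
        # "upstream prematurely closed connection" and returns 502.
        proxy_pass https://dotnet;

        # nginx does not check the upstream certificate by default.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;  # assumed path
        proxy_ssl_name                localhost;  # assumed: name in the app's certificate
        proxy_ssl_server_name         on;         # send that name as SNI

        # WebSocket upgrade, so the Blazor circuit does not fall back to long-polling.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `nginx -t` before reloading. If the application listens only on loopback, the alternative is to give it a plain-HTTP listener and keep `proxy_pass http://dotnet;`, with TLS terminated at nginx.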

Related

Artifactory CE Edition Configure HTTPS

I have installed a free Artifactory Server (Community Edition and edition license 7.29.8 rev 72908900).
So I can't configure the HTTP or HTTPS URL.
When I launch the Artifactory web UI over HTTP, the HTTP settings (Administration ==> General ==> HTTP Setting) are unavailable.
I have installed an NGINX server and I can't launch Artifactory in HTTPS.
I use the same VM for NGINX and Artifactory.
I have found this documentation: https://www.jfrog.com/confluence/display/JFROG/HTTP+Settings & https://www.jfrog.com/confluence/display/JFROG/Configuring+NGINX
My configuration nginx server:
## add ssl entries when https has been set in config
##ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_certificate /etc/ssl/certs/domain.crt;
ssl_certificate_key /etc/ssl/private/domain.key;
ssl_session_cache shared:SSL:1m;
##ssl_prefer_server_ciphers on;
## server configuration
server {
listen 443 ssl;
listen 8080;
server_name <Server_Name>;
if ($http_x_forwarded_proto = '') {
set $http_x_forwarded_proto $scheme;
}
## Application specific logs
## access_log /var/log/nginx/<Server_Name>-access.log timing;
## error_log /var/log/nginx/<Server_Name>-error.log;
rewrite ^/$ /ui/ redirect;
rewrite ^/ui$ /ui/ redirect;
chunked_transfer_encoding on;
client_max_body_size 0;
location / {
proxy_read_timeout 2400s;
proxy_pass_header Server;
proxy_cookie_path ~*^/.* /;
proxy_buffer_size 128k;
proxy_buffers 40 128k;
proxy_busy_buffers_size 128k;
proxy_pass https://<Artifactory_IP>:8082;
proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location ~ ^/artifactory/ {
proxy_pass https://<Artifactory_IP>:8081;
}
}
}
And all are KO
Can you help me?
I just want to launch Artifactory at https://x.x.x.x:80802, for example.
HTTP Settings is not supported in Artifactory Community Edition. That said, you may want to check out the free-tier option for testing this configuration and additional features at: https://jfrog.com/start-free
similar query: HTTPS Settings is disabled in freshly started artifactory-cpp-ce - how do I enable it?

Enable wss connection in NGINX

I am troubleshooting the Nginx configuration to allow for web sockets. The WebSocket works perfectly, but when testing the implementation behind an NGINX server, the WSS connection fails.
There are no error logs in the node behind NGINX (http://127.0.0.1:5000).
Chrome Log:
When I attempt to connect to the WebSocket on the client level, I get the console error in Chrome:
WebSocket connection to 'wss://<domain>/socket/?EIO=4&transport=websocket&sid=fL4zwiY3jykAkO1XAADU ' failed
NGINX Log response:
In the NGINX log, I see the following "Internal server error":
<IP> <DATE> "GET /socket/?EIO=4&transport=websocket&sid=fL4zwiY3jykAkO1XAADU HTTP/1.1" 500 110 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36"
Note that there is no error in the service behind the NGINX, so we know the issue lies with NGINX.
NGINX Configuration
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
client_max_body_size 100M;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
map $http_upgrade $connection_upgrade{
default upgrade;
'' close;
}
upstream websocket{
server 127.0.0.1:5000;
}
server {
listen [::]:443 ssl;
listen 443 ssl;
root /var/www/html;
ssl on;
index index.html index.htm index.nginx-debian.html;
server_name _;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
location /socket {
proxy_pass http://websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# SSL Settings by Certbot
ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
# Redirect HTTP to HTTPS
listen 80 ;
listen [::]:80 ;
return 301 https://$host$request_uri;
server_name <domain>;
return 404; # managed by Certbot
}
}
NGINX Version:
nginx/1.18.0 (Ubuntu)
A normal WebSocket seems to work perfectly fine (ws://). But the secure WebSocket (wss://) doesn't work. I have been looking all over for a solution, but am unable to find the issue.
What alteration should I make to the configuration in order for NGINX to allow wss:// sockets and not throw 500 Internal Server Error?
I found the solution; I will post the answer here in case someone encounters the same issue in the future.
Explanation:
My stack was:
React (using socket.io-client)
Nginx as reverse Proxy
Docker for image and container management
waitress-serve as ENTRYPOINT for the python code
Flask-SocketIO as Python backend.
There were no logs indicating any issues. I looked at the nginx logs at DEBUG level, using the following line in nginx.conf:
error_log /var/log/nginx/error.log debug;
I noticed that the 500 error in the normal nginx log was coming from waitress.
Waitress does not support (at least not the version I was using) websockets. This is implicitly implied with Flask-SocketIO since waitress is not listed as a deployment option here in the docs.
Solution:
Replace waitress with Gunicorn. The websockets work like a charm. No need for polling anymore (which is a silent bug waiting to blow up in your face).

NGINX failed to pass traffic to application

I have an nginx proxy in front of an application (which listens on 10.10.10.10:80) where the SSL certificate is terminated, but I have an issue when trying to access the log-in page, as nginx redirects traffic to port 80 (which doesn't listen).
The NGINX configuration is shown below:
server {
listen 10.11.11.11:443 ssl;
server_name test.example.com;
access_log /var/log/nginx/test-access.log main;
error_log /var/log/nginx/test-error.log warn;
client_body_buffer_size 1M;
client_max_body_size 16M;
client_body_timeout 12;
client_header_timeout 12;
send_timeout 10;
ssl_certificate <PATH>/cert.crt;
ssl_certificate_key <PATH>/cert.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
location / {
proxy_pass http://10.10.10.10;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_ignore_headers Expires Cache-Control Set-Cookie;
proxy_pass_header Content-Type;
proxy_pass_header Content-Disposition;
proxy_pass_header Content-Length;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
proxy_max_temp_file_size 0;
proxy_force_ranges on;
}
}
What is needed in order for NGINX to always redirect traffic to 10.11.11.11:443 and apparently to 10.10.10.10:80?
PS: If I manually enter the FQDN (https://test.example.com) in the failed request, then the request becomes successful.
I hope I explained it properly :)
Thank you.
Sounds like you are testing using the IP Address (10.11.11.11) and your proxy_pass endpoint (10.10.10.10) is configured to only accept requests for specified FQDN (test.example.com) on HTTP (TCP port 80).
When it receives a request for a domain it does not recognize, it redirects the user to what it believes should work: http://test.example.com
You have a couple of options to fix this:
- Update the upstream server to accept requests for additional host header values
- Rewrite the 302 location header in the response to change the protocol from HTTP to HTTPS
- Configure server block to listen on HTTP and have it redirect to HTTPS
- Hard code the 'proxy_set_header Host' directive to test.example.com so it matches what the upstream expects (Not recommended because it could create unexpected results down the road when troubleshooting different issues)

Nginx response error 404 when processing a specific url

I have updated my gems and I have lost my old nginx config. I'm setting up a new config in nginx.conf. My new Nginx version is 1.17.3. The home page is loading and navigation from home is also right. But, if I directly type a specific url in my browser, Nginx responds with a 404.
I don't remember what I'm missing. My nginx.conf file:
events {
worker_connections 1024;
}
http {
upstream api.development {
# Path to Puma SOCK file, as defined previously
server unix:/tmp/puma.sock fail_timeout=0;
}
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
# set client body size to 10M #
client_max_body_size 10M;
gzip on;
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /path-to-root/app;
index index.html index.htm;
# Proxy requests to backend API
location /api {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
#proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
rewrite ^/api(.*) /$1 break;
proxy_pass http://api.development;
}
}
include servers/*;
}
I think I have just got it by adding: try_files $uri $uri/ /index.html =404;
My concern is that with this line it's working in the development environment; however, in production, I haven't updated the server yet, and I don't see that I have any try_files enabled in my config file. So I don't understand if this is what I should do. I'm not skilled at all in nginx config.

How to run odoo in https mode using nginx?

I am trying to run odoo in https mode using nginx but it's not working. This is how I tried:
sudo apt-get install nginx
cd /etc/nginx/sites-available
sudo openssl genrsa -des3 -passout pass:odoo -out server.temp.key 2048
sudo openssl req -new -passin pass:odoo -key server.temp.key -out server.csr
sudo openssl rsa -in server.temp.key -out server.key
sudo rm server.temp.key
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
my certificate file,
upstream odoo {
server localhost:8069 weight=1 fail_timeout=3000s;
}
server {
listen 443;
listen [::]:443 ipv6only=on;
server_name odoo.example.com;
ssl on;
ssl_ciphers ALL:!ADH:!MD5:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# Specifies the maximum accepted body size of a client request,
# as indicated by the request header Content-Length.
client_max_body_size 200m;
# add ssl specific settings
keepalive_timeout 60;
# increase proxy buffer to handle some OpenERP web requests
proxy_buffers 16 64k;
proxy_buffer_size 128k;
location / {
proxy_pass http://odoo;
# Force timeouts if the backend dies
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Let the Odoo web service know that we're using HTTPS, otherwise
# it will generate URL using http:// and not https://
proxy_set_header X-Forwarded-Proto https;
# Set timeouts
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
send_timeout 3600;
# By default, do not forward anything
proxy_redirect off;
}
# Cache some static data in memory for 60mins.
# under heavy load this should relieve stress on the Odoo web interface a bit.
location ~* /[0-9a-zA-Z_]*/static/ {
proxy_cache_valid 200 60m;
proxy_buffering on;
expires 864000;
proxy_pass http://odoo;
}
access_log /var/log/nginx/odoo-ssl.access.log;
error_log /var/log/nginx/odoo-ssl.error.log;
}
After this I restarted nginx, enabled proxy mode in odoo config and restarted odoo server, but still my site runs in http mode. I have not given any domain name to my site. Is that compulsory before setting up nginx?
Ok, let's start from the beginning. In order to set up Odoo with SSL you need:
1) domain name
2) proper config for reverse proxy (you are using nginx so it will be an easy fix)
3) ssl certificate
4) updated Odoo config
I have written down some hints on the above points.
1) I assume that you have a domain pointing to your server. If not, then you need to visit your domain control panel and set DNS (simply put your server IP in the "A" value). Sample tutorial on this (see point 5):
https://www.cier.tech/blog/blog-1/post/how-to-publish-your-website-on-amazon-ec2-linux-ubuntu-server-13
2) Sample Odoo config:
upstream odoo {
server 127.0.0.1:8069;
}
upstream odoochat {
server 127.0.0.1:8072;
}
# http -> https
server {
listen 80;
server_name odoo.mycompany.com; #replace with your domain
rewrite ^(.*) https://$host$1 permanent;
}
server {
listen 443;
server_name odoo.mycompany.com; #replace with your domain
proxy_read_timeout 720s;
proxy_connect_timeout 720s;
proxy_send_timeout 720s;
# Add Headers for odoo proxy mode
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
# SSL parameters - update with your cert details
ssl on;
ssl_certificate /etc/ssl/nginx/server.crt;
ssl_certificate_key /etc/ssl/nginx/server.key;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# log
access_log /var/log/nginx/odoo.access.log;
error_log /var/log/nginx/odoo.error.log;
# Redirect requests to odoo backend server
location / {
proxy_redirect off;
proxy_pass http://odoo;
}
location /longpolling {
proxy_pass http://odoochat;
}
# common gzip
gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
gzip on;
}
As you can see there is also upstream for the chat as it works on the other port.
Remember to create a shortcut in the sites-enabled:
ln -s /etc/nginx/sites-available/yoursite.com /etc/nginx/sites-enabled/yoursite.com
Later on test nginx config and restart it:
nginx -t
service nginx restart
Mentioned config comes from:
https://www.odoo.com/documentation/10.0/setup/deploy.html
4) Update your Odoo config with:
- proxy_mode = True
- workers = you need to have more than one worker if you want the "chat" and "discuss" modules to work properly.
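The TLS directives used in the configs on this page, set beside a tightened form, as an added example that is not from either poster. It assumes an nginx and OpenSSL build with TLSv1.3 support; the cipher list and session settings are one reasonable choice, not taken from the Odoo documentation.

```nginx
# Added example. Upstreams, server_name and certificate paths are the
# ones from the sample config above.

# --- as posted on this page ---
#   listen 443;
#   ssl on;                               # obsolete since nginx 1.15.0
#   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # TLS 1.0 and 1.1 are deprecated (RFC 8996)
#   ssl_ciphers ALL:!ADH:!MD5:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM;  # lists RC4

upstream odoo {
    server 127.0.0.1:8069;
}
upstream odoochat {
    server 127.0.0.1:8072;
}

# --- tightened ---
server {
    listen 443 ssl;                       # replaces "listen 443;" plus "ssl on;"
    server_name odoo.mycompany.com;       # replace with your domain

    ssl_certificate     /etc/ssl/nginx/server.crt;
    ssl_certificate_key /etc/ssl/nginx/server.key;

    # Only protocol versions that are not deprecated.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only (applies to TLS 1.2; TLS 1.3 suites
    # are configured separately by OpenSSL). Assumed choice.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;        # every listed suite is acceptable

    ssl_session_timeout 30m;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_tickets off;

    # Headers for Odoo proxy mode; $scheme is "https" on this listener.
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP         $remote_addr;

    location / {
        proxy_redirect off;
        proxy_pass http://odoo;
    }
    location /longpolling {
        proxy_pass http://odoochat;
    }
}
```

The site also stays reachable over plain HTTP for as long as port 8069 is exposed directly, so the http-to-https server block from the sample config is still needed alongside this one.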
