ssl with certbot and nginx on ubuntu - nginx

I'm trying to add SSL to my website hosted on my VPS (Ubuntu 20). I do not have any skill with nginx (v1.18.0) and I just followed tutorials to add SSL to my website with the help of Let's Encrypt and certbot.
Here I have some problems:
I followed this tutorial, and in its 3rd part I only used sudo certbot --nginx -d example.com because I faced an error with sudo certbot --nginx -d www.example.com. So I decided to just add example.com and forward every request from www.appsazz.ir to appsazz.ir in nginx. Now certbot has generated a file inside /etc/nginx/conf.d with the name www.appsazz.ir.conf. Its configuration didn't resolve my problem, so I tried to change it a little. Here is the file's configuration:
server {
if ($host = appsazz.ir){
return 301 https://$host$request_uri;
}
if ($scheme != "https"){
return 301 https://$host$request_uri;
}
}
server {
listen 80;
listen [::]:80;
root /var/www/venus;
server_name appsazz.ir www.appsazz.ir;
# managed by Certbot
listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/appsazz.ir/fullchain.pem; #managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/appsazz.ir/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
The nginx -t response seems to be OK:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Why, when I request appsazz.ir from the browser, does it still load as "not secure"?
When I request www.appsazz.ir, Chrome responds with an ERR_INTERNET_DISCONNECTED error.

Your setup is correct and appsazz.ir is loading with https:// in the browser. I can also see the SSL certificate issued using Let's Encrypt. However, www.appsazz.ir isn't configured properly in your DNS provider. A quick nslookup www.appsazz.ir is showing this:
Server: 1.1.1.1
Address: 1.1.1.1#53
** server can't find www.appsazz.ir: NXDOMAIN
Please configure the subdomain www to point to a valid IP or endpoint and it should work. In your case, appsazz.ir points to IP 188.121.122.161; I guess www.appsazz.ir should be pointing to the same.

Related

nginx "connect() failed (111: Unknown error) while connecting to upstream" error

I have an nginx server that's giving me an error that I can't find any information on. The server is up and running and I believe the underlying site (a Flask app) is also running, but clients receive a generic 500 error. When I look at /var/log/nginx/error.log, I see this:
2022/09/04 04:59:52 [error] 1523#1523: *1 connect() failed (111: Unknown error) while connecting to upstream, client: [clients ip], server: mysite.com, request: "GET / HTTP/1.1", upstream: "http://[::1]:8000/", host: "mysite.com"
I have no idea what to do with this. I've searched around and can't find any info on how to dig in deeper or where to look to resolve the issue.
How I got into this state
I'm running the server on Ubuntu on a Linode and wanted to upgrade the OS. To do so, I spun up a new Linode with the latest version of Ubuntu (22.04) and recreated the server from scratch. After getting everything installed, I swapped the IP addresses of the old and new servers to avoid having to redo the DNS records. I'm using CertBot to manage https certificates, so I ran that again and then restarted everything.
At this point, nginx was up and running and happy with my config. Everything looks the same as it did on the old server. But every request is a 500 with the error above.
Any help / pointers to get me back to a working state are very much appreciated!
EDIT: nginx config
server {
server_name = www.mysite.com;
return 301 $scheme://mysite.com$request_uri;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name mysite.com;
location ^~ /static/ {
include /etc/nginx/mime.types;
root /home/my_username/path/to/code/;
}
location / {
proxy_pass http://localhost:8000;
include /etc/nginx/proxy_params;
proxy_redirect off;
proxy_read_timeout 300s;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.mysite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = mysite.com) {
return 301 https://$host$request_uri;
} # Manually added by me
server_name = mysite.com;
listen 80;
return 404; # managed by Certbot
}
Rewrite your nginx config to use an IP, not DNS. For instance, 127.0.0.1 instead of localhost, or remove the IPv6 alias from /etc/hosts.
Try this.
Ugh. I was a dummy. It was not an nginx error.
I misconfigured something in my Flask site, causing it to throw 500 errors. Because of the misconfiguration, they weren't being logged to the right file, so I didn't realize that was the problem. Fixed the Flask config and the server went back to normal.
Posting my stupidity in case it helps any future searchers who hit the same nginx error.

I have switched to https, and now my app can't connect to my GraphQL API (but GraphQL Playground works in the browser)

I used to connect my app (Next, React, ApolloClient) to my backend (ApolloServer) using this url: http://167.99.145.82:4020/graphql, and it worked.
Now that I have switched to https, GraphQL Playground still works in the browser (https://sketchdaily.club/graphql), but when the client (https://sketchdaily.vercel.app/) tries to connect to it, it returns [Network error]: TypeError: Failed to fetch.
Why could that happen?
My nginx config:
server {
listen 80;
listen [::]:80;
server_name sketchdaily.club www.sketchdaily.club;
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/sketchdaily.club/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/sketchdaily.club/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://0.0.0.0:4020;
}
}
What am I doing wrong?
Your certificate has been issued for the domain sketchdaily.club and only this name is included in the certificate. If you now connect to the server using its IP address, the server name used, 167.99.145.82, does not match the name in the certificate, sketchdaily.club, and thus the client will refuse the connection because the server cannot be trusted.
Just try it out and open https://167.99.145.82 in any web browser - it will not work. Therefore, for HTTPS you have to use the DNS name of your server, or change the registration at Let's Encrypt to also include the IP address of your server in the certificate as a "Subject Alternative Name"; then you can continue to use the IP address.
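To make the answer's point concrete, here is a Python function, added here and not part of the post, that re-implements the reference-identity check a TLS client runs against a certificate's subjectAltName, in the tuple layout Python's ssl.SSLSocket.getpeercert() returns. The certificate dictionaries are constructed stand-ins: SITE_CERT mimics the poster's certificate (a single DNS SAN, no IP SAN), while CERT_WITH_IP_SAN and WILDCARD_CERT are hypothetical variants used to show the other rules; nothing is fetched from the real server.

```python
"""Reference-identity check a TLS client applies to a server certificate
(added example, not from the post). Mirrors the rules browsers and Python's
ssl module use: an IP literal matches only an 'IP Address' SAN, a host name
matches only a 'DNS' SAN, a wildcard covers exactly one left-most label, and
the commonName is ignored.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-ins in the layout ssl.SSLSocket.getpeercert() returns.
# SITE_CERT mimics the poster's certificate: one DNS SAN, no IP SAN.
SITE_CERT = {
    "subject": ((("commonName", "sketchdaily.club"),),),
    "subjectAltName": (("DNS", "sketchdaily.club"),),
}
# Hypothetical variants: the same certificate extended with an IP SAN, and a
# wildcard certificate.
CERT_WITH_IP_SAN = {
    "subjectAltName": (("DNS", "sketchdaily.club"), ("IP Address", "167.99.145.82")),
}
WILDCARD_CERT = {
    "subjectAltName": (("DNS", "*.sketchdaily.club"),),
}


def _dns_match(pattern, hostname):
    """DNS-ID match: case-insensitive, '*' allowed only as the entire left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    # The wildcard stands for exactly one label, and at least two fixed
    # labels must follow it ('*.club' must not cover 'sketchdaily.club').
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def matches_certificate(cert, reference):
    """True if `reference` (a host name or IP literal) is an identity the certificate asserts."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        # A DNS SAN that merely resolves to this IP does not count.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, reference) for kind, value in sans)


def check_url(cert, url):
    """Return (ok, explanation) for connecting to `url` when this certificate is presented."""
    host = urlsplit(url).hostname
    sans = ", ".join(f"{kind} {value}" for kind, value in cert.get("subjectAltName", ()))
    if matches_certificate(cert, host):
        return True, f"{host} matches a SAN ({sans})"
    return False, f"{host} matches none of the SANs ({sans}); the client refuses to trust the server"


if __name__ == "__main__":
    for url in ("https://sketchdaily.club/graphql", "https://167.99.145.82/graphql"):
        print(url, "->", check_url(SITE_CERT, url)[1])
```

Modern browsers, like Python's ssl module with check_hostname enabled, ignore the commonName for this decision, so putting the IP into the CN would not help; only an IP Address SAN would, and the simpler fix is the one the answer gives first: point the client at the DNS name the certificate was issued for.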

Unable to access grafana from the browser due to failed loading of static files

I want to access grafana from my browser and make it available publicly. However, I am receiving the following error:
If you're seeing this Grafana has failed to load its application files
1. This could be caused by your reverse proxy settings.
2. If you host grafana under subpath make sure your grafana.ini root_url setting includes subpath
3. If you have a local dev build make sure you build frontend using: yarn start, yarn start:hot, or yarn build
4. Sometimes restarting grafana-server can help
I tried going through some issues and added the domain name in Grafana's settings. My NGINX is perfect and as per the documentation. In fact, everything was working well. The problem is in the anonymous session, i.e., if I try to load this in no-user mode, it doesn't load. In the logged-in mode, it loads but without all the dashboards that I had created.
My NGINX conf is as follows:
proxy_cache_path /var/nginx/cache levels=1:2 keys_zone=grafana_cache:10m max_size=20g inactive=60m use_temp_path=off;
server {
server_name foo.bar www.foo.bar;
location / {
proxy_cache grafana_cache;
proxy_pass http://127.0.0.1:3000;
include /etc/nginx/proxy_params;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/foo.bar/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/foo.bar/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.foo.bar) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = foo.bar) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name foo.bar www.foo.bar;
return 404; # managed by Certbot
}
I expect the grafana dashboard to be working with and without the user logging in.
I removed the hash_bucket_size set to 64 in my nginx.conf and got it working.

Status 502 in Nginx

I have configured Nginx on a CentOS 7 server. There I have 2 sites running. I installed the SSL certificate using Certbot and the process was executed with no errors. There I have 2 subdomains, x.mydomain.com and y.mydomain.com.
The sites that I am running correspond to applications that are running on their own ports, 9100 for one and 9200 for the second one, so I configured Nginx to redirect the petitions to the corresponding port. For example, the server block for the first application is:
server {
listen 80;
server_name x.mydomain.com;
access_log logs/mydomainX.log main;
location / {
proxy_pass http://127.0.0.1:9100;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/x.mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/x.mydomain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
So, if I open in the browser x.mydomain.com I get status code 502 from Nginx, however, if I open directly using the IP: xxx.xxx.xxx.xxx.xxx:9100 then I can see the site. So I must have something wrong in the Nginx configuration, what am I missing? Thanks
Status code 502 shows that nginx could connect to proxy upstream, so there is something wrong with upstream on 127.0.0.1:9100.
If requests to xxx.xxx.xxx.xxx.xxx:9100 are working fine, you could change your nginx configuration to something like this:
server {
listen 80;
server_name x.mydomain.com;
access_log logs/mydomainX.log main;
location / {
proxy_pass http://xxx.xxx.xxx.xxx.xxx:9100;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/x.mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/x.mydomain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
If you still want to use 127.0.0.1:9100 for proxy_pass, you should check your application; maybe it is not bound on 127.0.0.1.

https works for local IP address but not for local IP with application port

I have Mattermost installed on my server. Currently I can log in to it by browsing to http://192.168.x.x:8066. I've installed a self-signed certificate for this IP, but when I tried to browse to https://192.168.x.x:8065, it failed to redirect to the Mattermost page.
Below is the configuration of my nginx.conf:
server {
listen 443 http2 ssl;
listen [::]:443 http2 ssl;
listen 443;
server_name 192.168.3.201:8066;
ssl on;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
}
However, when I just browse the URL without port 8066 , it displays the default nginx page with no errors.
What's wrong with my nginx.conf file? I'm still new to nginx FYI.
Any suggestions will be very much appreciated.
I suggest you follow the example nginx configuration from the documentation here. Start with that config file, updating server_name to be the domain name you want mattermost to be reachable from, and server to be the IP address and port on which mattermost is listening.
Once you've got that working, you can continue through the instructions to #9 which covers setting up SSL.
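Several of the configs in this thread share the same handful of mistakes: a server block with no listen or server_name (the first question), server_name = host together with proxy_pass http://localhost (the connect() failed question), proxy_pass to 0.0.0.0 (the GraphQL question), HTTP and TLS listeners mixed in one server with an if ($scheme) redirect (the 502 question), and a port inside server_name plus the deprecated ssl on (the Mattermost question). The following Python script, added here and not taken from any of the posts, parses the small subset of nginx syntax those configs use and reports those patterns. The sample config it checks is constructed from the posted snippets, and the finding codes and messages are my own. It complements rather than replaces nginx -t, which checks syntax only and accepted the first poster's config without complaint.

```python
"""Tiny linter for the nginx mistakes seen in this thread (added example,
not code from any of the posts). It parses only the subset of nginx syntax
used in the posted configs: '#' comments, 'name args;' directives and
'name args { ... }' blocks. It does not replace `nginx -t`.
"""
import re
from urllib.parse import urlsplit

# Constructed sample stitched together from the posted snippets; the host
# names are the placeholders the posters used.
SAMPLE_CONF = """
server {
    if ($host = example.com){
        return 301 https://$host$request_uri;
    }
}
server {
    listen 80;
    server_name = www.mysite.com;   # '=' is not nginx syntax
    listen 443 ssl;                 # managed by Certbot
    location / {
        proxy_pass http://localhost:8000;
    }
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 http2 ssl;
    listen 443;
    server_name 192.168.3.201:8066;
    ssl on;
    location / { proxy_pass http://0.0.0.0:4020; }
}
"""


def parse(text):
    """Return a list of (name, args, children); children is None for a plain directive."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', re.sub(r'#[^\n]*', '', text))

    def block(i):
        items = []
        while i < len(tokens) and tokens[i] != '}':
            name, args, i = tokens[i], [], i + 1
            while i < len(tokens) and tokens[i] not in ('{', ';', '}'):
                args.append(tokens[i].strip('"'))
                i += 1
            if i < len(tokens) and tokens[i] == '{':
                children, i = block(i + 1)
                items.append((name, args, children))
            else:
                items.append((name, args, None))
                if i < len(tokens) and tokens[i] == ';':
                    i += 1
        return items, i + 1  # step over the closing '}'

    return block(0)[0]


def _walk(items):
    """Yield (name, args) for every directive, descending into nested blocks."""
    for name, args, children in items:
        yield name, args
        if children:
            yield from _walk(children)


def lint_server(items):
    """Return (code, message) findings for the directives of one server block."""
    out = []
    top = [(n, a) for n, a, _ in items]
    listens = [a for n, a in top if n == 'listen']
    names = [a for n, a in top if n == 'server_name']
    ports = [a[0].rsplit(':', 1)[-1] for a in listens if a]  # '[::]:443' -> '443'
    if not listens:
        out.append(('NO_LISTEN', 'no listen: nginx defaults it to *:80, so it competes with the real port-80 server'))
    if not names:
        out.append(('NO_SERVER_NAME', 'no server_name: the block is reachable only as the default server for its address'))
    if '80' in ports and '443' in ports:
        out.append(('MIXED_PORTS', 'plain HTTP and TLS share one server, so the redirect hinges on an if ($scheme) test; a separate port-80 server with return 301 is simpler'))
    if any(a and a[0].rsplit(':', 1)[-1] == '443' and 'ssl' not in a for a in listens):
        out.append(('PLAIN_443', 'listen on 443 without ssl: TLS handshakes arriving there are read as malformed HTTP'))
    for a in names:
        if a and a[0] == '=':
            out.append(('SERVER_NAME_EQ', "server_name = host: nginx takes '=' as one more server name, it is not an assignment"))
        for n in a:
            if ':' in n:
                out.append(('SERVER_NAME_PORT', f"server_name '{n}' carries a port; names are matched without the port, so it never matches"))
    if ('ssl', ['on']) in top:
        out.append(('SSL_ON', "'ssl on' is deprecated; use the ssl parameter of listen"))
    for n, a in _walk(items):
        if n == 'proxy_pass' and a:
            host = urlsplit(a[0]).hostname
            if host == 'localhost':
                out.append(('PROXY_LOCALHOST', 'proxy_pass to localhost: it may resolve to ::1 first, giving "connect() failed (111)" when the app binds 127.0.0.1 only; write 127.0.0.1'))
            elif host == '0.0.0.0':
                out.append(('PROXY_ANY_ADDR', 'proxy_pass to 0.0.0.0: that is a wildcard bind address, not a destination; write 127.0.0.1'))
    return out


def lint(text):
    """Lint every top-level server block; returns (server_index, code, message) tuples."""
    return [(i, code, msg)
            for i, (name, _, children) in enumerate(parse(text)) if name == 'server'
            for code, msg in lint_server(children or [])]


if __name__ == '__main__':
    for idx, code, msg in lint(SAMPLE_CONF):
        print(f'server #{idx} {code}: {msg}')
```

Run it against your own site file (lint(open('/etc/nginx/sites-enabled/mysite').read())) before nginx -t; the two tools catch different things, since nginx -t stops at syntax and the patterns above are all syntactically valid.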
