I have trying to add proxy_set_header in my nginx.conf file. When I try to add proxy_pass and invoke the URL it throws 502 Bad Gateway nginx/1.11.1 error.
Not sure how to resolve this error:
upstream app-server {
# connect to this socket
server unix:///tmp/alpasso-wsgi.sock; # for a file socket
}
server {
server_name <name>;
listen 80 default_server;
# Redirect http to https
rewrite ^(.*) https://$host$1 permanent;
}
server {
server_name <name>;
listen 443 ssl default_server;
recursive_error_pages on;
location /azure{
proxy_pass http://app-server;
}
ssl on;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
ssl_client_certificate /etc/nginx/server.crt;
ssl_verify_client optional;
}
Had similar problem with proxy_pass, if your Linux server is using SELINUX then you may want to try this.
$ setsebool -P httpd_can_network_connect true
Refer to Warren's answer: https://unix.stackexchange.com/questions/196907/proxy-nginx-shows-a-bad-gateway-error
502 is sent when your upstream is not reachable.
Try to switch on error log and you might see failed to connect to upstream,
for this you need to check whether your upstream server is running or not, sudo service upstream status, and try to switch that on.
Nginx proxy with unix socket troubleshooting:
Check nginx conf:
nginx -t
Check socket:
netstat --protocol=unix -nlp | grep alpasso-wsgi.socket
Check is app working:
curl --unix-socket /tmp/alpasso-wsgi.sock http:/your-path-on-app
(Must be html code on screen output)
If not, check your app. If yes:
Check nginx error log
sudo tail -f /var/log/nginx/error.log
In case you get a nginx permissions error, check nginx user rights for socket:
Determine which username nginx use:
ps aux | grep nginx
And, for example, if nginx user is www-data, give to www-data user required rights. Add www-data user to required group:
sudo usermod -a -G your-socket-file-group www-data
and check permissions of a socket file,
or use ACL:
sudo setfacl -R -m u:www-data:rwX /path-to-your-unix-socket
sudo setfacl -Rd -m u:www-data:rwX /path-to-your-unix-socket
Im my opinion, ACL is better for security. Because you give rights to nginx only to one file, not for all files which belongs to group.
Related
I am trying to generate an ssl certificate on an AWS EC2 nano machine configured with a NGINX server.
My NGINX configuration file is as follows:
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
server_name my_server_name.com;
}
When I check my Nginx configuration with the following command :
nginx -t
this error is returned:
nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /etc/nginx/sites-enabled/default:22 nginx: configuration file /etc/nginx/nginx.conf test failed
Of course, when I try to go further in generating the SSL certificate with the following command:
certbot certonly --dry-run
the following error is returned:
Error while running nginx -c /etc/nginx/nginx.conf -t.
What changes/commands do I need to make to generate the SSL certificate ?
I have modified my Nginx configuration file in a thousand ways, without success.
Assuming you have installed NGINX correctly on your machine, for Certbot to take into account your configuration, you must first move (or delete) the default one located here:
/etc/nginx/sites-enabled/
for this, you will need these 2 commands:
cd /etc/nginx/sites-enabled/
rm default
Once these 2 commands are done, you have to switch off the NGINX server to generate the SSL certificate, using this command:
service nginx stop
Now you can restart your command and generate the SSL certificate with :
certbot certonly
I'm using 'Oracle Cloud'.
I created a VM(Computer instance) on Oracle Cloud with CentOS 8. And I installed NginX, and it works well when I test it with 'http://mydeal.servername.com'.
To make NginX service with HTTPS, I also installed certbot(Let's Encrypt) and created certificate, using the following command.
sudo certbot --standalone -d mydeal.servername.com certonly
Result files were like below.
Cert : /etc/letsencrypt/live/mydeal.servername.com/fullchain.pem;
Key : /etc/letsencrypt/live/mydeal.servername.com/privkey.pem;
I added http and https to firewall service list like below.
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
And I created test index.html like below.
sudo -i
mkdir /var/www
mkdir /var/www/mydeal
echo "MyDeal at Oracle Cloud" > /var/www/mydeal/index.html
And I created https settings, including http redirection, in /etc/nginx/conf.d/my.conf file.
server {
listen 80;
server_name my.servername.com;
location / {
root /var/www/mydeal;
index index.html;
try_files $uri /index.html;
}
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mydeal.servername.com;
ssl_certificate /etc/letsencrypt/live/mydeal.servername.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydeal.servername.com/privkey.pem;
location / {
root /var/www/mydeal;
index index.html;
try_files $uri /index.html;
}
}
Finally, when I start nginx server with the following command, it works well.
sudo -i
sudo nginx
But, when I start nginx server with the following command, it gives error "500 Internal Server Error" on the browser screen.
sudo systemctl enable nginx
sudo systemctl start nginx
I can not find any differences b/w 2 start procedures.
How I can debug this problem?
I've search a bunch of questions to set the correct configuration for nginx SSL, but my EC2 website isn't online. Actually when It was only HTTP protocol (80) it was working fine.
Steps I made
1 - Set security group for ec2 opening traffic for all ipv4 to access 443 and 80 (ok)
2 - Set /etc/nginx/sites-avaiable and /etc/nginx/sites-eneabled for only HTTP access, that was working fine (ok)
3 - Now started SSL process, creating crypto keys sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/nginx-selfsigned.key -out /etc/nginx/nginx-selfsigned.crt (ok)
4 - Now I modified 'default' file for both /etc/nginx/sites-avaiable and /etc/nginx/sites-eneabled to apply SSL on my website (???)
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name ec2-23-22-52-143.compute-1.amazonaws.com www.ec2-23-22-52-143.compute-1.amazonaws.com;
#Importing ssl
ssl_certificate /etc/nginx/nginx-selfsigned.crt;
ssl_certicate_key /etc/nginx/nginx-selfsigned.key;
# front-end
location / {
root /var/www/html;
try_files $uri /index.html;
}
# node api
location /api/ {
proxy_pass http://localhost:3000/;
}
}
server {
listen 80;
listen [::]:80;
server_name ec2-23-22-52-143.compute-1.amazonaws.com www.ec2-23-22-52-143.compute-1.amazonaws.com;
return 301 https://$server_name$request_uri;
}
5 - Tested configuration sudo nginx -t and it's a ok configuration (ok)
6 - Restarted nginx sudo systemctl restart nginx (ok)
7 - Tested if the necessary ports are being listening sudo netstat -plant | grep 80 sudo netstat -plant | grep 443 and both are being listening (ok)
8 - I should work everything looks great, so I tried to enter to website and for my surprise it's offline with error "ERR_CONNECTION_CLOSED"
https://ec2-23-22-52-143.compute-1.amazonaws.com/
9 - The unique thing that rest to check is the nginx error logs at /var/log/nginx/ , and there are this ERROR related to SSL
2022/04/07 19:24:25 [crit] 2453#2453: *77 SSL_do_handshake() failed (SSL: error:14201044:SSL routines:tls_choose_sigalg:internal error) while SSL handshaking, client: 45.56.107.29, server: 0.0.0.0:443
Conclusion
I don't why SSL_do_handshake() failed what I can do to fix this issue, anyone has a guess to solve this problem. Thanks a lot for stackoverflow comunnity you are great !!!
My aqueduct server is working on ubuntu 18.04 (http://127.0.0.1:8888). I install nginx from nginx.org. Currently I don't use any block for my aqueduct on nginx. I modified default config such as I add my domain name into it. And separately both my aqueduct server and nginx server is working.
My problem is that how to configure my nginx so I can use reverse proxy option so I don't connect to my aqueduct server directly. Any help please?
PS. I use fake domain and ip to show my config settings.
my nginx config is:
# Default server configuration
# My domain (mobile.niyazitoros.com) ip: 5.5.5.5 // TEST IP
# ------ http://mobile.niyazitoros.com and http://5.5.5.5 is working.
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name mobile.niyazitoros.com;
# root /var/www/example.com;
# index index.html;
location / {
# My aqueduct server works on 127.0.0.1:8888
proxy_pass http://127.0.0.1:8888/;
}
}
Ok. I found it. to I use default.conf in sites-available and sites-enabled. this was wrong place to modify default.conf. Correct path is modify default.conf in conf.d dir.
1) install nginx
2) run:
nginx -v
(nginx version: nginx/1.15.5)
3) sudo nano /etc/nginx/conf.d/default.conf
server {
listen 80;
listen [::]:80;
error_log /var/log/nginx/your_domain_name.error.log debug;
rewrite_log on;
server_name your_domain_name;
location / {
proxy_pass http://127.0.0.1:8888/;
}
}
4) sudo systemctl reload nginx
5) sudo systemctl restart nginx
6) sudo nginx -t
7) curl http://your_domain_name/
In order to monitor my docker containers, I've decided to expose docker remote API through nginx by the following rule:
server {
listen 1234;
server_name xxx.xxx.xxx.xxx;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://unix:/var/run/docker.sock;
}
}
But in the nginx.error file, I get the following error:
connect() to unix:/var/run/docker.sock failed (13: Permission denied
The reason is that docker.sock is under the ownership of docker group while nginx is running in www-data group.
What is the best way to solve this problem?
The reason is that docker.sock is under the ownership of docker group
while nginx is running in www-data group.
What is the best way to solve this problem?
For this issue you can add user under which nginx running to docker group.
usermod -a -G www-data,docker user
You can open the http socket in the daemon by adding the following text to the ExecStart in the daemon config file:
-H <ip address>:2375
You can find the location of the configuration file in the output of the command:
systemctl status docker
You can set permission for docker socket:
sudo chmod a+r /var/run/docker.sock