NGINX not responding - nginx

I have three sites configured on my server using NGINX and the first two are working fine. One is a static site and one is running Rails (using Unicorn). I have attempted to mirror the NGINX/Unicorn configurations.
For the non-working site, I get "problem loading site" in my browser and absolutely nothing in my NGINX error logs (even at debug level) or my Unicorn log. I also get nothing when I attempt to cURL to the site.
I have double checked DNS by pinging domain name and am running out of ideas. I've also tried making this the default server and browsing by IP address.
Thoughts on how I should go about debugging? I would like to at least understand if NGINX is seeing these requests or not.
NGINX configuration:
upstream unicorn-signup {
    server unix:/home/signup/app/tmp/sockets/unicorn.sock;
}
server {
    listen 80;
    listen [::]:80;
    root /home/signup/app/current/public;
    server_name signup.quote2bill.com;
    # configure for Unicorn (NGINX acts as reverse proxy)
    location / {
        try_files $uri @unicorn;
    }
    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded_Proto $scheme;
        proxy_redirect off;
        proxy_pass http://unicorn-signup;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }
}

Fixed! It was the dreaded force_ssl flag in my production configuration. For future travelers, here is how I went about troubleshooting:
1. Went on a Costco run to clear my mind and buy huge quantities of stuff.
2. To determine if it was a DNS, NGINX or Unicorn/Rails problem, I replaced my NGINX configuration with a very simple one and placed a simple index.html in my public root. This worked fine - which lets DNS off the hook (I could resolve the domain name at the web server).
3. I diff'd the working and non-working NGINX configuration files for the nth time and made them as close as possible but didn't find anything.
4. Then I noticed that when I was serving the simple index.html file in #2 above, the domain was not getting redirected to https:// but when switched to my "normal" Unicorn/Rails version, I was always getting redirected.
5. I searched for Rails redirecting to SSL and remembered the force_ssl flag.
6. I checked my two projects and noticed the flag was not set in the working project, but set in the non-working one (smoking gun).
7. I changed, committed, redeployed and reloaded the browser and it... didn't work (!) Fortunately, I had the good sense to clear browser cache and try again and it is all good now.
Hope this helps someone.

Related

DO Spaces [or S3] + Nginx with subdomain

All, I'm running into issues proxying a subdomain to a DO space (suspect that AWS/S3 would act the same way); in this case, trying to serve logos off the bucket, with the requested URL being logos.mysite.com/dev/logo1. Nginx should proxy_pass this to https://mybucket.dospace.com/logos/dev/logo1.png (and it will always be .png).
NGINX setup is currently:
server {
    server_name logos.mysite.com;
    location / {
        set $bucket "mybucket.dospace.com";
        proxy_pass https://$bucket/logos$request_uri.png;
        proxy_set_header Host $host;
        # ... other proxy_set/hide settings ...
    }
}
Above is simplest version of many rewrite/return/regex location attempts, but nothing works. In the example above (using chrome), a redirect to https://mybucket.dospace.com/dev/logo1.png occurs, which is missing /logos in the path. Moreover, I don't want chrome to redirect at all - it's more convenient for the user to see the original request from logos.mysite.com (if that's possible).
Was anyone able to execute on a similar setup?

Nginx warning "conflicting server name <domain_name> on 0.0.0.0:80, ignored"

I have looked across several forums and StackOverflow questions but I'm truly at a loss here as to why this is not working.
I was running a Ghost.org blog on a Digital Ocean droplet and had configured it according to this tutorial. I took a snapshot and destroyed the droplet a week ago. Everything is working fine at this moment.
Today, I created a fresh droplet with the same snapshot. Since the IP was different, I modified the domain settings accordingly and it was reflected on my computer as well.
Then I try to access the website but the connection times out. Even after an hour or so, it times out, so I figured it's not DNS propagation at fault. A simple check on whatsmydns.net also confirms this is not the issue.
Upon further investigation, I find that /var/log/nginx/error.log has the following line in it - the only one for today's date:
2016/05/29 16:32:10 [warn] 988#0: conflicting server name "foobar.com.tld" on 0.0.0.0:80, ignored
I have checked the two configs I know could conflict - nginx.conf and sites-enabled/ghost (symlink to sites-available/ghost) for any conflicts - and I can't seem to find any.
I am not very comfortable with nginx - this is really my first exposure to it, but I've been banging my head for over 2.5 hours now and would really appreciate some help.
nginx.conf: http://pastebin.com/YUhBZVhX
sites-enabled/ghost: http://pastebin.com/3cdZgTG3
www/ghost/config.js: http://pastebin.com/iunffMzN
Edit: /etc/nginx/conf.d/ folder is empty, so there isn't a conflict there.
Edit 2: The simplest config:
server {
    listen 80;
    server_name foobar.com;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
    }
}
doesn't seem to work either. I did restart the nginx service after making this change and also modified Ghost's config.js accordingly and restarted its service.
Edit 3: There are no hidden or backup files in the sites-enabled folder.
Once you've confirmed that foobar.com isn't used in server_name anywhere else in your Nginx configs, look for $hostname or other Nginx variable, whose value might match your server_name:
Alphabetical index of Nginx variables
Example:
server {
    server_name localhost $hostname;
    listen 80;
    access_log off;
}
Got me puzzled there for a while.

Set up a Ghost blog at /blog on Meteor

I am not sure if this is possible but there is a way to host a Ghost blog at a subfolder instead of a subdomain https://www.allaboutghost.com/how-to-install-ghost-in-a-subdirectory/
I have set up everything on that end the way it says and now the only thing that is needed is to exclude /blog from the FlowRouter.notFound function. Is there a way to do that or set up the route to listen to nginx?
// EDIT
Here's the nginx config
server {
    listen 80;
    server_name localhost;
    location ^~ /blog {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:2368;
        proxy_redirect off;
    }
}
here's ghost config
config = {
    // ### Production
    // When running Ghost in the wild, use the production environment.
    // Configure your URL and mail settings here
    production: {
        url: 'https://www.raiseyourflag.com/blog',
        //everything else
    }
}
There are two separate issues here.
Setting up Ghost to be served from a subdirectory through Nginx. The tutorial you linked to covers exactly that.
Integrating the blog with a second site based on Meteor.
It's not clear if you've completed the first step or not, so let's make sure that's taken care of first:
# Make sure your config.js for Ghost includes /blog in the url key in the development section: 'http://127.0.0.1:2368/blog'
# Start Ghost in the development environment: NODE_ENV=development node index.js
# Check that something is actually running on port 2368: sudo netstat -plnt | grep ':2368'
# Go here in your browser, you should see your Ghost blog and be able to browse it: http://127.0.0.1:2368/blog
If you have gotten that far, your Ghost blog is working and you are ready to access it through Nginx on port 80. To simplify the problem for this step, move any Meteor code out of the way temporarily so this can be verified.
Your Nginx configuration looks good. Just reload Nginx once more for good measure, and then check this URL in your browser now:
http://127.0.0.1/blog
Now you should see your Ghost blog again, but now accessed through Nginx and proxied to the other port.
Once you've confirmed that step is working, put the Meteor frontend code back in place. From the perspective of any frontend code, /blog is just like any URL handled by the web server.
If you go to /blog and see a NotFound page served by Meteor, that means that the client-side Meteor framework must have loaded from somewhere, presumably /index.html. In this case, there's a problem with the Nginx configuration. Perhaps there is more to it than what you have posted?

docker-registry nginx rest api

I am trying to build a docker-registry server from source (not as a container) on Ubuntu 14.04.1. I was able to get most of the way there using the instructions found on digitalocean.
I am able to curl http://localhost:5000 and https://user:password@localhost:8000 with no problems.
When I try to open a web browser to see hopefully more than just that, that is when the issues seem to happen.
Here is my docker-registry file in /etc/nginx/sites-available/:
# For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary
upstream docker-registry {
    server 192.168.x.x:5000;
}
server {
    listen 8000;
    server_name docker-registry;
    ssl on;
    ssl_certificate /etc/nginx/ssl/docker-registry.crt;
    ssl_certificate_key /etc/nginx/ssl/docker-registry.key;
    proxy_set_header Host $http_host; # required for Docker client sake
    proxy_set_header X-Real-IP $remote_addr; # pass on real client IP
    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
    # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
    chunked_transfer_encoding on;
    location / {
        # let Nginx know about our auth file
        auth_basic "Restricted";
        auth_basic_user_file docker-registry.htpasswd;
        proxy_pass http://docker-registry;
    }
    location /_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
    location /v1/_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
}
I have my docker registry stored locally in /var/docker-registry and ensured that it was readable by the www-data user. Why can I not see my images on the web browser?
If I tag an image and push it to my repository it works, I can see it in the web browser:
https://192.168.x.x:8000/v1/repositories/ubuntu-test/tags/latest
I see the following:
"5ba9dab47459d81c0037ca3836a368a4f8ce5050505ce89720e1fb8839ea048a"
When I try to get to:
https://192.168.x.x:8000/v1
Or:
https://192.168.x.x:8000/v1/repositories
Or:
https://192.168.x.x:8000/v1/images
I get a "not found" error
How would I be able to see everything in my /var/docker-registry folder (which is where these are stored....and yes, they are owned by the www-data user) through the web interface?
This is by design. Not only is there no reason one would implement the entire url path, but there are severe security implications with implementing it.
I'm assuming you don't have much experience with web programming. There is no directory '/v1/repositories'... etc. Instead, there is a program (in this case either Python or Ruby) that is listening for the url path and has logic built-in to determine what to do.
i.e. if url = /v1/_ping: return 'ok'

Server behind nginx reverse proxy ignores relative path in URL

My title isn't the best, my knowledge of webstuff is quite basic, sorry.
What I want to achieve
I have one box fanbox running nginx on Archlinux that I use as main entry point to my home LAN from the internet (namely work where I can only get out to port 80 and 443) via the reverse proxy facility using a changing domain name over which I have no control and that we will call home.net for now.
fanbox has its ports 80 and 443 mapped to home.net, that part was easy.
I have 2 webservers behind the firewall, web1.lan, web2.lan, web2ilo.lan. Both of these have various applications (which may have same name on different machines) that can directly be accessed on the LAN via standard URLs (the names are given as examples, I have no control over the content):
http://web1.lan/phpAdmin/
http://web1.lan/gallery/
http://web2.lan/phpAdmin/
http://web2.lan/dlna/
...and so on...
Now web2ilo.lan is a particular case. It's the out of band management web interface of the HP server web2.lan. That particular webserver offers only 1 application, so it can only be accessed via its root URL:
http://web2ilo/login.html
My goal is to access these via subpath of home.net like this:
http://home.net/web1/phpAdmin/
http://home.net/web1/gallery/
http://home.net/web2/phpAdmin/
http://home.net/web2/dlna/
http://home.net/web2ilo/login.html
My problem
That nearly works but the web applications tend to rewrite URLs so that after I login to, respectively:
http://home.net/web1/phpAdmin/login.php
http://home.net/web2ilo/login.html
the browser is redirected respectively to
http://home.net/phpAdmin/index.php
http://home.net/index.html
Note that the relative subpaths web1 and web2ilo have gone, which logically gives me a 404.
My config
So far, I've searched a lot and I tried many options in nginx without understanding too much what I was doing. Here is my config that reproduces this problem. I've left SSL out for clarity.
server {
    listen 443 ssl;
    server_name localhost;
    # SSL stuff left out for clarity
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    location /web1/ {
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_pass https://web1.lan/;
    }
    location /web2/ {
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_pass https://web2.lan/;
    }
    location /web2ilo/ {
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_pass https://web2ilo.lan/;
    }
}
After first answers
After the first couple of answers (thanks!), I realise that my setup is far from common and that I may be heading for trouble all alone.
What would then be a better idea to access the webserver behind the firewall without touching frontend ports and domain/hostname ?
You may wish to consider the use of setting proxy_redirect to let nginx know that it should modify the "backend" server response headers (Location and Refresh) to the appropriate front-end URLs. You can either use the default setting to allow nginx to calculate the appropriate values from your location and proxy_pass directives, or explicitly specify the mappings like below:
proxy_redirect http://web1.lan/ /web1/;
See: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect
Note: This only affects response headers - not any links in HTML content, or any Javascript.
If you experience problems with links in content or Javascript, you can either modify the content on the backend servers (which you've indicated may not be possible), or adjust your proxy solution such that front end paths are the same as the back end ones (e.g., rather than http://frontend/web1/phpAdmin you simply have http://frontend/phpAdmin). This would entail adding location directives for each application, e.g.,
location /phpAdmin/ {
    proxy_set_header Host $host;
    proxy_redirect off;
    proxy_pass https://web1.lan/phpAdmin/;
}
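The redirect rewriting described in the answer above, applied to the question's /web1/ and /web2ilo/ locations (an added example, not part of the original answer or the asker's configuration). It assumes the Host override is dropped so that the backends issue redirects on their own hostnames; the proxy_cookie_path lines and the path-only mapping are assumptions about how the applications behave.

```nginx
# Added example built from the hostnames in the question.
# TLS directives are omitted, as in the question's own config.
server {
    listen 443 ssl;
    server_name localhost;

    location /web1/ {
        # No "proxy_set_header Host $host;" here. nginx then sends its
        # default Host header ($proxy_host, i.e. web1.lan), so the backend
        # builds absolute redirects such as
        #   Location: https://web1.lan/phpAdmin/index.php
        proxy_pass https://web1.lan/;

        # "default" is computed from location + proxy_pass and is
        # equivalent to:  proxy_redirect https://web1.lan/ /web1/;
        # It rewrites Location and Refresh response headers only, and it
        # keeps the internal hostname out of responses sent to the client.
        proxy_redirect default;

        # Assumption: the application sets cookies with Path=/.
        # Rescope them so the browser returns them only under /web1/
        # and web1 and web2 sessions do not overwrite each other.
        proxy_cookie_path / /web1/;
    }

    location /web2ilo/ {
        proxy_pass https://web2ilo.lan/;
        proxy_redirect default;

        # Assumption: the management interface also sends path-only
        # redirects such as "Location: /index.html". The first matching
        # proxy_redirect rule wins, so this one applies only when the
        # default rule above did not match.
        proxy_redirect / /web2ilo/;

        proxy_cookie_path / /web2ilo/;
    }
}
```

After reloading, `curl -skI https://home.net/web1/phpAdmin/login.php` should show a Location header that starts with /web1/ whenever the backend redirects.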
Here is a tested example.
In my docker-compose.yml I use the demo image whoami to test:
  whoareyou:
    image: "containous/whoami"
    restart: unless-stopped
    networks:
      - default
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoareyou.rule=Path(`/whoareyou`)"
      - "traefik.http.routers.whoareyou.entrypoints=web"
      - "traefik.http.routers.whoareyou.middlewares=https-redirect@file"
      - "traefik.http.routers.whoareyou-secure.rule=Path(`/whoareyou`)"
      - "traefik.http.routers.whoareyou-secure.entrypoints=web-secure"
      - "traefik.http.routers.whoareyou-secure.tls=true"
In my config.yaml I have my https redirect:
http:
  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https
I did not find an answer to my question and decided to try a different approach:
I now have containerized most of my servers
I use Traefik (https://containo.us/traefik/) as my "fanbox" (= reverse proxy) as it covers my needs but also solves in a quite easy fashion the SSL certificates stuff.
Thanks all for your suggestions.
