Can't connect to website with LetsEncrypt certificate - nginx - django

I'd like to add an SSL certificate to my Django app. I followed a tutorial, so the nginx config for the domain was changed, but now it looks like the generated certificate is incorrect.
nginx conf before certbot modifications:
server {
listen 80;
listen [::]:80;
server_name doamin.com www.domain.com;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/poul3r/doamin.com;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
}
and after certbot action
server {
server_name doamin.com www.doamin.com;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/poul3r/doamin.com;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/doamin.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/doamin.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = doamin.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name doamin.com www.doamin.com;
return 404; # managed by Certbot
}
What am I doing wrong, or what could have gone wrong during the Let's Encrypt implementation?

I've already found a solution for this problem. Based on info from the solution, I realized there is one more app on nginx that does not have SSL certification but redirects to 443. When I changed its config to listen only on 80, the first domain works correctly.

Related

WebSocket connection to 'wss://...' failed: (Django + Gunicorn + Nginx + Daphne)

I'm getting an error while connecting the websocket.
I have read similar Q&As on Stack Overflow, but it is still not working for me. I've been trying all sorts of ways for days but still can't make the connection. This is my mistake
The server I use is: Django + Gunicorn + Nginx + Daphne
Browser error
WebSocket connection to 'wss://mydomain/ws/some_url/' failed:
Below is my config on the server
Nginx config:
server {
server_name ****** mydomain www.mydomain;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
alias /home/django/magi/src/staticfiles/;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
location /ws/ {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_pass http://127.0.0.1:8001;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mydomain/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mydomain/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.mydomain) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host =mydomain) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name ****** mydomain www.mydomain;
listen 80;
return 404; # managed by Certbot
}
If you need to check any files, please comment below so I can add them!
Thank you very much
This issue is probably because you haven't added an upstream block in the Nginx configuration which will allow your WebSocket requests to get redirected on port 8001.
Your Nginx config should be like below:
upstream channels-backend {
server localhost:8001;
}
server {
server_name ****** mydomain www.mydomain;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
alias /home/django/magi/src/staticfiles/;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
location /ws/ {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_pass http://127.0.0.1:8001;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mydomain/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mydomain/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.mydomain) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host =mydomain) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name ****** mydomain www.mydomain;
listen 80;
return 404; # managed by Certbot
}
Also, try to first remove the SSL configuration for HTTPS and WSS you did by using Certbot and make sure everything is working under HTTP and WS.
If it is still not working on WSS even after adding the upstream block, check for redirect config added by Certbot, try to remove them, and test it.
server {
if ($host = www.mydomain) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host =mydomain) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name ****** mydomain www.mydomain;
listen 80;
return 404; # managed by Certbot
}

How to use self-signed and LetsEncrypt Certbot SSL certificates together in nginx?

I am hosting a Django website on DigitalOcean. I wish to access my website's IP using https with a self-signed cert, as Let's Encrypt does not provide certificates for public IP addresses. I followed this guide and wrote an nginx server block. I can access https://example-ip-address with:
server {
listen 443 ssl;
listen [::]:443 ssl;
include /etc/nginx/snippets/self-signed.conf;
include /etc/nginx/snippets/ssl-params.conf;
server_name 123.123.12.123;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/user/djangotemplates;
}
location / {
include /etc/nginx/proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
}
server {
listen 80;
listen [::]:80;
server_name 123.123.12.123;
return 301 https://$server_name$request_uri;
}
And, I can access https://example.com and https://www.example.com with let's encrypt SSL cert by following this and this is the server block I wrote:
server {
server_name www.example.com example.com;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/user/djangotemplates;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name www.example.com example.com;
return 404; # managed by Certbot
}
The problem here is when I put both server blocks into one single configuration file and access https://example-ip-address, the connection is then not encrypted. However, it works fine for https://example.com and https://www.example.com. Any idea what went wrong here?
I just started my django website live on digital ocean - and I received an error email 'Invalid HTTP_HOST header: '123.123.12.123'. You may need to add '123.123.12.123' to ALLOWED_HOSTS.' So, I added the ip address in the ALLOWED_HOSTS. And I think it's safer to visit the ip address with https.
I suggest you use certbot instead of a self-signed certificate
https://certbot.eff.org

Accessing via www. will show Nginx welcome page [+ Gunicorn + Django]

Nginx + Ubuntu 18.04 + Django 2.2.10
Accessing directly via "www.examples.com" will show nginx welcome page, but accessing anything else--"examples.com", "https://examples.com", "https://www.examples.com"--will work as expected.
On DigitalOcean, I have two A-type records [www.examples.com, examples.com] directing to the IP address--I believe they are correctly set up.
On my Django project, I have ALLOWED_HOSTS = ['localhost', 'examples.com', '137.68.49.136', 'www.examples.com'] set.
Here is my /etc/nginx/sites-available/project:
server {
server_name examples.com www.examples.com;
charset UTF-8;
error_log /home/jay/eco/nginx-error.log;
location = /favicon.ico { access_log off; log_not_found off; }
location /static {
alias /home/jay/eco/static;
}
location /media/ {
alias /home/jay/eco/media/;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/examples.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/examples.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = examples.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name examples.com;
return 404; # managed by Certbot
}
I believed this was everything but apparently not. What am I missing?
You have two server blocks, the first processes requests using the https protocol and the second processes requests using the http protocol. There is also a default server block in some other file, which responds with the Nginx welcome page.
The second server block in your question only processes requests for http://example.com. You need to add www.example.com to the server_name directive, and update the logic so that both domain names are redirected to the https service.
For example:
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
See this document for details.

django - nginx - "ERR: TOO MANY REDIRECTS"

I'm having an issue with my nginx configuration.
I receive the error ERR: TOO MANY REDIRECTS
If I change the var SECURE_SSL_REDIRECT = True to False the error goes away, but I believe this is causing an issue with my channels setup: my websockets are unable to complete the handshake.
I found this link which I think is my problem but I don't know how to fix it.
I tried changing proxy_pass http://unix... to https://unix... which causes the redirects to stop but the page won't load.
server {
server_name myproject.com;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
alias /home/xx/myproject/static/;
}
location /static/admin/ {
alias /home/xx/myproject/static/admin/;
}
location /media/ {
alias /home/xx/myproject/media/;
}
location / {
include proxy_params;
proxy_pass http://unix:/home/xx/myproject/myproject.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/myproject.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/myproject.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = myproject.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name myproject.com;
return 404; # managed by Certbot
}

"Invalid HTTP_HOST header" from unknown domain

I am using Nginx and Gunicorn to host a Django project. I need to secure this site, and as a test I set up Let's encrypt to an unused domain of mine. While tailing the Django access log, I noticed the following entry from time to time:
Invalid HTTP_HOST header: 'aydinfatih.com'. You may need to add u'aydinfatih.com' to ALLOWED_HOSTS.
This is an unknown domain to me, and while trying to access the domain (it got a 400 response), I could see more of these log entries on my server. What is this? Is it related to my SSL setup, and an indication that it's not secure?
server {
server_name example.com example.com;
location /static/ {
root /home/user/project/django-project;
}
location /media/ {
root /home/user/project/django-project;
}
location / {
include proxy_params;
proxy_pass http://unix:/home/user/project/project.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
listen 80;
server_name my.server.ip.here example.com;
return 301 https://example.com;
}
I added the following to my server block:
if ($host !~* ^(example.com|www.example.com)$ ) {
return 444;
}
The unknown domain now displays 520. Is this the correct way to deal with this? Something else I've missed?
I misread your question. Here's a new answer.
Someone configs their DNS record to point their domain name to your server IP. Adding hostname checking certainly helps, but normally we use a default "catch all" server block to handle all unwanted requests:
# "Catch all" server
server {
server_name _;
return 444;
}
# Your site settings
server {
server_name example.com example.com;
location /static/ {
root /home/user/project/django-project;
}
location /media/ {
root /home/user/project/django-project;
}
location / {
include proxy_params;
proxy_pass http://unix:/home/user/project/project.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
listen 80;
server_name my.server.ip.here example.com;
return 301 https://example.com;
}
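
An added example, not part of any post above: a small Python model of how nginx chooses a server block, applied to a constructed config. It shows why `www.examples.com` on port 80 lands on the welcome page and why an unknown `Host` on 443 reaches the Django site unless an explicit default exists for that port. Assumptions: only ports and exact `server_name` matches are modelled (no per-address sockets, wildcards or regex names), and `parse`, `select`, `SAMPLE_CONF` and `CATCH_ALL` are names invented here.

```python
import re
# Constructed config modelled on the questions above; every name is a placeholder.
SAMPLE_CONF = """
server { listen 80 default_server; server_name _; root /var/www/html; }  # welcome page
server {
    server_name examples.com www.examples.com;
    location / { proxy_pass http://unix:/run/gunicorn.sock; }
    listen 443 ssl; # managed by Certbot
}
server {
    if ($host = examples.com) { return 301 https://$host$request_uri; }
    listen 80;
    server_name examples.com;
}
"""
CATCH_ALL = "server { listen 443 ssl default_server; ssl_reject_handshake on; }"  # hardening

def parse(conf):
    """Return [{'names': [...], 'listens': [(port, is_default), ...]}] per server block."""
    conf = re.sub(r"#[^\n]*", "", conf)            # drop comments
    servers, depth, start = [], 0, None
    for m in re.finditer(r"[{}]", conf):
        if m.group() == "{":
            if depth == 0 and re.search(r"\bserver\s*$", conf[:m.start()]):
                start = m.end()
            depth += 1
            continue
        depth -= 1
        if depth or start is None:
            continue
        body, start = conf[start:m.start()], None
        while re.search(r"\{[^{}]*\}", body):      # hide location/if bodies
            body = re.sub(r"\{[^{}]*\}", ";", body)
        names, listens = [], []
        for words in (s.split() for s in body.split(";")):
            if words[:1] == ["server_name"]:
                names += [w.lower() for w in words[1:]]
            elif words[:1] == ["listen"]:
                tail = words[1].rsplit(":", 1)[-1]
                listens.append((int(tail) if tail.isdigit() else 80, "default_server" in words))
        servers.append({"names": names, "listens": listens or [(80, False)]})
    return servers

def select(servers, port, host):
    """Index of the block that answers: exact server_name match, else the port's default."""
    on_port = [i for i, s in enumerate(servers) if port in [p for p, _ in s["listens"]]]
    named = [i for i in on_port if host.lower() in servers[i]["names"]]
    flagged = [i for i in on_port if (port, True) in servers[i]["listens"]]
    return (named or flagged or on_port or [None])[0]
```

With `SAMPLE_CONF` alone, an unknown host on 443 selects block 1 (the site); with `CATCH_ALL` appended it selects the catch-all. `ssl_reject_handshake` requires nginx 1.19.4 or later.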