I have an Django(3.0) app using Daphne as an app container and Nginx as proxy server.
Daphne -u /home/ubuntu/virtualenvs/src/app/app.sock app.asgi:application
My problem is that the websocket connection failed.
(index):16 WebSocket connection to 'ws://example.com/ws/chat/1/' failed: Error during WebSocket handshake: Unexpected response code: 404
I'm pretty sure that my app setting and route is just fine.
Because if I stop Nginx, bind Daphne to 0.0.0.0:8000 and use real IP("ws://xx.xx.xx.xx:8000/ws/chat/1") as URL, the websocket connection established and very stable.
How should I modify my Nginx to make websocket work?
#my nginx setting
upstream websocket {
server unix:/home/ubuntu/virtualenvs/src/app/app.sock;
}
#websocket settings
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80 default_server;
listen 443 SSL default_server;
listen [::]:443 SSL default_server;
server_name example.com;
return 301 https://example.com$request_uri;
ssl on;
# certificate settings
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_session_timeout 10m;
#ssl_session cache shared:SSL:1m;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv2 SSLv3;
#ssl_prefer_server_ciphers on;
#ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!$
location / {
root /home/ubuntu/virtualenvs/
include proxy_params;
proxy_pass https://websocket;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass_request_headers on;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location ~* \.(js|css)$ {
expires -1;
}
}
Related
I was under the assumption that I could run a Django Channels app using only Daphne (ASGI) and Nginx as a proxy for my Django app to begin with.
The application would be running with Daphne on 127.0.0.1:8001
However, I am running into a 403 Forbidden error.
2019/03/06 17:45:40 [error] *1 directory index of "/home/user1/app/src/app/" is forbidden
And when I posted about that, another user mentioned
There is no directive to pass http request to django app in your
nginx config
And suggested to look into fastcgi_pass or uwsgi_pass or Gunicorn.
Obviously Django Channels runs on ASGI and I am passing all requests through that right now (not to uWSGI then on to ASGI depending on the request.)
Can I serve my Django app with only Nginx and Daphne? The Django Channels docs seem to think so as they don't mention needing Gunicorn or something similar.
my nginx config
upstream socket {
ip_hash;
server 127.0.0.1:8001 fail_timeout=0;
}
server {
listen 80;
#listen [::]:80 ipv6only=on;
server_name your.server.com;
access_log /etc/nginx/access.log;
root /var/www/html/someroot;
location / {
#autoindex on;
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri =404;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header Host $http_host;
#proxy_set_header X-NginX-Proxy true;
#proxy_pass http://socket;
#proxy_redirect off;
#proxy_http_version 1.1;
#proxy_set_header Upgrade $http_upgrade;
#proxy_set_header Connection "upgrade";
#proxy_redirect off;
#proxy_set_header X-Forwarded-Proto $scheme;
#proxy_cache one;
#proxy_cache_key sfs$request_uri$scheme;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/some/fullchain.pem;
# managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/some/privkey.pem;
# managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
}
Yes, it's possible. Try this config:
upstream socket {
ip_hash;
server $DAPHNE_IP_ADDRESS$ fail_timeout=0;
}
server {
...
location / {
proxy_pass http://socket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
...
}
Where $DAPHNE_IP_ADDRESS$ - your daphne IP and port without schema(127.0.0.1:8001).
I configured API cluster with Nginx Load Balancer by manuals :
https://docs.wso2.com/display/AM250/Configuring+the+Proxy+Server+and+the+Load+Balancer
https://docs.wso2.com/display/CLUSTER44x/Setting+up+a+Cluster
I tried to use a self-signed certficate or commercial cert for LB, but when i open LB web-page on 443 port i have the same errors in logs:
SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking to upstream.
What is the problem?
Nginx config:
upstream server1 {
server x.x.x.x:9443;
}
upstream server2 {
server x.x.x.x:8243;
}
server {
listen 80;
server_name server1.com;
rewrite ^/(.*) https://server1.com/$1 permanent;
}
server {
listen 443;
server_name server1.com;
proxy_set_header X-Forwarded-Port 443;
ssl on;
ssl_certificate /etc/nginx/ssl/server1.cer;
ssl_certificate_key /etc/nginx/ssl/server1.key;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
proxy_pass https://server1.com;
}
}
server {
listen 443;
server_name server1.com;
proxy_set_header X-Forwarded-Port 443;
ssl on;
ssl_certificate /etc/nginx/ssl/server1.cer;
ssl_certificate_key /etc/nginx/ssl/server1.key;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
proxy_pass https://server1.com;
}}
I'm using django-channels2+daphne in production.
After uncertain time passed I got this error twice (after 2 and after 6 hours correspondingly), which involved 504 answer on any HTTP request. I have no idea how should I debug the problem. Using nginx, django-channels2, daphne.
Application instance <Task pending coro=<AsgiHandler.__call__() running at /usr/local/lib/python3.7/site-packages/channels/http.py:202> wait_for=<Future pending cb=[_chain_future.<locals>._call_check_cancel() at /usr/local/lib/python3.7/asyncio/futures.py:348, <TaskWakeupMethWrapper object at 0x7ff116ef9708>()]>> for connection <WebRequest at 0x7ff116a86d30 method=GET uri=/api/v1/feed/?page_size=10&distance=-1000¬_reviewed=1 clientproto=HTTP/1.1> took too long to shut down and was killed
Here is my nginx config:
server {
server_name www.example.com example.com;
return 301 https://example.com$request_uri;
}
server {
server_name www.lvh.me lvh.me;
return 301 https://lvh.me$request_uri;
}
server {
listen 443 ssl;
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/private/server.key;
server_name www.example.com;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl;
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/private/server.key;
server_name www.lvh.me;
return 301 https://lvh.me$request_uri;
}
server {
server_name example.com lvh.me;
charset UTF-8;
listen 443 ssl;
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/private/server.key;
access_log /var/log/nginx/mini.access.log;
error_log /var/log/nginx/mini.error.log;
location /static/ {
autoindex on;
root /data/django;
}
location /media/ {
autoindex on;
root /data/django;
}
location / {
proxy_pass http://django:8000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Starting daphne.com with:
daphne -b 0.0.0.0 -p 8000 project.asgi:application
I am using nginx proxy to force all traffic through HTTPS. However, I have a page (/upload) which posts to /upload-downloadable which then uploads the users files using a stream to aws (bucketname.s3.eu-west-1.amazonaws.com)
It uploads as I can see it on AWS s3 bucket, but doesn't respond back to the server to tell the user? Works without the proxy perfectly, but not with my current config.
So it does Client -> AWS, but AWS->Server/Client doesn't work.
Any ideas?
upstream site {
server 127.0.0.1:1337;
}
upstream project {
server localhost:27017;
}
# HTTP — redirect all traffic to HTTPS
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
return 301 https://$host$request_uri;
}
# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name tryhackme.com;
error_page 502 /down.html;
location /down.html {
root /var/www/html;
}
#error_page 500 502 503 504 /var/www/html/down.html;
# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;
location / {
#proxy_pass http://127.0.0.1:28017;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_read_timeout 3600;
proxy_pass http://localhost:1337/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
I am working on a project using Django, nginx and Gunicorn. Everything is good except for POST requests. Django raise a CSRF error.
I dont know what is missing or wrong in my django and/or nginx conf.
Edit: I found out what was wrong. Because of my exotic SSL port.
I replaced this line in the 'location /' block:
proxy_set_header Host $host;
by:
proxy_set_header Host localhost:8443;
Django error:
Forbidden (403):
CSRF verification failed. Request aborted.
Reason given for failure:
Referer checking failed - https://localhost:8443/accounts/login/ does not match https://localhost/
Here is my nginx conf:
server {
listen 8880;
server_name localhost:8443;
rewrite ^ https://$server_name$request_uri? permanent;
}
#Gunicorn
upstream project {
server localhost:8888;
}
# HTTPS server
server {
listen 8443 ssl default_server;
ssl on;
server_name localhost;
ssl_certificate /path/file.crt;
ssl_certificate_key /path/file.key;
#Disable SSLv3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
location / {
proxy_pass http://localhost:8888;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl https;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 8443;
proxy_set_header Host $host; #Replaced by proxy_set_header Host localhost:8443;
}
}
and in my settings.py:
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
Try add in your location / this: proxy_pass_header X-CSRFToken;