The stack is: Ubuntu // Supervisor // Nginx <--> Gunicorn <--> Django 1.11
Static files folder: /home/sitebiz/sitebiz/static/
Nginx config: /etc/nginx/sites-enabled/site.biz
server {
listen 80;
listen [::]:80;
access_log off;
server_name site.biz;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
#listen 80 ssl;
server_name site.biz;
ssl_certificate /etc/letsencrypt/live/site.biz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site.biz/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
#listen 80;
gzip on;
access_log /var/log/nginx-access.log;
error_log /var/log/nginx-error.log;
location /static {
root /home/sitebiz/sitebiz;
internal;
}
location /track {
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header GEOIP_COUNTRY_CODE $geoip_country_code;
proxy_set_header GEOIP_COUNTRY_NAME $geoip_country_name;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://127.0.0.1:8899;
break;
}
}
location /income {
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header GEOIP_COUNTRY_CODE $geoip_country_code;
proxy_set_header GEOIP_COUNTRY_NAME $geoip_country_name;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://127.0.0.1:8899;
break;
}
}
location / {
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header GEOIP_COUNTRY_CODE $geoip_country_code;
proxy_set_header GEOIP_COUNTRY_NAME $geoip_country_name;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://127.0.0.1:8000;
break;
}
}
}
I tried to change the /home/sitebiz/sitebiz/static/ directory and all of its content ownership to sitebiz user and to www-data , but none helped.
Not even Django itself can serve static files and I have no idea why.
From django settings:
SITE_ROOT = os.path.abspath(os.path.dirname(name))
MEDIA_URL = '/media/'
MEDIA_ROOT = os.path.join(BASE_DIR, 'media')
STATIC_URL = '/static/'
STATIC_ROOT = os.path.join(SITE_ROOT, 'static')
Thank you in advance.
I have no idea, why, but the solution from the POST works fine
Just execute in shell:
sudo chmod o+x /root
If someone could explain this logic - why root folder must have Execute permission - I would be very thankful (and upvoteful)
Related
I'm trying to use WSO2 Identity Server behind a reverse proxy to not expose ip and port when I use wso2 custom pages like "Create Password" and "Reset Password", but I'm getting an error.
When I try to log in on carbon it redirect to login_action.jsp and it shows:
login_action.jsp - 403 Forbidden.
The steps that I did to configure were:
deployment.toml
[server]
offset = "1"
hostname = "example.com"
node_ip = "xxx.xxx.xx.xxx"
base_path = "https://$ref{server.hostname}:${carbon.management.port}"
proxy_context_path = "/is"
[transport.https.properties]
proxyPort = 443
nginx.conf
server {
server_name example.com;
access_log /var/log/nginx/dev_mtz_access.log;
error_log /var/log/nginx/example.com.error_log debug;
proxy_cache one;
proxy_cache_key $request_method$request_uri;
proxy_cache_min_uses 1;
proxy_cache_methods GET;
proxy_cache_valid 200 1y;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
listen 80;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/certs/cup.crt;
ssl_certificate_key /etc/letsencrypt/private/cup.key;
rewrite \w*(carbon|admin)$ $1/ permanent;
location /is/ {
proxy_pass https://csm-wso2-is:9444/;
proxy_redirect https://example.com/authenticationendpoint/ https://example.com/is/authenticationendpoint/;
proxy_redirect https://example.com/accountrecoveryendpoint/ https://example.com/is/accountrecoveryendpoint/;
proxy_redirect https://example.com/oauth2/ https://example.com/is/oauth2/;
proxy_redirect https://example.com/carbon/ https://example.com/is/carbon/;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Host $host;
# Proxy timeouts
proxy_connect_timeout 3600s;
proxy_send_timeout 3600s;
proxy_read_timeout 3600s;
}
location /carbon/admin/js/csrfPrevention.js {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
proxy_pass https://example.com/is/carbon/admin/js/csrfPrevention.js;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
I didn't find any documentation explaining how to achieve, only on WSO2-APIM
If you don't need a subcontext the easiest way is to route everything coming to the root context (/) to port 9443. Here is a sample Nginx config block.
upstream ssl.wso2.is.com {
server xxx.xxx.xxx.xx3:9443;
server xxx.xxx.xxx.xx4:9443;
ip_hash;
}
server {
listen 443;
server_name is.wso2.com;
ssl on;
ssl_certificate /etc/nginx/ssl/wrk.crt;
ssl_certificate_key /etc/nginx/ssl/wrk.key;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
proxy_pass https://ssl.wso2.is.com;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
The documentation is here.
Current nginx config:
server {
listen 443 ssl http2;
server_name NAME www.NAME;
charset utf-8;
ssl on;
ssl_certificate /etc/nginx/ssl/NAME-cert.pem;
ssl_certificate_key /etc/nginx/ssl/NAME-key.pem;
location /static/ {
alias /home/ubuntu/NAME/static_collection/;
}
location /media/ {
alias /home/ubuntu/NAME/media_collection/;
}
location / {
proxy_pass http://localhost:8002;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Everything works, apart from the websockets. I suppose this is because it doesn't deal with the http upgrade header... I've looked at the docs, but I can't figure out how to modify this config without breaking anything else.
Try this. Let me know if it works.
server {
listen 443 ssl http2;
server_name NAME www.NAME;
charset utf-8;
ssl on;
ssl_certificate /etc/nginx/ssl/NAME-cert.pem;
ssl_certificate_key /etc/nginx/ssl/NAME-key.pem;
location /static/ {
alias /home/ubuntu/NAME/static_collection/;
}
location /media/ {
alias /home/ubuntu/NAME/media_collection/;
}
location / {
proxy_pass http://localhost:8002;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_read_timeout 86400;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
I tried to make run the tutorial from the channels docs on my production server, using ssl.
After a few hours i managed to get a connection but it instantly disconnects :
None - - [12/Mar/2018:17:42:22] "WSCONNECTING /ws/chat/bibou/" - -
None - - [12/Mar/2018:17:42:22] "WSCONNECT /ws/chat/bibou/" - -
None - - [12/Mar/2018:17:42:23] "WSDISCONNECT /ws/chat/bibou/" - -
my stack is
ubuntu 16.04
nginx 1.10.3
channels==2.0.2
daphne==2.1.0
channels-redis==2.1.0
Twisted==17.9.0
I have the exact copy paste of the code from the tutorial, except for this part in room.html
var chatSocket = new WebSocket(
'wss://' + window.location.host +
':8443/ws/chat/' + roomName + '/');
and here is my nginx conf
server {
#http
listen 80;
server_name domain.com;
root /usr/share/nginx/html;
include /etc/nginx/default.d/*.conf;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
#https
listen 443 ssl;
listen 8443 ssl;
server_name domain.com;
root /usr/share/nginx/html;
ssl_certificate "/etc/letsencrypt/live/domain.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/domain.com/privkey.pem";
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000";
include /etc/nginx/default.d/*.conf;
location /static/ {
root /home/ubuntu;
}
location /media/ {
root /home/ubuntu;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://unix:/home/ubuntu/tlebrize/Project.sock;
}
location /ws/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://unix:/home/ubuntu/tlebrize/Daphne.sock;
}
}
I run daphne with daphne -u Daphne.sock Project.asgi:application -v 3
I also tried bypassing nginx and using sudo daphne -e ssl:8443:privateKey=/etc/letsencrypt/live/domain.co/privkey.pem:certKey=/etc/letsencrypt/live/domain.co/fullchain.pem Project.settings:CHANNEL_LAYERS
but i had the same results.
The front break with the message Chat socket closed unexpectedly with the error code 1011 (Internal Error) and no reason.
I managed to make it work, it was an issue with nginx and/or using ReconnectingWebSocket. here's my whole working conf:
nginx
server {
#http
listen 80;
server_name domain.co;
root /usr/share/nginx/html;
include /etc/nginx/default.d/*.conf;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
#https
listen 443 ssl;
server_name domain.com;
root /usr/share/nginx/html;
ssl_certificate "/etc/letsencrypt/live/domain.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/domain.com/privkey.pem";
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000";
include /etc/nginx/default.d/*.conf;
location /static/ {
root /home/ubuntu;
}
location /media/ {
root /home/ubuntu;
}
location /ws/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://127.0.0.1:8443;
}
location / {...}
}
daphne
sudo /home/ubuntu/venv/bin/daphne -e ssl:8443:privateKey=/etc/letsencrypt/live/domain.com/privkey.pem:certKey=/etc/letsencrypt/live/domain.com/fullchain.pem Project.asgi:application -v 3
js
var chatSocket = new ReconnectingWebSocket(
'wss://' + window.location.host +
':8443/ws/chat/' + roomName + '/');
I had this problem because I've forgot to include CHANNEL_LAYERS to settings.py.
Server was even able to send 1-2 messages before disconnecting.
This was resulting in error 1011 when connecting through nginx and 1006 when connecting directly without https/wss. I tried both uvicorn and daphne.
I'm trying to set up a project using django, gunicorn and nginx and I'm having trouble with the nginx configuration. More precisely when I use try_files.
If I use if (!-f $request_filename) {...} everything works fine but if use
try_files ... Django generates the exception:
Invalid HTTP_HOST header: 'myproject_server'. The domain name provided is not valid according to RFC 1034/1035.
Once everything works using the if ... I assume that the other settings
(gunicorn etc) are correct.
The configuration files I'm using are:
/home/myproject/myproject/settings.py (django)
...
ALLOWED_HOSTS = [192.168.200.100, ]
...
/etc/nginx/sites-available/myproject (this one WORKS)
upstream myproject_server {
unix server:/home/myproject/run/gunicorn.sock fail_timeout = 0;
}
server {
listen 80;
server_name 192.168.200.100;
root /home/myproject;
location /media/ {}
location /static/ {}
location / {
proxy_set_header Host $HTTP_HOST;
proxy_set_header X-Real-IP $REMOTE_ADDR;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
if (!-f $request_filename) {
proxy_pass http://myproject_server;
break;
}
}
}
/etc/nginx/sites-available/myproject (this one DOES NOT WORK)
upstream myproject_server {
unix server: /home/myproject/run/gunicorn.sock fail_timeout = 0;
}
server {
listen 80;
server_name 192.168.200.100;
root /home/myproject;
location /media/ {}
location /static/ {}
location / {
proxy_set_header Host $HTTP_HOST;
proxy_set_header X-Real-IP $REMOTE_ADDR;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
try_files $uri #myproject_backend;
}
location #myproject_backend {
proxy_pass $scheme://myproject_server;
}
}
What am I doing wrong?
Thanks in advance any help.
PS: English is not my native language so I apologize for the (many) errors.
proxy_set_header should be in the same location as proxy_pass.
location / {
try_files $uri #myproject_backend;
}
location #myproject_backend {
proxy_set_header Host $HTTP_HOST;
proxy_set_header X-Real-IP $REMOTE_ADDR;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://myproject_server;
}
I use django-hosts and nginx.
Example, hosts.py
host_patterns = patterns('project',
host(r'', 'urls', name=''),
host(r'beta', 'private_urls', name='beta'),
)
nginx.conf
server {
listen 80;
server_name example.ru *.example.ru 174.61.223.135;
access_log /var/log/nginx/example.log;
location /static/ {
alias /home/path/to/static/;
}
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
But when I turn on beta.example.ru, django does not take the settings from hosts.py. It takes on the url defaults host(r'', 'urls', name='') and not find urls from host(r'beta', 'private_urls', name='beta')
How do I configure nginx.conf?