[SOLVED]
It caused by /etc/nginx/sites-enabled/default
default file already defines for in bound traffic, so when I delete it,It works fine.
I'm using Django/uwsgi/nginx.
And to access ssl, installed Lets encrypt.
Below source is nginx and uwsgi confirue file.
[project_rest.conf]
upstream django {t
server 127.0.0.1:8001;
}
server {
listen 8000;
server_name .mysitedomain.com;
charset utf-8;
client_max_body_size 75M; # adjust to taste
# Django media
location /media {
alias /home/app/project_rest/media; # your Django project's media files - amend as required
}
location /static {
alias /home/app/project_rest/static; # your Django project's static files - amend as required
}
# Finally, send all non-media requests to the Django server.
location / {
uwsgi_pass django;
include /home/app/project_rest/uwsgi_params; # the uwsgi_params file you installed
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mysitedomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mysitedomain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
(I created project_rest.conf and link to /etc/nginx/sites-enabled/)
[/etc/nginx/sites-available/default]
server {
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name mysitedomain.com www.mysitedomain.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mysitedomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mysitedomain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.mysitedomain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = mysitedomain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server;
server_name mysitedomain.com www.mysitedomain.com;
return 404; # managed by Certbot
}
[uwsgi.ini]
[uwsgi]
# the base directory (full path)
chdir=/home/app/project_rest
# Django's wsgi file
module=project_rest.wsgi:application
master=true
# maximum number of worker processes
processes=10
# the socket (use the full path to be safe
socket=127.0.0.1:8001
chmod-socket=664
chown-socket=app:app
pidfile=/tmp/project_rest.pid
# clear environment on exit
vacuum=true
max-requests=5000
daemonize=project_rest.uwsgi.log
(I used vitualenv)
after entered "uwsgi --ini uwsgi.ini", I can access to mysitedomain.com:8000 to my django's site.
But I can't access to https://mysitedomain.com:8000 while can access to https://mysitedomain.com
I want to access https://mysitedomain.com:8000, How can it implement?
Thanks.
[SOLVED]
It caused by /etc/nginx/sites-enabled/default
default file already defines for in bound traffic, so when I delete it,
It works fine.
server {
listen 80;
server_name example.com;
rewrite ^/(.*) https://example.com/$1 permanent;
}
server {
listen 443 ssl;
server_name example.com;
access_log /var/log/nginx/example.com_access.log combined;
error_log /var/log/nginx/example.com_error.log error;
ssl_certificate /etc/letsencrypt/live/mysitedomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mysitedomain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location /static/ {
alias /webapps/example/static/;
}
location /media/ {
alias /webapps/example/media/;
}
location / {
proxy_pass http://localhost:8000/;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Change the values with your domain and report feedback please
Related
I'd like to add ssl certificate to my django app. I've followed tutorial so the nginx config for domain was changed but now it looks like generated certificate is incorrect.
nginx conf before certbot modifications
server {
listen 80;
listen [::]:80;
server_name doamin.com www.domain.com;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/poul3r/doamin.com;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
}
and after certbot action
server {
server_name doamin.com www.doamin.com;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/poul3r/doamin.com;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/doamin.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/doamin.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = doamin.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name doamin.com www.doamin.com;
return 404; # managed by Certbot
}
What I'm doing wrong or what could went wrong during letsencypt implementation ?
I've already found solution for this problem. Based info from solution I realized, there is one more app on nginx that does not have ssl certification but redirect to 443. When I changed theirs config to listen only on 80, first domain works correctly.
Nginx + Ubuntu 18.04 + Django 2.2.10
Accessing directly via "www.examples.com" will show nginx welcome page, but accessing anything else--"examples.com", "https://examples.com", "https://www.examples.com"--will work as expected.
On DigitalOcean, I have two A-type records [www.examples.com, examples.com] directing to the IP address--I believe they are correctly set up.
On my Django project, I have ALLOWED_HOSTS = ['localhost', 'examples.com', '137.68.49.136', 'www.examples.com'] set.
Here is my /etc/nginx/sites-available/project:
server {
server_name examples.com www.examples.com;
charset UTF-8;
error_log /home/jay/eco/nginx-error.log;
location = /favicon.ico { access_log off; log_not_found off; }
location /static {
alias /home/jay/eco/static;
}
location /media/ {
alias /home/jay/eco/media/;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/examples.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/examples.com/privkey.pem; # managed by Certb$
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = examples.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name examples.com;
return 404; # managed by Certbot
}
I believed this was everything but apparently not. What am I missing?
You have two server blocks, the first processes requests using the https protocol and the second processes requests using the http protocol. There is also a default server block in some other file, which responds with the Nginx welcome page.
The second server block in your question only processes requests for http://example.com. You need to add www.example.com to the server_name directive, and update the logic so that both domain names are redirected to the https service.
For example:
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
See this document for details.
I have 2 machines one is django (https://orgofoods.com) and another one is wordpress (https://blog.orgofoods.com). Django is running with nginx, gunicorn and the configuration goes like this
upstream app_server {
server unix:/home/django/gunicorn.socket fail_timeout=0;
}
server {
root /usr/share/nginx/html;
index index.html index.htm;
client_max_body_size 4G;
server_name orgofoods.com;
keepalive_timeout 5;
# Your Django project's media files - amend as required
location /media {
alias /home/django/django_project/django_project/media;
}
# your Django project's static files - amend as required
location /static {
alias /home/django/django_project/django_project/static;
}
# Proxy the static assests for the Django Admin panel
location /static/admin {
alias /usr/lib/python2.7/dist-packages/django/contrib/admin/static/admin/;
}
location /blog {
proxy_pass https://blog.orgofoods.com;
}
location /blog/wp-content {
proxy_pass https://blog.orgofoods.com/wp-content;
}
location /blog/wp-includes {
proxy_pass https://blog.orgofoods.com/wp-includes;
}
location /blog/wp-login.php {
proxy_pass https://blog.orgofoods.com/wp-login.php;
}
location /blog/wp-admin {
proxy_pass https://blog.orgofoods.com/wp-admin;
}
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
proxy_buffering off;
proxy_pass http://app_server;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/orgofoods.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/orgofoods.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = orgofoods.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name orgofoods.com;
return 404; # managed by Certbot
}
but when i try to access orgofoods.com/blog it is returning 404 error, and the request is handled by nginx where as it needs to be handled by apache, please any one can shed some light on it.
dev tools network screenshot
Thanks in advance
p.s.: i followed this tutorial (https://jeffreyeverhart.com/2016/12/11/wordpress-nginx-proxy-server-subdomain-subdirectory)
I have a subdomain as : app.example.com
Now I want to serve a static website on app.example.com which does some API based querying on the Django app which I want to host on same base URL something like : app.example.com/app/api....
But I am unable to do so. My Nginx configuration is as follows :
server {
root /home/ubuntu/dist/;
index index.html index.htm index.nginx-debian.html;
server_name app.example.com;
location / {
alias /home/ubuntu/dist/ ;
try_files $uri /$uri index.html last;
}
location /admind {
alias /home/ubuntu/admind/dist/ ;
try_files $uri /$uri/ index.html last;
}
location /app/ {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://gunicorn;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/app.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
server {
if ($host = app.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server;
server_name app.example.com;
return 404; # managed by Certbot
}
Whenever I implement the following configuration app.example.com opens as expected but the Django app url app.example.com/app/api or for that matter /app/admin/ of Django Admin doesn't open up and throws 404.
TIA
How about you just append a BASE_URL to all the core url_patterns, something like,
settings.py
BASE_URl = 'app/'
urls.py
from django.conf import settings
from django.urls import path
from .views import *
urlpatterns = [
path("%sadmin/" % settings.BASE_URL, AdminView, name='admin'),
path("%sapi/" % settings.BASE_URL, MyAPIView, name="myapi"),
]
This way all your URLs already start with app/, so even if you reverse proxy the root app.example.com it'll still serve on app/
You need to add a header to tell Django you are serving from a sub-path.
location /app/ {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header SCRIPT_NAME app;
proxy_redirect off;
proxy_pass http://gunicorn;
}
I am using Nginx and Gunicorn to host a Django project. I need to secure this site, and as a test I set up Let's encrypt to an unused domain of mine. While tailing the Django access log, I noticed the following entry from time to time:
Invalid HTTP_HOST header: 'aydinfatih.com'. You may need to add u'aydinfatih.com' to ALLOWED_HOSTS.
This is an unknown domain to me, and while trying to access the domain (it got 400 response), I could se more of these log entries on my server. What is this? Is it related to my SSL-setup, and an indication that it's not secure?
server {
server_name example.com example.com;
location /static/ {
root /home/user/project/django-project;
}
location /media/ {
root /home/user/project/django-project;
}
location / {
include proxy_params;
proxy_pass http://unix:/home/user/project/project.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
listen 80;
server_name my.server.ip.here example.com;
return 301 https://example.com;
}
I added the following to my server block:
if ($host !~* ^(example.com|www.example.com)$ ) {
return 444;
}
The unknown domain now displays 520. Is this the correct way to deal with this? Something else I've missed?
I misread your question. Here's a new answer.
Someone configs their DNS record to point their domain name to your server IP. Adding hostname checking certainly helps, but normally we use a default "catch all" server block to handle all unwanted requests:
# "Catch all" server
server {
server_name _;
return 444;
}
# Your site settings
server {
server_name example.com example.com;
location /static/ {
root /home/user/project/django-project;
}
location /media/ {
root /home/user/project/django-project;
}
location / {
include proxy_params;
proxy_pass http://unix:/home/user/project/project.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
listen 80;
server_name my.server.ip.here example.com;
return 301 https://example.com;
}