I am using Nginx and Gunicorn to host a Django project. I need to secure this site, and as a test I set up Let's Encrypt on an unused domain of mine. While tailing the Django access log, I noticed the following entry from time to time:
Invalid HTTP_HOST header: 'aydinfatih.com'. You may need to add u'aydinfatih.com' to ALLOWED_HOSTS.
This is an unknown domain to me, and while trying to access the domain (it got a 400 response), I could see more of these log entries on my server. What is this? Is it related to my SSL setup, and an indication that it's not secure?
server {
server_name example.com example.com;
location /static/ {
root /home/user/project/django-project;
}
location /media/ {
root /home/user/project/django-project;
}
location / {
include proxy_params;
proxy_pass http://unix:/home/user/project/project.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
listen 80;
server_name my.server.ip.here example.com;
return 301 https://example.com;
}
I added the following to my server block:
if ($host !~* ^(example\.com|www\.example\.com)$ ) {
return 444;
}
The unknown domain now displays 520. Is this the correct way to deal with this? Something else I've missed?
I misread your question. Here's a new answer.
Someone has configured their DNS record to point their domain name to your server IP. Adding hostname checking certainly helps, but normally we use a default "catch all" server block to handle all unwanted requests:
# "Catch all" server
server {
server_name _;
return 444;
}
# Your site settings
server {
server_name example.com example.com;
location /static/ {
root /home/user/project/django-project;
}
location /media/ {
root /home/user/project/django-project;
}
location / {
include proxy_params;
proxy_pass http://unix:/home/user/project/project.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
listen 80;
server_name my.server.ip.here example.com;
return 301 https://example.com;
}
Related
I'm trying to set up an SSL certificate for Django. I set it up following this guide: https://www.youtube.com/watch?v=dYdv6pkCufk&ab_channel=TonyTeachesTech. In the guide the Django server just starts working with SSL, but for me it is not working: the domain is redirected from http to https, but not to the Django server. I don't even know what to do. I searched the entire internet and found nothing.
This is my nginx config:
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
server_name wavera.ru www.wavera.ru; # managed by Certbot
return 301 https://$host$request_uri;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.wavera.ru/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.wavera.ru/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = wavera.ru) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = www.wavera.ru) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
server_name wavera.ru www.wavera.ru;
return 404; # managed by Certbot
}
I am starting the server with
python3 manage.py runserver
Runserver is for development purposes only. You should run something like gunicorn to create a .sock file.
For now, you can try something like:
upstream backend {
server localhost:8000;
}
server {
server_name wavera.ru www.wavera.ru;
location / {
include proxy_params;
proxy_pass http://backend;
}
}
For https, try:
server {
server_name wavera.ru www.wavera.ru;
location / {
include proxy_params;
proxy_pass http://backend;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.wavera.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.wavera.ru/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = wavera.ru) {
return 301 https://$host$request_uri;
}
if ($host = www.wavera.ru) {
return 301 https://$host$request_uri;
}
listen 80 ;
server_name wavera.ru www.wavera.ru;
return 404;
}
I am hosting a Django website on DigitalOcean. I wish to access my website's IP using https with a self-signed cert, as Let's Encrypt does not provide certificates for public IP addresses. I followed this guide and wrote an nginx server block. I can access https://example-ip-address with:
server {
listen 443 ssl;
listen [::]:443 ssl;
include /etc/nginx/snippets/self-signed.conf;
include /etc/nginx/snippets/ssl-params.conf;
server_name 123.123.12.123;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/user/djangotemplates;
}
location / {
include /etc/nginx/proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
}
server {
listen 80;
listen [::]:80;
server_name 123.123.12.123;
return 301 https://$server_name$request_uri;
}
And, I can access https://example.com and https://www.example.com with let's encrypt SSL cert by following this and this is the server block I wrote:
server {
server_name www.example.com example.com;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/user/djangotemplates;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name www.example.com example.com;
return 404; # managed by Certbot
}
The problem here is when I put both server blocks into one single configuration file and access https://example-ip-address, the connection is then not encrypted. However, it works fine for https://example.com and https://www.example.com. Any idea what went wrong here?
I just started my django website live on digital ocean - and I received an error email 'Invalid HTTP_HOST header: '123.123.12.123'. You may need to add '123.123.12.123' to ALLOWED_HOSTS.' So, I added the ip address in the ALLOWED_HOSTS. And I think it's safer to visit the ip address with https.
I suggest you use certbot instead of a self-signed certificate:
https://certbot.eff.org
I'd like to add an SSL certificate to my Django app. I've followed a tutorial, so the nginx config for the domain was changed, but now it looks like the generated certificate is incorrect.
nginx conf before certbot modifications
server {
listen 80;
listen [::]:80;
server_name doamin.com www.domain.com;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/poul3r/doamin.com;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
}
and after certbot action
server {
server_name doamin.com www.doamin.com;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/poul3r/doamin.com;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/doamin.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/doamin.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = doamin.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name doamin.com www.doamin.com;
return 404; # managed by Certbot
}
What am I doing wrong, or what could have gone wrong during the Let's Encrypt implementation?
I've already found a solution for this problem. Based on info from the solution, I realized there is one more app on nginx that does not have SSL certification but redirects to 443. When I changed its config to listen only on 80, the first domain works correctly.
Nginx + Ubuntu 18.04 + Django 2.2.10
Accessing directly via "www.examples.com" will show nginx welcome page, but accessing anything else--"examples.com", "https://examples.com", "https://www.examples.com"--will work as expected.
On DigitalOcean, I have two A-type records [www.examples.com, examples.com] directing to the IP address--I believe they are correctly set up.
On my Django project, I have ALLOWED_HOSTS = ['localhost', 'examples.com', '137.68.49.136', 'www.examples.com'] set.
Here is my /etc/nginx/sites-available/project:
server {
server_name examples.com www.examples.com;
charset UTF-8;
error_log /home/jay/eco/nginx-error.log;
location = /favicon.ico { access_log off; log_not_found off; }
location /static {
alias /home/jay/eco/static;
}
location /media/ {
alias /home/jay/eco/media/;
}
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/examples.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/examples.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = examples.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name examples.com;
return 404; # managed by Certbot
}
I believed this was everything but apparently not. What am I missing?
You have two server blocks, the first processes requests using the https protocol and the second processes requests using the http protocol. There is also a default server block in some other file, which responds with the Nginx welcome page.
The second server block in your question only processes requests for http://example.com. You need to add www.example.com to the server_name directive, and update the logic so that both domain names are redirected to the https service.
For example:
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
See this document for details.
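An added example (not from any of the posts above): a simplified Python model of how nginx picks a server block for a given port and Host header, applied to the "catch all" answer and to the www.examples.com answer above. It handles exact server_name values only; the dictionaries and labels are constructed for illustration, and the "welcome" block is assumed to be the distribution's default site with `listen 80 default_server`.

```python
# Added illustration: simplified nginx server-block selection (exact names only).
DEFAULT_LISTEN = [(80, False)]  # no `listen` directive: *:80 when nginx runs as root


def select_server(servers, port, host):
    """Return the label of the block that would handle a request, or None."""
    on_port = [s for s in servers
               if any(p == port for p, _ in s.get("listen", DEFAULT_LISTEN))]
    if not on_port:
        return None                      # nothing listens on this port
    host = host.lower()
    for s in on_port:                    # 1. exact server_name match
        if host in s["names"]:
            return s["label"]
    for s in on_port:                    # 2. block marked default_server
        if (port, True) in s.get("listen", DEFAULT_LISTEN):
            return s["label"]
    return on_port[0]["label"]           # 3. else the first block defined


# Constructed stand-ins for the blocks discussed above (labels are made up).
WELCOME = {"label": "welcome", "listen": [(80, True)], "names": ["_"]}
SITE = {"label": "django", "listen": [(443, False)],
        "names": ["examples.com", "www.examples.com"]}
REDIRECT = {"label": "redirect", "listen": [(80, False)], "names": ["examples.com"]}
REDIRECT_BOTH = dict(REDIRECT, names=["examples.com", "www.examples.com"])
DROP_80 = {"label": "drop", "names": ["_"]}   # catch-all without `listen`
DROP_ALL = {"label": "drop", "listen": [(80, True), (443, True)], "names": ["_"]}

CASES = [
    ("www missing from port-80 block", [WELCOME, SITE, REDIRECT], 80, "www.examples.com"),
    ("www added to port-80 block", [WELCOME, SITE, REDIRECT_BOTH], 80, "www.examples.com"),
    ("unknown Host, HTTP, catch-all on 80", [DROP_80, SITE, REDIRECT], 80, "aydinfatih.com"),
    ("unknown Host, HTTPS, catch-all on 80", [DROP_80, SITE, REDIRECT], 443, "aydinfatih.com"),
    ("unknown Host, HTTPS, catch-all on both", [DROP_ALL, SITE, REDIRECT], 443, "aydinfatih.com"),
]

if __name__ == "__main__":
    for title, servers, port, host in CASES:
        print(f"{title:42} -> {select_server(servers, port, host)}")
```

A block that acts as the default for port 443 still takes part in the TLS handshake, so in real nginx it needs its own certificate or `ssl_reject_handshake on;` (nginx 1.19.4 and later).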
I'm having an issue with my nginx configuration.
I receive the error ERR: TOO MANY REDIRECTS
If I change the var SECURE_SSL_REDIRECT = True to False the error goes away, but I believe this is causing an issue with my channels setup: my websockets are unable to complete the handshake.
I found this link which I think is my problem but I don't know how to fix it.
I tried changing proxy_pass http://unix... to https://unix... which causes the redirects to stop but the page won't load.
server {
server_name myproject.com;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
alias /home/xx/myproject/static/;
}
location /static/admin/ {
alias /home/xx/myproject/static/admin/;
}
location /media/ {
alias /home/xx/myproject/media/;
}
location / {
include proxy_params;
proxy_pass http://unix:/home/xx/myproject/myproject.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/myproject.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/myproject.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = myproject.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name myproject.com;
return 404; # managed by Certbot
}