I am currently working on deploying my project over https however I am running into some issues. I have it working with http but when I try to incorporate the ssl it breaks. I think I am misconfiguring the gunicorn upstream client in my nginx block but I am uncertain. Could the issue be in the unix binding in my gunicorn service file? I am very new to gunicorn so I'm a little lost.
Here is my configuration below.
Gunicorn:
[Unit]
Description=gunicorn daemon
After=network.target
[Service]
Environment=PYTHONHASHSEED=random
User=USER
Group=www-data
WorkingDirectory=/path/to/project
ExecStart=/path/to/project/project_env/bin/gunicorn --workers 3 --bind unix:/path/to/project/project.sock project.wsgi:application
[Install]
WantedBy=multi-user.target
Nginx (working-http):
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name server_domain;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /path/to/project;
}
location / {
include proxy_params;
proxy_pass http://unix:/path/to/project/project.sock;
}
}
Nginx (https):
upstream server_prod {
server unix:/path/to/project/project.sock fail_timeout=0;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name server_domain;
}
server {
server_name server_domain;
listen 443;
ssl on;
ssl_certificate /etc/ssl/server_domain.crt;
ssl_certificate_key /etc/ssl/server_domain.key;
location /static/ {
root /path/to/project;
}
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://server_prod;
break;
}
}
}
Your gunicorn systemd unit file seems OK. Your nginx is generally OK too. You have posted too little info to get an appropriate diagnostic. I'm guessing you are missing passing the X-Forwarded-Proto header to gunicorn, but it could be something else. Here's an nginx configuration file that works for me:
upstream gunicorn{
# fail_timeout=0 means we always retry an upstream even if it failed
# to return a good HTTP response (in case the Unicorn master nukes a
# single worker for timing out).
# for UNIX domain socket setups:
server unix:/path/to/project/project.sock fail_timeout=0;
# for TCP setups, point these to your backend servers
# server 127.0.0.1:9000 fail_timeout=0;
}
server {
listen 80;
listen 443 ssl http2;
server_name server_domain;
ssl_certificate /etc/ssl/server_domain.crt;
ssl_certificate_key /etc/ssl/server_domain.key;
# path for static files
root /path/to/collectstatic/dir;
location / {
# checks for static file, if not found proxy to app
try_files $uri #proxy_to_app;
}
location #proxy_to_app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When Nginx is handling SSL it is helpful to pass the protocol information
# to Gunicorn. Many web frameworks use this information to generate URLs.
# Without this information, the application may mistakenly generate http
# URLs in https responses, leading to mixed content warnings or broken
# applications. In this case, configure Nginx to pass an appropriate header:
proxy_set_header X-Forwarded-Proto $scheme;
# pass the Host: header from the client right along so redirects
# can be set properly within the Rack application
proxy_set_header Host $http_host;
# we don't want nginx trying to do something clever with
# redirects, we set the Host: header above already.
proxy_redirect off;
# Try to serve static files from nginx, no point in making an
# *application* server like Unicorn/Rainbows! serve static files.
proxy_pass http://gunicorn;
}
}
Related
I was under the assumption that I could run a Django Channels app using only Daphne (ASGI) and Nginx as a proxy for my Django app to begin with.
The application would be running with Daphne on 127.0.0.1:8001
However, I am running into a 403 Forbidden error.
2019/03/06 17:45:40 [error] *1 directory index of "/home/user1/app/src/app/" is forbidden
And when I posted about that, another user mentioned
There is no directive to pass http request to django app in your
nginx config
And suggested to look into fastcgi_pass or uwsgi_pass or Gunicorn.
Obviously Django Channels runs on ASGI and I am passing all requests through that right now (not to uWSGI then on to ASGI depending on the request.)
Can I serve my Django app with only Nginx and Daphne? The Django Channels docs seem to think so as they don't mention needing Gunicorn or something similar.
my nginx config
upstream socket {
ip_hash;
server 127.0.0.1:8001 fail_timeout=0;
}
server {
listen 80;
#listen [::]:80 ipv6only=on;
server_name your.server.com;
access_log /etc/nginx/access.log;
root /var/www/html/someroot;
location / {
#autoindex on;
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri =404;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header Host $http_host;
#proxy_set_header X-NginX-Proxy true;
#proxy_pass http://socket;
#proxy_redirect off;
#proxy_http_version 1.1;
#proxy_set_header Upgrade $http_upgrade;
#proxy_set_header Connection "upgrade";
#proxy_redirect off;
#proxy_set_header X-Forwarded-Proto $scheme;
#proxy_cache one;
#proxy_cache_key sfs$request_uri$scheme;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/some/fullchain.pem;
# managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/some/privkey.pem;
# managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
}
Yes, it's possible. Try this config:
upstream socket {
ip_hash;
server $DAPHNE_IP_ADDRESS$ fail_timeout=0;
}
server {
...
location / {
proxy_pass http://socket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
...
}
Where $DAPHNE_IP_ADDRESS$ - your daphne IP and port without schema(127.0.0.1:8001).
I'm trying to use nginx as a reverse proxy to receive incoming calls, then, depending on the server_name, redirect those calls to different computers (hosts), running nginx Django and Gunicorn. So far, I've tried different configurations for the conf file on the host, but none of them are working. Is there anything wrong with my conf files?
This is the nginx.conf in 192.168.0.13 that will function as a reverse proxy:
server {
listen 80;
server_name www.coding.test;
location / {
proxy_pass http://192.168.0.8:80;
proxy_redirect off;
# app1 reverse proxy follow
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
This is the nginx.conf in 192.168.0.8 that is intended to run the django app:
upstream django {
server unix:///home/pi/coding-in-dfw/mysocket.sock fail_timeout=0;
}
server {
listen 80 default_server;
server_name www.coding.test
client_max_body_size 4G;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location /static/ {
alias /home/pi/coding-in-dfw/static/;
}
location /media/ {
alias /home/pi/coding-in-dfw/media/;
}
# Finally, send all non-media requests to the Django server.
location / {
uwsgi_pass django;
include /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
}
location /.well-known {
alias /home/pi/coding-in-dfw/.well-known;
}
}
Finally this is the way I'm running gunicorn:
gunicorn --workers 5 --bind unix:///home/pi/coding-in-dfw/mysocket.sock codingindfw.wsgi:application && sudo service nginx restart
Any help is appreciated.
I am running a server with Nginx + Gunicorn + Django.
I have configured Django to show a robots.txt file, and this works just fine when I test Django on its own, without Nginx+Gunicorn.
However, when I run the whole stack, /robots.txt suddenly gets replaced with a different file that I didn't write.
Why is this happening? I never wrote anything to tell Nginx or Gunicorn to do such a thing. Is there a default somewhere that I need to overwrite or deactivate?
The folder /etc/nginx/sites-enabled contains only my own sites file, and it doesn't mention /robots explicitly. It just has a location block targeting / which gets routed to Gunicorn+Django, and for every site except robots.txt this works just fine.
My Gunicorn config:
[Unit]
Description=gunicorn daemon
After=network.target
[Unit]
Description=gunicorn daemon
After=network.target
[Service]
User=root
Group=www-data
WorkingDirectory=/root/lod/collab/collab
ExecStart=/root/lod/CollabVenv/bin/gunicorn --access-logfile - --workers 3 --bind unix:/root/lod/collab.sock collab.wsgi:application
[Install]
WantedBy=multi-user.target
My Nginx config:
server {
# if no Host match, close the connection to prevent host spoofing
listen 80 default_server;
listen [::]:80 default_server;
return 444;
}
server {
# redirect any http requests to https
listen 80;
listen [::]:80;
server_name example.com www.example.com localhost;
return 301 https://example.com$request_uri;
}
server {
# this is the main server application, serving example.com with https
listen 443;
listen [::]:443;
server_name example.com;
# SSL certificate
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
# allow large request bodies, which may be necessary for some JSON commands
client_max_body_size 4G;
# ignore a missing favicon
location = /favicon.ico { access_log off; log_not_found off; }
# Django media
location /media {
alias /root/lod/CollabData/media_public; # your Django project's media files
}
# Django static
location /static {
autoindex on;
alias /root/lod/collab/collab/static_processed; # your Django project's static files
}
# send all non-media requests to the Django server
location / {
# necessary for SSL
# note:
# I have no idea what most of these do. I just followed tutorials on the internet.
# Feel free to improve this if you know what you are doing.
proxy_redirect off;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host:443;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
# the connection to Gunicorn
proxy_pass http://unix:/root/lod/collab.sock;
}
}
EDIT:
It just started working correctly, even though I made no changes since the last time I opened the site. Maybe some background process or cache took a while to update? I'm leaving this question open in case someone can explain what caused this, so that other people won't have to spend as much time with this problem as I did.
I am trying to deploy a django instance to ec2 . I am using a combination of nginx and gunicorn to achieve that. I got the nginx isntance and gunicorn to start correctly and I am able to get my instance running. But when i try to upload an image to the database on my application I run into this error in my gunicorn error.log :
connect-failed-111-connection-refused-while-connecting-to-upstream
Also all my api calls from the front end to the database return a 500 internal server in the console.
My nginx.conf looks like
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
include /etc/nginx/sites-available/*;
index index.html index.htm;
server {
listen 127.0.0.1:80;
listen [::]:80 default_server;
server_name 127.0.0.1;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
# redir
And my sites-enabled/default file as
upstream app_server_djangoapp {
server 127.0.0.1:8000 fail_timeout=0;
}
server {
#EC2 instance security group must be configured to accept http connections over Port 80
listen 80;
server_name myec2isntance.com;
access_log /var/log/nginx/guni-access.log;
error_log /var/log/nginx/guni-error.log info;
keepalive_timeout 5;
# path for static files
location /static {
alias xxxxxx;
}
location /media {
alias xxxxxx;
}
location / {
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://app_server_djangoapp;
break;
}
}
}
I tried most of the things people talked about - adding right permissisons to the folders. Changing localhost to 127.0.0.1 etc. I am relatively new to this topic so any help would be much appreciated!
Thank you
I would suggest to change default to this :
upstream app_server_djangoapp {
server 127.0.0.1:8000 max_fails=3 fail_timeout=50;
keepalive 512;
}
- remove
keepalive_timeout 5;
- why do u have two location / blocks ?
location / {
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://app_server_djangoapp;
break;
}
}
Im trying to setup nginx as a proxy server for my django server and here is my configuration.
For some reason when I send a request to the server http://ipaddress it automatically redirects me to https://ipaddress even though I have included anything to redirect.
I want to disable the redirect to https as its a dev server
upstream app_server {
# For a TCP configuration:
server 127.0.0.1:8000 fail_timeout=0;
}
# configuration of the server
server {
#add_header HTTP_X_FORWARDED_PROTO https;
# the port your site will be served on
listen 80 default_server;
# the domain name it will serve for
charset utf-8;
#server_name localhost;
# max upload size
client_max_body_size 75M; # adjust to taste
location / {
# checks for static file, if not found proxy to app
try_files $uri #proxy_to_app;
}
location #proxy_to_app {
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://app_server;
}
}