Nginx 403 Forbidden Even After Setting The Permission - django

I want to get a Let's Encrypt SSL certificate for my domain. Part of the process is that the site needs to be authorized before getting the certificate.
I created the folder ./well-known and ran the command I was asked to, and I got:
Nginx 403 forbidden.
I'm on nginx/1.10.0 (Ubuntu)
I chowned the directory and granted it 755, yet it is still the same. Check out the permissions on my directory below.
    namei -l /var/www/example.com/.well-known
    f: /var/www/example.com/.well-known
    drwxr-xr-x root root /
    drwxr-xr-x root root var
    drwxr-xr-x root root www
    drwxr-xr-x cman sudo example.com
    drwxr-xr-x cman sudo .well-known
I also created a working.html file in the /.well-known folder, and when I load example.com/.well-known/working.html, I get the same 403 Forbidden.
Nginx.conf
    upstream kip_app_server {
        # fail_timeout=0 means we always retry an upstream even if it failed
        # to return a good HTTP response (in case the Gunicorn master nukes a
        # single worker for timing out).
        server unix:/var/www/example.com/src/run/trav.sock fail_timeout=0;
    }
    server {
        listen 80;
        server_name example.com www.example.com;
        location = /favicon.ico { access_log off; log_not_found off; }
        access_log /var/www/example.com/logs/access.log;
        error_log /var/www/example.com/logs/nerror.log;
        charset utf-8;
        client_max_body_size 75M;
        location /static/ {
            alias /var/www/example.com/src/static/;
        }
        location /media/ {
            alias /var/www/example.com/src/media/;
        }
        location ~ /\.well-known {
            allow all;
            alias /var/www/example.com/.well-known/;
        }
        location / {
            include proxy_params;
            proxy_pass http://kip_app_server;
            #proxy_set_header X-Forwarded-Host $server_name;
            #proxy_set_header X-Real-IP $remote_addr;
        }
    }

Your code would work if you were not using an alias.
Try this:
    location ^~ /.well-known {
        allow all;
        alias /var/www/example.com/.well-known/;
    }
or this:
    location ^~ /.well-known {
        allow all;
        auth_basic off;
        alias /path/to/.well-known/;
    }
When aliasing, the ^ is required.
This is Nginx-specific behaviour, due to the way they perform matching. There is a detailed write-up here on the matching logic and caveats; it is confusing: https://github.com/letsencrypt/acme-spec/issues/221
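The nginx documentation states that when alias is used inside a regex location, the regex should contain captures and alias should refer to them; in a prefix location (plain or `^~`) the matched prefix is replaced by the alias value and the rest of the URI is kept. The Python sketch below is an added example, not code from the posts above: a simplified model of that mapping (the helper name `alias_path` and the sample request are assumptions) showing which file path each variant of the block produces.

```python
import re

def alias_path(uri, location, alias, regex=False):
    """File path a matching location hands to the filesystem, or None.

    Simplified model of nginx's documented alias rules (hypothetical helper).
    """
    if not regex:
        # Prefix location (plain or ^~): the matched prefix is replaced by
        # the alias value and the remainder of the URI is appended.
        if not uri.startswith(location):
            return None
        return alias + uri[len(location):]
    m = re.search(location, uri)
    if m is None:
        return None
    # Regex location: the alias value is the whole path. Only $1..$9 are
    # substituted, so without captures the requested file name is lost.
    def capture(ref):
        n = int(ref.group(1))
        return (m.group(n) or "") if n <= m.re.groups else ""
    return re.sub(r"\$([1-9])", capture, alias)

WEBROOT = "/var/www/example.com/.well-known/"
URI = "/.well-known/working.html"  # constructed request, as in the question

CASES = {
    # The question's block: regex location, alias without captures.
    "regex, no capture": alias_path(URI, r"/\.well-known", WEBROOT, regex=True),
    # The answer's block: ^~ prefix location with the same alias.
    "prefix ^~": alias_path(URI, "/.well-known", WEBROOT),
    # Regex location written with a capture that alias refers to.
    "regex with capture": alias_path(
        URI, r"^/\.well-known/(.*)$", WEBROOT + "$1", regex=True),
}

if __name__ == "__main__":
    for name, path in CASES.items():
        print(f"{name:20} -> {path}")
```

In the first case the path is the directory itself rather than working.html; the doubled slash in the second case comes from the trailing slash on the alias and is collapsed by the filesystem.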

I tried but could not figure this out. I believe certbot is not getting the correct location and is probably writing the challenge to some other location. I had a script watching the acme challenge directory and nothing was ever created there. Ended up using the webroot option.
    certbot certonly -d example.com -a webroot
It prompts for the webroot location, but only the first time, not for renewal, which allows for auto-renewal. It may work without the certonly option, but I did not try it. I updated the NGINX config manually with the cert location.

Related

"proxy_pass" directive is duplicate

Getting the error:
    nginx: [emerg] "proxy_pass" directive is duplicate in /etc/nginx/sites-enabled/mhprints:12
    nginx: configuration file /etc/nginx/nginx.conf test failed
when trying to run my Django project on nginx and gunicorn.
My settings in folder error points to:
    server {
        listen 80;
        server_name 194.146.49.249;
        location = /favicon.ico { access_log off; log_not_found off; }
        location /static/ {
            root /home/dave/mhprints;
        }
        location / {
            include proxy_params;
            proxy_pass http://unix:/run/gunicorn.sock;
        }
    }
Can't find a fix, hoping somebody on here knows.
Solved, used the following command:
    sudo grep -ri 'proxy_pass' /etc/nginx/
Found the duplicate and deleted it.

certbot nginx doesn't finish

Question regarding letsencrypt.org certbot.
Whenever I run the certbot --nginx command, it never finishes the process.
Full output (running as root):
    $ certbot --nginx --agree-tos --redirect --uir --hsts --staple-ocsp --must-staple -d <DOMAINS> --email <EMAIL>
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator nginx, Installer nginx
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for <DOMAIN>
    http-01 challenge for <DOMAIN>
    nginx: [emerg] duplicate listen options for [::]:80 in /etc/nginx/sites-enabled/django:50
    Cleaning up challenges
    nginx restart failed:
    b''
    b''
Running certbot certificates:
    $ certbot certificates
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    -------------------------------------------------------------------------------
    No certs found.
    -------------------------------------------------------------------------------
The only thing where I messed up was not properly configuring my DNS before running certbot the first time (messed up my A record, et al; I'm new at this :P), however I don't know what to do moving forward; this is my first web-server so I'm still in a bit of a learning curve. I'm not sure if this is a configuration error, or something else.
For info, I'm running a DigitalOcean Django/Ubuntu 16.04 droplet (only edited /etc/nginx/sites-available/default, to change server_name). Will update below for any additional info needed; thanks in advance. ^_^
=========================================================================
edit 1.
/etc/nginx/sites-enabled/django
    upstream app_server {
        server unix:/home/django/gunicorn.socket fail_timeout=0;
    }
    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        root /usr/share/nginx/html;
        index index.html index.htm;
        client_max_body_size 4G;
        server_name _;
        keepalive_timeout 5;
        # Your Django project's media files - amend as required
        location /media {
            alias /home/django/django_project/django_project/media;
        }
        # Your Django project's static files - amend as required
        location /static {
            alias /home/django/django_project/django_project/static;
        }
        # Proxy the static assets for the Django Admin panel
        location /static/admin {
            alias /usr/lib/python2.7/dist-packages/django/contrib/admin/static/admin/;
        }
        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_redirect off;
            proxy_buffering off;
            proxy_pass http://app_server;
        }
    }
I think the issue is that you're trying to specify two default_server directives on the same port. This is invalid - there can be only one default server. Changing your configuration as follows should fix your issue:
    listen 80;
    listen [::]:80 default_server;
You can also remove the ipv6only directive as this is the default anyway.

Django static files in live server using nginx

I have a live server running Django, the address is http://179.188.3.54/ . As you can see, the app works but it looks like the static files aren't working. Also, if I click on any other link, it doesn't work.
This website is running without any problems in the development version. I'm not sure what I should do to fix this problem.
Here is my nginx config file and my settings.py
    STATIC_URL = '/static/'
    STATIC_ROOT = '/cinegloria/cinegloria/cinegloria/static/'
PS: I tried to run collectstatic ;)
    server {
        root /usr/share/nginx/www;
        index index.html index.htm;
        access_log /var/log/nginx/domain-access.log;
        server_name 0.0.0.0;
        location / {
            try_files $uri $uri/ /index.html;
            proxy_pass_header Server;
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_connect_timeout 10;
            proxy_read_timeout 10;
            proxy_pass http://0.0.0.0:8000/;
        }
    }
Any ideas or sample code will be appreciated!
Add the static serving to the nginx conf before the / pattern:
    location /static {
        alias /cinegloria/cinegloria/cinegloria/static/;
    }
    location / {
        ...
    }
Or set the STATIC_ROOT to the directory under the www root:
    STATIC_ROOT = '/usr/share/nginx/www/static'
Or add the symlink from www root to your static dir:
    $ ln -s /cinegloria/cinegloria/cinegloria/static /usr/share/nginx/www/static
Add another nginx directive for the static files. Static files should be served by nginx, not the Django server.
    location /static/ {
        alias /cinegloria/cinegloria/cinegloria/static/;
    }
If that still doesn't work, you may need to add the mime type directive. I had to do that yesterday, because for some reason nginx wasn't serving the correct mime type when I used an alias.
As a helpful pointer, whenever you run into problems like this, take a look at your nginx error log and paste the last few lines for debugging. It is located at /var/log/nginx/error.log or a similar path.

can't view static files with nginx + gunicorn on osx

I am trying to set up a Django production server on OSX (Mavericks).
This is my nginx server config file:
    server {
        listen 80;
        server_name localhost;
        error_log /pathtoerrorlog;
        access_log /pathtoaccesslog;
        # serve static files
        location ~ ^/static/ {
            root /Users/Hello/assets;
            expires 30d;
        }
        # serve media files ~ ^
        location ~ ^/media/ {
            root /Users/Hello/assets;
            expires 30d;
        }
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://localhost:8000;
        }
    }
This is the nginx.conf config file:
    user www-data;
    worker_processes 4;
    error_log /var/log/nginx/error.log;
    events {
        worker_connections 4092;
    }
    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        server_names_hash_bucket_size 64;
        gzip on;
        gzip_disable "msie6";
        include /etc/nginx/sites-enabled/*;
    }
I have created a user called www-data on the system and gave the following access permissions:
    sudo chown -R www-data:www-data /usr/local/etc/nginx
    sudo chown -R www-data:www-data /etc/nginx
    sudo chown -R www-data:www-data /var/log/nginx
I started gunicorn without any errors, and the same goes for nginx.
In a browser, localhost redirects me to the Django app but static media is not displayed. This is a sample error (out of all for static content) I get, as I see in the nginx error log:
    2014/01/25 20:16:23 [error] 35068#0: *68 open() "/Users/Hello/assets/static/css/base.css" failed (13: Permission denied),
    client: 127.0.0.1, server: localhost, request: "GET /static/css/base.css HTTP/1.1", host: "localhost", referrer: "http://localhost/"
I tried changing the permissions of /Users/Hello/assets using sudo chown -R www-data:www-data assets but it didn't help. -R 777 also didn't work.
Please suggest where I am going wrong. Thanks!
It turns out that read permissions have to be granted for all parent directories of /Users/Hello/assets. So, I set read access to all of Users, Hello, assets and not just assets as earlier.
Related articles are:
Nginx 403 forbidden for all files
http://nginxlibrary.com/403-forbidden-error/
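The two permission problems on this page (the namei listing in the first question and the "13: Permission denied" above) both come down to walking every component of the path as the nginx worker user: each directory needs the search (execute) bit for that user and the file itself needs the read bit. The Python sketch below is an added example, not code from the posts: it performs that walk, with hypothetical helper names, constructed uid/gid values and a constructed, shortened path, and it ignores ACLs and MAC policies such as SELinux or AppArmor.

```python
import os
import stat

X, R = 1, 4  # search (execute) and read bits within one permission class

def allowed(mode, owner, group, uid, gids, need):
    """Classic Unix mode check: pick owner, group or other, then test bits."""
    if uid == 0:
        return True
    shift = 6 if owner == uid else 3 if group in gids else 0
    return (mode >> shift) & need == need

def stat_chain(path):
    """(path, mode, owner, group) for every component from / down to path."""
    parts, cur = [], os.path.abspath(path)
    while True:
        st = os.stat(cur)
        parts.append((cur, st.st_mode, st.st_uid, st.st_gid))
        parent = os.path.dirname(cur)
        if parent == cur:
            return parts[::-1]
        cur = parent

def blocking(chain, uid, gids):
    """Components that stop uid from reading the last entry of chain."""
    bad = []
    for i, (path, mode, owner, group) in enumerate(chain):
        is_target_file = i == len(chain) - 1 and not stat.S_ISDIR(mode)
        need = R if is_target_file else X
        if not allowed(mode, owner, group, uid, gids, need):
            bad.append(path)
    return bad

# Constructed sample: the home directory is private to uid 501, while the
# asset tree below it was chown'ed to the worker (uid 33) and opened to 777.
D, F = stat.S_IFDIR, stat.S_IFREG
SAMPLE = [
    ("/", D | 0o755, 0, 0),
    ("/Users", D | 0o755, 0, 0),
    ("/Users/Hello", D | 0o700, 501, 20),
    ("/Users/Hello/assets", D | 0o777, 33, 33),
    ("/Users/Hello/assets/base.css", F | 0o644, 33, 33),
]

if __name__ == "__main__":
    print(blocking(SAMPLE, uid=33, gids={33}))
```

On a live host, pass `stat_chain("/path/to/file")` together with the worker's uid and group ids in place of `SAMPLE`.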

Nginx + Django + Phpmyadmin Configuration

I've migrated my server to Amazon EC2, and I'm trying to set up the following environment there:
Nginx in the front serving static content, passing to Django for dynamic content. I also would like to use phpmyadmin in this setting.
I am not a server admin, so I simply followed a few tutorials to get nginx and Django up and running. But I've been working for two days now trying to hook phpmyadmin to this setup, to no avail. I am sending my current server configuration now; how can I serve phpmyadmin here?
    server {
        listen 80;
        server_name localhost;
        access_log /opt/django/logs/nginx/vc_access.log;
        error_log /opt/django/logs/nginx/vc_error.log;
        # no security problem here, since / is always passed to upstream
        root /opt/django/;
        # serve directly - analogous for static/staticfiles
        location /media/ {
            # if asset versioning is used
            if ($query_string) {
                expires max;
            }
        }
        location /admin/media/ {
            # this changes depending on your python version
            root /path/to/test/lib/python2.7/site-packages/django/contrib;
        }
        location /static/ {
            # if asset versioning is used
            if ($query_string) {
                expires max;
            }
        }
        location / {
            proxy_pass_header Server;
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_connect_timeout 10;
            proxy_read_timeout 10;
            proxy_pass http://localhost:8000/;
        }
        # what to serve if upstream is not available or crashes
        error_page 500 502 503 504 /media/50x.html;
    }
This question should rightly belong to http://serverfault.com
Nevertheless, the first thing you ought to do is to configure a separate subdomain for your phpmyadmin for ease of administration.
So there will be two apps running with nginx as reverse proxy, one nginx server for your above Django app and another server (also known as virtualhost) for your phpmyadmin with a configuration similar to this:
    server {
        server_name phpmyadmin.<domain.tld>;
        access_log /srv/http/<domain>/logs/phpmyadmin.access.log;
        error_log /srv/http/<domain.tld>/logs/phpmyadmin.error.log;
        location / {
            root /srv/http/<domain.tld>/public_html/phpmyadmin;
            index index.html index.htm index.php;
        }
        location ~ \.php$ {
            root /srv/http/<domain.tld>/public_html/phpmyadmin;
            fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /srv/http/<domain.tld>/public_html/phpmyadmin/$fastcgi_script_name;
            include fastcgi_params;
        }
    }
Each of your server configurations can point at different domain names via the server_name configuration. In this example, server_name phpmyadmin.<domain.tld>;
Here's an example taken from http://wiki.nginx.org/ServerBlockExample
    http {
        index index.html;
        server {
            server_name www.domain1.com;
            access_log logs/domain1.access.log main;
            root /var/www/domain1.com/htdocs;
        }
        server {
            server_name www.domain2.com;
            access_log logs/domain2.access.log main;
            root /var/www/domain2.com/htdocs;
        }
    }
As you can see, there are two declarations of server inside the large http brackets. Each declaration of the server should contain the configuration you have for django and another for the configuration of phpmyadmin.
2 "virtual hosts" ("server" instances) taken care by nginx.