How to configure nginx to proxy to a soap webservice - web-services

I am trying to configure an nginx server on an EC2 instance.
What I have done so far:
nginx is listening on 443 with SSL configured
there is a web service deployed on the EC2 instance at localhost:8086/applications/; this is what I want nginx to proxy to
What I have now is:
location /applications/.* {
proxy_pass http://localhost:8086
proxy_redirect default
}
But this doesn't work. When I try a POST to the URL https://<ip>/applications/?wsdl, the nginx error.log reads as follows:
[error]15692#0 *1 "/usr/share/nginx/html/applications/index.html" is not found (2: No such file or directory), client <my_ip>, server: , request "POST /applications/ HTTP/1.1", host: <the_host_ip>
I'm very new to nginx; your help will be appreciated, or please direct me to wherever this kind of config is documented.

You have some ;s missing in your configs and I don't think you need /applications/.* on your location
Try something like this:
server {
    listen 80;
    server_name your.website.com;
    location /applications {
        proxy_pass http://localhost:8086;
        proxy_redirect off;
    }
}
Make sure you don't have something like this:
location / {
    root html;
    index index.html index.htm;
}

It works for me with the following example code. The version of nginx is 1.8.0.
server {
    listen 5554;
    server_name localhost;
    location / {
        proxy_pass http://soap.example.com;
    }
}

Related

Bad Gateway python-telegram-bot with webhook and Nginx

I'm trying to set up a webhook with python-telegram-bot and Nginx. I am faced with a problem, my bot doesn't get messages from telegram. I also tried to make GET/POST queries from the postman and I always get a "502 Bad Gateway" error. I also launched the netstat to monitor port 5000 where my telegram bot connects but it is always empty. It seems like webhook doesn't launch at all.
My Nginx default.conf file looks like the following:
upstream django {
server gunicorn:8000;
}
server {
listen 80;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
ssl on;
server_name example.com www.example.com;
ssl_certificate fullchain.pem;
ssl_certificate_key privkey.pem;
access_log /var/log/nginx/nginx.vhost.access.log;
error_log /var/log/nginx/nginx.vhost.error.log;
location /TELEGRAM_TOKEN {
proxy_pass http://0.0.0.0:5000/TELEGRAM_TOKEN/;
}
location /static/ {
alias /static/;
}
location / {
proxy_pass http://example.com:8000;
}
}
And my telegram client code:
from telegram.ext import (Updater, CommandHandler, CallbackQueryHandler,
                          MessageHandler, Filters)

# start, button, custom_command and callback_minute are defined elsewhere
updater = Updater(api_token)
updater.dispatcher.add_handler(CommandHandler('start', start))
updater.dispatcher.add_handler(CallbackQueryHandler(button))
updater.dispatcher.add_handler(MessageHandler(Filters.text & ~Filters.command, custom_command))
jq = updater.job_queue
job_minute = jq.run_repeating(callback_minute, interval=5)
# updater.start_polling()
updater.start_webhook(listen="0.0.0.0", port=5000, url_path=api_token,
                      webhook_url=f'https://example.com/{api_token}')
updater.idle()
I also have Django options for the Nginx server but I've never seen any tutorial or documentation on how to tune the webhook with Django and it can be the reason for my problems.
Does anyone have any idea about solving my problem?
CallMeStag, your advice to use the following code helped me solve the issue:
print(Bot(api_token).get_webhook_info())
I had 2 problems with the Nginx config file.
First: ssl on
It gave me a "connection refused" error, so I deleted it.
Second:
I changed this
location /TELEGRAM_TOKEN {
proxy_pass http://0.0.0.0:5000/TELEGRAM_TOKEN/;
}
to this
location /TELEGRAM_TOKEN {
proxy_pass http://example.com:5000/TELEGRAM_TOKEN/;
}
and the webhook is now working.
Thank you.

Django CSRF "Referer Malformed"... but it isn't

I'm trying to test a deployment config for a Django setup that works fine in development mode.
I have name-based routing via Nginx's ssl_preread module on a load balancer, and SSL terminates at another Nginx instance on the server itself where the requests are proxied to uwsgi by socket.
server {
server_name dev.domain.net;
listen 80 proxy_protocol;
listen [::]:80 proxy_protocol;
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name dev.domain.net;
listen 443 ssl;
listen [::]:443 ssl;
location / {
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi/website.sock;
}
location /favicon.ico {
access_log off; log_not_found off;
}
}
I have uwsgi set to log %(host) and %(referer), they match in the logs.
In my uwsgi_params I'm passing $host and $referer like so, since I'm using name-based routing I pick up the $server_name variable that triggered the Nginx response...
uwsgi_param HTTP_REFERER $server_name;
uwsgi_param HTTP_HOST $host;
Adding (or taking away) protocols and ports to these makes no difference. Taking them away predictably generates a Django ALLOWED_HOSTS debug error.
I've confirmed that my ALLOWED_HOSTS includes the $host. I've tried adding CSRF_TRUSTED_ORIGINS for the same $host variable. I've tried setting CSRF_COOKIE_DOMAIN for the same $host variable. I have CSRF_COOKIE_SECURE set to True per the docs recommendation.
No matter what combination of the above settings is used, I get:
Referer checking failed - Referer is malformed. on all POST requests.
Short answer: don't use the uwsgi unix socket, but rather use http-socket and send the proxy request to localhost over unencrypted http (in uwsgi ini file):
http-socket = 127.0.0.1:8001
In nginx, get rid of uwsgi proxy params and simply proxy_pass with proxy_protocol headers enabled:
server {
server_name dev.domain.net;
listen 443 ssl proxy_protocol;
listen [::]:443 ssl proxy_protocol;
location / {
proxy_pass http://127.0.0.1:8001;
}
location /favicon.ico {
access_log off; log_not_found off;
}
}
At that point you can enable all of the recommended deployment settings in the Django docs, explicitly declare your ALLOWED_HOSTS and everything works fine.
This is quite a silly series of hoops with no apparent correct set of answers, especially considering referers are client headers that are easily forged.
The better answer is Django needs to get rid of a client referer check in its CSRF mechanism, it's pointless and makes no sense...
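An added illustration, not part of the original posts and not Django's code: a simplified model of the strict Referer check that Django's CSRF middleware applies to HTTPS POST requests, showing how a bare host name (what `$server_name` expands to in the `uwsgi_param HTTP_REFERER` line of the question) is classified. The function name, the sample header values and the shortened reason strings are constructed for this example.

```python
from urllib.parse import urlparse

def referer_check(referer, host, trusted_hosts=()):
    """Return None when accepted, else the reason an HTTPS POST is rejected."""
    if referer is None:
        return "no Referer"
    try:
        parsed = urlparse(referer)
    except ValueError:
        return "Referer is malformed"
    # A usable Referer is an absolute URL: it needs both a scheme and a host.
    if "" in (parsed.scheme, parsed.netloc):
        return "Referer is malformed"
    if parsed.scheme != "https":
        return "Referer is insecure while host is secure"
    if parsed.netloc == host or parsed.netloc in trusted_hosts:
        return None
    return "Referer does not match any trusted origins"

# Constructed header values for the host name used in the question.
HOST = "dev.domain.net"
CASES = {
    "bare server name": "dev.domain.net",  # what $server_name expands to
    "browser-style": "https://dev.domain.net/accounts/login/",
    "plain http": "http://dev.domain.net/accounts/login/",
    "other site": "https://other.example/form",
    "absent": None,
}

def run_cases():
    """Classify every constructed Referer value against HOST."""
    return {name: referer_check(value, HOST) for name, value in CASES.items()}
```

A hard-coded `uwsgi_param HTTP_REFERER` value also replaces whatever Referer the browser sent, so the application never sees the client's header.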

how to add new django app to deployed django project (using nginx,gunicorn)?

While running the Django project locally, I can access my home, admin, app1 and app2 directories (i.e. localhost:portnum, localhost:portnum/admin, localhost:portnum/app1, localhost:portnum/app2).
The problem began when I deployed the app on a server (I used nginx and gunicorn for the Django deployment with the help of this guide).
Problem:
I'm unable to access example.com/admin, example.com/app1, example.com/app2.
I'm able to access my home example.com anyway.
When I try to access example.com/app1/, the page gives a 403 Forbidden error:
2018/11/17 18:00:55 [error] 28459#28459: *8 directory index of "/home/ubuntu/project/app/" is forbidden, client: 172.68.146.88, server: example.com, request: "GET /events/ HTTP/1.1", host: "www.example.com"
2018/11/17 18:00:58 [error] 28459#28459: *13 open() "/usr/share/nginx/html/app" failed (2: No such file or directory), client: 172.68.146.10, server: example.com, request: "GET /events HTTP/1.1", host: "www.example.com"
Some solutions which I tried to follow before this question:
Django: when trying domain.com/admin gives 404 with an old unexisting urls file
Nginx 403 error: directory index of [folder] is forbidden
My nginx config
server {
listen 80;
listen 443;
ssl on;
ssl_certificate /home/ubuntu/certs/cert.pem;
ssl_certificate_key /home/ubuntu/certs/cert.key;
server_name example.com;
location = /favicon.ico {
access_log off;
log_not_found off;
}
location = /static/ {
root /home/ubuntu/example_project/app1;
}
location = / {
include proxy_params;
proxy_pass http://unix:/home/ubuntu/example_project/exampl_project.sock;
}
}
Thank You for trying to solve my problem.
When you use = in a location directive, it only applies to that exact path. Instead, you should remove those from both of your locations and let nginx match all prefixes.
location /static/ {
    root /home/ubuntu/example_project/app1;
}
location / {
    include proxy_params;
    proxy_pass http://unix:/home/ubuntu/example_project/exampl_project.sock;
}
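An added example, not from the original posts: a small model of nginx's documented location selection order (exact `=`, longest prefix, `^~`, then regexes in config order), run against the `location = /` blocks from this question and the `location /applications/.*` block from the SOAP question at the top of the page. It goes beyond the two cases discussed by also covering `^~` and regex locations, and it ignores nested and named locations and URI normalization; the function names are hypothetical.

```python
import re

MODIFIERS = ("=", "^~", "~", "~*")

def parse_location(spec):
    """Split the arguments of a location directive into (modifier, pattern)."""
    parts = spec.split()
    if len(parts) == 2 and parts[0] in MODIFIERS:
        return parts[0], parts[1]
    return "", parts[0]  # no modifier: plain prefix match

def select_location(specs, uri):
    """Return the location nginx would select for uri, or None (server level)."""
    path = uri.split("?", 1)[0]  # the query string takes no part in matching
    locs = [(spec,) + parse_location(spec) for spec in specs]
    # 1. An exact "=" match wins immediately.
    for spec, mod, pat in locs:
        if mod == "=" and path == pat:
            return spec
    # 2. Remember the longest matching prefix location ("" or "^~").
    best = None
    for spec, mod, pat in locs:
        if mod in ("", "^~") and path.startswith(pat):
            if best is None or len(pat) > len(best[2]):
                best = (spec, mod, pat)
    if best and best[1] == "^~":
        return best[0]  # "^~" skips the regex pass
    # 3. Regex locations are tried in config order; the first match wins.
    for spec, mod, pat in locs:
        if mod in ("~", "~*") and re.search(pat, path, re.I if mod == "~*" else 0):
            return spec
    # 4. Otherwise fall back to the remembered prefix, if any.
    return best[0] if best else None

# Location arguments taken from the two questions and the suggested fixes.
SOAP_ASKED = ["/applications/.*"]  # no "~" modifier, so ".*" is literal text
SOAP_FIXED = ["/applications"]
DJANGO_ASKED = ["= /favicon.ico", "= /static/", "= /"]
DJANGO_FIXED = ["= /favicon.ico", "/static/", "/"]

def demo():
    """Selected location for one request against each configuration."""
    return {
        "soap_asked": select_location(SOAP_ASKED, "/applications/?wsdl"),
        "soap_fixed": select_location(SOAP_FIXED, "/applications/?wsdl"),
        "django_asked": select_location(DJANGO_ASKED, "/app1/"),
        "django_fixed": select_location(DJANGO_FIXED, "/app1/"),
    }
```

A result of `None` means no location matched and the request is handled with the server-level `root`, which is where the "index.html is not found" and "directory index ... is forbidden" log lines in the questions come from.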

Nginx: 403 Forbidden nginx/1.12.1 (Ubuntu)

I've never before configured any production server, I'm trying to configure nginx and keep getting the 403 Forbidden error. I can't figure out the reason why it's happening.
Here is a complete error report:
[crit] 25145#25145: *1 connect() to unix:/home/albert/deploy_test/django_env/run/gunicorn.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.1.118, server: 192.168.1.118, request: "GET / HTTP/1.1", upstream: "http://unix:/home/albert/deploy_test/django_env/run/gunicorn.sock:/", host: "192.168.1.118"
Here is my /etc/nginx/sites-available/deployproject.conf:
(I removed the default config and created a symlink as follows: sudo ln -s /etc/nginx/sites-available/deployproject.conf /etc/nginx/sites-enabled/deployproject.conf)
upstream sample_project_server {
# fail_timeout=0 means we always retry an upstream even if it failed
# to return a good HTTP response (in case the Unicorn master nukes a
# single worker for timing out).
server unix:/home/albert/deploy_test/django_env/run/gunicorn.sock fail_timeout=0;
}
server {
listen 80;
server_name 192.168.1.118;
client_max_body_size 4G;
access_log /home/albert/logs/nginx-access.log;
error_log /home/albert/logs/nginx-error.log;
location /static/ {
alias /home/albert/static/;
}
location /media/ {
alias /home/albert/media/;
}
location / {
# an HTTP header important enough to have its own Wikipedia entry:
# http://en.wikipedia.org/wiki/X-Forwarded-For
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# enable this if and only if you use HTTPS, this helps Rack
# set the proper protocol for doing redirects:
# proxy_set_header X-Forwarded-Proto https;
# pass the Host: header from the client right along so redirects
# can be set properly within the Rack application
proxy_set_header Host $http_host;
# we don't want nginx trying to do something clever with
# redirects, we set the Host: header above already.
proxy_redirect off;
# set "proxy_buffering off" *only* for Rainbows! when doing
# Comet/long-poll stuff. It's also safe to set if you're
# using only serving fast clients with Unicorn + nginx.
# Otherwise you _want_ nginx to buffer responses to slow
# clients, really.
# proxy_buffering off;
# Try to serve static files from nginx, no point in making an
# *application* server like Unicorn/Rainbows! serve static files.
if (!-f $request_filename) {
proxy_pass http://sample_project_server;
break;
}
}
# Error pages
error_page 500 502 503 504 /500.html;
location = /500.html {
root /home/albert/static/;
}
}
Here is the complete tutorial I'm using to deploy my app. Here I'm just trying to deploy the most primitive, default Django app, but in my real app I'm using Django as a server side, so there seems to be no need for nginx to serve static files and all that.
File permissions. Incorrect file permissions are another cause of the "403 Forbidden" error. The standard setting of 755 for directories and 644 for files is recommended for use with NGINX. The NGINX user also needs to be the owner of the files.
Try to change the permissions on your web dir:
sudo chown -R albert:www-data /webdirectory
sudo chmod -R 0755 /webdirectory
Move all your sites inside the webdirectory; do not leave the dir and files in your root home.
Have you taken a look at the gunicorn docs here, which have an example of how to configure nginx?
http://docs.gunicorn.org/en/stable/deploy.html
Can you try running gunicorn via TCP instead of unix socket, in your upstream sample_project_server replace server with:
server 192.168.0.7:8000 fail_timeout=0;
What are the settings in gunicorn? You can bind to localhost via TCP with the following, to check that it isn't a problem with your unix socket:
--bind 127.0.0.1:8000
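A diagnostic sketch added here (not from the original posts): for the `connect() ... failed (13: Permission denied)` error in the question, it walks the directories leading to a socket and reports the first one that denies search permission to a given uid, then checks write permission on the socket itself. It models plain Unix mode bits only (no ACLs or SELinux); the function names and the temporary directory layout are constructed for the example.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """Classic mode-bit check for one stat result; want is 'x' or 'w'."""
    if uid == 0:
        return True
    bits = {"x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
            "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)}[want]
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])

def first_blocker(target, uid, gids, base=os.sep):
    """Return the first path from base down to target that would make
    connect() fail with EACCES for (uid, gids), or None if none does."""
    parts = os.path.relpath(target, base).split(os.sep)
    current = base
    for name in parts:
        # Every directory on the way needs search (x) permission.
        if not allowed(os.stat(current), uid, gids, "x"):
            return current
        current = os.path.join(current, name)
    # current is now the socket; connecting to it needs write permission.
    return None if allowed(os.stat(current), uid, gids, "w") else current

def demo():
    """Constructed layout: a socket below a private home-style directory."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    home = os.path.join(base, "home_albert")
    run = os.path.join(home, "run")
    os.makedirs(run)
    os.chmod(run, 0o755)
    sock = os.path.join(run, "gunicorn.sock")
    open(sock, "w").close()      # a regular file stands in for the socket
    os.chmod(sock, 0o666)
    worker_uid = os.getuid() + 1  # any uid that is neither root nor the owner
    os.chmod(home, 0o700)         # private home: others cannot traverse it
    before = first_blocker(sock, worker_uid, [], base)
    os.chmod(home, 0o711)         # grant others search permission only
    after = first_blocker(sock, worker_uid, [], base)
    return {"home": home, "before": before, "after": after}
```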

Restarting nginx on ubuntu fails

Hey, I am currently deploying my Rails app on an Ubuntu 14 server, and when I try to restart nginx it fails.
My nginx.conf looks like this:
upstream puma {
server unix:///home/deploy/apps/savoir/shared/tmp/sockets/savoir-puma.sock;
}
server {
listen 80 default_server deferred;
# server_name example.com;
root /home/deploy/apps/savoir/current/public;
access_log /home/deploy/apps/savoir/current/log/nginx.access.log;
error_log /home/deploy/apps/savoir/current/log/nginx.error.log info;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri @puma;
location @puma {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://puma;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 10M;
keepalive_timeout 10;
}
And if I test the config with this command:
sudo nginx -c /etc/nginx/nginx.conf -t
it tells me that my syntax is ok.
Why does it fail?
EDIT:
The error.log looked like this:
2016/02/15 14:17:59 [emerg] 57516#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
With deploy instead of info I get the same error message:
2016/02/16 13:20:35 [emerg] 365#0: bind() to 0.0.0.0:80 failed (98: Address already in use)
EDIT2:
I just realized that my conf is placed under /etc/nginx/sites-enabled/ and is called "savoir" (that's the name of my application). Maybe that's a mistake? I followed this guide.
EDIT3:
Ok, I changed the port in my nginx.conf and it works now:
server {
listen 81 default_server deferred;
}
Still can't see my Rails app in the webbrowser though.
EDIT4:
Uninstalled apache2 and changed the port back to 80. Now it works without changing the port.
EDIT5:
I am so close to having my application online but there is one last problem. I found this error in my puma.access.log:
Rack app error: #<RuntimeError: Missing `secret_key_base` for 'production' environment, set this value in `config/secrets.yml`>
I thought that capistrano adds this on deployment but somehow it didn't:
# /config/secrets.yml
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
Checking for a secret key with this command env | grep -E "SECRET_TOKEN|SECRET_KEY_BASE" doesn't return anything.
I tried to set it manually but that didn't really work. Could someone give me a short explanation of how best to set it?