I'm trying to enable port 443 on Linux Nginx as I'm trying to install an SSL certificate. I've ran sudo lsof -i -P -n | grep LISTEN and got the following:
rpcbind 1751 rpc 8u IPv4 15914 0t0 TCP *:111 (LISTEN)
rpcbind 1751 rpc 11u IPv6 15917 0t0 TCP *:111 (LISTEN)
master 2172 root 13u IPv4 17752 0t0 TCP 127.0.0.1:25 (LISTEN)
nginx 2264 root 6u IPv4 19741 0t0 TCP *:80 (LISTEN)
nginx 2264 root 7u IPv6 19742 0t0 TCP *:80 (LISTEN)
nginx 2265 nginx 6u IPv4 19741 0t0 TCP *:80 (LISTEN)
nginx 2265 nginx 7u IPv6 19742 0t0 TCP *:80 (LISTEN)
nginx 2266 nginx 6u IPv4 19741 0t0 TCP *:80 (LISTEN)
nginx 2266 nginx 7u IPv6 19742 0t0 TCP *:80 (LISTEN)
sshd 7640 root 3u IPv4 1317041 0t0 TCP *:22 (LISTEN)
sshd 7640 root 4u IPv6 1317050 0t0 TCP *:22 (LISTEN)
sudo netstat -tulpn | grep :443 doesn't give any result either.
I ran sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT but this didn't work. I did not get any results after this command.
My server is running on AWS EC2 and my security group has HTTPS enabled, but I still have the same issue.
My nginx.conf looks like this. I've added settings for a TLS enabled server listening on port 443:
server {
listen 80;
listen [::]:80;
server_name _;
location / {
root /home/ec2-user;
try_files $uri $uri/ /index.html;
# add_header 'Access-Control-Allow-Origin' '*';
}
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
# Settings for a TLS enabled server.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name _;
root /home/ec2-user;
ssl_certificate "/etc/pki/nginx/server.crt";
ssl_certificate_key "/etc/pki/nginx/private/server.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers PROFILE=SYSTEM;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
First check if ngnix is running with systemctl status nginx
If not then there is something wrong with config file and I guess your ssl certificates are missing. If that is the case then try to generate certificates and place in same path as you mention in your nginx.conf with owner of that dir as nginx.
Related
I have multiple node.js apps running (through pm2) on different ports (8000, 8200, 8300) of a single server using the http protocol.
Now to enable https support I installed nginx and wrote config for redirecting incoming traffic on port 8200 to the localhost's port 8200 (likewise for ports 8000 and 8300) but it causes nginx to crash with the error: nginx: [emerg] bind() to [::]:8200 failed (98: Address already in use)
Following is my nginx config:
server {
listen 8200 ssl;
server_name <redacted>;
ssl_certificate /certs/<redacted>.cer;
ssl_certificate_key /certs/<redacted>.key;
error_page 497 301 =307 https://$host:$server_port$request_uri;
location / {
proxy_pass http://localhost:8200;
proxy_redirect off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
}
}
I understand that port 8200 is already being used by pm2 but I want to redirect http traffic on those ports to https somehow.
The problem is this line:
listen 8200 ssl;
You can't listen on the same port than your node app.
Servers, like nginx or your node app use sockets to listen to network datas. So even if it is on another network protocol they should listen to the socket. So, port SOULD be diffrents.
I am trying to make a request to the my Node Express server via the browser and I am being returned with ERR_CONNECTION_REFUSED.
i.e.
POST http://localhost:9000/api/search net::ERR_CONNECTION_REFUSED
Requests from the Chrome console are also refused.
However, when I make curl requests from the EC2 terminal, the request is successful and i'm returned a JSON.
My nginx.conf file is detailed below:
server {
listen 80 default_server;
server_name _;
location / {
root /usr/share/nginx/html;
include /etc/nginx/mime.types;
try_files $uri $uri/ /index.html;
add_header 'Access-Control-Allow-Headers' *;
add_header 'Access-Control-Allow-Origin' *;
add_header 'Access-Control-Allow-Methods' *;
}
location /sockjs-node {
proxy_pass http://localhost:80;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
location /api {
proxy_pass http://localhost:9000;
}
}
From within the EC2 instance, the firewall status is:
sudo ufw status
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx Full ALLOW Anywhere
9000 ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
9000 (v6) ALLOW Anywhere (v6)
netstat -tunlp returns
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::9000 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 172.31.2.45:68 0.0.0.0:* -
udp 0 0 127.0.0.1:323 0.0.0.0:* -
udp6 0 0 ::1:323 :::* -
My EC2 security group rules look like this
I've no idea what the issue could be. Any help would be appreciated.
SOLUTION: I've managed to resolve the issue by changing all fetch requests on the front-end to use the EC2 IP address instead of localhost. This doesn't seem very optimal though. Is there some sort of wildcard operator I could use instead as the EC2 IP address changes on restart. Any advances would be appreciated!
SOLUTION: I've managed to resolve the issue by changing all fetch requests on the front-end to use the EC2 IP address instead of localhost. This doesn't seem very optimal though. Is there some sort of wildcard operator I could use instead as the EC2 IP address changes on restart. Any advances would be appreciated!
Been ripping hair out because I cannot find out why I cannot connect to my WebSocket server through HTTPS.
So, I have an Express 4 server running a vue app. It uses the ws library from npm to connect to the WebSocket server. The nginx is 1.10.3. I use LetsEncrypt to secure it.
When I go online, I get (in the console):
main.js:12 WebSocket connection to 'wss://play.mysite.com:8443/' failed: Error in connection establishment: net::ERR_CONNECTION_CLOSED
Line 12:
window.ws = new WebSocket(${tls}://${window.location.hostname}:${port});`
That is wss://play.mysite.com:8443. It is indeed on a subdomain.
Here is my nginx block:
update: I got it!
upstream websocket {
server 127.0.0.1:8443;
}
server {
root /var/www/play.mysite.com/dist;
index index.html;
access_log /var/log/wss-access-ssl.log;
error_log /var/log/wss-error-ssl.log;
server_name play.mysite.com www.play.mysite.com;
location /ws {
proxy_pass http://websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
}
listen [::]:443 ssl ipv6only=on default_server; # managed by Certbot
listen 443 ssl http2 default_server; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/play.mysite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/play.mysite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
As you see, we have the subdomain on https://play.mysite.com. My Express server always listen on port 4000 and my WebSocket server listens to wss / port 8443 on production.
When I view the /var/log/wss-error-ssl.log, I get:
2018/03/01 04:45:17 [error] 30343#30343: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 68.117.172.118, server: play.mysite.com, request: "GET /static/css/app.67b8cb3fda61e1e2deaa067e29b52040.css HTTP/1.1", upstream: "http://[::1]:4000/static/css/app.67b8cb3fda61e1e2deaa067e29b52040.css", host: "play.mysite.com", referrer: "https://play.mysite.com/"
So, what exactly am I doing wrong?
The proxy_pass was set right. Listening to port 8443 for WebSocket on both client/server. What is the meaning? Thank you.
edit: and yes, I know the port 8443 is running:
root#MySITE:/var/www/play.mysite.com# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:https *:* LISTEN
tcp 0 0 localhost:4000 *:* LISTEN
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp6 0 0 [::]:8443 [::]:* LISTEN
tcp6 0 0 [::]:https [::]:* LISTEN
tcp6 0 0 [::]:http [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
udp 0 0 *:bootpc *:*
udp 0 0 45.76.1.234.vultr.c:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*
udp6 0 0 2001:19f0:5:2b9c:54:ntp [::]:*
udp6 0 0 fe80::5400:1ff:fe61:ntp [::]:*
udp6 0 0 localhost:ntp [::]:*
udp6 0 0 [::]:ntp [::]:*
TL'DR Add a second location block for /websocket and have the javascript client hit wss://play.mysite.com/websocket
I see a couple of issues with your nginx server conf.
Nginx is not listening on port 8443 yet your javascript is hitting wss://play.mysite.com:8443. So while nginx is serving up ports 443 and 80 for the play.mysite.com domain, you javascript is trying to bypass nginx using wss (TLS) and hit NodeJS directly -- though I suppose you meant to offload the SSL onto Nginx. The wss call must go through nginx in order for the SSL handshake to be successful.
You are passing all calls to localhost:4000. Instead I suggest that you have two location blocks location / { ... } and location /websocket { ... }. This way in the second websocket location block you can proxy pass the calls to localhost:8443. This would require the client to connect to wss://play.mysite.com/websocket.
I am trying to get data from my server but if I try from 0.0.0.0/my/api it gives a 400, but if I try from localhost/my/api it gives the content I need. I am using nginx and here is the config file for the server
server {
listen 80;
server_name localhost;
access_log /var/log/nginx/myapp.log;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/myapp;
}
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Also if I do a netstat I get this for the server
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 8080/nginx
Why would it only give me the correct content from localhost, and give me 400's from the 0.0.0.0 address? Also this is making it so I can not access the api from an outside machine. Finally I am using gunicorn as a backend server and using nginx to reverse proxy gunicorn.
It looks like your output is the output from netstat -a not just netstat. Here's a fairly generic result from netstat -a on an AWS Ubuntu image:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:hostmon 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp 0 0 localhost:domain 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
As one of the commenters noted 0.0.0.0 means "all ip addresses".
Localhost will be represented specifically by the word localhost as shown above.
P.S. The server_name directive doesn't need to be specified for such a simple nginx.conf where you only have one server block.
P.P.S. Nice touch turning off logging for favicon in your nginx config!
My site shows always a blank page when I run Nginx on port 80. However if I run Nginx on an other port e.g. port 8080 and I go to mypage.com:8080 it shows my Meteor App. I have no idea why Nginx work on all ports but 80.
Here are my configs.
Nginx
server {
listen *:80 default_server;
server_name mypage.de;
access_log /var/log/nginx/app.dev.access.log;
error_log /var/log/nginx/app.dev.error.log;
location / {
proxy_pass http://127.0.0.1:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header X-Forwarded-For $remote_addr;
}
}
Meteor App started with
sudo PORT=5000 MONGO_URL=mongodb://user:pwd#127.0.0.1:27017/mypage
ROOT_URL=http://mypage.de forever start -a -o out.log -e err.log main.js
netstat -tulpn shows
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 11214/nginx -g daem
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 10853/node
but as I said before mypage.de shows blank page... The same configs with Nginx on Port 8080 works. I working on Ubuntu. How can I fix this?
Your IP Tables seem to be blocking port 80. That or a firewall in between you and your server.
These are the IP Table rules for web traffic. Just run these commands on the command line:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
I would also drop any rules that aren't needed like allowing port 5000. You only want people going to the web ports and that's it.