I'm working through https://serversforhackers.com/video/letsencrypt-for-free-easy-ssl-certificates and https://certbot.eff.org/docs/intro.html , trying to add an ssl certificate to my site (django 1.8 on nginx on ubuntu 16.04). I have been able to do this before a few months ago using the standalone option (Certbot cannot reach nginx webroot running django), but this time I want to get the certbot-auto script working so I can run it on a chron job. I tried:
deploy#server:/opt/certbot$ sudo ./certbot-auto certonly --webroot -w /var/www/html -d example.org -d www.example.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.org
http-01 challenge for www.example.org
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.example.org (http-01): urn:acme:erruthorized :: The client lacks sufficient authorization :: Invalid response http://www.example.org/.well-known/acme-challenge/6j3QzM4LGMRWaLYZXYTR98: "
If I paste http://www.example.org/.well-known/acme-challenge/6j3QzM4LGMRWaLYZXYTR98: " into the browser I get a 404 like in the screenshot. Is it possible to set django to allow the challenge to 'pass through ' the routing without generating a django error?
EDIT:
please note I am NOT running from root but rather a normal user (deploy)
output of nginx -T:
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/sites-enabled/example3:
server {
#listen 80;
listen 80 ;
listen [::]:80 ;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
server_name example.org www.example.org;
include snippets/ssl-example.org.conf;
include snippets/ssl-params.conf;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/deploy/example3;
}
location / {
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi/example3.sock;
}
location ~* (?:^|/)\. {
allow all;
}
}
# configuration file /etc/nginx/snippets/ssl-example.org.conf:
ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
# configuration file /etc/nginx/snippets/ssl-params.conf:
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# configuration file /etc/nginx/uwsgi_params:
uwsgi_param QUERY_STRING $query_string;
uwsgi_param REQUEST_METHOD $request_method;
uwsgi_param CONTENT_TYPE $content_type;
uwsgi_param CONTENT_LENGTH $content_length;
uwsgi_param REQUEST_URI $request_uri;
uwsgi_param PATH_INFO $document_uri;
uwsgi_param DOCUMENT_ROOT $document_root;
uwsgi_param SERVER_PROTOCOL $server_protocol;
uwsgi_param REQUEST_SCHEME $scheme;
uwsgi_param HTTPS $https if_not_empty;
uwsgi_param REMOTE_ADDR $remote_addr;
uwsgi_param REMOTE_PORT $remote_port;
uwsgi_param SERVER_PORT $server_port;
uwsgi_param SERVER_NAME $server_name;
Related
I have this Nginx configuration file set up:
server {
listen 80;
server_name example.com www.example.com;
location /flasky {
include proxy_params;
proxy_pass http://unix:/tmp/flasky.sock;
}
}
I'm using Gunicorn to bind to the socket file while running my app. I changed the ownership of the /tmp directory to www-run:www-run but I'm still getting a permission denied error. What am I doing wrong?
Edit: Here is my Nginx.conf file. It is the default that comes loaded with Nginx when installed:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
Here is the virtual host file I'm trying to use:
server {
listen 80;
server_name mywebsite.com www.mywebsite.com;
location /flasky {
include proxy_params;
proxy_pass http://127.0.0.1:8090;
}
}
And finally, the Gunicorn command I am running is:
gunicorn -b 0.0.0.0:8090 -w 2 wsgi:applicaiton
I'm using django channel for my Django application. On top of Django, I add nginx as layer for http request. All http request is working nicely, but when I tried to create a websocket connection, it was getting 302 HTTP Code.
Nginx Configuration
# Enable upgrading of connection (and websocket proxying) depending on the
# presence of the upgrade field in the client request header
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Define connection details for connecting to django running in
# a docker container.
upstream uwsgi {
server uwsgi:8080;
}
server {
# OTF gzip compression
gzip on;
gzip_min_length 860;
gzip_comp_level 5;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain application/xml application/x-javascript text/xml text/css application/json;
gzip_disable “MSIE [1-6].(?!.*SV1)”;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# the port your site will be served on
listen 8080;
# the domain name it will serve for
#server_name *;
charset utf-8;
error_page 500 502 /500.html;
location = /500.html {
root /html;
internal;
}
# max upload size, adjust to taste
client_max_body_size 15M;
# Django media
location /media {
# your Django project's media files - amend as required
alias /home/web/media;
expires 21d; # cache for 71 days
}
location /static {
# your Django project's static files - amend as required
alias /home/web/static;
expires 21d; # cache for 21 days
}
location /archive {
proxy_set_header Host $http_host;
autoindex on;
# your Django project's static files - amend as required
alias /home/web/archive;
expires 21d; # cache for 6h
}
# Finally, send all non-media requests to the Django server.
location / {
uwsgi_pass uwsgi;
# the uwsgi_params file you installed needs to be passed with each
# request.
# the uwsgi_params need to be passed with each uwsgi request
uwsgi_param QUERY_STRING $query_string;
uwsgi_param REQUEST_METHOD $request_method;
uwsgi_param CONTENT_TYPE $content_type;
uwsgi_param CONTENT_LENGTH $content_length;
uwsgi_param REQUEST_URI $request_uri;
uwsgi_param PATH_INFO $document_uri;
uwsgi_param DOCUMENT_ROOT $document_root;
uwsgi_param SERVER_PROTOCOL $server_protocol;
uwsgi_param HTTPS $https if_not_empty;
uwsgi_param REMOTE_ADDR $remote_addr;
uwsgi_param REMOTE_PORT $remote_port;
uwsgi_param SERVER_PORT $server_port;
uwsgi_param SERVER_NAME $server_name;
if (!-f $request_filename) {
proxy_pass http://uwsgi;
break;
}
# Require http version 1.1 to allow for upgrade requests
proxy_http_version 1.1;
# We want proxy_buffering off for proxying to websockets.
proxy_buffering off;
# http://en.wikipedia.org/wiki/X-Forwarded-For
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# enable this if you use HTTPS:
# proxy_set_header X-Forwarded-Proto https;
# pass the Host: header from the client for the sake of redirects
proxy_set_header Host $http_host;
# We've set the Host header, so we don't need Nginx to muddle
# about with redirects
proxy_redirect off;
# Depending on the request value, set the Upgrade and
# connection headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
Routing.py
from channels.routing import route
from consumers import ws_add, ws_message, ws_disconnect
channel_routing = [
route("websocket.connect", ws_add),
route("websocket.receive", ws_message),
route("websocket.disconnect", ws_disconnect),
]
Consumers. py
from channels import Channel, Group
from channels.sessions import channel_session
from channels.auth import channel_session_user, channel_session_user_from_http
# Connected to websocket.connect
#channel_session_user_from_http
def ws_add(message):
# Accept the connection
message.reply_channel.send({"accept": True})
# Add to the group
Group("progress-%s" % message.user.username).add(message.reply_channel)
#channel_session_user
def ws_message(message):
Group("progress-%s" % message.user.username).send({
"text": message['text'],
})
# Connected to websocket.disconnect
#channel_session_user
def ws_disconnect(message):
Group("progress-%s" % message.user.username).discard(message.reply_channel)
If i remove the nginx layer it is working nicely. Is there any configuration that I miss?
I'm working through https://serversforhackers.com/video/letsencrypt-for-free-easy-ssl-certificates and https://certbot.eff.org/docs/intro.html , trying to add an ssl certificate to my site. I tried:
root#server:/opt/certbot# ./certbot-auto certonly --webroot -w /var/www/html --agree-tos --email me#yahoo.com -d mysite.com -d www.mysite.com --non-interactive
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Using the webroot path /var/www/html for all unmatched domains.
...
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: example.com
Type: unauthorized
Detail: Invalid response from
example.com.well-known/acme-challenge/gygb7wEj3o-_5MIoUgraBRddmqrtZdfIM-UWMySoNl8:
Domain: www.example.com
Type: unauthorized
Detail: Invalid response from
www.example.com.well-known/acme-challenge/z8oZ1FAiHBJNwWvLTI-g9hMZ5zoLdJSZBgaQ9CSTJU0:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
root#server:/opt/certbot# cd .
I checked the domain name and A record and they seem to be OK. In my browser I opened the link and I see the screenshot, which makes sense since I'm running a django app.
How can I set things so that the certbot can access the webroot?
edit :
root#server:/etc/nginx# cat nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
/var/log/nginx/access.log shows:
66.133.109.36 - - [10/Feb/2017:13:16:40 -0500] "GET /.well-known/acme-challenge/-GMR_DzXR-oOTzl7LEesFiQI0H-2zCak2Bq3cDO7mTQ HTTP/1.1" 404 1080 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [10/Feb/2017:13:16:40 -0500] "GET /.well-known/acme-challenge/4hTpEFaTJDTCiAS-Y9242MmNngEHM6e9cPr2WIdCL4Q HTTP/1.1" 404 1083 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
/var/log/nginx/error.log shows no errors.
Also I notice that there are no files in the .well known directory:
deploy#server:/var/www/html/.well-known$ ll
total 8
drwxrwxrwx 2 root root 4096 Feb 11 10:20 ./
drwxr-xr-x 3 root root 4096 Feb 10 09:29 ../
edit 2: In /etc/nginx/sites-available/mysite I've changed it to:
server {
listen 80;
server_name mysite.com www.mysite.com;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/deploy/mysite;
}
location / {
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi/mysite.sock;
}
location ~ /.well-known {
allow all;
}
}
restarted nginx - same error
The following worked in the site's server block:
server {
listen 80;
server_name mysite.com www.mysite.com;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/deploy/mysite;
}
location / {
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi/mysite.sock;
}
location ^~ /\.well-known {
allow all;
}
}
edit: here's another option that may work:
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/html;
I am learning nginx and configuring nginx.conf with gunicorn. I am running gunicorn on port 8000 and nginx listening on port 80. Sometimes it works fine, sometimes it gives an "Unable to connect" error.
Here is my nginx.conf file
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
I have supervisor config file:
here is my supervisor config file
[program:python-activate]
directory=<path of my directory>
command=/home/ashiyap/ianp3.sh gunicorn proj.wsgi:application -b 0.0.0.0:8000
autostart=true
autorestart=true
stderr_logfile=/var/log/supervisor.err.log
stdout_logfile=/var/log/supervisor.out.log
Here is my nginx python conf file
server {
# the port your site will be served on
listen 80;
# the domain name it will serve for
server_name <ipaddress>; # substitute by your FQDN and machine's IP address
charset utf-8;
#Max upload size
client_max_body_size 75M; # adjust to taste
# Django media
location /media {
root /home/ashiyap/test/wp005_v02.00.00.d2_itr1/proj; # your Django project's media files
autoindex off;
}
location /static {
root /home/ashiyap/test/wp005_v02.00.00.d2_itr1/proj; # your Django project's static file
autoindex off;
}
# Finally, send all non-media requests to the Django server.
location / {
proxy_pass http://<ipaddress>:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
It is slightly over 4 hours now, and I cannot get my nginx server to work with my SSL certificates for my Django application.
Here is my nginx.conf:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
upstream app {
server django:5000;
}
server {
listen 80;
server_name www.example.com;
rewrite ^/(.*) https://www.example.com/$1 permanent;
}
server {
listen 443 ssl;
server_name www.example.com;
charset utf-8;
ssl on;
ssl_certificate /etc/nginx/ssl/1_www.example.com_bundle.crt;
ssl_certificate_key /etc/nginx/ssl/example_rsa.key;
location / {
try_files $uri #proxy_to_app;
}
location #proxy_to_app {
proxy_pass http://app;
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
}
}
}
I did manage to redirect all http traffic to https, but when I visit https://www.example.com I get a beautiful ERR_CONNECTION_REFUSED.
The only related part I can think of in my Django application is:
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
but I do think that the problem is at nginx level. I am using Django Cookiecutter by pydanny. The unmodified nginx.conf file can be found here. I did edit the Dockerfile to ADD my certificates.
Thanks!
This is a conf file I use for that case. You might want to compare or follow the same approach:
# nginx config file for example.com
upstream django {
server unix:/srv/www/app/run/app.sock;
}
server {
listen 80 default_server;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate /etc/nginx/ssl/app.crt;
ssl_certificate_key /etc/nginx/ssl/app.key;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/nginx/ssl/app.crt;
ssl_certificate_key /etc/nginx/ssl/app.key;
proxy_set_header X-Forwarded-Protocol $scheme;
add_header Strict-Transport-Security "max-age=31536000";
charset utf-8;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
location /media {
alias /srv/www/app/app/media;
}
location /static {
alias /srv/www/app/app/collected_static;
}
location / {
uwsgi_pass django;
include /srv/www/app/run/uwsgi_params;
}
location /api/v1/app/upload {
uwsgi_max_temp_file_size 1M;
}
location /favicon.ico {
alias /srv/www/app/app/collected_static/img/favicon.ico;
}
}
On django side, only for production environment, I do:
# SSL
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
That's it!