I'm working through https://serversforhackers.com/video/letsencrypt-for-free-easy-ssl-certificates and https://certbot.eff.org/docs/intro.html , trying to add an ssl certificate to my site. I tried:
root#server:/opt/certbot# ./certbot-auto certonly --webroot -w /var/www/html --agree-tos --email me#yahoo.com -d mysite.com -d www.mysite.com --non-interactive
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Using the webroot path /var/www/html for all unmatched domains.
...
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: example.com
Type: unauthorized
Detail: Invalid response from
example.com.well-known/acme-challenge/gygb7wEj3o-_5MIoUgraBRddmqrtZdfIM-UWMySoNl8:
Domain: www.example.com
Type: unauthorized
Detail: Invalid response from
www.example.com.well-known/acme-challenge/z8oZ1FAiHBJNwWvLTI-g9hMZ5zoLdJSZBgaQ9CSTJU0:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
root#server:/opt/certbot# cd .
I checked the domain name and A record and they seem to be OK. In my browser I opened the link and I see the screenshot, which makes sense since I'm running a django app.
How can I set things so that the certbot can access the webroot?
edit :
root#server:/etc/nginx# cat nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
/var/log/nginx/access.log shows:
66.133.109.36 - - [10/Feb/2017:13:16:40 -0500] "GET /.well-known/acme-challenge/-GMR_DzXR-oOTzl7LEesFiQI0H-2zCak2Bq3cDO7mTQ HTTP/1.1" 404 1080 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [10/Feb/2017:13:16:40 -0500] "GET /.well-known/acme-challenge/4hTpEFaTJDTCiAS-Y9242MmNngEHM6e9cPr2WIdCL4Q HTTP/1.1" 404 1083 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
/var/log/nginx/error.log shows no errors.
Also I notice that there are no files in the .well known directory:
deploy#server:/var/www/html/.well-known$ ll
total 8
drwxrwxrwx 2 root root 4096 Feb 11 10:20 ./
drwxr-xr-x 3 root root 4096 Feb 10 09:29 ../
edit 2: In /etc/nginx/sites-available/mysite I've changed it to:
server {
listen 80;
server_name mysite.com www.mysite.com;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/deploy/mysite;
}
location / {
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi/mysite.sock;
}
location ~ /.well-known {
allow all;
}
}
restarted nginx - same error
The following worked in the site's server block:
server {
listen 80;
server_name mysite.com www.mysite.com;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/deploy/mysite;
}
location / {
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi/mysite.sock;
}
location ^~ /\.well-known {
allow all;
}
}
edit: here's another option that may work:
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/html;
Related
I have this Nginx configuration file set up:
server {
listen 80;
server_name example.com www.example.com;
location /flasky {
include proxy_params;
proxy_pass http://unix:/tmp/flasky.sock;
}
}
I'm using Gunicorn to bind to the socket file while running my app. I changed the ownership of the /tmp directory to www-run:www-run but I'm still getting a permission denied error. What am I doing wrong?
Edit: Here is my Nginx.conf file. It is the default that comes loaded with Nginx when installed:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
Here is the virtual host file I'm trying to use:
server {
listen 80;
server_name mywebsite.com www.mywebsite.com;
location /flasky {
include proxy_params;
proxy_pass http://127.0.0.1:8090;
}
}
And finally, the Gunicorn command I am running is:
gunicorn -b 0.0.0.0:8090 -w 2 wsgi:applicaiton
I'm working through https://serversforhackers.com/video/letsencrypt-for-free-easy-ssl-certificates and https://certbot.eff.org/docs/intro.html , trying to add an ssl certificate to my site (django 1.8 on nginx on ubuntu 16.04). I have been able to do this before a few months ago using the standalone option (Certbot cannot reach nginx webroot running django), but this time I want to get the certbot-auto script working so I can run it on a chron job. I tried:
deploy#server:/opt/certbot$ sudo ./certbot-auto certonly --webroot -w /var/www/html -d example.org -d www.example.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.org
http-01 challenge for www.example.org
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.example.org (http-01): urn:acme:erruthorized :: The client lacks sufficient authorization :: Invalid response http://www.example.org/.well-known/acme-challenge/6j3QzM4LGMRWaLYZXYTR98: "
If I paste http://www.example.org/.well-known/acme-challenge/6j3QzM4LGMRWaLYZXYTR98: " into the browser I get a 404 like in the screenshot. Is it possible to set django to allow the challenge to 'pass through ' the routing without generating a django error?
EDIT:
please note I am NOT running from root but rather a normal user (deploy)
output of nginx -T:
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/sites-enabled/example3:
server {
#listen 80;
listen 80 ;
listen [::]:80 ;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
server_name example.org www.example.org;
include snippets/ssl-example.org.conf;
include snippets/ssl-params.conf;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/deploy/example3;
}
location / {
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi/example3.sock;
}
location ~* (?:^|/)\. {
allow all;
}
}
# configuration file /etc/nginx/snippets/ssl-example.org.conf:
ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
# configuration file /etc/nginx/snippets/ssl-params.conf:
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# configuration file /etc/nginx/uwsgi_params:
uwsgi_param QUERY_STRING $query_string;
uwsgi_param REQUEST_METHOD $request_method;
uwsgi_param CONTENT_TYPE $content_type;
uwsgi_param CONTENT_LENGTH $content_length;
uwsgi_param REQUEST_URI $request_uri;
uwsgi_param PATH_INFO $document_uri;
uwsgi_param DOCUMENT_ROOT $document_root;
uwsgi_param SERVER_PROTOCOL $server_protocol;
uwsgi_param REQUEST_SCHEME $scheme;
uwsgi_param HTTPS $https if_not_empty;
uwsgi_param REMOTE_ADDR $remote_addr;
uwsgi_param REMOTE_PORT $remote_port;
uwsgi_param SERVER_PORT $server_port;
uwsgi_param SERVER_NAME $server_name;
I am learning nginx and configuring nginx.conf with gunicorn. I am running gunicorn on port 8000 and nginx listening on port 80. Sometimes it works fine, sometimes it gives an "Unable to connect" error.
Here is my nginx.conf file
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
I have supervisor config file:
here is my supervisor config file
[program:python-activate]
directory=<path of my directory>
command=/home/ashiyap/ianp3.sh gunicorn proj.wsgi:application -b 0.0.0.0:8000
autostart=true
autorestart=true
stderr_logfile=/var/log/supervisor.err.log
stdout_logfile=/var/log/supervisor.out.log
Here is my nginx python conf file
server {
# the port your site will be served on
listen 80;
# the domain name it will serve for
server_name <ipaddress>; # substitute by your FQDN and machine's IP address
charset utf-8;
#Max upload size
client_max_body_size 75M; # adjust to taste
# Django media
location /media {
root /home/ashiyap/test/wp005_v02.00.00.d2_itr1/proj; # your Django project's media files
autoindex off;
}
location /static {
root /home/ashiyap/test/wp005_v02.00.00.d2_itr1/proj; # your Django project's static file
autoindex off;
}
# Finally, send all non-media requests to the Django server.
location / {
proxy_pass http://<ipaddress>:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
I am trying to follow this guide here to run flask app with ngnix. I followed everything but nginx still serves the default page and not from my app.
Attached are my conf files -
app.ini
[uwsgi]
module = wsgi
callable = app
master = true
processes = 3
socket = potter.sock
chmod-socket = 777
vacuum = true
die-on-term = true
Upstart script potter.conf
description "uWSGI server instance configured to serve potter"
start on runlevel [2345]
stop on runlevel [!2345]
setuid root
setgid root
env PATH=/root/jobs_env/bin
chdir /root/potter
exec uwsgi --ini app.ini
nginx.conf
user root;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules;
##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
potter in sites-enabled for nginx
server {
listen 80;
server_name 178.62.31.95;
location / {
include uwsgi_params;
uwsgi_pass unix:/root/potter/potter.sock;
}
}
EDIT -
I get the following error in nginx error logs -
2015/05/06 16:46:12 [error] 19614#0: *3 connect() to unix:/tmp/potter.sock failed (111: Connection refused) while connecting to upstream, client: 113.193.186.206, server: potter.hack, request: "GET / HTTP/1.1", upstream: "uwsgi://unix:/tmp/potter.sock:", host: "178.62.31.95"
Give it a try with these changes:
app.ini
[uwsgi]
...
socket = 127.0.0.1:5678 # Use the inner port you want for this
...
in /etc/nginx/sites-enabled/potter add:
upstream uwsgi_myupsocket {
server 127.0.0.1:5678;
}
server {
[...]
location / {
include uwsgi_params;
uwsgi_pass uwsgi_myupsocket;
[...]
}
[...]
}
I hope this will help.
EDIT: You can try to execute manually the .ini file from shell:
root#yourmachine:~/potter# uwsgi app.ini
Output should give information about what's wrong with the configuration
I'm putting together a PoC for a side-project meal-planner tool. I'm using django running on AWS with nginx and uwsgi. The site is running and loading pages, but there is no CSRF cookie being passed to the browser.
The CSRF and Messages middleware are both enabled, and the django debug output lists a value for 'CSRF_COOKIE', and my browser has cookies enabled, so I suspect that Django is attempting to set a cookie which is getting stripped out by nginx or uwsgi.
Configuration information below:
uwsgi.ini
[uwsgi]
chdir=/opt/django/mealplanner/src/mealplanner/
module=mealplanner.wsgi:application
master=True
autoload=True
pidfile=/opt/run/mealplanner.pid
vacuum=True
max-requests=5000
socket=/opt/run/mealplanner.sock
chmod-socket=True
harakiri=120
processes=1
home=/opt/django/mealplanner/src
daemonize=/opt/log/uwsgi/mealplanner.log
nginx.conf
user www-data;
worker_processes 1;
pid /opt/run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /opt/log/nginx/access.log;
error_log /opt/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
gzip_proxied any;
gzip_comp_level 2;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml \
application/xml+rss text/javascript;
server {
listen 80;
# I've also tried the dns name I access the site with as the server name.
server_name ec2-xx-xx-xx-xx.us-west-2.compute.amazonaws.com xx.xx.xx.xx;
client_max_body_size 50M;
set $home /opt/django/mealplanner;
root $home;
location / {
include uwsgi_params;
uwsgi_pass unix://opt/run/mealplanner.sock;
root $home;
}
}
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
It looks like the problem might possibly have been the server_name in nginx.conf. It suddenly started working, and the only thing I had changed was making the server_name match the domain name of the site. On the other hand, changing it back didn't seem to re-introduce the problem, so either I'm not restarting nginx properly or that wasn't the issue after all.
The site is working now, but it's one of those situations where I don't have a satisfactory understanding of the cause and solution, so if anyone can confirm this hypothesis or point out something else I'd welcome the input.