Detail: Fetching .... Timeout


#1

I have been going through a FrontEndMasters (“Full Stack for Front End Engineers”) tutorial that sets up an nginx, node stack via the terminal. At one point in the lesson, I’m instructed to request certificates.

I am consistently “timing out” and failing the challenges.

I would very much appreciate any help.

Best wishes to all,

Beau
PS
(This is my first post and I am having trouble getting my head around this.
At the risk of sounding like an idiot, am I required to spin up a server in order to pass the challenges in this cert authorization?)

My domain is:
beau.haus
www.beau.haus

I ran this command:
sudo certbot --nginx
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): beau.haus, www.beau.haus
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for beau.haus
http-01 challenge for www.beau.haus
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.beau.haus (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.beau.haus/.well-known/acme-challenge/litdVlsN4EileF0OHrNh9RVaZTyV2OAuYNduH6nvCe0: Timeout, beau.haus (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://beau.haus/.well-known/acme-challenge/cFaubiNjh08DvAg7Z1RTtOUVoRzr5EVNM7DyC5TeEto: Timeout

IMPORTANT NOTES:

My web server is (include version):
node and nginx

The operating system my web server runs on is (include version):
ubuntu linux
Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is:
registrar: porkbun
host: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know):
YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#2

Hi @beau.haus,

I can’t connect to your site either. Are you sure nginx is started and listening on port 80? Are you sure there is a rule in your firewall allowing connections to port 80?

Cheers,
sahsanu


#3

hmm…
Something’s spinning.
— This is all a bit above my paygrade, I admit –

beau@beauhaus:/var/www/fsfe2$ node app.js
events.js:160
      throw er; // Unhandled 'error' event
      ^

Error: listen EADDRINUSE :::3001
    at Object.exports._errnoException (util.js:1020:11)
    at exports._exceptionWithHostPort (util.js:1043:20)
    at Server._listen2 (net.js:1277:14)
    at listen (net.js:1313:10)
    at Server.listen (net.js:1409:5)
    at Object. (/var/www/fsfe2/app.js:94:8)
    at Module._compile (module.js:577:32)
    at Object.Module._extensions..js (module.js:586:10)
    at Module.load (module.js:494:32)
    at tryModuleLoad (module.js:453:12)

–I will check about the firewall-- I’m still feeling my way about, so that quite likely could be the culprit. thx!


#4

That error means there is something already listening on port 3001 and I suppose it is your own application. You should stop or kill it if you want to start it again. Also, are you using nginx as a proxy to your node.js app or…?


#5

Yes, I’m using it as a proxy server. I have to be away for a bit and will look at this with more depth. I’ll be back in a few hours.
thx!


#6

To me, it looks like connections to your site (curl www.beau.haus) are timing out. That can mean a couple of things:

  • Maybe you have a firewall configured, and the firewall is too aggressive? Run ufw status and share the output.
  • Maybe you have the wrong IP address configured in DNS? Double-check your Digital Ocean control panel.


#7

Hi! I really appreciate the help. I’ve run ufw status:
root@beauhaus:/home/beau# ufw status
Status: inactive

(I believe I’m using the standard firewall rules having added via the gui in DO)

--INBOUND RULES--

ssh tcp port-range (22) all IPv4 All IPv6

--OUTBOUND RULES--

icmp icmp … all IPv4 All IPv6
all TCP TCP all ports all IPv4 All IPv6
all UDP UDP all ports all IPv4 All IPv6


#8

FWIW:
I’m instructed to proxy traffic to a node server (by the tutorial I’m following)
inside nginx/sites-available/default…

location / {
   proxy_pass http://127.0.0.1:3001/;
}

—I will double-check my steps–

/etc/nginx/sites-available$ sudo nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

---- Then, I start up my repo using forever -----

beau@beauhaus:/var/www/fsfe2$ /home/beau/.npm-global/lib/node_modules/forever/bin/forever start app.js
warn:    --minUptime not set. Defaulting to: 1000ms
warn:    --spinSleepTime not set. Your script will exit if it does not stay up for at least 1000ms
info:    Forever processing file: app.js

–allow port 443----

beau@beauhaus:/var/www/fsfe2$ sudo ufw allow 443
Rules updated
Rules updated (v6)

$ sudo ufw allow ssh
Rules updated
Rules updated (v6)

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup


$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
443                        ALLOW       Anywhere
22                         ALLOW       Anywhere
443 (v6)                   ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)


#9

Hi @beau.haus,

You need to open port 80 too:

ufw allow 80

or

ufw allow http

Then I would create a location on your server block to serve the http challenge for Let’s Encrypt; if you post the output of nginx -T I could modify it for you.

Cheers,
sahsanu


#10

(very kind of you! --Okay, just for documentation’s sake…I’ll print out the steps.)
root@beauhaus:~# ufw allow 80
Rule added
Rule added (v6)


root@beauhaus:~# nginx -T

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {

		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		proxy_pass http://127.0.0.1:3001;
	}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php7.0-cgi alone:
	#	fastcgi_pass 127.0.0.1:9000;
	#	# With php7.0-fpm:
	#	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}

(I feel like I’m very close… Thx again…)
FWIW: at this point in the tutorial, the instructor has long had access to his example site…giving me the suspicion that I missed an important step somewhere.

–There are some things that were given careful attention, others… less so.


#11

Okay, I would separate the default nginx conf file and create your own for your domains, but for now let’s work with your current conf.

Before this:

location / {

	# First attempt to serve request as file, then
	# as directory, then fall back to displaying a 404.
	proxy_pass http://127.0.0.1:3001;
}

Create this new location:

location ~ /.well-known/acme-challenge/ {
    allow all;
    default_type "text/plain";
    root /tmp;
}

Save the file and restart or reload nginx.

Once done use this command to get your certificate for beau.haus domain.

certbot certonly -a webroot -w /tmp -d beau.haus

Or if you want a certificate covering beau.haus and www.beau.haus.

certbot certonly -a webroot -w /tmp -d beau.haus,www.beau.haus

Once you get the cert, you will need to create a new server block in your default conf, something like this:

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    location / {
        proxy_pass http://127.0.0.1:3001;
    }
	
    ssl_certificate /etc/letsencrypt/live/beau.haus/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/beau.haus/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
}

As I said, I would use a new conf file and define the right server names, but it should work for now.

Cheers,
sahsanu
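Before running certbot, a server-side pre-flight catches the timeout described in this thread without burning a validation attempt. This is an added example, not certbot's or the poster's code; it assumes the /tmp webroot and the acme-challenge location above, and classify() reproduces the CA's connection/unauthorized distinction with a pluggable fetch() so it can be exercised without a live CA.

```python
"""Pre-flight for an ACME http-01 webroot challenge.  Added example, not certbot's or the
thread's code.  It assumes the thread's nginx location, which serves
/.well-known/acme-challenge/ from /tmp, so the token file lands in
/tmp/.well-known/acme-challenge/<token>."""
import base64
import hashlib
import json
import os
import secrets
import socket
import urllib.error
import urllib.request


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token, account_jwk):
    """Exact body the CA expects at /.well-known/acme-challenge/<token> (RFC 8555 s. 8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def place_challenge(webroot, token, body):
    """Write the token file where the nginx location will find it; returns its path."""
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    return path


def http_fetch(url, timeout=10.0):
    """Plain-HTTP GET on port 80, as the CA's validator does; redirects are followed."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def classify(domain, token, expected, fetch=http_fetch):
    """Map the fetch outcome onto the error classes the CA (and certbot) reports."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    try:
        body = fetch(url)
    except urllib.error.HTTPError as exc:
        return f"unauthorized: HTTP {exc.code} (location block or webroot path is wrong)"
    except OSError as exc:                     # URLError, socket.timeout and raw socket errors
        reason = getattr(exc, "reason", exc)   # URLError wraps the underlying socket error
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return "connection: timeout (port 80 unreachable: firewall, DNS or nginx not listening)"
        return f"connection: {reason}"
    if body.strip() != expected:
        return "unauthorized: body mismatch (something other than the token file was served)"
    return "ok"


def self_check(domain, webroot="/tmp", fetch=http_fetch):
    """Place a random token, fetch it via the public name, clean up; returns the verdict."""
    token = b64url(secrets.token_bytes(32))
    path = place_challenge(webroot, token, token)   # any body works for a self-test
    try:
        return classify(domain, token, token, fetch)
    finally:
        os.remove(path)


if __name__ == "__main__":
    import sys
    print(self_check(sys.argv[1] if len(sys.argv) > 1 else "beau.haus"))
```

Run it on the droplet itself: a "connection: timeout" verdict from the box's own public name points at DNS or a firewall in front of the server rather than at the nginx location.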


#12

trying to follow this carefully…
I’m editing the sites-available/default
beau@beauhaus:/etc/nginx/sites-available$ pwd
/etc/nginx/sites-available
beau@beauhaus:/etc/nginx/sites-available$ cat default
##
# You should look at the following URL’s in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

        location ~ /.well-known/acme-challenge/ {
            allow all;
            default_type "text/plain";
            root /tmp;
        }

	location / {

		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		proxy_pass http://127.0.0.1:3001;
	}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php7.0-cgi alone:
	#	fastcgi_pass 127.0.0.1:9000;
	#	# With php7.0-fpm:
	#	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}

then, restart…
beau@beauhaus:/etc/nginx/sites-available$ sudo service nginx restart

then,
beau@beauhaus:/etc/nginx/sites-available$ sudo certbot certonly -a webroot -w /tmp -d beau.haus

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for beau.haus
Using the webroot path /tmp for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. beau.haus (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://beau.haus/.well-known/acme-challenge/Bic_f1qLhzr0tbyD6MKWjVQ6wo68nlEoYe-8tNbGqBk: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: beau.haus
   Type:   connection
   Detail: Fetching
   http://beau.haus/.well-known/acme-challenge/Bic_f1qLhzr0tbyD6MKWjVQ6wo68nlEoYe-8tNbGqBk:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.


#13

There is nothing listening on port 80 or something is blocking it. Are you sure port 80 is allowed in your firewall?


#14

I believe I have, yes.

root@beauhaus:~# ufw allow 80
Skipping adding existing rule
Skipping adding existing rule (v6)
root@beauhaus:~#

I’ve just run this.
(i had run it before with the same response)


#15

For reference the DO GUI reads as follows:

A	www.beau.haus 	directs to    198.211.109.116             3600 
A	beau.haus       directs to    198.211.109.116             3600
NS	beau.haus       directs to    ns2.digitalocean.com      1800 
NS	beau.haus       directs to    ns3.digitalocean.com      1800
NS	beau.haus       directs to    ns1.digitalocean.com       1800

[edit: I’ll try disabling the firewall just to see if I can get a pulse…]


#16

Could you please show the output of these commands?

iptables --list-rules
iptables -t nat --list-rules
ip a
ss -tlpn


#17

root@beauhaus:~# iptables --list-rules
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N f2b-sshd
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A f2b-sshd -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 80 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT

root@beauhaus:~# iptables -t nat --list-rules
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

root@beauhaus:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether e2:64:dc:4b:50:87 brd ff:ff:ff:ff:ff:ff
    inet 198.211.109.116/24 brd 198.211.109.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.10.0.5/16 brd 10.10.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::e064:dcff:fe4b:5087/64 scope link
       valid_lft forever preferred_lft forever

root@beauhaus:~# ss -tlpn
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    *:22                *:*      users:(("sshd",pid=20862,fd=3))
LISTEN  0      128    *:80                *:*      users:(("nginx",pid=22522,fd=6),("nginx",pid=22521,fd=6))
LISTEN  0      128    :::22               :::*     users:(("sshd",pid=20862,fd=4))
LISTEN  0      128    :::3001             :::*     users:(("node",pid=15742,fd=10))
LISTEN  0      128    :::80               :::*     users:(("nginx",pid=22522,fd=7),("nginx",pid=22521,fd=7))
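A small chain-walker answers "would a fresh TCP SYN to port 80 be accepted by this host?" from an iptables --list-rules dump mechanically instead of by eye. This is an added example, not code from the thread; RULES is a constructed, condensed subset of the ufw chains above (INPUT policy DROP, user rules in ufw-user-input), the 198.211.109.116 default is the droplet address from the ip a output, and the parser accepts every option the full dump above uses, so it can be pointed at that output as well.

```python
"""Walk an `iptables --list-rules` dump and decide what happens to an inbound packet.
Added example, not from the thread; RULES is a constructed, condensed copy of its ufw chains."""
import ipaddress
import shlex

RULES = """\
-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-input
-A f2b-sshd -j RETURN
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -j DROP
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Match options we evaluate, each against a packet description dict.
CHECKS = {
    "-p": lambda v, p: v == p["proto"],
    "-i": lambda v, p: v == p["iface"],
    "-d": lambda v, p: ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(v, strict=False),
    "--dport": lambda v, p: int(v) == p["dport"],
    "--dports": lambda v, p: p["dport"] in {int(x) for x in v.split(",")},
    "--sport": lambda v, p: int(v) == p["sport"],
    "--ctstate": lambda v, p: p["ctstate"] in v.split(","),
    "--icmp-type": lambda v, p: int(v) == p["icmp_type"],
    "--dst-type": lambda v, p: v == p["dst_type"],
}
# Options with no match semantics here (module loaders, rate limits, target arguments).
IGNORED = {"-m", "-o", "--limit", "--limit-burst", "--log-prefix", "--reject-with"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text):
    """Return (policies, chains); chains maps a name to its [(options, target)] list."""
    policies, chains = {}, {}
    for line in filter(str.strip, text.splitlines()):
        cmd, chain, *rest = shlex.split(line)
        chains.setdefault(chain, [])
        if cmd == "-P":
            policies[chain] = rest[0]
        elif cmd == "-A":
            opts = dict(zip(rest[::2], rest[1::2]))      # every option takes one value
            if set(opts) - set(CHECKS) - IGNORED - {"-j"}:
                raise ValueError(f"unsupported option in: {line}")
            chains[chain].append((opts, opts.pop("-j")))
        elif cmd != "-N":
            raise ValueError(f"unsupported line: {line}")
    return policies, chains


def rule_matches(opts, pkt):
    return all(CHECKS[f](v, pkt) for f, v in opts.items() if f in CHECKS)


def inbound(proto, dport=None, **extra):
    """A fresh packet from the internet to the droplet's public IP (constructed defaults)."""
    pkt = {"proto": proto, "dport": dport, "sport": 40000, "iface": "eth0", "ctstate": "NEW",
           "dst_type": "LOCAL", "dst": "198.211.109.116", "src": "203.0.113.9", "icmp_type": None}
    return {**pkt, **extra}


def verdict(policies, chains, chain, pkt):
    """Walk a chain as netfilter does; None means the packet fell off a user chain."""
    for opts, target in chains[chain]:
        if not rule_matches(opts, pkt):
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target != "LOG":                  # LOG only logs; the walk continues
            result = verdict(policies, chains, target, pkt)
            if result is not None:
                return result
    return policies.get(chain)               # built-in chain: its policy decides


def inbound_verdict(rules_text, proto, dport=None, **extra):
    """inbound_verdict(RULES, "tcp", 80) -> 'ACCEPT'; ("tcp", 3001) -> 'DROP'."""
    policies, chains = parse_rules(rules_text)
    return verdict(policies, chains, "INPUT", inbound(proto, dport, **extra))
```

Feed it `iptables --list-rules` output from the host and the ACCEPT for tcp/80 shows the host firewall is not the layer that is timing out; the node port 3001 is only reachable over loopback, which is what the proxy_pass expects.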


#18

Hi @beau.haus,

I see no problem with your firewall rules; indeed, I’ve tested them on an Ubuntu server and they are working fine. Your public IP is correct and nginx is listening on port 80. Maybe there is a firewall in front of your server; as far as I know, DigitalOcean has cloud firewalls or something like that. You should take a look at your control panel in DigitalOcean to check whether there is some kind of firewall active for your droplet.

Cheers,
sahsanu


#19

There is indeed a firewall, yes.

I have not altered any default settings for this… and it seemed best to keep it as “vanilla” as possible, as I’m treading in unfamiliar territory.

–Again, i’m very grateful for your assistance in this. I’m learning a great deal & will credit you somewhere (FWIW) when this site is up :slight_smile:

–I’m inferring that I might go ahead and disable this – (I will report back once I’ve disabled it)


#20

before I take this step… I thought I might consult you to be absolutely certain: