Error Type: connection Detail: Fetching

So did you get it working?

My Nginx server is working http://172.104.239.204/
But the server block at https://openbooksocial.com/ with mastodon install, is not redirecting properly.
Any clue would be great. Thanks!

The redirection seems to be looping:

curl -Iki http://openbooksocial.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.17.10 (Ubuntu)
Date: Fri, 26 Jun 2020 07:30:17 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
Location: https://openbooksocial.com/

curl -Iki https://openbooksocial.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.17.10 (Ubuntu)
Date: Fri, 26 Jun 2020 07:30:20 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
Location: https://openbooksocial.com/

HTTP > HTTPS [this is good]
HTTPS > ITSELF [this is bad - endless loop]

Can we see the vhost configs for HTTP and HTTPS?

Thanks.
Can we see the vhost configs for HTTP and HTTPS?

Do you know your way around NGINX?
If not, show the output of:
grep -Eri 'server_name|SSL|listen' /etc/nginx/

Are you using anything like WordPress?

Not Wordpress. Its Mastodon.

root@localhost:/var/www/html# grep -Eri ‘server_name|SSL|listen’ /etc/nginx/
/etc/nginx/fastcgi.conf:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/uwsgi_params:uwsgi_param SERVER_NAME $server_name;
/etc/nginx/nginx.conf: # server_names_hash_bucket_size 64;
/etc/nginx/nginx.conf: # server_name_in_redirect off;
/etc/nginx/nginx.conf: # SSL Settings
/etc/nginx/nginx.conf: ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
/etc/nginx/nginx.conf: ssl_prefer_server_ciphers on;
/etc/nginx/nginx.conf:# listen localhost:110;
/etc/nginx/nginx.conf:# listen localhost:143;
/etc/nginx/fastcgi_params:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/sites-available/mastodon: server_name openbooksocial.com;
/etc/nginx/sites-available/mastodon: listen [::]:443 ssl ipv6only=on; # managed by Certbot
/etc/nginx/sites-available/mastodon: listen 443 ssl; # managed by Certbot
/etc/nginx/sites-available/mastodon: ssl_certificate /etc/letsencrypt/live/openbooksocial.com/fullchain.pem; # managed by Certbot
/etc/nginx/sites-available/mastodon: ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem; # managed by Certbot
/etc/nginx/sites-available/mastodon: include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
/etc/nginx/sites-available/mastodon: ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
/etc/nginx/sites-available/mastodon:#listen 443;
/etc/nginx/sites-available/mastodon:# listen 443 ssl http2;
/etc/nginx/sites-available/mastodon: # listen [::]:443 ssl http2;
/etc/nginx/sites-available/mastodon:# server_name openbooksocial.com;
/etc/nginx/sites-available/mastodon:# ssl_protocols TLSv1.2 TLSv1.3;
/etc/nginx/sites-available/mastodon: # ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
/etc/nginx/sites-available/mastodon: # ssl_prefer_server_ciphers on;
/etc/nginx/sites-available/mastodon: #ssl_session_cache shared:SSL:10m;
/etc/nginx/sites-available/mastodon:# ssl_certificate /etc/letsencrypt/live/openbooksocial.com/fullchain.pem;
/etc/nginx/sites-available/mastodon: # ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem;
/etc/nginx/sites-available/mastodon: listen 80;
/etc/nginx/sites-available/mastodon: listen [::]:80;
/etc/nginx/sites-available/mastodon: server_name openbooksocial.com;
/etc/nginx/sites-available/default: listen 80 default_server;
/etc/nginx/sites-available/default: listen [::]:80 default_server;
/etc/nginx/sites-available/default: # server_name openbooksocial.com;
/etc/nginx/sites-available/default: # SSL configuration
/etc/nginx/sites-available/default: # listen 443 ssl default_server;
/etc/nginx/sites-available/default: # listen [::]:443 ssl default_server;
/etc/nginx/sites-available/default: # Note: You should disable gzip for SSL traffic.
/etc/nginx/sites-available/default: # Read up on ssl_ciphers to ensure a secure configuration.
/etc/nginx/sites-available/default: # Self signed certs generated by the ssl-cert package
/etc/nginx/sites-available/default: server_name _;
/etc/nginx/sites-available/default:# listen 80;
/etc/nginx/sites-available/default:# listen [::]:80;
/etc/nginx/sites-available/default:# server_name example.com;
/etc/nginx/snippets/snakeoil.conf:# Self signed certificates generated by the ssl-cert package
/etc/nginx/snippets/snakeoil.conf:ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
/etc/nginx/snippets/snakeoil.conf:ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
/etc/nginx/scgi_params:scgi_param SERVER_NAME $server_name;

OK, all the “magic” seems to be happening here:
/etc/nginx/sites-available/mastodon

Let’s have a look at that entire file.


root@localhost:/var/www/html# cat /etc/nginx/sites-available/mastodon
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

upstream backend {
    server 127.0.0.1:3000 fail_timeout=0;
}

upstream streaming {
    server 127.0.0.1:4000 fail_timeout=0;
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;

server {
  server_name openbooksocial.com;
  root /home/mastodon/live/public;
#root /var/www/html;
 location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/openbooksocial.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
#listen 443;
#return 301 http://$host$request_uri;


#  listen 443 ssl http2;
 # listen [::]:443 ssl http2;
#  server_name openbooksocial.com;

#  ssl_protocols TLSv1.2 TLSv1.3;
 # ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
 # ssl_prefer_server_ciphers on;
  #ssl_session_cache shared:SSL:10m;

  # Uncomment these lines once you acquire a certificate:

# ssl_certificate     /etc/letsencrypt/live/openbooksocial.com/fullchain.pem;
  # ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem;

  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 80m;


  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

#  add_header Strict-Transport-Security "max-age=31536000";

  location / {
    try_files $uri @proxy;
  }

  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
    add_header Cache-Control "public, max-age=31536000, immutable";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }

  location /sw.js {
    add_header Cache-Control "public, max-age=0";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }

  location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";
    proxy_pass_header Server;

    proxy_pass http://backend;
    proxy_buffering on;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    proxy_cache CACHE;
    proxy_cache_valid 200 7d;
    proxy_cache_valid 410 24h;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    add_header X-Cached $upstream_cache_status;
    add_header Strict-Transport-Security "max-age=31536000";

    tcp_nodelay on;
  }

  location /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";

    proxy_pass http://streaming;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  error_page 500 501 502 503 504 /500.html;
}


server {
    if ($host = openbooksocial.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen 80;
  listen [::]:80;
  server_name openbooksocial.com;
    return 404; # managed by Certbot


}
root@localhost:/var/www/html#

Please edit your post and add a line above and below with just these three back ticks:
```

[so we can read it better]

This block doesn’t need to redirect:

server {
  server_name openbooksocial.com;
  root /home/mastodon/live/public;
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; } <<<<<<<<<<<<<<<<<<  take this out 
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/openbooksocial.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

This block doesn’t have a listen statement…
So I’m not sure what it does, if anything:

server {
  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 80m;
  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
  location / {
    try_files $uri @proxy;
  }
  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
    add_header Cache-Control "public, max-age=31536000, immutable";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }
  location /sw.js {
    add_header Cache-Control "public, max-age=0";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }
  location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";
    proxy_pass_header Server;
    proxy_pass http://backend;
    proxy_buffering on;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_cache CACHE;
    proxy_cache_valid 200 7d;
    proxy_cache_valid 410 24h;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    add_header X-Cached $upstream_cache_status;
    add_header Strict-Transport-Security "max-age=31536000";
    tcp_nodelay on;
  }
  location /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";
    proxy_pass http://streaming;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    tcp_nodelay on;
  }
  error_page 500 501 502 503 504 /500.html;
}

So what do you suggest?
Should I include

 listen 443;

Edit :No this does not work.

I suggest you first figure out why that block exists.
There are already two blocks for that FQDN.
The one that listens on 80 - which is doing it’s job just fine (sending everything it hears to 443]
And the one that listens on 443 - which had that extra redirection which you should have removed.
So I don’t know why that third blocks exists nor what you should do with it.
Perhaps it is somehow used/required for mastodon - I would not know.
If so, it might need to go into the block that listens on 443 - but again, I am not sure about it.

Hi,
I am now getting Error code: SSL_ERROR_RX_RECORD_TOO_LONG

root@localhost: cat /etc/nginx/sites-available/mastodon
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

upstream backend {
    server 127.0.0.1:3000 fail_timeout=0;
}

upstream streaming {
    server 127.0.0.1:4000 fail_timeout=0;
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;

server {
  server_name openbooksocial.com;
#  root /home/mastodon/live/public;
root /var/www/html;
 location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }

#    listen [::]:443 ssl ipv6only=on; # managed by Certbot
 #   listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/openbooksocial.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
listen 443;
return 301 http://$host$request_uri;


#  listen 443 ssl http2;
 # listen [::]:443 ssl http2;
#  server_name openbooksocial.com;

#  ssl_protocols TLSv1.2 TLSv1.3;
 # ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
 # ssl_prefer_server_ciphers on;
  #ssl_session_cache shared:SSL:10m;

  # Uncomment these lines once you acquire a certificate:

# ssl_certificate     /etc/letsencrypt/live/openbooksocial.com/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem;

  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 80m;


  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

#  add_header Strict-Transport-Security "max-age=31536000";

  location / {
    try_files $uri @proxy;
  }

  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
    add_header Cache-Control "public, max-age=31536000, immutable";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }

  location /sw.js {
    add_header Cache-Control "public, max-age=0";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }

  location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";
    proxy_pass_header Server;

    proxy_pass http://backend;
    proxy_buffering on;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    proxy_cache CACHE;
    proxy_cache_valid 200 7d;
    proxy_cache_valid 410 24h;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    add_header X-Cached $upstream_cache_status;
    add_header Strict-Transport-Security "max-age=31536000";

    tcp_nodelay on;
  }

  location /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";

    proxy_pass http://streaming;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  error_page 500 501 502 503 504 /500.html;
}


server {
    if ($host = openbooksocial.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen 80;
  listen [::]:80;
  server_name openbooksocial.com;
    return 404; # managed by Certbot


}

Any help?

That happens if you connect a http port via https. Then the port sends a long http answer, https doesn’t understand that.

So your port 443 may be now a http port.

1 Like

Thank you for responding.
Any pointers to solution?

You have created these errors, so you know how to undo that.

Or use a backup with a working configuration.

1 Like

That makes no sense to me.
Why are redirecting HTTPS to HTTP ?

Also, openbooksocial.com resolves to an IPv4 IP and an IPv6 IP.
Both they don’t both work:
see: https://www.ssllabs.com/ssltest/analyze.html?d=openbooksocial.com