Im stumped! https/nginx configuration

Help
1

Hi All

As soon as I enable theHTTPS block, the website works but it asks me for a password. This is odd given the configuration I use is from another machine and that works fine on that one.

server {
    listen 80;
    server_name home.nsautomate.com.au;
    root /var/www/openhab-cloud;
    location ~ /.well-known {
        allow all;
    }
    access_log /var/log/nginx/certbox.log;
    error_log /var/log/nginx/certbox.err;

}
server {
    listen *:443 ssl;
    ssl_certificate /etc/letsencrypt/live/home.nsautomate.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.nsautomate.com.au/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    server_name home.nsautomate.com.au;
    open_file_cache max=10000 inactive=30s;
    open_file_cache_valid    60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors   on;

if ( $scheme = "http" ) {
    rewrite ^/(.*)$     https://$host/$1 permanent;
}

charset utf-8;

access_log /var/log/nginx/openhabcloud-access.log;
error_log /var/log/nginx/openhabcloud-error.log;

location /css {
    alias  /var/www/openhab-cloud/public/css;
    }
location /js {
    alias /var/www/openhab-cloud/public/js;
    }
location /img {
    alias /var/www/openhab-cloud/public/img;
    }
location /bootstrap {
    alias /var/www/openhab-cloud/public/bootstrap;
    }
location /font-icons {
    alias /var/www/openhab-cloud/public/font-icons;
    }
location /fonts {
    alias /var/www/openhab-cloud/public/fonts;
    }
location /js-plugin {
    alias /var/www/openhab-cloud/public/js-plugin;
    }
location /downloads {
    alias /var/www/openhab-cloud/public/downloads;
    }
location / {
    proxy_pass http://localhost:3000;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr ;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
    proxy_set_header X-Forwarded-Proto $scheme;
}
location ~ .html$ {
    expires        off;
    proxy_pass http://localhost:3000;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr ;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
    proxy_set_header X-Forwarded-Proto $scheme;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}

Any thoughts? Thanks!

2

The authentication prompt comes from your Node.js/Express application, not nginx. Specifically, the “Connect” middleware.

1 Like
3

This needs to be in the :80 block.

4

But it is not in the :80 block on other working machines?

_az hmm. I dont get it, the application is cloned from git, the same as always :frowning:

5

A redirection from http to https does nothing when it is located in the https block.
It needs to be located in the http block to be seen by the http requests.

1 Like
6

Ive resetup everything and again, some kind of login! This cant be a node.js issue. The server is a DigitalOcean ubuntu 18 VM


server {
    listen 80;
    server_name home.nsautomate.com.au;
    root /var/www/openhab-cloud;
    location ~ /.well-known {
        allow all;
    }
    access_log /var/log/nginx/certbox.log;
    error_log /var/log/nginx/certbox.err;

}

server {
    listen *:443;
    server_name home.nsautomate.com.au;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/home.nsautomate.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.nsautomate.com.au/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    root /var/www/openhab-cloud;
    index index.html index.htm;
    location ~ /.well-known {
    allow all;
}
location /css {
        alias  /var/www/openhab-cloud/public/css;
    }
    location /js {
        alias /var/www/openhab-cloud/public/js;
    }
    location /img {
        alias /var/www/openhab-cloud/public/img;
    }
    location /bootstrap {
        alias /var/www/openhab-cloud/public/bootstrap;
    }
    location /font-icons {
        alias /var/www/openhab-cloud/public/font-icons;
    }
    location /fonts {
        alias /var/www/openhab-cloud/public/fonts;
    }
    location /js-plugin {
        alias /var/www/openhab-cloud/public/js-plugin;
    }
    location /downloads {
        alias /var/www/openhab-cloud/public/downloads;
    }
    location / {
        proxy_pass http://localhost:3000;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr ;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
        proxy_set_header X-Forwarded-Proto https;
}
}
7

Hi @KrisAU

your certificate is correct. Http + /.well-known/acme-challenge works ( https://check-your-website.server-daten.de/?q=home.nsautomate.com.au ):

Domainname Http-Status redirect Sec. G
• http://home.nsautomate.com.au/
104.248.145.68 403 0.543 M
Forbidden
• https://home.nsautomate.com.au/
104.248.145.68 502 3.990 S
Bad Gateway
• http://home.nsautomate.com.au/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
104.248.145.68 404 0.530 A
Not Found
Visible Content: 404 Not Found nginx/1.15.5 (Ubuntu)

But http has a 403 and https (with correct certificate) a bad Gateway.

Is your port 3000 working?

PS: Checked your port 3000:

Domainname Http-Status redirect Sec. G
• http://home.nsautomate.com.au:3000/
104.248.145.68 401 0.540 M
Unauthorized
• https://home.nsautomate.com.au:3000/
104.248.145.68 -4 1.066 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. Authentication failed because the remote party has closed the transport stream.
• http://home.nsautomate.com.au:3000/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
104.248.145.68 401 0.536 M
Unauthorized
Visible Content: Unauthorized

http has a 401 (not a 403), https is closed, /.well-known/acme-challenge has also the 401, not the 404.

1 Like
8

Thanks, this sounds like 3000 is not working which is odd because if you do a telnet to the port it responds.

I’m stumped, this is a node.js application and ive followed the instructions to the tee.

Odd thing is, if you go to the IP:3000 it works just fine

http://104.248.145.68:3000/

9

But only http, not https ( https://check-your-website.server-daten.de/?q=104.248.145.68%3A3000 ):

Domainname Http-Status redirect Sec. G
• http://104.248.145.68:3000/
104.248.145.68 200 0.557 H
• https://104.248.145.68:3000/
104.248.145.68 -4 1.057 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. Authentication failed because the remote party has closed the transport stream.
• http://104.248.145.68:3000/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
104.248.145.68 404 0.533 A
Not Found
Visible Content: Cannot GET /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

Then install there the certificate and recheck the domain. Certificate errors are shown, but a connection should be possible.

And your 401 / 403 must have another reason, if the port works.

10

Hello @JuergenAuer the certs are already installed:


root@OpenHab-Cloud:~# ls -la /etc/letsencrypt/live/home.nsautomate.com.au/
total 12
drwxr-xr-x 2 root root 4096 Mar  3 22:08 .
drwx------ 3 root root 4096 Mar  3 22:08 ..
-rw-r--r-- 1 root root  682 Mar  3 22:08 README
lrwxrwxrwx 1 root root   46 Mar  3 22:08 cert.pem -> ../../archive/home.nsautomate.com.au/cert1.pem
lrwxrwxrwx 1 root root   47 Mar  3 22:08 chain.pem -> ../../archive/home.nsautomate.com.au/chain1.pem
lrwxrwxrwx 1 root root   51 Mar  3 22:08 fullchain.pem -> ../../archive/home.nsautomate.com.au/fullchain1.pem
11

Yep, your home… has the correct certificate. If not, there would be an error message.

• https://home.nsautomate.com.au/
104.248.145.68 502 3.990 S

But your port 3000 doesn’t have a working https configuration.

PS: Why do you have one http port 3000, but not a second https port (3001 or another number)?

How is the connection between your https and this application?

12

How it is supposed to work, is that HTTPS has the cert and it redirects all traffic to HTTP, the actual application listens on 3000. There should be no direct HTTP connection

The instructions I followed for the NGINX/LE is her. I believe I have it correct

Thanks for helping!

13

Hi Guys, still working through this one.

I have changed my domain name and updated my settings, installed a new LE cert.

I used https://check-your-website.server-daten.de/?q=home.nsautomate.com.au and its showing a misconfiguration. Misconfiguration - http-status 400 - 499

The page is prompting me for a password, which it should not. the HTTPS connection proxies to Port 3000, and provides a login page but being prompted for a username/pass straight up isnt correct.

All I did was install a new cert and change occurances of the old domain name, oh2.ddns.net to home.nsautomate.com.au

I should note my old dns provider worked fine with the old name, oh2.ddns.net but given ive got an Australian domain I wanted to move everything over. So i created all new DNS records which are pingable/resolve and just updated occurrences of the old domain in my linux server to the new domain. My NGINX configuration was also working fine and nothing was changed but references to the domain name

Any thoughts as to what I’ve done wrong? Thank you!

I see these errors:

2019/04/01 10:10:19 [error] 15245#15245: *303 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.3, server: home.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "home.nsautomate.com.au"
2019/04/01 10:10:19 [error] 15245#15245: *303 open() "/usr/share/nginx/html/50x.html" failed (2: No such file or directory), client: 192.168.0.3, server: home.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "home.nsautomate.com.au"
2019/04/01 10:10:21 [error] 15245#15245: *305 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.3, server: home.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "home.nsautomate.com.au"
2019/04/01 10:10:21 [error] 15245#15245: *305 open() "/usr/share/nginx/html/50x.html" failed (2: No such file or directory), client: 192.168.0.3, server: home.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "home.nsautomate.com.au"
2019/04/01 10:10:24 [error] 15245#15245: *307 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.3, server: home.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "home.nsautomate.com.au"
2019/04/01 10:10:24 [error] 15245#15245: *307 open() "/usr/share/nginx/html/50x.html" failed (2: No such file or directory), client: 192.168.0.3, server: home.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "home.nsautomate.com.au"
2019/04/01 10:10:29 [error] 15245#15245: *309 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.3, server: home.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "home.nsautomate.com.au"
2019/04/01 10:10:29 [error] 15245#15245: *309 open() "/usr/share/nginx/html/50x.html" failed (2: No such file or directory), client: 192.168.0.3, server: home.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "home.nsautomate.com.au"
2019/04/01 10:10:34 [error] 15245#15245: *311 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.3, server: home.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "home.nsautomate.com.au"
2019/04/01 10:10:34 [error] 15245#15245: *311 open() "/usr/share/nginx/html/50x.html" failed (2: No such file or directory), client: 192.168.0.3, server: home.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "home.nsautomate.com.au"
14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.