duane
November 20, 2024, 3:41pm
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: tendaafrica.net
I am serving a Node.js API on port 3000.
I ran this command: but when I access it from the browser, it doesn't seem to work.
This is my sites-available config for my site:
```
server {
    listen 80;
    server_name tendaafrica.net;
    return 301 https://$host$request_uri;
    root /var/www/tenda-express-api;
    location / {
        proxy_pass http://localhost:3000; # Node.js app port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```
And this is the default.conf in my sites-enabled:
```
server {
    #listen 443 default_server;
    #listen [::]:443 default_server;
    ssl_reject_handshake on;
    server_name tendaafrica.net; # managed by Certbot
    return 444;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}server {
    if ($host = tendaafrica.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80 ;
    server_name tendaafrica.net;
    return 404; # managed by Certbot
}
```
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is: hostinger
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot):
Nekit
November 20, 2024, 5:58pm
Hi!
Remove `ssl_reject_handshake on;` from your configuration. How did it get there?
Not_so_ninja_edit: that's what I saw immediately, but looking closer, the config doesn't make much sense. The server block for 443 looks to be a catch-all for requests without SNI (or with a wrong one) to reject erroneous connections. If `server_name` was indeed added by Certbot, that sounds like a bug.
You should look into getting your config in order. I don't have time for a thorough walk-through, but it looks like the config in sites-available is mostly correct, just needs to be “converted” for serving TLS connections.
duane
November 21, 2024, 6:26am
Yes, thank you; I have commented out the handshake, but it's still not working.
duane
November 21, 2024, 6:48am
Nekit:
> You should look into getting your config in order. I don't have time for a thorough walk-through, but it looks like the config in sites-available is mostly correct, just needs to be “converted” for serving TLS connections

I have converted the config in sites-available to this:
```
server {
    listen 80;
    server_name tendaafrica.net;
    return 301 https://$host$request_uri;
}
# HTTPS server block
server {
    listen 443 ssl;
    server_name tendaafrica.net;
    # Path to SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem; # Update this path
    ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem; # Update this path
    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    root /var/www/tenda-express-api;
    location / {
        proxy_pass http://localhost:3000; # Node.js app port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```
and I have commented out the handshake, but my site is still not accessible.
Nekit
November 21, 2024, 7:43am
Do you have this config symlinked from sites-enabled?
Nekit
November 21, 2024, 9:32am
Can you post the entire output of the `nginx -T` command?
I applaud the effort to make the code readable, but the way you do this (plain `<pre>` tags?) makes it hard to horizontally scroll on mobile. And for some reason there's no way to scroll such a block on the desktop at all, lol. Better to use “triple backticks” syntax of Markdown, like so:
```
<output of nginx -T>
```
duane
November 21, 2024, 11:16am
Below is my /etc/nginx/sites-available/site-config:
```
server {
    listen 80;
    server_name tendaafrica.net;
    return 301 https://$host$request_uri;
}
# HTTPS server block
server {
    listen 443 ssl;
    server_name tendaafrica.net;
    # Path to SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem; # Update this path
    ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem; # Update this path
    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    root /var/www/tenda-express-api;
    location / {
        proxy_pass http://localhost:3000; # Node.js app port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```
This is default.conf from /etc/nginx/sites-enabled:
```
server {
    #listen 443 default_server;
    #listen [::]:443 default_server;
    ssl_reject_handshake on;
    server_name tendaafrica.net; # managed by Certbot
    return 444;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}server {
    if ($host = tendaafrica.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80 ;
    server_name tendaafrica.net;
    return 404; # managed by Certbot
}
```
Below is the output of `nginx -T`:
```
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user root;
worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 8192;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 2000;
    # multi_accept on;
}
http {
    ##
    # Basic Settings
    ##
    geoip_country /etc/nginx/geoip/GeoIP.dat; # the country IP database
    geoip_city /etc/nginx/geoip/GeoLiteCity.dat; # the city IP database
    real_ip_recursive on;
    set_real_ip_from 127.0.0.1;
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 172.16.0.0/12;
    set_real_ip_from 192.168.0.0/16;
    set_real_ip_from 0.0.0.0/0;
    #real_ip_header X-Forwarded-For;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    log_format cloudflare '$http_cf_connecting_ip - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 64M;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    port_in_redirect off;
    access_log off;
    map $scheme $fastcgi_https { ## Detect when HTTPS is used
        default off;
        https on;
    }
    include /etc/nginx/blocked_ips;
    pagespeed off;
    pagespeed XHeaderValue 1;
    ##
    # Security Settings
    ##
    #add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    #add_header Content-Security-Policy "img-src 'self' data:;";
    add_header X-Permitted-Cross-Domain-Policies master-only;
    add_header Referrer-Policy same-origin;
    #add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(self 'https://haveibeenpwned.com/' 'https://twofactorauth.org/%27), usb=(), vr=()";
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_stapling off;
    ssl_stapling_verify on;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    ##
    # Limit the requests for php
    ##
    limit_req_zone $binary_remote_addr zone=limit:10m rate=1r/s;
    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 8;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg application/javascript image/svg+xml;
    ##
    # Brotli Settings
    ##
    brotli on;
    brotli_comp_level 8;
    brotli_static on;
    brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg application/javascript image/svg+xml;
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}
# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:
load_module modules/ngx_http_auth_pam_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:
load_module modules/ngx_http_dav_ext_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:
load_module modules/ngx_http_echo_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:
load_module modules/ngx_http_subs_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:
load_module modules/ngx_http_upstream_fair_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-ngx-brotli.conf:
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-ngx-pagespeed.conf:
load_module modules/ngx_pagespeed.so;
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/blocked_ips:
# configuration file /etc/nginx/mime.types:
types {
    text/html html htm shtml;
    text/css css;
    text/xml xml;
    image/gif gif;
    image/jpeg jpeg jpg;
    application/javascript js;
    application/atom+xml atom;
    application/rss+xml rss;
    text/mathml mml;
    text/plain txt;
    text/vnd.sun.j2me.app-descriptor jad;
    text/vnd.wap.wml wml;
    text/x-component htc;
    image/png png;
    image/tiff tif tiff;
    image/vnd.wap.wbmp wbmp;
    image/x-icon ico;
    image/x-jng jng;
    image/x-ms-bmp bmp;
    image/svg+xml svg svgz;
    image/webp webp;
    application/font-woff woff;
    application/java-archive jar war ear;
    application/json json;
    application/mac-binhex40 hqx;
    application/msword doc;
    application/pdf pdf;
    application/postscript ps eps ai;
    application/rtf rtf;
    application/vnd.apple.mpegurl m3u8;
    application/vnd.ms-excel xls;
    application/vnd.ms-fontobject eot;
    application/vnd.ms-powerpoint ppt;
    application/vnd.wap.wmlc wmlc;
    application/vnd.google-earth.kml+xml kml;
    application/vnd.google-earth.kmz kmz;
    application/x-7z-compressed 7z;
    application/x-cocoa cco;
    application/x-java-archive-diff jardiff;
    application/x-java-jnlp-file jnlp;
    application/x-makeself run;
    application/x-perl pl pm;
    application/x-pilot prc pdb;
    application/x-rar-compressed rar;
    application/x-redhat-package-manager rpm;
    application/x-sea sea;
    application/x-shockwave-flash swf;
    application/x-stuffit sit;
    application/x-tcl tcl tk;
    application/x-x509-ca-cert der pem crt;
    application/x-xpinstall xpi;
    application/xhtml+xml xhtml;
    application/xspf+xml xspf;
    application/zip zip;
    application/octet-stream bin exe dll;
    application/octet-stream deb;
    application/octet-stream dmg;
    application/octet-stream iso img;
    application/octet-stream msi msp msm;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
    audio/midi mid midi kar;
    audio/mpeg mp3;
    audio/ogg ogg;
    audio/x-m4a m4a;
    audio/x-realaudio ra;
    video/3gpp 3gpp 3gp;
    video/mp2t ts;
    video/mp4 mp4;
    video/mpeg mpeg mpg;
    video/quicktime mov;
    video/webm webm;
    video/x-flv flv;
    video/x-m4v m4v;
    video/x-mng mng;
    video/x-ms-asf asx asf;
    video/x-ms-wmv wmv;
    video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/default.conf:
server {
    listen 80;
    listen [::]:80 default_server;
    #listen 443 default_server;
    #listen [::]:443 default_server;
    ssl_reject_handshake on;
    server_name _;
    return 444;
}
#server {
# listen 80;
# listen [::]:80;
# listen 443;
#listen [::]:443
#ssl_reject_handshake on;
#server_name tendaafrica.net www.tendaafrica.net;
#return 444;
#ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem
#ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem
#}
server {
    #listen 443 default_server;
    #listen [::]:443 default_server;
    #ssl_reject_handshake on;
    server_name tendaafrica.net; # managed by Certbot
    return 444;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}server {
    if ($host = tendaafrica.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80 ;
    server_name tendaafrica.net;
    return 404; # managed by Certbot
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
```
MikeMcQ
November 21, 2024, 4:00pm
The `return 444;` causes every connection attempt to fail.
Not sure what your purpose is for that but just try removing that line.
https://nginx.org/en/docs/http/request_processing.html
duane
November 21, 2024, 4:25pm
Thanks @MikeMcQ. Now my SSL seems to work and my site at https://tendaafrica.net is reachable, only I can't access my Node.js API; but I'll try to debug from here.
MikeMcQ
November 21, 2024, 4:38pm
Okay, good. Did you notice your active (`nginx -T`) config did not have the above proxy statements for your Node.js? You showed it from a config in your sites-available, but it is not in the server blocks in sites-enabled.
duane
November 21, 2024, 4:45pm
I created a symbolic link between sites-available and sites-enabled, and when I list the contents of sites-enabled I have default.conf and tendaafrica.net. Unless I have to transfer the contents of tendaafrica.net (the whole server block that includes the proxy) into default.conf as another server block; will it work?
MikeMcQ
November 21, 2024, 5:03pm
I am not sure what you are explaining. But you should focus on what the `nginx -T` command shows. I was just pointing out a difference between what you showed earlier and the `nginx -T` result to help you on your way.
We focus on helping people with the certificates. Help with configuring your app and other services is best done on forums specializing in nginx or nodejs.
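MikeMcQ's point, that only the `nginx -T` dump shows which server blocks are really live, is easier to act on with a quick summary of what each block claims. The script below is an added example, not code from this thread or from nginx: it walks an `nginx -T` dump, prints one `address:port server_name` line per server block, and then reports the pairs that more than one block claims, which is exactly the condition nginx reports as `conflicting server name "..." on 0.0.0.0:80, ignored` (the first block wins, the rest are silently dropped). The sample dump is constructed from the thread's two sites-enabled files; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Heuristic parser for `nginx -T` output:
# it tracks brace depth and reads only `listen` and `server_name`, so it copes
# with Certbot's `}server {` joins and nested if/location blocks, but does not
# understand every corner of nginx syntax.

# One "address:port server_name" line per (listen, server_name) pair of every
# server block read from stdin.
nginx_server_map() {
  awk '
  {
    line = $0
    sub(/#.*/, "", line)               # drop comments (nginx -T keeps them)
    gsub(/[{};]/, " & ", line)         # braces and semicolons become tokens
    n = split(line, tok, "[ \t]+")
    for (i = 1; i <= n; i++) {
      t = tok[i]
      if (t == "") continue
      if (t == "{") {                  # the token just before "{" names the block
        if (!in_server && nargs > 0 && arg[nargs] == "server") {
          in_server = 1; sdepth = depth; nl = 0; nn = 0
        }
        depth++; nargs = 0
      } else if (t == "}") {
        depth--
        if (in_server && depth == sdepth) {
          if (nl == 0) lst[++nl] = "0.0.0.0:80"   # nginx default listen (as root)
          if (nn == 0) nm[++nn] = "\"\""          # nginx default server_name
          for (a = 1; a <= nl; a++)
            for (b = 1; b <= nn; b++) print lst[a], nm[b]
          in_server = 0
        }
        nargs = 0
      } else if (t == ";") {           # a directive ended; only top-level ones matter
        if (in_server && depth == sdepth + 1) {
          if (arg[1] == "listen" && nargs >= 2) {
            p = arg[2]
            sub(/^\*:/, "0.0.0.0:", p)
            if (index(p, ":") == 0) p = "0.0.0.0:" p   # bare port = all IPv4
            lst[++nl] = p
          } else if (arg[1] == "server_name") {
            for (k = 2; k <= nargs; k++) nm[++nn] = arg[k]
          }
        }
        nargs = 0
      } else {
        arg[++nargs] = t
      }
    }
  }'
}

# Pairs claimed by more than one server block: nginx warns and ignores all but
# the first, so the "extra" block never serves anything.
nginx_name_conflicts() {
  nginx_server_map | LC_ALL=C sort | uniq -d
}

# Constructed sample, condensed from the thread's final nginx -T dump: both
# default.conf and tendaafrica.conf declare tendaafrica.net on :80 and :443.
sample_config() {
  cat <<'EOF'
# configuration file /etc/nginx/sites-enabled/default.conf:
server {
    listen 80;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}
server {
    server_name tendaafrica.net; # managed by Certbot
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
}server {
    if ($host = tendaafrica.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80 ;
    server_name tendaafrica.net;
}
# configuration file /etc/nginx/sites-enabled/tendaafrica.conf:
server {
    listen 80;
    server_name tendaafrica.net;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name tendaafrica.net;
    location / {
        proxy_pass http://localhost:3000;
    }
}
EOF
}

# Real use: nginx -T 2>/dev/null | nginx_name_conflicts
echo "--- server map ---"; sample_config | nginx_server_map
echo "--- conflicts ---";  sample_config | nginx_name_conflicts
```

On the sample the conflict list is `0.0.0.0:443 tendaafrica.net` and `0.0.0.0:80 tendaafrica.net`, the same two combinations the real `nginx -T` run later in this thread warns about; the `[::]` listeners do not collide because the new file only binds IPv4. The stderr redirect matters: nginx prints the "syntax is ok" and warning lines to stderr, and they are not part of the configuration text.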
duane
November 21, 2024, 5:11pm
I think the issue was with the way I named sites-available/site-config; it didn't have the .conf extension and couldn't be loaded, since the include directive says `*.conf`. I have changed that, and this is how my output for `nginx -T` looks:
```
nginx: [warn] conflicting server name "tendaafrica.net" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "tendaafrica.net" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user root;
worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 8192;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 2000;
    # multi_accept on;
}
http {
    ##
    # Basic Settings
    ##
    geoip_country /etc/nginx/geoip/GeoIP.dat; # the country IP database
    geoip_city /etc/nginx/geoip/GeoLiteCity.dat; # the city IP database
    real_ip_recursive on;
    set_real_ip_from 127.0.0.1;
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 172.16.0.0/12;
    set_real_ip_from 192.168.0.0/16;
    set_real_ip_from 0.0.0.0/0;
    #real_ip_header X-Forwarded-For;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    log_format cloudflare '$http_cf_connecting_ip - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 64M;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    port_in_redirect off;
    access_log off;
    map $scheme $fastcgi_https { ## Detect when HTTPS is used
        default off;
        https on;
    }
    include /etc/nginx/blocked_ips;
    pagespeed off;
    pagespeed XHeaderValue 1;
    ##
    # Security Settings
    ##
    #add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    #add_header Content-Security-Policy "img-src 'self' data:;";
    add_header X-Permitted-Cross-Domain-Policies master-only;
    add_header Referrer-Policy same-origin;
    #add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(self 'https://haveibeenpwned.com/' 'https://twofactorauth.org/%27), usb=(), vr=()";
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_stapling off;
    ssl_stapling_verify on;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    ##
    # Limit the requests for php
    ##
    limit_req_zone $binary_remote_addr zone=limit:10m rate=1r/s;
    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 8;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg application/javascript image/svg+xml;
    ##
    # Brotli Settings
    ##
    brotli on;
    brotli_comp_level 8;
    brotli_static on;
    brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg application/javascript image/svg+xml;
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}
# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:
load_module modules/ngx_http_auth_pam_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:
load_module modules/ngx_http_dav_ext_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:
load_module modules/ngx_http_echo_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:
load_module modules/ngx_http_subs_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:
load_module modules/ngx_http_upstream_fair_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-ngx-brotli.conf:
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-ngx-pagespeed.conf:
load_module modules/ngx_pagespeed.so;
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/blocked_ips:
# configuration file /etc/nginx/mime.types:
types {
    text/html html htm shtml;
    text/css css;
    text/xml xml;
    image/gif gif;
    image/jpeg jpeg jpg;
    application/javascript js;
    application/atom+xml atom;
    application/rss+xml rss;
    text/mathml mml;
    text/plain txt;
    text/vnd.sun.j2me.app-descriptor jad;
    text/vnd.wap.wml wml;
    text/x-component htc;
    image/png png;
    image/tiff tif tiff;
    image/vnd.wap.wbmp wbmp;
    image/x-icon ico;
    image/x-jng jng;
    image/x-ms-bmp bmp;
    image/svg+xml svg svgz;
    image/webp webp;
    application/font-woff woff;
    application/java-archive jar war ear;
    application/json json;
    application/mac-binhex40 hqx;
    application/msword doc;
    application/pdf pdf;
    application/postscript ps eps ai;
    application/rtf rtf;
    application/vnd.apple.mpegurl m3u8;
    application/vnd.ms-excel xls;
    application/vnd.ms-fontobject eot;
    application/vnd.ms-powerpoint ppt;
    application/vnd.wap.wmlc wmlc;
    application/vnd.google-earth.kml+xml kml;
    application/vnd.google-earth.kmz kmz;
    application/x-7z-compressed 7z;
    application/x-cocoa cco;
    application/x-java-archive-diff jardiff;
    application/x-java-jnlp-file jnlp;
    application/x-makeself run;
    application/x-perl pl pm;
    application/x-pilot prc pdb;
    application/x-rar-compressed rar;
    application/x-redhat-package-manager rpm;
    application/x-sea sea;
    application/x-shockwave-flash swf;
    application/x-stuffit sit;
    application/x-tcl tcl tk;
    application/x-x509-ca-cert der pem crt;
    application/x-xpinstall xpi;
    application/xhtml+xml xhtml;
    application/xspf+xml xspf;
    application/zip zip;
    application/octet-stream bin exe dll;
    application/octet-stream deb;
    application/octet-stream dmg;
    application/octet-stream iso img;
    application/octet-stream msi msp msm;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
    audio/midi mid midi kar;
    audio/mpeg mp3;
    audio/ogg ogg;
    audio/x-m4a m4a;
    audio/x-realaudio ra;
    video/3gpp 3gpp 3gp;
    video/mp2t ts;
    video/mp4 mp4;
    video/mpeg mpeg mpg;
    video/quicktime mov;
    video/webm webm;
    video/x-flv flv;
    video/x-m4v m4v;
    video/x-mng mng;
    video/x-ms-asf asx asf;
    video/x-ms-wmv wmv;
    video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/default.conf:
server {
    listen 80;
    listen [::]:80 default_server;
    #listen 443 default_server;
    #listen [::]:443 default_server;
    ssl_reject_handshake on;
    server_name _;
    return 444;
}
#server {
# listen 80;
# listen [::]:80;
# listen 443;
#listen [::]:443
#ssl_reject_handshake on;
#server_name tendaafrica.net www.tendaafrica.net;
#return 444;
#ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem
#ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem
#}
server {
    #listen 443 default_server;
    #listen [::]:443 default_server;
    #ssl_reject_handshake on;
    server_name tendaafrica.net; # managed by Certbot
    #return 444;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}server {
    if ($host = tendaafrica.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80 ;
    server_name tendaafrica.net;
    return 404; # managed by Certbot
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
# configuration file /etc/nginx/sites-enabled/tendaafrica.conf:
#server {
# listen 80;
# server_name tendaafrica.net;
# return 301 https://$host$request_uri;
# root /var/www/tenda-express-api;
# index index.js
#
# location / {
# proxy_pass http://localhost:3000; # Node.js app port
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection 'upgrade';
# proxy_set_header Host $host;
# proxy_cache_bypass $http_upgrade;
# }
#}
# Redirect HTTP to HTTPS
server {
    if ($host = tendaafrica.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name tendaafrica.net;
    return 301 https://$host$request_uri;
}
# HTTPS server block
server {
    listen 443 ssl;
    server_name tendaafrica.net;
    # Path to SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem; # managed by Certbot
    # Update this path
    ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem; # managed by Certbot
    # Update this path
    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    root /var/www/tenda-express-api;
    index index.js;
    location / {
        proxy_pass http://localhost:3000; # Node.js app port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```
But the first two lines, about conflicting server names, I have failed to fix.
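The two warnings above come from default.conf and tendaafrica.conf both claiming `tendaafrica.net` on `0.0.0.0:80` and `0.0.0.0:443`; nginx keeps the first block it parses and ignores the other, so whichever file wins decides whether the proxy block is ever used. Since Nekit's post also asked for the sites-available config to be "converted" for TLS, here is one consolidated layout for /etc/nginx/sites-enabled that gives each role exactly one server block. This is an added example, not the poster's final config and not anything Certbot writes; the certificate and options paths are the ones shown in the thread, while the file names, the `127.0.0.1:3000` upstream and the `X-Forwarded-*` headers are assumptions.

```nginx
# /etc/nginx/sites-enabled/00-default.conf  (added example; the ONLY blocks
# carrying default_server, so bare-IP and unknown-Host requests never reach the site)
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;                # close the connection without a response
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx >= 1.19.4: refuse TLS for unknown SNI, no certificate needed
}

# /etc/nginx/sites-enabled/tendaafrica.conf  (must end in .conf: nginx.conf
# includes sites-enabled/*.conf, as the poster found)
server {
    listen 80;
    listen [::]:80;
    server_name tendaafrica.net;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name tendaafrica.net;

    ssl_certificate     /etc/letsencrypt/live/tendaafrica.net-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tendaafrica.net-0001/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Everything is proxied, so no root/index directives are needed here.
    location / {
        proxy_pass http://127.0.0.1:3000;   # assumed: the Node.js API listens on IPv4 loopback
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}
```

After writing the two files, `sudo nginx -t` should pass with no `conflicting server name` warnings and `nginx -T` should list `tendaafrica.net` on each port exactly once; then `sudo systemctl reload nginx` and check with `curl -sI https://tendaafrica.net/`. `127.0.0.1` rather than `localhost` avoids a common 502: nginx may resolve `localhost` to `::1` while the Node process is bound only to IPv4. Two other lines from the dump above deserve a look once the site works: `user root;` runs the nginx workers as root, and `set_real_ip_from 0.0.0.0/0;` trusts every client to set its own source address through the real-IP header, which also defeats the `limit_req_zone $binary_remote_addr` rate limit and the access log; the trusted list should contain only the CDN or load-balancer ranges that really sit in front of the server.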
duane
November 21, 2024, 6:27pm
Alright @MikeMcQ, thank you very much for the assistance.
MikeMcQ
Split this topic
November 22, 2024, 4:16am
A post was split to a new topic: Certbot timeout problem
system
Closed
December 22, 2024, 4:17am
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.