KrisAU
September 8, 2020, 8:22pm
1
Hi All
The errors I see are this:
2020/09/09 06:10:34 [error] 25108#25108: *9855 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.3, server: ihp.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "ihp.nsautomate.com.au"
Looking here, I see a remote certificate mismatch, but I'm not expert enough to determine if that's an issue:
https://check-your-website.server-daten.de/?q=ihp.nsautomate.com.au
Most works, but the Google Firebase notifications are failing and I see the above message.
Any thoughts as to what could be wrong? Certbot renews the cert, so I'm a bit confused why it was working so well and now only notifications are failing? Login to the site is all fine etc.
Thanks!
Hi @KrisAU
Is this your server? If yes, fix your non-working /socket.io/ proxy configuration.
Please read the output.
https://180.150.13.216/ | 180.150.13.216 | 302 | https://ihp.nsautomate.com.au/login.htm?page=%2F | 6.267 | N | Certificate error: RemoteCertificateNameMismatch
Does your code connect to that address via the IP number?
No. So that result isn't relevant.
KrisAU
September 8, 2020, 9:21pm
3
Hello JuergenAuer, thanks for the fast reply.
I haven't made any changes, so it seems odd.
There isn't anything in my NGINX configuration specific to socket.io:
upstream ihp {
    server 192.168.0.3:3000;
}
upstream grafana {
    server 192.168.0.3:3001;
}
server {
    listen 80;
    listen [::]:80;
    server_name ihp.nsautomate.com.au;
    return 301 https://ihp.nsautomate.com.au$request_uri;
    server_tokens off; # This hides the server version just in case someone needs it for a hack...
}
server {
    listen 443 ssl;
    listen [::]:443 ssl http2;
    server_name ihp.nsautomate.com.au;
    server_tokens off;
    access_log /var/log/nginx/ihp.nsautomate.com.au/access.log;
    error_log /var/log/nginx/ihp.nsautomate.com.au/error.log;

    #### SSL Config
    ssl_certificate /etc/letsencrypt/live/ihp.nsautomate.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ihp.nsautomate.com.au/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:20m;
    ssl_session_tickets off;
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Commented out: nginx rejects a second ssl_protocols in the same block
    ssl_protocols TLSv1.2 TLSv1.3; # This will affect old browsers that don't support new versions of TLS (not SSL ;)).
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    #### Compression - Can be disabled anytime but will help externally
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 9;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types text/plain
               text/css
               application/json
               application/javascript
               application/x-javascript
               text/xml
               application/xml
               application/xml+rss
               text/javascript
               application/vnd.ms-fontobject
               application/x-font-ttf
               font/opentype
               image/svg+xml
               image/x-icon;

    location / {
        proxy_pass http://ihp; # Defined on the upstream section
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-SSL on;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect default;
        proxy_redirect http://$host/ https://$host/;
        proxy_redirect http://hostname/ https://$host/;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_send_timeout 1200s;
        proxy_read_timeout 1200s;
        fastcgi_send_timeout 1200s;
        fastcgi_read_timeout 1200s;
        proxy_buffering off;
    }
}
Please read your own error message.
KrisAU:
connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.3, server: ihp.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "ihp.nsautomate.com.au"
Your destination doesn't work.
http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling
is buggy / Connection refused.
That's an internal problem of your configuration, not a certificate problem.
So it's completely irrelevant for this forum. Fix it.
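An added example, not part of the original posts: a short Python triage of nginx error_log lines that separates the client-to-nginx TLS hop from the nginx-to-backend hop, run on the error line quoted in the thread. The function name `triage` and the second log line (a client-side handshake failure, for contrast) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The error line quoted in the thread.
UPSTREAM_LINE = (
    '2020/09/09 06:10:34 [error] 25108#25108: *9855 connect() failed '
    '(111: Connection refused) while connecting to upstream, '
    'client: 192.168.0.3, server: ihp.nsautomate.com.au, '
    'request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", '
    'upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", '
    'host: "ihp.nsautomate.com.au"')
# Constructed contrast line: a failure on the client-facing TLS side.
TLS_LINE = ('2020/09/09 06:11:02 [info] 25108#25108: *9860 peer closed connection '
            'in SSL handshake while SSL handshaking, client: 203.0.113.7, '
            'server: 0.0.0.0:443')


def triage(line):
    """Say which hop an nginx error_log line is about and which backend it names."""
    phase = re.search(r'\bwhile ([^,]+)', line)
    errno = re.search(r'\((\d+): ([^)]+)\)', line)
    client = re.search(r'client: ([^,]+)', line)
    upstream = re.search(r'upstream: "([^"]+)"', line)
    phase = phase.group(1) if phase else ''
    if 'upstream' in phase:
        hop = 'nginx -> backend'       # the client's request was already read
    elif 'SSL handshaking' in phase:
        hop = 'client -> nginx (TLS)'  # certificate/protocol problems show up here
    else:
        hop = 'other'
    result = {'hop': hop, 'phase': phase,
              'errno': int(errno.group(1)) if errno else None,
              'client': client.group(1) if client else None}
    if upstream:
        url = urlsplit(upstream.group(1))
        result.update(backend_scheme=url.scheme, backend_host=url.hostname,
                      backend_port=url.port,
                      # True when the request came from the backend machine itself
                      client_is_backend_host=(result['client'] == url.hostname))
    return result


if __name__ == '__main__':
    for sample in (UPSTREAM_LINE, TLS_LINE):
        print(triage(sample))
```

For the thread's line this reports the nginx-to-backend hop over plain `http` to port 3000 with errno 111, and it also shows that the client address equals the backend host, so the failing request was made from the application server itself.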
KrisAU
September 8, 2020, 9:53pm
5
If I open the URL locally, it works just fine though, which seems odd - http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling works. Just not remotely through NGINX.
rg305
September 8, 2020, 10:58pm
6
Try this:
KrisAU:
proxy_pass http://ihp;
as this:
proxy_pass http://ihp/;
and this is kind of unrelated, if the returned links have IPs in them:
[or maybe you already fixed the secure URL with an IP issue]
KrisAU
September 8, 2020, 11:39pm
7
Hello rg305
I'm getting this:
kris@ihp:/etc/nginx/sites-enabled$ systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2020-09-09 09:38:45 AEST; 9s ago
Docs: man:nginx(8)
Process: 7021 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=2)
Process: 1341 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 7230 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Main PID: 1351 (code=exited, status=0/SUCCESS)
Sep 09 09:38:45 ihp systemd[1]: Starting A high performance web server and a reverse proxy server...
Sep 09 09:38:45 ihp nginx[7230]: nginx: [emerg] duplicate upstream "ihp" in /etc/nginx/sites-enabled/ihp.nsautomate.com.au.conf:3
If I restore it back to the old version, it starts again.
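An added example, not part of the original posts: nginx raises `duplicate upstream` when the same upstream name is defined twice across all the files it loads. One way that can happen, assumed here and not diagnosed in the thread, is a second copy of the site file sitting in a directory that is included by wildcard; the `.bak` file name and the function names below are hypothetical, and the file contents are constructed.

```python
import re
from collections import defaultdict

# Constructed file contents. The .conf path is the one named in the [emerg]
# line; the .bak copy is a hypothetical leftover in the same directory.
SAMPLE_FILES = {
    "sites-enabled/ihp.nsautomate.com.au.conf": (
        "upstream ihp {\n    server 192.168.0.3:3000;\n}\n"
        "upstream grafana {\n    server 192.168.0.3:3001;\n}\n"
    ),
    "sites-enabled/ihp.nsautomate.com.au.bak": (
        "# copy made before editing\n"
        "upstream ihp {\n    server 192.168.0.3:3000;\n}\n"
    ),
}

UPSTREAM_RE = re.compile(r"^\s*upstream\s+([^\s{]+)\s*\{", re.MULTILINE)


def find_upstreams(files):
    """Map each upstream name to every (path, line) where it is defined."""
    seen = defaultdict(list)
    for path in sorted(files):  # a wildcard include is read in sorted order
        # Blank out comments but keep newlines so line numbers stay correct.
        # (Simplification: a '#' inside a quoted string is treated as a comment.)
        text = re.sub(r"#[^\n]*", "", files[path])
        for match in UPSTREAM_RE.finditer(text):
            line_no = text.count("\n", 0, match.start(1)) + 1
            seen[match.group(1)].append((path, line_no))
    return dict(seen)


def duplicate_upstreams(files):
    """Return only the upstream names defined more than once."""
    return {n: locs for n, locs in find_upstreams(files).items() if len(locs) > 1}


if __name__ == "__main__":
    for name, locs in duplicate_upstreams(SAMPLE_FILES).items():
        print(f"upstream {name!r} defined {len(locs)} times:")
        for path, line_no in locs:
            print(f"  {path}:{line_no}")
```

To run it against a real host, build the `files` mapping from the paths that the `include` lines in `nginx.conf` actually match.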
rg305
September 9, 2020, 12:18am
8
Please show the changed file (that didn’t work).