NGINX working for some time now broken? Cert issue?

Hi All

The errors I see are this:

2020/09/09 06:10:34 [error] 25108#25108: *9855 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.3, server: ihp.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "ihp.nsautomate.com.au"

Looking here, I see a remote certificate mismatch, but I'm not expert enough to determine if that's an issue:

https://check-your-website.server-daten.de/?q=ihp.nsautomate.com.au

Most of it works, but the Google Firebase notifications are failing and I see the above message.

Any thoughts as to what could be wrong? Certbot renews the cert, so I'm a bit confused why it was working so well and now only notifications are failing. Login to the site is all fine etc.

Thanks!

Hi @KrisAU

Is this your server? If yes, fix your non-working /socket.io/ proxy configuration.

Please read the output.

https://180.150.13.216/    180.150.13.216    302    https://ihp.nsautomate.com.au/login.htm?page=%2F    6.267    N
Certificate error: RemoteCertificateNameMismatch

Does your code connect to that address via the IP number?

No. So that result isn’t relevant.


Hello JuergenAuer, thanks for the fast reply.

I haven't made any changes, so it seems odd.

There isn't anything in my NGINX configuration specific to socket.io:

upstream ihp {
    server 192.168.0.3:3000;
}

upstream grafana {
    server 192.168.0.3:3001;
}

server {
    listen 80;
    listen [::]:80;

    server_name ihp.nsautomate.com.au;

    return 301 https://ihp.nsautomate.com.au$request_uri;

    server_tokens off; # This hides the server version, just in case someone needs it for a hack...
}

server {
    listen 443 ssl;
    listen [::]:443 ssl http2;

    server_name ihp.nsautomate.com.au;
    server_tokens off;

    access_log      /var/log/nginx/ihp.nsautomate.com.au/access.log;
    error_log       /var/log/nginx/ihp.nsautomate.com.au/error.log;

    #### SSL Config

    ssl_certificate         /etc/letsencrypt/live/ihp.nsautomate.com.au/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/ihp.nsautomate.com.au/privkey.pem;
    ssl_dhparam             /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout     1d;
    ssl_session_cache       shared:SSL:20m;
    ssl_session_tickets     off;
    # Only one ssl_protocols directive is allowed per server block (nginx refuses to start
    # on a duplicate); the older "TLSv1 TLSv1.1 TLSv1.2" line was dropped in favour of this one.
    ssl_protocols           TLSv1.2 TLSv1.3; # This will affect old browsers that don't support newer versions of TLS (not SSL ;)).

    ssl_prefer_server_ciphers       on;
    ssl_ecdh_curve          secp384r1;
    ssl_ciphers             'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_stapling            on;
    ssl_stapling_verify     on;

    resolver                        8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout                5s;

    add_header                      Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header                      X-Frame-Options DENY;
    add_header                      X-Content-Type-Options nosniff;
    add_header                      X-XSS-Protection "1; mode=block";

    #### Compression - Can be disabled anytime but will help externally

    gzip                    on;
    gzip_disable            "msie6";
    gzip_vary               on;
    gzip_proxied            any;
    gzip_comp_level         9;
    gzip_buffers            16 8k;
    gzip_http_version       1.1;
    gzip_min_length         256;
    gzip_types              text/plain
                            text/css
                            application/json
                            application/javascript
                            application/x-javascript
                            text/xml
                            application/xml
                            application/xml+rss
                            text/javascript
                            application/vnd.ms-fontobject
                            application/x-font-ttf
                            font/opentype
                            image/svg+xml
                            image/x-icon;

    location / {
        proxy_pass                  http://ihp; # Defined in the upstream section
        proxy_set_header            X-Real-IP        $remote_addr;
        proxy_set_header            X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header            Host $http_host;
        proxy_set_header            X-Forwarded-SSL on;
        proxy_set_header            X-Forwarded-Proto https;
        proxy_redirect              default;
        proxy_redirect              http://$host/ https://$host/;
        proxy_redirect              http://hostname/ https://$host/;
        # Needed for the socket.io WebSocket upgrade to pass through the proxy
        proxy_set_header            Upgrade $http_upgrade;
        proxy_set_header            Connection "upgrade";

        proxy_send_timeout          1200s;
        proxy_read_timeout          1200s;
        fastcgi_send_timeout        1200s;
        fastcgi_read_timeout        1200s;
        proxy_buffering             off;
    }
}

Please read your own error message.

Your destination doesn’t work.

http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling

is buggy / Connection refused.

That’s an internal problem of your configuration, not a certificate problem.

So it’s completely irrelevant for this forum. Fix it.


If I open the URL locally (http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling), it works just fine, which seems odd. Just not remotely through NGINX.

Try this:

as this:
proxy_pass http://ihp/;

and this is kind of unrelated, if the returned links have IPs in them:

[or maybe you already fixed the secure URL with an IP issue]

Hello rg305

I'm getting this:

kris@ihp:/etc/nginx/sites-enabled$ systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2020-09-09 09:38:45 AEST; 9s ago
Docs: man:nginx(8)
Process: 7021 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=2)
Process: 1341 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 7230 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Main PID: 1351 (code=exited, status=0/SUCCESS)

Sep 09 09:38:45 ihp systemd[1]: Starting A high performance web server and a reverse proxy server…
Sep 09 09:38:45 ihp nginx[7230]: nginx: [emerg] duplicate upstream "ihp" in /etc/nginx/sites-enabled/ihp.nsautomate.com.au.conf:3

If I restore it back to the old version, it starts again.
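
Two quick checks that cover both failures in this thread, the "connect() failed (111: Connection refused) while connecting to upstream" error-log entries and the "duplicate upstream" emerg from nginx -t. This is an added example, not code from the thread or from nginx; the log lines and the config snippet it reads are constructed here using the thread's hostnames and addresses, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from this thread): two checks for the two failures above.
#  failing_upstreams   - distinct host:port targets from nginx
#                        "connect() failed ... while connecting to upstream" lines
#  duplicate_upstreams - upstream{} names declared more than once (nginx -t emerg)
# Both sample inputs are constructed for this example, using the thread's values.

SAMPLE_LOG=$(cat <<'EOF'
2020/09/09 06:10:34 [error] 25108#25108: *9855 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.3, server: ihp.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "ihp.nsautomate.com.au"
2020/09/09 06:10:35 [error] 25108#25108: *9856 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.3, server: ihp.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "ihp.nsautomate.com.au"
2020/09/09 06:11:02 [error] 25108#25108: *9870 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.0.5, server: ihp.nsautomate.com.au, request: "GET /api/ HTTP/1.1", upstream: "http://192.168.0.3:3001/api/", host: "ihp.nsautomate.com.au"
EOF
)

# Count error-log lines per upstream host:port that refused the connection.
# Output: one "<host:port> <count>" line per target, sorted by host:port.
failing_upstreams() {
    printf '%s\n' "$1" \
      | grep 'connect() failed' \
      | sed -n 's|.*upstream: "http[s]*://\([^/"]*\).*|\1|p' \
      | sort | uniq -c | awk '{print $2, $1}'
}

SAMPLE_CONF=$(cat <<'EOF'
upstream ihp {
    server 192.168.0.3:3000;
}
upstream grafana {
    server 192.168.0.3:3001;
}
# a second copy pasted in by mistake; nginx -t rejects the whole config
upstream ihp {
    server 192.168.0.3:3000;
}
EOF
)

# Print each upstream name that is declared more than once (empty if none).
duplicate_upstreams() {
    printf '%s\n' "$1" \
      | sed -n 's|^[[:space:]]*upstream[[:space:]]\{1,\}\([^[:space:]{]\{1,\}\).*|\1|p' \
      | sort | uniq -d
}

echo "upstreams refusing connections (host:port count):"
failing_upstreams "$SAMPLE_LOG"
echo "duplicate upstream names:"
duplicate_upstreams "$SAMPLE_CONF"
```

To run it against a real host, feed it `$(cat /var/log/nginx/ihp.nsautomate.com.au/error.log)` and `$(cat /etc/nginx/sites-enabled/*.conf)` instead of the constructed samples; a host:port in the first list that is not listening on the nginx box is the reason for the 111 errors, regardless of the certificate.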

Please show the changed file (that didn’t work).