NGINX working for some time now broken? Cert issue?

Hi All

The errors I see are this:

2020/09/09 06:10:34 [error] 25108#25108: *9855 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.3, server: ihp.nsautomate.com.au, request: "GET /socket.io/?EIO=3&transport=polling HTTP/1.1", upstream: "http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling", host: "ihp.nsautomate.com.au"

Looking here, I see a remote certificate mismatch but im not an expert enough to determine if thats an issue

https://check-your-website.server-daten.de/?q=ihp.nsautomate.com.au

Most works, but the Google firebase notifications are failing and i see the above message.

Any thoughts as to what could be wrong? Certbot renews the cert so im a bit confused why it was working so well and now only notifications are failing? Login to the site is all fine etc.

Thanks!

Hi @KrisAU

is this

your server? If yes, fix your not working /socket.io/ proxy configuration.

Please read the output.

https://180.150.13.216/
180.150.13.216
	302
	https://ihp.nsautomate.com.au/login.htm?page=%2F
	6.267
	N
Certificate error: RemoteCertificateNameMismatch

Connects your code that address via the ip number?

No. So that result isn’t relevant.

1 Like

Hello JuergenAuer, thanks for the fast reply.

I havent made any changes, so it seems odd

There isnt anything in my NGINX configuration specific to socket.io

upstream ihp {

    server 192.168.0.3:3000;

}

upstream grafana {

    server 192.168.0.3:3001;

}

server {

    listen 80;
    listen [::]:80;

    server_name ihp.nsautomate.com.au;

    return 301 https://ihp.nsautomate.com.au$request_uri;

    server_tokens off; # This hide server version just in case someones needs it for a hack...

}

server {

    listen 443 ssl;
    listen [::]:443 ssl http2;

    server_name ihp.nsautomate.com.au;
    server_tokens off;

    access_log      /var/log/nginx/ihp.nsautomate.com.au/access.log;
    error_log       /var/log/nginx/ihp.nsautomate.com.au/error.log;

    #### SSL Config

    ssl_certificate         /etc/letsencrypt/live/ihp.nsautomate.com.au/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/ihp.nsautomate.com.au/privkey.pem;
    ssl_dhparam             /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout     1d;
    ssl_session_cache       shared:SSL:20m;
    ssl_session_tickets     off;
    ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;

ssl_protocols TLSv1.2 TLSv1.3; # This will affect old Browsers that doesn’t supports new versions of TLS (not SSL ;)).

    ssl_prefer_server_ciphers       on;
    ssl_ecdh_curve          secp384r1;
    ssl_ciphers             'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AE                                                                                                 S256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECD                                                                                                 HE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SH                                                                                                 A:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-G                                                                                                 CM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!R                                                                                                 C4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_stapling            on;
    ssl_stapling_verify     on;

    resolver                        8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout                5s;

    add_header                      Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header                      X-Frame-Options DENY;
    add_header                      X-Content-Type-Options nosniff;
    add_header                      X-XSS-Protection "1; mode=block";

    #### Compression - Can be disabled anytime but will help externally

    gzip                    on;
    gzip_disable            "msie6";
    gzip_vary                       on;
    gzip_proxied            any;
    gzip_comp_level                 9;
    gzip_buffers            16 8k;
    gzip_http_version               1.1;
    gzip_min_length                 256;
     gzip_types                     text/plain
                            text/css
                            application/json
                            application/javascript
                            application/x-javascript
                            text/xml
                            application/xml
                            application/xml+rss
                            text/javascript
                            application/vnd.ms-fontobject
                            application/x-font-ttf
                            font/opentype
                            image/svg+xml
                            image/x-icon;

  location / {

     proxy_pass                     http://ihp; # Defined on the upstream section
     proxy_set_header               X-Real-IP        $remote_addr;
     proxy_set_header               X-Forwarded-For  $proxy_add_x_forwarded_for;
     proxy_set_header               Host $http_host;
     proxy_set_header               X-Forwarded-SSL on;
     proxy_set_header               X-Forwarded-Proto https;
     proxy_redirect                 default;
     proxy_redirect                 http://$host/ https://$host/;
     proxy_redirect                 http://hostname/ https://$host/;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";

proxy_send_timeout 1200s;
proxy_read_timeout 1200s;
fastcgi_send_timeout 1200s;
fastcgi_read_timeout 1200s;
proxy_buffering off;

    }

Please read your own error message.

Your destination doesn’t work.

http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling

is buggy / Connection refused.

That’s an internal problem of your configuration, not a certificate problem.

So it’s completely unrelevant for this forum. Fix it.

1 Like

If i open the URL locally, it works just fine though which seems odd - http://192.168.0.3:3000/socket.io/?EIO=3&transport=polling, it works . Just not remotely through NGINX

Try this:

as this:
proxy_pass http://ihp/;

and this is kind of unrelated, if the returned links have IPs in them:

[or maybe you already fixed the secure URL with an IP issue]

Hello rg305

Im getting this:

kris@ihp:/etc/nginx/sites-enabled$ systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2020-09-09 09:38:45 AEST; 9s ago
Docs: man:nginx(8)
Process: 7021 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=2)
Process: 1341 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 7230 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Main PID: 1351 (code=exited, status=0/SUCCESS)

Sep 09 09:38:45 ihp systemd[1]: Starting A high performance web server and a reverse proxy server…
Sep 09 09:38:45 ihp nginx[7230]: nginx: [emerg] duplicate upstream “ihp” in /etc/nginx/sites-enabled/ihp.nsautomate.com.au.conf:3

If i restore it back to the old version, it starts again

Please show the changed file (that didn’t work).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.