Nginx x Certbot - port 3000

Hello guys,

I'm writing here because I'm not able to run my React application over https://
The React app was on port 3000, so I used nginx to "bind" it to port 80.
Here is my configuration file:

upstream app_nodejs {
  server 127.0.0.1:3000;   # React dev server (plain HTTP), run by pm2
}

server {
    #listen 80 is default
    server_name app.yetic.org;
    return 301 $scheme://mydomain.com$request_uri;
}

server {
    listen 80;
    listen   [::]:80;
    listen   443 default ssl;
    ssl on;   # deprecated since nginx 1.15.0; applies TLS to every listen in this block, port 80 included
    ssl_certificate    /etc/letsencrypt/live/app.yetic.org/fullchain.pem;
    ssl_certificate_key    /etc/letsencrypt/live/app.yetic.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    server_name app.yetic.org;

    if ($ssl_protocol = "") {
       rewrite ^   https://$server_name$request_uri? permanent;
    }

    location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_set_header X-NginX-Proxy true;

      proxy_pass https://app_nodejs;   # the upstream on :3000 speaks plain HTTP, not TLS
      proxy_redirect off;
    }

}

It works with app.yetic.org:3000, but not with http://app.yetic.org (which redirects to https://app.yetic.org), and https://app.yetic.org doesn't work (no answer from the server).

I'm working on an Ubuntu 22.04 VPS (at Infomaniak).

I generated my certificates with the following command: sudo certbot --nginx -d app.yetic.org

Thanks in advance,

Jajoe

Hello, welcome to the Let's Encrypt community. :slightly_smiling_face:

I assume you are using the HTTP-01 challenge (see Challenge Types - Let's Encrypt).

The HTTP-01 challenge section states:
"Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).

The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard."

Best Practice - Keep Port 80 Open

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

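
To make the quoted rules concrete, here is an added shell example that is not part of the Let's Encrypt documentation or of any post in this thread. `acme_redirect_ok` applies the same policy to a single redirect target (absolute http: or https: URL only, port 80 or 443 only, no IP address literals, at most 10 hops), and `probe_challenge_redirects` uses curl without certificate validation to walk the real redirect chain of a challenge URL one hop at a time, checking each hop with that policy. The function names and the probe token path are my own; the validator's real implementation is not reproduced here, only its documented rules.

```shell
#!/bin/sh
# Added example (not from the Let's Encrypt docs or the original post):
# apply the HTTP-01 redirect policy quoted above to one redirect target.
# Prints "follow: ..." and returns 0 when the validator would follow it,
# prints "reject: <reason>" and returns 1 otherwise.
# Callers pass absolute URLs (curl resolves relative Location headers).
acme_redirect_ok() {
    url=$1
    hop=${2:-1}          # position of this hop in the chain, 1-based
    if [ "$hop" -gt 10 ]; then
        echo "reject: more than 10 redirects"
        return 1
    fi
    scheme=${url%%://*}
    if [ "$scheme" = "$url" ]; then
        echo "reject: not an absolute URL"
        return 1
    fi
    case $scheme in
        http|https) ;;
        *) echo "reject: scheme '$scheme' (only http: or https: are followed)"; return 1 ;;
    esac
    authority=${url#*://}
    authority=${authority%%/*}      # drop the path
    authority=${authority%%\?*}     # ...and a query string with no path
    authority=${authority##*@}      # ...and any userinfo
    case $authority in
        \[*) echo "reject: IPv6 address literal"; return 1 ;;
        *:*) port=${authority##*:}; host=${authority%:*} ;;
        *)   host=$authority
             if [ "$scheme" = https ]; then port=443; else port=80; fi ;;
    esac
    if printf '%s\n' "$host" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        echo "reject: redirect to an IP address"
        return 1
    fi
    case $port in
        80|443) ;;
        *) echo "reject: port $port (only 80 and 443 are followed)"; return 1 ;;
    esac
    echo "follow: $scheme://$host:$port (hop $hop)"
    return 0
}

# Walk a real redirect chain the way the validator does: no certificate
# validation (-k), one hop at a time, each hop checked with the policy above.
# Needs network access, so it is not part of the offline checks.
probe_challenge_redirects() {
    url="http://$1/.well-known/acme-challenge/probe-token"   # hypothetical token path
    hop=1
    while :; do
        # Without -L curl does not follow; %{redirect_url} is the resolved target.
        next=$(curl -sk -o /dev/null -w '%{redirect_url}' "$url")
        if [ -z "$next" ]; then
            echo "final: $url"
            return 0
        fi
        acme_redirect_ok "$next" "$hop" || return 1
        url=$next
        hop=$((hop + 1))
    done
}

# Usage against the domain in this thread (needs network):
#   probe_challenge_redirects app.yetic.org
```

A redirect from the port 80 vhost to https://app.yetic.org:3000/... would be rejected by the first function, which is exactly why the challenge has to land on 80 or 443 even when the application itself lives on 3000.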

Hello,

Thanks for your answer :slight_smile:

My domain is: app.yetic.org

I ran this command: I modified the nginx config file, and then I ran systemctl restart nginx

Here is another config file I tried:

server {
    server_name app.yetic.org;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/app.yetic.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/app.yetic.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = app.yetic.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 ;
    listen [::]:80 ;
    server_name app.yetic.org;
    return 404; # managed by Certbot
}

It produced this output:
When I try to open http://app.yetic.org:3000, the React app runs well. If I try to open http://app.yetic.org, I get a redirection to https://app.yetic.org. When https://app.yetic.org is opened in the browser, I get nothing (the frontend doesn't get any answer).

My web server is:
nginx version: nginx/1.18.0 (Ubuntu), and I'm running my React application, created from create-react-app, on port 3000 (via pm2)

The operating system my web server runs on is : Ubuntu 22.04

My hosting provider is Infomaniak (a VPS)

I can login to a root shell on my machine

I'm not using a control panel to manage my application

The version of my client is certbot 1.21.0

Thanks in advance :slight_smile:


This latest nginx config looks much better.

But, I think your port 443 is being blocked by your router and/or firewall or something.

nmap -p80,443 app.yetic.org
Nmap scan report for app.yetic.org (195.15.212.109)

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https
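
The nmap result separates two failures that look identical from a browser: nothing listening on 443 at all, or nginx listening but a firewall dropping the SYN before it arrives ("filtered"). The following added shell script is not from the thread; it makes that triage repeatable by parsing `ss -ltn` output taken on the VPS and `nmap` output taken from outside, and printing one diagnosis. The function names are my own and the sample inputs are constructed to mirror this thread.

```shell
#!/bin/sh
# Added example (not from the original thread): separate "nothing is
# listening on the port" from "nginx listens but a firewall drops the
# packets", which is what the nmap result above points at.
# Inputs are passed as text so the logic runs offline:
#   ss_out   - output of `ss -ltn` run on the VPS (listening TCP sockets)
#   nmap_out - output of `nmap -p<port> host` run from outside the VPS

# Print the local addresses on which something listens on port $1,
# reading `ss -ltn` output from stdin (the header line is skipped).
listeners_on_port() {
    awk -v p="$1" '
        $1 != "LISTEN" { next }
        {
            # $4 is Local Address:Port, e.g. 0.0.0.0:443, [::]:443, *:3000
            i = match($4, /:[0-9]+$/)
            if (i && substr($4, i + 1) == p) print substr($4, 1, i - 1)
        }'
}

# Print nmap state for port $1 (open/closed/filtered), or "unknown" if
# the port was not in the scan, reading nmap output from stdin.
remote_state() {
    awk -v p="$1" '
        $1 == (p "/tcp") { print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# diagnose_port PORT SS_OUTPUT NMAP_OUTPUT -> one word naming the fault.
diagnose_port() {
    port=$1
    addrs=$(printf '%s\n' "$2" | listeners_on_port "$port")
    state=$(printf '%s\n' "$3" | remote_state "$port")
    if [ -z "$addrs" ]; then
        echo "no-listener"              # no listen directive for it, or nginx down
        return 0
    fi
    # Only loopback binds: up, but unreachable from outside whatever the firewall does.
    if ! printf '%s\n' "$addrs" | grep -Eqv '^(127\.|\[::1\])'; then
        echo "listener-loopback-only"
        return 0
    fi
    case $state in
        open)     echo "reachable" ;;
        filtered) echo "filtered-by-firewall" ;;   # SYN dropped before reaching nginx
        closed)   echo "closed-remotely" ;;        # RST came back: host reached, port not bound on that IP
        *)        echo "unknown-remote-state" ;;
    esac
}

# Constructed sample inputs (not real captures) mirroring this thread:
# nginx bound on 80 and 443, but 443 filtered from outside.
SS_SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 511 *:3000 *:*'
NMAP_SAMPLE='Nmap scan report for app.yetic.org (195.15.212.109)
PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https'

echo "port 443: $(diagnose_port 443 "$SS_SAMPLE" "$NMAP_SAMPLE")"   # filtered-by-firewall
echo "port 80:  $(diagnose_port 80 "$SS_SAMPLE" "$NMAP_SAMPLE")"    # reachable
# Live use: diagnose_port 443 "$(ss -ltn)" "$(nmap -p443 app.yetic.org)"
```

On Ubuntu the usual culprit for "filtered-by-firewall" is ufw: `sudo ufw status` shows the rules and `sudo ufw allow 443/tcp` (or the `Nginx Full` application profile the Ubuntu nginx package installs) opens the port; if the hosting provider also offers a network-level firewall in its panel, 443 has to be opened there as well. `sudo nginx -T | grep listen` is a quick way to confirm what nginx is configured to bind before blaming the firewall.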

Oh, thanks a lot! Indeed, only ports 80, 3000 and 8080 were open.
Now it's working, huge thanks :heart_eyes:


This seems problematic:

It is better to listen only to one port type per vhost.
Either secure or insecure, but not both.

