neko
January 18, 2021, 5:07pm
1
I had my website up and running. I made some changes to the HTML templates and restarted gunicorn with kill -HUP <pid>, following the official documentation. After that I'm facing ERR_TOO_MANY_REDIRECTS in the browser. What could be wrong in my nginx conf file for this to happen?
upstream capngo_server {
    server unix:/home/uday/website/cap_env/run/gunicorn.sock fail_timeout=0;
}

server {
    server_name capfoundationindia.com www.capfoundationindia.com;
    client_max_body_size 4G;
    access_log /home/uday/logs/nginx-access.log;
    error_log /home/uday/logs/nginx-error.log;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://capngo_server;
            break;
        }
    }

    error_page 500 502 503 504 /500.html;
    location = /500.html {
        root /home/uday/static/;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/capfoundationindia.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/capfoundationindia.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = capfoundationindia.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name capfoundation.com www.capfoundation.com;
    return 404; # managed by Certbot
}
1 Like
Osiris
January 18, 2021, 5:21pm
2
Well, currently, I'm getting a 404 File not found on port 80..? Which is kinda weird, because I would expect the redirect to HTTPS..
On HTTPS on port 443 however, I can see the redirect loop. I can't see it in nginx, but perhaps gunicorn is responsible for this redirect? I don't have any experience with gunicorn however. Can it produce some kind of access log to see what gets accessed and what response gunicorn produces?
In any case, as stated above, your HTTP to HTTPS redirect isn't working either, so that's something else to fix next to the HTTPS -> HTTPS redirect loop.
Also note that your certificate is only valid for capfoundationindia.com and not for the www subdomain www.capfoundationindia.com.
1 Like
neko
January 18, 2021, 7:42pm
3
Hey, thanks for replying, but I don't think gunicorn redirects URLs.
rg305
January 18, 2021, 10:21pm
4
This section makes little sense:
It says when the name is "capfoundationindia.com", then redirect.
But the section handles two names "capfoundation.com www.capfoundation.com".
So what happens when the name is "www.capfoundation.com"?
404
There must be more that you are not showing...
Try showing the full configuration:
nginx -T
2 Likes
neko
January 19, 2021, 2:22am
5
sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen localhost:110;
#        protocol pop3;
#        proxy on;
#    }
#
#    server {
#        listen localhost:143;
#        protocol imap;
#        proxy on;
#    }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:
types {
    text/html html htm shtml;
    text/css css;
    text/xml xml;
    image/gif gif;
    image/jpeg jpeg jpg;
    application/javascript js;
    application/atom+xml atom;
    application/rss+xml rss;
    text/mathml mml;
    text/plain txt;
    text/vnd.sun.j2me.app-descriptor jad;
    text/vnd.wap.wml wml;
    text/x-component htc;
    image/png png;
    image/tiff tif tiff;
    image/vnd.wap.wbmp wbmp;
    image/x-icon ico;
    image/x-jng jng;
    image/x-ms-bmp bmp;
    image/svg+xml svg svgz;
    image/webp webp;
    application/font-woff woff;
    application/java-archive jar war ear;
    application/json json;
    application/mac-binhex40 hqx;
    application/msword doc;
    application/pdf pdf;
    application/postscript ps eps ai;
    application/rtf rtf;
    application/vnd.apple.mpegurl m3u8;
    application/vnd.ms-excel xls;
    application/vnd.ms-fontobject eot;
    application/vnd.ms-powerpoint ppt;
    application/vnd.wap.wmlc wmlc;
    application/vnd.google-earth.kml+xml kml;
    application/vnd.google-earth.kmz kmz;
    application/x-7z-compressed 7z;
    application/x-cocoa cco;
    application/x-java-archive-diff jardiff;
    application/x-java-jnlp-file jnlp;
    application/x-makeself run;
    application/x-perl pl pm;
    application/x-pilot prc pdb;
    application/x-rar-compressed rar;
    application/x-redhat-package-manager rpm;
    application/x-sea sea;
    application/x-shockwave-flash swf;
    application/x-stuffit sit;
    application/x-tcl tcl tk;
    application/x-x509-ca-cert der pem crt;
    application/x-xpinstall xpi;
    application/xhtml+xml xhtml;
    application/xspf+xml xspf;
    application/zip zip;
    application/octet-stream bin exe dll;
    application/octet-stream deb;
    application/octet-stream dmg;
    application/octet-stream iso img;
    application/octet-stream msi msp msm;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
    audio/midi mid midi kar;
    audio/mpeg mp3;
    audio/ogg ogg;
    audio/x-m4a m4a;
    audio/x-realaudio ra;
    video/3gpp 3gpp 3gp;
    video/mp2t ts;
    video/mp4 mp4;
    video/mpeg mpeg mpg;
    video/quicktime mov;
    video/webm webm;
    video/x-flv flv;
    video/x-m4v m4v;
    video/x-mng mng;
    video/x-ms-asf asx asf;
    video/x-ms-wmv wmv;
    video/x-msvideo avi;
}

# configuration file /etc/nginx/sites-enabled/capngo.conf:
upstream capngo_server {
    # fail_timeout=0 means we always retry an upstream even if it failed
    # to return a good HTTP response (in case the Unicorn master nukes a
    # single worker for timing out).
    server unix:/home/uday/website/cap_env/run/gunicorn.sock fail_timeout=0;
}

server {
    server_name capfoundationindia.com www.capfoundationindia.com;
    client_max_body_size 4G;
    access_log /home/uday/logs/nginx-access.log;
    error_log /home/uday/logs/nginx-error.log;

    location /static/ {
        alias /home/uday/website/capngo/capngo_main/static/;
    }

    location /media/ {
        alias /home/uday/website/capngo/capngo_main/media/;
    }

    location / {
        # an HTTP header important enough to have its own Wikipedia entry:
        # http://en.wikipedia.org/wiki/X-Forwarded-For
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # enable this if and only if you use HTTPS, this helps Rack
        # set the proper protocol for doing redirects:
        proxy_set_header X-Forwarded-Proto https;
        # pass the Host: header from the client right along so redirects
        # can be set properly within the Rack application
        proxy_set_header Host $http_host;
        # we don't want nginx trying to do something clever with
        # redirects, we set the Host: header above already.
        proxy_redirect off;
        # set "proxy_buffering off" *only* for Rainbows! when doing
        # Comet/long-poll stuff. It's also safe to set if you're
        # using only serving fast clients with Unicorn + nginx.
        # Otherwise you _want_ nginx to buffer responses to slow
        # clients, really.
        # proxy_buffering off;
        # Try to serve static files from nginx, no point in making an
        # *application* server like Unicorn/Rainbows! serve static files.
        if ($host = capfoundationindia.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
    }

    # Error pages
    error_page 500 502 503 504 /500.html;
    location = /500.html {
        root /home/uday/static/;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/capfoundationindia.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/capfoundationindia.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    listen 80;
    server_name capfoundationindia.com www.capfoundationindia.com;
    return 404; # managed by Certbot
}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "########";
1 Like
rg305
January 19, 2021, 5:10am
6
Technically... I can't find a real problem.
But for whatever reason, certbot with --nginx doesn't seem to work well with it.
[loop found - see next post]
I would change that to:
certbot with --webroot -w /some/new/challenge/folder
Which you would have to make an exclusion for in the port 80 redirection.
Change:
To:
server {
    listen 80;
    location ~ ^/(?!\.well-known) { # skip challenge requests
        return 301 https://$host$request_uri; # send requests to HTTPS
    } # location
    root /some/new/challenge/folder; # you will need to properly name and create this path
} # server
1 Like
rg305
January 19, 2021, 5:12am
7
This section loops onto itself:
1 Like
neko
January 19, 2021, 5:14am
8
Yes, I thought that too so I tried removing the if statement but I don't understand why that didn't work either.
rg305
January 19, 2021, 5:14am
9
It remains in the 443 section.
Which loops it to the 443 section.
Which loops it to the 443 section.
Which loops it to the 443 section.
...
LOL
You removed it from the port 80 section.
1 Like
rg305
January 19, 2021, 5:21am
10
You could try just adding "www."
Change:
To:
return 301 https://www.$host$request_uri;
So that when it's the short name it goes to the longer name.
And when it's the longer name it skips the redirection.
1 Like
neko
January 19, 2021, 5:22am
11
OMG! This actually worked.
I removed it from port 80 earlier.
Removed it from 443 and everything's fine.
1 Like
rg305
January 19, 2021, 5:24am
12
Of course it worked! - LOL
That section was within the HTTPS server section, and said:
When this name "", go to the HTTPS server section for content.
Which would send it to itself (over and over).
[when you entered the short name]
But since both names need to be validated, the validation would continue to fail.
2 Likes
rg305
January 19, 2021, 5:26am
13
I don't know about everything being fine...
You probably have no redirections at all now.
It is definitely closer to being fine!
1 Like
neko
January 19, 2021, 6:11am
14
I added the redirection code back to port 80 section and now it redirects me to https.
1 Like
rg305
January 19, 2021, 6:25am
15
A little bit better.
There are four possible ways to connect:
http://capfoundationindia.com
http://www.capfoundationindia.com
https://capfoundationindia.com
https://www.capfoundationindia.com
Right now only #1 redirects to #3.
#2 returns:
    curl -Iki http://www.capfoundationindia.com
    HTTP/1.1 404 Not Found
Both (#3 & #4) return Forbidden, so I'm not sure if either of them work:
    curl -Iki https://capfoundationindia.com
    HTTP/1.1 403 Forbidden
    Server: nginx/1.18.0 (Ubuntu)
    Date: Tue, 19 Jan 2021 06:24:06 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive

    curl -Iki https://capfoundationindia.com/
    HTTP/1.1 403 Forbidden
    Server: nginx/1.18.0 (Ubuntu)
    Date: Tue, 19 Jan 2021 06:24:11 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
1 Like
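The layout below is an added example, not a configuration posted in this thread. It puts together what the replies established: a redirect inside the HTTPS server whose target is that same server loops (post 12), a port 80 block that only tests one host name leaves the www name answering 404 (post 15), and making the www name canonical lets the bare name redirect without a self-referencing `if` (post 10). Socket, log and certificate paths are the ones from the nginx -T output; it assumes the certificate has been reissued to cover both names (for example with `certbot --nginx -d capfoundationindia.com -d www.capfoundationindia.com`) and that /var/www/certbot is the webroot handed to certbot for ACME challenges.

```nginx
# Added example (not the thread's own configuration). Paths come from the
# nginx -T output in the thread; /var/www/certbot is an assumed webroot.

# --- What looped: this 'if' sat inside the HTTPS server's "location /".
# https://capfoundationindia.com/ matches the host test, receives a 301 to
# https://capfoundationindia.com/, lands in the same block, and so on.
#
#   location / {
#       if ($host = capfoundationindia.com) {
#           return 301 https://$host$request_uri;   # target is this very server
#       }
#       proxy_pass http://capngo_server;
#   }

upstream capngo_server {
    server unix:/home/uday/website/cap_env/run/gunicorn.sock fail_timeout=0;
}

# Port 80, both names: keep the ACME challenge path reachable over plain
# HTTP and send everything else to the canonical HTTPS name in one hop.
server {
    listen 80;
    server_name capfoundationindia.com www.capfoundationindia.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;   # assumed: certbot --webroot -w /var/www/certbot
    }

    location / {
        return 301 https://www.capfoundationindia.com$request_uri;
    }
}

# Port 443, bare name: its only job is to redirect to the www name.
# No 'if' is needed; server_name selection already tells the hosts apart.
server {
    listen 443 ssl;
    server_name capfoundationindia.com;

    ssl_certificate     /etc/letsencrypt/live/capfoundationindia.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/capfoundationindia.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    return 301 https://www.capfoundationindia.com$request_uri;
}

# Port 443, canonical name: serves the application and never redirects,
# so no request can be bounced back into this block.
server {
    listen 443 ssl;
    server_name www.capfoundationindia.com;

    ssl_certificate     /etc/letsencrypt/live/capfoundationindia.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/capfoundationindia.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    client_max_body_size 4G;
    access_log /home/uday/logs/nginx-access.log;
    error_log  /home/uday/logs/nginx-error.log;

    location /static/ {
        alias /home/uday/website/capngo/capngo_main/static/;
    }

    location /media/ {
        alias /home/uday/website/capngo/capngo_main/media/;
    }

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://capngo_server;
    }

    error_page 500 502 503 504 /500.html;
    location = /500.html {
        root /home/uday/static/;
    }
}
```

After `nginx -t` and a reload, each of the four forms listed in post 15 should reach https://www.capfoundationindia.com/ in at most one hop, which `curl -Iki` on each of them will show as a single 301 followed by the application's response. One caveat visible in the nginx -T dump: the http-level `ssl_protocols` in nginx.conf still lists TLSv1 and TLSv1.1. For the blocks above the Certbot include sets `ssl_protocols TLSv1.2 TLSv1.3` at server level, which takes precedence, but any other TLS server block on the same host that does not carry that include would still offer the old versions.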
neko
January 19, 2021, 6:34am
16
Ones with www. are not redirected. For 403, it's an error on my side with the nginx file which I'm working on.
1 Like
system
Closed
February 18, 2021, 6:35am
17
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.