nginx + letsencrypt problems
Posts: 6
Threads: 2
Joined: Oct 2016
Reputation:
0
[Not Solved]
Oct 21, 2016, 02:23 PM
(This post was last modified: Oct 21, 2016, 02:25 PM by fear.)
i've run into some problems when following this guide. first, snippets/proxy-control.conf for the deluge doesn't exist on my machine and no clue what to put in it. second, after commenting out the deluge section nginx config shows no errors, however when trying to visit any of the pages for any of the services i have running i get the following error using chrome:
This site can’t provide a secure connection
<dynamic_dns_address> sent an invalid response
ERR_SSL_PROTOCOL_ERROR
original error i posted was when using chrome,
this is what ff tells me:
Secure Connection Failed
An error occurred during a connection to my.d.dns.address SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
nginx is running on ubuntu server 16.04
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Not Solved]
Oct 21, 2016, 03:00 PM
(This post was last modified: Oct 21, 2016, 03:05 PM by drake.)
Ok, we will solve this. I'm not home yet, until then: did you try with other browser, like Chrome or IE?
You installed nginx from the ppa that is in the guide?
Can you try to access your nginx server from outside of your local network, from 3G/4G on mobile, or any other way?
I don't know why you don't have the proxy control snippet, but I will send you the content when home.
When you requested the LE certificates, it went fine, no errors reported?
Sent from my Xperia Z3 Compact using Tapatalk
One more thing: what is the result of the ssl test that is in the guide? Can you post the result of the test?
Sent from my Xperia Z3 Compact using Tapatalk
Posts: 6
Threads: 2
Joined: Oct 2016
Reputation:
0
[Not Solved]
Oct 21, 2016, 09:10 PM
(Oct 21, 2016, 03:00 PM)drake Wrote: Ok, we will solve this. I'm not home yet, until then: did you try with other browser, like Chrome or IE?
You installed nginx from the ppa that is in the guide?
Can you try to access your nginx server from outside of your local network, from 3G/4G on mobile, or any other way?
I don't know why you don't have the proxy control snippet, but I will send you the content when home.
When you requested the LE certificates, it went fine, no errors reported?
Sent from my Xperia Z3 Compact using Tapatalk
One more thing: what is the result of the ssl test that is in the guide? Can you post the result of the test?
Sent from my Xperia Z3 Compact using Tapatalk
ive tried with chrome, ff and edge
installed nginx while following the guide for vpn split tunneling which seems to be the standard ubuntu ppa as neither guide made mention of adding a different one
just tested and was able to access the server from my phone so yes to outside local network
correct no errors that i can recall when i requested the certs
ive got everything running without the ssl reverse proxy config atm so i can still use the server and it's fine for that. the issue only appears when i switch to the ssl config
thanks for taking the time to help
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Not Solved]
Oct 22, 2016, 11:51 AM
(This post was last modified: Oct 22, 2016, 11:52 AM by drake.)
OK, just to make clear, if you try to access your server from your phone (not from wifi, but mobile network), then you can access it, while nginx is running LE certs, configured as per the guide? The problem is only from your local network?
Please give me the output of your reverse proxy config (you can mask out your dyndns address)
Code:
sudo cat /etc/nginx/sites-available/reverse
Here is the proxy-control.conf content (no idea why you don't have it), put it in:
Code:
sudo nano /etc/nginx/snippets/proxy-control.conf
Copy and paste:
Code:
proxy_connect_timeout 59s;
proxy_send_timeout 600;
proxy_read_timeout 36000s; ## Timeout after 10 hours
proxy_buffer_size 64k;
proxy_buffers 16 32k;
proxy_pass_header Set-Cookie;
proxy_hide_header Vary;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_set_header Accept-Encoding '';
proxy_ignore_headers Cache-Control Expires;
proxy_set_header Referer $http_referer;
proxy_set_header Host $host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port '443';
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Authorization '';
proxy_buffering off;
proxy_redirect off;
And let me know the output of:
Code:
sudo /opt/certbot/certbot-auto renew
And finally, the output of:
Posts: 6
Threads: 2
Joined: Oct 2016
Reputation:
0
[Not Solved]
Oct 22, 2016, 04:59 PM
(Oct 22, 2016, 11:51 AM)drake Wrote: OK, just to make clear, if you try to access your server from your phone (not from wifi, but mobile network), then you can access it, while nginx is running LE certs, configured as per the guide? The problem is only from your local network?
i misunderstood your question before, no does not work while running le certs either forgot about that when i checked and had been using the non secured version at that point.
Code:
sudo cat /etc/nginx/sites-available/reverse
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name ddns.address 192.168.1.31;
    return 301 https://$server_name$request_uri;
}
server {
    # SSL configuration
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include /etc/nginx/snippets/strong-ssl.conf;
    ssl_certificate /etc/letsencrypt/live/ddns.address/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ddns.address/privkey.pem;
    # Root location
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    # Basic Auth to protect the site
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    # Change the client side error pages (4xx) to prevent some information disclosure
    error_page 401 403 404 /404.html;
    # First attempt to serve request as file, then as directory,
    # then fall back to displaying a 404.
    location / {
        try_files $uri $uri/ =404;
    }
    # Deny access to .htaccess files, if Apache's document
    # root concurs with nginx's one
    location ~ /\.ht {
        deny all;
    }
    # Let's Encrypt Webroot plugin location -- allow access
    location ~ /.well-known {
        allow all;
    }
    # Location settings for reverse proxy; enable those you wish to use
    # by removing the # from the section between the location line and the last }
    #
    # Transmission
    # location /transmission {
    #     proxy_pass http://127.0.0.1:9091;
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # }
    #
    # Deluge
    location /deluge {
        proxy_pass http://localhost:8112/;
        proxy_set_header X-Deluge-Base "/deluge/";
        include snippets/proxy-control.conf;
    }
    #
    # NZBGet
    # location /nzbget {
    #     proxy_pass http://127.0.0.1:6789;
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # }
    #
    # Sonarr
    location /sonarr {
        proxy_pass http://127.0.0.1:8989;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    #
    # SickRage
    # location /sickrage {
    #     proxy_pass http://127.0.0.1:8081;
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # }
    #
    # CouchPotato
    location /couchpotato {
        proxy_pass http://127.0.0.1:5050;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    #
    # Madsonic
    # location /madsonic {
    #     proxy_pass http://127.0.0.1:4040;
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # }
    #
    # Headphones
    # location /headphones {
    #     proxy_pass http://127.0.0.1:8181;
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # }
    #
    # PlexPy
    location /plexpy {
        proxy_pass http://127.0.0.1:8181;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    #
    # Monit
    # location /monit/ {
    #     rewrite ^/monit/(.*) /$1 break;
    #     proxy_ignore_client_abort on;
    #     proxy_pass https://127.0.0.1:2812;
    #     proxy_set_header Host $host;
    # }
    #
    # HTPC Manager
    location /htpc {
        proxy_pass http://127.0.0.1:8085;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    #
    # Plex
    location /web {
        proxy_pass http://127.0.0.1:32400;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /plex {
        proxy_pass http://127.0.0.1/web;
    }
    #
    # PlexRequests.net
    location /request {
        proxy_pass http://127.0.0.1:3579;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Code:
sudo /opt/certbot/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ddns.address.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/ddns.address/fullchain.pem (skipped)
No renewals were attempted.
Code:
nginx -v
nginx version: nginx/1.10.0 (Ubuntu)
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Not Solved]
Oct 22, 2016, 07:17 PM
It looks good to me. Do you have port 443 forwarded to your server in the router?
Sent from my Xperia Z3 Compact using Tapatalk
Posts: 6
Threads: 2
Joined: Oct 2016
Reputation:
0
[Not Solved]
Oct 22, 2016, 08:14 PM
(Oct 22, 2016, 07:17 PM)drake Wrote: It looks good to me. Do you have port 443 forwarded to your server in the router?
Sent from my Xperia Z3 Compact using Tapatalk
wow yea, im bad, i had it forwarded but the rule was toggled off...
seems to be working well now
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Not Solved]
Oct 22, 2016, 08:18 PM
Great, glad we solved it!
Btw, I really don't know why was proxy-control.conf missing for you. Now that you have it, Deluge reverse proxy is working too?
Sent from my Xperia Z3 Compact using Tapatalk
Posts: 6
Threads: 2
Joined: Oct 2016
Reputation:
0
[Not Solved]
Oct 22, 2016, 08:47 PM
yes, deluge works as does everything else so far
thanks a lot for the help and yea no clue why proxy-control.conf was missing
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Not Solved]
Oct 22, 2016, 08:51 PM
You are welcome!
Sent from my Xperia Z3 Compact using Tapatalk
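A check for the symptom reported at the top of this thread, as an added example that is not part of any post: Firefox's SSL_ERROR_RX_RECORD_TOO_LONG means the first bytes that came back on port 443 did not parse as a TLS record, so whatever answered was not nginx's TLS listener. The function names and the sample bytes are constructed for illustration; the host passed to `probe` is the reader's own.

```python
import socket
import ssl

TLS_MAX_RECORD = 2**14 + 2048  # largest TLS 1.2 ciphertext record (RFC 5246)
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def client_hello(host: str) -> bytes:
    """Build a real ClientHello in memory, without touching the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake now waits for the server's reply
    return outgoing.read()


def length_as_tls_record(data: bytes) -> int:
    """Record length a TLS client reads from bytes 3-4 of whatever came back."""
    return int.from_bytes(data[3:5], "big")


def classify_first_bytes(data: bytes) -> str:
    """Name the kind of service that produced the first bytes read from a port."""
    if len(data) < 5:
        return "no-data"
    if data[:5] == b"HTTP/":
        return "plaintext-http"
    version_ok = data[1] == 3 and data[2] <= 4
    if data[0] in TLS_TYPES and version_ok and length_as_tls_record(data) <= TLS_MAX_RECORD:
        return "tls-" + TLS_TYPES[data[0]]
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify the first bytes of the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(client_hello(host))
            return classify_first_bytes(sock.recv(16))
    except OSError as exc:  # refused, reset, timed out
        return "connect-failed: " + exc.__class__.__name__


# Constructed sample: the start of a plain HTTP error page, as a TLS client parses it.
SAMPLE = b"HTTP/1.1 400 Bad Request\r\n"
```

Running `probe` against the public name from outside the LAN and against the server's LAN address from inside shows whether both paths reach the same listener: a `tls-handshake` or `tls-alert` result means a TLS server answered, anything else means the connection ended up somewhere other than the nginx SSL server block.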