I have a rails 6 app with /cable websocket and nginx reverse proxy
I put same config as another server (who works fine) :
in production.rb
config.action_cable.url = 'wss://domain.fr:8001/cable'
config.action_cable.allowed_request_origins = ['https://domain.fr', 'http://domain.fr']
config.action_cable.mount_path = '/cable'
in routes :
mount ActionCable.server => '/cable'
in JS :
ActionCable.createConsumer 'wss://domain.fr:8001/cable'
in proxy :
server {
listen 443 ssl http2;
server_name domain.fr;
if ($host ~ '^www\.') { return 301 https://domain.fr$request_uri; }
ssl_certificate /etc/letsencrypt/live/domain.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.fr/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/domain.fr/fullchain.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /home/liberty/dhparams.pem;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-Ssl on; # Optional
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;
location / {
proxy_pass http://127.0.0.1:90;
}
location /cable {
proxy_pass http://127.0.0.1:8001;
}
access_log /var/log/rsh_proxy.access.log;
error_log /var/log/rsh_proxy.error.log;
location ~*^.+(swf|jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js)$ {
proxy_pass http://127.0.0.1:90;
proxy_cache cache;
proxy_cache_valid 9999d;
expires max;
}
}
in vhost :
server {
listen 8001 default_server;
listen [::]:8001 default_server ipv6only=on;
server_name domain.fr;
root /var/www/domain/public;
passenger_enabled on;
passenger_app_group_name MYAPP_action_cable;
passenger_app_type rack;
passenger_startup_file cable/config.ru;
passenger_force_max_concurrent_requests_per_process 0;
access_log /var/log/rsh_cable.access.log combined;
error_log /var/log/rsh_cable.error.log;
}
I try restart nginx but nothing new
the error in chrome console :
WebSocket connection to 'wss://domain.fr:8001/cable' failed: Error in connection establishment: net::ERR_SSL_PROTOCOL_ERROR
PS : port in firewall as open ;)
EDIT : exemple of log in /var/log/rsh_cable.access.log :
37.170.142.84 - - [29/Jul/2020:02:34:13 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x9F\x19\x1E\xA7\x96\xDBC\x98\x92\xCC.<S\xBC\x02\x04Jd\xB4M\x03uK\xA8\x1D\xEE\x0B\x96\xA2]\x1A\xD6 \x08\x1C\xC73/f\x8CaA\xFD/\xAA\xFE\xC1\xCB\x9A+\x9A(8)\xD7\xE1\xB8nR\x15!\x99\xD4^\xEA\x00\x22\x9A\x9A\x13\x03\x13\x01\x13\x02\xCC\xA9\xCC\xA8\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00" 400 157 "-" "-"
37.170.142.84 - - [29/Jul/2020:02:34:17 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03" 400 157 "-" "-"
37.170.142.84 - - [29/Jul/2020:02:34:32 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03Y\xBD\x08i\x1D\x9C\x83{\x0B\xE3\x9E\x02P\x99\xBDJ#\xD5\xFB50\x17 T\x10\xB3\x09O\xFA9\x07: \xEE\x1A\xE9x\xC3oI\xE1\xB7b\x5C\xD3\xF8\xE1\x03\xF0\x86(\xAB\xB1\xB9\xEA=d\x19\xB0ul\x8D\xF0\xED\x8B\x00 \xDA\xDA\x13\x03\x13\x01\x13\x02\xCC\xA9\xCC\xA8\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x01\x00\x01\x93\x9A\x9A\x00\x00\x00\x00\x00\x0E\x00\x0C\x00\x00\x09domain.fr\x00\x17\x00\x00\xFF\x01\x00\x01\x00\x00" 400 157 "-" "-"
37.170.142.84 - - [29/Jul/2020:02:34:32 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xA30O\xF7\xF0\x09" 400 157 "-" "-"
37.170.142.84 - - [29/Jul/2020:02:34:54 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x97\x04b" 400 157 "-" "-"
37.170.142.84 - - [29/Jul/2020:02:34:54 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xEAx\x19\x0Bg\xEB:E\x13x\x87WVd\xD4\xCFXA-\xD4\x09v\x17\xCC\xA4x\x19xP\xCA\xAB\xD8 )\x07+\xF4\xFA=U\xB1z\xDE\xD9\x1D\x11\xCFE\xF3\x97/\xC1y!\xE7u\xE68#&\xD7\xCF\xEB\xB5\x90\x00 JJ\x13\x03\x13\x01\x13\x02\xCC\xA9\xCC\xA8\xC0+\xC0/\xC0,\xC00\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x01\x00\x01\x93JJ\x00\x00\x00\x00\x00\x0E\x00\x0C\x00\x00\x09domain.fr\x00\x17\x00\x00\xFF\x01\x00\x01\x00\x00" 400 157 "-" "-"
In config you should specify final actioncable url that is going to be accessible by the end user.
Since you're using additional proxy - that is going to be wss://www.domain.fr/cable, and your port 8001 should be closed in firewall for everything except the proxy, since it's not ssl-terminated (hence the ssl error)
Also make sure that http 1.1 is correctly proxied with necessary headers:
location /cable {
proxy_pass http://127.0.0.1:8001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# not always needed, but in some setups can be necessary:
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Real-IP $remote_addr;
}
Related
Have deployed my Rails 5.2 app via Capistrano, and am having problems with ActionCable. I am using Nginx, Puma and Lets Encrypt.
I have tried many combinations of configuration, but each time am receiving the same error. I am not sure how to debug this issue, and suggestions as well and any tips on re-arranging my ngnx.conf would be well-appreciated.
Have changed the real website to website.com
nginx.conf
upstream puma {
server unix:///home/deploy/apps/website/shared/tmp/sockets/website-puma.sock;
}
server {
server_name website.com www.website.com;
root /home/deploy/apps/website/current/public;
index index.html;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri #puma;
location #puma {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://puma;
}
location /cable {
proxy_pass http://puma;
proxy_http_version 1.1;
proxy_set_header Upgrade websocket;
proxy_set_header Connection Upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 10M;
keepalive_timeout 10;
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/website.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.website.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = website.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name website.com www.website.com;
return 404; # managed by Certbot
}
config/production.rb
config.action_cable.mount_path = '/cable'
config.action_cable.url = 'wss://website.com/cable'
config.action_cable.allowed_request_origins = [ 'https://website.com', 'http://website.com' ]
Error Message
Reviewed posts
Rails5 Action Cable Nginx 404 and 502 errors
ActionCable on AWS: Error during WebSocket handshake: Unexpected response code: 404
Actioncable Nginx and Puma WebSocket handshake: Unexpected response
UPDATE
Updated nginx.conf
upstream puma {
server unix:///home/deploy/apps/immersive/shared/tmp/sockets/immersive-puma.sock;
}
server {
if ($host = www.immersive.ch) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = immersive.ch) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name immersive.ch www.immersive.ch;
return 404; # managed by Certbot
}
server {
server_name immersive.ch www.immersive.ch;
root /home/deploy/apps/immersive/current/public;
index index.html;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri #puma;
location #puma {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://puma;
}
location /cable {
proxy_pass http://puma;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_request_headers on;
proxy_buffering off;
proxy_redirect off;
break;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 10M;
keepalive_timeout 10;
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/immersive.ch/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/immersive.ch/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
production.rb
config.action_cable.mount_path = '/cable'
config.action_cable.url = 'wss://immersive.ch/cable'
config.action_cable.allow_same_origin_as_host = true
config.action_cable.allowed_request_origins = [ '*' ]
#config.action_cable.allowed_request_origins = [ 'https://immersive.ch', 'http://immersive.ch' ]
Partial output of curl
> GET /cable HTTP/1.1
> Host: immersive.ch
> User-Agent: curl/7.54.0
> Accept: */*
> Origin: https://immersive.ch
> Sec-WebSocket-Key: MIN4DsiwEAutsE11kgG5rg==
> Upgrade: websocket
> Connection: Upgrade
> Sec-WebSocket-Version: 13
>
< HTTP/1.1 404 Not Found
< Server: nginx/1.15.5 (Ubuntu)
< Date: Tue, 16 Apr 2019 20:10:43 GMT
< Content-Type: text/plain
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: no-cache
< X-Request-Id: 7a9aa8f1-676d-419b-9e4f-0c1bb38bcaa2
< X-Runtime: 0.004730
<
* Connection #0 to host immersive.ch left intact
Page not found%
puma.rb
threads_count = ENV.fetch("RAILS_MAX_THREADS") { 5 }.to_i
threads threads_count, threads_count
port ENV.fetch("PORT") { 3000 }
environment ENV.fetch("RAILS_ENV") { "development" }
workers 2
daemonize true
plugin :tmp_restart
EDIT 2
/var/logs/nginx/access.log
HTTP/1.1" 200 4447 "https://immersive.ch/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"
xxx.xxx.xxx.xxx - - [16/Apr/2019:22:33:58 +0200] "GET /cable HTTP/1.1" 404 24 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"
xxx.xxx.xxx.xxx - - [16/Apr/2019:22:33:59 +0200] "GET /cable HTTP/1.1" 404 24 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"
puma.error.log
I, [2019-04-16T22:39:06.100106 #21136] INFO -- : [80dc2a43-13e1-499e-a8f6-9fd54d48270b] Started GET "/cable" for xxx.xxx.xxx.xxx at 2019-04-16 22:39:06 +0200
I, [2019-04-16T22:39:06.103811 #21136] INFO -- : [80dc2a43-13e1-499e-a8f6-9fd54d48270b] Started GET "/cable/"[non-WebSocket] for xxx.xxx.xxx.xxx at 2019-04-16 22:39
E, [2019-04-16T22:39:06.103943 #21136] ERROR -- : [80dc2a43-13e1-499e-a8f6-9fd54d48270b] Failed to upgrade to WebSocket (REQUEST_METHOD: GET, HTTP_CONNECTION: close, HTTP_UPGRADE: )
I, [2019-04-16T22:39:06.104062 #21136] INFO -- : [80dc2a43-13e1-499e-a8f6-9fd54d48270b] Finished "/cable/"[non-WebSocket] for xxx.xxx.xxx.xxx at 2019-04-16 22:39
puma.access.log
2019-04-16 20:58: HTTP parse error, malformed request (127.0.0.1): #<Puma::HttpParserError: Invalid HTTP format, parsing fails.>
ActionCable answers 404 when Origin header is missing or does not match/invalid.
Check that it's not you regular 404:
curl -v 'https://your_site.com/cable' -H 'Origin: https://your_site.com' -H 'Sec-WebSocket-Key: MIN4DsiwEAutsE11kgG5rg==' -H 'Upgrade: websocket' -H 'Connection: Upgrade' -H 'Sec-WebSocket-Version: 13'
When everything is fine there'll be HTTP/1.1 101 Switching Protocols, on origin mismatch - just Page not found body, or your regular 404 page if there's some other routing trouble.
Make sure allowed_request_origins in settings is correct. Note that it includes port, if it's non-standard. Check which Origin browser sends in devtools
Also there's config.action_cable.allow_same_origin_as_host = true (the default, needs correct Host and X-Forwarded-Proto headers)
Then we need nginx to pass all the headers that are being used to reconstruct origin:
location /cable {
proxy_pass http://puma;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme; # <- most probably this one is missing
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_request_headers on; # this is default, but just to be sure
proxy_buffering off;
proxy_redirect off;
break;
}
Update:
Remaining two cases when activecable responds with this is failed connection authentication and missing websocket driver(should not be the case for puma)
I'm trying to connect to an ActionCable websocket and everything works fine running locally with just Puma and without nginx.
However, when I try to do the exact same thing on my staging environment, the connection is immediately closing after connecting. I am able to get the downstream welcome messages and maybe a ping.
However, the connection abruptly closes without any of the onClose callbacks so my guess is nginx is not letting the connection persist.
Here is my sites nginx configuration.
upstream app {
# Path to Puma SOCK file, as defined previously
server unix:/home/deploy/my-app/shared/tmp/sockets/puma.sock fail_timeout=60;
keepalive 60;
}
server {
listen 80;
server_name localhost;
# websocket_pass websocket;
root /home/deploy/my-app/current/public;
try_files $uri/index.html $uri #app;
location #app {
proxy_pass http://app;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
}
#location / {
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header Host $host;
# proxy_redirect off;
# proxy_http_version 1.1;
# proxy_set_header Connection '';
# proxy_pass http://app;
#}
location ~ ^/(assets|fonts|system)/|favicon.ico|robots.txt {
gzip_static on;
expires max;
add_header Cache-Control public;
}
location /cable {
proxy_pass http://app;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 10;
}
I also found this error in nginx error logs:
2019/02/11 21:08:35 [error] 10233#10233: *2 recv() failed (104: Connection reset by peer) while proxying upgraded connection, client: x.x.x.x, server: localhost, request: "GET /cable/ HTTP/1.1", upstream: "http://unix:/home/deploy/wr-api/shared/tmp/sockets/puma.sock:/cable/", host: "x.x.x.x"
So after some time, we noticed that the staging environment cable.yml had this value for url:
url: <%= ENV.fetch("REDIS_URL") { "redis://localhost:6379/1" } %>
Removing that value and all other values except for adapter: staging fixed it for us.
New cable.yml staging config:
staging:
adapter: redis
Working!
Hello I am trying to setup a reverse proxy with nginx and docker container rails app, public static files are served correctly but can not access to my app. the nginx error log says:
2018/12/08 16:46:45 [error] 4093#4093: *350 could not find named location "#puma", client: xx.xxx.xxx.xx, server: my.app, request: "GET /en/users/sign_in HTTP/2.0",host: "my.app", referrer: "https://my.app/"
my nginx config is this:
upstream puma {
server 0.0.0.0:3000;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name my.app;
root /var/www/myapp/public;
# SSL
ssl_certificate /etc/letsencrypt/live/my.app/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.app/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/my.app/fullchain.pem;
include snippets/letsencrypt.conf;
include snippets/ssl.conf;
# reverse proxy
location / {
proxy_pass http://puma; # => http://0.0.0.0:3000
proxy_set_header Host $http_host; # => $host
proxy_set_header X-Forwarded-Proto $scheme; # => "https"
proxy_set_header X-Forwarded-Host $host; # => 0.0.0.0
proxy_set_header X-Forwarded-Port $server_port; # => 3000
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache_bypass $http_upgrade;
# index fallback
try_files $uri $uri/ /index.html;
}
# . files
location ~ /\. {
deny all;
}
# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?)$ {
expires 7d;
access_log off;
}
# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
expires 7d;
access_log off;
}
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
# error pages
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/www/myapp/public;
}
error_page 404 /404.html;
location = /404.html {
root /var/www/myapp/public;
}
}
# subdomains redirect
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name _ *.my.app;
# SSL
ssl_certificate /etc/letsencrypt/live/my.app/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.app/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/my.app/chain.pem;
include snippets/letsencrypt.conf;
include snippets/ssl.conf;
return 301 https://my.app$request_uri;
}
# HTTP redirect
server {
listen 80;
listen [::]:80;
server_name _ .my.app my.app;
include snippets/letsencrypt.conf;
return 301 https://my.app$request_uri;
}
the rails container start thru docker-compose with this setup:
version: '3.2'
services:
web:
command: rails server -p '3000' -b '0.0.0.0' -e production
ports:
- '3000:3000'
I have tried also with unix socket to connect puma and nginx without success
I am trying to reverse proxies a ruby project on GCP with NGINX, my /etc/nginx/sites-available/default file looks like this
server {
large_client_header_buffers 4 16k;
listen 80 default_server;
#server_name my-devops-staging.com
listen [::]:80 default_server;
#return 301 https://$host$request_uri;
# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/nginx/certificate.crt;
ssl_certificate_key /etc/nginx/key.key;
ssl off;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
location / {
proxy_set_header Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass http://localhost:8080;
# proxy_read_timeout 300;
proxy_read_timeout 9000;
proxy_request_buffering off;
proxy_buffering off;
proxy_redirect off;
}
}
What could I be doing wrong, whenever I run
$ sudo service nginx restart
I get these errors in the error.log
2018/03/27 08:32:50 [error] 2959#2959: *64 upstream prematurely closed connection while reading response header from upstream, client: 130.211.2.175, server: , request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8080/", host: "my-devops-staging.com"
2018/03/27 08:32:53 [error] 2959#2959: *66 upstream prematurely closed connection while reading response header from upstream, client 130.211.2.87, server: , request: "GET / HTTP/1.1", upstream: http://127.0.0.1:8080/", host: "my-devops-staging.com"
Make the communication between your proxy and backend more loyal by adding these params to your proxy Nginx config file:
location / {
proxy_http_version 1.1; # you need to set this in order to use params below.
proxy_temp_file_write_size 64k;
proxy_connect_timeout 10080s;
proxy_send_timeout 10080;
proxy_read_timeout 10080;
proxy_buffer_size 64k;
proxy_buffers 16 32k;
proxy_busy_buffers_size 64k;
proxy_redirect off;
proxy_request_buffering off;
proxy_buffering off;
proxy_pass <whatever_here>;
}
The magic numbers I've took from the production environment that works for us. You may want to consider changing those numbers to fit your environment and number of connections, etc.
I hope this helps.
You are actually timing out in connecting into your Rails application, you can lower that proxy_read_timeout back to 300 and up your proxy_connect_timeout to match it, or higher if it keeps happening. Just add those lines in your location \ {...} block:
location / {
proxy_set_header Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8080;
proxy_read_timeout 300; # Reducing this
proxy_connect_timeout 300; # Adding this
proxy_request_buffering off;
proxy_buffering off;
proxy_redirect off;
}
I want to configure NGINX with Rails 4 and run my application in production mode. The problem is I get 403 code - command: rails s -e production and in browser typing localhost. Naturally I established 755 privileges for the whole files in my application folder. There is my nginx.conf below:
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
# include /etc/nginx/conf.d/*.conf;
# include /etc/nginx/sites-enabled/*;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
client_max_body_size 50M;
# fastcgi_buffers 8 16k;
# fastcgi_buffer_size 32k;
# fastcgi_connect_timeout 300;
# fastcgi_send_timeout 300;
# fastcgi_read_timeout 300;
upstream proxy-user {
server 127.0.0.1:2000;
}
upstream thin_cluster {
server unix:/tmp/thin.0.sock;
# server unix:/tmp/thin.1.sock;
# server unix:/tmp/thin.2.sock;
}
server {
listen 80;
server_name localhost;
# access_log /var/log/nginx-access.log;
root /home/user/Apps/myapp/public;
location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|mp3|flv|mpeg|avi)$ {
try_files $uri #app;
}
location /home/user/Apps/myapp/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://proxy-user;
if (!-f $request_filename) {
proxy_pass http://proxy-user;
break;
}
}
}
server {
listen 443;
server_name _;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:!ADH:!MD5;
access_log /var/log/nginx-access-ssl.log;
root /home/user/Apps/myapp/public;
location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|mp3|flv|mpeg|avi)$ {
try_files $uri #app;
}
location /home/user/Apps/myapp/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-FORWARDED_PROTO https;
proxy_set_header SSL_CLIENT_S_DN $ssl_client_s_dn;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://proxy-user;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
You kinda have few issues in your config, I'll write what I would have done and you tell me what ever questions you have, I'll assume that the server is on port 2000 because that's the upstream you used.
I'll also ignore the http block and only use the server and upstream blocks.
upstream rails {
server 127.0.0.1:2000;
}
server {
server_name domain.com; # or whichever
listen 80;
# ssl settings start
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# ssl settings end
root /home/user/Apps/myapp/public;
error_page 500 502 503 504 /50x.html;
access_log /var/log/nginx/domain-access.log;
error_log /var/log/nginx/domain-error.log;
location #pass_to_rails {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-FORWARDED_PROTO $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://rails;
}
location / {
try_files $uri $uri/ #pass_to_rails;
}
}
You should place this inside sites-available and symlink to sites-enabled if you are on a debian/ubuntu distro, or use /etc/nginx/conf.d if you are on another distro, to keep things tidy and maintainable.
also make sure to uncomment one of those lines depending on what you want to use
# include /etc/nginx/conf.d/*.conf;
# include /etc/nginx/sites-enabled/*;