I have implemented Private_Pub with SSL and I am running that over port 4443 as recommended in: https://github.com/ryanb/private_pub#serving-faye-over-https-with-thin
However, whenever I actually use the private_pub service I receive the following error:
Errno::ETIMEDOUT: Connection timed out - connect(2) for "www.mysite.com" port 4443
The really odd thing is that it was working on another server before we migrated providers.
I have ensured port 4443 is open by telnet-ing to it successfully. I have played around with the nginx config without any luck. I have restarted the thin server several times just to see if I get lucky.
I am able to access: https://www.mysite.com:4443/faye/faye.js
Can anybody point me in the right direction here?
Edit: Added my nginx config file:
worker_processes 1;
error_log /var/log/nginx.log debug;
events {
worker_connections 1024;
}
http {
passenger_root /home/me/.rvm/gems/ruby-2.1.2/gems/passenger-4.0.52;
passenger_ruby /home/me/.rvm/gems/ruby-2.1.2/wrappers/ruby;
passenger_app_env production;
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
root /var/www/mysite/current/public;
rails_env production;
passenger_enabled on;
}
server {
listen 443;
root /var/www/mysite/current/public;
rails_env production;
proxy_read_timeout 1200;
client_max_body_size 20m;
error_log /var/log/nginx.log debug;
ssl on;
ssl_certificate /var/server.crt;
ssl_certificate_key /var/server.key;
proxy_set_header X-Forwarded-Proto: https;
passenger_pass_header X-Forwarded-Proto;
passenger_enabled on;
# Tried it also without this part to no avail
location /faye {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
root /var/applications/current/faye;
proxy_pass http://127.0.0.1:4443;
break;
}
}
server {
listen 80;
listen 443;
server_name www.mysite.co mysite.co;
return 302 $scheme://www.mysite.com$request_uri;
}
}
I have been trying to get my application working in production. I was able to access the site before changing config.force_ssl = true in my config\environments\production.rb.
I have seen many others with this problem need to add proxy_set_header X-Forwarded-Proto https;
I have tried adding this in my /etc/nginx/sites-available/default but haven't seen a difference.
My full default is below:
upstream puma {
server unix:///home/deploy/apps/appname/shared/tmp/sockets/appname-puma.sock;
}
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
root /var/www/html;
index index.html index.htm index.nginx-debian.html
server_name appname.com www.appname.com
try_files $uri/index.html $uri @puma;
location @puma {
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://puma;
}
}
After making changes I reloaded nginx using sudo service nginx reload, followed by sudo service nginx stop and sudo service nginx start.
Am I missing something?
EDIT:
I updated my default and removed the config.force_ssl = true:
upstream puma {
server unix:///home/kiui/apps/appnamw/shared/tmp/sockets/appname-puma.sock;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
keepalive_timeout 70;
server_name appname.com www.appname.com;
ssl on;
ssl_certificate /root/appname.com.chain.cer;
ssl_certificate_key /root/appname.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
root /home/deploy/apps/appname/current/public;
access_log /home/deploy/apps/appname/current/log/nginx.access.log;
error_log /home/deploy/apps/appname/current/log/nginx.error.log info;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri @puma;
location @puma {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://puma;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 10M;
}
I can now access the site with http but not https.
Could you try the following:
upstream puma {
server unix:///home/deploy/apps/appname/shared/tmp/sockets/appname-puma.sock;
}
server {
listen 80;
server_name appname.com www.appname.com;
return 301 https://$host$request_uri;
}
server {
# SSL configuration
ssl on;
listen 443 ssl;
ssl_certificate path-to-your-crt-file;
ssl_certificate_key path-to-your-key-file;
server_name appname.com www.appname.com;
...
}
My problem was where I was adding the code above. I was adding it in default rather than nginx.conf. Moving the code above solved the problem.
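The HTTPS server block in the question's edit enables TLSv1, TLSv1.1 and the RC4, 3DES and MD5 cipher suites. As an added example (not from the thread), here is the same pair of server blocks with `ssl on;` replaced by the `ssl` parameter on `listen` and the protocol and cipher lists tightened. The cipher list is an assumption to adapt, and TLSv1.3 needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later.

```nginx
# Goes inside the http { } block (added example, not the poster's config).
upstream puma {
    server unix:///home/deploy/apps/appname/shared/tmp/sockets/appname-puma.sock;
}

# Port 80 serves nothing itself; it only redirects to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name appname.com www.appname.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;              # replaces the deprecated "ssl on;"
    listen [::]:443 ssl;
    server_name appname.com www.appname.com;
    keepalive_timeout 70;

    ssl_certificate     /root/appname.com.chain.cer;
    ssl_certificate_key /root/appname.com.key;

    # Question had: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Question had: AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5
    # Assumed replacement: forward-secret AEAD suites only (applies to TLS 1.2).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    root /home/deploy/apps/appname/current/public;
    client_max_body_size 10M;

    try_files $uri/index.html $uri @puma;

    location @puma {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Set by nginx, overwriting any client-sent value, so Rails
        # sees the scheme the connection actually used.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_pass http://puma;
    }
}
```

Run `nginx -t` before reloading to confirm the build accepts the protocol and cipher names.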
I'm deploying my Ruby on Rails website on a remote server.
I put my code in /var/www/[websitename]
/opt/nginx/conf/nginx.conf is as follows:
worker_processes 1;
events {
worker_connections 1024;
}
http {
passenger_root /home/tamer/.rvm/gems/ruby-2.5.0@meraki/gems/passenger-5.2.0;
passenger_ruby /home/tamer/.rvm/gems/ruby-2.5.0@meraki/wrappers/ruby;
passenger_app_env development;
include mime.types;
default_type application/octet-stream;
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name http://[my external ip];
# Tell Nginx and Passenger where your app's 'public' directory is
root /var/www/[my directory]/public;
index index.html index.htm;
# Static assets are served from the mentioned root directory
location / {
# root /var/www/APPNAME/current;
# index index.html index.htm;
proxy_pass http://127.0.0.1:3000;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
# proxy_set_header X-Real-Port $server_port;
# proxy_set_header X-Real-Scheme $scheme;
proxy_set_header X-NginX-Proxy true;
}
Then, I ran rails s -b 127.0.0.1 -p 3000
The code runs perfectly in my terminal.
However, the browser gives me "This site can’t be reached".
I get the same result with passenger start -a 127.0.0.1 -p 3000
How can I fix this problem?
It worked after running iptables -F and restarting my rails application.
NOTE
You are connecting to your passenger instance at localhost:3000.
You should be able to connect via http://localhost, i.e. default port 80; I think this is what you desire.
listen 80; <-> proxy_pass http://127.0.0.1:3000;
I have installed nginx (version 1.6.3) on my Amazon EC2 server with Unicorn, Rails 4.2.0 and Ruby 2.1.3. Amazon load balancing is enabled on my system. The domain looks like abc.example.com. If no redirection code is written in the nginx conf file, then both https://abc.example.com and http://abc.example.com seem to work. But when I try to redirect all http requests to https, sometimes it works for a few seconds and then a blank page appears, and sometimes a blank page appears from the beginning. Sometimes it shows a 503 error too. The redirection code is:
if ($http_x_forwarded_proto != 'https') {
rewrite ^ https://$host$request_uri? permanent;
}
My nginx conf file looks like this:
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
server {
listen 80;
listen 443 ssl;
client_max_body_size 4G;
server_name abc.example.com;
root '/var/www/html/example/public';
try_files $uri/index.html $uri.html $uri @unicorn;
location @unicorn {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded_Proto $scheme;
if ($http_x_forwarded_proto != 'https') {
rewrite ^ https://$host$request_uri? permanent;
}
proxy_redirect off;
proxy_pass http://unicorn;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
}
error_page 500 502 503 504 /500.html;
location = /500.html {
root /var/www/html/example/public;
}
}
}
So, how to resolve this issue?
Please move the redirection to its own block.
Can you please use this as your redirection:
server {
server_name domain.com.au;
server_tokens off;
return 301 https://$host$request_uri;
}
I prefer not to use an IF condition in Nginx unless I have to. See if this works; if not, we can work on it.
Also, please remove listen 80; if everything is supposed to go to SSL, then you can forget port 80.
listen 443 default deferred;
Try it and let me know if you need more help.
Can you please adjust this setting to fit yours then restart the Nginx:
upstream unicorn {
server unix:/tmp/unicorn.production_domain.sock fail_timeout=0;
}
server {
server_name domain.com;
server_tokens off;
return 301 https://$host$request_uri;
}
server {
listen 443 default deferred;
ssl on;
ssl_certificate /etc/ssl/SSL.crt;
ssl_certificate_key /etc/ssl/domain.com.key;
server_name domain.com.au;
root /var/www/public_html/production.domain.com;
access_log /var/www/public_html/production.domain.com/log/nginx.access.log;
error_log /var/www/public_html/production.domain.com/log/nginx.error.log ;
try_files $uri/index.html $uri @unicorn;
location @unicorn {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://unicorn;
}
error_page 500 502 503 504 /public/500.html;
client_max_body_size 4G;
keepalive_timeout 10;
}
What do you have in your unicorn.rb?
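For the load-balanced setup in the question, where TLS may end at the balancer and nginx then sees only plain HTTP, here is an added example (not from the thread) that redirects on the X-Forwarded-Proto value while leaving a probe path unredirected. The `/health` path, the socket path and the assumption that the balancer forwards both of its listeners to port 80 are hypothetical.

```nginx
# Goes inside the http { } block (added example, not the poster's config).
upstream unicorn {
    # Constructed socket path; use the one configured in unicorn.rb.
    server unix:/tmp/unicorn.sock fail_timeout=0;
}

# 1 = redirect. Only an explicit "https" from the balancer suppresses it.
map $http_x_forwarded_proto $redirect_to_https {
    default 1;
    https   0;
}

server {
    listen 80;
    server_name abc.example.com;
    root /var/www/html/example/public;
    client_max_body_size 4G;

    # Hypothetical health-check path: a probe that arrives without an
    # X-Forwarded-Proto header gets a 200 here instead of a 301.
    location = /health {
        access_log off;
        return 200 "ok\n";
    }

    location / {
        # "return" is one of the directives that is safe inside "if".
        if ($redirect_to_https) {
            return 301 https://$host$request_uri;
        }
        try_files $uri/index.html $uri.html $uri @unicorn;
    }

    location @unicorn {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the balancer's value on; $scheme is always "http" on this
        # listener. Trustworthy only if port 80 is reachable solely
        # from the balancer, since clients can send this header too.
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_redirect off;
        proxy_pass http://unicorn;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }
}
```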
I just deployed my Rails 4 app on a VPS with Ubuntu, Unicorn and NginX.
For my app I need to use SSL, so I have this ApplicationController:
class ApplicationController < ActionController::Base
force_ssl
...
end
This is my nginx.conf:
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;
events { worker_connections 1024; }
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
gzip_types text/plain text/xml text/css text/comma-separated-values;
upstream app_server { server 127.0.0.1:8080 fail_timeout=0; }
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
server {
listen 80;
server_name myapp.com;
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443;
server_name myapp.com;
root /home/rails/public;
index index.htm index.html;
ssl on;
ssl_certificate /etc/ssl/myapp.com.crt;
ssl_certificate_key /etc/ssl/myapp.com.key;
location / {
try_files $uri/index.html $uri.html $uri @app;
}
location @app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_pass http://app_server;
}
}
}
Everything seems to be working OK. When a request for an http page comes, it gets forwarded to https, which is nice.
However, when trying to change the locale of the application in the browser (through the languages menu), I get this error message in the browser:
Safari can't open the page https://app_server/en/sessions/new
because Safari can't find the server "app server"
In the URL it also says: https://app_server/en/sessions/new
What am I missing here?
I am fairly new to NginX, so maybe someone can help me out here?
Any general advice on how to enhance my code is highly appreciated.
You're using proxy_pass http://app_server; which sets the Host header to app_server by default. Add proxy_set_header Host $host;, so your application will get the right Host.
location @app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_redirect off;
proxy_pass http://app_server;
}
I have the following snippet that works fine on Heroku (production) for enforcing SSL:
# /config/routes.rb
scope protocol: 'https://', constraints: { protocol: 'https://' } do
resource :user
resource :session
end
I'm trying to set up a development machine using NGINX and Passenger with SSL; however, I get:
Action Controller: Exception
No Route Matches [GET] "/session/new"
I get a green SSL in Chrome when browsing to other sections of the application with HTTPS, so it appears SSL is working. For some reason enforcing through the routes is not matching correctly though. My nginx.conf is:
worker_processes 4;
events {
worker_connections 1024;
}
http {
gzip on;
sendfile on;
include mime.types;
ssl_certificate cert.crt;
ssl_certificate_key cert.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 60;
rack_env development;
passenger_user kevin;
passenger_root /Users/kevin/.rvm/gems/ruby-1.9.2-p290/gems/passenger-3.0.9;
passenger_ruby /Users/kevin/.rvm/wrappers/default/ruby;
server {
listen 80;
listen 443 ssl;
server_name local.demo;
location / {
root /Users/kevin/Sites/demo/public;
passenger_enabled on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto https;
}
}
}
Any ideas how to fix it?
I'm not sure if this is the right approach for your problem but in my nginx.conf I'll tend
to force-rewrite the URL-space I'd like to default to https:
server {
listen 80;
server_name local.demo;
rewrite ^(.*)$ https://local.demo$1 permanent;
}
server {
listen 443 ssl;
server_name local.demo;
location / {
root /Users/kevin/Sites/demo/public;
passenger_enabled on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto https;
}
}
This setup will force any requests on http://local.demo/ to go through https://local.demo.
Alternatively you can be more specific and filter on a location or pattern match basis:
location ~ ^/sslrequired/(.*)$ {
rewrite ^(.*)$ https://local.demo/$1 permanent;
}
In a generic way it can be considered a workaround but why not let the server enforce
the SSL when you intend the user to actually use it ;)
For more information you may want to look at the HttpRewriteModule at the nginx wiki.
I hope this is helpful for your case.