Plesk + Python Flask - Configuring proxy on second website does not work - python

I have an issue when I run two Python Flask websites behind Plesk. The nginx reverse-proxy configuration does not work for the second website.
My starting points are two html hello-world websites accessible via domain names.
I removed the HTML index files and started python flask
waitress-serve --port 8080 --call "mysite_1:myflaskentrypoint"
mysite_1.com:8080 -> accessible (Ok for now)
I entered the following config in Plesk -> Home -> Domains -> mysite_1 -> Apache & nginx Settings -> Additional nginx directives.
# "Additional nginx directives" for mysite_1. Plesk appends them at the very
# end of the domain's generated server block, after all of its own locations.
location / {
    # Strips the client's Accept-Encoding so waitress never sends a compressed
    # body that nginx would have to pass through verbatim.
    proxy_set_header Accept-Encoding "";
    # NOTE(review): 0.0.0.0 as a *destination* only works because Linux treats
    # a connect() to 0.0.0.0 as loopback; write 127.0.0.1 to make that explicit.
    # waitress-serve itself binds 0.0.0.0 by default, which is why
    # mysite_1.com:8080 was reachable from outside above — the app is exposed
    # without TLS; bind it to 127.0.0.1 (--host=127.0.0.1) or firewall :8080.
    # No Host / X-Forwarded-For / X-Forwarded-Proto are forwarded, so the app
    # sees Host "0.0.0.0:8080" and nginx as the client.
    proxy_pass http://0.0.0.0:8080;
}
https://mysite_1.com accessible (great)
Now comes the issue with the second website.
waitress-serve --port 9080 --call "mysite_2:myflaskentrypoint"
mysite_2.com:9080 -> accessible (Ok for now)
Plesk -> Home -> Domains -> mysite_2 -> Apache & nginx Settings -> Additional nginx directives.
# "Additional nginx directives" for mysite_2 — the same prefix location as for
# mysite_1, appended at the end of the generated server block.
location / {
    proxy_set_header Accept-Encoding "";
    # NOTE(review): this prefix location never handles "GET /" on this domain.
    # Plesk generated regex locations for mysite_2 (`location ~ /$ { index ... }`
    # and `location ~ \.php(/.*)?$`, see the nginx -T dump below), and nginx
    # prefers a matching regex location over a plain prefix location. "/" is
    # therefore served from httpdocs — which has no index file any more —
    # giving the 403 "directory index ... is forbidden". `location ^~ / { ... }`
    # stops the regex search once the prefix matches and would reach the proxy.
    # As with mysite_1: proxy to 127.0.0.1, bind waitress to loopback, and
    # forward Host / X-Forwarded-* headers.
    proxy_pass http://0.0.0.0:9080;
}
https://mysite_2.com -> ERROR 403 Forbidden (not accessible)
Error-Log
403 GET / HTTP/2.0 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) ... 795 nginx
SSL/TLS access
Error ... 11691#0: *386 directory index of "/var/www/vhosts/<mysite_2>.de/httpdocs/"
is forbidden nginx error
Any hints are welcome
----
nginx -T
root@localhost:~# nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# Main nginx configuration as shipped with Plesk. The commented-out user,
# error_log and pid directives fall back to the values compiled into this
# nginx build (`nginx -V` shows them if the effective worker user matters).
#user nginx;
worker_processes 1;
#error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;
#pid /var/run/nginx.pid;
# Dynamic modules, loaded before the http{} context.
include /etc/nginx/modules.conf.d/*.conf;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #tcp_nodelay on;
    #gzip on;
    #gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    # Hides the nginx version in the Server header and built-in error pages.
    server_tokens off;
    # Pulls in conf.d/ssl.conf and Plesk's generated zz010_psa_nginx.conf,
    # which in turn includes every domain's server blocks (see below).
    include /etc/nginx/conf.d/*.conf;
}
# override global parameters e.g. worker_rlimit_nofile
# Main-context include; because it is a glob, a missing file is not an error.
include /etc/nginx/*global_params;
# configuration file /etc/nginx/mime.types:
# Extension -> Content-Type map used for files nginx serves itself. Extensions
# not listed here get default_type (application/octet-stream in nginx.conf).
types {
    text/html html htm shtml;
    text/css css;
    text/xml xml;
    image/gif gif;
    image/jpeg jpeg jpg;
    application/javascript js;
    application/atom+xml atom;
    application/rss+xml rss;
    text/mathml mml;
    text/plain txt;
    text/vnd.sun.j2me.app-descriptor jad;
    text/vnd.wap.wml wml;
    text/x-component htc;
    image/png png;
    image/svg+xml svg svgz;
    image/tiff tif tiff;
    image/vnd.wap.wbmp wbmp;
    image/webp webp;
    image/x-icon ico;
    image/x-jng jng;
    image/x-ms-bmp bmp;
    font/woff woff;
    font/woff2 woff2;
    application/java-archive jar war ear;
    application/json json;
    application/mac-binhex40 hqx;
    application/msword doc;
    application/pdf pdf;
    application/postscript ps eps ai;
    application/rtf rtf;
    application/vnd.apple.mpegurl m3u8;
    application/vnd.google-earth.kml+xml kml;
    application/vnd.google-earth.kmz kmz;
    application/vnd.ms-excel xls;
    application/vnd.ms-fontobject eot;
    application/vnd.ms-powerpoint ppt;
    application/vnd.oasis.opendocument.graphics odg;
    application/vnd.oasis.opendocument.presentation odp;
    application/vnd.oasis.opendocument.spreadsheet ods;
    application/vnd.oasis.opendocument.text odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
    pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
    xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
    docx;
    application/vnd.wap.wmlc wmlc;
    application/x-7z-compressed 7z;
    application/x-cocoa cco;
    application/x-java-archive-diff jardiff;
    application/x-java-jnlp-file jnlp;
    application/x-makeself run;
    application/x-perl pl pm;
    application/x-pilot prc pdb;
    application/x-rar-compressed rar;
    application/x-redhat-package-manager rpm;
    application/x-sea sea;
    application/x-shockwave-flash swf;
    application/x-stuffit sit;
    application/x-tcl tcl tk;
    # .pem/.crt/.der are served as certificate files: keep private keys out of
    # any document root, the mapping does not distinguish a key from a cert.
    application/x-x509-ca-cert der pem crt;
    application/x-xpinstall xpi;
    application/xhtml+xml xhtml;
    application/xspf+xml xspf;
    application/zip zip;
    application/octet-stream bin exe dll;
    application/octet-stream deb;
    application/octet-stream dmg;
    application/octet-stream iso img;
    application/octet-stream msi msp msm;
    audio/midi mid midi kar;
    audio/mpeg mp3;
    audio/ogg ogg;
    audio/x-m4a m4a;
    audio/x-realaudio ra;
    video/3gpp 3gpp 3gp;
    video/mp2t ts;
    video/mp4 mp4;
    video/mpeg mpeg mpg;
    video/quicktime mov;
    video/webm webm;
    video/x-flv flv;
    video/x-m4v m4v;
    video/x-mng mng;
    video/x-ms-asf asx asf;
    video/x-ms-wmv wmv;
    video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/ssl.conf:
# Server-wide TLS policy (http{} context, inherited by every server block):
# TLS 1.2 and 1.3 only, with a forward-secret, AEAD-only cipher list.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Governs TLS 1.2 negotiation only; TLS 1.3 ciphersuites are not covered by
# ssl_ciphers and stay at the OpenSSL defaults unless set via ssl_conf_command.
ssl_prefer_server_ciphers on;
# configuration file /etc/nginx/conf.d/zz010_psa_nginx.conf:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
# Plesk's entry point for all virtual hosts. Order matters only for which
# server becomes the implicit default of a listen socket when none is marked
# default_server; here ip_default/<website_1>.conf carries that flag.
include /etc/nginx/plesk.conf.d/server.conf;
include /etc/nginx/plesk.conf.d/webmails/*.conf;
include /etc/nginx/plesk.conf.d/vhosts/*.conf;
include /etc/nginx/plesk.conf.d/forwarding/*.conf;
include /etc/nginx/plesk.conf.d/wildcards/*.conf;
# configuration file /etc/nginx/plesk.conf.d/server.conf:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
# Per-IP default domains come first; <website_1> is marked default_server
# there, so requests for unknown host names go to it. The nameless servers
# below have no server_name and therefore only match an empty Host header.
include "/etc/nginx/plesk.conf.d/ip_default/*.conf";
server {
    listen <vps_ip>:443 ssl;
    # Plesk's own (panel) certificate, not a domain certificate.
    ssl_certificate /opt/psa/var/certificates/scfK6DJ8w;
    ssl_certificate_key /opt/psa/var/certificates/scfK6DJ8w;
    # Plesk site preview: proxied to a local service, cookies re-scoped to $host.
    location ^~ /plesk-site-preview/ {
        proxy_pass http://127.0.0.1:8880;
        proxy_set_header Host plesk-site-preview.local;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cookie_domain plesk-site-preview.local $host;
        access_log off;
    }
    # Everything else is handed to Apache's TLS listener on the same IP.
    location / {
        proxy_pass https://<vps_ip>:7081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
server {
    listen <vps_ip>:80;
    location ^~ /plesk-site-preview/ {
        proxy_pass http://127.0.0.1:8880;
        proxy_set_header Host plesk-site-preview.local;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cookie_domain plesk-site-preview.local $host;
        access_log off;
    }
    # Plain HTTP is proxied (not redirected) to Apache's plain listener.
    location / {
        proxy_pass http://<vps_ip>:7080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
# configuration file /etc/nginx/plesk.conf.d/ip_default/<website_1>.conf:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
# www.<website_1> over TLS: permanent redirect to the bare domain. The
# certificate must also cover the www name, or clients fail before the redirect.
server {
    listen <vps_ip>:443 ssl;
    ssl_certificate /opt/psa/var/certificates/scf9FAuU9;
    ssl_certificate_key /opt/psa/var/certificates/scf9FAuU9;
    server_name www.<website_1>;
    location / {
        return 301 https://<website_1>$request_uri;
    }
}
# Main HTTPS server for <website_1>. As default_server, every request on this
# IP:443 whose SNI/Host matches no other server block lands here and is passed
# to the Flask app by vhost_nginx.conf (included last) — the app must not
# trust the Host header it receives.
server {
    listen <vps_ip>:443 default_server ssl http2;
    server_name <website_1>;
    server_name ipv4.<website_1>;
    ssl_certificate /opt/psa/var/certificates/scf9FAuU9;
    ssl_certificate_key /opt/psa/var/certificates/scf9FAuU9;
    # Plesk's branded error pages, served from the /error_docs location below.
    error_page 400 "/error_docs/bad_request.html";
    error_page 401 "/error_docs/unauthorized.html";
    error_page 403 "/error_docs/forbidden.html";
    error_page 404 "/error_docs/not_found.html";
    error_page 500 "/error_docs/internal_server_error.html";
    error_page 405 "/error_docs/method_not_allowed.html";
    error_page 406 "/error_docs/not_acceptable.html";
    error_page 407 "/error_docs/proxy_authentication_required.html";
    error_page 412 "/error_docs/precondition_failed.html";
    error_page 414 "/error_docs/request_uri_too_long.html";
    error_page 415 "/error_docs/unsupported_media_type.html";
    error_page 501 "/error_docs/not_implemented.html";
    error_page 502 "/error_docs/bad_gateway.html";
    error_page 503 "/error_docs/maintenance.html";
    location ^~ /error_docs {
        root "/var/www/vhosts/<website_1>";
    }
    client_max_body_size 128m;
    # Static document root; not used for "/" once vhost_nginx.conf proxies it.
    root "/var/www/vhosts/<website_1>/httpdocs";
    access_log "/var/www/vhosts/system/<website_1>/logs/proxy_access_ssl_log";
    error_log "/var/www/vhosts/system/<website_1>/logs/proxy_error_log";
    # Plesk site preview service on loopback.
    location ^~ /plesk-site-preview/ {
        proxy_pass http://127.0.0.1:8880;
        proxy_set_header Host plesk-site-preview.local;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cookie_domain plesk-site-preview.local $host;
        access_log off;
    }
    #extension letsencrypt begin
    # ACME HTTP-01 challenges are answered from a shared directory with any
    # auth switched off; the nested location refuses dotfiles beneath it.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/vhosts/default/htdocs;
        types { }
        default_type text/plain;
        satisfy any;
        auth_basic off;
        allow all;
        location ~ ^/\.well-known/acme-challenge.*/\. {
            deny all;
        }
    }
    #extension letsencrypt end
    #extension sslit begin
    #extension sslit end
    # Refuses .htaccess/.htpasswd; other dotfiles (.git, .env) are not covered.
    location ~ /\.ht {
        deny all;
    }
    # Web statistics behind HTTP basic auth; the password file lives outside
    # the document root. autoindex lists the statistics directories.
    location ~ ^/(plesk-stat|awstats-icon|webstat|webstat-ssl|ftpstat|anon_ftpstat) {
        auth_basic "Domain statistics";
        auth_basic_user_file "/var/www/vhosts/system/<website_1>/pd/d..httpdocs#plesk-stat";
        autoindex on;
        location ~ ^/plesk-stat(.*) {
            alias /var/www/vhosts/system/<website_1>/statistics/$1;
        }
        location ~ ^/awstats-icon(.*) {
            alias /usr/share/awstats/icon/$1;
        }
        location ~ ^/(.*) {
            alias /var/www/vhosts/system/<website_1>/statistics/$1;
        }
    }
    # Purely informational, but it advertises Plesk to scanners.
    add_header X-Powered-By PleskLin;
    # The domain's "Additional nginx directives" (the proxy_pass to waitress)
    # are appended here, after every location above.
    include "/var/www/vhosts/system/<website_1>/conf/vhost_nginx.conf";
}
# www.<website_1> over plain HTTP: straight to the HTTPS bare domain.
server {
    listen <vps_ip>:80;
    server_name www.<website_1>;
    location / {
        return 301 https://<website_1>$request_uri;
    }
}
# Port-80 server for <website_1> (default_server on this IP:80): serves only
# the error pages locally and sends everything else to HTTPS with a 301.
# No Strict-Transport-Security header appears anywhere in this dump; consider
# enabling HSTS in Plesk once HTTPS is known to work for every hostname.
server {
    listen <vps_ip>:80 default_server;
    server_name <website_1>;
    server_name ipv4.<website_1>;
    error_page 400 "/error_docs/bad_request.html";
    error_page 401 "/error_docs/unauthorized.html";
    error_page 403 "/error_docs/forbidden.html";
    error_page 404 "/error_docs/not_found.html";
    error_page 500 "/error_docs/internal_server_error.html";
    error_page 405 "/error_docs/method_not_allowed.html";
    error_page 406 "/error_docs/not_acceptable.html";
    error_page 407 "/error_docs/proxy_authentication_required.html";
    error_page 412 "/error_docs/precondition_failed.html";
    error_page 414 "/error_docs/request_uri_too_long.html";
    error_page 415 "/error_docs/unsupported_media_type.html";
    error_page 501 "/error_docs/not_implemented.html";
    error_page 502 "/error_docs/bad_gateway.html";
    error_page 503 "/error_docs/maintenance.html";
    location ^~ /error_docs {
        root "/var/www/vhosts/<website_1>";
    }
    client_max_body_size 128m;
    # $host (not a fixed name) so ipv4.<website_1> keeps its hostname.
    location / {
        return 301 https://$host$request_uri;
    }
}
# configuration file /var/www/vhosts/system/<website_1>/conf/vhost_nginx.conf:
# Included as the last directive of <website_1>'s HTTPS server block. This
# prefix location wins for "/" only because that block declares no regex
# locations — <website_2>'s generated block does, which is the difference.
location / {
    # Without Host/X-Forwarded-* headers the app sees nginx's default Host
    # ($proxy_host, i.e. "0.0.0.0:8080") and nginx as the remote client.
    proxy_set_header Accept-Encoding "";
    # NOTE(review): prefer 127.0.0.1 as the destination and bind waitress to
    # 127.0.0.1 too — the question shows :8080 is reachable from the Internet.
    proxy_pass http://0.0.0.0:8080;
}
# configuration file /etc/nginx/plesk.conf.d/webmails/<website_2>_webmail.conf:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
# Webmail for <website_2>: nginx terminates TLS and hands off to Apache on
# 7081 (https) / 7080 (http).
server {
    listen <vps_ip>:443 ssl;
    server_name "webmail.<website_2>";
    ssl_certificate /opt/psa/var/certificates/scfETmI6V;
    ssl_certificate_key /opt/psa/var/certificates/scfETmI6V;
    client_max_body_size 128m;
    #extension sslit begin
    #extension sslit end
    location / {
        proxy_pass https://<vps_ip>:7081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
# The port-80 server proxies rather than redirects, so the webmail login page
# is reachable over plain HTTP unless the webmail application itself redirects.
server {
    listen <vps_ip>:80;
    server_name "webmail.<website_2>";
    client_max_body_size 128m;
    #extension sslit begin
    #extension sslit end
    location / {
        proxy_pass http://<vps_ip>:7080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
# configuration file /etc/nginx/plesk.conf.d/webmails/<website_1>_webmail.conf:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
# Webmail is not enabled on the domain
# Webmail is not enabled on the domain
# configuration file /etc/nginx/plesk.conf.d/vhosts/<website_2>.conf:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
# www.<website_2> over TLS: permanent redirect to the bare domain (the
# certificate must cover the www name as well).
server {
    listen <vps_ip>:443 ssl;
    ssl_certificate /opt/psa/var/certificates/scfETmI6V;
    ssl_certificate_key /opt/psa/var/certificates/scfETmI6V;
    server_name www.<website_2>;
    location / {
        return 301 https://<website_2>$request_uri;
    }
}
# Main HTTPS server for <website_2> (not the default_server). Unlike
# <website_1>'s block, Plesk generated PHP handling here, and with it regex
# locations that take precedence over the prefix "location /" appended by
# vhost_nginx.conf at the end — this is the cause of the 403 in the question.
server {
    listen <vps_ip>:443 ssl http2;
    server_name <website_2>;
    server_name ipv4.<website_2>;
    ssl_certificate /opt/psa/var/certificates/scfETmI6V;
    ssl_certificate_key /opt/psa/var/certificates/scfETmI6V;
    error_page 400 "/error_docs/bad_request.html";
    error_page 401 "/error_docs/unauthorized.html";
    error_page 403 "/error_docs/forbidden.html";
    error_page 404 "/error_docs/not_found.html";
    error_page 500 "/error_docs/internal_server_error.html";
    error_page 405 "/error_docs/method_not_allowed.html";
    error_page 406 "/error_docs/not_acceptable.html";
    error_page 407 "/error_docs/proxy_authentication_required.html";
    error_page 412 "/error_docs/precondition_failed.html";
    error_page 414 "/error_docs/request_uri_too_long.html";
    error_page 415 "/error_docs/unsupported_media_type.html";
    error_page 501 "/error_docs/not_implemented.html";
    error_page 502 "/error_docs/bad_gateway.html";
    error_page 503 "/error_docs/maintenance.html";
    location ^~ /error_docs {
        root "/var/www/vhosts/<website_2>";
    }
    client_max_body_size 128m;
    # Document root: "/" is served from here (see "location ~ /$" below).
    root "/var/www/vhosts/<website_2>/httpdocs";
    access_log "/var/www/vhosts/system/<website_2>/logs/proxy_access_ssl_log";
    error_log "/var/www/vhosts/system/<website_2>/logs/proxy_error_log";
    #extension letsencrypt begin
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/vhosts/default/htdocs;
        types { }
        default_type text/plain;
        satisfy any;
        auth_basic off;
        allow all;
        location ~ ^/\.well-known/acme-challenge.*/\. {
            deny all;
        }
    }
    #extension letsencrypt end
    #extension sslit begin
    #extension sslit end
    location ~ /\.ht {
        deny all;
    }
    location ~ ^/(plesk-stat|awstats-icon|webstat|webstat-ssl|ftpstat|anon_ftpstat) {
        auth_basic "Domain statistics";
        auth_basic_user_file "/var/www/vhosts/system/<website_2>/pd/d..httpdocs#plesk-stat";
        autoindex on;
        location ~ ^/plesk-stat(.*) {
            alias /var/www/vhosts/system/<website_2>/statistics/$1;
        }
        location ~ ^/awstats-icon(.*) {
            alias /usr/share/awstats/icon/$1;
        }
        location ~ ^/(.*) {
            alias /var/www/vhosts/system/<website_2>/statistics/$1;
        }
    }
    # Per-user web directories (/~user/x.php) executed by php-fpm.
    location ~ ^/~(.+?)(/.*?\.php)(/.*)?$ {
        alias /var/www/vhosts/<website_2>/web_users/$1/$2;
        fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass "unix:///var/www/vhosts/system/<website_2>/php-fpm.sock";
        include /etc/nginx/fastcgi.conf;
    }
    # Any URI ending in .php (or .php/extra) goes to php-fpm, never to the
    # Flask proxy. There is no try_files guard, so non-existent scripts are
    # left to php-fpm to refuse (presumably via security.limit_extensions).
    location ~ \.php(/.*)?$ {
        fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass "unix:///var/www/vhosts/system/<website_2>/php-fpm.sock";
        include /etc/nginx/fastcgi.conf;
    }
    # Regex location matching every URI that ends in "/", including "/" itself.
    # nginx tries regex locations before settling on the longest prefix match,
    # so "GET /" is handled here: served from httpdocs, where no index file is
    # left -> 403 "directory index of ... is forbidden". The proxy_pass in
    # vhost_nginx.conf is never reached.
    location ~ /$ {
        index "index.html" "index.cgi" "index.pl" "index.php" "index.xhtml" "index.htm" "index.shtml";
    }
    add_header X-Powered-By PleskLin;
    # "Additional nginx directives". A plain "location /" declared here loses
    # to the regex locations above; "location ^~ /" stops the regex search.
    include "/var/www/vhosts/system/<website_2>/conf/vhost_nginx.conf";
}
# www.<website_2> over plain HTTP. Note the target is http://, not https://:
# the www redirect keeps visitors on plaintext (compare <website_1>'s).
server {
    listen <vps_ip>:80;
    server_name www.<website_2>;
    location / {
        return 301 http://<website_2>$request_uri;
    }
}
# Port-80 server for <website_2>. Unlike <website_1>'s, it does not redirect to
# HTTPS: PHP, the document root and the proxy from vhost_nginx.conf are all
# served over plain HTTP as well. Enable Plesk's HTTP-to-HTTPS redirect for
# the domain if that is unintended. The same regex-vs-prefix shadowing as in
# the HTTPS block applies here.
server {
    listen <vps_ip>:80;
    server_name <website_2>;
    server_name ipv4.<website_2>;
    error_page 400 "/error_docs/bad_request.html";
    error_page 401 "/error_docs/unauthorized.html";
    error_page 403 "/error_docs/forbidden.html";
    error_page 404 "/error_docs/not_found.html";
    error_page 500 "/error_docs/internal_server_error.html";
    error_page 405 "/error_docs/method_not_allowed.html";
    error_page 406 "/error_docs/not_acceptable.html";
    error_page 407 "/error_docs/proxy_authentication_required.html";
    error_page 412 "/error_docs/precondition_failed.html";
    error_page 414 "/error_docs/request_uri_too_long.html";
    error_page 415 "/error_docs/unsupported_media_type.html";
    error_page 501 "/error_docs/not_implemented.html";
    error_page 502 "/error_docs/bad_gateway.html";
    error_page 503 "/error_docs/maintenance.html";
    location ^~ /error_docs {
        root "/var/www/vhosts/<website_2>";
    }
    client_max_body_size 128m;
    root "/var/www/vhosts/<website_2>/httpdocs";
    access_log "/var/www/vhosts/system/<website_2>/logs/proxy_access_log";
    error_log "/var/www/vhosts/system/<website_2>/logs/proxy_error_log";
    #extension letsencrypt begin
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/vhosts/default/htdocs;
        types { }
        default_type text/plain;
        satisfy any;
        auth_basic off;
        allow all;
        location ~ ^/\.well-known/acme-challenge.*/\. {
            deny all;
        }
    }
    #extension letsencrypt end
    #extension sslit begin
    #extension sslit end
    location ~ /\.ht {
        deny all;
    }
    # Statistics (basic-auth protected) are only offered over HTTPS.
    location ~ ^/(plesk-stat|awstats-icon|webstat|webstat-ssl|ftpstat|anon_ftpstat) {
        return 301 https://$host$request_uri;
    }
    location ~ ^/~(.+?)(/.*?\.php)(/.*)?$ {
        alias /var/www/vhosts/<website_2>/web_users/$1/$2;
        fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass "unix:///var/www/vhosts/system/<website_2>/php-fpm.sock";
        include /etc/nginx/fastcgi.conf;
    }
    location ~ \.php(/.*)?$ {
        fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass "unix:///var/www/vhosts/system/<website_2>/php-fpm.sock";
        include /etc/nginx/fastcgi.conf;
    }
    # Matches "/" and every directory URI before the prefix location below.
    location ~ /$ {
        index "index.html" "index.cgi" "index.pl" "index.php" "index.xhtml" "index.htm" "index.shtml";
    }
    add_header X-Powered-By PleskLin;
    include "/var/www/vhosts/system/<website_2>/conf/vhost_nginx.conf";
}
# configuration file /etc/nginx/fastcgi.conf:
# CGI environment handed to php-fpm. SCRIPT_FILENAME is built from the
# document root and the script name split off by fastcgi_split_path_info.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
# Only set when the request came in over TLS, so PHP's $_SERVER['HTTPS'] is
# absent rather than "" on plain HTTP.
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# https://httpoxy.org/
# A client-supplied "Proxy:" header would otherwise become HTTP_PROXY in the
# CGI environment and redirect PHP's outbound HTTP requests; blank it.
fastcgi_param HTTP_PROXY "";
# configuration file /var/www/vhosts/system/<website_2>/conf/vhost_nginx.conf:
# Debugging stub that replaced the proxy_pass. Still a prefix location, so
# "GET /" is still caught by "location ~ /$" first and returns 403 rather
# than this "OK" — which confirms the regex/prefix precedence problem.
location / { return 200 "OK \n"; }
root@localhost:~#
curl -v https://<website_2.de>
* Trying <plesk IP>:443...
* TCP_NODELAY set
* Connected to <website_2.de> (<plesk IP>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=<website_2.de>
* start date: Feb 22 18:06:21 2021 GMT
* expire date: May 23 18:06:21 2021 GMT
* subjectAltName: host "<website_2.de>" matched cert's "<website_2.de>"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x565382a48e10)
> GET / HTTP/2
> Host: <website_2.de>
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 403
< server: nginx
< date: Fri, 26 Feb 2021 08:37:59 GMT
< content-type: text/html
< content-length: 795
< etag: "6033f929-31b"
<
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<title>403 Forbidden</title>
<link rel="stylesheet" href="/error_docs/styles.css">
</head>
<body>
<div class="page">
<div class="main">
<h1>Server Error</h1>
<div class="error-code">403</div>
<h2>Forbidden</h2>
<p class="lead">You do not have permission to access this document.</p>
<hr/>
<p>That's what you can do</p>
<div class="help-actions">
Reload Page
Back to Previous Page
Home Page
</div>
</div>
</div>
</body>
* Connection #0 to host <website_2.de> left intact

I found a configuration that works for me.
(Root cause, visible in the `nginx -T` output above: Plesk's generated server block for <website_2> contains regex locations such as `location ~ /$ { index ... }` and `location ~ \.php(/.*)?$`, and nginx prefers a matching regex location over the plain prefix `location /` that the additional directives append at the end of the block. `GET /` is therefore served from httpdocs, which has no index file any more — hence the 403 "directory index ... is forbidden" — and never reaches the proxy_pass. <website_1>'s generated block has no such regex locations, so the same directive worked there. Within nginx the fix is `location ^~ / { ... }`, which stops the regex search once that prefix matches.)
First I checked the box "Proxy mode" in the nginx settings.
I then set the proxy not in nginx but in Additional Apache directives -> "Additional directives for HTTP/HTTPS":
# Additional Apache directives (HTTP/HTTPS) for mysite_2. With Plesk's nginx
# "Proxy mode" on, nginx hands the request to Apache, which reverse-proxies it
# to waitress on the loopback interface.
<Proxy *>
# NOTE(review): Apache 2.2-style access control; on 2.4 these need
# mod_access_compat (the 2.4 form is "Require all granted"). Apache's grammar
# spells it "Order deny,allow" without a space — verify the paste.
Order deny, allow
Allow from all
</Proxy>
# Keep the client's Host header, so Flask sees mysite_2.com, not 127.0.0.1.
ProxyPreserveHost On
<Location "/">
# Reverse proxy only: ProxyRequests stays Off (its default), so "Allow from
# all" on <Proxy *> does not turn Apache into an open forward proxy.
# NOTE(review): waitress-serve binds 0.0.0.0 by default, so :9080 remains
# reachable directly from the network without TLS; start it with
# --host=127.0.0.1 (or --listen=127.0.0.1:9080) and/or firewall the port.
ProxyPass "http://127.0.0.1:9080/"
ProxyPassReverse "http://127.0.0.1:9080/"
</Location>
This worked. I can access both Flask websites via their domain names.
Caveat: waitress-serve binds to 0.0.0.0 by default, which is why mysite_1.com:8080 and mysite_2.com:9080 were directly reachable above — both apps stay exposed without TLS, bypassing nginx/Apache entirely. Bind them to the loopback interface (`waitress-serve --host=127.0.0.1 --port 9080 --call "mysite_2:myflaskentrypoint"`, or `--listen=127.0.0.1:9080`) and/or block the ports in the firewall, and point the proxy at 127.0.0.1.

Related

UWSGI + NGINX POST Method not allowed

I have an Nginx server with uwsgi and WordPress installed on it. The problem is that whenever I send a POST request to the uwsgi application it fails with error 405, although the method is allowed on the server, so I don't know why this happens.
Here is the nginx.conf file:
# Plain-HTTP entry point: redirect everything to HTTPS.
# NOTE(review): on a 301 clients re-issue a POST as a GET — that is the GET
# uWSGI logs and the 405 in the question. "return 308 https://hrspot.me$request_uri;"
# requires clients to preserve the method and body.
server {
    listen 80;
    server_name hrspot.me;
    return 301 https://hrspot.me$request_uri;
}
# HTTPS server: WordPress via php-fpm, the Flask API via uwsgi under /api.
server {
    listen 443 ssl;
    server_name hrspot.me;
    index index.php index.html index.htm;
    root /var/www/html;
    ssl_certificate /etc/ssl/bundle.crt;
    ssl_certificate_key /etc/ssl/www.hrspot.me.key;
    # No ssl_protocols/ssl_ciphers are set, so this nginx build's defaults apply.
    error_log /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;
    # 1 GiB request bodies are accepted on every location, including /api.
    client_max_body_size 1024m;
    # WordPress front controller.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    location ~ \.php$ {
        # "=404" keeps requests for non-existent scripts (e.g. upload.jpg/x.php
        # PATH_INFO tricks) away from PHP-FPM.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # "wordpress" is a host/container name resolved when nginx starts.
        fastcgi_pass wordpress:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
    location ~ /\.ht {
        deny all;
    }
    location = /favicon.ico {
        log_not_found off;
    }
    location = /robots.txt {
        log_not_found off;
    }
    # Static assets cached indefinitely. Being a regex location it also takes
    # precedence over the prefix "location /api" below for /api/*.js etc.
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }
    # Flask over the uwsgi protocol; uwsgi_params passes REQUEST_METHOD through
    # unchanged, so the GET seen by uWSGI originates from the port-80 redirect.
    location /api {
        include uwsgi_params;
        uwsgi_pass hrspotme_server:8080;
    }
}
And here is the method in flask app:
...
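@account.route('/api/register', methods=['POST'])
def route_api_register():
    """Handle ``POST /api/register``.

    Binds the incoming request to a ``RegisterForm`` and delegates the actual
    work to ``api_register`` (both defined elsewhere in the application).

    Returns:
        Whatever ``api_register`` returns (a Flask response).
    """
    # NOTE(review): the decorator must start with '@'; as pasted it began
    # with '#', which turns the route registration into a comment so Flask
    # would never map the URL to this handler (the '@' was likely mangled).
    form = RegisterForm()
    return api_register(form)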
...
As you can see that is the POST method.
For some reason uWSGI perceives it as a GET request (see the UPD below: the request first hits the port-80 server, whose `return 301` redirect makes the client re-issue it as a GET).
And here is the log for this method from UWSGI:
[pid: 10|app: 0|req: 2/3] ip_address () {44 vars in 686 bytes} [Fri Jul 10 13:01:55 2020] GET /api/register => generated 178 bytes in 17 msecs (HTTP/1.1 405) 3 headers in 118 bytes (1 switches on core 1)
So I understand that some kind of problem with the settings.
HOW I MAKE A REQUEST:
LOGS WHEN I TRY TO SEND POST REQUEST TO /api/auth:
ip - - [10/Jul/2020:13:51:06 +0000] "POST /api/auth HTTP/1.1" 301 169 "-" "PostmanRuntime/7.26.1" "-"
ip - - [10/Jul/2020:13:51:06 +0000] "GET /api/auth HTTP/1.1" 405 178 "http://hrspot.me/api/auth" "PostmanRuntime/7.26.1"
UPD:
I tried specifying https in front of the URL in Postman and it worked. So the problem is that the initial plain-http request is answered by the `return 301` redirect to https, and clients re-issue a 301-redirected POST as a GET (that is the standard client behaviour for 301/302). Either always call the https URL directly, or use `return 308 https://hrspot.me$request_uri;` in the port-80 server: a 308 requires clients to preserve the method and body.

Nginx : Sub-domain config file

I have subdomain, Currently its showing an index.html page containing just the name of the domain etc.
That index.html page is loading from the /home/admin/web/****.******.com/public_html.
What i cannot find is the config file which is pointing to that directory.
I checked twice /etc/nginx/conf.d it have nothing which seems to be pointing to that page.
I am using centOs with nginx.
/etc/nginx/nginx.conf :
# Server globals
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
# NOTE(review): only critical errors are logged; upstream/permission problems
# (level "error") will not show up here. Raise to "warn" while debugging.
error_log /var/log/nginx/error.log crit;
pid /var/run/nginx.pid;
# Worker config
events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}
http {
    # Main settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    client_header_timeout 1m;
    client_body_timeout 1m;
    client_header_buffer_size 2k;
    client_body_buffer_size 256k;
    client_max_body_size 256m;
    large_client_header_buffers 4 8k;
    send_timeout 30;
    keepalive_timeout 60 60;
    reset_timedout_connection on;
    # Hides the version in the Server header and error pages.
    server_tokens off;
    server_name_in_redirect off;
    server_names_hash_max_size 512;
    server_names_hash_bucket_size 512;
    # Log format
    log_format main '$remote_addr - $remote_user [$time_local] $request '
    '"$status" $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';
    log_format bytes '$body_bytes_sent';
    #access_log /var/log/nginx/access.log main;
    # Access logging is off globally; vhosts may re-enable it.
    access_log off;
    # Mime settings
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Compression
    # gzip of dynamic HTML over TLS: keep BREACH in mind for pages that reflect
    # user input next to secrets such as CSRF tokens.
    gzip on;
    gzip_comp_level 9;
    gzip_min_length 512;
    gzip_buffers 8 64k;
    # (line truncated in the paste)
    gzip_types text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+r$
    gzip_proxied any;
    gzip_disable "MSIE [1-6]\.";
    # Proxy settings
    # http-level defaults inherited by every proxy_pass location in the vhosts.
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_header Set-Cookie;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
    proxy_buffers 32 4k;
    # Cloudflare https://www.cloudflare.com/ips
    # $remote_addr is replaced by CF-Connecting-IP only for connections from
    # these ranges. The list is a snapshot: stale entries keep trusting ranges
    # Cloudflare no longer owns, missing ones make real visitors appear as
    # Cloudflare IPs — re-check it against the published list periodically.
    set_real_ip_from 199.27.128.0/21;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 172.64.0.0/13;
    #set_real_ip_from 2400:cb00::/32;
    #set_real_ip_from 2606:4700::/32;
    #set_real_ip_from 2803:f800::/32;
    #set_real_ip_from 2405:b500::/32;
    #set_real_ip_from 2405:8100::/32;
    real_ip_header CF-Connecting-IP;
    # SSL PCI Compliance
    ssl_session_cache shared:SSL:10m;
    # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996) and fail
    # current PCI DSS scans; use "TLSv1.2 TLSv1.3".
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # (line truncated in the paste)
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SH$
    # Error pages
    error_page 403 /error/403.html;
    error_page 404 /error/404.html;
    error_page 502 503 504 /error/50x.html;
    # Cache settings
    # Defined here but only active in vhosts that set "proxy_cache cache;".
    proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
    # Entries are partitioned by the "user" cookie value.
    proxy_cache_key "$host$request_uri $cookie_user";
    proxy_temp_path /var/cache/nginx/temp;
    # Upstream Expires/Cache-Control are ignored; with "any 1d" below, error
    # responses are cached for a day too (Set-Cookie responses are still not
    # cached, as that header is not in this list).
    proxy_ignore_headers Expires Cache-Control;
    proxy_cache_use_stale error timeout invalid_header http_502;
    proxy_cache_valid any 1d;
    # Cache bypass
    # $no_cache is defined but not referenced in this file (vhosts may use it).
    map $http_cookie $no_cache {
        default 0;
        ~SESS 1;
        ~wordpress_logged_in 1;
    }
    # File cache settings
    open_file_cache max=10000 inactive=30s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors off;
    # Appears to be a duplicated paste of the two directives above; the second
    # map for $no_cache simply overrides the first with identical content.
    proxy_cache_valid any 1d;
    # Cache bypass
    map $http_cookie $no_cache {
        default 0;
        ~SESS 1;
        ~wordpress_logged_in 1;
    }
    # Wildcard include
    # This is the only include: the vhost that points at public_html must be
    # in /etc/nginx/conf.d/ or in a file included from there (nginx -T lists them).
    include /etc/nginx/conf.d/*.conf;
}
In the configuration you posted there is no `include /etc/nginx/sites-enabled/*;` line — the only wildcard include is `include /etc/nginx/conf.d/*.conf;`, so the vhost that points at /home/admin/web/.../public_html is either a file in /etc/nginx/conf.d/ or a file included from one of those. The quickest way to find it is to let nginx print its fully resolved configuration: `nginx -T | grep -n public_html` (the `# configuration file ...:` headers in that output name the file each directive came from).
On distributions that use the sites-available/sites-enabled layout instead, the vhost files live in /etc/nginx/sites-available/ and are enabled by symlinking them into /etc/nginx/sites-enabled/, which nginx.conf includes with `include /etc/nginx/sites-enabled/*;`.

Nginx 502 Bad Gateway error when running flask app, but can run manually

I have a flask app that I can run by doing python app.py from the command line, and can view it by going to localhost:5000. I'm trying to run it as a service with gunicorn/nginx, and have an nginx.conf file that looks like this
# nginx in front of a Flask app served by gunicorn. The 502 in the question
# ("connect() failed (111: Connection refused) ... upstream: 127.0.0.1:8001")
# means nothing was listening on 127.0.0.1:8001 when nginx proxied the
# request; the proxy stanza itself is consistent with that address.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
    server {
        listen 80;
        server_name myserver.com;
        # NOTE(review): the document root points inside the application's
        # templates directory. Nothing is served from it while "location /"
        # proxies everything, but any static/try_files location added later
        # would expose template sources; use a dedicated static directory.
        root /home/user/app/deviceapp/templates;
        location / {
            # Forward the original Host, client IP and scheme to gunicorn.
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # gunicorn must be bound to exactly this address (-b 127.0.0.1:8001).
            proxy_pass http://127.0.0.1:8001;
        }
    }
}
My nginx isn't great. I'm getting the error
2018/05/07 16:12:49 [error] 10419#0: *5 connect() failed (111: Connection refused) while connecting to upstream, client: 10.8.5.79, server: server.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8001/", host: "server.com"
along with a 502 Bad Gateway message. Is there something in my nginx.conf that's an obvious culprit?
(`connect() failed (111: Connection refused)` for upstream `127.0.0.1:8001` means nothing was listening on that port when nginx proxied the request; the nginx side matches that address, so check that gunicorn is actually running and bound there, e.g. `gunicorn -b 127.0.0.1:8001 app:app`, and confirm with `ss -ltnp | grep 8001`.)

python flask - how setup cache in nginx

I have a flask/nginx application and want to setup cache for 2 example url :
1. /category/apps-5.html
2. /product/test-product-sell-34690064571.html
my actual nginx config is this :
# Port-80 catch-all (IPv4 and IPv6): every host name is redirected to HTTPS.
# 301 makes clients turn a POST into a GET; use 308 if that matters.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    # "listen 443; ssl on;" is the pre-1.15 spelling of "listen 443 ssl;".
    # No ssl_protocols/ssl_ciphers are set, so this nginx build's defaults apply.
    listen 443;
    ssl on;
    # gzip for dynamic HTML over TLS: keep BREACH in mind for pages that reflect
    # user input next to secrets (CSRF tokens). gzip_vary keeps caches correct.
    gzip on;
    gzip_min_length 1000;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/html text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml;
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;
    server_name selfmarket.net www.selfmarket.net;
    ssl_certificate /etc/letsencrypt/live/selfmarket.net/cert.pem; # path to your cacert.pem
    ssl_certificate_key /etc/letsencrypt/live/selfmarket.net/privkey.pem; # path to your privkey.pem
    # Unused here: this server block has no fastcgi location.
    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;
    # Serve static files and uploads
    # Files are read from /opt/master/app/static/ (root + request URI).
    location ^~ /static/ {
        root /opt/master/app/;
    }
    location / {
        # Trailing slash replaces the matched "/" prefix with "/" — a no-op here.
        proxy_pass 'http://127.0.0.1:8080/';
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $server_name is the first name of this block, not the request's host,
        # and X-Forwarded-Proto is not forwarded, so the app cannot tell from
        # these headers that it was reached over https.
        proxy_set_header X-Forwarded-Host $server_name;
    }
}
How can I set up a simple cache (expiring after 3 minutes) for my example URLs? This is my first time using nginx — I'm a beginner. Thank you.
The best way to do this is to cache on the backend. Flask has a simple cache, or you can use memcached (the links to the examples were lost in this copy of the answer).
Also, if you really need to speed things up, you can use the built-in memcached support that NGINX has (although this might be too complex). See the NGINX memcached module documentation for details.
If you really want NGINX to do the caching, use the proxy_cache module: declare a `proxy_cache_path ... keys_zone=mycache:10m;` in the http context and, in the `location /` block (or a narrower `location ~ ^/(category|product)/`), add `proxy_cache mycache; proxy_cache_valid 200 3m;`. Only cache responses that are identical for every visitor: nginx does not cache a response carrying Set-Cookie unless told to, and caching a per-user page would serve one user's content to another.

Connection Refused while deploying sentry server in Nginx

I am using the Python Sentry server for tracking logs of my website, and I have used nginx to deploy it. My server's IP is xx.xx.xx.xx; when I open it in the browser it shows 502 Bad Gateway, and the log shows
"connect() failed (111: Connection refused) while connecting to upstream".
Below is configuration i have used in NGINX ,
# Access-log format with upstream timing; applied below via
# "access_log ... timed_combined".
log_format timed_combined '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
# Plain HTTP: redirect everything to HTTPS (301; POSTs become GETs — use 308
# to preserve the method). root is irrelevant here since nothing is served.
server {
    listen 80;
    server_name xx.xx.xx.xx ;
    root /srv/www/name-sentry;
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    # "listen 443 default ssl; ssl on;" is the legacy spelling of
    # "listen 443 default_server ssl;".
    listen 443 default ssl;
    ssl on;
    ssl_certificate /etc/ssl/xx.xx.xx.xx/ssl.crt;
    ssl_certificate_key /etc/ssl/xx.xx.xx.xx/ssl.key;
    # NOTE(review): an empty cipher string gives OpenSSL nothing to negotiate;
    # nginx normally refuses such a config ("SSL_CTX_set_cipher_list failed").
    # Set an explicit modern list, and drop TLSv1/TLSv1.1 below (deprecated by
    # RFC 8996).
    ssl_ciphers '';
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    # HSTS for 30 days; includeSubDomains has no meaning for an IP-addressed
    # server, and the header is sent with the local error pages as well.
    add_header Strict-Transport-Security "max-age=2592000; includeSubDomains";
    keepalive_timeout 0;
    # CHANGE ME: long timeout for ERP POST images
    proxy_read_timeout 200;
    proxy_send_timeout 200;
    server_name xx.xx.xx.xx ;
    root /srv/www/name-sentry;
    access_log /var/log/nginx/name-sentry-access.log timed_combined;
    error_log /var/log/nginx/name-sentry-error.log;
    error_page 502 /502.html;
    error_page 503 /503.html;
    error_page 504 /504.html;
    # NOTE(review): "#name-sentry" is not a valid named location (the "@" was
    # probably mangled to "#" in the paste) and no "location @name-sentry" is
    # defined in this server, so as pasted nginx would not accept this line.
    try_files $uri #name-sentry;
    location / {
        # NOTE(review): no port, so this proxies to port 80 of the public IP —
        # i.e. back to the redirect server above — not to Sentry on :9000.
        # Use "proxy_pass http://127.0.0.1:9000;" and bind Sentry to loopback.
        proxy_pass http://xx.xx.xx.xx;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header Host $http_host;
        #proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Protocol https;
        # The commented-out CORS headers would have allowed any origin with
        # credentials — browsers reject "*" together with credentials anyway.
        #add_header Access-Control-Allow-Origin "*";
        #add_header Access-Control-Allow-Credentials "true";
        #add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
        #add_header X-Backend-Server $hostname;
    }
}
NOTE: xx.xx.xx.xx is my IP. The command to start the Sentry server is "sentry start"; it works, and Sentry listens on port 9000. What is the solution?
(In the config above, `proxy_pass http://xx.xx.xx.xx;` has no port, so nginx proxies to port 80 of the public IP rather than to Sentry on 9000; it should be `proxy_pass http://127.0.0.1:9000;`, with Sentry bound to the loopback interface so it is reachable only through nginx.)
