My Jupyter config looks like this:
# encoding=utf-8
c = get_config()
c.IPKernelApp.pylab = 'inline'
c.NotebookApp.certfile = u'/root/.ipython/profile_txz_server/mycert.pem'
c.NotebookApp.client_ca = u'/root/.ipython/profile_txz_server/mycert.pem'
c.NotebookApp.password = u'sha1:4a46aefd018f:170840e2f9af032488....' # txzing_token
c.NotebookApp.ip = '127.0.0.1'
c.NotebookApp.port = 8888
c.NotebookApp.open_browser = False
c.NotebookApp.trust_xheaders = True
And my Nginx HTTP config looks like this:
upstream notebook {
server localhost:8888;
}
server {
listen 80;
server_name xx.xx.com;
rewrite ^/(.*) https://xx.xx.com/$1 permanent;
}
server{
listen 443 ssl;
index index.html;
server_name xx.xx.com;
ssl_certificate /root/.ipython/profile_txz_server/mycert.pem;
ssl_certificate_key /root/.ipython/profile_txz_server/mycert.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
location / {
proxy_pass http://127.0.0.1:8888;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Origin "";
}
}
Finally, I try to visit the URL: https://xx.xx.com
Jupyter gets an error like this:
SSL Error on 9 ('127.0.0.1', 43378): [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:749)
How can I deal with this problem?
I dealt with this problem. I tried doing it like this:
# c.NotebookApp.certfile = u'/root/.ipython/profile_txz_server/mycert.pem'
# c.NotebookApp.client_ca = u'/root/.ipython/profile_txz_server/mycert.pem'
I have a Django project already using AWS SSL certificate from the Certificate Manager service. My application is accessible via HTTPS, however, it isn't redirecting automatically when accessing via HTTP.
My Nginx default.conf file before redirect (works like a charm!):
upstream django {
server my_app:8000;
}
server {
location / {
proxy_pass http://django;
}
}
After setting up the redirect:
upstream django {
server my_app:8000;
}
server {
listen 80;
if ($http_x_forwarded_proto = 'http'){
return 301 https://$host$request_uri;
}
location / {
proxy_pass http://django;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
And here is my Django settings.py for this:
.
.
.
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
CORS_ORIGIN_ALLOW_ALL = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SECURE_HSTS_SECONDS = 340505040
SECURE_SSL_REDIRECT = True
.
.
.
Then I'm getting http 400 (this is the Load Balancer Health Checker):
Edit 1
With this new setup, I'm getting http 301:
upstream django {
server my_app:8000;
}
server {
listen 80;
location / {
proxy_pass http://django/;
if ($http_x_forwarded_proto != 'https') {
rewrite ^ https://$host$request_uri? permanent;
}
}
}
I've been looking around and didn't find any example that helps me. What can I try next?
On NGINX config put all the sites on SSL only
site on SSL
nginx/sites-available/sitex only listens to port 443
server {
# SSL configuration
#
listen 443 ssl ;
listen [::]:443 ssl ;
ssl_certificate /etc/letsencrypt/live/www.sitex.nl/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.sitex.cops.nl/privkey.pem; # managed by Certbot
server_name www.sitex.com; # managed by Certbot
access_log /var/log/nginx/sitex_access.log;
error_log /var/log/nginx/sitex_error.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Access-Control-Allow-Origin *;
proxy_pass http://127.0.0.1:8004;
}
}
All SSL/TLS requests to www.sitex.com are forwarded to localhost:8004.
And the SiteX Docker Image is picking up on that port.
nginx.conf
In the nginx.conf file the Virtual Hosts section is as follows
##
# Virtual Host Configs
##
include /etc/nginx/all_http_to_https.conf;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
all_http_to_https.conf
This file does the trick
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
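The two nginx setups from the AWS load balancer question above ("After setting up the redirect" and "Edit 1") can be traced with a small model. This is an added example, not code from any poster. It assumes the load balancer terminates TLS, forwards plain HTTP to nginx with X-Forwarded-Proto set to the client's scheme, and sends health probes without that header; the function and config names are hypothetical.

```python
# Added example: a constructed model of the request path, not the poster's code.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")  # from settings.py above
SECURE_SSL_REDIRECT = True  # from settings.py above

def via_load_balancer(client_scheme):
    """Assumed LB behaviour: terminate TLS, record the client's scheme in a header."""
    return {"X-Forwarded-Proto": client_scheme}

def nginx(headers, config):
    """Model one `listen 80` server block. Returns (status, headers_for_django)."""
    xfp = headers.get("X-Forwarded-Proto", "")
    if config == "after_redirect":
        if xfp == "http":  # if ($http_x_forwarded_proto = 'http')
            return 301, None
        # proxy_set_header X-Forwarded-Proto $scheme; nginx was reached over
        # plain HTTP, so $scheme is "http" even for an HTTPS client.
        return None, {**headers, "X-Forwarded-Proto": "http"}
    if config == "edit_1":
        if xfp != "https":  # if ($http_x_forwarded_proto != 'https')
            return 301, None
        return None, dict(headers)  # client headers pass through unchanged
    raise ValueError(f"unknown config: {config}")

def django(headers):
    """Status Django returns given SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT."""
    meta = {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}
    meta_key, secure_value = SECURE_PROXY_SSL_HEADER
    is_secure = meta.get(meta_key) == secure_value
    return 301 if SECURE_SSL_REDIRECT and not is_secure else 200

def trace(first_headers, config, max_hops=5):
    """Follow 301s as a browser would; every redirect here targets https://."""
    statuses, headers = [], first_headers
    for _ in range(max_hops):
        status, upstream = nginx(headers, config)
        if status is None:
            status = django(upstream)
        statuses.append(status)
        if status != 301:
            break
        headers = via_load_balancer("https")
    return statuses

if __name__ == "__main__":
    for config in ("after_redirect", "edit_1"):
        print(config, trace(via_load_balancer("http"), config))
    print("edit_1 health probe", trace({}, "edit_1", max_hops=1))
```

In this model the first setup never reaches a 200, because nginx replaces the load balancer's header with its own $scheme before Django sees it. The Edit 1 setup redirects any request that lacks the header, which includes the header-less health probe.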
I had a working configuration of nginx proxying to an upstream daphne server for django channels. However, when I moved my site to SSL, I started running into 403 errors with the websocket requests. This is from my error log:
None - - [24/Apr/2017:02:43:36] "WSCONNECTING /pulse_events" - -
None - - [24/Apr/2017:02:43:36] "WSREJECT /pulse_events" - -
2017/04/24 02:43:37 [info] 465#465: *10 client 69.203.115.135 closed keepalive connection
And from the access log:
- - [24/Apr/2017:02:48:54 +0000] "GET /pulse_events HTTP/1.1" 403 5 "-" "-"
- - [24/Apr/2017:02:49:03 +0000] "GET /pulse_state/ HTTP/2.0" 200 1376 "-" "Pulse/1 CFNetwork/811.4.18 Darwin/16.1.0"
My nginx config is as follows:
upstream pulse_web_server {
server unix:/home/pulseweb/run/gunicorn.sock fail_timeout=0;
}
upstream pulse_web_sockets {
server unix:/home/pulseweb/run/daphne.sock;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
server_name backend.com;
return 301 https://$host$request_uri;
}
server {
listen 443 http2 ssl;
server_name backend.com;
root /var/www/vhosts/backend.com;
location ~ /.well-known {
allow all;
}
include snippets/ssl-params.conf;
ssl_certificate /etc/letsencrypt/live/backend.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/backend.com/privkey.pem;
client_max_body_size 4G;
access_log /var/log/nginx/pulse-access.log;
error_log /var/log/nginx/pulse-error.log info;
location /static/ {
alias /var/www/vhosts/backend.com/static/;
}
location /pulse_events {
proxy_pass http://pulse_web_sockets;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location / {
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header Connection "";
proxy_http_version 1.1;
server_tokens off;
proxy_buffering on;
if (!-f $request_filename) {
proxy_pass http://pulse_web_server;
break;
}
}
}
This is my requirements.txt:
asgi-redis==0.14.0
asgiref==0.14.0
asyncio==3.4.3
autobahn==0.16.0
channels==0.17.2
daphne==0.14.3
Django==1.10
django-extensions==1.7.2
django-webpack-loader==0.3.3
djangorestframework==3.4.4
msgpack-python==0.4.8
python-dateutil==2.5.3
redis==2.10.5
requests==2.11.0
six==1.10.0
Twisted==16.2.0
txaio==2.5.1
zope.interface==4.2.0
Any insight would be greatly appreciated.
I do have a working configuration for Django+Daphne+nginx+ssl without any issues, I run daphne via supervisor with the following config file:
[program:project]
directory=<project_directory>
command=daphne -u <path_to_socket>/daphne.sock --root-path=<project_directory> <project>.asgi:channel_layer
stdout_logfile = <log_path>
stderr_logfile= <error_log_path>
[program:project_asgi_workers]
command=python <project_directory>/manage.py runworker
stdout_logfile=<log_file_path_2>
stderr_logfile=<log_error_path_2>
process_name=asgi_worker%(process_num)s
numprocs=2
environment=LANG=en_US.UTF-8,LC_ALL=en_US.UTF-8 ; Set UTF-8 as default encoding
autostart=true
autorestart=true
redirect_stderr=true
stopasgroup=true
To stop and start these workers I run the commands:
sudo supervisorctl stop all
sudo supervisorctl start all
Inside nginx I have the following configuration to connect to my websockets:
location /pulse_events/ {
proxy_pass http://unix:<path_to_socket>/daphne.sock;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
I used on this project daphne version 1.4.1, asgi-redis 1.4.3, redis 2.10.6 and channels 1.1.8.
If you still have issues, maybe it's also a good idea to check your routing and consumers for django channels.
Your nginx expects a wss request, not a ws request.
I use Django + Daphne + Nginx + SSL, and here is my nginx mysite.conf. Your conf file is missing handling for /ws requests; ws and wss will both be handled with these parameters. Please be sure you have a backend socket server like Daphne (I see you have), and run this server in bash and accept requests on 8443 (this is important because most servers only permit this socket). And enjoy it.
location /ws {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://127.0.0.1:8443;
}
server {
#https
listen 443 ssl;
server_name my_site.com www.my_site.com my_ip;
root /usr/share/nginx/html;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
fastcgi_connect_timeout 3000;
fastcgi_send_timeout 3000;
fastcgi_read_timeout 3000;
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
gzip_disable "MSIE [1-6]\.";
#your SSL configuration
ssl on;
ssl_certificate /home/django/ssl/my_site.com.chained.crt;
ssl_certificate_key /home/django/ssl/my_site.key;
client_max_body_size 4G;
keepalive_timeout 500;
add_header Strict-Transport-Security "max-age=31536000";
include /etc/nginx/default.d/*.conf;
# Your Django project's media files - amend as required
location /media {
alias /home/django/media;
}
# your Django project's static files - amend as required
location /static {
alias /home/django/static;
}
# Proxy the static assets for the Django Admin panel
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
proxy_buffering off;
proxy_pass http://unix:/home/django/mysite.sock;
}
location /ws {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://127.0.0.1:8443;
}
}
server {
listen 80;
listen [::]:80;
server_name my_site.com www.my_site.com my_ip;
return 301 https://$server_name$request_uri;
}
I am using the Python Sentry server for tracking logs of my website, and I have used an nginx server to deploy it. My server's IP is xx.xx.xx.xx; when I open this in a browser it shows me 502 Bad Gateway, and when I checked the log it shows
"connect() failed (111: Connection refused) while connecting to upstream".
Below is configuration i have used in NGINX ,
log_format timed_combined '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
server {
listen 80;
server_name xx.xx.xx.xx ;
root /srv/www/name-sentry;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 default ssl;
ssl on;
ssl_certificate /etc/ssl/xx.xx.xx.xx/ssl.crt;
ssl_certificate_key /etc/ssl/xx.xx.xx.xx/ssl.key;
ssl_ciphers '';
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=2592000; includeSubDomains";
keepalive_timeout 0;
# CHANGE ME: long timeout for ERP POST images
proxy_read_timeout 200;
proxy_send_timeout 200;
server_name xx.xx.xx.xx ;
root /srv/www/name-sentry;
access_log /var/log/nginx/name-sentry-access.log timed_combined;
error_log /var/log/nginx/name-sentry-error.log;
error_page 502 /502.html;
error_page 503 /503.html;
error_page 504 /504.html;
try_files $uri #name-sentry;
location / {
proxy_pass http://xx.xx.xx.xx;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header Host $http_host;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Protocol https;
#add_header Access-Control-Allow-Origin "*";
#add_header Access-Control-Allow-Credentials "true";
#add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
#add_header X-Backend-Server $hostname;
}
}
NOTE: xx.xx.xx.xx is my IP. The command to start the Sentry server is "sentry start", and it works; Sentry uses port 9000. What is the solution to this?
I tried to use django-sslify and django-secure to redirect all http requests to https, but I just can't get it to work. Is it a valid solution to redirect them with nginx instead, like it is shown here: link
Or, maybe someone could explain what is wrong with my config right now:
Before I added "proxy_set_header Host $host;" to the second server block it redirected nicely, but forms wouldn't work, because the CSRF protection threw referrer errors.
server {
listen 80;
server_name domain.com;
location /static {
alias /home/adrian/sites/www.domain.com/static;
}
location / {
proxy_set_header Host $host;
proxy_pass http://unix:/tmp/www.domain.com.socket;
}
}
server {
listen 200.200.200.200:443;
server_name domain.com;
location /static {
alias /home/adrian/sites/www.domain.com/static;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://unix:/tmp/www.domain.com.de.socket;
}
ssl on;
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/domain.com.de.key;
ssl_prefer_server_ciphers on;
}
Okay, never mind. Django-sslify just didn't work for some reason, so I retried django-secure with
proxy_set_header Host $host;
set, and it worked like a charm. But I would really like to hear whether it would be better or more efficient to redirect with nginx, and I will accept that answer. Thanks.
I'm using Nginx as webserver, with a reverse proxy to a gunicorn django server.
I tried using the SSLRedirect snippet from here:
http://djangosnippets.org/snippets/85/
Because this snippet would always return false from is_secure() with my setup, resulting in a redirect loop, I had to make some changes.
SSL works, but when I access http://domain.net/main it doesn't redirect to https://domain.net/main. Isn't it supposed to do that?
Below outlines the modification I made:
if 'HTTP_X_FORWARDED_PROTOCOL' in request.META:
    return True
And in my nginx conf (I only need SSL, http not required):
server {
listen 8888;
server_name domain.net;
ssl on;
ssl_certificate /path/to/domain.pem;
ssl_certificate_key /path/to/domain.key;
# serve directly - analogous for static/staticfiles
location /media/ {
root /path/to/root;
}
location /static/ {
root /path/to/root;
}
location / {
proxy_pass_header Server;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 10;
proxy_read_timeout 10;
proxy_pass http://127.0.0.1:8881/;
# note this line
proxy_set_header X-Forwarded-Protocol https;
}
}
Just do it entirely with nginx. No need to involve Django at all:
server {
listen 80;
rewrite ^(.*) https://$host$1 permanent;
}
server {
listen 443;
# The rest of your original server config here
}