Am using python sentry server for tracking logs of my website.And i have used nginx server to deploy it, my servers IP is xx.xx.xx.xx when i open this in browser it shows me 502 Bad Gateway and when i checked the log it shows
"connect() failed (111: Connection refused) while connecting to upstream".
Below is configuration i have used in NGINX ,
log_format timed_combined '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
server {
listen 80;
server_name xx.xx.xx.xx ;
root /srv/www/name-sentry;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 default ssl;
ssl on;
ssl_certificate /etc/ssl/xx.xx.xx.xx/ssl.crt;
ssl_certificate_key /etc/ssl/xx.xx.xx.xx/ssl.key;
ssl_ciphers '';
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=2592000; includeSubDomains";
keepalive_timeout 0;
# CHANGE ME: long timeout for ERP POST images
proxy_read_timeout 200;
proxy_send_timeout 200;
server_name xx.xx.xx.xx ;
root /srv/www/name-sentry;
access_log /var/log/nginx/name-sentry-access.log timed_combined;
error_log /var/log/nginx/name-sentry-error.log;
error_page 502 /502.html;
error_page 503 /503.html;
error_page 504 /504.html;
try_files $uri #name-sentry;
location / {
proxy_pass http://xx.xx.xx.xx;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header Host $http_host;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Protocol https;
#add_header Access-Control-Allow-Origin "*";
#add_header Access-Control-Allow-Credentials "true";
#add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
#add_header X-Backend-Server $hostname;
}
}
NOTE: xx.xx.xx.xx--is my IP.Command to start sentry server is "sentry start" and it works and sentry uses 9000 port.What is the solution of this ?
Related
I have a couchbase server behind a NGINX reverse proxy (behind the subpath /db).
How do I specify the correct connection string in Python?
I tried
from couchbase.cluster import Cluster, ClusterOptions
from couchbase.auth import PasswordAuthenticator
cluster = Cluster('couchbase://testserver.com/db', ClusterOptions(
PasswordAuthenticator('Administrator', 'password')))
But I get
ValueError: Cannot pass bucket to connection string: db
Accessing the admin website at https://testserver.com/db/_utils/index.html works.
NGINX configuration:
server {
listen 80;
server_name testserver.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name stagingpos.rsj.de;
ssl_certificate /etc/ssl/xxx.crt;
ssl_certificate_key /etc/ssl/xxx.key;
location / {
proxy_pass http://127.0.0.1:8001;
proxy_set_header X-Forwarded-For $remote_addr;
}
location /db {
rewrite /db/(.*) /$1 break;
proxy_pass http://127.0.0.1:5984/;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
}
location /_session {
proxy_pass http://127.0.0.1:5984/_session;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X_Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded_Ssl on;
}
}
I have an issue when I run two python flask websites. The port forwarding does not work for the second website.
My starting points are two html hello-world websites accessible via domain names.
I removed the HTML index files and started python flask
waitress-serve --port 8080 --call "mysite_1:myflaskentrypoint"
mysite_1.com:8080 -> accessible (Ok for now)
I entered the following config in Plesk -> Home -> Domains -> mysite_1 -> Appache & nginx Settings -> Additional nginx directives.
location / {
proxy_set_header Accept-Encoding "";
proxy_pass http://0.0.0.0:8080;
}
https://mysite_1.com accessible (great)
Now comes the issue with the second website.
waitress-serve --port 9080 --call "mysite_2:myflaskentrypoint"
mysite_2.com:9080 -> accessible (Ok for now)
Plesk -> Home -> Domains -> mysite_2 -> Appache & nginx Settings -> Additional nginx directives.
location / {
proxy_set_header Accept-Encoding "";
proxy_pass http://0.0.0.0:9080;
}
https://mywebsite_2.com accessible
-> ERROR 403 Forbidden
Error-Log
403 GET / HTTP/2.0 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) ... 795 nginx
SSL/TLS access
Error ... 11691#0: *386 directory index of "/var/www/vhosts/<mysite_2>.de/httpdocs/"
is forbidden nginx error
Any hints are welcome
----
nginx -T
root#localhost:~# nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
#user nginx;
worker_processes 1;
#error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;
#pid /var/run/nginx.pid;
include /etc/nginx/modules.conf.d/*.conf;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#tcp_nodelay on;
#gzip on;
#gzip_disable "MSIE [1-6]\.(?!.*SV1)";
server_tokens off;
include /etc/nginx/conf.d/*.conf;
}
# override global parameters e.g. worker_rlimit_nofile
include /etc/nginx/*global_params;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/ssl.conf:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
# configuration file /etc/nginx/conf.d/zz010_psa_nginx.conf:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
include /etc/nginx/plesk.conf.d/server.conf;
include /etc/nginx/plesk.conf.d/webmails/*.conf;
include /etc/nginx/plesk.conf.d/vhosts/*.conf;
include /etc/nginx/plesk.conf.d/forwarding/*.conf;
include /etc/nginx/plesk.conf.d/wildcards/*.conf;
# configuration file /etc/nginx/plesk.conf.d/server.conf:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
include "/etc/nginx/plesk.conf.d/ip_default/*.conf";
server {
listen <vps_ip>:443 ssl;
ssl_certificate /opt/psa/var/certificates/scfK6DJ8w;
ssl_certificate_key /opt/psa/var/certificates/scfK6DJ8w;
location ^~ /plesk-site-preview/ {
proxy_pass http://127.0.0.1:8880;
proxy_set_header Host plesk-site-preview.local;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cookie_domain plesk-site-preview.local $host;
access_log off;
}
location / {
proxy_pass https://<vps_ip>:7081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen <vps_ip>:80;
location ^~ /plesk-site-preview/ {
proxy_pass http://127.0.0.1:8880;
proxy_set_header Host plesk-site-preview.local;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cookie_domain plesk-site-preview.local $host;
access_log off;
}
location / {
proxy_pass http://<vps_ip>:7080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
# configuration file /etc/nginx/plesk.conf.d/ip_default/<website_1>.conf:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
server {
listen <vps_ip>:443 ssl;
ssl_certificate /opt/psa/var/certificates/scf9FAuU9;
ssl_certificate_key /opt/psa/var/certificates/scf9FAuU9;
server_name www.<website_1>;
location / {
return 301 https://<website_1>$request_uri;
}
}
server {
listen <vps_ip>:443 default_server ssl http2;
server_name <website_1>;
server_name ipv4.<website_1>;
ssl_certificate /opt/psa/var/certificates/scf9FAuU9;
ssl_certificate_key /opt/psa/var/certificates/scf9FAuU9;
error_page 400 "/error_docs/bad_request.html";
error_page 401 "/error_docs/unauthorized.html";
error_page 403 "/error_docs/forbidden.html";
error_page 404 "/error_docs/not_found.html";
error_page 500 "/error_docs/internal_server_error.html";
error_page 405 "/error_docs/method_not_allowed.html";
error_page 406 "/error_docs/not_acceptable.html";
error_page 407 "/error_docs/proxy_authentication_required.html";
error_page 412 "/error_docs/precondition_failed.html";
error_page 414 "/error_docs/request_uri_too_long.html";
error_page 415 "/error_docs/unsupported_media_type.html";
error_page 501 "/error_docs/not_implemented.html";
error_page 502 "/error_docs/bad_gateway.html";
error_page 503 "/error_docs/maintenance.html";
location ^~ /error_docs {
root "/var/www/vhosts/<website_1>";
}
client_max_body_size 128m;
root "/var/www/vhosts/<website_1>/httpdocs";
access_log "/var/www/vhosts/system/<website_1>/logs/proxy_access_ssl_log";
error_log "/var/www/vhosts/system/<website_1>/logs/proxy_error_log";
location ^~ /plesk-site-preview/ {
proxy_pass http://127.0.0.1:8880;
proxy_set_header Host plesk-site-preview.local;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cookie_domain plesk-site-preview.local $host;
access_log off;
}
#extension letsencrypt begin
location ^~ /.well-known/acme-challenge/ {
root /var/www/vhosts/default/htdocs;
types { }
default_type text/plain;
satisfy any;
auth_basic off;
allow all;
location ~ ^/\.well-known/acme-challenge.*/\. {
deny all;
}
}
#extension letsencrypt end
#extension sslit begin
#extension sslit end
location ~ /\.ht {
deny all;
}
location ~ ^/(plesk-stat|awstats-icon|webstat|webstat-ssl|ftpstat|anon_ftpstat) {
auth_basic "Domain statistics";
auth_basic_user_file "/var/www/vhosts/system/<website_1>/pd/d..httpdocs#plesk-stat";
autoindex on;
location ~ ^/plesk-stat(.*) {
alias /var/www/vhosts/system/<website_1>/statistics/$1;
}
location ~ ^/awstats-icon(.*) {
alias /usr/share/awstats/icon/$1;
}
location ~ ^/(.*) {
alias /var/www/vhosts/system/<website_1>/statistics/$1;
}
}
add_header X-Powered-By PleskLin;
include "/var/www/vhosts/system/<website_1>/conf/vhost_nginx.conf";
}
server {
listen <vps_ip>:80;
server_name www.<website_1>;
location / {
return 301 https://<website_1>$request_uri;
}
}
server {
listen <vps_ip>:80 default_server;
server_name <website_1>;
server_name ipv4.<website_1>;
error_page 400 "/error_docs/bad_request.html";
error_page 401 "/error_docs/unauthorized.html";
error_page 403 "/error_docs/forbidden.html";
error_page 404 "/error_docs/not_found.html";
error_page 500 "/error_docs/internal_server_error.html";
error_page 405 "/error_docs/method_not_allowed.html";
error_page 406 "/error_docs/not_acceptable.html";
error_page 407 "/error_docs/proxy_authentication_required.html";
error_page 412 "/error_docs/precondition_failed.html";
error_page 414 "/error_docs/request_uri_too_long.html";
error_page 415 "/error_docs/unsupported_media_type.html";
error_page 501 "/error_docs/not_implemented.html";
error_page 502 "/error_docs/bad_gateway.html";
error_page 503 "/error_docs/maintenance.html";
location ^~ /error_docs {
root "/var/www/vhosts/<website_1>";
}
client_max_body_size 128m;
location / {
return 301 https://$host$request_uri;
}
}
# configuration file /var/www/vhosts/system/<website_1>/conf/vhost_nginx.conf:
location / {
proxy_set_header Accept-Encoding "";
proxy_pass http://0.0.0.0:8080;
}
# configuration file /etc/nginx/plesk.conf.d/webmails/<website_2>_webmail.conf:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
server {
listen <vps_ip>:443 ssl;
server_name "webmail.<website_2>";
ssl_certificate /opt/psa/var/certificates/scfETmI6V;
ssl_certificate_key /opt/psa/var/certificates/scfETmI6V;
client_max_body_size 128m;
#extension sslit begin
#extension sslit end
location / {
proxy_pass https://<vps_ip>:7081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen <vps_ip>:80;
server_name "webmail.<website_2>";
client_max_body_size 128m;
#extension sslit begin
#extension sslit end
location / {
proxy_pass http://<vps_ip>:7080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
# configuration file /etc/nginx/plesk.conf.d/webmails/<website_1>_webmail.conf:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
# Webmail is not enabled on the domain
# Webmail is not enabled on the domain
# configuration file /etc/nginx/plesk.conf.d/vhosts/<website_2>.conf:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
server {
listen <vps_ip>:443 ssl;
ssl_certificate /opt/psa/var/certificates/scfETmI6V;
ssl_certificate_key /opt/psa/var/certificates/scfETmI6V;
server_name www.<website_2>;
location / {
return 301 https://<website_2>$request_uri;
}
}
server {
listen <vps_ip>:443 ssl http2;
server_name <website_2>;
server_name ipv4.<website_2>;
ssl_certificate /opt/psa/var/certificates/scfETmI6V;
ssl_certificate_key /opt/psa/var/certificates/scfETmI6V;
error_page 400 "/error_docs/bad_request.html";
error_page 401 "/error_docs/unauthorized.html";
error_page 403 "/error_docs/forbidden.html";
error_page 404 "/error_docs/not_found.html";
error_page 500 "/error_docs/internal_server_error.html";
error_page 405 "/error_docs/method_not_allowed.html";
error_page 406 "/error_docs/not_acceptable.html";
error_page 407 "/error_docs/proxy_authentication_required.html";
error_page 412 "/error_docs/precondition_failed.html";
error_page 414 "/error_docs/request_uri_too_long.html";
error_page 415 "/error_docs/unsupported_media_type.html";
error_page 501 "/error_docs/not_implemented.html";
error_page 502 "/error_docs/bad_gateway.html";
error_page 503 "/error_docs/maintenance.html";
location ^~ /error_docs {
root "/var/www/vhosts/<website_2>";
}
client_max_body_size 128m;
root "/var/www/vhosts/<website_2>/httpdocs";
access_log "/var/www/vhosts/system/<website_2>/logs/proxy_access_ssl_log";
error_log "/var/www/vhosts/system/<website_2>/logs/proxy_error_log";
#extension letsencrypt begin
location ^~ /.well-known/acme-challenge/ {
root /var/www/vhosts/default/htdocs;
types { }
default_type text/plain;
satisfy any;
auth_basic off;
allow all;
location ~ ^/\.well-known/acme-challenge.*/\. {
deny all;
}
}
#extension letsencrypt end
#extension sslit begin
#extension sslit end
location ~ /\.ht {
deny all;
}
location ~ ^/(plesk-stat|awstats-icon|webstat|webstat-ssl|ftpstat|anon_ftpstat) {
auth_basic "Domain statistics";
auth_basic_user_file "/var/www/vhosts/system/<website_2>/pd/d..httpdocs#plesk-stat";
autoindex on;
location ~ ^/plesk-stat(.*) {
alias /var/www/vhosts/system/<website_2>/statistics/$1;
}
location ~ ^/awstats-icon(.*) {
alias /usr/share/awstats/icon/$1;
}
location ~ ^/(.*) {
alias /var/www/vhosts/system/<website_2>/statistics/$1;
}
}
location ~ ^/~(.+?)(/.*?\.php)(/.*)?$ {
alias /var/www/vhosts/<website_2>/web_users/$1/$2;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass "unix:///var/www/vhosts/system/<website_2>/php-fpm.sock";
include /etc/nginx/fastcgi.conf;
}
location ~ \.php(/.*)?$ {
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass "unix:///var/www/vhosts/system/<website_2>/php-fpm.sock";
include /etc/nginx/fastcgi.conf;
}
location ~ /$ {
index "index.html" "index.cgi" "index.pl" "index.php" "index.xhtml" "index.htm" "index.shtml";
}
add_header X-Powered-By PleskLin;
include "/var/www/vhosts/system/<website_2>/conf/vhost_nginx.conf";
}
server {
listen <vps_ip>:80;
server_name www.<website_2>;
location / {
return 301 http://<website_2>$request_uri;
}
}
server {
listen <vps_ip>:80;
server_name <website_2>;
server_name ipv4.<website_2>;
error_page 400 "/error_docs/bad_request.html";
error_page 401 "/error_docs/unauthorized.html";
error_page 403 "/error_docs/forbidden.html";
error_page 404 "/error_docs/not_found.html";
error_page 500 "/error_docs/internal_server_error.html";
error_page 405 "/error_docs/method_not_allowed.html";
error_page 406 "/error_docs/not_acceptable.html";
error_page 407 "/error_docs/proxy_authentication_required.html";
error_page 412 "/error_docs/precondition_failed.html";
error_page 414 "/error_docs/request_uri_too_long.html";
error_page 415 "/error_docs/unsupported_media_type.html";
error_page 501 "/error_docs/not_implemented.html";
error_page 502 "/error_docs/bad_gateway.html";
error_page 503 "/error_docs/maintenance.html";
location ^~ /error_docs {
root "/var/www/vhosts/<website_2>";
}
client_max_body_size 128m;
root "/var/www/vhosts/<website_2>/httpdocs";
access_log "/var/www/vhosts/system/<website_2>/logs/proxy_access_log";
error_log "/var/www/vhosts/system/<website_2>/logs/proxy_error_log";
#extension letsencrypt begin
location ^~ /.well-known/acme-challenge/ {
root /var/www/vhosts/default/htdocs;
types { }
default_type text/plain;
satisfy any;
auth_basic off;
allow all;
location ~ ^/\.well-known/acme-challenge.*/\. {
deny all;
}
}
#extension letsencrypt end
#extension sslit begin
#extension sslit end
location ~ /\.ht {
deny all;
}
location ~ ^/(plesk-stat|awstats-icon|webstat|webstat-ssl|ftpstat|anon_ftpstat) {
return 301 https://$host$request_uri;
}
location ~ ^/~(.+?)(/.*?\.php)(/.*)?$ {
alias /var/www/vhosts/<website_2>/web_users/$1/$2;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass "unix:///var/www/vhosts/system/<website_2>/php-fpm.sock";
include /etc/nginx/fastcgi.conf;
}
location ~ \.php(/.*)?$ {
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass "unix:///var/www/vhosts/system/<website_2>/php-fpm.sock";
include /etc/nginx/fastcgi.conf;
}
location ~ /$ {
index "index.html" "index.cgi" "index.pl" "index.php" "index.xhtml" "index.htm" "index.shtml";
}
add_header X-Powered-By PleskLin;
include "/var/www/vhosts/system/<website_2>/conf/vhost_nginx.conf";
}
# configuration file /etc/nginx/fastcgi.conf:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# https://httpoxy.org/
fastcgi_param HTTP_PROXY "";
# configuration file /var/www/vhosts/system/<website_2>/conf/vhost_nginx.conf:
location / { return 200 "OK \n"; }
root#localhost:~#
curl -v <website_2.de>
curl -v https://<website_2.de>
* Trying <plesk IP>:443...
curl -v <website_2.de>
* TCP_NODELAY set
* Connected to <website_2.de> (<plesk IP>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=<website_2.de>
* start date: Feb 22 18:06:21 2021 GMT
* expire date: May 23 18:06:21 2021 GMT
* subjectAltName: host "<website_2.de>" matched cert's "<website_2.de>"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x565382a48e10)
> GET / HTTP/2
> Host: <website_2.de>
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 403
< server: nginx
< date: Fri, 26 Feb 2021 08:37:59 GMT
< content-type: text/html
< content-length: 795
< etag: "6033f929-31b"
<
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<title>403 Forbidden</title>
<link rel="stylesheet" href="/error_docs/styles.css">
</head>
<body>
<div class="page">
<div class="main">
<h1>Server Error</h1>
<div class="error-code">403</div>
<h2>Forbidden</h2>
<p class="lead">You do not have permission to access this document.</p>
<hr/>
<p>That's what you can do</p>
<div class="help-actions">
Reload Page
Back to Previous Page
Home Page
</div>
</div>
</div>
</body>
* Connection #0 to host <website_2.de> left intact
I found a configuration that works for me.
First I checked the box in nginx settings "Proxy mode"
I have set the proxy, not in Nginx, but in Additional Apache directives -> "Additional directives for HTTP/HTTPS"
<Proxy *>
Order deny, allow
Allow from all
</Proxy>
ProxyPreserveHost On
<Location "/">
ProxyPass "http://127.0.0.1:9080/"
ProxyPassReverse "http://127.0.0.1:9080/"
</Location>
This worked. I can access both flask websites via domain name.
I have a flask app that I can run by doing python app.py from the command line, and can view it by going to localhost:5000. I'm trying to run it as a service with gunicorn/nginx, and have an nginx.conf file that looks like this
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
server_name myserver.com;
root /home/user/app/deviceapp/templates;
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8001;
}
}
}
My nginx isn't great. I'm getting the error
2018/05/07 16:12:49 [error] 10419#0: *5 connect() failed (111: Connection refused) while connecting to upstream, client: 10.8.5.79, server: server.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8001/", host: "server.com"
along with a 502 Bad Gateway message. Is there something in my nginx.conf that's an obvious culprit?
My Jupyter config like this:
# encoding=utf-8
c = get_config()
c.IPKernelApp.pylab = 'inline'
c.NotebookApp.certfile = u'/root/.ipython/profile_txz_server/mycert.pem'
c.NotebookApp.client_ca = u'/root/.ipython/profile_txz_server/mycert.pem'
c.NotebookApp.password = u'sha1:4a46aefd018f:170840e2f9af032488....' # txzing_token
c.NotebookApp.ip = '127.0.0.1'
c.NotebookApp.port = 8888
c.NotebookApp.open_browser = False
c.NotebookApp.trust_xheaders = True
And My Nginx HTTP Config like this:
upstream notebook {
server localhost:8888;
}
server {
listen 80;
server_name xx.xx.com;
rewrite ^/(.*) https://xx.xx.com/$1 permanent;
}
server{
listen 443 ssl;
index index.html;
server_name xx.xx.com;
ssl_certificate /root/.ipython/profile_txz_server/mycert.pem;
ssl_certificate_key /root/.ipython/profile_txz_server/mycert.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
location / {
proxy_pass http://127.0.0.1:8888;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Origin "";
}
}
Finally I try to visit url : https://xx.xx.com
Jupyter get error like this:
SSL Error on 9 ('127.0.0.1', 43378): [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:749)
How can I deal this question?
I deal this question. And I try to do like this:
# c.NotebookApp.certfile = u'/root/.ipython/profile_txz_server/mycert.pem'
# c.NotebookApp.client_ca = u'/root/.ipython/profile_txz_server/mycert.pem'
I had a working configuration of nginx proxying to an upstream daphne server for django channels. However, when I moved my site to ssl, I started running into issues 403 errors with the websocket requests. This is from my error log:
None - - [24/Apr/2017:02:43:36] "WSCONNECTING /pulse_events" - -
None - - [24/Apr/2017:02:43:36] "WSREJECT /pulse_events" - -
2017/04/24 02:43:37 [info] 465#465: *10 client 69.203.115.135 closed keepalive
connection
And from the access log:
- - [24/Apr/2017:02:48:54 +0000] "GET /pulse_events HTTP/1.1" 403 5 "-" "-"
- - [24/Apr/2017:02:49:03 +0000] "GET /pulse_state/ HTTP/2.0" 200 1376 "-" "Pulse/1 CFNetwork/811.4.18 Darwin/16.1.0"
My nginx config is as follows:
upstream pulse_web_server {
server unix:/home/pulseweb/run/gunicorn.sock fail_timeout=0;
}
upstream pulse_web_sockets {
server unix:/home/pulseweb/run/daphne.sock;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
server_name backend.com;
return 301 https://$host$request_uri;
}
server {
listen 443 http2 ssl;
server_name backend.com;
root /var/www/vhosts/backend.com;
location ~ /.well-known {
allow all;
}
include snippets/ssl-params.conf;
ssl_certificate /etc/letsencrypt/live/backend.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/backend.com/privkey.pem;
client_max_body_size 4G;
access_log /var/log/nginx/pulse-access.log;
error_log /var/log/nginx/pulse-error.log info;
location /static/ {
alias /var/www/vhosts/backend.com/static/;
}
location /pulse_events {
proxy_pass http://pulse_web_sockets;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location / {
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header Connection "";
proxy_http_version 1.1;
server_tokens off;
proxy_buffering on;
if (!-f $request_filename) {
proxy_pass http://pulse_web_server;
break;
}
}
}
This is my requirements.txt:
asgi-redis==0.14.0
asgiref==0.14.0
asyncio==3.4.3
autobahn==0.16.0
channels==0.17.2
daphne==0.14.3
Django==1.10
django-extensions==1.7.2
django-webpack-loader==0.3.3
djangorestframework==3.4.4
msgpack-python==0.4.8
python-dateutil==2.5.3
redis==2.10.5
requests==2.11.0
six==1.10.0
Twisted==16.2.0
txaio==2.5.1
zope.interface==4.2.0
Any insight would be greatly appreciated.
I do have a working configuration for Django+Daphne+nginx+ssl without any issues, I run daphne via supervisor with the following config file:
[program:project]
directory=<project_directory>
command=daphne -u <path_to_socket>/daphne.sock --root-path=<project_directory> <project>.asgi:channel_layer
stdout_logfile = <log_path>
stderr_logfile= <error_log_path>
[program:project_asgi_workers]
command=python <project_directory>/manage.py runworker
stdout_logfile=<log_file_path_2>
stderr_logfile=<log_error_path_2>
process_name=asgi_worker%(process_num)s
numprocs=2
environment=LANG=en_US.UTF-8,LC_ALL=en_US.UTF-8 ; Set UTF-8 as default encoding
autostart=true
autorestart=true
redirect_stderr=true
stopasgroup=true
To stop and start these workers I run the commands:
sudo supervisorctl stop all
sudo supervisorctl start all
Inside nginx I have the following configuration to connect to my websockets:
location /pulse_events/ {
proxy_pass http://unix:<path_to_socket>/daphne.sock;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
I used on this project daphne version 1.4.1, asgi-redis 1.4.3, redis 2.10.6 and channels 1.1.8.
If you still have issues, maybe it's also a good idea to check your routing and consumers for django channels.
your nginx expects a wss request not a ws request.
I use Django + Daphne + Nginx + SSL and here is my nginx mysite.conf. Your conf file is missed for handling /ws request. And ws and wss will be handle with this parameters. Please be sure you have a backend socket server like Daphne(i see you have), and run this server in bash and accept request in 8443(this is important because most servers permit only in this socket). And enjoy it..
location /ws {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://127.0.0.1:8443;
}
server {
#https
listen 443 ssl;
server_name my_site.com www.my_site.com my_ip;
root /usr/share/nginx/html;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
fastcgi_connect_timeout 3000;
fastcgi_send_timeout 3000;
fastcgi_read_timeout 3000;
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
gzip_disable "MSIE [1-6]\.";
#your SSL configuration
ssl on;
ssl_certificate /home/django/ssl/my_site.com.chained.crt;
ssl_certificate_key /home/django/ssl/my_site.key;
client_max_body_size 4G;
keepalive_timeout 500;
add_header Strict-Transport-Security "max-age=31536000";
include /etc/nginx/default.d/*.conf;
# Your Django project's media files - amend as required
location /media {
alias /home/django/media;
}
# your Django project's static files - amend as required
location /static {
alias /home/django/static;
}
# Proxy the static assests for the Django Admin panel
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
proxy_buffering off;
proxy_pass http://unix:/home/django/mysite.sock;
}
location /ws {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://127.0.0.1:8443;
}
}
server {
listen 80;
listen [::]:80;
server_name my_site.com www.my_site.com my_ip;
return 301 https://$server_name$request_uri;
}