Proposal wont go over HTTPS #70

Closed
kevieman opened this issue Jan 16, 2019 · 18 comments

@kevieman

Hey there,

I have Consul deployed on an Ubuntu server. I made the site secure with SSL with the use of certbot (Let's Encrypt certificate). The whole site is encrypted except for any of the proposal pages.
To be exact, the following pages are not secure: /proposals/new, /legislation/processes/../proposals/new and /budgets/../investments

If I set [force_ssl](https://github.com/consul/consul/blob/master/config/environments/production.rb#L45) to true I'll receive an ERR_TOO_MANY_REDIRECTS error in browser.

These are my nginx conf files:
/etc/nginx/sites-enabled/default

upstream app {
        server unix:/home/deploy/consul/sockets/unicorn.sock;
}

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /home/deploy/consul/public;

        server_name _;

        try_files $uri/index.html $uri @app;
        location @app {
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_redirect off;
                proxy_pass http://app;
        }
}

server {

        root /home/deploy/consul/public;
    server_name mydomain.com; # managed by Certbot

        try_files $uri/index.html $uri @app;
        location @app {
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_redirect off;
                proxy_pass http://app;
        }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = consulemmen.ddns.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

        listen 80 ;
        listen [::]:80 ;
    server_name consulemmen.ddns.net;
    return 404; # managed by Certbot
}

/etc/nginx/sites-available/default

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }
}
@sturpin

sturpin commented Jan 16, 2019

Hi @kevieman !!
On 443 SSL Block Server add proxy_set_header X-Forwarded-Proto https;

   location @ app {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header        X-Forwarded-Proto https;
            proxy_redirect off;
            proxy_pass http://app;
    }

later set config.force_ssl = true and it should work fine!! :)

@kevieman
Author

That gives me the following error:

Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.

@sturpin

sturpin commented Jan 16, 2019

What message does it return when you type "journalctl -xe" ?

@kevieman
Author

It gives:

Jan 16 18:13:24 vps616142 sshd[6990]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[serverIP]
Jan 16 18:13:24 vps616142 sshd[6986]: Accepted password for consul from [myIP] port 63302 ssh2
Jan 16 18:13:24 vps616142 sshd[6986]: pam_unix(sshd:session): session opened for user consul by (uid=0)
Jan 16 18:13:24 vps616142 systemd[1]: Started Session 4 of user consul.

@sturpin

sturpin commented Jan 16, 2019

Please give me the output "systemctl status nginx.service"

@kevieman
Author

● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-01-16 18:01:34 CET; 40min ago
  Process: 6681 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 6622 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 6754 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
 Main PID: 6625 (code=exited, status=0/SUCCESS)

Jan 16 18:01:34 vps616142 systemd[1]: Starting A high performance web server and a reverse proxy server...
Jan 16 18:01:34 vps616142 nginx[6754]: nginx: [emerg] invalid location modifier "@" in /etc/nginx/sites-enabled/default:43
Jan 16 18:01:34 vps616142 nginx[6754]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jan 16 18:01:34 vps616142 systemd[1]: nginx.service: Control process exited, code=exited status=1
Jan 16 18:01:34 vps616142 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Jan 16 18:01:34 vps616142 systemd[1]: nginx.service: Unit entered failed state.
Jan 16 18:01:34 vps616142 systemd[1]: nginx.service: Failed with result 'exit-code'.

@sturpin

sturpin commented Jan 16, 2019

You have an error: [emerg] invalid location modifier "@" in /etc/nginx/sites-enabled/default:43
What did you put?

@kevieman
Author

kevieman commented Jan 16, 2019

> Hi @kevieman !!
> On 443 SSL Block Server add proxy_set_header X-Forwarded-Proto https;
>
>    location @ app {
>             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>             proxy_set_header Host $http_host;
>             proxy_set_header        X-Forwarded-Proto https;
>             proxy_redirect off;
>             proxy_pass http://app;
>     }
>
> later set config.force_ssl = true and it should work fine!! :)

That was a problem with copy paste :).
This is the new output

systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-01-16 18:54:29 CET; 37s ago
  Process: 6681 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 7429 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 7425 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 7432 (nginx)
    Tasks: 2
   Memory: 2.1M
      CPU: 53ms
   CGroup: /system.slice/nginx.service
           ├─7432 nginx: master process /usr/sbin/nginx -g daemon on; master_process on
           └─7433 nginx: worker process

Jan 16 18:54:29 vps616142 systemd[1]: Starting A high performance web server and a reverse proxy server...
Jan 16 18:54:29 vps616142 systemd[1]: nginx.service: Failed to read PID from file /run/nginx.pid: Invalid argument
Jan 16 18:54:29 vps616142 systemd[1]: Started A high performance web server and a reverse proxy server.

But I still have the ERR_TOO_MANY_REDIRECTS error.

@sturpin

sturpin commented Jan 16, 2019

mkdir /etc/systemd/system/nginx.service.d
printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload
systemctl restart nginx

@kevieman
Author

Still the ERR_TOO_MANY_REDIRECTS error popping up in my browser.

@sturpin

sturpin commented Jan 16, 2019

Show me your nginx.conf configuration with your 80 and 443 block server, pls

@kevieman
Author

kevieman commented Jan 16, 2019

/etc/nginx/sites-enabled/default:

upstream app {
        server unix:/home/deploy/consul/sockets/unicorn.sock;
}

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /home/deploy/consul/public;

        server_name _;

        try_files $uri/index.html $uri @app;
        location @app {
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_redirect off;
                proxy_pass http://app;
        }
}

server {

        root /home/deploy/consul/public;
    server_name consulemmen.ddns.net; # managed by Certbot

        try_files $uri/index.html $uri @app;
        location @app {
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_redirect off;
                proxy_pass http://app;
        }


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        location @app {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header        X-Forwarded-Proto https;
            proxy_redirect off;
            proxy_pass http://app;
        }
}

server {
    if ($host = consulemmen.ddns.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80 ;
        listen [::]:80 ;
    server_name consulemmen.ddns.net;
    return 404; # managed by Certbot


}

@sturpin

sturpin commented Jan 16, 2019

You've two Location @ app ...
leave only mine, with proxy_set_header X-Forwarded-Proto https;
Comment that one ->

   location @app {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_pass http://app;
    }

@kevieman
Author

kevieman commented Jan 16, 2019

I still get the error.

@sturpin

sturpin commented Jan 17, 2019

Something like that:

upstream app {
        server unix:/home/deploy/consul/sockets/unicorn.sock;
}

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /home/deploy/consul/public;
        server_name consulemmen.ddns.net;
        return 301 https://$server_name$request_uri;
}

server {
        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        root /home/deploy/consul/public;
        server_name consulemmen.ddns.net; # managed by Certbot
        try_files $uri/index.html $uri @app;
        location @app {
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Proto https;
                proxy_redirect off;
                proxy_pass http://app;
        }
}
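
Added example, not part of the original thread and not Consul project code: with `force_ssl` enabled the app redirects every request it sees as plain HTTP, and behind nginx it learns the original scheme only from `X-Forwarded-Proto`, so this Python check flags TLS `server` blocks that proxy without that header, plus duplicate `location` names. `SAMPLE` is a constructed config modelled on the one posted above; `blocks` and `lint` are hypothetical helper names, and headers inherited from the `server` level are not considered.

```python
import re

# Constructed sample modelled on the config posted in this thread: the TLS
# server block holds two `location @app`, only one sets X-Forwarded-Proto.
SAMPLE = """
upstream app { server unix:/home/deploy/consul/sockets/unicorn.sock; }
server { listen 80 default_server; server_name _; return 301 https://$host$request_uri; }
server {
    listen 443 ssl;
    server_name example.test;
    location @app {
        proxy_set_header Host $http_host;
        proxy_pass http://app;
    }
    location @app {
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://app;
    }
}
"""

def blocks(text, keyword):
    """Yield (header, body) for each `keyword ... { ... }` block, nesting-aware."""
    for m in re.finditer(r"(?<![\w$-])%s\b([^{;]*)\{" % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]

def lint(conf):
    """Return (server_no, location, problem) tuples for TLS server blocks."""
    conf = re.sub(r"#.*", "", conf)  # strip comments such as "# managed by Certbot"
    findings = []
    for n, (_, server) in enumerate(blocks(conf, "server"), 1):
        if not re.search(r"\blisten\b[^;]*\bssl\b", server):
            continue  # plain-HTTP block: not terminating TLS, nothing to forward
        seen = set()
        for name, body in blocks(server, "location"):
            if name in seen:
                findings.append((n, name, "duplicate location"))
            seen.add(name)
            if "proxy_pass" in body and not re.search(
                    r"proxy_set_header\s+X-Forwarded-Proto\s", body, re.I):
                findings.append((n, name, "proxy_pass without X-Forwarded-Proto"))
    return findings

if __name__ == "__main__":
    for server_no, location, problem in lint(SAMPLE):
        print(f"server block #{server_no}, location {location}: {problem}")
```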

@kevieman
Author

Great that fixed the ERR_TOO_MANY_REDIRECTS issue!
/proposals/new and /legislation/processes/../proposals/new are now secure as well.
Only now when I make a new proposal on a budget investment I'll receive error 500 but the proposal is created anyway.

@sturpin

sturpin commented Jan 17, 2019

> Great that fixed the ERR_TOO_MANY_REDIRECTS issue!
> /proposals/new and /legislation/processes/../proposals/new are now secure as well.
> Only now when I make a new proposal on a budget investment I'll receive error 500 but the proposal is created anyway.

Fantastic @kevieman !!
It would be convenient to close this issue and open a new one :)
Can you check in the log what is the error?

@voodoorai2000
Member

Thank you @sturpin, @kevieman 😌👏🎉❤️
