I've got a very strange problem connecting to my newly configured SSL site. This is an Ubuntu VPS hosted on Amazon lightsail.

I have a docker container serving ports 80 and 443, as you can see here:

CONTAINER ID        IMAGE                                                                           COMMAND                  CREATED             STATUS              PORTS                                      NAMES
ce7114e8383a        nginx:alpine                                                                    "nginx -g 'daemon of…"   43 minutes ago      Up 7 minutes        0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   app_nginx_1
ffe588588a67        registry.gitlab.com/example/example-personal-website:latest   "/bin/sh -c 'npm run…"   43 minutes ago      Up 7 minutes        0.0.0.0:9000->9000/tcp                     app_web_1

From inside the server I can make a curl request to that container and get a proper response on SSL. I get this same response on port 80.

ubuntu@ip-172-26-13-199:~$ curl -k https://0.0.0.0:443
<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta http-equiv="x-ua-compatible" content="ie=edge"/>
... // rest of served HTML

I have temporarily disabled the firewall entirely just to rule it out.

ubuntu:~$ sudo ufw disable
Firewall stopped and disabled on system startup
ubuntu:~$ sudo ufw status
Status: inactive

Yet from the outside I cannot access https://www.example.com/, only http://www.example.com/.

This is my nginx default configuration so far. It's a reverse proxy to another docker image.

upstream node-app {
  server web:9000;
}

server {
  listen 80;
  listen 443 ssl;

  server_name www.example.com;

  ssl_certificate /certbot/live/www.example.com/fullchain.pem;
  ssl_certificate_key /certbot/live/www.example.com/privkey.pem;

  location / {
    proxy_pass         http://node-app;
    proxy_redirect     off;
    proxy_set_header   Host $host;
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Host $server_name;
  }
}

And this is included by an otherwise default nginx configuration.

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
  worker_connections  1024;
}

http {
  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;

  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

  access_log  /var/log/nginx/access.log  main;

  sendfile        on;
  #tcp_nopush     on;

  keepalive_timeout  65;

  #gzip  on;

  include /etc/nginx/conf.d/*.conf;
}

Edit #1 - Output from Test-NetConnection

C:\Users\Richard> Test-NetConnection -Port 443 -ComputerName www.example.com -InformationLevel Detailed
WARNING: TCP connect to ([server_ip] : 443) failed
WARNING: Ping to [server_ip] failed with status: TimedOut


ComputerName            : www.example.com
RemoteAddress           : [server_ip]
RemotePort              : 443
NameResolutionResults   : [server_ip]
MatchingIPsecRules      :
NetworkIsolationContext : Internet
IsAdmin                 : False
InterfaceAlias          : WiFi
SourceAddress           : 192.168.1.103
NetRoute (NextHop)      : 192.168.1.1
PingSucceeded           : False
PingReplyDetails (RTT)  : 0 ms
TcpTestSucceeded        : False

C:\Users\Richard> Test-NetConnection -Port 80 -ComputerName www.example.com -InformationLevel Detailed


ComputerName            : www.example.com
RemoteAddress           : [server_ip]
RemotePort              : 80
NameResolutionResults   : [server_ip]
MatchingIPsecRules      :
NetworkIsolationContext : Internet
IsAdmin                 : False
InterfaceAlias          : WiFi
SourceAddress           : 192.168.1.103
NetRoute (NextHop)      : 192.168.1.1
TcpTestSucceeded        : True
1 Answer

If a local connection to port 443 and port 80 from the local system is possible, but from remote only port 80 can be reached, there are usually two possibilities: a) port 443 is bound to a different IP address (not the case here) or b) port 443 is blocked by some firewall.

Note that there can be several firewalls involved here since there are several hops between the remote system and the local system. While you've disabled the firewall on the local system there is at least another one in your setup: Understanding public network ports and firewall settings in Amazon Lightsail.

While some might consider it a nuisance that there is another firewall which needs to be explicitly opened, this kind of defense in depth might actually protect several setups where users unknowingly opened databases or other services to the outside.
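Added example, not part of the answer above: the answer's two cases (wrong bind address vs. a firewall beyond the host) applied as a small diagnostic over parsed `ss -tln` output. The sample output and the remote-reachability flags are constructed, not captured from the asker's server; the port 9000 row is deliberately bound to loopback so that case (a) is exercised.

```python
"""Classify why a port that answers locally is unreachable from outside,
following the reasoning in the answer: a) bound to a non-public address,
or b) blocked by a firewall outside the host (e.g. the cloud provider's)."""
from dataclasses import dataclass

# Constructed sample of `ss -tln` output (not from the asker's host).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       4096          0.0.0.0:80          0.0.0.0:*
LISTEN  0       4096          0.0.0.0:443         0.0.0.0:*
LISTEN  0       4096        127.0.0.1:9000        0.0.0.0:*
"""


@dataclass
class Listener:
    addr: str
    port: int


def parse_ss(output: str) -> list[Listener]:
    """Extract (address, port) from each LISTEN row of `ss -tln` output."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, _, port = fields[3].rpartition(":")  # handles "[::]:443" too
        listeners.append(Listener(addr.strip("[]"), int(port)))
    return listeners


def diagnose(port: int, listeners: list[Listener], remote_ok: bool) -> str:
    """Return the most likely cause for `port` given local bindings and the
    result of a remote TCP test (e.g. Test-NetConnection's TcpTestSucceeded)."""
    bound = [l for l in listeners if l.port == port]
    if not bound:
        return "not listening"  # the service itself is not up on that port
    if remote_ok:
        return "reachable"
    wildcard = any(l.addr in ("0.0.0.0", "*", "::") for l in bound)
    if not wildcard:
        # case (a): the listener never sees traffic arriving on the public IP
        return "bound to non-public address: " + ", ".join(l.addr for l in bound)
    # case (b): bound on all interfaces, host firewall off, yet unreachable:
    # look at the provider-level firewall (Lightsail networking rules here)
    return "blocked by a firewall outside the host (check cloud/provider firewall)"
```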
