I've been struggling for a few hours now and went through lots of similar questions on SE. However, I couldn't manage to fix my problem.

To answer the obvious questions:

  • there's no firewall on my ec2 (ubuntu) instance running
  • the 443 port is open for in/outbound
  • ssl files created with sudo certbot certonly --standalone
  • non-encrypted requests work fine
  • I've setup my domain’s A-Record to point to the public DNS of my EC2 instance. There are no options for Namespace records though.
  • Yes indeed, I'm an idiot

I haven't touched the nginx.conf-file besides adding:

include /etc/nginx/sites-enabled/*;

My nginx-conf in /etc/nginx/sites-available/myapp.conf (with symbolic link in ...../sites-enabled/myapp.conf):

server {
        listen 80;
        listen 443 ssl default_server;   # "default" is the pre-0.8.21 spelling of default_server

        ssl_certificate /etc/letsencrypt/live/mydomain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mydomain/privkey.pem;

        server_name mydomain;

        location /static/ {
                autoindex on;
                alias /home/ubuntu/MYAPP/static/;
        }

        location /data/ {
                autoindex off;
                alias /home/ubuntu/MYAPP/data/;
        }

        location / {
                include proxy_params;
                proxy_pass http://unix:/home/ubuntu/MYAPP/app.sock;
        }
}

In my app's settings.py I've added:

ALLOWED_HOSTS = [
  'localhost',
  '127.0.0.1',
  'mywebsite.com']

For now, I've commented out the following

#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
#SECURE_SSL_REDIRECT = True
#SESSION_COOKIE_SECURE = True
#CSRF_COOKIE_SECURE = True

Issuing nc -vz localhost 443 gives Connection to localhost 443 port [tcp/https] succeeded!

netstat -ntlp gives

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -   

However, curl -v localhost:443 results in

*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
> GET / HTTP/1.1
> Host: localhost:443
> User-Agent: curl/7.71.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 400 Bad Request
< Server: nginx/1.18.0 (Ubuntu)
< Date: Fri, 08 Jan 2021 15:14:04 GMT
< Content-Type: text/html
< Content-Length: 264
< Connection: close
< 
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
* Closing connection 0

And trying to access my domain via https://... results in a time-out.

EDIT: As Steffen points out, my curl command was wrong. Here's the right one

curl -v https://localhost:443

giving rise to

*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /home/ubuntu/anaconda3/ssl/cacert.pem
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=mydomain.com
*  start date: Jan  8 10:37:06 2021 GMT
*  expire date: Apr  8 10:37:06 2021 GMT
*  subjectAltName does not match localhost
* SSL: no alternative certificate subject name matches target host name 'localhost'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'localhost'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Now, /var/log/nginx/error.log doesn't show any errors.

/var/log/nginx/access.log doesn't show any request when I try to open via https in my browser. With just http, the requests are logged. So it seems like the requests don't even arrive at nginx, right?

I've never used nginx (or anything server/backend-related really) before and I'm absolutely clueless.

EDIT2: Do I need an elastic ip for this to work? Any suggestions?

Comments:

  • It should be curl -v https://localhost:443 (or simply https://localhost w/o port) instead of curl -v localhost:443, i.e. use HTTPS and not HTTP. – Commented Jan 8, 2021 at 15:32
  • You're using a certificate issued to domain mydomain.com, yet you're accessing it with localhost. Try curl -v --insecure https://localhost. – mforsetti, commented Jan 14, 2021 at 11:21
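The checks above (nc, netstat, curl with and without https://) each answer a different question: is anything listening, does TLS get spoken on 443, and does the certificate name the host you typed. The script below is an added example, not code from the question, the comments, or nginx/Django; it runs those checks in order against one host and reports the first layer that fails. It distinguishes a connection that times out (typical of a packet never reaching the instance, e.g. a security group or host firewall that does not allow 443), a port that is open but answers plain HTTP instead of TLS (e.g. `listen 443;` without `ssl`), and a handshake that works but whose certificate does not match the name used, which is exactly the `localhost` vs `mydomain.com` mismatch in the curl output. Host names, the port fixtures and the sample listener are constructed for illustration.

```python
"""
Probe https://host:port one layer at a time and report where it stops.

Added example (not from the question or any answer). Host names are assumed.
"""
import socket
import ssl
import threading
from dataclasses import dataclass


@dataclass
class ProbeResult:
    stage: str            # "dns", "tcp", "tls" or "ok"
    detail: str           # human-readable explanation of the outcome
    sans: tuple = ()      # DNS names from the certificate when the handshake worked


def classify(exc: BaseException) -> tuple:
    """Map a connection/handshake exception to (stage, explanation)."""
    # Most specific first: SSLCertVerificationError is a subclass of SSLError.
    if isinstance(exc, ssl.SSLCertVerificationError):
        msg = getattr(exc, "verify_message", None) or str(exc)
        return ("tls", "certificate rejected: " + msg
                + " (connect using the name on the certificate, or set server_name to it)")
    if isinstance(exc, ssl.SSLError):
        if getattr(exc, "reason", "") == "WRONG_VERSION_NUMBER":
            return ("tls", "server answered without TLS on this port "
                           "(e.g. `listen 443;` without `ssl`)")
        return ("tls", "handshake failed: " + str(exc))
    if isinstance(exc, socket.gaierror):
        return ("dns", "name does not resolve: " + str(exc))
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return ("tcp", "timeout: no answer at all; check the security group, "
                       "host firewall and the DNS record")
    if isinstance(exc, ConnectionRefusedError):
        return ("tcp", "refused: host reachable but nothing listening on that port")
    if isinstance(exc, OSError):
        return ("tcp", "connect failed: " + str(exc))
    raise exc


def probe(host: str, port: int = 443, server_name: str = None,
          timeout: float = 5.0, cafile: str = None) -> ProbeResult:
    """Open TCP, then TLS with SNI and hostname verification, and say where it stops.

    server_name is sent as SNI and is the name the certificate must match; it
    defaults to host. To test a box by IP against the name on its certificate,
    call probe("203.0.113.10", server_name="mydomain.com") (both assumed).
    """
    server_name = server_name or host
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain AND hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
                sans = tuple(v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS")
                return ProbeResult("ok", f"{tls.version()} {tls.cipher()[0]}", sans)
    except OSError as exc:  # ssl.SSLError is itself an OSError subclass
        stage, detail = classify(exc)
        return ProbeResult(stage, detail)


def free_local_port() -> int:
    """Constructed fixture: a loopback port with nothing listening on it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_plain_http_listener() -> int:
    """Constructed fixture: a loopback server that answers every connection with
    plain HTTP, imitating nginx configured with `listen 443;` but no `ssl`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(4096)  # swallow the ClientHello
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n"
                             b"Connection: close\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mydomain.com"   # assumed name
    sni = sys.argv[2] if len(sys.argv) > 2 else None
    result = probe(target, server_name=sni)
    print(result.stage, "-", result.detail, result.sans)
```

Run it as `python3 probe.py mydomain.com` from outside the instance to test the real path, and as `python3 probe.py 127.0.0.1 mydomain.com` on the instance itself to check the certificate without disabling verification. The same idea with curl is `curl -v --resolve mydomain.com:443:127.0.0.1 https://mydomain.com/`, which pins the name to the loopback address and keeps certificate checking on, whereas `--insecure` only hides the mismatch.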
