
503 on wildcard redirect #240

Open

tersor opened this issue Nov 28, 2018 · 11 comments

Comments

@tersor
Contributor

tersor commented Nov 28, 2018

When creating a site with SSL wildcard, the wildcard http --> https is returning 503.

$ curl -Ik http://bar.example.com 
HTTP/1.1 301 Moved Permanently
Location: https://bar.example.com/

$ curl -Ik https://bar.example.com
HTTP/2 200 

$ curl -Ik https://foo.bar.example.com
HTTP/2 200 

$ curl -Ik http://foo.bar.example.com 
HTTP/1.1 503 Service Temporarily Unavailable

Is this to be expected?

@kirtangajjar
Contributor

@tersor I tried reproducing the issue but I couldn't. It's redirecting fine with me. @mbtamuli Can you try to reproduce it?

@tersor
Contributor Author

tersor commented Nov 28, 2018

Ubuntu 18.04.1 LTS
Easyengine 4.0.1

I created the site with:

ee site bar.example.com --type=html --ssl=le --wildcard

Also, the /opt/easyengine/sites/bar.example.com/logs/nginx/error.log is empty.

@kirtangajjar
Contributor

@tersor you need to add DNS entries and then run ee site ssl bar.example.com after it.

Did you do it?

@tersor
Contributor Author

tersor commented Nov 28, 2018

@kirtangajjar Yes, DNS entries added, and ee site ssl bar.example.com verified TXT records.

Also, the wildcard subdomain responds with 200 OK; it is only the http redirect that returns 503.

@tersor
Contributor Author

tersor commented Nov 28, 2018

I notice that I have this block in /opt/easyengine/services/nginx-proxy/conf.d/default.conf:

server {
	server_name _; # This is just an invalid value which will never trigger on a real hostname.
	listen 80;
	access_log /var/log/nginx/access.log vhost;
	return 503;
}

Probably from nginx proxy:
https://github.com/EasyEngine/dockerfiles/blob/470ca0a61f971c8fea49adceb73a62605eadfbce/nginx-proxy/nginx.tmpl#L180

@kirtangajjar, do you have a similar config in your test?

@mrrobot47
Member

@tersor provide the output of more /opt/easyengine/services/nginx-proxy/conf.d/* | cat so that the redirections created by EasyEngine on your system can be diagnosed.

@tersor
Contributor Author

tersor commented Nov 29, 2018

Ok, this is the only site on a clean server install.

ee site create leif.mediebruket.no --type=html --ssl=le --wildcard

It was deleted and recreated a couple of times (with the same create command). The domain got verified after the last create with ee site ssl leif.mediebruket.no.

more /opt/easyengine/services/nginx-proxy/conf.d/* | cat
::::::::::::::
/opt/easyengine/services/nginx-proxy/conf.d/default.conf
::::::::::::::
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
  default off;
  https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
error_log /dev/stderr;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
	server_name _; # This is just an invalid value which will never trigger on a real hostname.
	listen 80;
	access_log /var/log/nginx/access.log vhost;
	return 503;
}
# leif.mediebruket.no/
upstream leif.mediebruket.no-42099b4af021e53fd8fd4e056c2568d7c2e3ffa8 {
	## Can be connected with "ee-global-frontend-network" network
	# leifmediebruketno_nginx_1_bb87dc37dc4c
	server 172.19.0.3:80;
	# Cannot connect to network of this container
	server 127.0.0.1 down;
}
server {
	server_name leif.mediebruket.no;
	listen 80 ;
	access_log /var/log/nginx/access.log vhost;
	return 301 https://$host$request_uri;
}
server {
	server_name leif.mediebruket.no;
	listen 443 ssl http2 ;
	access_log /var/log/nginx/access.log vhost;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
	ssl_prefer_server_ciphers on;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;
	ssl_certificate /etc/nginx/certs/leif.mediebruket.no.crt;
	ssl_certificate_key /etc/nginx/certs/leif.mediebruket.no.key;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/nginx/certs/leif.mediebruket.no.chain.pem;
	location / {
		proxy_pass http://leif.mediebruket.no-42099b4af021e53fd8fd4e056c2568d7c2e3ffa8/;
	}
	location /ee-admin/ {
		proxy_pass http://leif.mediebruket.no-42099b4af021e53fd8fd4e056c2568d7c2e3ffa8;
		auth_basic      "Restricted leif.mediebruket.no  Admin Tools";
		auth_basic_user_file    /etc/nginx/htpasswd/default_admin_tools;
		include /etc/nginx/vhost.d/default_acl;
	}
}
::::::::::::::
/opt/easyengine/services/nginx-proxy/conf.d/leif.mediebruket.no-redirect.conf
::::::::::::::
server {
	listen  80;
	server_name  www.leif.mediebruket.no;
	return  301 https://leif.mediebruket.no$request_uri;
}
server {
	listen  443;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
	ssl_prefer_server_ciphers on;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;
	ssl_certificate /etc/nginx/certs/leif.mediebruket.no.crt;
	ssl_certificate_key /etc/nginx/certs/leif.mediebruket.no.key;
	server_name  www.leif.mediebruket.no;
	return  301 https://leif.mediebruket.no$request_uri;
}

@mbtamuli
Contributor

mbtamuli commented Dec 6, 2018

@tersor I get this. Proper 301 redirects and 200 OK response


@tersor
Contributor Author

tersor commented Dec 6, 2018

@mbtamuli The issue occurs with anything other than www as prefix. For example:

$ curl -s -IL foo.leif.mediebruket.no | grep -Fi 'http'
HTTP/1.1 503 Service Temporarily Unavailable
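As an added illustration (not part of this issue or of EasyEngine's code), the following Python script models nginx's server-name selection over the server blocks from the conf.d dump above, loaded in the order nginx reads them (default.conf sorts before leif.mediebruket.no-redirect.conf). It reproduces both of tersor's observations: on port 80 a host such as foo.leif.mediebruket.no matches no server_name and falls through to the port's default server, which is the first port-80 block declared, the "server_name _; return 503;" catch-all; on port 443 the first declared block is the site's own TLS server, so the same host is proxied and answers 200. The with_wildcard_name function is an assumption about where a fix would go (adding *.leif.mediebruket.no to the port-80 redirect block), not a change the project has made; regex server names are not modelled.

```python
# Added example, not from the issue or EasyEngine. Matching order follows
# nginx's documented rules: exact name, longest name with a leading "*",
# longest name with a trailing "*", then the port's default server, which is
# the first block declared for that port unless one is marked default_server.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Server:
    port: int
    names: List[str]   # server_name values as written in the config
    action: str        # what the block does, as written in the config


def _wildcard_match(pattern: str, host: str) -> bool:
    """Leading or trailing wildcard match; "_" and plain names never match here."""
    if pattern.startswith("*."):
        # "*.example.com" matches "a.example.com" and "a.b.example.com",
        # but not "example.com" itself.
        return host.endswith(pattern[1:])
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return False


def select_server(servers: List[Server], port: int, host: str) -> Server:
    """Return the server block nginx would use for a request to host:port."""
    candidates = [s for s in servers if s.port == port]
    if not candidates:
        raise ValueError(f"nothing listens on port {port}")
    host = host.lower()
    # 1. exact match
    for s in candidates:
        if host in s.names:
            return s
    # 2. longest leading wildcard, then 3. longest trailing wildcard
    for kind in ("*.", ".*"):
        best: Optional[Tuple[str, Server]] = None
        for s in candidates:
            for name in s.names:
                is_kind = name.startswith("*.") if kind == "*." else name.endswith(".*")
                if is_kind and _wildcard_match(name, host):
                    if best is None or len(name) > len(best[0]):
                        best = (name, s)
        if best:
            return best[1]
    # 4. default server: the first block declared for this port
    return candidates[0]


# The blocks from the conf.d dump in the issue, in nginx's load order.
SITE = "leif.mediebruket.no"
PROXY_CONF = [
    Server(80, ["_"], "return 503"),                              # catch-all
    Server(80, [SITE], "return 301 https://$host$request_uri"),
    Server(443, [SITE], "proxy_pass http://upstream"),           # site container
    Server(80, ["www." + SITE], "return 301 https://" + SITE + "$request_uri"),
    Server(443, ["www." + SITE], "return 301 https://" + SITE + "$request_uri"),
]


def status_for(servers: List[Server], port: int, host: str) -> str:
    """Condense the selected block's action into the status a client would see."""
    action = select_server(servers, port, host).action
    if action.startswith("return "):
        return action.split()[1]        # "503" or "301"
    return "200"                        # proxied to the site container


def with_wildcard_name(servers: List[Server]) -> List[Server]:
    """Assumed fix (not from the issue): also match *.SITE on the port-80 redirect."""
    fixed = []
    for s in servers:
        if s.port == 80 and s.names == [SITE]:
            fixed.append(Server(80, [SITE, "*." + SITE], s.action))
        else:
            fixed.append(s)
    return fixed


if __name__ == "__main__":
    checks = [(80, SITE), (443, SITE), (80, "www." + SITE),
              (80, "foo." + SITE), (443, "foo." + SITE)]
    for port, host in checks:
        print(f"{host}:{port} -> {status_for(PROXY_CONF, port, host)} "
              f"(with wildcard name: {status_for(with_wildcard_name(PROXY_CONF), port, host)})")
```

Running it prints 503 for foo.leif.mediebruket.no on port 80 and 200 on port 443 with the configuration as dumped, and 301 on port 80 once the wildcard name is present, which is the same split tersor saw with curl.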

@baitasite

I have the same problem :/

Error 521 Web server is down (but I use Cloudflare)

Is there a solution?

@tersor
Contributor Author

tersor commented Feb 20, 2019

@baitasite How do you conclude that this is the same problem?
