Connection timeout on SSL with shared hosting
Thomas Ward
teward at thomas-ward.net
Thu Aug 13 19:33:42 UTC 2020
You said this is "shared hosting" - when you say "shared hosting" do you
mean this is *not* a dedicated machine but one machine out of many in a
shared environment?
Have you tested briefly by disabling your firewall just to see if that
fixes the issue?
What is the backend? You're passing everything to 8080 which suggests
the backend might be having issues too.
Thomas
On 8/13/20 3:04 PM, nathanpgibson wrote:
> Hi All,
> Newbie question. I posted this on Stack Overflow but haven't gotten any
> replies yet.
> https://stackoverflow.com/questions/63391424/why-do-i-get-connection-timeout-on-ssl-even-though-nginx-is-listening-and-firewa
>
> Most/many visitors to my site https://example.org get a connection timeout.
> Some visitors get through, possibly ones redirected from http://example.org
> or those who've previously visited the site.
>
> I'm trying to determine if this is a firewall issue or an nginx
> configuration issue.
>
> Firewall
>
> I'm using UFW as a firewall, which has the following rules:
>
> To Action From
> -- ------ ----
> SSH ALLOW Anywhere
> Nginx Full ALLOW Anywhere
> 80/tcp ALLOW Anywhere
> 443/tcp ALLOW Anywhere
> SSH (v6) ALLOW Anywhere (v6)
> Nginx Full (v6) ALLOW Anywhere (v6)
> 80/tcp (v6) ALLOW Anywhere (v6)
> 443/tcp (v6) ALLOW Anywhere (v6)
>
> I could give some relevant rules from iptables if anyone needs that, but I'd
> need some direction on what to look for.
>
> For sudo netstat -anop | grep LISTEN | grep ':443' I get
>
> tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
> 120907/nginx: worke off (0.00/0/0)
> tcp6 0 0 :::443 :::* LISTEN
> 120907/nginx: worke off (0.00/0/0)
>
> Not sure what "worke off" means.
>
> nginx
>
> It's a virtual host with the server name myservername.com which serves up
> two websites, example.org and example.com/directory. Example.org points to a
> docker container running eXist-db. Example.com/directory is serving up a
> directory on localhost:8080 proxied from another server where example.com
> lives. Example.com/directory is running smoothly on https when I access it
> in the browser -- I presume this is because it actually talks to the
> example.com host over http.
>
> Example.org and myservername.com both have certs from let's encrypt
> generated by certbot.
>
> When I try nmap from my local machine I get some results I can't explain.
> Notice the discrepancy between ports 80 and ports 443 and between IPv4 and
> IPv6
>
> $ nmap -A -T4 -p443 example.org
> 443/tcp filtered https
>
> $ nmap -A -T4 -p443 my.server.ip.address
> 443/tcp filtered https
>
> $ nmap -A -T4 -p443 -6 my:server:ip::v6:address
> 443/tcp open ssl/http nginx 1.10.3
>
> $ nmap -A -T4 -p80 example.org
> 80/tcp open http nginx 1.10.3
>
> $ nmap -A -T4 -p80 my.server.ip.address
> 80/tcp open http nginx 1.10.3
>
> My nginx.conf is
>
> user www-data;
> worker_processes auto;
> pid /run/nginx.pid;
> include /etc/nginx/modules-enabled/*.conf;
>
> events {
> worker_connections 768;
> # multi_accept on;
> }
>
> http {
>
> ##
> # Basic Settings
> ##
>
> client_max_body_size 50M;
> sendfile on;
> tcp_nopush on;
> tcp_nodelay on;
> keepalive_timeout 65;
> types_hash_max_size 2048;
> # server_tokens off;
>
> server_names_hash_bucket_size 64;
> # server_name_in_redirect off;
>
> include /etc/nginx/mime.types;
> default_type application/octet-stream;
>
> ##
> # SSL Settings
> ##
>
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
> ssl_prefer_server_ciphers on;
>
> ##
> # Logging Settings
> ##
>
> access_log /var/log/nginx/access.log;
> error_log /var/log/nginx/error.log;
>
> ##
> # Gzip Settings
> ##
>
> gzip on;
> gzip_disable "msie6";
>
> # gzip_vary on;
> # gzip_proxied any;
> # gzip_comp_level 6;
> # gzip_buffers 16 8k;
> # gzip_http_version 1.1;
> # gzip_types text/plain text/css application/json
> application/javascript text/xml application/xml application/xml+rss
> text/javascript;
>
> ##
> # Virtual Host Configs
> ##
>
> include /etc/nginx/conf.d/*.conf;
> include /etc/nginx/sites-enabled/*;
> }
>
> and my nginx server blocks:
>
> server {
> listen 80 default_server;
> listen [::]:80 default_server;
>
> server_name _ myservername.com;
> return 301 https://myservername.com$request_uri;
> }
>
> server {
> # SSL configuration
> #
> listen 443 ssl default_server;
> listen [::]:443 ssl default_server;
>
> server_name _ myservername.com;
>
> location / {
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_pass http://localhost:8080;
> }
>
> ssl_certificate
> /etc/letsencrypt/live/myservername.com/fullchain.pem;
> ssl_certificate_key
> /etc/letsencrypt/live/myservername.com/privkey.pem;
> }
>
> server {
> listen 80;
> listen [::]:80;
>
> server_name example.com www.example.com;
>
> gzip off;
>
> location / {
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_pass http://localhost:8080;
> }
> }
>
> server {
> listen 80;
> listen [::]:80;
>
> server_name example.org www.example.org;
> return 301 https://example.org$request_uri;
> }
>
> server {
>
> # SSL configuration
> #
> listen 443 ssl;
> listen [::]:443 ssl;
>
> server_name example.org www.example.org;
>
> gzip off;
>
> location / {
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_pass
> http://docker.container.ip.address:port/exist/apps/example/;
> }
>
> location /workshop2020/ {
> return 302 http://example.org/forum2020/;
> }
>
>
> location /exist/apps/example/ {
> rewrite ^/exist/apps/example/(.*)$ /$1;
> }
>
>
> ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; #
> managed by Certbot
> ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; #
> managed by Certbot
>
> }
>
> Very grateful for any help!!
> Nathan
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,289099,289099#msg-289099
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20200813/7cb5f4c6/attachment-0001.htm>
More information about the nginx
mailing list