I’ve set up nginx on a Digital Ocean droplet with an attached domain, which is also running a VPN server. Its VPN IP is 10.19.49.1.
I was able to successfully point my browser to my domain xyz.com (droplet) and nginx redirected it to a VPN client 10.19.49.2 running HA. It all worked and I could use the Lovelace UI.
Excellent.
But
Then I installed fail2ban and tried various mods to /etc/nginx/sites-enabled/default. Now all I get is the standard nginx greeting page, like when you first install nginx. I’ve done something to break it. I’ve tried uninstalling fail2ban and nginx, then reinstalling just nginx. No effect, still the same. It used to work; that’s the PITA.
This is my setup, but it’s not working. I guess I need to debug it somehow, but I don’t know how. Strangely, whatever I put in the location in the nginx default file doesn’t do anything.
configuration.yaml
http:
  base_url: https://xyz.com
  use_x_forwarded_for: true
  trusted_proxies: 10.19.49.1  #-- my DO droplet's VPN IP
/etc/nginx/sites-enabled/default
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    server_name xyz.com;
    listen [::]:80 default_server ipv6only=off;
    return 301 https://$host$request_uri;
}

server {
    server_name xyz.com;
    ssl_certificate /etc/letsencrypt/live/xyz.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xyz.com/privkey.pem;
    listen [::]:443 ssl default_server ipv6only=off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl on;  # deprecated since nginx 1.15; the "ssl" parameter on the listen line above already enables TLS
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # TLSv1 and TLSv1.1 are legacy; TLSv1.2 alone is enough for current HA clients
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    proxy_buffering off;

    location / {
        proxy_pass http://10.19.49.2:8123;  #-- My VPN client running HA
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        # HA sees the droplet's VPN IP (10.19.49.1) as the peer, which is why it is in trusted_proxies
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # websocket upgrade for the Lovelace UI
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
How do I debug what’s going on?
jocnnor (Jim O'Connor), March 29, 2020, 7:00am
You didn’t post your /etc/nginx.conf
If nothing you do in location seems to change anything, you probably are missing the include in the .conf.
The following include should be in your http section in the conf…
include /etc/nginx/sites-enabled/*;
Otherwise, I can’t see any other obvious errors.
I haven’t changed that or any other nginx file.
# cat /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

#mail {
#   # See sample authentication script at:
#   # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#   # auth_http localhost/auth.php;
#   # pop3_capabilities "TOP" "USER";
#   # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#   server {
#       listen localhost:110;
#       protocol pop3;
#       proxy on;
#   }
#
#   server {
#       listen localhost:143;
#       protocol imap;
#       proxy on;
#   }
#}
How do I diagnose this? Where do I start, please?
jocnnor (Jim O'Connor), March 29, 2020, 4:07pm
Not sure where to start.
Check the logs (/var/log/nginx/error.log*).
Check systemctl, I guess? sudo systemctl status nginx
… but it’s probably running since you can get to the welcome page.
Check permissions of the files in nginx. They should still be owned by root. My /etc/nginx/sites-enabled/default is -rw-r--r--.
Can you put literal syntax errors into the /sites-enabled/default file and still run?
Are you restarting nginx when you make changes? sudo systemctl restart nginx
Sorted.
Algo or fail2ban had set the iptables INPUT policy to DROP and OUTPUT to ACCEPT.
I needed to explicitly allow http/https:
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
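As an added example (not from the thread or from either poster), here is a small POSIX shell script that walks the checklist from the reply above (nginx -t, service status, listeners, file permissions, error log) and then tests the one thing the fix turned out to hinge on: an INPUT chain whose default policy is DROP without explicit ACCEPT rules for ports 80 and 443. The firewall check parses `iptables -S INPUT` text, so it is exercised against constructed rule dumps modelled on the thread (policy DROP, only SSH and the VPN port open, then the two ACCEPT rules from the solution post). The domain xyz.com, the log path and the rule text come from the thread; the VPN port 51820 and the script name are assumptions.

```shell
#!/bin/sh
# Added diagnostic script (example code, not from the thread).
# fw_check parses `iptables -S INPUT` output. If the chain policy is DROP, ports 80
# and 443 need an explicit ACCEPT, otherwise remote browsers never reach nginx even
# though `systemctl status nginx` says it is running.
# Limitation (by design): it only looks for an ACCEPT rule per port and does not
# model first-match ordering, so an earlier DROP for the same port is not detected.
fw_check() {
    rules="$1"
    policy=$(printf '%s\n' "$rules" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }')
    if [ -z "$policy" ] || [ "$policy" = "ACCEPT" ]; then
        echo "open"          # default policy accepts; nothing to add for 80/443
        return 0
    fi
    missing=""
    for port in 80 443; do
        # "( |$)" stops --dport 80 from matching --dport 8080
        if ! printf '%s\n' "$rules" | grep -Eq -- "^-A INPUT .*--dport ${port}( |$).*-j ACCEPT"; then
            missing="$missing $port"
        fi
    done
    if [ -z "$missing" ]; then
        echo "ok"            # policy DROP, but both web ports are explicitly accepted
    else
        echo "blocked:${missing# }"
    fi
}

# Constructed `iptables -S INPUT` dumps (not captured from a real host).
# Broken state: policy DROP, only SSH and an assumed VPN port (51820) open.
SAMPLE_BROKEN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT'

# Fixed state: the two INPUT rules from the solution post, as iptables -S prints them.
SAMPLE_FIXED="$SAMPLE_BROKEN
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"

# Stock state before any firewall tool touched the box.
SAMPLE_OPEN='-P INPUT ACCEPT'

# Live checklist from the thread, run on the droplet as root: sh diag.sh --live
diagnose_live() {
    echo "== config syntax";  nginx -t
    echo "== service";        systemctl status nginx --no-pager | head -n 5
    echo "== listeners";      ss -ltnp | grep -E ':(80|443) '
    echo "== site file";      ls -l /etc/nginx/sites-enabled/
    echo "== last errors";    tail -n 20 /var/log/nginx/error.log
    echo "== firewall";       fw_check "$(iptables -S INPUT)"
    # A 301 here while remote browsers time out points at the firewall, not nginx
    # (loopback is normally accepted by an "-i lo" rule even when the policy is DROP).
    echo "== local http";     curl -sS -o /dev/null -w '%{http_code}\n' -H 'Host: xyz.com' http://127.0.0.1/
}

if [ "${1:-}" = "--live" ]; then
    diagnose_live
fi
```

Run without arguments the script only defines the functions and samples; `fw_check "$SAMPLE_BROKEN"` prints `blocked:80 443`, the fixed dump prints `ok`. The `--live` pass is what you would run on the droplet before and after adding the rules from the solution post.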
jocnnor (Jim O'Connor), March 29, 2020, 8:10pm
Odd that you could still get to the NGINX welcome page with http blocking.
Good find, thanks for updating. You should mark yours as the solution so people searching “nginx fail2ban” might be able to solve it too.
No, I only got the nginx welcome page before I installed Algo and fail2ban. When I did that, it all stopped working but I didn’t know why. Now I do.