0

I have recently launched a site that uses SSL, specifically Comodo PositiveSSL.

The only issue I am having is that I cannot reach the site using

https://example.com

I have set up redirects in NGINX for http. Here is my config:

upstream myapp {
    server localhost:8000;
}

server {
    listen 80;
    server_name www.example.com example.com;
    root /var/www/;
    if ($host !~* ^(example.com|www.example.com)$ ) {
        return 444;
    }
    return 301 https://$host$request_uri;
}

server {
    listen 443 default ssl;
    root /var/www/;
    server_name www.example.com example.com;
    if ($host !~* ^(example.com|www.example.com)$ ) {
      return 444;
    }

    ssl_certificate      /etc/nginx/ssl/my_crt.crt;
    ssl_certificate_key  /etc/nginx/ssl/my_crt.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    access_log /var/log/nginx/myapp_access.log;
    error_log /var/log/nginx/myapp_error.log;
    gzip on;
    gzip_http_version 1.0;
    gzip_proxied any;
    gzip_types text/css application/x-javascript;
    gzip_vary on;
    client_max_body_size 0;
    try_files $uri @myapp;

    location ~*  \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 365d;
    }

    location @myapp {
        client_max_body_size 0;
        proxy_pass http://domain;
        proxy_redirect off;
        proxy_read_timeout 5m;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

My DNS registrar is namecheap and I also have a url redirect set up in my cpanel:

host: @
value: http://www.example.com

With this I am able to successfully hit my site using:

example.com = 302 Moved Temporarily
www.example.com = 302 Moved Temporarily
http://example.com = 302 Moved Temporarily
http://www.example.com = 302 Moved Temporarily

Here, not so much:

https://example.com = Failed to connect to domain.com port 443: Connection refused

I am currently making sure that my SSL cert allows for both:

https://example.com
https://www.example.com

It seems that their documentation states as much:

Secures: www.site.com and site.com

Any insight as to what I might be doing wrong to help correct this would be greatly appreciated.

Thank you.

Update: netstat -an | grep 443 output:

tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
unix 2 [ ACC ] STREAM LISTENING 6131379 /tmp/ssh-Cpqcfwspdv/agent.25443
drookie
frozenpaw

3 Answers

0

Since you're getting a Connection refused error while having a listening socket on tcp/443, I'd say it's definitely a packet filter on the way. Check your firewall configuration on the host, or, if it's disabled, check any intermediary firewall on the way.

drookie
0

If your anonymization of your NGINX configuration is correct, then your proxy_pass directive is most likely wrong. In its current state, a connection to http://example.com gets redirected to https://example.com where you hit the try_files directive which first tries to serve the file from /var/www/ and if not, passes the request to the named location @myapp.

And this is where it looks weird to me. I imagine this should be hitting the Gunicorn instance (the upstream myapp) but instead, it proxies the request to http://domain while it should most likely be passed to http://myapp.

It doesn't explain why http://domain seems to be converted to https://domain.com but anyway, I suggest you give it a go.

Ginnungagap
0

Thank you @drookie and @Ginnungagap for your guidance. With that I was able to eliminate server connections and NGINX configs as a potential cause. The ultimate solution was made in two parts, part of which I received from my domain registrar namecheap. The solution was:

1) Create A records to point my bare domain (example.com) to my server's IP address.
2) Update my nginx config to account for traffic going to both example.com and www.example.com.

@Ginnungagap, in attempting to pseudonymize my nginx config in my original question, I typed my proxy_pass directive incorrectly. It was being passed to http://myapp.

I found a more optimized and more secure config here: nginx config

I adapted my config around his (adding the extra SSL security directives for good measure) but it essentially ended up looking very similar.

Again, thank you very much for your time and guidance on this matter.

frozenpaw
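A check that separates the two causes raised in this thread (a name that does not resolve to your server versus a refused or filtered port on the server itself), as an added example that is not part of the original posts. The function names and the 192.0.2.10 / 203.0.113.5 addresses are assumptions made up for illustration.

```python
import socket

def resolve_a(host):
    """Return the IPv4 addresses that `host` currently resolves to."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def port_state(ip, port=443, timeout=3.0):
    """Classify a TCP connect: 'open', 'refused' (RST) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes timeouts and unreachable-network errors
        return "filtered"

def diagnose(names, server_ip, resolve=resolve_a, probe=port_state):
    """Map each name to 'ok', 'no-a-record', 'dns-mismatch', 'refused' or 'filtered'."""
    report = {}
    for name in names:
        try:
            ips = resolve(name)
        except socket.gaierror:
            report[name] = "no-a-record"
            continue
        if server_ip not in ips:
            # The name is answered by some other host, so the nginx and firewall
            # settings on server_ip are never reached for this name.
            report[name] = "dns-mismatch"
            continue
        state = probe(server_ip)
        report[name] = "ok" if state == "open" else state
    return report

if __name__ == "__main__":
    # Constructed sample data (RFC 5737 documentation addresses), no network used.
    SAMPLE_DNS = {"example.com": ["192.0.2.10"], "www.example.com": ["203.0.113.5"]}
    result = diagnose(SAMPLE_DNS, "203.0.113.5",
                      resolve=SAMPLE_DNS.__getitem__, probe=lambda ip: "open")
    for name, verdict in result.items():
        print(f"{name}: {verdict}")
```

Against live DNS, call `diagnose(["example.com", "www.example.com"], "<your server IP>")` with the default resolver and probe; a `dns-mismatch` on the bare domain points at the A record rather than at nginx or the firewall.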