Hi there!
I’ve successfully installed ERPNext using bench on Ubuntu - all fine so far, HTTP (port 80) is running smoothly.
Now I’d like to secure the instance with HTTPS.
→ created certificates, set common name to correct domain, signed, etc … all good.
→ created SSL config file for nginx, reloaded, no complaints.
=> Problem: when attempting to access the site via HTTPS, I get “ERR_CONNECTION_REFUSED” in Chrome, and the error.log and access.log in /var/log/nginx/ remain unchanged as if no attempt to connect was made.
Here are my configs:
/etc/nginx/conf.d/frappe.conf:
server_names_hash_bucket_size 64;

upstream frappe {
    server 127.0.0.1:8000 fail_timeout=0;
}

upstream socketio-server {
    server 127.0.0.1:3000 fail_timeout=0;
}

server {
    listen 80 default ;
    client_max_body_size 4G;
    # server_name frappe_default_site;
    server_name my-custom-domain.com;
    keepalive_timeout 5;
    sendfile on;
    root /home/ubuntu/frappe-bench/sites;

    location /assets {
        try_files $uri =404;
    }

    location ~ ^/protected/(.*) {
        internal;
        try_files /site1.local/$1 =404;
    }

    location /socket.io {
        proxy_pass http://socketio-server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Frappe-Site-Name site1.local;
        proxy_set_header Origin $scheme://$http_host;
        proxy_set_header Host $host;
    }

    location / {
        try_files /site1.local/public/$uri @magic;
    }

    location @magic {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frappe-Site-Name site1.local;
        proxy_set_header Host $host;
        proxy_set_header X-Use-X-Accel-Redirect True;
        proxy_read_timeout 120;
        proxy_redirect off;
        proxy_pass http://frappe;
    }
}
/etc/nginx/conf.d/frappe-ssl.conf:
server {
    listen 433 ssl;
    client_max_body_size 4G;
    # server_name frappe_default_site;
    server_name my-custom-domain.com;

    ssl on;
    ssl_certificate /etc/nginx/ssl/ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;

    keepalive_timeout 5;
    sendfile on;
    root /home/ubuntu/frappe-bench/sites;

    location /assets {
        try_files $uri =404;
    }

    location ~ ^/protected/(.*) {
        internal;
        try_files /site1.local/$1 =404;
    }

    location /socket.io {
        proxy_pass http://socketio-server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Frappe-Site-Name site1.local;
        proxy_set_header Origin $scheme://$http_host;
        proxy_set_header Host $host;
    }

    location / {
        try_files /site1.local/public/$uri @magic;
    }

    location @magic {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frappe-Site-Name site1.local;
        proxy_set_header Host $host;
        proxy_set_header X-Use-X-Accel-Redirect True;
        proxy_read_timeout 120;
        proxy_redirect off;
        proxy_pass http://frappe;
    }
}
When I change frappe-ssl.conf to
location /socket.io {
proxy_pass https://socketio-server;
....
}
....
location @magic {
....
proxy_pass https://frappe;
}
I receive
nginx: [emerg] host not found in upstream “socketio-server” in /etc/nginx/conf.d/frappe-ssl.conf:32
When I add the upstream statements from frappe.conf to frappe-ssl.conf as well, I get
nginx: [emerg] duplicate upstream “frappe” in /etc/nginx/conf.d/frappe.conf:4
so that also doesn’t seem to get me anywhere.
All is running in an AWS EC2 instance and the security group is configured to let ports 22, 80 and 443 through from anywhere. Since it runs smoothly without SSL, I guess ports 8000 and 3000 are not meant to be accessible from outside anyway.
Seems like I can’t see the wood for the trees.
Any advice is greatly appreciated!
Cheers
Fabian