2

This is my yo_nginx.conf file:

upstream django {
    server unix:///home/ubuntu/test/yo/yo.sock; # for a file socket, check if the path is correct
}


# Redirect all non-encrypted to encrypted
server {
    server_name 52.89.220.11;
    listen 80;
    return 301 https://52.89.220.11$request_uri;
}


# configuration of the server
server {
    # the port your site will be served on
    listen      443 default ssl;
    # the domain name it will serve for
    server_name 52.89.220.11; # substitute your machine's IP address or FQDN
    charset     utf-8;

    ssl on;
    ssl_certificate /etc/ssl/certs/api.ajayvision.com.chain.crt;
    ssl_certificate_key /etc/ssl/private/api.ajayvision.com.key;

    # max upload size
    client_max_body_size 75M;   # adjust to taste


    # Finally, send all non-media requests to the Django server.
    location / {
        proxy_set_header X-Forwarded-Proto https;
        include /home/ubuntu/test/yo/uwsgi_params;
        uwsgi_param UWSGI_SCHEME https;
        uwsgi_pass_header X_FORWARDED_PROTO;
        uwsgi_pass django;

    }
}

All I want to do is implement SSL on my Django app, but when I open the domain, it opens up on the normal HTTP port. Also, when I open the domain using https, it says check your connection. Am I missing something in my conf file? Also, I don't have a proxy set up.

3 Answers

2

Below is most of the config we use. It ensures the appropriate headers are set. One word of caution: our ssl_ciphers list is probably not ideal, as we need to support some clients on older devices.

server {
    listen       443;
    server_name  uidev01;

    ssl                  on;
    ssl_certificate      /etc/nginx/ssl/server.crt;
    ssl_certificate_key  /etc/nginx/ssl/server.key;



    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;
    ssl_stapling on;
    ssl_stapling_verify on;


    error_page 501 /static/ErrorPages/501.html;
    error_page 502 /static/ErrorPages/502.html;
    error_page 503 /static/ErrorPages/503.html;
    error_page 504 /static/ErrorPages/504.html;

    server_tokens off;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    add_header Strict-Transport-Security "max-age=172800; includeSubdomains;";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header Cache-Control "no-cache, no-store";
    add_header Pragma no-cache;
    expires 0s;

    location / {
        proxy_pass              http://localhost:8000;
        proxy_pass_header       Server;
        proxy_set_header        X-Real-IP  $remote_addr;
        add_header              X-Frame-Options sameorigin;
        add_header              X-Content-Type-Options nosniff;
        add_header              Cache-Control "no-cache, no-store";
        add_header              Pragma no-cache;
        add_header              Strict-Transport-Security "max-age=172800; includeSubdomains;";
        expires                 0s;
        proxy_read_timeout      1800;
        proxy_connect_timeout   1800;
        client_max_body_size    200M;
    }
}

As to redirecting from HTTP to HTTPS, we use this...

server {
    listen         80;
    return 301 https://$host$request_uri;
    server_tokens off;
}

9 Comments

I am not using a proxy.
Nor do I say you should do so... We host the django website via uwsgi on port 8000. We then proxy from the nginx (SSL) endpoint to the django website.
I anyway used your code on my website to try but it still behaves exactly the same way.
@user2507 Then you have a problem that isn't related to the contents of your config files. The config above should behave differently, even if it isn't exactly what you want (e.g. giving a 503 Service Unavailable if the django site is unavailable). The fact that you got identical results means your changes aren't being picked up. Are you sure you're editing the correct file(s) in the appropriate location and that nginx is loading them? If so, what errors are you seeing in the log files?
Thank you for your efforts though :)
2

All I had to do was add default_server and also change the permission of my socket in the uwsgi/sites/sample.ini file from 664 to 666.

server {
   listen 443 default_server ssl;
...
}

0

For redirection from HTTP to HTTPS use:

server {
    listen      80;
    server_name yourdomain.com;
    return 301 https://$server_name$request_uri;
}

But if your website is not working with HTTPS, it means you have an invalid certificate. The reasons should be a not-signed certificate, or your browser should require a chained certificate, etc.

5 Comments

I am going through another problem: I am changing the conf file but the changes are not taking effect! E.g. I commented out a major portion of the conf file but my website is still running on the http port. And yes, I restarted the server after doing that.
It's impossible, because your port 80 doesn't pass proxy to uwsgi, only 443 does. Maybe another conf file is working?
I am editing in the sites-enabled directory. Let me be sure that some other conf file is not responsible for this.
If you're using newer versions of nginx, conf files should be in the conf.d directory.
That directory is empty.
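
An added example, not part of any post above: the comments suspect that a different conf file is answering on port 80, and `nginx -T` prints every file nginx actually loaded. The script below lists each `listen` directive by file and names the file that owns the default server for a port; the sample dump, its paths and the helper names `listen_map` and `default_for` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Live use: sudo nginx -T 2>/dev/null | listen_map | default_for 80

# Print "<file>: <listen arguments>" for every listen directive in an `nginx -T` dump.
listen_map() {
    awk '
        # nginx -T introduces each loaded file with this header line
        /^# configuration file / { file = $4; sub(/:$/, "", file); next }
        { sub(/#.*/, "") }                       # strip comments
        $1 == "listen" {
            args = $0
            sub(/^[ \t]*listen[ \t]+/, "", args)
            sub(/[ \t]*;.*$/, "", args)
            print file ": " args
        }'
}

# Name the file whose server block is the default for port $1 (stdin: listen_map output).
# An explicit default_server (old spelling: default) wins; otherwise nginx uses the
# first server block declared for that port. Simplification: matches on port only,
# while nginx tracks defaults per address:port pair.
default_for() {
    awk -v port="$1" '
        $2 == port || $2 ~ (":" port "$") {
            f = $1; sub(/:$/, "", f)
            if (first == "") first = f
            if ($0 ~ / default(_server)?( |$)/) { print f; found = 1; exit }
        }
        END { if (!found && first != "") print first }'
}

# Constructed sample of `nginx -T` output (paths and contents are illustrative).
sample_dump() {
    cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
http { include /etc/nginx/sites-enabled/*; }
# configuration file /etc/nginx/sites-enabled/default:
server {
    listen 80 default_server;
}
# configuration file /etc/nginx/sites-enabled/yo_nginx.conf:
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
}
EOF
}

sample_dump | listen_map
```

A file you are editing that never appears in the `nginx -T` output is not being loaded at all, which would explain edits that have no effect.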
