502 Bad gateway error after switching to SSL


(Matt) #1

Hi, I’m getting started with running Discourse on a Digital Ocean Ubuntu 14.04 LEMP droplet, alongside WordPress. Everything was running fine, using the SSO WordPress plugin for Discourse. Discourse is in a subdomain.

I subsequently installed a wildcard SSL. WordPress is running fine, but when I try to connect to Discourse I get a 502 Bad gateway error. I have tried editing the /etc/nginx/sites-enabled/default file and /etc/nginx/conf.d/discourse.conf with no success. This isn’t really my area and I can see I’m going to make things worse if I keep tinkering…

This is the content of /etc/nginx/conf.d/discourse.conf

server {
        listen 80; listen [::]:80;
        server_name forum.mydomain.com;  # <-- change this
        return 301 https://$host$request_uri;
}
server {
    listen 443 ssl spdy;
    listen [::]:443 ssl spdy;
    server_name forum.mydomain.com;  # <-- change this

    ssl on;
    ssl_certificate     /usr/local/etc/ssl/pusslcert.crt;
    ssl_certificate_key /usr/local/etc/ssl/pusslcertprivate.key;
    ssl_dhparam        /usr/local/etc/ssl/dhparam.pem;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM$

    # enable SPDY header compression
    spdy_headers_comp 6;
    spdy_keepalive_timeout 300; # up from 180 secs default

    location / {
        proxy_pass https://unix:/var/discourse/shared/standalone/nginx.https.sock:;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

This is the content of cd /etc/nginx/sites-enabled/default

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.php index.html index.htm;
    # Make site accessible from http://localhost/
    server_name mydomain.com;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

# HTTPS server
#
server {
    listen 443 default ssl;
    listen [::]:443 ssl;
    server_name mydomain.com;
    ssl_certificate /usr/local/etc/ssl/pusslcert.crt;
    ssl_certificate_key /usr/local/etc/ssl/pusslcertprivate.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES25$
    ssl_prefer_server_ciphers on;
    root /usr/share/nginx/html;
    index index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

These are from the /var/log/nginx/error.log

2016/04/29 21:54:21 [crit] 3680#0: *1299 connect() to unix:/var/discourse/shared/standalone/nginx.https.sock failed (2: No such file or directory) while connecting to upstream, client: 58.175.118.49, server: forum.mydomain.com, request: "GET / HTTP/1.1", upstream: "https://unix:/var/discourse/shared/standalone/nginx.https.sock:/", host: "forum.mydomain.com"
2016/04/29 21:54:22 [crit] 3680#0: *1299 connect() to unix:/var/discourse/shared/standalone/nginx.https.sock failed (2: No such file or directory) while connecting to upstream, client: 58.175.118.49, server: forum.mydomain.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://unix:/var/discourse/shared/standalone/nginx.https.sock:/favicon.ico", host: "forum.mydomain.com", referrer: "https://forum.mydomain.com/"

I’m afraid I’m not sure what this is telling me or what needs to be done to fix it. Obviously mydomain.com has been changed and is correct in the actual files.

In /var/discourse/containers/app.yml the following ports are exposed:

 - "2222:22" # If you don't need to use ./launcher ssh app, you can remove this too

Can anyone advise me on what I need to edit? If it’s a bigger job I’m happy to pay someone with the expertise to fix this. Perhaps PM me if that’s the case.


(Matt) #2

After more researching it looks like there is a problem with nginx.https.sock because even if it is present (after rebuilding the app) the error of file not found still shows up.

I have tried deleting the file as per the instructions here:

However it makes no difference to the log error or the 502 error. If anyone is able to advise I’d be very grateful.


(Glynhudson) #3

I’m having the same issue, https.sock does not exist. I have ensured that SSL and socket template are present in app.yaml. Have you made any progress debugging?


(Glynhudson) #4

Solved it!

I think swapping the order of the templates so web.ssl template is listed before the web.socketed template and re-build:

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
  - "templates/web.ssl.template.yml"
  - "templates/web.socketed.template.yml"

/var/discourse/shared/standalone/nginx.https.sock now exists and Nginx proxy can connect to it :slight_smile:


(Matt) #5

Well done. Unfortunately because I am running it alongside WordPress I’m not including “templates/web.ssl.template.yml”, and looking at that file it is just inserting what I have in my config files already.

I have found this post which is talking about inserting

upstream discourse {
    server 127.0.0.1:80 fail_timeout=0;
}

into a file. But he isn’t clear which file it needs to go into and how that relates to the {listen 443;} block. He talks about putting it into /etc/nginx/conf.d/default.conf but if I create that file and add a listen 443; block it then has a duplicate error when testing nginx.

So, I have added the upstream to nano /etc/nginx/conf.d/discourse.conf and changed the location / in listen 443 to:

location / {
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header Host $http_host;
  proxy_redirect off;
  proxy_pass http://discourse;
}

however now the browser gives an error about it having redirected too many times. Nothing is showing in /var/log/nginx/error.log though. I am guessing this means it isn’t redirecting properly. I’m a little confused about how the upstream relates to port 80 as this is being used by the outer nginx for WordPress.

Anyway, if I can’t find a problem for this soon I am going to have to abandon Discourse and go for another forum platform. I can’t afford to waste any more time on what should be such a simple thing to fix.


(Glynhudson) #6

I am also running other websites on my server. As described in this post I am running Discourse in a Docker container with Nginx running on my server. Nginx proxies all traffic to the Discourse docker via a web socket. I have then set up other virtual hosts in Nginx for my other sites, which then in turn proxy to Apache:


(Matt) #7

That post you referenced says to comment out “templates/web.ssl.template.yml” so it shouldn’t work according to the docs on this site. I tried what you’re suggesting and I’m back to errors saying nginx.https.sock doesn’t exist. What is in this mythical file? Is it possible to create it manually seeing the install doesn’t seem to be doing it?


(Kane York) #8

Change your proxy pass line to nginx.http.sock.
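
The check behind this thread's 502, as an added example that is not part of any post above: it pulls every unix-socket `proxy_pass` target out of an nginx config, reports the ones that do not exist on disk (the `2: No such file or directory` case from the error log) and lists the sockets that are present beside them. The function names are hypothetical, and reading the protocol from the socket file name (`nginx.http.sock` plain HTTP, `nginx.https.sock` TLS) is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit unix-socket upstreams in an nginx
# config such as the discourse.conf in post #1. Reads the config on stdin.

# Print "scheme path" for each proxy_pass aimed at a unix socket.
list_socket_upstreams() {
    sed -n -E 's#^[[:space:]]*proxy_pass[[:space:]]+(https?)://unix:([^:;]+).*#\1 \2#p'
}

# Assumption: the file name tells the protocol (http.sock plain, https.sock TLS).
scheme_matches_name() {
    case "$2" in
        *.https.sock) [ "$1" = https ] ;;
        *.http.sock)  [ "$1" = http ] ;;
        *)            true ;;
    esac
}

# Report each socket upstream; return 1 if any is missing or mismatched.
check_upstreams() {
    status=0
    upstreams=$(list_socket_upstreams)
    [ -n "$upstreams" ] || return 0
    while read -r scheme path; do
        if [ ! -S "$path" ]; then
            status=1
            echo "MISSING  $path"
            for f in "$(dirname "$path")"/*.sock; do
                if [ -S "$f" ]; then echo "  present instead: $f"; fi
            done
        elif ! scheme_matches_name "$scheme" "$path"; then
            status=1
            echo "MISMATCH proxy_pass uses $scheme:// for $path"
        else
            echo "OK       $scheme://unix:$path:"
        fi
    done <<EOF
$upstreams
EOF
    return "$status"
}

# Constructed sample: the proxy_pass line from post #1.
sample_conf() {
    echo '    proxy_pass https://unix:/var/discourse/shared/standalone/nginx.https.sock:;'
}

# Usage: sh check_sock.sh /etc/nginx/conf.d/discourse.conf
if [ "$#" -gt 0 ]; then check_upstreams < "$1"; else sample_conf | check_upstreams || true; fi
```

Run it as a user that can read the shared directory, otherwise an existing socket is reported as missing.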