Discobot's certificate and hijack.rb are in a bar

…and web.socketed.template enters :grin:

This one puzzles me… I have a seemingly perfectly fine https discourse, except for the certificate.svg which doesn’t load. (error 500, it’s not a bug, it’s my setup for sure :sob: )

  • I use the web.socketed.template and handle ssl outside the container (so web.ssl.template is still commented out in the app.yml)
  • the rails log says : Failed to process hijacked response correctly : Failed to open TCP connection to my.domain:443 (Connection refused - connect(2) for "my.domain" port 443)

I entered the container to see what is in /etc/nginx/conf.d/discourse.conf, as expected i didn’t see any https block (which would have appeared with web.ssl.template enabled I believe).

Is it possible that this part of web.socketed.template:

 - replace:
  filename: "/etc/nginx/conf.d/discourse.conf"
  from: /listen 443 ssl http2;/
  to: |
    listen unix:/shared/nginx.https.sock ssl http2;
    set_real_ip_from unix:;

could not be applied because web.ssl.template is not enabled and then somehow makes hijack fail?

But why only for discobot’s certificate ? Isn’t hijack used a lot, like for oneboxing? Arg… I’m at the fringes of my knowledge, my head hurts :sweat_smile:

ps. the ssl snippet

ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:1m;
ssl_session_tickets off;

ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security 'max-age=31536000';

and the nginx block

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name my.domain;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/my.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my.domain/privkey.pem;
    include /etc/nginx/snippets/ssl.conf;

    client_max_body_size 0;

    http2_idle_timeout 5m; 

    location / {
        proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}