…and web.socketed.template enters
This one puzzles me… I have a seemingly perfectly fine https discourse, except for the certificate.svg which doesn’t load. (error 500, it’s not a bug, it’s my setup for sure )
- I use the web.socketed.template and handle ssl outside the container (so web.ssl.template is still commented out in the app.yml)
- the rails log says :
Failed to process hijacked response correctly : Failed to open TCP connection to my.domain:443 (Connection refused - connect(2) for "my.domain" port 443)
I entered the container to see what is in /etc/nginx/conf.d/discourse.conf
, as expected i didn’t see any https block (which would have appeared with web.ssl.template enabled I believe).
Is it possible that this part of web.socketed.template:
- replace:
filename: "/etc/nginx/conf.d/discourse.conf"
from: /listen 443 ssl http2;/
to: |
listen unix:/shared/nginx.https.sock ssl http2;
set_real_ip_from unix:;
could not be applied because web.ssl.template is not enabled and then somehow makes hijack fail?
But why only for discobot’s certificate ? Isn’t hijack used a lot, like for oneboxing? Arg… I’m at the fringes of my knowledge, my head hurts
ps. the ssl snippet
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:1m;
ssl_session_tickets off;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security 'max-age=31536000';
and the nginx block
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name my.domain;
ssl on;
ssl_certificate /etc/letsencrypt/live/my.domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.domain/privkey.pem;
include /etc/nginx/snippets/ssl.conf;
client_max_body_size 0;
http2_idle_timeout 5m;
location / {
proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
}