And my settings.py:

SSL_ENABLED = True
SSL_FORCE_URL_PREFIXES = ("/admin", "/account")
SSL_FORCE_HOST = "www.mrphunt.net"
# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')

I've tried with and without SECURE_PROXY_SSL_HEADER using 
'HTTP_X_FORWARDED_PROTOCOL' and 'HTTP_X_FORWARDED_PROT' (seen both in 
different web pages/forums...). Head hurts now.




On Saturday, 9 May 2015 15:16:50 UTC+1, Paullo wrote:
>
> Hi,
>
> I'm in the process of testing Mezzanine with Django 1.8/Python 3.4. I've 
> been trying to get SSL working for the admin section. I'm fairly new to 
> nginx/supervisor so I guess it's a config problem, hopefully someone here 
> can tell me how I'm being stoopid :) Apologies if this isn't mezzanine 
> specific. 
>
> I can't find any errors in logs except for this nginx error which occurs 
> when the browser eventually gives up trying to load the /admin page:-
>
> 2015/05/09 14:31:03 [info] 9769#0: *60 peer closed connection in SSL 
> handshake while SSL handshaking to upstream, client: 80.192.66.17, server: 
> www.mrphunt.net, request: "GET /admin/ HTTP/1.1", upstream: 
> "https://unix:/home/paul/webapps/mrphunt/mrphunt/gunicorn.sock:/admin/", 
> host: "www.mrphunt.net"
>
>
> My nginx.conf is pretty much the default fabfile configuration except I'm 
> redirecting to the www version from the non-www version.
>
> upstream mrphunt {
>     server unix:/home/paul/webapps/mrphunt/mrphunt/gunicorn.sock fail_timeout=0;
> }
>
> server {
>         server_name mrphunt.net;
>         return 301 $scheme://www.mrphunt.net$request_uri;
> }
>
> server {
>
>     listen 80;
>     listen 443 ssl;
>     server_name www.mrphunt.net;
>     client_max_body_size 10M;
>     keepalive_timeout    15;
>     error_log /home/paul/logs/mrphunt_error_nginx.log info;
>     access_log /home/paul/logs/mrphunt_access_nginx.log;
>
>     ssl on;
>     ssl_certificate      conf/mrphunt.crt;
>     ssl_certificate_key  conf/mrphunt.key;
>     ssl_session_cache    shared:SSL:10m;
>     ssl_session_timeout  10m;
>     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
>     ssl_prefer_server_ciphers on;
>
>     # Deny illegal Host headers
>     #if ($host !~* ^(mrphunt|mrphunt.net|www.mrphunt.net)$) {
>     if ($host !~* ^(www.mrphunt.net)$) {
>         return 444;
>     }
>
>     location / {
>         proxy_redirect      off;
>         proxy_set_header    Host                    $host;
>         proxy_set_header    X-Real-IP               $remote_addr;
>         proxy_set_header    X-Forwarded-For         $proxy_add_x_forwarded_for;
>         proxy_set_header    X-Forwarded-Protocol    $scheme;
>         proxy_pass          http://mrphunt;
>     }
>
>     location /static/ {
>         root            /home/paul/webapps/mrphunt/mrphunt;
>         access_log      off;
>         log_not_found   off;
>         expires 30d;
>     }
>
>     location /robots.txt {
>         root            /home/paul/webapps/mrphunt/mrphunt/static;
>         access_log      off;
>         log_not_found   off;
>     }
>
>     location /favicon.ico {
>         root            /home/paul/webapps/mrphunt/mrphunt/static/img;
>         access_log      off;
>         log_not_found   off;
>     }
> }
>
> gunicorn config:
>
> from __future__ import unicode_literals
> import multiprocessing
>
> bind = "unix:/home/paul/webapps/mrphunt/mrphunt/gunicorn.sock"
> workers = 2
> errorlog = "/home/paul/logs/mrphunt_error.log"
> loglevel = "error"
> proc_name = "mrphunt"
>
>
>
>
> My /etc/supervisor/conf.d/mrphunt.conf:
>
>
> [program:gunicorn_mrphunt]
> command=/home/paul/webapps/mrphunt/bin/gunicorn -c gunicorn.conf.py -p gunicorn.pid wsgi:application
> directory=/home/paul/webapps/mrphunt/mrphunt
> user=paul
> autostart=true
> stdout_logfile = /home/paul/logs/mrphunt_supervisor
> autorestart=true
> redirect_stderr=true
> environment=LANG="en_US.UTF-8",LC_ALL="en_US.UTF-8",LC_LANG="en_US.UTF-8"
>
>
>
> SSL cert was generated as per fabfile.py:
>
> cd /etc/nginx/conf
> sudo openssl req -new -x509 -nodes -out mrphunt.crt -keyout mrphunt.key -subj '/CN=www.mrphunt.net' -days 3650
>
> I'm all out of ideas about the SSL problem :( Everything else I've tried 
> has worked with no problems though yay.
>
> Paullo
>
>
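
How the header nginx forwards and the SECURE_PROXY_SSL_HEADER tuple have to line up, as an added example that is not part of the original posts or of Mezzanine/Django. `wsgi_key`, `proxied_headers`, `scheme_seen_by_django` and `check` are hypothetical helpers (the third is a simplified model of the lookup, assumed rather than copied from Django), and the nginx lines are the ones quoted above, embedded as constructed sample input.

```python
import re

# Constructed sample: the proxy_set_header lines from the "location /" block quoted above.
NGINX_LOCATION = """
proxy_set_header    Host                    $host;
proxy_set_header    X-Real-IP               $remote_addr;
proxy_set_header    X-Forwarded-For         $proxy_add_x_forwarded_for;
proxy_set_header    X-Forwarded-Protocol    $scheme;
"""

def wsgi_key(header_name):
    """Key under which a WSGI server exposes an HTTP request header (PEP 3333)."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def proxied_headers(nginx_conf, variables):
    """Map each proxy_set_header to {WSGI key: value}, expanding known $variables."""
    environ = {}
    pattern = r"^\s*proxy_set_header\s+(\S+)\s+(\S+)\s*;"
    for name, value in re.findall(pattern, nginx_conf, re.M):
        environ[wsgi_key(name)] = re.sub(
            r"\$(\w+)", lambda m: variables.get(m.group(1), ""), value)
    return environ

def scheme_seen_by_django(environ, secure_proxy_ssl_header, wsgi_scheme="http"):
    """Simplified model (an assumption, not Django's source): the request counts
    as HTTPS only if the exact key is present with the exact configured value."""
    if secure_proxy_ssl_header:
        key, secure_value = secure_proxy_ssl_header
        if environ.get(key) == secure_value:
            return "https"
    return wsgi_scheme  # gunicorn is reached via proxy_pass http://, so plain http

def check(setting, client_scheme):
    """Scheme the app would see for a client that reached nginx over client_scheme."""
    environ = proxied_headers(NGINX_LOCATION, {"scheme": client_scheme})
    return scheme_seen_by_django(environ, setting)

if __name__ == "__main__":
    for setting in [None,
                    ("HTTP_X_FORWARDED_PROTOCOL", "https"),
                    ("HTTP_X_FORWARDED_PROT", "https"),
                    ("HTTP_X_FORWARDED_PROTO", "https")]:
        print(setting, "->", check(setting, "https"))
```

With the quoted nginx block, the only forwarded-scheme key that reaches the application is `HTTP_X_FORWARDED_PROTOCOL`. `proxy_set_header` also replaces any value a client sends under that header name, which is the condition under which the application can trust it.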
