Hi Paullo, I'm not sure if anyone here is going to have answers for you.
It's very likely an nginx issue.  AFAIK by the time a request makes it to
Mezzanine it's already been decrypted and the SSL handshake has already
occurred.

Did you deploy directly with the included fabfile? If so, did you deploy to
a completely fresh system?

If you aren't too far in I would recommend trying a fresh deploy.

Django 1.8 isn't officially supported yet (that's coming soon) so it is
possible you have uncovered a bug in the fabfile, but I think that's
unlikely because nginx shouldn't care what version of Django you are using.

On Sat, May 9, 2015 at 10:29 AM, Paullo <[email protected]> wrote:

> And my settings.py:
>
> SSL_ENABLED = True
> SSL_FORCE_URL_PREFIXES = ("/admin", "/account")
> SSL_FORCE_HOST = "www.mrphunt.net"
> # SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
>
> I've tried with and without SECURE_PROXY_SSL_HEADER using
> 'HTTP_X_FORWARDED_PROTOCOL' and 'HTTP_X_FORWARDED_PROT' (Seen both in
> different web pages/forums...) head hurts now.
>
>
>
>
> On Saturday, 9 May 2015 15:16:50 UTC+1, Paullo wrote:
>
>> Hi,
>>
>> I'm in the process of testing Mezzanine with Django 1.8/Python 3.4. I've
>> been trying to get SSL working for the admin section. I'm fairly new to
>> nginx/supervisor so I guess it's a config problem, hopefully someone here
>> can tell me how I'm being stoopid :) Apologies if this isn't mezzanine
>> specific.
>>
>> I can't find any errors in logs except for this nginx error which occurs
>> when the browser eventually gives up trying to load the /admin page:-
>>
>> 2015/05/09 14:31:03 [info] 9769#0: *60 peer closed connection in SSL
>> handshake while SSL handshaking to upstream, client: 80.192.66.17, server:
>> www.mrphunt.net, request: "GET /admin/ HTTP/1.1", upstream:
>> "https://unix:/home/paul/webapps/mrphunt/mrphunt/gunicorn.sock:/admin/",
>> host: "www.mrphunt.net"
>>
>>
>> My nginx.conf is pretty much the default fabfile configuration except I'm
>> redirecting to the www version from the non-www version.
>>
>> upstream mrphunt {
>>     server unix:/home/paul/webapps/mrphunt/mrphunt/gunicorn.sock fail_timeout=0;
>> }
>>
>> server {
>>         server_name mrphunt.net;
>>         return 301 $scheme://www.mrphunt.net$request_uri;
>> }
>>
>> server {
>>
>>     listen 80;
>>     listen 443 ssl;
>>     server_name www.mrphunt.net;
>>     client_max_body_size 10M;
>>     keepalive_timeout    15;
>>     error_log /home/paul/logs/mrphunt_error_nginx.log info;
>>     access_log /home/paul/logs/mrphunt_access_nginx.log;
>>
>>     ssl on;
>>     ssl_certificate      conf/mrphunt.crt;
>>     ssl_certificate_key  conf/mrphunt.key;
>>     ssl_session_cache    shared:SSL:10m;
>>     ssl_session_timeout  10m;
>>     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
>>     ssl_prefer_server_ciphers on;
>>
>>     # Deny illegal Host headers
>>     #if ($host !~* ^(mrphunt|mrphunt.net|www.mrphunt.net)$) {
>>     if ($host !~* ^(www.mrphunt.net)$) {
>>         return 444;
>>     }
>>
>>     location / {
>>         proxy_redirect      off;
>>         proxy_set_header    Host                    $host;
>>         proxy_set_header    X-Real-IP               $remote_addr;
>>         proxy_set_header    X-Forwarded-For         $proxy_add_x_forwarded_for;
>>         proxy_set_header    X-Forwarded-Protocol    $scheme;
>>         proxy_pass          http://mrphunt;
>>     }
>>
>>     location /static/ {
>>         root            /home/paul/webapps/mrphunt/mrphunt;
>>         access_log      off;
>>         log_not_found   off;
>>         expires 30d;
>>     }
>>
>>     location /robots.txt {
>>         root            /home/paul/webapps/mrphunt/mrphunt/static;
>>         access_log      off;
>>         log_not_found   off;
>>     }
>>
>>     location /favicon.ico {
>>         root            /home/paul/webapps/mrphunt/mrphunt/static/img;
>>         access_log      off;
>>         log_not_found   off;
>>     }
>> }
>>
>> gunicorn config:
>>
>> from __future__ import unicode_literals
>> import multiprocessing
>>
>> bind = "unix:/home/paul/webapps/mrphunt/mrphunt/gunicorn.sock"
>> workers = 2
>> errorlog = "/home/paul/logs/mrphunt_error.log"
>> loglevel = "error"
>> proc_name = "mrphunt"
>>
>>
>>
>>
>> My /etc/supervisor/conf.d/mrphunt.conf:
>>
>>
>> [program:gunicorn_mrphunt]
>> command=/home/paul/webapps/mrphunt/bin/gunicorn -c gunicorn.conf.py -p gunicorn.pid wsgi:application
>> directory=/home/paul/webapps/mrphunt/mrphunt
>> user=paul
>> autostart=true
>> stdout_logfile = /home/paul/logs/mrphunt_supervisor
>> autorestart=true
>> redirect_stderr=true
>> environment=LANG="en_US.UTF-8",LC_ALL="en_US.UTF-8",LC_LANG="en_US.UTF-8"
>>
>>
>>
>> SSL cert was generated as per fabfile.py:
>>
>> cd /etc/nginx/conf
>> sudo openssl req -new -x509 -nodes -out mrphunt.crt -keyout mrphunt.key -subj '/CN=www.mrphunt.net' -days 3650
>>
>> I'm all out of ideas about the SSL problem :( Everything else I've tried
>> has worked with no problems though yay.
>>
>> Paullo
>>
>>  --
> You received this message because you are subscribed to the Google Groups
> "Mezzanine Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
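
Added example, not part of the thread and not Mezzanine's or the fabfile's own code: a small Python check of whether the header nginx fills from `$scheme`, Django's `SECURE_PROXY_SSL_HEADER`, and the upstream scheme in the error log agree with one another. The inputs are constructed from the configuration and log entry quoted above; `meta_key`, `scheme_header_keys` and `audit` are hypothetical helper names.

```python
import re

# Constructed input: the proxy location from the nginx.conf quoted in the thread.
NGINX_CONF = """
location / {
    proxy_set_header    Host                    $host;
    proxy_set_header    X-Forwarded-For         $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Protocol    $scheme;
    proxy_pass          http://mrphunt;
}
"""
# Constructed input: tail of the nginx error-log entry quoted in the thread.
LOG_LINE = ('SSL handshaking to upstream, request: "GET /admin/ HTTP/1.1", '
            'upstream: "https://unix:/home/paul/webapps/mrphunt/mrphunt/gunicorn.sock:/admin/"')

def meta_key(header):
    """WSGI/Django request.META key for an HTTP request header name."""
    return "HTTP_" + header.upper().replace("-", "_")

def scheme_header_keys(conf):
    """META keys of every header nginx fills from $scheme."""
    names = re.findall(r"proxy_set_header\s+(\S+)\s+\$scheme\s*;", conf)
    return {meta_key(n) for n in names}

def audit(conf, secure_proxy_ssl_header=None, log_line=""):
    """Return (code, detail) findings; an empty list means the pieces agree."""
    findings = []
    keys = scheme_header_keys(conf)
    if secure_proxy_ssl_header is None:
        findings.append(("no-trusted-header", "SECURE_PROXY_SSL_HEADER is unset"))
    else:
        key, value = secure_proxy_ssl_header
        if key not in keys:
            findings.append(("header-mismatch", f"{key} not among {sorted(keys)}"))
        elif value != "https":
            # $scheme expands to "http" or "https", never "on" or "ssl"
            findings.append(("value-mismatch", f"nginx never sends {value!r}"))
    declared = set(re.findall(r"proxy_pass\s+(https?)://", conf))
    logged = re.search(r'upstream: "(https?)://', log_line)
    if logged and logged.group(1) not in declared:
        findings.append(("upstream-scheme", f"log shows {logged.group(1)}://, "
                         f"config declares {sorted(declared)}"))
    return findings

if __name__ == "__main__":
    for setting in (None, ("HTTP_X_FORWARDED_PROT", "https"),
                    ("HTTP_X_FORWARDED_PROTOCOL", "https")):
        print(setting, audit(NGINX_CONF, setting, LOG_LINE))
```

An `upstream-scheme` finding means the log entry was written while nginx was proxying with a different `proxy_pass` scheme than the file being checked, so compare the file against the configuration nginx actually has loaded.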
