From nobody Tue Sep 13 00:29:43 2022 X-Original-To: freebsd-questions@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MRPVs1HfGz4bnQK for ; Tue, 13 Sep 2022 00:29:57 +0000 (UTC) (envelope-from gobble.wa@gmail.com) Received: from mail-pl1-x636.google.com (mail-pl1-x636.google.com [IPv6:2607:f8b0:4864:20::636]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MRPVr31lYz423t for ; Tue, 13 Sep 2022 00:29:56 +0000 (UTC) (envelope-from gobble.wa@gmail.com) Received: by mail-pl1-x636.google.com with SMTP id d12so10156245plr.6 for ; Mon, 12 Sep 2022 17:29:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date; bh=+0V0MTLPZxbpMOGeKpY8LF4d150QzPxVfW49QaXlmzI=; b=JIlL+3kLT5Nw+uiTSC5PyEpT8ZFVLD/eFI3lqFNyH7CzKj5B1loUV0T6PawOrN8iwJ 6D9zrRqkY2BggwQezKPdu3ewVPqiX05pJIKmnWJFt+uAbM4fbUnBV7ZQM4S6OSdztCoE /h+zioUVdRtz9q7mxJFLZMmQDJSizPANXg6kCXI9I+3hh8ucJPkKpFRr9GqICMhIkyUr sCbIzgyyzi0XusAQDsroE7zj1/4NhW/FrTvxbagpFBHIV5SX+/SKDvz6tjvHG+IYSASd dLpUYVG6oYYsM2Fb7xJ7aaTm7oLEs5DXGQZ5WIOSVA0us/zOjqaUjHBV4I2PYPH5RVWE mgcA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date; bh=+0V0MTLPZxbpMOGeKpY8LF4d150QzPxVfW49QaXlmzI=; b=ScabFbxuBmiR6tE8X1tbZkssKfvQDppnHlxqe5oXgOhDJpTxUI9yv8BfWeMc8e5rAg bMh8h531OrNbQS9ybmIn+yuxYoMViP3l8sSY9p2qPYPNZEtJf/hbsmbyVGMXYNJ0Y2jH N5PmOBpb1+V31byumGxrC8JbhxT6Q0sbIwu2pVl/vwVLqs7rdUj66S5fE7fn4gcHYAfs 6S1aETDU+BL7nu2joMNJqWLpzMXwZ4Lzr3wPMHdgSExGt/1mbAzYWb0Rv+IKTrI/Gj3p nrtjDC4fRPyp1uZGWq7eDosytu5RkFfPn2VhaGFEagZOlj+7XP+2ZMxtmRY+iK3GFNN+ QS7Q== X-Gm-Message-State: ACgBeo2C42WF4r6R8gORpRxWRNPlWAbQOg90SMxEHtLVWOrfkzb1Z1KK bbVhfZov+/9pjtbevr50+1rvUNqil5ifVS1ncHLZG5EVFwWSGw== X-Google-Smtp-Source: AA6agR6+Hszj/plX2gqMkkGyEIERfEShNmbdzWfKjnrt8Rj8F+PAqiO01iyWE1L4FEPbyi7bl9/dd7NTyzHvXZOC3qc= X-Received: by 2002:a17:90b:4d8e:b0:200:73b4:4da2 with SMTP id oj14-20020a17090b4d8e00b0020073b44da2mr1070374pjb.197.1663028994741; Mon, 12 Sep 2022 17:29:54 -0700 (PDT) List-Id: User questions List-Archive: https://lists.freebsd.org/archives/freebsd-questions List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-questions@freebsd.org X-BeenThere: freebsd-questions@freebsd.org MIME-Version: 1.0 References: <1832f40c8af.10b332ee2406187.6375306777861801560@eye-of-odin.com> <1832f85d371.10bae82d3411853.462587170353998748@eye-of-odin.com> <1832fe45fb5.df336718422020.6612482456577931531@eye-of-odin.com> In-Reply-To: From: Waitman Gobble Date: Tue, 13 Sep 2022 00:29:43 +0000 Message-ID: Subject: Re: any nginx/letsencrypt experts out there? To: freebsd-questions Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 4MRPVr31lYz423t X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=JIlL+3kL; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of gobble.wa@gmail.com designates 2607:f8b0:4864:20::636 as permitted sender) smtp.mailfrom=gobble.wa@gmail.com X-Spamd-Result: default: False [-2.86 / 15.00]; SUBJECT_ENDS_QUESTION(1.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-1.000]; NEURAL_HAM_LONG(-0.86)[-0.856]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; MIME_GOOD(-0.10)[text/plain]; RCPT_COUNT_ONE(0.00)[1]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::636:from]; PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org]; FROM_HAS_DN(0.00)[]; RCVD_TLS_LAST(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; ARC_NA(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; TAGGED_FROM(0.00)[]; TO_DN_ALL(0.00)[]; MID_RHS_MATCH_FROMTLD(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; MLMMJ_DEST(0.00)[freebsd-questions@freebsd.org]; DKIM_TRACE(0.00)[gmail.com:+]; MIME_TRACE(0.00)[0:+]; FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; FREEMAIL_ENVFROM(0.00)[gmail.com]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: N On Mon, Sep 12, 2022 at 11:46 PM paul beard wrote: > > > > On Mon, Sep 12, 2022 at 11:45 AM paul beard wrote: >> >> >> >> On Mon, Sep 12, 2022 at 7:23 AM Waitman Gobble wro= te: >>> >>> On Mon, Sep 12, 2022 at 2:01 PM paul beard wrote: >>> > >>> > >>> > >>> > On Sun, Sep 11, 2022 at 9:27 PM paul beard wrot= e: >>> >> >>> >> >>> >> >>> >> On Sun, Sep 11, 2022 at 9:11 PM Ty John wrot= e: >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> ---- On Mon, 12 Sep 2022 13:21:30 +0930 Waitman Gobble wrote --- >>> >>> >>> >>> > On Mon, Sep 12, 2022 at 2:42 AM Ty John ty-ml@eye-of-odin.com> w= rote: >>> >>> > > >>> >>> > > That order should be fine. The more specific locations should = be listed first which is what you have. The redirect will trigger a new req= uest which will match the first stanza. >>> >>> > > >>> >>> > > Anyway, it looks fine to me as long as the certs themselves ar= e right. >>> >>> > > I just checked the certs on https://paulbeard.org, https://www= .paulbeard.org and https://cloud.paulbeard.org and they all seem fine to me= . >>> >>> > > I suspect it might be a browser issue as you mentioned. What h= appens in safari? >>> >>> >>> >> >>> > >>> > Hmm. So Safari is still having issues. It is able to load the root as= www.paulbeard.org but not without it. And the link to wordpress explicitly= uses www but it gets rewritten without and then fails for lack of a secure= connection. I'll need to track down how that rewriting is happening. Who k= new Safari was so rigorous? >>> > >>> > This is the unadorned/non-www stanza: do I even need that in the year= 2022? >>> > >>> > 71 server { >>> > >>> > 72 #listen 443 ssl http2; >>> > >>> > 73 listen [::]:443 ssl http2; >>> > >>> > 74 server_name paulbeard.org; >>> > >>> > 75 # if ($request ~* https://paulbeard.org) { >>> > >>> > 76 # return 301 https://www.paulbeard.org; >>> > >>> > 77 # } >>> > >>> > 78 ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard= .org/fullchain.pem; # managed by Certbot >>> > >>> > 79 ssl_certificate_key /usr/local/etc/letsencrypt/live/paulb= eard.org/privkey.pem; # managed by Certbot >>> > >>> > 80 include /usr/local/etc/letsencrypt/options-ssl-nginx.conf= ; # managed by Certbot >>> > >>> > 81 ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; = # managed by Certbot >>> > >>> > 82 >>> > >>> > 83 add_header X-Clacks-Overhead "GNU Terry Pratchett"; >>> > >>> > 84 # add Strict-Transport-Security to prevent man in the mid= dle attacks >>> > >>> > 85 add_header Strict-Transport-Security "max-age=3D15552000;= includeSubDomains" always; >>> > >>> > 86 #rewrite ^(.*) https://www.paulbeard.org$1 permanent; #+ >>> > >>> > 87 #return 301 https://$host$request_uri; >>> > >>> > 88 >>> > >>> > 89 >>> > >>> > 90 root /usr/local/www/; >>> > >>> > 91 disable_symlinks off; >>> > >>> > 92 >>> > >>> > 93 } >>> > >>> > >>> > >>> >>> >>> >>> Maybe your certs are kinda jumbled up? >>> >> >> This is pretty accurate. I realized I wasn't pulling a certificate for t= he base domain/host name, since i had commented it out in the config. Seems= like things have gotten jumbled indeed. I don't touch any of the config th= at certbot adds so I am wary of how I can unmuddle it. I have since restore= d that but now I see what I think is the real problem. >> >> This is the full list of certs I have=E2=80=A6I seem to have gotten host= and domain mixed up here, as these are hosts, not domains, and ideally sho= uld have just one certificate for all of them. Some cleanup seems to be req= uired. >> >> Found the following certs: >> >> Certificate Name: cloud.paulbeard.org >> >> Serial Number: 4bdb35a6e5308f47e7934453b6d1552a330 >> >> Key Type: RSA >> >> Domains: paulbeard.org cloud.paulbeard.org www.paulbeard.org >> >> Expiry Date: 2022-12-04 16:14:05+00:00 (VALID: 82 days) >> >> Certificate Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.or= g/fullchain.pem >> >> Private Key Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.or= g/privkey.pem >> >> Certificate Name: paulbeard.org >> >> Serial Number: 44c82383b1da739543404608a77c9174d79 >> >> Key Type: RSA >> >> Domains: paulbeard.org >> >> Expiry Date: 2022-11-11 10:45:26+00:00 (VALID: 59 days) >> >> Certificate Path: /usr/local/etc/letsencrypt/live/paulbeard.org/full= chain.pem >> >> Private Key Path: /usr/local/etc/letsencrypt/live/paulbeard.org/priv= key.pem >> >> Certificate Name: www.paulbeard.org-0001 >> >> Serial Number: 4a865592d7d31d1465df0e7245eb88d9d13 >> >> Key Type: RSA >> >> Domains: www.paulbeard.org >> >> Expiry Date: 2022-12-10 23:29:48+00:00 (VALID: 89 days) >> >> Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-= 0001/fullchain.pem >> >> Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-= 0001/privkey.pem >> >> Certificate Name: www.paulbeard.org >> >> Serial Number: 4a730b954fead25d08fb8281c374c11014e >> >> Key Type: RSA >> >> Domains: cloud.paulbeard.org www.paulbeard.org >> >> Expiry Date: 2022-12-10 21:33:36+00:00 (VALID: 89 days) >> >> Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/= fullchain.pem >> >> Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/= privkey.pem > > > Some things about this are not making sense=E2=80=A6sometimes the wordpre= ss pages will load but not always. Sometimes different servers answer to th= e generic "paulbeard.org" URI (the cloud instance, for some reason, would b= e served). Something to do with listen [::]:443 ssl http2; being set wh= ich makes no sense at all. I have removed it everywhere for now. IP6 traffi= c is far down my list of things to be bothered with. > > My main issue seems to be URI rewriting that I can't seem to find in the = config. I get an error about 20 redirects and I don't see where that is hap= pening. The rewrites are being logged=E2=80=A6 > > 2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "http= s://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.o= rg, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "= https://www.paulbeard.org/" > > 2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "http= s://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.o= rg, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "= https://www.paulbeard.org/" > > 2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "http= s://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.o= rg, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "= https://www.paulbeard.org/" > > 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "http= s://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.o= rg, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "= https://www.paulbeard.org/" > > 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "http= s://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.o= rg, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "= https://www.paulbeard.org/" > > 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "http= s://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.o= rg, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "= https://www.paulbeard.org/" > > 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "http= s://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.o= rg, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "= https://www.paulbeard.org/" > > > This is the paulbeard.org stanza: > > 74 server { > > 75 listen 443 ssl http2; > > 76 server_name paulbeard.org; > > 77 root /usr/local/www/; > > 78 ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org= /fullchain.pem; # managed by Certbot > > 79 ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard= .org/privkey.pem; # managed by Certbot > > 80 include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # = managed by Certbot > > 81 ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # ma= naged by Certbot > > 82 > > 83 add_header X-Clacks-Overhead "GNU Terry Pratchett"; > > 84 # add Strict-Transport-Security to prevent man in the middle = attacks > > 85 add_header Strict-Transport-Security "max-age=3D15552000; inc= ludeSubDomains" always; > > 86 rewrite ^(.*) https://www.paulbeard.org$1 permanent; > > 87 #return 301 https://$host$request_uri; > > 88 > > 89 > > 90 disable_symlinks off; > > 91 > > 92 } > > > The only active thing that looks like a rewrite is on line 86 and if I co= mment that out, the php pages are downloaded, rather than parsed and displa= yed. That's not what I want. > > I have no idea how this got so messed up. I am working from a config that= worked 3-4 days ago. I tried ripping out that stanza but something somewh= ere depends on it. > -- > Paul Beard / www.paulbeard.org/ It looks like you just want to redirect traffic to your www. ? 034 This is all you need for that. I don't know what that Terry Pratchett header is but whatevers, and I think you don't really need http2 for a redirect but it probably shouldn't break anything. You don't presently have an AAAA record for your domain in DNS so IPv6 isn't going to be an issue. server { listen 443 ssl http2; server_name paulbeard.org; ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot add_header X-Clacks-Overhead "GNU Terry Pratchett"; add_header Strict-Transport-Security "max-age=3D15552000; includeSubDomains" always; return 301 https://www.paulbeard.org$request_uri; } --=20 Waitman Gobble