jlecour / ssl-gandi-nginx-debian

A guide to configuring an SSL certificate (Gandi) for Nginx on Debian
MIT License
17 stars, 6 forks

connect: Connection refused, connect:errno=111 #8

Closed. kopax closed this 9 years ago

kopax commented 9 years ago

Hi again,

I have been trying for several days to configure SSL for my domain with a signed certificate. I ended up finding your tutorial, which I followed to the letter; unfortunately it still does not work.

I test my certificate:

openssl s_client -showcerts -connect www.domain.com:443
connect: Connection refused
connect:errno=111

I test nginx by accessing the URL https://www.domain.com

Page Web inaccessible

ERR_CONNECTION_REFUSED

So I suspect a firewall error on the machine, but port 443 does seem to be open

$ sudo iptables -L INPUT -n --line-numbers
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443

A telnet www.domain.com 80 to test nginx answers me correctly

HTTP/1.1 400 Bad Request
Server: nginx/1.9.2
Date: Sun, 12 Jul 2015 08:33:23 GMT
Content-Type: text/html
Content-Length: 172
Connection: close

<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.9.2</center>
</body>
</html>

A telnet www.domain.com 443 to test port 443 and nginx

Connecting To www.domain.com...Could not open connection to the host, on port 443: Connect failed

Nginx configuration

nginx.conf

user www-data;
worker_processes auto;
pid /var/run/nginx.pid;

events {
  worker_connections 1024;
}

http {
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  ##
  # Virtual Host Configs
  ##

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
}

sites-enabled/gitlab.conf

server {
  # FROM https://github.com/jlecour/ssl-gandi-nginx-debian
  # listen 80;
  # rewrite ^ https://$host$request_uri? permanent;

  listen 80;
  server_name www.domain.com;
  server_tokens off;
  root /dev/null;
  rewrite ^ https://$server_name$request_uri permanent;
}

upstream git {
  server gitlab:10080;
}

server {
  listen 443 ssl spdy;

  server_name www.domain.com;
  server_tokens off;
  root /dev/null;

  ## Increase this if you want to upload large attachments
  ## Or if you want to accept large git objects over http
  client_max_body_size 20m;

  add_header Strict-Transport-Security max-age=63072000;
  # add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

  ## Individual nginx logs for this vhost
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;

  ## include domain ssl config
  include /etc/nginx/domain_com.ssl.conf;

  ## proxy pass the request to upstream.
  location / {
    ## If you use https make sure you disable gzip compression
    ## to be safe against BREACH attack.
    gzip off;

    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    X-Frame-Options     SAMEORIGIN;

    proxy_pass http://git;
  }

}

domain_com.ssl.conf

ssl on;

# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/ssl/certs/domain_com.chain.pem;
ssl_certificate_key /etc/ssl/private/domain_com.key.pem;
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:10m;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits or better
ssl_dhparam /etc/ssl/dhparam-2048.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

## OCSP Stapling ---
## fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ssl/certs/gandi-standardssl-2.chain.pem;

resolver 127.0.0.1;

Given the failure of the telnet on port 443 and the ERR_CONNECTION_REFUSED message, I would lean toward a firewall problem, but everything seems to be in order.

Can this error come from an SSL configuration problem?

Taking into account that this Nginx is a docker container, could using resolver 127.0.0.1 be problematic? I did not really understand the explanation in the doc (http://nginx.org/en/docs/http/ngx_http_core_module.html#resolver)

Thanks in advance for the explanations ;)

kopax commented 9 years ago

I found it, it was a mapping error on nginx's port 443, which I had set to 433. Thanks for your help :)
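The thread's lesson is that "Connection refused" (errno 111) is a TCP-level answer and never reaches the TLS layer, so no ssl_certificate, cipher or resolver setting can produce it. As an added example (not code from the guide or from kopax), this standard-library Python probe classifies what an HTTPS port actually does; the listener fixture is constructed to mimic the 400 Bad Request nginx returned on port 80 above.

```python
# Added diagnostic (not from the guide/issue): tell "refused" apart from TLS failures.
import socket
import ssl
import threading

def classify_tls_endpoint(host, port, timeout=3.0):
    """Probe host:port like `openssl s_client -connect` and return one of:
    refused     TCP RST: nothing listens there (nginx not bound to 443,
                a docker -p mapping like 433:443, firewall REJECT)
    timeout     no reply at all (firewall DROP or a silent listener)
    not_tls     TCP accepted but the peer did not speak TLS (plain HTTP)
    cert_error  TLS up but chain/hostname fail to verify: what a wrong
                ssl_certificate looks like, never a refused connection
    tls_ok      handshake completed and certificate verified"""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    try:
        with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
            return "tls_ok"
    except ssl.SSLCertVerificationError:  # subclass of SSLError, so first
        return "cert_error"
    except (ssl.SSLError, ConnectionResetError):
        return "not_tls"
    except socket.timeout:
        return "timeout"

def plain_http_listener():
    """Constructed fixture: one-shot 127.0.0.1 listener answering any bytes
    with the '400 Bad Request' nginx gives a non-HTTP probe on port 80."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve_once():
        conn, _ = srv.accept()
        conn.recv(4096)
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]

def free_port():
    """Constructed fixture: a 127.0.0.1 port with nothing listening."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

When the result is "refused", look at what listens on the host (`ss -ltn`) and at the container's published ports (`docker port <container>`) before touching the SSL include; only "cert_error" or "not_tls" point at the nginx configuration itself.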