Can't find 301 redirect source
I'm running two websites from a Raspberry Pi. Until recently it all worked very well. Then I moved house and now nothing works. I don't think the moving of the house is the issue, for various reasons. My setup is: Internet -> ISP Router -> Internal Router -> Raspberry Pi. I have port forwarding on the ISP router 80:80 and 443:443. Same on the Internal Router. Why two routers? The ISP won't allow you to use your own, so I'm running an ethernet cable from theirs to mine (LAN 1 to WAN) and it works very well for all the devices. I can even access the internet from the Raspberry Pi, so I think that is a Herring Rouge. If I run
curl --head -iL sarahcorballis.com
I eventually get:
curl: (7) Failed to connect to sarahcorballis.com port 80: Connection timed out
Running ping against the IP Address works.
If I run letsencrypt --nginx then I get this:
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.corballis.co.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.corballis.co.uk/.well-known/acme-challenge/aPRcvEhOaTd6kpM5yQQ07VuXRQNWExFocU8U8yW3ywg: Timeout during connect (likely firewall problem), www.sarahcorballis.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.sarahcorballis.com/.well-known/acme-challenge/gFOXzmgjZpHO1DIhgmQkAy8XEi47j7kJUHyo6ftzbuM: Timeout during connect (likely firewall problem), corballis.co.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://corballis.co.uk/.well-known/acme-challenge/w4cSZkJZWrAcmDSPQAFuKVgGhP73Lv9SMB59ShFb_uQ: Timeout during connect (likely firewall problem), sarahcorballis.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sarahcorballis.com/.well-known/acme-challenge/8QzVJ45bWes3yjXWTg5DkRIG5gxAjAyIia53tQ3o3HY: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.corballis.co.uk
Type: connection
Detail: Fetching
http://www.corballis.co.uk/.well-known/acme-challenge/aPRcvEhOaTd6kpM5yQQ07VuXRQNWExFocU8U8yW3ywg:
Timeout during connect (likely firewall problem)
Domain: www.sarahcorballis.com
Type: connection
Detail: Fetching
http://www.sarahcorballis.com/.well-known/acme-challenge/gFOXzmgjZpHO1DIhgmQkAy8XEi47j7kJUHyo6ftzbuM:
Timeout during connect (likely firewall problem)
Domain: corballis.co.uk
Type: connection
Detail: Fetching
http://corballis.co.uk/.well-known/acme-challenge/w4cSZkJZWrAcmDSPQAFuKVgGhP73Lv9SMB59ShFb_uQ:
Timeout during connect (likely firewall problem)
Domain: sarahcorballis.com
Type: connection
Detail: Fetching
http://sarahcorballis.com/.well-known/acme-challenge/8QzVJ45bWes3yjXWTg5DkRIG5gxAjAyIia53tQ3o3HY:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
It looks as though traffic is being redirected from http to https because if I look in /var/log/nginx I get this
2021/01/16 16:41:37 [error] 21244#21244: *1461 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:37 [error] 21244#21244: *1462 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:37 [error] 21244#21244: *1463 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:39 [error] 21244#21244: *1464 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:39 [error] 21244#21244: *1465 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:40 [error] 21244#21244: *1466 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:41 [error] 21244#21244: *1467 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:43 [error] 21244#21244: *1468 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:43 [error] 21244#21244: *1469 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:53:32 [error] 21244#21244: *1470 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 114.119.157.139, server: 0.0.0.0:443
But there is no redirect in the nginx configuration files. Here is the output of sudo nginx -T:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
load_module modules/ngx_http_auth_pam_module.so;
load_module modules/ngx_http_dav_ext_module.so;
load_module modules/ngx_http_echo_module.so;
load_module modules/ngx_http_geoip_module.so;
load_module modules/ngx_http_image_filter_module.so;
load_module modules/ngx_http_subs_filter_module.so;
load_module modules/ngx_http_upstream_fair_module.so;
load_module modules/ngx_http_xslt_filter_module.so;
load_module modules/ngx_mail_module.so;
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/corballis.co.uk:
server {
    listen 80;
    listen 443 ssl;
    # listen [::]:80;
    # listen [::]:443 ssl;
    server_name corballis.co.uk www.corballis.co.uk;
    # Following line changed to remove nginx-root from the end of the line
    root /var/www/corballis.co.uk/system/;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
    }
    location ~ /.well-known {
        allow all;
    }
    client_max_body_size 50m;
}
# configuration file /etc/nginx/sites-enabled/sarahcorballis.com:
server {
    listen 80;
    listen 443 ssl;
    listen [::]:80;
    listen [::]:443 ssl;
    server_name sarahcorballis.com www.sarahcorballis.com;
    root /var/www/sarahcorballis.com/;
    index index.html;
    try_files $uri $uri/ /index.html;
    location ~ /.well-known/acme-challenge/ {
        allow all;
        default_type "text/plain";
    }
    client_max_body_size 50m;
}
Here is the output from nslookup sarahcorballis.com
Server: 10.1.0.1
Address: 10.1.0.1#53
Non-authoritative answer:
Name: sarahcorballis.com
Address: 83.86.93.178
And here's the result of an nmap scan:
Nmap scan report for sarahcorballis.com (83.86.93.178)
Host is up (0.16s latency).
rDNS record for 83.86.93.178: 83-86-93-178.cable.dynamic.v4.ziggo.nl
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
80/tcp filtered http
110/tcp filtered pop3
143/tcp filtered imap
443/tcp open https
3389/tcp filtered ms-wbt-server
Which is weird, because port 80 isn't filtered at all; it's open for TCP on both routers and the Raspberry Pi. Here is the output from ufw status:
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
Nginx Full ALLOW Anywhere
5900:5910/tcp ALLOW Anywhere
631/tcp ALLOW Anywhere
9191/tcp ALLOW Anywhere
3306 ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
5900:5910/tcp (v6) ALLOW Anywhere (v6)
631/tcp (v6) ALLOW Anywhere (v6)
9191/tcp (v6) ALLOW Anywhere (v6)
3306 (v6) ALLOW Anywhere (v6)
The nmap ports don't appear to agree with the ufw status. The firewall is on on both routers but turning it off on either independently or both at once has no effect.
Any suggestions would be very welcome. This has been driving me nuts for weeks!
Solution 1:
OK, I solved it. In case anyone has a similar setup and encounters the same issue in the future, the problem was that I'd deleted a third site (didn't need it anymore); however, that site had the SSL certs which covered all three sites and were now gone. Worse, I'm not using Letsencrypt but instead am using Cloudflare origin certificates with HSTS to ensure more robust security. Cloudflare was causing the redirect that was then failing due to there being no certificate. Solution:
- Generate a new certificate - one for each site
- Save the certificates (both pem and key) to directories on the server
- Amend the server blocks in nginx (/etc/nginx/sites-enabled) to point at the right directories and ensure http2 is enabled
- Ensure SSL Strict is selected in Cloudflare.
Here's the nginx config block for one of the sites:
# configuration file /etc/nginx/sites-enabled/<website>.com:
server {
    # Plaintext listener: only job is to send clients to the HTTPS server block
    listen 80;
    listen [::]:80;
    server_name <website>.com www.<website>.com;
    # Redirect target must be https://; redirecting to http:// would loop back here
    return 302 https://$server_name$request_uri;
}
server {
    # SSL Configuration for Cloudflare
    # "ssl" on the listen directives enables TLS; the old "ssl on;" directive is deprecated
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/ssl/certs/<website>.com.pem;
    ssl_certificate_key /etc/ssl/private/<website>.com.key;
    server_name <website>.com www.<website>.com;
    root /var/www/<website>.com/;
    index index.html;
    try_files $uri $uri/ /index.html;
    client_max_body_size 50m;
}
You'd need to change <website> to whatever your website is and make sure that the suffix is the same as yours, if you happen to copy the block above.
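Added example (not from the question or the answer): a small Python linter for `sudo nginx -T` output that catches the two defects this thread turns on. It flags a server block that has `listen ... ssl` but no `ssl_certificate` (the state the question's config was in after the third site's certificates were deleted, and exactly what the "no ssl_certificate is defined in server listening on SSL port" log lines report), and a plaintext-only block whose `return 30x` points back at `http://` (a redirect loop instead of an upgrade to HTTPS). The parser assumes `nginx -T` layout (one directive per line, block braces on their own lines); the domain names and paths in the sample dump are constructed for the example.

```python
"""Lint an `nginx -T` dump for TLS listeners without certificates and http->http redirects."""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerBlock:
    source_file: str
    listens: List[str] = field(default_factory=list)
    server_names: List[str] = field(default_factory=list)
    ssl_certificate: Optional[str] = None
    returns: List[str] = field(default_factory=list)

    def listens_ssl(self) -> bool:
        # True if any listen directive carries the "ssl" parameter (e.g. "443 ssl http2")
        return any(re.search(r"\bssl\b", listen) for listen in self.listens)


def parse_nginx_dump(dump: str) -> List[ServerBlock]:
    """Walk the dump and collect the server-level directives of every server block."""
    blocks: List[ServerBlock] = []
    stack: List[str] = []           # names of the blocks we are currently inside
    current: Optional[ServerBlock] = None
    current_file = "<unknown>"      # updated from the "# configuration file ...:" markers
    for raw in dump.splitlines():
        line = raw.strip()
        marker = re.match(r"#\s*configuration file (\S+):", line)
        if marker:
            current_file = marker.group(1)
            continue
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            head = line[:-1].split()
            name = head[0] if head else ""
            stack.append(name)
            if name == "server" and current is None:
                current = ServerBlock(current_file)
            continue
        if line == "}":
            if stack and stack.pop() == "server" and current is not None:
                blocks.append(current)
                current = None
            continue
        # Only directives directly inside "server { ... }" matter here, not location blocks
        if current is None or stack[-1] != "server" or not line.endswith(";"):
            continue
        directive, _, args = line[:-1].strip().partition(" ")
        args = args.strip()
        if directive == "listen":
            current.listens.append(args)
        elif directive == "server_name":
            current.server_names.extend(args.split())
        elif directive == "ssl_certificate":          # ssl_certificate_key is a different directive
            current.ssl_certificate = args
        elif directive == "return":
            current.returns.append(args)
    return blocks


def find_issues(blocks: List[ServerBlock]) -> List[str]:
    """Return one human-readable finding per defect, in config order."""
    issues: List[str] = []
    for block in blocks:
        label = f"{block.source_file} [{' '.join(block.server_names) or 'no server_name'}]"
        if block.listens_ssl() and not block.ssl_certificate:
            issues.append(f"{label}: listens with 'ssl' but defines no ssl_certificate "
                          "(TLS handshakes on this block will fail)")
        for ret in block.returns:
            target = re.match(r"30[1278]\s+(\w+)://", ret)
            if target and target.group(1) == "http" and not block.listens_ssl():
                issues.append(f"{label}: 'return {ret}' sends plaintext clients back to http:// "
                              "(redirect loop); the target should be https://")
    return issues


# Constructed sample dump: first block mirrors the broken state (ssl listener, no cert),
# second block has the http:// redirect loop, third block is a correct TLS block.
SAMPLE_DUMP = """\
# configuration file /etc/nginx/sites-enabled/example.com:
server {
    listen 80;
    listen 443 ssl;
    server_name example.com www.example.com;
    root /var/www/example.com/;
    location ~ /.well-known/acme-challenge/ {
        allow all;
    }
}
# configuration file /etc/nginx/sites-enabled/example.net:
server {
    listen 80;
    listen [::]:80;
    server_name example.net www.example.net;
    return 302 http://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/ssl/certs/example.net.pem;
    ssl_certificate_key /etc/ssl/private/example.net.key;
    server_name example.net www.example.net;
}
"""

if __name__ == "__main__":
    # Pipe real output in with:  sudo nginx -T | python3 nginx_tls_lint.py
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for issue in find_issues(parse_nginx_dump(dump)):
        print(issue)
```

Run against the sample it prints two findings; piped `nginx -T` output from a box in the state described in the question would flag both site files, since each has `listen 443 ssl` and no `ssl_certificate`. A clean config prints nothing.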