https-portal icon indicating copy to clipboard operation
https-portal copied to clipboard
verified publisher icon SteveLTN

Redirect is not working for me.

Open ironwren opened this issue 6 years ago • 14 comments

I have:

DOMAINS: 'www.howismy.com => https://howismy.com, howismy.com -> http://api:3000'

image image but going to www.howismy.com redirects to image

here is the redirect: image

ironwren avatar Sep 09 '19 17:09 ironwren

Hi,

I can't reproduce the problem. Could you see which version is your nginx-portal? Maybe try to upgrade to the latest?

SteveLTN avatar Sep 10 '19 20:09 SteveLTN

I just upgraded to the latest:

/var/www/howismy# dc images
howismy_https-portal_1   steveltn/https-portal   1        25827a1239fd   284 MB

I also removed the redirect:

DOMAINS: 'howismy.com -> http://api:3000'

its still sending the 301 redirect to the wrong place:

/etc/nginx# cat conf.d/howismy.com.conf 
server {
    listen       80;
    server_name  howismy.com;
    
    location / {
      return    301 https://$server_name$request_uri;
    }
          location /.well-known/acme-challenge/ {
          allow all;
          alias /var/www/default/challenges/;
          try_files $uri =404;
      }
}

Is it possible that 301 could some how turn www.howismy.com to https://https://howismy.com?

ironwren avatar Sep 11 '19 18:09 ironwren

That doesn't look like the latest code to me. Before, you only needed to do example.com => another.com, but people constantly put https: there. So I made a modification that either with or without https prefix, it works in both cases.

Please make sure it says 1.7.3 when launching. You can specifically write 1.7.3 in docker-compose.yml and do a docker-compose pull https-portal.

SteveLTN avatar Sep 11 '19 18:09 SteveLTN 

  https-portal:
    image: steveltn/https-portal:1.7.3
    ports:
      - '80:80'
      - '443:443'
    links:
      - api
    restart: always
    environment:
      DOMAINS: 'www.howismy.com => howismy.com,howismy.com -> http://api:3000'
      STAGE: 'production'

3fe0eba7cd93        steveltn/https-portal:1.7.3   "/init"                  4 minutes ago       Up 4 minutes           0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   howismy_https-portal_1

root@3fe0eba7cd93:/etc/nginx# cat conf.d/howismy.com.conf 
server {
    listen       80;
    server_name  howismy.com;
    location / {
      return    301 https://$server_name$request_uri;
    }
    location /.well-known/acme-challenge/ {
          allow all;
          alias /var/www/default/challenges/;
          try_files $uri =404;
      }
}
root@3fe0eba7cd93:/etc/nginx# cat conf.d/www.howismy.com.conf 
server {
    listen       80;
    server_name  www.howismy.com;

    location / {
      return    301 https://howismy.com$request_uri;
    }
          location /.well-known/acme-challenge/ {
          allow all;
          alias /var/www/default/challenges/;
          try_files $uri =404;
      }
}

Still getting: image

ironwren avatar Sep 12 '19 05:09 ironwren

Its now working:

  https-portal:
    image: steveltn/https-portal:latest
    ports:
      - '80:80'
      - '443:443'
    links:
      - api
    restart: always
    environment:
      DOMAINS: 'www.howismy.com => howismy.com,howismy.com -> http://api:3000'
      STAGE: 'production'

It now works. Maybe update the docs to use latest and to remove the https from the redirect example. Thank you so much @SteveLTN. This image is amazing and has made my life soo much better!

ironwren avatar Sep 12 '19 17:09 ironwren

Latest is 1.7.3 . I don't know how, but you seems to be stuck with an old version.

SteveLTN avatar Sep 12 '19 17:09 SteveLTN

My sysop friend just got back to me: image Does the container handle this?

ironwren avatar Sep 12 '19 18:09 ironwren

HTTPS-PORTAl create two certs for each site you specify in the DOMAIN. In this case, you have

DOMAINS: 'www.howismy.com => howismy.com,howismy.com -> http://api:3000'

which will create two certs, one for www.howismy.com and another for howismy.com, served on the two domains respectively.

Now that you got howismy.com certs on www.howismy.com. That doesn't make any sense to me. I have no idea how it would behave like this. Apart from that, when I proceed with the invalid cert, the page doesn't perform its redirection as expected, but returns RemoteDisconnected. Seems like HTTPS-PORTAL is not functioning at all.

As a example, here is my full docker-compose.yml.

version: '3'

services:
  https-portal:
    image: steveltn/https-portal:latest
    ports:
      - '80:80'
      - '443:443'
    restart: always
    environment:
      DOMAINS: 'test2.steveltn.me => test.steveltn.me,test.steveltn.me'
      STAGE: 'production'

You can visit test2.steveltn.me to try it out.

SteveLTN avatar Sep 12 '19 21:09 SteveLTN

Could you cat /etc/nginx/conf.d/www.howismy.com.ssl.conf in your container?

SteveLTN avatar Sep 12 '19 21:09 SteveLTN

It doesn't exist

root@3fe0eba7cd93:~# ls -l /etc/nginx/conf.d/
total 12
-rw-r--r-- 1 root root  308 Sep 12 05:14 howismy.com.conf
-rw-r--r-- 1 root root 1088 Sep 12 05:14 howismy.com.ssl.conf
-rw-r--r-- 1 root root  311 Sep 12 05:14 www.howismy.com.conf

ironwren avatar Sep 12 '19 22:09 ironwren 

Traceback (most recent call last):
  File "/bin/acme_tiny", line 198, in <module>
    main(sys.argv[1:])
  File "/bin/acme_tiny", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/bin/acme_tiny", line 150, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for www.howismy.com: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/303003853/ZaaPsg', u'token': u'2OLbfoGOSybwjF5ypRYhMSrCOC4_7WHPcbZylgnK4Dw', u'type': u'http-01', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:dns', u'detail': u'DNS problem: NXDOMAIN looking up A for www.howismy.com'}}, {u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/303003853/g3dFbA', u'token': u'2OLbfoGOSybwjF5ypRYhMSrCOC4_7WHPcbZylgnK4Dw', u'type': u'dns-01'}, {u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/303003853/zotFxA', u'token': u'2OLbfoGOSybwjF5ypRYhMSrCOC4_7WHPcbZylgnK4Dw', u'type': u'tls-alpn-01'}], u'identifier': {u'type': u'dns', u'value': u'www.howismy.com'}, u'expires': u'2019-09-19T05:14:10Z'}
================================================================================
Failed to sign www.howismy.com, is DNS set up properly?
================================================================================
Failed to obtain certs for www.howismy.com

ironwren avatar Sep 12 '19 22:09 ironwren

image

ironwren avatar Sep 12 '19 22:09 ironwren

Sorry for the late reply. I sort of forgot about this after a vacation :-(

Did you have any luck? Try update to the latest version plz, if you are still on it.

SteveLTN avatar Jan 02 '20 09:01 SteveLTN

The 301 redirect was served from disk cache, where it can be stored indefinitely, as it is labelled as a permanent redirect. So you probably were using a => redirect earlier, which is still cached in the browser. Clearing the browser cache manually should fix that one (and #295 changes the default to temporary redirects).

BTW: I think your DNS configuration looks dangerous. I think with a CNAME to the apex @ (www and ftp lines), you are likely to run into trouble, as the CNAME mirrors everything, not only the A (address), but also NS (name servers) and an increasing number of other configuration records further down the line. (The opposite, having a CNAME from @, is definitely not possible.)

So, A www 206.189.73.129 and A ftp 206.189.73.129 would be safer (or A host 206.189.73.129, CNAME www host, and CNAME ftp host, if you wanted to limit the number of places where you have to change the IP address down to 2, which I believe is the minimum).

MarcelWaldvogel avatar Nov 22 '21 11:11 MarcelWaldvogel