Ghost droplet with SSL troubles

August 1, 2014

I've been pulling my hair out trying to figure out how to get SSL encryption working on my Ghost install. I have Ghost 0.4.2 installed on an Ubuntu 12.04 droplet. I've followed every guide out there on how to configure Nginx to support SSL. I'm probably reaching a point of no return since I've copied and pasted so many things, and I've probably really screwed up somewhere along the way. Below is my Nginx configuration file. My SSL certificate works, and I can service nginx restart without a problem. However, no matter what page I go to, I cannot use https. Chrome sits for about 10 seconds, then takes me to "This webpage is not available."

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        listen 443 ssl;

        root /usr/share/nginx/www;
        index index.html index.htm;

        server_name localhost;
        ssl_certificate /etc/nginx/ssl/redacted.com.crt;
        ssl_certificate_key /etc/nginx/ssl/redacted.key;

        location / {
                proxy_pass http://localhost:2368/;  
                proxy_set_header Host $host;  
                proxy_buffering off; 
        }
}

I have also tried manually adding 443 to my iptables, which doesn't fix anything either.

3 Answers

Your Nginx configuration looks fine. It sounds like you might not have port 443 open. What was the iptables command you used?

Let's debug this a little further. On the droplet, run:

sudo netstat -plunt

If Nginx is listening on port 443, you should see it listed in the output.

Next, from a different machine run:

nmap your.ip.address

This will show what ports are open to the outside. Again, you should see port 443 in the output.

If it is in the output of netstat but not nmap, that implies that your firewall is still getting in the way. If it is not in the netstat output at all, then your problem will most likely be related to Nginx.

Here's the netstat output:

# sudo netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      532/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      886/nginx
tcp        0      0 127.0.0.1:2368          0.0.0.0:*               LISTEN      645/node
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      886/nginx
tcp6       0      0 :::22                   :::*                    LISTEN      532/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      886/nginx

Nmap doesn't show 443. I had to run with -Pn since it was saying it was being blocked. I ran Nmap with my droplet IP address. Is this correct? Here's the output:

Host is up (0.018s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

The iptables command I used was:

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

However, I'm not seeing it in my iptables output. How do I save iptables after I've made a modification to it? service iptables save and service iptables restart do not work. Here's my iptables --list output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I seem to have figured it out.

First of all, my iptables wasn't saving, nor was it being applied to my rules. I needed to do these two commands:

iptables-save
sudo su -c 'iptables-save > /etc/iptables/rules.v4'  

That finally opened port 443. However, my Nginx configuration was still wrong. I kept getting endless redirect loop warnings, I'd tweak it a little, get some 404 errors, tweak it again and get "Welcome to Nginx". I finally found the right combination that I need to run https, and force it on my Admin page. My Nginx config is below:

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        # TLS is terminated here; "default" is the older spelling of default_server.
        listen 443 default ssl;

        root /usr/share/nginx/www;
        index index.html index.htm;

        server_name localhost;
        ssl_certificate /etc/nginx/ssl/redacted.com.crt;
        ssl_certificate_key /etc/nginx/ssl/redacted.key;

        location / {
            # Forward the client address, original Host and the scheme the client
            # used, so Ghost (which only ever sees plain http from the proxy) can
            # tell that the request already arrived over https.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://127.0.0.1:2368;
        }
}
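Two practical points follow from the iptables listing earlier in this thread. First, `iptables -L` without `-v` hides interface matches, which is why the first ACCEPT and REJECT lines there look unconditional; `iptables -S INPUT` prints the rules as they were entered. Second, `iptables -A` appends, so a rule added after the chain's catch-all `DROP` is never reached, and it has to be inserted ahead of that rule with `iptables -I INPUT <position>` (saving to /etc/iptables/rules.v4 then makes it survive a reboot; `iptables-save` on its own only prints to the terminal). The POSIX sh function below is an added example, not from this thread, that walks `iptables -S INPUT` output for a given port and reports whether it is accepted, shadowed by an earlier catch-all, dropped, or left to the chain policy. The two rule sets are constructed here: one with the 443 rule appended after the DROP, one with it inserted before.

```shell
# Added example (not from the thread): check whether an INPUT rule for a TCP port
# is actually reachable, given `iptables -S INPUT` output saved to a file.
# Usage: port_status 443 rules.txt   -> accepted | shadowed | dropped | policy

port_status() {
    port="$1"; rules_file="$2"
    dropped=0   # set once an unconditional DROP/REJECT has been passed

    while IFS= read -r rule; do
        case "$rule" in
            "-A INPUT "*) ;;        # only INPUT chain rules govern inbound traffic
            *) continue ;;
        esac

        # An unconditional terminal rule: anything appended after it is unreachable.
        case "$rule" in
            "-A INPUT -j DROP"|"-A INPUT -j REJECT"*) dropped=1; continue ;;
        esac

        # An ACCEPT for exactly this destination port (trailing space avoids 443 matching 4430).
        case "$rule" in
            *"-p tcp "*"--dport $port "*"-j ACCEPT")
                if [ "$dropped" -eq 1 ]; then echo shadowed; else echo accepted; fi
                return 0 ;;
        esac
    done < "$rules_file"

    if [ "$dropped" -eq 1 ]; then echo dropped; else echo policy; fi
}

# Constructed rule sets in `iptables -S` form, modelled on the listing in this thread.
SAMPLE_DIR=$(mktemp -d)
RULES_APPENDED="$SAMPLE_DIR/appended.txt"   # 443 added with -A: lands after the DROP
RULES_INSERTED="$SAMPLE_DIR/inserted.txt"   # 443 added with -I INPUT 6: before the DROP

cat > "$RULES_APPENDED" <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
EOF

cat > "$RULES_INSERTED" <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
EOF

# With the appended rule set 443 is "shadowed"; with the inserted one it is "accepted".
for f in "$RULES_APPENDED" "$RULES_INSERTED"; do
    printf '%s: 80=%s 443=%s 8443=%s\n' "$f" \
        "$(port_status 80 "$f")" "$(port_status 443 "$f")" "$(port_status 8443 "$f")"
done
```

Run it against `sudo iptables -S INPUT > rules.txt` on the droplet after every change; "shadowed" is the state the `-A` command in this thread produces, and it means the rule is present but can never match.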