My website (Django/nginx/gunicorn/mysql) which is hosted on a remote box was working fine, until I decided to restart remote box for some reason. So after the restart, in the remote box when I say curl -IL -H -GET my.web.address it works fine. However, when I try the same command from outside, it reports curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to my.web.address.
Any help is appreciated. Please find below the relevant things which I checked for.
I’m using a CentOS 7 remote server system, and I predominantly followed this tutorial.
nginx is listening on the right ports
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3425/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3425/nginx: master
Firewall (see ufw result) is allowing my ports
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp (SSH) ALLOW IN Anywhere
224.0.0.251 5353/udp (mDNS) ALLOW IN Anywhere
22 ALLOW IN Anywhere
80 ALLOW IN Anywhere
443 ALLOW IN Anywhere
22/tcp (SSH (v6)) ALLOW IN Anywhere (v6)
ff02::fb 5353/udp (mDNS) ALLOW IN Anywhere (v6)
22 (v6) ALLOW IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)
443 (v6) ALLOW IN Anywhere (v6)
sestatus
SELinux status: disabled
Output of nmap to check the port status
nmap -sT my.ip.address
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
3306/tcp open mysql
Content of the nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
server blocks of my nginx.conf
server {
server_name my.ip.address my.web.address;
error_log /srv/www/myweb/logs/error.log;
access_log /srv/www/myweb/logs/access.log;
charset utf-8;
location /static/{
alias /srv/www/myweb/latestRelease/mywebDB/app/src/static/;
}
location /{
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://unix:/srv/www/myweb/latestRelease/mywebDB/mywebdb.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/my.web.address/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/my.web.address/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = my.ip.address) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = my.web.address) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name my.ip.address my.web.address;
return 404; # managed by Certbot
}
I’ve checked my sock file permissions, they are spinning up correctly by the respective user. The file permissions are set correctly.
contents of the gunicorn.service file
[Unit]
Description=gunicorn daemon
After=network.target
[Service]
User=user
Group=nginx
WorkingDirectory=/srv/www/myweb/latestRelease/mywebDB/app/src
ExecStart=/srv/www/myweb/latestRelease/mywebDB/app/bin/gunicorn --workers 3 --bind unix:/srv/www/myweb/latestRelease/mywebDB/mywebdb.sock app.wsgi:application
[Install]
WantedBy=multi-user.target
``````code```This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Accepted Answer
So the problem is fixed!
The problem was that somehow, UFW rules didn’t update the iptables entry to allow the ports 80/443.
I modified it manually with the below commands.
iptables -I INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
Thanks @bobbyiliev for your inputs.
Hi there @deman23,
I could suggest a few things:
- First run a Nginx config test to make sure that there are no errors that could be causing this:
sudo nginx -t
- Check your Nginx error log for more information:
tail -100 /var/log/nginx/error.log
- As this only happened after a restart, I think that you might have a server block which could be causing the problem, make sure to check your
/etc/nginx/sites-enabled/folder for any other server blocks and make sure that they are configured correctly.
Let me know how it goes! Regards, Bobby
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.