Configuration problem (Nginx, proxy, config.json, letsencrypt)



  • Hello NodeBB Experts,

    I ran into a little problem(?).

    I have a NodeBB installation on port 4567, using nginx as a proxy and Let's Encrypt.

    When someone registers, they get this mail:

    THANK YOU FOR REGISTERING AT FRANK-MANKEL.ORG!
    To fully activate your account, we need to verify that you own
    the email address you registered with.

    Click here to confirm your email address.
    [http://frank-mankel.org:4567/confirm/b87468d3-eb87-4bea-9afc-65e7xxxxxxxx]
    THANKS!
    frank-mankel.org

    When I click on this link I get this error:

    Error: Secure connection failed
    

    Sorry for the German. In English:

    Error: Secure connection failed
    

    What am I doing wrong?

    config.json

    {
        "url": "http://frank-mankel.org",
        "port": "4567",
        "secret": "xxxxx",
        "database": "redis",
        "redis": {
            "host": "127.0.0.1",
            "port": "6379",
            "password": "xxxxxx",
            "database": "0"
        },
        "type": "literal"
    }
    

    nginx default

    server {
        listen               80;
        listen               443 ssl spdy;
        server_name          www.frank-mankel.org;
        ssl_certificate      /etc/letsencrypt/xxx/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/xxx/privkey.pem;

        return 301 $scheme://frank-mankel.org$request_uri;
    }

    server {
        listen               80;
        listen               443 ssl spdy;
        server_name          frank-mankel.org;
        ssl_certificate      /etc/letsencrypt/xxx/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/xxx/privkey.pem;

        # enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        # disables all weak ciphers
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES$
        #ssl_ciphers 'AES128+EECDH:AES128+EDH';
        #ssl_ciphers         HIGH:!aNULL:!MD5;

        ssl_prefer_server_ciphers on;

        ssl_dhparam /etc/nginx/dhparams.pem;

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;

            proxy_pass http://127.0.0.1:4567;  # no trailing slash
            proxy_redirect off;

            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

    As a bad workaround I have edited the email template Welcome:

    [[email:notif.post.unsub.info]] <a href="frank-mankel.org/{uid}/settings">[[email:unsub.cta]]</a>. 
    

    That removes the port 4567 and it works. But this is a dirty fix ☹

    Sorry for any mistakes. English is not my native language.


  • Admin

    @frankm said in Welcome Message:

    "url": "http://frank-mankel.org",

    change that to "url": "https://frank-mankel.org", and restart NodeBB. Does it still happen after that?


  • Global Moderator

    Also you shouldn't be listening on ports 80 and 443 from nginx. Instead, redirect http (aka port 80) to https.
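    The layout the two replies above describe, as an added example that is not part of the original thread and not NodeBB's own documentation: port 80 only redirects to https, the www host only redirects to the bare host, and the forum is served on 443 alone and proxied to NodeBB on the loopback port. Hostnames, the `/etc/letsencrypt/xxx` paths and the proxy headers are taken from the thread; the `/var/www/letsencrypt` webroot, the `ssl_protocols`, `http2` and HSTS settings are my assumptions (`http2` replaces `spdy` from nginx 1.9.5 on). It goes together with `"url": "https://frank-mankel.org"` in config.json, so that the confirmation links NodeBB generates no longer carry `:4567`.

    ```nginx
    # Plain HTTP: never serve the forum here, only send clients to https.
    # The acme-challenge location keeps Let's Encrypt HTTP-01 renewals working
    # (assumed certbot --webroot directory, not from the thread).
    server {
        listen 80;
        server_name frank-mankel.org www.frank-mankel.org;

        location /.well-known/acme-challenge/ {
            root /var/www/letsencrypt;
        }

        location / {
            return 301 https://frank-mankel.org$request_uri;
        }
    }

    # TLS-only redirect of the www host to the bare host.
    server {
        listen 443 ssl http2;
        server_name www.frank-mankel.org;

        ssl_certificate     /etc/letsencrypt/xxx/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/xxx/privkey.pem;

        return 301 https://frank-mankel.org$request_uri;
    }

    # The forum itself: TLS only, proxied to NodeBB on 127.0.0.1:4567.
    server {
        listen 443 ssl http2;
        server_name frank-mankel.org;

        ssl_certificate     /etc/letsencrypt/xxx/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/xxx/privkey.pem;

        # TLS 1.0/1.1 are deprecated; TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;
        ssl_dhparam /etc/nginx/dhparams.pem;

        # Tell browsers to use https for this host from now on (about six months).
        add_header Strict-Transport-Security "max-age=15768000" always;

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Always https here: this server block only exists on 443.
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Host $http_host;

            proxy_pass http://127.0.0.1:4567;  # no trailing slash
            proxy_redirect off;

            # Socket.IO / WebSocket upgrade
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
    ```

    With this, nothing listens for the forum on port 80 and port 4567 is only reached through nginx, so it can be blocked from the outside in the host firewall; check the result with `nginx -t` before reloading, and confirm from another machine that `http://frank-mankel.org/` answers with a 301 to `https://` and that `https://frank-mankel.org:4567/` is not reachable.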



  • @baris One little "s" and it works ✌ Many Thanks 👏



  • @pitaj Thanks for your tip, I will try to optimize nginx.

