Configuration problem (Nginx, proxy, config.json, letsencrypt)

FrankM

Hello NodeBB Experts,

i run in an little problem(?).

I have an NodeBB installation on port 4567, using nginx to proxy and Let'sEncrypt.

When someone register you got this mail:

VIELEN DANK FÜR DIE REGISTRIERUNG BEI FRANK-MANKEL.ORG!
Um dein Konto vollständig zu aktivieren, müssen wir überprüfen, ob du Besitzer
der E-Mail-Adresse bist, mit der du dich registriert hast.

Klicke hier, um deine E-Mail-Adresse zu bestätigen.
[http://frank-mankel.org:4567/confirm/b87468d3-eb87-4bea-9afc-65e7xxxxxxxx]
DANKE!
frank-mankel.org

When i klick on this link i get this error:

Fehler: Gesicherte Verbindung fehlgeschlagen

Sorry for german. In english

Error: Secure connection failed

What do i wrong?

config.json

{
    "url": "http://frank-mankel.org",
    "port": "4567",
    "secret": "xxxxx",
    "database": "redis",
    "redis": {
        "host": "127.0.0.1",
        "port": "6379",
        "password": "xxxxxx",
        "database": "0"
    },
    "type": "literal"
}

nginx default

server {
listen               80;
listen               443 ssl spdy;
server_name          www.frank-mankel.org;
ssl_certificate      /etc/letsencrypt/xxx/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/xxx/privkey.pem;


return 301 $scheme://frank-mankel.org$request_uri;
}

server {
listen               80;
listen               443 ssl spdy;
server_name          frank-mankel.org;
ssl_certificate      /etc/letsencrypt/xxx/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/xxx/privkey.pem;


# enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# disables all weak ciphers
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES$
#ssl_ciphers 'AES128+EECDH:AES128+EDH';
#ssl_ciphers         HIGH:!aNULL:!MD5;

ssl_prefer_server_ciphers on;

ssl_dhparam /etc/nginx/dhparams.pem;

location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;

    proxy_pass http://127.0.0.1:4567;  # no trailing slash
    proxy_redirect off;

    # Socket.IO Support
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

}

As an bad workaround i have edit the email template Welcome

This post notification was sent to you due to your subscription settings. <a href="frank-mankel.org/{uid}/settings">Click here to alter those settings</a>.

that's remove the port 4567 and it's work. But this is an dirty fix

Sorry for any mistakes. English is not my native language.

<baris>

@frankm said in Welcome Message:

"url": "http://frank-mankel.org",

change that to "url": "https://frank-mankel.org", and restart NodeBB. Does it still happen after that?

PitaJ

Also you shouldn't be listening on ports 80 and 443 from nginx. Instead, redirect http (aka port 80) to https

FrankM

@baris One little "s" and it works Many Thanks

FrankM

@pitaj Thanks for your tipp, i will try to optimize nginx.