HTTPS site set up
Closed this issue · 5 comments
So I spent a very long time trying to get this to work with Nginx, uWSGI and certbot. To no avail. Then I tried with httpd (Apache); both got me about the same result. I'm running the Flask app on port 5005 and listening on ports 80/443 for the domain phencards-dev.wglab.org, which, thanks to Kai and certbot, actually works. But for some reason, in both solutions the proxy_pass redirect seems not to work, because I get "bad gateway" for Nginx or "503 service unavailable" for Apache. I have tried using wsgi.py to run app.py and running app.py by itself; no good results either way.
My /etc/httpd/conf.d/phencards.conf file:
ServerName phencards-dev.wglab.org

# Port 80 only exists to bounce clients to HTTPS. The trailing slash on the
# target keeps the rest of the request path intact when it is appended.
<VirtualHost *:80>
    ServerName phencards-dev.wglab.org
    Redirect / https://phencards-dev.wglab.org/
</VirtualHost>

<VirtualHost *:443>
    # DocumentRoot is not consulted for requests that ProxyPass forwards;
    # it only matters if the proxy rule below is removed.
    DocumentRoot "/var/www/html/phencards-dev.wglab.org"
    ServerName phencards-dev.wglab.org

    SSLEngine on
    # TLS 1.2+ only. Note that the options-ssl-apache.conf included below also
    # sets SSLProtocol/SSLCipherSuite; the last directive read wins.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    # AEAD/ECDHE suites first. The original string listed RC4 suites and then
    # excluded them again with !RC4; the exclusion wins, so they are dropped here.
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

    RewriteOptions inherit

    # mod_wsgi deployment of the app under /dquest. Either this or the
    # ProxyPass rule below is needed for the app, not both; with ProxyPass /
    # in place the Flask process on 5005 is what serves the site.
    WSGIScriptAlias /dquest /data/html/phencards/app.wsgi

    # DefaultType is an Apache 2.2 directive; 2.4 ignores it with a warning.
    # DefaultType text/plain

    ErrorLog logs/phencards-error_log
    CustomLog logs/phencards-access_log common

    # Order/Allow is Apache 2.2 access-control syntax. On 2.4 it requires
    # mod_access_compat (loaded by default on CentOS/RHEL httpd); the native
    # 2.4 equivalent is "Require all granted".
    <Directory /data/html/phencards/FlaskApp/>
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "/data/html/phencards/cgi-bin">
        Options +ExecCGI
        Order allow,deny
        Allow from all
    </Directory>

    # Reverse proxy to the Flask app. For httpd to open this outbound
    # connection under SELinux, httpd_can_network_connect must be on;
    # otherwise mod_proxy gets EACCES and answers 503.
    ProxyPass / http://localhost:5005/
    ProxyPassReverse / http://localhost:5005/

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/phencards-dev.wglab.org/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/phencards-dev.wglab.org/privkey.pem
    # Deprecated since 2.4.8 in favour of putting the chain in
    # SSLCertificateFile (fullchain.pem), but still honoured.
    SSLCertificateChainFile /etc/letsencrypt/live/phencards-dev.wglab.org/chain.pem
</VirtualHost>
The app works fine by itself if I use a random port, so I know there's nothing wrong with the Flask app.
@kaichop is the reigning expert at this, so I figured I'd ask for input. I'll keep at it.
I did not manually create some of these files. Perhaps I have to create a .wsgi file?
Had to add (because of SELinux on the droplet):
setsebool -P httpd_can_network_connect 1
HTTPS site now works. Will document in the lab share.
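The "503 service unavailable" seen above is what mod_proxy returns when it cannot connect to the backend, and the reason is only visible in the Apache error log. As an added example (not code from this issue or the WGLab project), the script below reads error-log lines and distinguishes the SELinux case, where the connect attempt fails with errno 13 (EACCES), from a backend that simply is not listening (errno 111, ECONNREFUSED) or is timing out (errno 110). The log lines in SAMPLE_LOG are constructed to match the shape of the AH00957/AH01114 messages mod_proxy emits; the regular expression keys on the "(errno)strerror:" prefix Apache puts on APR errors, and the cause-to-hint table is the author's suggested remediation, not something Apache prints.

```python
"""Classify mod_proxy backend failures from an Apache error log.

Added example, not part of the original issue. Maps the errno that mod_proxy
reports on a failed backend connect to its likely cause:
  13  EACCES        -> httpd is not allowed to connect out (SELinux boolean
                       httpd_can_network_connect is off)
  111 ECONNREFUSED  -> nothing is listening on the proxied host:port
  110 ETIMEDOUT     -> backend reachable but not answering
"""
import re

# Constructed sample lines shaped like mod_proxy's AH00957/AH00959/AH01114
# messages; the timestamps, pid and client address are made up.
SAMPLE_LOG = """\
[Tue Jan 01 12:00:00.000000 2019] [proxy:error] [pid 1234] (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:5005 (localhost) failed
[Tue Jan 01 12:00:00.000000 2019] [proxy:error] [pid 1234] AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 60s
[Tue Jan 01 12:00:00.000000 2019] [proxy_http:error] [pid 1234] [client 203.0.113.7:51234] AH01114: HTTP: failed to make connection to backend: localhost
[Tue Jan 01 12:05:00.000000 2019] [proxy:error] [pid 1234] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:5005 (localhost) failed
"""

# Apache writes APR errors as "(errno)strerror:" right before the AHxxxxx code.
# Only lines carrying that errno prefix are connect failures worth classifying.
_LINE_RE = re.compile(
    r"\[(?P<module>proxy[\w:]*):error\]\s+\[pid \d+\]\s+"
    r"(?:\[client [^\]]+\]\s+)?"
    r"\((?P<errno>\d+)\)(?P<strerror>[^:]+):\s+"
    r"(?P<ah>AH\d{5}):\s+(?P<msg>.*)"
)

# errno -> (cause label, hint). Hints are the author's suggestions.
CAUSES = {
    13: ("selinux_or_permissions",
         "httpd may not open outbound sockets; check "
         "`getsebool httpd_can_network_connect` and enable it with "
         "`setsebool -P httpd_can_network_connect 1`"),
    111: ("backend_not_listening",
          "nothing accepts connections on the proxied address; start the "
          "app on that port or fix the ProxyPass host:port"),
    110: ("backend_timeout",
          "backend reachable but not answering; check the app's own logs"),
}


def classify(line):
    """Return (cause, hint, backend) for a proxy connect failure, else None."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    # AH00957 reads "... attempt to connect to HOST:PORT (name) failed".
    backend = None
    b = re.search(r"connect to (\S+) \(", m.group("msg"))
    if b:
        backend = b.group(1)
    errno = int(m.group("errno"))
    cause, hint = CAUSES.get(errno, ("other", m.group("strerror").strip()))
    return (cause, hint, backend)


def diagnose(log_text):
    """Map each distinct cause seen in the log to its first matching finding."""
    findings = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[0] not in findings:
            findings[result[0]] = result
    return findings


if __name__ == "__main__":
    for cause, (_, hint, backend) in diagnose(SAMPLE_LOG).items():
        print(f"{cause} ({backend}): {hint}")
```

Run against a real log with `diagnose(open("/var/log/httpd/phencards-error_log").read())`; the AH00959 "disabling worker" and AH01114 "failed to make connection" lines are deliberately ignored, since they are consequences of the connect failure rather than its cause.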
According to the certbot documentation, the best renewal method is as follows (I slightly modified this for Apache):
echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q --apache" | sudo tee -a /etc/crontab > /dev/null
This is now set in the crontab. It should automatically renew.
I have documented this process with some assistance from @kaichop here:
https://github.com/WGLab/LabShare/blob/master/Computing/HTTPSServer.md