WGLab/PhenCards

HTTPS site set up

Closed this issue · 5 comments

So I spent a very long time trying to get this to work with Nginx, uWSGI and certbot. To no avail. Then I tried with httpd (Apache); both got me about the same result. I'm running the Flask app on port 5005 and listening on ports 80/443 for the domain phencards-dev.wglab.org, which, thanks to Kai and certbot, actually works. But for some reason, in both solutions the proxy_pass redirect seems not to work, because I get "bad gateway" for Nginx or "503 service unavailable" for Apache. I have tried using wsgi.py to run app.py and running app.py by itself, with no good results either way.

My /etc/httpd/conf.d/phencards.conf file:

ServerName phencards-dev.wglab.org

<VirtualHost *:80>
    ServerName phencards-dev.wglab.org
    Redirect / https://phencards-dev.wglab.org
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/var/www/html/phencards-dev.wglab.org"
    ServerName phencards-dev.wglab.org

    SSLEngine on

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

    RewriteOptions inherit

    WSGIScriptAlias /dquest /data/html/phencards/app.wsgi

    DefaultType text/plain
    ErrorLog logs/phencards-error_log
    CustomLog logs/phencards-access_log common
    <Directory /data/html/phencards/FlaskApp/>
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "/data/html/phencards/cgi-bin">
        Options +ExecCGI
        Order allow,deny
        Allow from all
    </Directory>

    ProxyPass / http://localhost:5005/
    ProxyPassReverse / http://localhost:5005/

    Include /etc/letsencrypt/options-ssl-apache.conf

    SSLCertificateFile /etc/letsencrypt/live/phencards-dev.wglab.org/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/phencards-dev.wglab.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/phencards-dev.wglab.org/chain.pem

</VirtualHost>

The app works fine by itself if I use a random port, so I know there's nothing wrong with the Flask app.

@kaichop is the reigning expert at this, so I figured I'd ask for input. I'll keep at it.

I did not manually create some of these files. Perhaps I have to create a .wsgi file?

Had to add (because of SELinux on the droplet):

setsebool -P httpd_can_network_connect 1

HTTPS site now works. Will document in lab share.
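The 503 from Apache above and the SELinux boolean that resolved it are the two usual causes of a dead reverse proxy on a RHEL/CentOS-style host. The following diagnostic is an added example, not code from the PhenCards project: it pulls the backend URL out of the ProxyPass directives, checks whether anything is listening there, and asks SELinux (via getsebool, when present) whether httpd may open outbound connections. The sample config text is constructed from the lines in this issue; the file path under /etc/httpd is the one the issue names.

```python
"""Diagnose a 502/503 from an Apache reverse proxy in front of a Flask app."""
import os
import re
import shutil
import socket
import subprocess
from urllib.parse import urlsplit

# Matches "ProxyPass <path> <url>" but not ProxyPassReverse or commented-out lines.
PROXYPASS_RE = re.compile(r'^\s*ProxyPass\s+"?(\S+?)"?\s+(https?://\S+)', re.M)

# Constructed sample mirroring the ProxyPass lines from the issue's phencards.conf.
SAMPLE_CONF = "ProxyPass / http://localhost:5005/\nProxyPassReverse / http://localhost:5005/\n"

def proxy_backends(conf_text):
    """Return (path, backend URL) pairs for every active ProxyPass directive."""
    return [(m.group(1), m.group(2)) for m in PROXYPASS_RE.finditer(conf_text)]

def parse_sebool(getsebool_output):
    """Parse 'httpd_can_network_connect --> off' into a bool; None if the line is absent."""
    m = re.search(r"httpd_can_network_connect\s+-->\s+(on|off)", getsebool_output)
    return None if m is None else m.group(1) == "on"

def selinux_allows_httpd_network():
    """Query the live SELinux boolean; None when getsebool is not installed (no SELinux)."""
    if shutil.which("getsebool") is None:
        return None
    out = subprocess.run(["getsebool", "httpd_can_network_connect"], capture_output=True, text=True)
    return parse_sebool(out.stdout)

def backend_reachable(url, timeout=2.0):
    """True if a plain TCP connect to the backend's host:port succeeds."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    try:
        with socket.create_connection((u.hostname, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(conf_text, reachable=backend_reachable, sebool=selinux_allows_httpd_network):
    """One finding per backend; the probes are injectable so the logic can be tested offline."""
    findings, allowed = [], sebool()
    for path, url in proxy_backends(conf_text):
        if not reachable(url):
            findings.append(f"{path}: nothing listening at {url}; start the Flask app/uWSGI first")
        elif allowed is False:
            findings.append(f"{path}: backend up but SELinux blocks httpd; run: setsebool -P httpd_can_network_connect 1")
        else:
            findings.append(f"{path}: backend {url} reachable and SELinux permits the proxy")
    return findings

if __name__ == "__main__":
    conf = "/etc/httpd/conf.d/phencards.conf"
    text = open(conf).read() if os.path.exists(conf) else SAMPLE_CONF
    print("\n".join(diagnose(text)))
```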

According to the certbot documentation, the best renewal method is as follows (I slightly modified this for Apache):

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q --apache" | sudo tee -a /etc/crontab > /dev/null

This is now set in the crontab. It should automatically renew.

I have documented this process with some assistance from @kaichop here:
https://github.com/WGLab/LabShare/blob/master/Computing/HTTPSServer.md