
Hope you can help.

My setup: ubuntu 20.04 HestiaCP v1.6

From the Error log:

08:06:30 [error] 1197401#1197401: *11270 connect() failed (111: Connection refused) while connecting to upstream, client: 77.102.184.93, server: gldn.page, request: "GET / HTTP/2.0", upstream: "http://127.0.0.1:8080/", host: "gldn.page"

I am trying to make HestiaCP use the Let's Encrypt certificates I have for gldn.page and *.gldn.page, and to use the server more efficiently.

Since both nginx and Apache are on the same host and the host is secure, it’s a waste of resources to encrypt and decrypt using HTTPS between nginx and Apache. I would rather just have nginx terminate the TLS and reverse proxy to http://127.0.0.1:8080 using plain HTTP. That way I don’t need the certificates for Apache.

These are my config files

First, the nginx server block listening on port 80, which does a 301 redirect to https (from an include):

server {
    listen      78.110.163.102:80;
    server_name gldn.page *.gldn.page;
    include     /home/dave/conf/web/gldn.page/nginx.forcessl.conf*;
    ## return 301 https://$host$request_uri;

    location / {
        proxy_pass      http://78.110.163.102:8080;
        location ~* ^.+\.(jpg|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf|webp|woff|txt|csv|rtf|doc|docx|xls|xlsx|ppt|pptx|odf|odp|ods|odt|pdf|psd|ai|eot|eps|ps|zip|tar|tgz|gz|rar|bz2|7z|aac|m4a|mp3|mp4|ogg|wav|wma|3gp|avi|flv|m4v|mkv|mov|mpeg|mpg|wmv|exe|iso|dmg|swf)$ {
            root           /home/dave/web/gldn.page/public_html;
            access_log     /var/log/apache2/domains/gldn.page.log combined;
            access_log     /var/log/apache2/domains/gldn.page.bytes bytes;
            expires        max;
            try_files      $uri @fallback;
        }
    }

    location /error/ {
        alias   /home/dave/web/gldn.page/document_errors/;
    }

    location @fallback {
        proxy_pass      http://78.110.163.102:8080;
    }

    location ~ /\.(?!well-known\/|file) {
        deny all;
        return 404;
    }

    include /home/dave/conf/web/gldn.page/nginx.conf_*;
}

Next, the nginx server block listening on port 443, which proxies to 8080:

server {
    listen      78.110.163.102:443 ssl http2;
    server_name gldn.page *.gldn.page;
    ssl_certificate      /etc/letsencrypt/live/gldn.page/cert.pem;
    ssl_certificate_key  /etc/letsencrypt/live/gldn.page/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    error_log  /var/log/apache2/domains/gldn.page.error.log error;
    include    /home/dave/conf/web/gldn.page/nginx.hsts.conf*;

    location / {
        proxy_pass      http://127.0.0.1:8080;
        location ~* ^.+\.(jpg|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf|webp|woff|txt|csv|rtf|doc|docx|xls|xlsx|ppt|pptx|odf|odp|ods|odt|pdf|psd|ai|eot|eps|ps|zip|tar|tgz|gz|rar|bz2|7z|aac|m4a|mp3|mp4|ogg|wav|wma|3gp|avi|flv|m4v|mkv|mov|mpeg|mpg|wmv|exe|iso|dmg|swf)$ {
            root           /home/dave/web/gldn.page/public_html;
            access_log     /var/log/apache2/domains/gldn.page.log combined;
            access_log     /var/log/apache2/domains/gldn.page.bytes bytes;
            expires        max;
            try_files      $uri @fallback;
        }
    }

    location /error/ {
        alias   /home/dave/web/gldn.page/document_errors/;
    }

    location @fallback {
        proxy_pass      https://78.110.163.102:8443;
    }

    location ~ /\.(?!well-known\/|file) {
        deny all;
        return 404;
    }

    proxy_hide_header Upgrade;

    include /home/dave/conf/web/gldn.page/nginx.ssl.conf_*;
}

Now the Apache config for port 8080.

Perhaps the ServerName should be localhost?

<VirtualHost 127.0.0.1:8080>
    ServerName gldn.page
    ServerAlias *.gldn.page
    ServerAdmin info@gldn.page
    DocumentRoot /home/dave/web/gldn.page/public_html
    ScriptAlias /cgi-bin/ /home/dave/web/gldn.page/cgi-bin/
    Alias /vstats/ /home/dave/web/gldn.page/stats/
    Alias /error/ /home/dave/web/gldn.page/document_errors/
    #SuexecUserGroup dave dave
    CustomLog /var/log/apache2/domains/gldn.page.bytes bytes
    CustomLog /var/log/apache2/domains/gldn.page.log combined
    ErrorLog /var/log/apache2/domains/gldn.page.error.log
    IncludeOptional /home/dave/conf/web/gldn.page/apache2.forcessl.conf*

    <Directory /home/dave/web/gldn.page/stats>
        AllowOverride All
    </Directory>
    <Directory /home/dave/web/gldn.page/public_html>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
    </Directory>

    <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php8.0-fpm-gldn.page.sock|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional /home/dave/conf/web/gldn.page/apache2.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

I am getting a 500 server error and the error log shows this:

08:06:30 [error] 1197401#1197401: *11270 connect() failed (111: Connection refused) while connecting to upstream, client: 77.102.184.93, server: gldn.page, request: "GET / HTTP/2.0", upstream: "http://127.0.0.1:8080/", host: "gldn.page"

Hope someone can help me get this working.

UPDATE

I TRIED CHANGING THE APACHE CONFIG TO THIS ...

<VirtualHost 127.0.0.1:8080>
    ServerName localhost

    DocumentRoot /home/dave/web/gldn.page/public_html
    ScriptAlias /cgi-bin/ /home/dave/web/gldn.page/cgi-bin/
    Alias /vstats/ /home/dave/web/gldn.page/stats/
    Alias /error/ /home/dave/web/gldn.page/document_errors/
    #SuexecUserGroup dave dave
    CustomLog /var/log/apache2/domains/gldn.page.bytes bytes
    CustomLog /var/log/apache2/domains/gldn.page.log combined
    ErrorLog /var/log/apache2/domains/gldn.page.error.log

    IncludeOptional /home/dave/conf/web/gldn.page/apache2.forcessl.conf*

    <Directory /home/dave/web/gldn.page/stats>
        AllowOverride All
    </Directory>
    <Directory /home/dave/web/gldn.page/public_html>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
    </Directory>

    <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php8.0-fpm-gldn.page.sock|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional /home/dave/conf/web/gldn.page/apache2.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

I STILL GET THIS ERROR

2022/06/20 13:26:26 [error] 1317338#1317338: *12028 connect() failed (111: Connection refused) while connecting to upstream, client: 77.102.184.93, server: gldn.page, request: "GET / HTTP/2.0", upstream: "http://127.0.0.1:8080/", host: "gldn.page"

The suggested resource says ...

If the error message says the remote service is on "127.0.0.1" or "localhost" that means the configuration file is telling the client that the service is on the local server. If your client is trying to talk to a remote system, then your configuration is broken.

Check that there isn't an entry for your hostname mapped to 127.0.0.1 or 127.0.1.1 in /etc/hosts (Ubuntu is notorious for this).

I have this:

root@expressresponse:/var/log/apache2/domains# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       no.ukservers.com        no

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 expressresponse.net

Just checked with telnet:

root@expressresponse:/# telnet localhost 8080
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

So is UFW blocking it?

root@expressresponse:/# ufw status
Status: inactive

Maybe HestiaCP has its own firewall?

Apache appears to be running

root@expressresponse:/# systemctl status apache2
* apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-06-20 03:11:02 BST; 10h ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 1099994 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
    Process: 1317164 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
   Main PID: 1100013 (apache2)
      Tasks: 56 (limit: 19071)
     Memory: 21.4M
     CGroup: /system.slice/apache2.service
             |-1100013 /usr/sbin/apache2 -k start
             |-1317206 /usr/sbin/apache2 -k start
             |-1317207 /usr/sbin/apache2 -k start
             `-1317208 /usr/sbin/apache2 -k start

Jun 20 13:25:10 expressresponse.net systemd[1]: Reloading The Apache HTTP Server.
Jun 20 13:25:10 expressresponse.net systemd[1]: Reloaded The Apache HTTP Server.
Jun 20 13:25:15 expressresponse.net systemd[1]: Reloading The Apache HTTP Server.
Jun 20 13:25:15 expressresponse.net systemd[1]: Reloaded The Apache HTTP Server.
Jun 20 13:25:32 expressresponse.net systemd[1]: Reloading The Apache HTTP Server.
Jun 20 13:25:32 expressresponse.net systemd[1]: Reloaded The Apache HTTP Server.
Jun 20 13:25:33 expressresponse.net systemd[1]: Reloading The Apache HTTP Server.
Jun 20 13:25:33 expressresponse.net systemd[1]: Reloaded The Apache HTTP Server.
Jun 20 13:25:38 expressresponse.net systemd[1]: Reloading The Apache HTTP Server.
Jun 20 13:25:38 expressresponse.net systemd[1]: Reloaded The Apache HTTP Server.

Result from journalctl -xe -u apache2

 A reload job for unit apache2.service has finished.
--
-- The job identifier is 95031 and the job result is done.

Result from : root@expressresponse:/# ss -tnlp | grep apache2


LISTEN 0      511                        94.46.186.222:8443        0.0.0.0:*     users:(("apache2",pid=1317208,fd=8),("apache2",pid=1317207,fd=8),("apache2",pid=1317206,fd=8),("apache2",pid=1100013,fd=8))
LISTEN 0      511                       78.157.211.222:8443        0.0.0.0:*     users:(("apache2",pid=1317208,fd=6),("apache2",pid=1317207,fd=6),("apache2",pid=1317206,fd=6),("apache2",pid=1100013,fd=6))
LISTEN 0      511                       78.110.163.102:8443        0.0.0.0:*     users:(("apache2",pid=1317208,fd=4),("apache2",pid=1317207,fd=4),("apache2",pid=1317206,fd=4),("apache2",pid=1100013,fd=4))
LISTEN 0      511                        94.46.186.222:8080        0.0.0.0:*     users:(("apache2",pid=1317208,fd=9),("apache2",pid=1317207,fd=9),("apache2",pid=1317206,fd=9),("apache2",pid=1100013,fd=9))
LISTEN 0      511                       78.157.211.222:8080        0.0.0.0:*     users:(("apache2",pid=1317208,fd=7),("apache2",pid=1317207,fd=7),("apache2",pid=1317206,fd=7),("apache2",pid=1100013,fd=7))
LISTEN 0      511                       78.110.163.102:8080        0.0.0.0:*     users:(("apache2",pid=1317208,fd=5),("apache2",pid=1317207,fd=5),("apache2",pid=1317206,fd=5),("apache2",pid=1100013,fd=5))
LISTEN 0      511                            127.0.0.1:8081        0.0.0.0:*     users:(("apache2",pid=1317208,fd=3),("apache2",pid=1317207,fd=3),("apache2",pid=1317206,fd=3),("apache2",pid=1100013,fd=3))
root@expressresponse:/#

And, if it's helpful ... ss -tnlp | grep nginx

LISTEN 0      511                        94.46.186.222:443         0.0.0.0:*     users:(("nginx",pid=1317344,fd=83),("nginx",pid=1317343,fd=83),("nginx",pid=1317342,fd=83),("nginx",pid=1317341,fd=83),("nginx",pid=1317340,fd=83),("nginx",pid=1317339,fd=83),("nginx",pid=1317338,fd=83),("nginx",pid=1317337,fd=83),("nginx",pid=314698,fd=83))
LISTEN 0      511                       78.157.211.222:443         0.0.0.0:*     users:(("nginx",pid=1317344,fd=82),("nginx",pid=1317343,fd=82),("nginx",pid=1317342,fd=82),("nginx",pid=1317341,fd=82),("nginx",pid=1317340,fd=82),("nginx",pid=1317339,fd=82),("nginx",pid=1317338,fd=82),("nginx",pid=1317337,fd=82),("nginx",pid=314698,fd=82))
LISTEN 0      511                       78.110.163.102:443         0.0.0.0:*     users:(("nginx",pid=1317344,fd=81),("nginx",pid=1317343,fd=81),("nginx",pid=1317342,fd=81),("nginx",pid=1317341,fd=81),("nginx",pid=1317340,fd=81),("nginx",pid=1317339,fd=81),("nginx",pid=1317338,fd=81),("nginx",pid=1317337,fd=81),("nginx",pid=314698,fd=81))
LISTEN 0      511                        94.46.186.222:80          0.0.0.0:*     users:(("nginx",pid=1317344,fd=80),("nginx",pid=1317343,fd=80),("nginx",pid=1317342,fd=80),("nginx",pid=1317341,fd=80),("nginx",pid=1317340,fd=80),("nginx",pid=1317339,fd=80),("nginx",pid=1317338,fd=80),("nginx",pid=1317337,fd=80),("nginx",pid=314698,fd=80))
LISTEN 0      511                       78.157.211.222:80          0.0.0.0:*     users:(("nginx",pid=1317344,fd=79),("nginx",pid=1317343,fd=79),("nginx",pid=1317342,fd=79),("nginx",pid=1317341,fd=79),("nginx",pid=1317340,fd=79),("nginx",pid=1317339,fd=79),("nginx",pid=1317338,fd=79),("nginx",pid=1317337,fd=79),("nginx",pid=314698,fd=79))
LISTEN 0      511                       78.110.163.102:80          0.0.0.0:*     users:(("nginx",pid=1317344,fd=78),("nginx",pid=1317343,fd=78),("nginx",pid=1317342,fd=78),("nginx",pid=1317341,fd=78),("nginx",pid=1317340,fd=78),("nginx",pid=1317339,fd=78),("nginx",pid=1317338,fd=78),("nginx",pid=1317337,fd=78),("nginx",pid=314698,fd=78))
LISTEN 0      511                              0.0.0.0:8083        0.0.0.0:*     users:(("hestia-nginx",pid=3722039,fd=6),("hestia-nginx",pid=3722037,fd=6))
LISTEN 0      511                            127.0.0.1:8084        0.0.0.0:*     users:(("nginx",pid=1317344,fd=84),("nginx",pid=1317343,fd=84),("nginx",pid=1317342,fd=84),("nginx",pid=1317341,fd=84),("nginx",pid=1317340,fd=84),("nginx",pid=1317339,fd=84),("nginx",pid=1317338,fd=84),("nginx",pid=1317337,fd=84),("nginx",pid=314698,fd=84))
root@expressresponse:~#

BTW I have a mailserver running.

And apparently HestiaCP uses iptables as its firewall.

I found the "Firewall" in HestiaCP

I have opened port 8085


and ran service hestia restart and service apache2 restart,

and cat /home/dave/conf/web/gldn.page/apache2.conf

<VirtualHost 127.0.0.1:8085>
    ServerName localhost

    DocumentRoot /home/dave/web/gldn.page/public_html
    ScriptAlias /cgi-bin/ /home/dave/web/gldn.page/cgi-bin/
    Alias /vstats/ /home/dave/web/gldn.page/stats/
    Alias /error/ /home/dave/web/gldn.page/document_errors/
    #SuexecUserGroup dave dave
    CustomLog /var/log/apache2/domains/gldn.page.bytes bytes
    CustomLog /var/log/apache2/domains/gldn.page.log combined
    ErrorLog /var/log/apache2/domains/gldn.page.error.log

    IncludeOptional /home/dave/conf/web/gldn.page/apache2.forcessl.conf*

    <Directory /home/dave/web/gldn.page/stats>
        AllowOverride All
    </Directory>
    <Directory /home/dave/web/gldn.page/public_html>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
    </Directory>

    <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php8.0-fpm-gldn.page.sock|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional /home/dave/conf/web/gldn.page/apache2.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

BUT still the port is not listening

root@expressresponse:~# ss -tnlp | grep apache2
LISTEN    0         511           94.46.186.222:8080            0.0.0.0:*        users:(("apache2",pid=75104,fd=9),("apache2",pid=75103,fd=9),("apache2",pid=75102,fd=9),("apache2",pid=75101,fd=9))
LISTEN    0         511          78.157.211.222:8080            0.0.0.0:*        users:(("apache2",pid=75104,fd=7),("apache2",pid=75103,fd=7),("apache2",pid=75102,fd=7),("apache2",pid=75101,fd=7))
LISTEN    0         511          78.110.163.102:8080            0.0.0.0:*        users:(("apache2",pid=75104,fd=5),("apache2",pid=75103,fd=5),("apache2",pid=75102,fd=5),("apache2",pid=75101,fd=5))
LISTEN    0         511               127.0.0.1:8081            0.0.0.0:*        users:(("apache2",pid=75104,fd=3),("apache2",pid=75103,fd=3),("apache2",pid=75102,fd=3),("apache2",pid=75101,fd=3))
LISTEN    0         511           94.46.186.222:8443            0.0.0.0:*        users:(("apache2",pid=75104,fd=8),("apache2",pid=75103,fd=8),("apache2",pid=75102,fd=8),("apache2",pid=75101,fd=8))
LISTEN    0         511          78.157.211.222:8443            0.0.0.0:*        users:(("apache2",pid=75104,fd=6),("apache2",pid=75103,fd=6),("apache2",pid=75102,fd=6),("apache2",pid=75101,fd=6))
LISTEN    0         511          78.110.163.102:8443            0.0.0.0:*        users:(("apache2",pid=75104,fd=4),("apache2",pid=75103,fd=4),("apache2",pid=75102,fd=4),("apache2",pid=75101,fd=4))
root@expressresponse:~#
What have I missed?
root@expressresponse:~# telnet localhost 8085
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

How do I get 127.0.0.1:8085 opened and listened on?

Thanks, Dave.

Dave

3 Answers


Apache is not configured to listen to port 8080 on the 127.0.0.1 interface. Check the Listen directives in the rest of your Apache configuration.

Gerald Schneider

By default, Apache will not listen on port 8085, no matter whether your server's firewall permits it or not. You need to specify Listen 8085 in your /etc/apache2/ports.conf file, or in any other config file that Apache reads, to get Apache to listen on that port, even if you set it in the VirtualHost address.

Pauchu
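As an added example, not from the thread, from HestiaCP or from either answerer, the following shell script automates the check the two answers above describe: it pulls the proxy_pass targets out of an nginx vhost, compares them against the Listen directives Apache actually has, and reports any upstream socket nothing is bound to, which is exactly the condition that produces the "connect() failed (111: Connection refused)" line in the question. It also flags backend listeners on non-loopback addresses, because once nginx terminates TLS, Apache's port 8080 on a public IP is a plaintext socket reachable from the Internet unless the packet filter blocks it. The script runs offline on constructed snippets modelled on the question's configs and ss output; the input paths mentioned in the comments are assumptions about a typical install, not verified Hestia layout.

```shell
#!/usr/bin/env bash
# Added example, not part of the thread: cross-check the sockets nginx proxies to
# against the Listen directives Apache actually has (the check both answers ask
# for). Runs offline on the constructed snippets below. On a live host the
# inputs could come from something like
#   cat /etc/nginx/conf.d/domains/gldn.page.conf      # nginx vhost (path assumed)
#   apachectl -t -D DUMP_INCLUDES | xargs cat         # every Apache file read (assumed)

# Constructed nginx vhost modelled on the question's 443 server block.
NGINX_CFG='
server {
    listen 78.110.163.102:443 ssl http2;
    location / { proxy_pass http://127.0.0.1:8080; }
    location @fallback { proxy_pass https://78.110.163.102:8443; }
}'

# Constructed Apache Listen config matching the ss output in the question:
# public IPs on 8080/8443, loopback only on 8081, nothing on 127.0.0.1:8080.
APACHE_CFG='
Listen 78.110.163.102:8080
Listen 78.110.163.102:8443
Listen 94.46.186.222:8080   # second IP on the box
Listen 127.0.0.1:8081'

# The fix the answers describe: one extra loopback socket.
FIXED_CFG="$APACHE_CFG
Listen 127.0.0.1:8080"

# Print host:port of every proxy_pass target, with scheme and ";" stripped.
nginx_upstreams() {
  printf '%s\n' "$1" | sed 's/#.*//' \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "proxy_pass") { sub(/;$/, "", $(i+1)); print $(i+1) } }' \
    | sed -E 's#^https?://##'
}

# listen_covers CONFIG HOST:PORT -> exit 0 if some Listen accepts that socket.
# A bare "Listen 8080", "0.0.0.0:8080" or "*:8080" covers every IPv4 address.
listen_covers() {
  local cfg="$1" want_ip="${2%:*}" want_port="${2##*:}" spec ip port
  while read -r spec; do
    case "$spec" in
      '')  continue ;;
      *:*) ip="${spec%:*}"; port="${spec##*:}" ;;
      *)   ip="0.0.0.0";    port="$spec" ;;
    esac
    [ "$port" = "$want_port" ] || continue
    case "$ip" in
      "$want_ip"|0.0.0.0|'*') return 0 ;;
    esac
  done <<EOF
$(printf '%s\n' "$cfg" | sed 's/#.*//' | awk 'tolower($1) == "listen" { print $2 }')
EOF
  return 1
}

# missing_listens NGINX_CFG APACHE_CFG -> one line per upstream nothing listens on.
# Each of these is a guaranteed "connect() failed (111: Connection refused)".
missing_listens() {
  local up
  while read -r up; do
    [ -n "$up" ] || continue
    listen_covers "$2" "$up" || printf '%s\n' "$up"
  done <<EOF
$(nginx_upstreams "$1")
EOF
}

# exposed_listens APACHE_CFG PORT -> Listen addresses for PORT that are not
# loopback. With nginx terminating TLS, a plaintext backend bound to a public
# IP is reachable from outside unless iptables blocks it; bind 127.0.0.1 only.
exposed_listens() {
  printf '%s\n' "$1" | sed 's/#.*//' | awk -v p="$2" '
    tolower($1) == "listen" {
      n = split($2, a, ":"); port = a[n]
      ip = (n > 1) ? substr($2, 1, length($2) - length(port) - 1) : "0.0.0.0"
      if (port == p && ip != "127.0.0.1" && ip != "[::1]") print ip
    }'
}

main() {
  echo "upstreams nothing listens on:"
  missing_listens "$NGINX_CFG" "$APACHE_CFG" | sed 's/^/  /'
  echo "plaintext port 8080 bound outside loopback:"
  exposed_listens "$APACHE_CFG" 8080 | sed 's/^/  /'
  echo "after adding 'Listen 127.0.0.1:8080', still missing: [$(missing_listens "$NGINX_CFG" "$FIXED_CFG")]"
}
main "$@"
```

On the real host the fix is the line the script appends to its constructed config, Listen 127.0.0.1:8080, placed in /etc/apache2/ports.conf or wherever the install keeps its Listen directives, followed by apachectl configtest, a reload, and the same ss -tnlp | grep 8080 check the question already uses. The exposed_listens output is the part worth acting on afterwards: if the plan is plain HTTP between nginx and Apache on loopback, the public-IP 8080 listeners are no longer needed and only widen the attack surface.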

Nginx error 500 is usually caused by config files with issues, or permission issues. This article may help: https://www.copahost.com/blog/nginx-500-internal-server-error/