521 on self-hosted websites

I had a number of issues which boiled down to there being a new path for node which needed to be changed in order for my Ghost website to be fixed. However, in fixing that error, which was masquerading as a 502 bad gateway, I now have another: Error 521 Web server is down.

I have looked through #CommunityTip 521 and tried to follow the instructions but nothing seems to make a jot of difference. I even disabled SSL for a short while to see if that would help.

Sites: www.corballis.co.uk and www.sarahcorballis.com

SSL: Cloudflare Flexible (although once sorted, I would like to move to Strict)
Webserver: nginx/1.10.3

Here is the output of nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

configuration file /etc/nginx/nginx.conf:

# Main (global) context of /etc/nginx/nginx.conf as printed by `nginx -T`
# (the forum rendering has stripped the file's original indentation).
user www-data;   # worker processes run as this unprivileged user; only the master keeps root
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;   # the load_module drop-ins listed further down in this dump

events {
worker_connections 768;
# multi_accept on;
}

http {

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;   # keeps the nginx version out of the Server header and error pages

server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# SSL Settings
##

# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). nginx 1.10.3
# predates TLSv1.3 support, so once the certificate problem is solved the
# hardened form for this build is `ssl_protocols TLSv1.2;` -- confirm no
# client that matters still needs the older versions.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
    #
    # Next two lines added by Toby on 2 Jan 2021 to try and resolve Cloudflare 521 issue
    #
    # NOTE(review): these two directives turn on client-certificate
    # authentication (Cloudflare "Authenticated Origin Pulls") for EVERY
    # `listen ... ssl` server in this http block: a TLS client that does not
    # present a certificate chaining to cloudflare.crt gets an HTTP 400
    # instead of the site. That includes browsers and curl hitting the origin
    # directly while Cloudflare is paused / DNS-only, and it presumably
    # requires Authenticated Origin Pulls to be enabled on the zone so the
    # edge sends one at all. With the "Flexible" mode in use, the edge talks
    # plain HTTP to the origin as far as I understand, so a check on 443 is
    # unlikely to be on the 521 path. Note also that no `ssl_certificate` /
    # `ssl_certificate_key` is defined anywhere in this dump, which is what
    # the error-log line quoted later in the thread reports.
    ssl_client_certificate /etc/nginx/ssl/cloudflare.crt;
    ssl_verify_client on;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;   # default `error` level; TLS handshake failures are logged here

##
# Gzip Settings
##

gzip on;
gzip_disable "msie6";

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    # gzip_types text/html text/plain text/css image/*;

##
# Virtual Host Configs
##

# The two site server blocks shown later in this dump come from sites-enabled/.
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

}

# NOTE(review): in the stock Debian nginx.conf this whole mail {} example is
# commented out line by line. Here only `#mail {`, `#}` and a few inner lines
# still carry their `#`, yet `nginx -T` reported the syntax as ok, so the
# missing `#` on the `server {` lines is presumably a forum-rendering artefact
# (a leading "# " treated as a heading) rather than the real file -- confirm by
# inspecting the file directly. If these servers were ever live they would
# expose plaintext POP3/IMAP proxies on localhost:110/143.
#mail {

# See sample authentication script at:

# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript

# auth_http localhost/auth.php;

# pop3_capabilities “TOP” “USER”;

# imap_capabilities “IMAP4rev1” “UIDPLUS”;

server {

listen localhost:110;

protocol pop3;

proxy on;

}

server {

listen localhost:143;

protocol imap;

proxy on;

}

#}

configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:

# NOTE(review): all of the modules below are loaded as dynamic modules although
# nothing in this dump uses auth_pam, dav_ext, echo, geoip, image_filter,
# subs_filter, upstream_fair, xslt_filter, mail (its context is commented out)
# or stream (no stream {} context at all). Unused modules are avoidable attack
# surface; these are Debian's default drop-ins and can be disabled by removing
# the matching symlink from modules-enabled/ -- confirm nothing outside this
# dump depends on them first.
load_module modules/ngx_http_auth_pam_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:

load_module modules/ngx_http_dav_ext_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:

load_module modules/ngx_http_echo_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:

load_module modules/ngx_http_geoip_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:

load_module modules/ngx_http_image_filter_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:

load_module modules/ngx_http_subs_filter_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:

load_module modules/ngx_http_upstream_fair_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:

load_module modules/ngx_http_xslt_filter_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:

# Loaded, but the only mail {} block in nginx.conf is commented out.
load_module modules/ngx_mail_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:

# Loaded, but no stream {} context appears anywhere in this dump.
load_module modules/ngx_stream_module.so;

configuration file /etc/nginx/mime.types:

# Extension -> Content-Type table pulled in by `include /etc/nginx/mime.types`
# in the http block. It only governs files nginx serves from a `root` itself
# (the static sarahcorballis.com site and the /.well-known locations);
# responses proxied from Ghost carry the upstream's own Content-Type. Worth
# remembering that anything under a served root with an html/htm/shtml
# extension is delivered as text/html -- relevant if uploads ever land there.
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml                           mml;
text/plain                            txt;
text/vnd.sun.j2me.app-descriptor      jad;
text/vnd.wap.wml                      wml;
text/x-component                      htc;

image/png                             png;
image/tiff                            tif tiff;
image/vnd.wap.wbmp                    wbmp;
image/x-icon                          ico;
image/x-jng                           jng;
image/x-ms-bmp                        bmp;
image/svg+xml                         svg svgz;
image/webp                            webp;

application/font-woff                 woff;
application/java-archive              jar war ear;
application/json                      json;
application/mac-binhex40              hqx;
application/msword                    doc;
application/pdf                       pdf;
application/postscript                ps eps ai;
application/rtf                       rtf;
application/vnd.apple.mpegurl         m3u8;
application/vnd.ms-excel              xls;
application/vnd.ms-fontobject         eot;
application/vnd.ms-powerpoint         ppt;
application/vnd.wap.wmlc              wmlc;
application/vnd.google-earth.kml+xml  kml;
application/vnd.google-earth.kmz      kmz;
application/x-7z-compressed           7z;
application/x-cocoa                   cco;
application/x-java-archive-diff       jardiff;
application/x-java-jnlp-file          jnlp;
application/x-makeself                run;
application/x-perl                    pl pm;
application/x-pilot                   prc pdb;
application/x-rar-compressed          rar;
application/x-redhat-package-manager  rpm;
application/x-sea                     sea;
application/x-shockwave-flash         swf;
application/x-stuffit                 sit;
application/x-tcl                     tcl tk;
application/x-x509-ca-cert            der pem crt;
application/x-xpinstall               xpi;
application/xhtml+xml                 xhtml;
application/xspf+xml                  xspf;
application/zip                       zip;

application/octet-stream              bin exe dll;
application/octet-stream              deb;
application/octet-stream              dmg;
application/octet-stream              iso img;
application/octet-stream              msi msp msm;

application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

audio/midi                            mid midi kar;
audio/mpeg                            mp3;
audio/ogg                             ogg;
audio/x-m4a                           m4a;
audio/x-realaudio                     ra;

video/3gpp                            3gpp 3gp;
video/mp2t                            ts;
video/mp4                             mp4;
video/mpeg                            mpeg mpg;
video/quicktime                       mov;
video/webm                            webm;
video/x-flv                           flv;
video/x-m4v                           m4v;
video/x-mng                           mng;
video/x-ms-asf                        asx asf;
video/x-ms-wmv                        wmv;
video/x-msvideo                       avi;

}

configuration file /etc/nginx/sites-enabled/corballis.co.uk:

# Reverse proxy for the Ghost blog on corballis.co.uk (upstream on 127.0.0.1:2368).
server {
listen 80;
listen [::]:80;
# NOTE(review): both 443 listeners are marked `ssl`, but no ssl_certificate /
# ssl_certificate_key appears in this server or in the http block, which is
# exactly what the error-log line quoted later in the thread reports
# ("no ssl_certificate is defined in server listening on SSL port"). Until a
# certificate exists, either drop these two listeners or add the cert
# directives; a bare `listen 443 ssl` without a cert cannot complete a handshake.
listen 443 ssl;
listen [::]:443 ssl;

server_name corballis.co.uk www.corballis.co.uk;
# Only consulted by the /.well-known location below; everything else is proxied.
root /var/www/corballis.co.uk/system/nginx-root;

location / {
    # NOTE(review): Ghost presumably decides whether to 301 to https from
    # X-Forwarded-Proto, so a plain-http hop here (what Cloudflare "Flexible"
    # mode and a direct `curl http://...` both produce) is the likely source
    # of the Express `301 -> https://localhost:2368/` seen in EDIT 4 --
    # confirm against Ghost's `url` setting.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # NOTE(review): when requests arrive through Cloudflare, $remote_addr is
    # the edge's address, not the visitor's. If the app logs or rate-limits by
    # X-Real-IP, restore the client address with ngx_http_realip_module keyed
    # to Cloudflare's published ranges; X-Forwarded-For alone is client-supplied
    # and should not be trusted from arbitrary sources.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_pass http://127.0.0.1:2368;
    
}

# NOTE(review): this is a regex location with an unescaped `.` and no anchor,
# so it matches any URI containing "/<any char>well-known" anywhere in the
# path; `location ^~ /.well-known/ { ... }` is the usual prefix form. Matching
# requests are served from `root` above (there is no proxy_pass here), so ACME
# http-01 files must land under .../system/nginx-root/.well-known/. `allow all`
# is a no-op because nothing in this server denies.
location ~ /.well-known {
    allow all;
}

client_max_body_size 50m;

}

configuration file /etc/nginx/sites-enabled/sarahcorballis.com:

# Static site for sarahcorballis.com served straight from the filesystem.
server {
listen 80;
listen [::]:80;
# NOTE(review): same problem as the corballis.co.uk server -- `ssl` listeners
# with no ssl_certificate / ssl_certificate_key anywhere in this dump.
listen 443 ssl;
listen [::]:443 ssl;

server_name sarahcorballis.com www.sarahcorballis.com;
root /var/www/sarahcorballis.com/;

index index.html;

# Unknown paths fall back to /index.html (served with 200, not 404).
try_files $uri $uri/ /index.html;

# NOTE(review): regex location with an unescaped `.` and no anchor (matches
# "/<any char>well-known" anywhere in the URI). Since this server already
# serves everything from `root` and nothing denies, the block is effectively
# redundant here; if kept, `location ^~ /.well-known/` is the tighter form.
location ~ /.well-known {
    allow all;
}

client_max_body_size 50m;

}

I see your conf listens on 443, but has no certs.

As it sounds like a few things got jumbled up, I suggest you “Pause Cloudflare on Site” for those (or switch those DNS entries to :grey: DNS Only), and get the sites up and running with HTTPS before you proxy them with Cloudflare.

Thanks @sdayman. So, I did this. Now, if I curl on http or https, I get the following respectively:

curl https://www.corballis.co.uk
curl: (7) Failed to connect to www.corballis.co.uk port 443: Operation timed out

curl http://www.corballis.co.uk
curl: (7) Failed to connect to www.corballis.co.uk port 80: Connection refused

The https I guess makes sense if there is no certificate there but the http one seems odd. Looking at both the nginx access and error logs yields no information. Looking at ufw.log the last ten lines are all the same:

[UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:01:04:d4:c4:4f:97:70:08:00 SRC=192.168.50.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=44632 DF PROTO=2

Which looks like noise about multicast router packets rather than anything pertinent to this issue.

EDIT: I realised that I wasn’t Port Forwarding on port 443 on my router (though I didn’t use to need to, but I think that was down to Cloudflare magic noodles), so I enabled that and now if I curl to https, I get this error instead:

LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.corballis.co.uk:443
and in the nginx error log, I get:
[error] 21542#21542: *1 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 192.168.178.1, server: 0.0.0.0:443

So, I shall now attempt to create the ssl certs using certbot and see what happens.

EDIT 2: So, what happens is that the challenges fail :frowning:
Performing the following challenges:
http-01 challenge for corballis.co.uk
http-01 challenge for sarahcorballis.com
http-01 challenge for www.corballis.co.uk
http-01 challenge for www.sarahcorballis.com
Waiting for verification…
Challenge failed for domain sarahcorballis.com
Challenge failed for domain corballis.co.uk
Challenge failed for domain www.corballis.co.uk
Challenge failed for domain www.sarahcorballis.com
http-01 challenge for sarahcorballis.com
http-01 challenge for corballis.co.uk
http-01 challenge for www.corballis.co.uk
http-01 challenge for www.sarahcorballis.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

So, back to the drawing board!

EDIT 3: I ran wget on localhost twice and can see that I’m getting a 301 redirect, though I can’t find a return or rewrite in the config file so that’s confusing

Here’s the output running wget on localhost:2368

--2021-01-02 20:30:03-- http://localhost:2368/
Resolving localhost (localhost)… ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:2368… failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:2368… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: https://localhost:2368/ [following]
--2021-01-02 20:30:03-- https://localhost:2368/
Connecting to localhost (localhost)|127.0.0.1|:2368… connected.
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.

and here it is when running wget on localhost:80
--2021-01-02 20:24:39-- http://localhost/
Resolving localhost (localhost)… ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: https://localhost/ [following]
--2021-01-02 20:24:39-- https://localhost/
Connecting to localhost (localhost)|::1|:443… connected.
GnuTLS: The TLS connection was non-properly terminated.
Unable to establish SSL connection.

Not much difference there but when wget localhost:443 then I get

Resolving localhost (localhost)… ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:443… connected.
HTTP request sent, awaiting response… Read error (Connection reset by peer) in headers.
Retrying.

(It retries 20 times before giving up)

My guess is there’s a redirect from port 80 to 443. This is a good idea if SSL is up and running but would seem to be a bad idea when it’s not, because it (and this is a guess) means that certbot can’t complete a challenge, as it is rerouted to 443 which isn’t yet working. So, I think (guess, pray) that the thing to do is to track down how the redirect is occurring and temporarily disable it. I’ll keep searching Google, but if anyone can point me in the right direction that would be amazing!

EDIT 4: Finally, for tonight, I did a curl -I localhost and this is what it threw up:

HTTP/1.1 301 Moved Permanently
X-Powered-By: Express
Cache-Control: public, max-age=31536000
Location: https://localhost:2368/
Vary: Accept, Accept-Encoding
Content-Type: text/plain; charset=utf-8
Content-Length: 57
Date: Sat, 02 Jan 2021 19:40:29 GMT
Connection: keep-alive
Keep-Alive: timeout=5

So, I am wondering if Express (node.js) is doing the redirect and that’s why I can’t find it in the nginx files. Unfortunately, I know nothing about node.js configuration so am clueless on where to look. Thus, I am going to have to wait until tomorrow and hope someone here knows more than me - the scant Googling I’ve done today has only thrown up pages that assume the reader already knows their onions when it comes to node.js / express.
