Website cannot be reached from Local network via IP, but via SSL URL it's working

Dear ERPNext Lovers,

I noticed on a freshly installed instance working fine with SSL over a valid domain that it cannot be reached over a local IP in the same network (https://192.168.2.1). Before configuring SSL it was no problem, but after "sudo bench setup lets-encrypt" it only shows the “We will be back soon” screen from ERPNext.

The Web GUI is still working when reached over https://domain.com, which was configured for it.

We have tried all stuff like: update, nginx reload, config reset etc. but still not possible to login via local IP only through the SSL domain.

Maybe you know why and how to fix it?

Thank you and Warm Regards

Can you post contents of nginx.conf?

Most likely will be found at below path.

~/frappe-bench/config/nginx.conf

Regards,
Vamyip

-Yes this is my nginx.conf:

upstream frappe-bench-frappe {
server 127.0.0.1:8000 fail_timeout=0;
}

upstream frappe-bench-socketio-server {
server 127.0.0.1:9000 fail_timeout=0;
}

# setup maps

# server blocks

server {
listen 443;
server_name
erpnext.domain.com
;

root /home/frappe/frappe-bench/sites;




ssl on;
ssl_certificate      /etc/letsencrypt/live/erpnext.domain.com/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/erpnext.domain.com/privkey.pem;
ssl_session_timeout  5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_prefer_server_ciphers   on;


location /assets {
	try_files $uri =404;
}

location ~ ^/protected/(.*) {
	internal;
	try_files /$host/$1 =404;
}

location /socket.io {
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_set_header X-Frappe-Site-Name $host;
	proxy_set_header Origin $scheme://$http_host;
	proxy_set_header Host $host;

	proxy_pass http://frappe-bench-socketio-server;
}

location / {
	try_files /$host/public/$uri @webserver;
}

location @webserver {
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Frappe-Site-Name $host;
	proxy_set_header Host $host;
	proxy_set_header X-Use-X-Accel-Redirect True;
	proxy_read_timeout 120;
	proxy_redirect off;

	proxy_pass  http://frappe-bench-frappe;
}

# error pages
error_page 502 /502.html;
location /502.html {
	root /home/frappe/.bench/bench/config/templates;
	internal;
}

# optimizations
sendfile on;
keepalive_timeout 15;
client_max_body_size 50m;
client_body_buffer_size 16K;
client_header_buffer_size 1k;

# enable gzip compression
# based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
gzip on;
gzip_http_version 1.1;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
	application/atom+xml
	application/javascript
	application/json
	application/rss+xml
	application/vnd.ms-fontobject
	application/x-font-ttf
	application/font-woff
	application/x-web-app-manifest+json
	application/xhtml+xml
	application/xml
	font/opentype
	image/svg+xml
	image/x-icon
	text/css
	text/plain
	text/x-component
	;
	# text/html is always compressed by HttpGzipModule

}

# http to https redirect

server {
	listen 80;
	server_name
		erpnext.domain.com
		;

	return 301 https://$host$request_uri;
}

Regards

server_name
erpnext.domain.com
192.168.2.1
;

should work

I tried adding the local IP like trentmu suggested, but still after nginx and server reboot it is the same error page "We will be back soon", and trying over the URL it is working fine. I also had a hostname in the site_config.json which I have deleted.

Could it be that this is something about the ERPNext firewall “sudo bench setup firewall”?
This is activated on this host but there is no command to deactivate it again, or is there?

You may also need to give the certificate the 192.168.2.1 “alias”

How would that work when it is a valid lets-encrypt certificate?

When the certificate is created, you can specify additional server names to be included in the certificate.

Your alternative is to add an entry in the hosts file of the client machine
192.168.2.1 your.valid.server.name

I do not believe this is possible without setting nginx not to redirect port 80 to 443. Also, Let’s Encrypt only gives a cert for a domain, not for an IP address.

Tried it all, but it did not work. The final solution was a static local DNS Resolver entry and/or DNS Rebind exception for the ERPNext domain if no DNS Resolver is present.
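
Added example, not part of any post in this thread: a simplified Python model of how nginx picks a server block and what the posted `location` blocks then derive from `$host`, for the three request shapes discussed above. It assumes the bench has a single site directory named `erpnext.domain.com`, models exact `server_name` matches only, and does not model Frappe's response or TLS certificate validation.

```python
# Added illustration, not from the thread: simplified nginx server selection
# (exact server_name match only, else the first server block on that port).
SITES_ROOT = "/home/frappe/frappe-bench/sites"  # "root" in the posted config
SITE_DIRS = {"erpnext.domain.com"}  # assumption: the one site on this bench

POSTED = [
    {"listen": 443, "server_name": ["erpnext.domain.com"]},
    {"listen": 80, "server_name": ["erpnext.domain.com"]},
]
# Same config with the IP added to server_name, as suggested in the thread.
SUGGESTED = [
    {"listen": 443, "server_name": ["erpnext.domain.com", "192.168.2.1"]},
    {"listen": 80, "server_name": ["erpnext.domain.com", "192.168.2.1"]},
]

def host_var(host_header):
    """nginx $host for a normal request: Host header, lowercased, no port."""
    return host_header.split(":")[0].lower()

def select_server(servers, port, host):
    """Return (server block, matched_by_name) for a request on this port."""
    on_port = [s for s in servers if s["listen"] == port]
    for server in on_port:
        if host in server["server_name"]:
            return server, True
    # No name matched: nginx falls back to the default server for the port.
    return (on_port[0] if on_port else None), False

def trace(servers, port, host_header):
    """Values the posted location blocks derive from $host."""
    host = host_var(host_header)
    _, matched = select_server(servers, port, host)
    return {
        "matched_by_name": matched,
        "site_name": host,                    # X-Frappe-Site-Name $host
        "site_path": f"{SITES_ROOT}/{host}",  # try_files /$host/public/$uri
        "site_dir_exists": host in SITE_DIRS,
    }

if __name__ == "__main__":
    for label, servers, header in [
        ("posted config, https://192.168.2.1", POSTED, "192.168.2.1"),
        ("IP added to server_name", SUGGESTED, "192.168.2.1"),
        ("local DNS or hosts entry", POSTED, "erpnext.domain.com"),
    ]:
        print(label, trace(servers, 443, header))
```

Adding the IP to `server_name` changes which block matches but not the value of `$host`, so the site name passed upstream is still the IP; only a request whose Host header carries the domain (local DNS or hosts entry) maps to the existing site directory.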