configuring Atom


Dana Miller

Feb 26, 2019, 12:50:17 PM
to AtoM Users
I am trying to configure Atom nginx to use SSL and HSTS. Every configuration I have tried fails when nginx reloads. I have the certs in place and have no luck so far getting https to work.

Ricardo Pinho

Feb 26, 2019, 1:21:12 PM
to ica-ato...@googlegroups.com
Hi Dana,
For AtoM/Ubuntu1604 we used the free https://letsencrypt.org/
from Electronic Frontier Foundation: https://www.eff.org/
Don't forget to donate to support the project!
https://supporters.eff.org/donate/support-work-on-certbot

Just install Certbot

https://certbot.eff.org/#ubuntuxenial-nginx


# Install python-certbot

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

# Certbot has an Nginx plugin, which is supported on many platforms, and automates both obtaining and installing certs:

sudo certbot --nginx -d [your_atom_domain]


Just follow the instructions... and it will work like a charm... and update certs regularly.

Cheers


Dana Miller <dmill...@gmail.com> wrote on Tuesday, 26/02/2019 at 17:50:
I am trying to configure Atom nginx to use SSL and HSTS. Every configuration I have tried fails when nginx reloads. I have the certs in place and have no luck so far getting https to work.



--
Ricardo Pinho

David Hume

Feb 26, 2019, 6:38:56 PM
to AtoM Users

Hi Dana,

Definitely concur with Ricardo on Let's Encrypt - we use the acmetool version ourselves - but you say you already have certs? Are they a variant on Let's Encrypt, or purchased from a Certificate Authority, or otherwise? Did you have to assemble your certificate from a mix of files (e.g. local and intermediate)? I know that chain can sometimes not be as straightforward as it should be. May I ask what the /var/log/nginx/error.log entry is when the nginx reload fails? And indeed, what system are you running on?

I gather your actual site file is a variant on


server {

  listen 80;
  server_name _;

  # possibly other stuff
  # redirect to https
  location / {
    return 301 https://$host$request_uri;
  }

}
   
server {

  listen 443 ssl;
  server_name _;

  ssl_certificate  /path/to/fullchain;
  ssl_certificate_key /path/to/keyfile;
  # and so on
}


Thanks,

    Dave Hume, Artefactual Systems Administrator

Dana Miller

Feb 27, 2019, 6:10:44 AM
to AtoM Users
Yes I have commercial certs from DigiCert.
I added the following to nginx.conf

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
  worker_connections 768;
  # multi_accept on;
}

http {
    ssl_certificate     /etc/nginx/ssl/gsarcarchives2_gsfc_nasa_gov.pem;
    ssl_certificate_key /etc/nginx/ssl/gsarcarchives2_gsfc_nasa_gov.key;
    ssl_prefer_server_ciphers on;
    ssl_ciphers         ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_protocols       TLSv1.2;


atom.conf

##
upstream atom {
  server unix:/var/run/php5-fpm.atom.sock;
}

server {

  listen 80;
  root /usr/share/nginx/atom;

  # http://wiki.nginx.org/HttpCoreModule#server_name
  # _ means catch any, but it's better if you replace this with your server
  # name, e.g. archives.foobar.com
  server_name _;

  client_max_body_size 72M;

  # http://wiki.nginx.org/HttpCoreModule#try_files
  location / {
    try_files $uri /index.php?$args;
  }

  location ~ /\. {
    deny all;
    return 404;
  }

  location ~* (\.yml|\.ini|\.tmpl)$ {
    deny all;
    return 404;
  }

  location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
    return 404;
  }

  location ~* /uploads/r/(.*)/conf/ {

  }

  location ~* ^/uploads/r/(.*)$ {
    include /etc/nginx/fastcgi_params;
    set $index /index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$index;
    fastcgi_param SCRIPT_NAME $index;
    fastcgi_pass atom;
  }

  location ~ ^/private/(.*)$ {
    internal;
    alias /usr/share/nginx/atom/$1;
  }

  location ~ ^/(index|qubit_dev)\.php(/|$) {
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    fastcgi_pass atom;
  }

  location ~* \.php$ {
    deny all;
    return 404;
  }

}

server {
    listen              443 ssl;
    listen              [::]:443 ssl;
    server_name         gsarcarchives2.gsfc.nasa.gov www.gsarcarchives2.gsfc.nasa.gov;
    root                /usr/share/nginx/atom;
}

This gets the https to display the welcome page in https. When I modify it to make port 80 redirect perm to 443 and add in the other stuff to the 443 section it fails to start.

Dana Miller

Feb 27, 2019, 7:00:11 AM
to AtoM Users
This is the error I get:

2019/02/25 04:22:39 [emerg] 3342#0: "upstream" directive is not allowed here in /etc/nginx/sites-available/atom.ssl.conf:1

Dana Miller

Feb 27, 2019, 8:37:04 AM
to AtoM Users
I got the site now to redirect and work in https. Now only have to configure HSTS. I have attached the configuration that worked with my commercial certs. Thanks for the help.


Attachments: atom.ssl.conf, nginx.conf

David Hume

Feb 27, 2019, 6:40:45 PM
to AtoM Users

Hi Dana - so to clarify, sounds like you've gotten past the "upstream" directive error you mentioned above?

So you just need (if you haven't already) an HSTS definition (after the ssl_... entries for instance) like

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

A potentially useful reference if you haven't seen it already - https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/


Let us know how it's going - Cheers,

       Dave Hume, Artefactual Systems
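Pulling the thread together, here is an added example of a single AtoM site file that does the three things discussed above: keeps `upstream` at the top level (the "upstream directive is not allowed here" error appears when that block ends up inside a `server {}` context), redirects plain HTTP to HTTPS, and serves AtoM over TLS with the HSTS header. This is not Dana's attached atom.ssl.conf nor Artefactual's shipped config; the PHP-FPM socket, document root and location blocks are copied from the atom.conf posted in this thread, while the host name atom.example.org and the certificate paths under /etc/nginx/ssl/ are assumed placeholders.

```nginx
# Added example site file for /etc/nginx/sites-available/ (not the thread's attachment).
# Assumed values: host name atom.example.org, cert/key paths under /etc/nginx/ssl/.

# upstream{} is only valid directly under http{}; the sites-available file is included
# from there, so this must sit at the top of the file, never inside a server{} block.
upstream atom {
  server unix:/var/run/php5-fpm.atom.sock;
}

# Port 80 answers every request with a permanent redirect and serves no content itself.
server {
  listen 80;
  listen [::]:80;
  server_name atom.example.org;   # assumed host name

  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name atom.example.org;   # assumed host name
  root /usr/share/nginx/atom;

  # The .pem must be the full chain (leaf certificate followed by the CA intermediates),
  # otherwise some clients will fail to validate even though nginx starts cleanly.
  ssl_certificate     /etc/nginx/ssl/atom.example.org.pem;   # assumed path
  ssl_certificate_key /etc/nginx/ssl/atom.example.org.key;   # assumed path
  ssl_protocols       TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers         ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

  # HSTS: 15768000 s = 6 months, as suggested above. Browsers that see this header refuse
  # plain HTTP to the host for the whole period, so test with a short max-age (e.g. 300)
  # first and raise it once the redirect and certificate chain are confirmed working.
  # "always" makes nginx add the header on error responses too (nginx 1.7.5 and later).
  add_header Strict-Transport-Security "max-age=15768000" always;

  client_max_body_size 72M;

  location / {
    try_files $uri /index.php?$args;
  }

  location ~ /\. {
    deny all;
    return 404;
  }

  location ~* (\.yml|\.ini|\.tmpl)$ {
    deny all;
    return 404;
  }

  location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
    return 404;
  }

  location ~* /uploads/r/(.*)/conf/ {
  }

  location ~* ^/uploads/r/(.*)$ {
    include /etc/nginx/fastcgi_params;
    set $index /index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$index;
    fastcgi_param SCRIPT_NAME $index;
    fastcgi_pass atom;
  }

  location ~ ^/private/(.*)$ {
    internal;
    alias /usr/share/nginx/atom/$1;
  }

  location ~ ^/(index|qubit_dev)\.php(/|$) {
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    fastcgi_pass atom;
  }

  location ~* \.php$ {
    deny all;
    return 404;
  }
}
```

Run `sudo nginx -t` before reloading: it reports context errors such as the misplaced `upstream` with the file and line number, which is the same message Dana quoted from error.log. Note that `add_header` directives are not inherited into a `location {}` that declares its own `add_header`, so if you later add one inside a location, repeat the HSTS line there too.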

Dana Miller

Feb 28, 2019, 7:25:24 AM
to AtoM Users
It's all up and running in HSTS.

