
Hope you can help.

My setup: Ubuntu 20.04, HestiaCP v1.6

From the error log:

08:06:30 [error] 1197401#1197401: *11270 connect() failed (111: Connection refused) while connecting to upstream, client: 77.102.184.93, server: gldn.page, request: "GET / HTTP/2.0", upstream: "http://127.0.0.1:8080/", host: "gldn.page"

I am trying to make HestiaCP use the Let's Encrypt certificates I have for gldn.page and *.gldn.page, and use the server more efficiently.

Since both Nginx and Apache are on the same host and the host is secure, it's a waste of resources to encrypt and decrypt using HTTPS between Nginx and Apache. I would rather just have Nginx terminate the TLS and reverse proxy it to http://127.0.0.1:8080 using plain HTTP. That way I don't need the certificates for Apache.

These are my config files.

First, the Nginx server block listening on port 80, which does a 301 redirect to HTTPS (from the include):

server {
    listen      78.110.163.102:80;
    server_name gldn.page *.gldn.page;

    include /home/dave/conf/web/gldn.page/nginx.forcessl.conf*;
          ## return 301 https://$host$request_uri;  

    location / {
        proxy_pass      http://78.110.163.102:8080;
        location ~* ^.+\.(jpg|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf|webp|woff|txt|csv|rtf|doc|docx|xls|xlsx|ppt|pptx|odf|odp|ods|odt|pdf|psd|ai|eot|eps|ps|zip|tar|tgz|gz|rar|bz2|7z|aac|m4a|mp3|mp4|ogg|wav|wma|3gp|avi|flv|m4v|mkv|mov|mpeg|mpg|wmv|exe|iso|dmg|swf)$ {
            root           /home/dave/web/gldn.page/public_html;
            access_log     /var/log/apache2/domains/gldn.page.log combined;
            access_log     /var/log/apache2/domains/gldn.page.bytes bytes;
            expires        max;
            try_files      $uri @fallback;
        }
    }

    location /error/ {
        alias   /home/dave/web/gldn.page/document_errors/;
    }

    location @fallback {
        proxy_pass      http://78.110.163.102:8080;
    }

    location ~ /\.(?!well-known\/|file) {
       deny all;
       return 404;
    }

    include /home/dave/conf/web/gldn.page/nginx.conf_*;
}

Next, the Nginx server block listening on port 443, which proxies to 8080:

server {
    listen      78.110.163.102:443 ssl http2;
    server_name gldn.page *.gldn.page;
    ssl_certificate      /etc/letsencrypt/live/gldn.page/cert.pem;
    ssl_certificate_key  /etc/letsencrypt/live/gldn.page/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    error_log  /var/log/apache2/domains/gldn.page.error.log error;

    include /home/dave/conf/web/gldn.page/nginx.hsts.conf*;

    location / {
        proxy_pass      http://127.0.0.1:8080;
        location ~* ^.+\.(jpg|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf|webp|woff|txt|csv|rtf|doc|docx|xls|xlsx|ppt|pptx|odf|odp|ods|odt|pdf|psd|ai|eot|eps|ps|zip|tar|tgz|gz|rar|bz2|7z|aac|m4a|mp3|mp4|ogg|wav|wma|3gp|avi|flv|m4v|mkv|mov|mpeg|mpg|wmv|exe|iso|dmg|swf)$ {
            root           /home/dave/web/gldn.page/public_html;
            access_log     /var/log/apache2/domains/gldn.page.log combined;
            access_log     /var/log/apache2/domains/gldn.page.bytes bytes;
            expires        max;
            try_files      $uri @fallback;
        }
    }

    location /error/ {
        alias   /home/dave/web/gldn.page/document_errors/;
    }

    location @fallback {
        proxy_pass      https://78.110.163.102:8443;
    }

    location ~ /\.(?!well-known\/|file) {
       deny all;
       return 404;
    }

    proxy_hide_header Upgrade;

    include /home/dave/conf/web/gldn.page/nginx.ssl.conf_*;
}

Now the Apache config for port 8080.

Perhaps the ServerName should be localhost?

<VirtualHost 127.0.0.1:8080>
    ServerName gldn.page
    ServerAlias *.gldn.page
    ServerAdmin info@gldn.page
    DocumentRoot /home/dave/web/gldn.page/public_html
    ScriptAlias /cgi-bin/ /home/dave/web/gldn.page/cgi-bin/
    Alias /vstats/ /home/dave/web/gldn.page/stats/
    Alias /error/ /home/dave/web/gldn.page/document_errors/
    #SuexecUserGroup dave dave
    CustomLog /var/log/apache2/domains/gldn.page.bytes bytes
    CustomLog /var/log/apache2/domains/gldn.page.log combined
    ErrorLog /var/log/apache2/domains/gldn.page.error.log

    IncludeOptional /home/dave/conf/web/gldn.page/apache2.forcessl.conf*

    <Directory /home/dave/web/gldn.page/stats>
        AllowOverride All
    </Directory>
    <Directory /home/dave/web/gldn.page/public_html>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
    </Directory>

    <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php8.0-fpm-gldn.page.sock|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional /home/dave/conf/web/gldn.page/apache2.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

I am getting a 500 server error and the error log shows this:

08:06:30 [error] 1197401#1197401: *11270 connect() failed (111: Connection refused) while connecting to upstream, client: 77.102.184.93, server: gldn.page, request: "GET / HTTP/2.0", upstream: "http://127.0.0.1:8080/", host: "gldn.page"

Hope someone can help me get this working.

Update

I tried changing the Apache config to this...

<VirtualHost 127.0.0.1:8080>

    ServerName localhost

    DocumentRoot /home/dave/web/gldn.page/public_html
    ScriptAlias /cgi-bin/ /home/dave/web/gldn.page/cgi-bin/
    Alias /vstats/ /home/dave/web/gldn.page/stats/
    Alias /error/ /home/dave/web/gldn.page/document_errors/
    #SuexecUserGroup dave dave
    CustomLog /var/log/apache2/domains/gldn.page.bytes bytes
    CustomLog /var/log/apache2/domains/gldn.page.log combined
    ErrorLog /var/log/apache2/domains/gldn.page.error.log

    IncludeOptional /home/dave/conf/web/gldn.page/apache2.forcessl.conf*

    <Directory /home/dave/web/gldn.page/stats>
        AllowOverride All
    </Directory>
    <Directory /home/dave/web/gldn.page/public_html>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
    </Directory>

    <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php8.0-fpm-gldn.page.sock|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional /home/dave/conf/web/gldn.page/apache2.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

I still get this error:

2022/06/20 13:26:26 [error] 1317338#1317338: *12028 connect() failed (111: Connection refused) while connecting to upstream, client: 77.102.184.93, server: gldn.page, request: "GET / HTTP/2.0", upstream: "http://127.0.0.1:8080/", host: "gldn.page"

The suggested resource says:

If the error message says the remote service is on "127.0.0.1" or "localhost" that means the configuration file is telling the client that the service is on the local server. If your client is trying to talk to a remote system, then your configuration is broken.

Check that there isn't an entry for your hostname mapped to 127.0.0.1 or 127.0.1.1 in /etc/hosts (Ubuntu is notorious for this).

I have this:

root@expressresponse:/var/log/apache2/domains# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       no.ukservers.com        no

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 expressresponse.net

Just checked with telnet:

root@expressresponse:/# telnet localhost 8080
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

So is UFW blocking it?

root@expressresponse:/# ufw status
Status: inactive

Maybe HestiaCP has its own firewall?

Apache appears to be running:

root@expressresponse:/# systemctl status apache2
* apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-06-20 03:11:02 BST; 10h ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 1099994 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
    Process: 1317164 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
   Main PID: 1100013 (apache2)
      Tasks: 56 (limit: 19071)
     Memory: 21.4M
     CGroup: /system.slice/apache2.service
             |-1100013 /usr/sbin/apache2 -k start
             |-1317206 /usr/sbin/apache2 -k start
             |-1317207 /usr/sbin/apache2 -k start
             `-1317208 /usr/sbin/apache2 -k start

Jun 20 13:25:10 expressresponse.net systemd[1]: Reloading The Apache HTTP Server.
Jun 20 13:25:10 expressresponse.net systemd[1]: Reloaded The Apache HTTP Server.
Jun 20 13:25:15 expressresponse.net systemd[1]: Reloading The Apache HTTP Server.
Jun 20 13:25:15 expressresponse.net systemd[1]: Reloaded The Apache HTTP Server.
Jun 20 13:25:32 expressresponse.net systemd[1]: Reloading The Apache HTTP Server.
Jun 20 13:25:32 expressresponse.net systemd[1]: Reloaded The Apache HTTP Server.
Jun 20 13:25:33 expressresponse.net systemd[1]: Reloading The Apache HTTP Server.
Jun 20 13:25:33 expressresponse.net systemd[1]: Reloaded The Apache HTTP Server.
Jun 20 13:25:38 expressresponse.net systemd[1]: Reloading The Apache HTTP Server.
Jun 20 13:25:38 expressresponse.net systemd[1]: Reloaded The Apache HTTP Server.

Result from journalctl -xe -u apache2:

 A reload job for unit apache2.service has finished.
--
-- The job identifier is 95031 and the job result is done.

Result from root@expressresponse:/# ss -tnlp | grep apache2:

LISTEN 0      511                        94.46.186.222:8443        0.0.0.0:*     users:(("apache2",pid=1317208,fd=8),("apache2",pid=1317207,fd=8),("apache2",pid=1317206,fd=8),("apache2",pid=1100013,fd=8))
LISTEN 0      511                       78.157.211.222:8443        0.0.0.0:*     users:(("apache2",pid=1317208,fd=6),("apache2",pid=1317207,fd=6),("apache2",pid=1317206,fd=6),("apache2",pid=1100013,fd=6))
LISTEN 0      511                       78.110.163.102:8443        0.0.0.0:*     users:(("apache2",pid=1317208,fd=4),("apache2",pid=1317207,fd=4),("apache2",pid=1317206,fd=4),("apache2",pid=1100013,fd=4))
LISTEN 0      511                        94.46.186.222:8080        0.0.0.0:*     users:(("apache2",pid=1317208,fd=9),("apache2",pid=1317207,fd=9),("apache2",pid=1317206,fd=9),("apache2",pid=1100013,fd=9))
LISTEN 0      511                       78.157.211.222:8080        0.0.0.0:*     users:(("apache2",pid=1317208,fd=7),("apache2",pid=1317207,fd=7),("apache2",pid=1317206,fd=7),("apache2",pid=1100013,fd=7))
LISTEN 0      511                       78.110.163.102:8080        0.0.0.0:*     users:(("apache2",pid=1317208,fd=5),("apache2",pid=1317207,fd=5),("apache2",pid=1317206,fd=5),("apache2",pid=1100013,fd=5))
LISTEN 0      511                            127.0.0.1:8081        0.0.0.0:*     users:(("apache2",pid=1317208,fd=3),("apache2",pid=1317207,fd=3),("apache2",pid=1317206,fd=3),("apache2",pid=1100013,fd=3))
root@expressresponse:/#

And, if it's helpful, ss -tnlp | grep nginx:

LISTEN 0      511                        94.46.186.222:443         0.0.0.0:*     users:(("nginx",pid=1317344,fd=83),("nginx",pid=1317343,fd=83),("nginx",pid=1317342,fd=83),("nginx",pid=1317341,fd=83),("nginx",pid=1317340,fd=83),("nginx",pid=1317339,fd=83),("nginx",pid=1317338,fd=83),("nginx",pid=1317337,fd=83),("nginx",pid=314698,fd=83))
LISTEN 0      511                       78.157.211.222:443         0.0.0.0:*     users:(("nginx",pid=1317344,fd=82),("nginx",pid=1317343,fd=82),("nginx",pid=1317342,fd=82),("nginx",pid=1317341,fd=82),("nginx",pid=1317340,fd=82),("nginx",pid=1317339,fd=82),("nginx",pid=1317338,fd=82),("nginx",pid=1317337,fd=82),("nginx",pid=314698,fd=82))
LISTEN 0      511                       78.110.163.102:443         0.0.0.0:*     users:(("nginx",pid=1317344,fd=81),("nginx",pid=1317343,fd=81),("nginx",pid=1317342,fd=81),("nginx",pid=1317341,fd=81),("nginx",pid=1317340,fd=81),("nginx",pid=1317339,fd=81),("nginx",pid=1317338,fd=81),("nginx",pid=1317337,fd=81),("nginx",pid=314698,fd=81))
LISTEN 0      511                        94.46.186.222:80          0.0.0.0:*     users:(("nginx",pid=1317344,fd=80),("nginx",pid=1317343,fd=80),("nginx",pid=1317342,fd=80),("nginx",pid=1317341,fd=80),("nginx",pid=1317340,fd=80),("nginx",pid=1317339,fd=80),("nginx",pid=1317338,fd=80),("nginx",pid=1317337,fd=80),("nginx",pid=314698,fd=80))
LISTEN 0      511                       78.157.211.222:80          0.0.0.0:*     users:(("nginx",pid=1317344,fd=79),("nginx",pid=1317343,fd=79),("nginx",pid=1317342,fd=79),("nginx",pid=1317341,fd=79),("nginx",pid=1317340,fd=79),("nginx",pid=1317339,fd=79),("nginx",pid=1317338,fd=79),("nginx",pid=1317337,fd=79),("nginx",pid=314698,fd=79))
LISTEN 0      511                       78.110.163.102:80          0.0.0.0:*     users:(("nginx",pid=1317344,fd=78),("nginx",pid=1317343,fd=78),("nginx",pid=1317342,fd=78),("nginx",pid=1317341,fd=78),("nginx",pid=1317340,fd=78),("nginx",pid=1317339,fd=78),("nginx",pid=1317338,fd=78),("nginx",pid=1317337,fd=78),("nginx",pid=314698,fd=78))
LISTEN 0      511                              0.0.0.0:8083        0.0.0.0:*     users:(("hestia-nginx",pid=3722039,fd=6),("hestia-nginx",pid=3722037,fd=6))
LISTEN 0      511                            127.0.0.1:8084        0.0.0.0:*     users:(("nginx",pid=1317344,fd=84),("nginx",pid=1317343,fd=84),("nginx",pid=1317342,fd=84),("nginx",pid=1317341,fd=84),("nginx",pid=1317340,fd=84),("nginx",pid=1317339,fd=84),("nginx",pid=1317338,fd=84),("nginx",pid=1317337,fd=84),("nginx",pid=314698,fd=84))
root@expressresponse:~#

BTW, I have a mail server running, and apparently HestiaCP uses iptables as its firewall.

I found the "Firewall" in HestiaCP and have opened port 8085.

Then I ran service hestia restart and service apache2 restart.

cat /home/dave/conf/web/gldn.page/apache2.conf:

<VirtualHost 127.0.0.1:8085>

    ServerName localhost

    DocumentRoot /home/dave/web/gldn.page/public_html
    ScriptAlias /cgi-bin/ /home/dave/web/gldn.page/cgi-bin/
    Alias /vstats/ /home/dave/web/gldn.page/stats/
    Alias /error/ /home/dave/web/gldn.page/document_errors/
    #SuexecUserGroup dave dave
    CustomLog /var/log/apache2/domains/gldn.page.bytes bytes
    CustomLog /var/log/apache2/domains/gldn.page.log combined
    ErrorLog /var/log/apache2/domains/gldn.page.error.log

    IncludeOptional /home/dave/conf/web/gldn.page/apache2.forcessl.conf*

    <Directory /home/dave/web/gldn.page/stats>
        AllowOverride All
    </Directory>
    <Directory /home/dave/web/gldn.page/public_html>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
    </Directory>

    <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php8.0-fpm-gldn.page.sock|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional /home/dave/conf/web/gldn.page/apache2.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

But still the port is not listening:

root@expressresponse:~# ss -tnlp | grep apache2
LISTEN    0         511           94.46.186.222:8080            0.0.0.0:*        users:(("apache2",pid=75104,fd=9),("apache2",pid=75103,fd=9),("apache2",pid=75102,fd=9),("apache2",pid=75101,fd=9))
LISTEN    0         511          78.157.211.222:8080            0.0.0.0:*        users:(("apache2",pid=75104,fd=7),("apache2",pid=75103,fd=7),("apache2",pid=75102,fd=7),("apache2",pid=75101,fd=7))
LISTEN    0         511          78.110.163.102:8080            0.0.0.0:*        users:(("apache2",pid=75104,fd=5),("apache2",pid=75103,fd=5),("apache2",pid=75102,fd=5),("apache2",pid=75101,fd=5))
LISTEN    0         511               127.0.0.1:8081            0.0.0.0:*        users:(("apache2",pid=75104,fd=3),("apache2",pid=75103,fd=3),("apache2",pid=75102,fd=3),("apache2",pid=75101,fd=3))
LISTEN    0         511           94.46.186.222:8443            0.0.0.0:*        users:(("apache2",pid=75104,fd=8),("apache2",pid=75103,fd=8),("apache2",pid=75102,fd=8),("apache2",pid=75101,fd=8))
LISTEN    0         511          78.157.211.222:8443            0.0.0.0:*        users:(("apache2",pid=75104,fd=6),("apache2",pid=75103,fd=6),("apache2",pid=75102,fd=6),("apache2",pid=75101,fd=6))
LISTEN    0         511          78.110.163.102:8443            0.0.0.0:*        users:(("apache2",pid=75104,fd=4),("apache2",pid=75103,fd=4),("apache2",pid=75102,fd=4),("apache2",pid=75101,fd=4))
root@expressresponse:~#

What have I missed?

root@expressresponse:~# telnet localhost 8085
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

How do I get 127.0.0.1:8085 opened and listened to ?

Thanks, Dave.

Dave
    Does this answer your question? [What causes the 'Connection Refused' message?](https://serverfault.com/questions/725262/what-causes-the-connection-refused-message) – user9517 Jun 20 '22 at 08:08
  • It gives some suggestions but as I have supplied all the config files, I am looking for a specific answer. – Dave Jun 20 '22 at 11:29
  • No, you have not. Connection refused means nothing is listening on the given port on the given interface. Check if your services are actually running and on which interface they are listening. – Gerald Schneider Jun 20 '22 at 11:36
  • I have this root@expressresponse:/var/log/apache2/domains# cat /etc/hosts 127.0.0.1 localhost 127.0.1.1 no.ukservers.com no # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters 127.0.0.1 expressresponse.net – Dave Jun 20 '22 at 12:35
  • Please run `sudo ss -tnlp | grep :8080`. – Gerald Schneider Jun 20 '22 at 12:36
  • So, Apache is not running. You can check the status with `systemctl status apache2` and check the log with `journalctl -xe -u apache2`, as well as your configured log files. – Gerald Schneider Jun 20 '22 at 12:45
  • please run `sudo ss -tnlp | grep apache2` – Gerald Schneider Jun 20 '22 at 12:56

3 Answers


Apache is not configured to listen to port 8080 on the 127.0.0.1 interface. Check the Listen directives in the rest of your Apache configuration.

Gerald Schneider

By default, Apache will not listen on port 8085, no matter whether your server's firewall permits it or not. You need to specify Listen 8085 in your /etc/apache2/ports.conf file, or any other config file that Apache reads, in order to get Apache to listen on that port, even if you set it in the VirtualHost address.

Pauchu
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community May 16 '23 at 11:32
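The two answers above make the same point from both sides: Nginx can only reach an upstream that Apache actually binds, and Apache binds only what its Listen directives say, never what a `<VirtualHost addr:port>` names. The following check is an added example (not code from the question or either answer): it parses the Listen directives and VirtualHost addresses from an Apache config and the proxy_pass targets from an Nginx config, and reports the upstreams that would produce the "connect() failed (111: Connection refused)" seen in the question. The config snippets are constructed from the question's values; the Listen lines are assumed from the ss output since ports.conf is not shown.

```python
import re
from typing import List, Set, Tuple

Addr = Tuple[str, int]

# Constructed sample: Listen lines consistent with the ss output in the question
# (Apache binds the public IP on 8080/8443 and 127.0.0.1:8081), plus the
# VirtualHost the asker added for 127.0.0.1:8085.
APACHE_CONF = """
Listen 78.110.163.102:8080
Listen 78.110.163.102:8443
Listen 127.0.0.1:8081
<VirtualHost 127.0.0.1:8085>
    ServerName localhost
</VirtualHost>
"""

# Constructed sample: the proxy_pass targets from the asker's port-443 nginx block.
NGINX_CONF = """
location / { proxy_pass http://127.0.0.1:8080; }
location @fallback { proxy_pass https://78.110.163.102:8443; }
"""

# 'Listen 8080' with no address binds every interface; the IPv6 bracket form is not handled.
LISTEN_RE = re.compile(r"^\s*Listen\s+(?:([^\s:]+):)?(\d+)", re.M | re.I)
VHOST_RE = re.compile(r"<VirtualHost\s+([^\s>:]+):(\d+)", re.I)
PROXY_RE = re.compile(r"proxy_pass\s+(https?)://([^:/;\s]+)(?::(\d+))?", re.I)


def _norm(host: str) -> str:
    # nginx resolves 'localhost' to the loopback address before connecting.
    return "127.0.0.1" if host == "localhost" else host


def apache_listeners(conf: str) -> Set[Addr]:
    """Sockets Apache will bind: only Listen directives count, never <VirtualHost>."""
    return {(_norm(addr) if addr else "*", int(port)) for addr, port in LISTEN_RE.findall(conf)}


def nginx_upstreams(conf: str) -> Set[Addr]:
    """proxy_pass targets, applying the scheme's default port when none is given."""
    return {(_norm(host), int(port) if port else (443 if scheme.lower() == "https" else 80))
            for scheme, host, port in PROXY_RE.findall(conf)}


def is_bound(target: Addr, listeners: Set[Addr]) -> bool:
    host, port = target
    return any(p == port and a in ("*", host) for a, p in listeners)


def unreachable_upstreams(apache_conf: str, nginx_conf: str) -> List[Addr]:
    """nginx upstreams that would fail with 'connect() failed (111: Connection refused)'."""
    listeners = apache_listeners(apache_conf)
    return sorted(t for t in nginx_upstreams(nginx_conf) if not is_bound(t, listeners))


def vhosts_without_listen(apache_conf: str) -> List[Addr]:
    """<VirtualHost addr:port> entries with no Listen behind them; they never serve a request."""
    listeners = apache_listeners(apache_conf)
    vhosts = {(_norm(a), int(p)) for a, p in VHOST_RE.findall(apache_conf)}
    return sorted(v for v in vhosts if not is_bound(v, listeners))


if __name__ == "__main__":
    print("unreachable nginx upstreams:", unreachable_upstreams(APACHE_CONF, NGINX_CONF))
    print("VirtualHosts without a Listen:", vhosts_without_listen(APACHE_CONF))
```

Run against the real files (ports.conf plus the per-domain configs) the first list should be empty; anything it prints is a Listen directive to add, after which `ss -tnlp` should show the new socket.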

Nginx error 500 is usually caused by config files with issues, or permission issues. This article may help: https://www.copahost.com/blog/nginx-500-internal-server-error/

Gustavo C
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/555082) – Quantim Jun 28 '23 at 06:26