Nginx refused to connect to port 443


I solved the problem but this is not a general solution. In my case, Docker was interfering with iptables and didn't allow connections on port 443. After I exposed the port from Docker, it started to work.
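The mechanism behind this answer is that `docker run -p HOST:CONTAINER` installs a DNAT rule in the nat table's DOCKER chain, and PREROUTING jumps to that chain for every packet addressed to a local IP. External traffic to the published port is therefore rewritten to the container before the host's own listening socket, the filter-table INPUT chain or UFW ever see it; the OUTPUT jump excludes 127.0.0.0/8, which is why `curl https://localhost` still reaches the host daemon while remote clients get whatever the container does on that port. The script below, added here as an example and not part of the question or the answer, parses `iptables -t nat -S` and `netstat -lnt` style output and reports every published port that shadows a host listener. The nat rules and netstat lines in it are constructed, modelled on a host whose container published 80, 443 and 5432 (the question shows only the filter-table DOCKER chain, not the nat table), and the fix it suggests is the usual one, not something the answer spells out.

```python
"""Find Docker-published ports that shadow a listener on the host.

A plain EXPOSE line in a Dockerfile creates no nat rule; only -p/--publish does.
Inputs are the text of `iptables -t nat -S` and netstat -lnt style LISTEN lines.
"""
import re
from dataclasses import dataclass, field

# Matches Docker's DNAT rules, e.g.
#   -A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443
# and, for `-p 1.2.3.4:443:443`, the variant carrying `-d 1.2.3.4/32` before `-i`.
DNAT_RE = re.compile(
    r"^-A DOCKER\b(?:.*? -d (?P<dst>[\d.]+)/32)?.*? -p (?P<proto>tcp|udp)\b"
    r".*? --dport (?P<port>\d+) -j DNAT --to-destination (?P<to>[\d.]+:\d+)$"
)
WILDCARDS = {"0.0.0.0", "::", "*"}


@dataclass
class Shadow:
    proto: str
    port: int
    host_dst: str                # "any" or the host IP the publish rule is bound to
    container: str               # IP:port the traffic is rewritten to
    host_listeners: list = field(default_factory=list)   # host sockets that lose the traffic


def parse_docker_dnat(nat_rules: str) -> list:
    """Return (proto, port, host_dst, container) for each DOCKER-chain DNAT rule."""
    found = []
    for line in nat_rules.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            found.append((m["proto"], int(m["port"]), m["dst"] or "any", m["to"]))
    return found


def parse_listeners(netstat: str) -> list:
    """Return (proto, bind_addr, port) for every LISTEN line of `netstat -lnt`."""
    out = []
    for line in netstat.splitlines():
        parts = line.split()
        if len(parts) < 4 or "LISTEN" not in parts:
            continue
        addr, _, port = parts[3].rpartition(":")        # handles 0.0.0.0:443 and :::8080
        out.append((parts[0].rstrip("6"), addr, int(port)))   # tcp6 -> tcp
    return out


def externally_reachable(addr: str) -> bool:
    """A socket bound only to loopback is never affected by the PREROUTING DNAT."""
    return addr != "::1" and not addr.startswith("127.")


def find_shadowed_ports(nat_rules: str, netstat: str) -> list:
    """Cross the DNAT rules with the host's listeners; one Shadow per collision."""
    listeners = parse_listeners(netstat)
    shadows = []
    for proto, port, host_dst, container in parse_docker_dnat(nat_rules):
        hits = [
            f"{addr}:{lport}"
            for lproto, addr, lport in listeners
            if lproto == proto and lport == port and externally_reachable(addr)
            and (addr in WILDCARDS or host_dst == "any" or addr == host_dst)
        ]
        if hits:
            shadows.append(Shadow(proto, port, host_dst, container, hits))
    return shadows


def report(shadows: list) -> list:
    """One finding per shadowed port, followed by the remediation line."""
    lines = [
        f"{s.proto}/{s.port} on {s.host_dst}: Docker DNATs it to {s.container}, "
        f"shadowing host listener(s) {', '.join(s.host_listeners)}"
        for s in shadows
    ]
    if lines:
        lines.append("Fix: stop publishing the port, or publish it on loopback only "
                     "(e.g. -p 127.0.0.1:8443:443) and proxy to it from the host nginx.")
    return lines


# Constructed sample input (not taken from the question): a host whose single
# container published 80, 443 and 5432, alongside the host's own daemons.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
"""
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::8080                 :::*                    LISTEN      -
"""

if __name__ == "__main__":
    for line in report(find_shadowed_ports(SAMPLE_NAT_RULES, SAMPLE_NETSTAT)):
        print(line)
```

On the sample data the script flags tcp/80 and tcp/443 (the host nginx on 0.0.0.0 loses both to 172.17.0.2) and ignores 5432, because the host's PostgreSQL is bound to 127.0.0.1 and the PREROUTING DNAT cannot take loopback traffic away from it. To run it for real, feed it `iptables -t nat -S` and `netstat -lnt` output from the host; with nftables-backed Docker, `iptables-nft -t nat -S` prints the same syntax.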



Author: Dani Mateo
Updated on September 18, 2022

Comments

  • Dani Mateo
    Dani Mateo over 1 year

    So, I am trying to make Nginx serve my website via https, but it keeps hitting me with a refused to connect error.

    So here are the outputs for:

    1. curl https://juristnet.ro (this is the website)

      curl: (7) Failed to connect to juristnet.ro port 443: Connection refused
      
    2. netstat -anltp

      tcp        0      0 0.0.0.0:80              0.0.0.0:*                  LISTEN      -               
      tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
      tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -               
      tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -               
      tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -               
      tcp        0      0 46.101.111.197:80       66.249.64.215:60905     TIME_WAIT   -               
      tcp        0      0 46.101.111.197:80       66.249.64.211:57434     ESTABLISHED -               
      tcp        0      0 46.101.111.197:22       82.208.159.43:26902         ESTABLISHED -               
      tcp        0    476 46.101.111.197:22       82.208.159.43:11648     ESTABLISHED -               
      tcp        0      0 46.101.111.197:22       223.99.60.37:16862      ESTABLISHED -               
      tcp6       0      0 :::8080                 :::*                      LISTEN      -               
      tcp6       0      0 :::22                   :::*                    LISTEN      -               
      tcp6       0      0 :::30845                :::*                    LISTEN      -   
      

    As you can see, port 443 is open and Nginx is listening.

    80/tcp   open  http
    443/tcp  open  https
    3306/tcp open  mysql
    5432/tcp open  postgresql
    

    Nmap shows port is open.

    UFW is inactive, so no firewall issues. It's a droplet at DigitalOcean, so no forwarding problems on their side.

    3. iptables -L

      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination         
      ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
      ACCEPT     tcp  --  anywhere             localhost            tcp spts:1024:65535 dpt:https state NEW,ESTABLISHED
      
      Chain FORWARD (policy ACCEPT)
      target     prot opt source               destination         
      DOCKER-ISOLATION  all  --  anywhere             anywhere            
      DOCKER     all  --  anywhere             anywhere            
      ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
      ACCEPT     all  --  anywhere             anywhere            
      ACCEPT     all  --  anywhere             anywhere            
      
      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination         
      
      Chain DOCKER (1 references)
      target     prot opt source               destination         
      ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:http
      ACCEPT     tcp  --  anywhere             172.17.0.2           tcp  dpt:https
      

    My Nginx.conf:

    user admin root;
    worker_processes auto;
    
    error_log  /var/log/nginx/error.log debug;
    pid        /var/run/nginx.pid;
    
    
    events {
        worker_connections  1024;
    }
    
    
    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;
    
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
        sendfile        on;
        #tcp_nopush     on;
    
        keepalive_timeout  65;
    
        #gzip  on;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
    
        include /etc/nginx/conf.d/*.conf;
    }
    

    My other conf ( for the server blocks):

    server {
        listen 80;
        listen 443 ssl;

        server_name  juristnet.ro www.juristnet.ro;
        keepalive_timeout   70;

        ssl_certificate /etc/letsencrypt/live/juristnet.ro/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/juristnet.ro/privkey.pem;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients need them.
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;

        root /var/test/proiect;
        client_max_body_size 10M;

        location = /favicon.ico {
            access_log off; log_not_found off;
            alias /var/test/proiect/favicon.ico;
        }

        location /static/ {
            autoindex on;
        }

        location /assets/ {
            autoindex on;
            alias /var/test/proiect/assets/;
        }

        location ~ /.well-known/ {
            allow all;
        }

        location / {
            # fastcgi_params and fastcgi_param only apply to fastcgi_pass;
            # they have no effect on this proxy_pass location.
            include /etc/nginx/fastcgi_params;
            proxy_set_header X-Real-IP  $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Host $http_host;
            proxy_pass http://unix:/var/test/proiect/Tutorial2.sock;
            fastcgi_param   HTTPS               on;
            fastcgi_param   HTTP_SCHEME         https;
        }
    }
    

    There is also another subdomain, but I'm guessing that's not relevant.

    The error logs and access logs for nginx don't show anything special.

    The certificates were obtained from Let's Encrypt. If I try binding gunicorn as it is on 0.0.0.0:8000, with the --keyfile and --certfile options, it does work with https, so I am guessing this is an nginx issue. Or maybe I need to add those settings somewhere? Anyway, I have been bashing my head on this for 2 days, so if anybody has any solution to this, I would be very thankful.

    • Tim
      Tim about 7 years
      Can you curl port 443 from the droplet / instance itself? If so then the issue is a firewall or other kind of port blocking.
    • Dani Mateo
      Dani Mateo about 7 years
      If you mean doing curl localhost:443, it shows this : <head><title>400 The plain HTTP request was sent to HTTPS port</title></head> <body bgcolor="white"> <center><h1>400 Bad Request</h1></center> <center>The plain HTTP request was sent to HTTPS port</center> <hr><center>nginx/1.10.2</center> </body> </html>
    • Tim
      Tim about 7 years
      Ok, so Nginx is listening fine on port 443, the next thing to work out is where it is being blocked. If you can try the same thing from another server in the same data centre or logical network that would give you more information.
    • Tero Kilkanen
      Tero Kilkanen about 7 years
      Try curl https://localhost. curl localhost:443 will try to make a HTTP connection to the https port of your server, which is not correct.
    • Dani Mateo
      Dani Mateo about 7 years
      I solved it, it had something to do with Docker. Thanks for the help guys!
  • ibaralf
    ibaralf almost 7 years
    Could you post the solution you did - I mean how you exposed the port in docker. I have a similar situation and would like to see if that helps. Thanks.
  • D.R.
    D.R. over 6 years
    @ibaralf Hello. Did you solve this issue?
  • D.R.
    D.R. over 6 years
    @Dani Mateo. Looks like I also have the same issue. Could you post your solution?
  • Dani Mateo
    Dani Mateo about 6 years
    Hello, sorry for the late reply. I didn't have any use for Docker and just uninstalled it, and it seemed to work afterwards. Look for third parties that may interfere with the ports. Good luck!
  • ibaralf
    ibaralf about 6 years
    @D.R. unfortunately I cannot remember if or how I resolved it since I am not working on this project anymore. With Dani's last comment, I think this was not a solution.
  • Do Async
    Do Async over 5 years
    Just add the line "EXPOSE 443" to your Dockerfile (and recreate the container).