Telegram webhook doesn't connect to my server with selfsigned certificate - ruby

Have the issue that Telegram webhook doesn't connect to my server with selfsigned cert(no any connections in logs from telegram API). Any ideas?
Configuration:
CERT=config/ssl/production/cert.pem
Telegram.bot.get_webhook_info
{"ok"=>true,
"result"=>
{"url"=>"https://<IP>/telegram/NY71J1pPAzfGCf90Fc-Ssybo",
"has_custom_certificate"=>true,
"pending_update_count"=>1,
"last_error_date"=>1674396736,
"last_error_message"=>"Connection timed out",
"max_connections"=>40,
"ip_address"=>"<IP>"}}
Rails.application.routes.url_helpers.telegram_webhook_url
=> "https://<IP>/telegram/NY71J1pPAzfGCf90Fc-Ssybo"
Puma started with nginx:
sm_app | => Booting Puma
sm_app | => Rails 7.0.4 application starting in production
sm_app | => Run `bin/rails server --help` for more startup options
sm_app | Puma starting in single mode...
sm_app | * Puma version: 6.0.2 (ruby 3.2.0-p0) ("Sunflower")
sm_app | * Min threads: 5
sm_app | * Max threads: 5
sm_app | * Environment: production
sm_app | * PID: 1
sm_app | * Listening on ssl://0.0.0.0:3000?cert=config%2Fssl%2Fproduction%2Fcert.pem&key=config%2Fssl%2Fproduction%2Fkey.pem&verify_mode=none
upstream sm_app {
server 'sm_app:3000';
}
server {
listen 80;
server_name _;
return 301 https://sm_app$request_uri;
}
server {
listen 443 ssl;
client_max_body_size 100m;
keepalive_timeout 5;
root $APP_PATH/public;
access_log $APP_PATH/log/nginx.ssl.access.log;
error_log $APP_PATH/log/nginx.ssl.error.log info;
ssl_certificate $APP_PATH/ssl/cert.pem;
ssl_certificate_key $APP_PATH/ssl/key.pem;
ssl on;
ssl_protocols TLSv1.2;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass https://sm_app;
}
}
root#11941b39b560:/app/log# cat nginx.ssl.access.log
root#11941b39b560:/app/log#
I've tested these configurations:
https://core.telegram.org/bots/webhooks
https://core.telegram.org/bots/self-signed (part of the previous one)
telegram-bot-rb/telegram_bot_app#7 (comment)
I tried to make a direct request from my local computer from different countries (using VPN) to the bot server(postman request example below).
All this time I got the status 200, and the bot processed this request and sent me a message, as expected.

Related

Puma - No such file or directory - connect(2). No idea where it's getting this location from

So, I'm trying to deploy a Sinatra app with Capistrano. I have deployed the app successfully, however I am unable to start Puma. When I enter my app's current diretory and run pumactl -F config/puma.rb start I get the following error:
ubuntu#ip-10-0-0-195:/srv/apps/cx/current$ pumactl -F config/puma.rb start
[18512] Puma starting in cluster mode...
[18512] * Version 4.3.5 (ruby 2.5.1-p57), codename: Mysterious Traveller
[18512] * Min threads: 2, max threads: 6
[18512] * Environment: staging
[18512] * Process workers: 1
[18512] * Phased restart available
No such file or directory - connect(2) for /srv/apps/cx/releases/shared/tmp/sockets/puma.sock
I have no idea how or why it's looking in the cx/releases directory. I've attached some of my files below and maybe someone can tell me what I'm doing wrong here.
Puma.rb
# Change to match your CPU core count
workers 1
# Min and Max threads per worker
threads 2, 6
app_dir = File.expand_path('../../..', __FILE__)
shared_dir = "#{app_dir}/shared"
# Default to production
rails_env = ENV['RAILS_ENV'] || 'staging'
environment rails_env
# Set up socket location
bind "unix://#{shared_dir}/tmp/sockets/puma.sock"
# Logging
stdout_redirect "#{shared_dir}/logs/puma.stdout.log", "#{shared_dir}/logs/puma.stderr.log", true
daemonize
# Set master PID and state locations
pidfile "#{shared_dir}/pids/puma.pid"
state_path "#{shared_dir}/pids/puma.state"
activate_control_app
on_worker_boot do
require 'active_record'
ActiveRecord::Base.connection.disconnect! rescue ActiveRecord::ConnectionNotEstablished
ActiveRecord::Base.establish_connection(YAML.load_file("#{app_dir}/current/config/database.yml")[rails_env])
end
lowlevel_error_handler do |ex, env|
Raven.capture_exception(
ex,
message: ex.message,
extra: { puma: env },
transaction: 'Puma'
)
# note the below is just a Rack response
[500, {}, ['An error has occurred, and engineers have been informed. Please reload the page']]
end
Puma.service
[Unit]
Description=Connect-Puma Server
After=network.target
[Service]
Type=simple
User=ubuntu
# EnvironmentFile=/srv/apps/cx-api/current/.rbenv-vars
Environment=RAILS_ENV=staging
WorkingDirectory=/srv/apps/cx/current/
ExecStart=/usr/bin/rbenv exec bundle exec puma -C /srv/apps/cx/current/config/puma.rb
ExecStop=/usr/bin/rbenv exec bundle exec pumactl -F /srv/apps/cx/current/config/puma.rb stop
ExecReload=/usr/bin/rbenv exec bundle exec pumactl -F /srv/apps/cx/current/config/puma.rb phased-restart
TimeoutSec=15
Restart=always
KillMode=process
[Install]
WantedBy=multi-user.target
etc/nginx/sites-enabled/cx
pstream sinatra {
server unix:/srv/apps/cx/shared/tmp/puma.sock;
}
server {
root /srv/apps/cx/current/public;
server_name staging.ldelivers.com;
location / {
try_files $uri $uri/index.html #puma;
}
location #puma {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://sinatra;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/staging.lmdelivers.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/staging.lmdelivers.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = staging.lmdelivers.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name staging.lmdelivers.com;
return 404; # managed by Certbot
}
As you can see I'm not calling to the /releases directory anywhere. If anyone can get me pointed in the right direction I would appreciate it soo soo much.
Thanks
Try this
app_dir = File.expand_path('../../../..', __FILE__)
Also, the socket path is set as .../tmp/puma.sock in one configuration file and .../tmp/sockets/puma.sock in another.

*1539 768 worker_connections are not enough while connecting to upstream

Deployed ruby backend api project to digitalocean server, i'm having issues configuring nagix and passenger
when I make this api call "http://159.65.65.203/api/v1/items" using postman i get this error
based on cat /var/log/nginx/error.log
2020/07/08 02:59:11 [alert] 2769#2769: *1539 768 worker_connections are not enough while
connecting to upstream, client: 159.65.65.203, server: borroup.com, request: "GET
/api/v1/items HTTP/1.0", upstream: "http://159.65.65.203:80/api/v1/items", host:
"159.65.65.203"
when i visit http://159.65.65.203/ i get this error
404 Not Found
nginx/1.18.0
using Ubuntu 16.04.6 (LTS) x64 ruby 2.4.1
here is sudo nano /etc/nginx/sites-available/default
upstream app {
server 159.65.65.203:80 fail_timeout=0;
}
# Default server configuration
server {
listen 80;
server_name borroup.com;
allow 159.65.65.203;
# this is where my react-app is located
root /var/www/development/ram/public/;
index index.html index.htm;
# Serve the static content (React app)
location / {
try_files $uri /index.html =404;
}
location /api {
# Insert your public app path
root /your/rails-app/path/public;
proxy_pass http://app;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
}
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 10;
}
here is sudo nano /etc/nginx/nginx.conf
user deploy;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
here is netstat -plunta
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program
name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2769/nginx:
worker
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN -
tcp 0 976 159.65.65.203:22 222.186.30.167:11710 ESTABLISHED -
tcp 0 0 159.65.65.203:22 70.176.141.88:54472 ESTABLISHED -
tcp 0 604 159.65.65.203:22 184.101.50.220:55467 ESTABLISHED -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.1:37075 127.0.0.1:37075 ESTABLISHED -
every time i change port i get similar but different wording errors
Note: This is a backend project does not have front end just used for api's

Why is nginx running on port 8080 but not 81?

Based on brew info nginx the terminal output is telling me that nginx is running on port 8080 by default:
The default port has been set in /usr/local/etc/nginx/nginx.conf to
8080 so that nginx can run without sudo.
This is the full output:
$ brew info nginx
nginx: stable 1.19.0 (bottled), HEAD
HTTP(S) server and reverse proxy, and IMAP/POP3 proxy server
https://nginx.org/
/usr/local/Cellar/nginx/1.19.0 (25 files, 2.1MB) *
Poured from bottle on 2020-06-16 at 17:55:46
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/nginx.rb
==> Dependencies
Required: openssl#1.1 ✔, pcre ✔
==> Options
--HEAD
Install HEAD version
==> Caveats
Docroot is: /usr/local/var/www
The default port has been set in /usr/local/etc/nginx/nginx.conf to 8080 so that
nginx can run without sudo.
nginx will load all files in /usr/local/etc/nginx/servers/.
To have launchd start nginx now and restart at login:
brew services start nginx
Or, if you don't want/need a background service you can just run:
nginx
==> Analytics
install: 33,973 (30 days), 101,534 (90 days), 407,985 (365 days)
install-on-request: 33,387 (30 days), 99,128 (90 days), 394,576 (365 days)
build-error: 0 (30 days)
My Mac OS is Catalina 10.15
However, when I go to look at the nginx.conf in /usr/local/etc/nginx/nginx.conf I do not see that the nginx port is open on 8080. I see it open on port 81:
server {
listen 81;
server_name localhost;
....
....
When I go to visit http://localhost:8080/ I get the nginx welcome message. However when I go to visit http://localhost:81/ I get a "site can't be reached" ERR_CONNECTION_REFUSED error.
How is nginx running on port 8080 without such a specification in the nginx.conf file? And why is nginx not running on port 81 which the conf appears to suggest it should.
Here's the full nginx.conf:
# cat /usr/local/etc/nginx/nginx.conf
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 81;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
include servers/*;
}
Have you tried to restart/reload Nginx yet? In order for the configuration change to take effect, you need to reload it.
You can use this command on Mac OSX to reload Nginx: sudo nginx -s reload

connect() to unix:///tmp/web2py.socket failed (13: Permission denied) in mac

I have followed below tutorial to setup nginx+web2py+uwsgi but nginx couldn't access uwsgi socket. below is my configuration file. when i am opening localhost it is showing 502 bad gateway and nginx error log is showing permission denied while trying to access web2py.socket
setup web2py+uwsgi+nginx on ubuntu
nginx conf file in /usr/local/etc/nginx/nginx.conf
#user nobody;
worker_processes 1;
error_log /var/log/nginx/nginx_error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name $hostname;
###to enable correct use of response.static_version
location ~* ^/(\w+)/static(?:/_[\d]+\.[\d]+\.[\d]+)?/(.*)$ {
alias /Users/sudhakar/Desktop/web2py/applications/$1/static/$2;
expires max;
### if you want to use pre-gzipped static files (recommended)
### check scripts/zip_static_files.py and remove the comments
# include /etc/nginx/conf.d/web2py/gzip_static.conf;
}
###
location / {
#uwsgi_pass 127.0.0.1:9001;
uwsgi_pass unix:///tmp/web2py.socket;
include uwsgi_params;
uwsgi_param UWSGI_SCHEME $scheme;
uwsgi_param SERVER_SOFTWARE nginx/$nginx_version;
###remove the comments to turn on if you want gzip compression of your pages
# include /etc/nginx/conf.d/web2py/gzip.conf;
### end gzip section
### remove the comments if you use uploads (max 10 MB)
#client_max_body_size 10m;
###
}
}
server {
listen 443 default_server ssl;
server_name $hostname;
ssl_certificate /usr/local/etc/nginx/ssl/web2py.crt;
ssl_certificate_key /usr/local/etc/nginx/ssl/web2py.key;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
keepalive_timeout 70;
location / {
#uwsgi_pass 127.0.0.1:9001;
uwsgi_pass unix:///tmp/web2py.socket;
include uwsgi_params;
uwsgi_param UWSGI_SCHEME $scheme;
uwsgi_param SERVER_SOFTWARE nginx/$nginx_version;
###remove the comments to turn on if you want gzip compression of your pages
# include /etc/nginx/conf.d/web2py/gzip.conf;
### end gzip section
### remove the comments if you want to enable uploads (max 10 MB)
#client_max_body_size 10m;
###
}
###to enable correct use of response.static_version
location ~* ^/(\w+)/static(?:/_[\d]+\.[\d]+\.[\d]+)?/(.*)$ {
alias /Users/sudhakar/Desktop/web2py/applications/$1/static/$2;
expires max;
### if you want to use pre-gzipped static files (recommended)
### check scripts/zip_static_files.py and remove the comments
# include /etc/nginx/conf.d/web2py/gzip_static.conf;
}
###
}
include servers/*;
}
uwsgi conf file in /etc/uwsgi/web2py.ini
[uwsgi]
socket = /tmp/web2py.socket
chmod-socket = 600
uid = _www
gid = _www
pythonpath = /Users/sudhakar/Desktop/web2py/
mount = /=wsgihandler:application
processes = 4
master = true
harakiri = 60
reload-mercy = 8
cpu-affinity = 1
stats = /tmp/stats.socket
max-requests = 2000
limit-as = 512
reload-on-as = 256
reload-on-rss = 192
touch-reload = /Users/sudhakar/Desktop/web2py/routes.py
cron = 0 0 -1 -1 -1 python /Users/sudhakar/Desktop/web2py/web2py.py -Q -S welcome -M -R scripts/sessions2trash.py -A -o
no-orphans = true
below command is use to run uwsgi
exec /usr/local/bin/uwsgi --ini /etc/uwsgi/web2py.ini
You need to run nginx and uwsgi processes with same user. Alternatively, you can change socket file permission but it's not recommended because of security issues.
Solution 1:
Change #user nobody; line as user _www; in your /usr/local/etc/nginx/nginx.conf file (to run Nginx process with _www user)
Then restart nginx service
Solution 2:
Change chmod-socket = 600 line as chmod-socket = 666 in your /etc/uwsgi/web2py.ini file. (Not recommended)
Then restart uwsgi service

403 Forbidden on Rails app w/ Nginx, Passenger, unix

Hi i am having the 403 error despite following the steps from here
403 Forbidden on Rails app w/ Nginx, Passenger
My app folder permissions
namei -l /home/ubuntu/resume_consumer/current/public
f: /home/ubuntu/resume_consumer/current/public
drwxr-xr-x root root /
drwxr-xr-x root root home
drwxr-xr-x ubuntu ubuntu ubuntu
drwxrwxr-x ubuntu ubuntu resume_consumer
lrwxrwxrwx ubuntu ubuntu current -> /home/ubuntu/resume_consumer/releases/20150815211156
drwxr-xr-x root root /
drwxr-xr-x root root home
drwxr-xr-x ubuntu ubuntu ubuntu
drwxrwxr-x ubuntu ubuntu resume_consumer
drwxrwxr-x ubuntu ubuntu releases
drwxrwxr-x ubuntu ubuntu 20150815211156
drwxrwxr-x ubuntu ubuntu public
The Nginx app is running as nobody
ps waux | grep nginx
root 12005 0.0 0.0 42480 900 ? Ss Jul28 0:00 nginx: master process /opt/nginx/sbin/nginx
nobody 12006 0.0 0.1 42804 2016 ? S Jul28 0:00 nginx: worker process
My nginx config looks as follows
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
passenger_root /home/ubuntu/.rvm/gems/ruby-2.2.1/gems/passenger-5.0.14;
passenger_ruby /home/ubuntu/.rvm/wrappers/ruby-2.2.1/ruby;
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name qa.enterprise.getmeed.com;
root /home/ubuntu/resume/current/public;
passenger_enabled on;
#charset koi8-r;
#access_log logs/host.access.log main;
# location / {
# root html;
# index index.html index.htm;
#}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
#error_page 500 502 503 504 /50x.html;
#location = /50x.html {
# root html;
#}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
server {
listen 80;
server_name qa.getmeed.com;
root /home/ubuntu/resume_consumer/current/public;
index index.html index.htm;
passenger_enabled on;
rails_env production;
passenger_friendly_error_pages on;
# location / {
# root html;
# index index.html index.htm;
# }
}
# HTTPS server
#
#server {
# listen 443;
# server_name localhost;
# ssl on;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_timeout 5m;
# ssl_protocols SSLv2 SSLv3 TLSv1;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
When i look at logs, i find an alert that says PassengerAgent not found another error that the directory is forbidden. I am not sure if the alert is related.
2015/08/15 23:40:41 [notice] 20858#0: signal process started
2015/08/15 23:40:41 [alert] 12005#0: Unable to start Phusion Passenger: Support binary PassengerAgent not found (tried: /home/ubuntu/.rvm/gems/ruby-2.2.1/gems/passenger-5.0.14/buildout/support-binaries/PassengerAgent and /root/.passenger/support-binaries/5.0.14/PassengerAgent). This probably means that your Phusion Passenger installation is broken or incomplete, or that your 'passenger_root' setting contains the wrong value. Please reinstall Phusion Passenger or adjust the setting (see: https://www.phusionpassenger.com/documentation/Users%20guide%20Nginx.html#PassengerRoot). (-1: Unknown error)
2015/08/15 23:45:04 [error] 20859#0: *375 directory index of "/home/ubuntu/resume_consumer/current/public/" is forbidden, client: 104.135.15.7, server: qa.getmeed.com, request: "GET / HTTP/1.1", host: "qa.getmeed.com"
You simply need to see if you can read the file inside /home/ubuntu/resume_consumer/current/public. You are showing us the permissions set in the home directory of Ubuntu, but current and public will have their own permissions as well.
First assuming there is an index.html inside of public, does the following return an error:
sudo -u nobody /home/ubuntu/resume_consumer/current/public
If so then you have a permission problem. You could resolve this by adding the nobody user to the same ubuntu group:
sudo adduser nobody ubuntu
and then ensure the group ubuntu users have the same access as the ubuntu user.
sudo chmod -R g=u /home/ubuntu/resume_consumer
Thanks all! it turns out there is no issue with the nginx. There was an error about passenger in nginx logs, which i wan't sure was related initially, But it turns out that was the root cause.
I had passenger installed but the passenger was not installed for the application specifically. I had to go to the application directory and install passenger gem and then use the passenger_root corresponding to the gem in application in nginx config. That fixed the issue.

Resources