My website http://bavarian-joke-generator.org is running. Sadly, I was not able to get the HTTPS version working, because I have been encountering the following problem since enabling it with a certificate from letsencrypt.org via Certbot:
What am I missing here? I'll list the things I have already checked below, and I really seem to be out of ideas as to what could be causing the issue.
As seen in the NGINX logs below, the response is successfully sent by my NGINX container.
The server is provided by Hetzner and the following UFW firewall settings are active (the blocked IP address is not mine):
The whole code can be seen in its GitHub repository.
But I specifically want to mention the NGINX config used. Also note that NGINX is running as a container as part of a docker-compose file:
    # main nginx.conf
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log notice;
    pid /var/run/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        #tcp_nopush on;
        keepalive_timeout 65;
        gzip on;
        proxy_max_temp_file_size 0;
        include /etc/nginx/conf.d/*.conf;
    }

    # server block, included via conf.d/*.conf above
    server {
        server_name bavarian-joke-generator.org www.bavarian-joke-generator.org;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/nginx/ssl/live/bavarian-joke-generator.org/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/live/bavarian-joke-generator.org/privkey.pem;
        listen 80;
        listen [::]:80;

        # Security headers. nginx writes the "Name: value" separator itself, so the
        # header name must not carry a colon, and it is spelled with hyphens only.
        add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload' always;
        add_header Content-Security-Policy "default-src 'self'; script-src 'sha384-7FvcOpf85HsGS89sLrvOOHZYqgaEqbfUi87HhpbqbndTSFw+XpzbDMK5ZcxD28fe'; frame-ancestors 'self'; form-action 'self'; base-uri 'self';";
        add_header X-Content-Type-Options "nosniff";

        root /usr/share/nginx/html;
        error_page 400 /errors/400_wrong_input.html;
        error_page 404 /errors/404_joke_not_found.html;

        location / {
        }

        # SSL certificate (ACME HTTP-01 challenge files written by Certbot):
        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }

        # Error pages are only reachable via error_page, never by direct request:
        location /errors/ {
            root /usr/share/nginx/html;
            internal;
        }

        location ^~ /assets/ {
            root /usr/share/nginx;
        }

        location ^~ /RegEx/ {
            root /usr/share/nginx;
        }

        location ^~ /ssr/ {
            # pass will exchange ssr/ for /:
            proxy_pass "http://${SSR_HOST}:${SSR_PORT}/";
            proxy_http_version 1.1;
            proxy_set_header "Connection" "";
            proxy_intercept_errors on;
        }

        location ^~ /auth/ {
            # pass will exchange auth/ for /:
            proxy_pass "http://${AUTH_HOST}:${AUTH_PORT}/";
            proxy_http_version 1.1;
            proxy_set_header "Connection" "";
            # No error pages -> Do not intercept errors
        }

        # Static scripts and stylesheets (extension match: ".js" or ".css"):
        location ~ \.(?:js|css)$ {
            root /usr/share/nginx/html;
        }
    }
So I could not solve the issue, but I was able to circumvent it:
I now have a parent NGINX process running on my main Hetzner-provided server and the NGINX child process inside a container, as stated in my compose file above.
For some reason the outgoing HTTPS response from the container got blocked, while the new setup only has outgoing HTTPS responses from the main server directly.
Whether this is a Hetzner issue or an issue with any of my configs still has to be further investigated.
More info can be found here:
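The server block above sets its security headers with `add_header`, and two of them are spelled in a way a browser silently ignores (an underscore in `Content_Security-Policy`, a colon after `frame-ancestors` and after `X-Content-Type-Options`). The following linter is an added example, not code from the post or the project; it parses `add_header` lines, checks the header name against the headers a browser enforces, and validates the CSP directive names. The sample lines are constructed from the config in the post.

```python
"""Lint nginx add_header directives for security-header typos (added example)."""
import re

# Headers a browser enforces; a near-miss spelling means the protection is off.
KNOWN_HEADERS = {
    "strict-transport-security", "content-security-policy",
    "x-content-type-options", "x-frame-options", "referrer-policy",
}
CSP_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "frame-src", "frame-ancestors", "form-action",
    "base-uri", "report-uri", "report-to", "upgrade-insecure-requests",
}
# add_header <name> <value> [always];  value may be "...", '...' or a bare token
ADD_HEADER = re.compile(r'''^\s*add_header\s+(\S+)\s+(?:"([^"]*)"|'([^']*)'|(\S+))''')


def lint_add_header(line):
    """Return the list of problems found in one nginx add_header line."""
    problems = []
    m = ADD_HEADER.match(line)
    if not m:
        return problems
    name = m.group(1)
    value = next(v for v in m.groups()[1:] if v is not None)
    if name.endswith(":"):
        problems.append(f"header name {name!r} ends with ':' (nginx adds the colon)")
        name = name[:-1]
    norm = name.lower()
    if norm not in KNOWN_HEADERS and norm.replace("_", "-") in KNOWN_HEADERS:
        problems.append(f"header name {name!r} uses '_' where '-' is expected")
    if norm.replace("_", "-") == "content-security-policy":
        for directive in filter(None, (d.strip() for d in value.split(";"))):
            dname = directive.split()[0]
            if dname.endswith(":"):
                problems.append(f"CSP directive {dname!r} must not end with ':'")
                dname = dname[:-1]
            if dname not in CSP_DIRECTIVES:
                problems.append(f"unknown CSP directive {dname!r}")
    return problems


# Constructed sample input: the add_header lines as written in the post.
SAMPLE_CONFIG = [
    "add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload' always;",
    "add_header Content_Security-Policy \"default-src 'self'; frame-ancestors: 'self'; form-action 'self';\";",
    'add_header X-Content-Type-Options: "nosniff";',
]


def lint_config(lines):
    """Map each offending line number (1-based) to its list of problems."""
    return {i: p for i, line in enumerate(lines, 1) if (p := lint_add_header(line))}


if __name__ == "__main__":
    for lineno, problems in lint_config(SAMPLE_CONFIG).items():
        for problem in problems:
            print(f"line {lineno}: {problem}")
```

Running it reports the underscore and the two stray colons; the HSTS line passes. Verifying the live response with `curl -sI https://bavarian-joke-generator.org` would then show whether the corrected names actually reach the browser.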