Having followed the documentation thoroughly yet unable to access the instance on https.
My setup
Every setup is done. (Creation of user, postgresql, java, tomcat.). The tomcat is listening to port 80
server.xml at /tomcat/conf/server.xml uses port 8080
both port 80 and 8080 /apache full and nginx full are enabled in ufw
Now nginx server also listening default port 80 with reserverProxy at http://localhost:8080
With either apache2 or nginx can start at a time since they are listening to port 80.
When either apache port or nginx port is changed, application port to default apache page
Could it be that you’re being redirected to this default page because you’ve configured it at localhost rather than http://localhost:8080/<instance-name>?
I’m asking this question because I read this before mentioned in the LetsEncrypt installation when using ng-tools:
Web proxy
By default you will have installed an apache2 reverse proxy server with an SSL/TLS certificate from letsencrypt. You will be able to browse to your DHIS2 instances with https://<server_name>/<instance_name>. You will also be able to browse to the system monitor at https://server_name>/munin. It should soon be also possible to use an nginx proxy, but the apache2 one is currently the best tested.
If you browse to home page at https//:<server_name> you will reach the apache2 default page.
@fosuhene , I’m not really sure, just guessing, but I think it might help other experts and community members with more experience to help you if you share configuration settings (without sensitive info)
@fosuhene, also please, did you go over these steps from the docs:
Now, lets configure Apache by enabling the SSL modules and creating a default site.
a2enmod ssl
a2ensite default-ssl
Now, we need to edit the default-ssl (located at /etc/apache2/sites-enabled/default-ssl) file in order to enable the SSL transfer functionality of Apache.
Be sure that the *:80 section of this file is changed to port *:443, which is the default SSL port. Also, be sure to change the ServerAdmin to the webmaster’s email. Lastly, we need to be sure that the hostname is setup properly in /etc/hosts. Just under the “localhost” line, be sure to add the server’s IP address and domain name.
Good morning and thank you all for the swift response.
Here is what I am doing.
I am not using apache as the reverse proxy instead I am using nginx according to the documentation.
NB: I would be happy if a team member can share with me his apache proxy configuration.
This implies that I am not using the /etc/apache2/sites-available/default-ssl.conf but /etc/nginx/nginx.conf and /etc/nginx/sites-available/default
NB: I getting a bit confuse as @Gassim suggesting I should use the apache instead of the nginx since the apache has been tested and tried whiles the documentation is stating otherwise. I need someone to share with me his notes.
Here is a proposed reference setup for Nginx (1.18.0) + SSL. We assume that you already have your SSL certificates (from Letsencrypt or any other provider) in place.
Your /etc/nginx/sites-enabled/YOUR.HOST.NAME should contain:
server {
# Listen to the HTTP port both on IPv4 and IPv6
# (comment out the 2nd line if you have IPv4 only)
listen 80;
listen [::]:80;
# Listen to the HTTPS port both on IPv4 and IPv6
# (comment out the 2nd line if you have IPv4 only)
listen 443 ssl http2;
listen [::]:443 ssl http2;
# Paths to SSL certificate
# (specific to Letsencrypt, can have different paths on other systems)
ssl_certificate /etc/letsencrypt/live/YOUR.HOST.NAME/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/YOUR.HOST.NAME/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/YOUR.HOST.NAME/chain.pem;
# Redirect all HTTP requests to HTTPS
if ($scheme = http) {
return 301 https://$host$request_uri;
}
# Your virtual host name and root directory
# (should be empty, if you use a reverse proxy)
server_name YOUR.HOST.NAME;
root /var/www/YOUR.HOST.NAME;
# Ensure that you have a reasonable log rotation policy in place
# to avoid running out of disk space
access_log /var/log/nginx/YOUR.HOST.NAME.access.log;
error_log /var/log/nginx/YOUR.HOST.NAME.error.log;
# Specific to Letsencrypt, may be not needed in your configuration
location /.well-known/ {
alias /var/www/html/.well-known/;
}
location / {
# Pass all requests to our backend
proxy_pass http://localhost:8080/;
}
}
Tomcat with the DHIS2 backend application should run only as a non-privileged user on a port higher than 1024/tcp for security reasons. Requests are accepted on 80/tcp (redirected to HTTPS) and 443/tcp and then sent via reverse proxy (Nginx) to the backend.
Your /home/dhis/config/dhis.conf should contain the following lines:
# ----------------------------------------------------------------------
# Server
# ----------------------------------------------------------------------
# Enable secure settings if deployed on HTTPS, default 'off', can be 'on'
server.https = on
# Server base URL
server.base.url = https://YOUR.HOST.NAME
You can check if you have configured ports properly with the netstat command. In this example we assume that both Nginx and Tomcat are running on the same machine, and use only IPv4.
root@ubuntu:~# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 11082/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 11082/nginx: master
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN 1018/java
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 1018/java
