Can't get full site ssl

I’m using the docker image to intall ghost. I pulled the latest image 3.9.0 then run it with

docker run -d --name ghostx -e url=http://blog.writ.design -p 3001:2368 --restart=always -v /home/ubuntu/ghost/blog:/var/lib/ghost/content ghost

And I intalled nginx for reverse proxy and ssl. It seems work fine, but I find the admin page shows Mixed Content, google it for some help get two related issues.


Then I run the image with url=https,I fall into a endless redir loop. No matter how I modify the nginx configuration file, it is useless. Here is my current configuration

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
   
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;

        proxy_pass http://127.0.0.1:3001;
        proxy_redirect off;
    }

}

Then I try to curl the docker port.

curl -I 127.0.0.1:3001                             
HTTP/1.1 301 Moved Permanently
X-Powered-By: Express
Cache-Control: public, max-age=31536000
Location: https://127.0.0.1/
Vary: Accept, Accept-Encoding
Content-Type: text/plain; charset=utf-8
Content-Length: 52
Date: Thu, 05 Mar 2020 19:47:33 GMT
Connection: keep-alive

curl -I https://127.0.0.1:3001                       
curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number

I used to deploy rocket.chat, which is also a node.js app. It runs with ROOT_URL=http://localhost:3000.
but it works fine behind nginx.

-e url=http://blog.writ.design

This needs to be -e url=https://blog.writ.design if you are using https.

pls read the complete question, I tried change it to https.
It cause a endless redirect loop.

If I change nginx conf at the same time like proxy_pass https://127.0.0.1:3001;
It cause a ssl handshake failed.

[error] 16464#16464: *11 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 38.147.160.61, server: blog.writ.design, request: "HEAD / HTTP/2.0", upstream: "https://127.0.0.1:3001/", host: "blog.writ.design"

That sounds like you’re missing the x-forwarded-proto header.

You can see example nginx setup in the Ghost-CLI package which is the official/supported install method https://github.com/TryGhost/Ghost-CLI/blob/master/extensions/nginx/templates/nginx-ssl.conf

1 Like