Nginx.conf_redirect files being removed

andrewnewby · November 20, 2024, 7:29am

Hi,

I’m not too sure whats going on here. My redirect files seem to have vanished! Looking at the backup vs the current conf folder, I can see nginx.conf_redirect , nginx.ssl.conf_redirect and nginx.forcessl.conf are missing:

Its done this on multiple user accounts. I also had it on another server, which we noticed stopped stopped doing a SSL redirect

I’m not looking forward to fixing this. We have hundreds of sites on the servers

Has anyone else seen this behaviour? My job now is to go back over and fix up all the sites - not how I envisinged spending my day

BTW, in system.log, I can see the commands doing it:

v-delete-web-domain-redirect  'montferlandinbe' 'montferlandinbeeld.nl'
v-delete-web-domain-ssl-force  'montferlandinbe' 'montferlandinbeeld.nl'

I can see back further in the log, it seems to remove and then re-add:

2024-11-05 02:03:03 v-delete-web-domain-redirect  'hallomontfer' 'hallomontferland.nl'
2024-11-05 02:03:04 v-restart-service  'apache2' ''
2024-11-05 02:03:05 v-restart-service  'nginx' ''
2024-11-05 02:03:05 v-delete-web-domain-ssl-force  'hallomontfer' 'hallomontferland.nl'
2024-11-05 02:03:07 v-restart-service  'nginx' ''
2024-11-05 02:03:17 v-restart-service  'nginx' ''
2024-11-05 02:03:28 v-generate-ssl-cert  'hallomontferland.nl' '[email protected]' 'US' 'California' 'San Francisco' 'Hestia' 'IT' 'www.hallomontferland.nl'
2024-11-05 02:03:30 v-update-web-domain-ssl 
2024-11-05 02:03:31 v-restart-service  'apache2' ''
2024-11-05 02:03:31 v-restart-service  'nginx' ''
2024-11-05 02:03:31 v-add-web-domain-ssl-force  'hallomontfer' 'hallomontferland.nl'
2024-11-05 02:03:31 v-add-web-domain-redirect  'hallomontfer' 'hallomontferland.nl' 'http://hallo.montferland.nl' '301'

This time it removed them the same, but then failed to re-add them.

Cheers

Andy

eris · November 20, 2024, 8:04am

It looks like it is don during Letsencrypt generation but if it is only used for redirecting to https:// v-add-web-domain-redirect is not needed

andrewnewby · November 20, 2024, 8:17am

Odd. Its worked perfectly before. It happened across several servers on v1.8.12.

If its any help, I think the common thing is that the sites have SSL enabled, but are redirecting to a new URL. So for example:

test.com
has ssl (lets encrypt)
has force ssl redirect

Then it gets set to forward to somenewsite.com as a 301.

Could this be the issue? (its worked fine with this login ever since I’ve used it)

Cheers

Andy

erador · November 20, 2024, 12:01pm

I’m having the same issue.

We use hestia to redirect to www for ~800 domains, and these have letsencrypt enabled, so that https:// also works. The www is pointed to a CNAME elsewhere, but I don’t see that that should have any bearing on this.

Seems like it happens on LE renewal, it removes the auto https redirect and the standard redirect to www!

It’s very annoying.

Are there any workarounds?

erador · November 20, 2024, 12:10pm

I re-added it on the 15th, and then on the 16th it’s removed again! along with 5 attempts to renew the cert (i presume) - but it’s valid till Dec 15.

2024-11-15 17:33:40 v-add-web-domain-ssl-hsts  'user' 'xxx.co.uk'
2024-11-15 17:33:41 v-add-web-domain-redirect  'user' 'xxx.co.uk' 'www.xxx.co.uk'
2024-11-15 17:33:47 v-add-web-domain-ssl-force  'user' 'xxx.co.uk'
2024-11-16 07:25:20 v-delete-web-domain-redirect  'user' 'xxx.co.uk'
2024-11-16 07:25:25 v-delete-web-domain-ssl-force  'user' 'xxx.co.uk'
2024-11-16 07:25:41 v-generate-ssl-cert  'xxx.co.uk' '[email protected]' 'US' 'California' 'San Francisco' 'Hestia' 'IT' ''
2024-11-17 07:25:38 v-generate-ssl-cert  'xxx.co.uk' '[email protected]' 'US' 'California' 'San Francisco' 'Hestia' 'IT' ''
2024-11-18 07:25:36 v-generate-ssl-cert  'xxx.co.uk' '[email protected]' 'US' 'California' 'San Francisco' 'Hestia' 'IT' ''
2024-11-19 07:25:37 v-generate-ssl-cert  'xxx.co.uk' '[email protected]' 'US' 'California' 'San Francisco' 'Hestia' 'IT' ''
2024-11-20 07:25:43 v-generate-ssl-cert  'xxx.co.uk' '[email protected]' 'US' 'California' 'San Francisco' 'Hestia' 'IT' ''

andrewnewby · November 20, 2024, 12:32pm

Its good to know its not just me then!

andrewnewby · November 21, 2024, 6:24am

There is definatly something funky going on. It did it on 2 domains again last night. One of them being bestemmingmontferland.nl , looking at the logs I can see:

2024-11-21 00:00:37 v-add-web-domain-backend  'bestemmingm' 'bestemmingmontferland.nl' 'default' ''
2024-11-21 00:00:38 v-delete-web-domain-ssl-force  'bestemmingm' 'bestemmingmontferland.nl' 'no' 'yes'
2024-11-21 00:00:38 v-add-web-domain-ssl-force  'bestemmingm' 'bestemmingmontferland.nl' 'no' 'yes'

That seems at midnight. Then at 2am, when it runs the next time - I get:

2024-11-21 02:03:52 v-delete-web-domain-redirect  'bestemmingm' 'bestemmingmontferland.nl'
2024-11-21 02:03:52 v-restart-service  'apache2' ''
2024-11-21 02:03:52 v-restart-service  'nginx' ''
2024-11-21 02:03:52 v-delete-web-domain-ssl-force  'bestemmingm' 'bestemmingmontferland.nl'
2024-11-21 02:03:54 v-restart-service  'nginx' ''
2024-11-21 02:04:04 v-restart-service  'nginx' ''
2024-11-21 02:04:15 v-generate-ssl-cert  'bestemmingmontferland.nl' '[email protected]' 'US' 'California' 'San Francisco' 'Hestia' 'IT' 'www.bestemmingmontferland.nl'

So it removes the forced ssl, and redirect, and then doesn’t put it back

Just as an update - the issue only seems to occur on sites that have a LE cert, and “force ssl”, and a redirect to another site. I tried doing it without the LE cert, but it won’t do the 301’s ok on the https, due to there obviously not being a valid certificate any more

Cheers

Andy

eris · November 25, 2024, 11:06pm

https://github.com/hestiacp/hestiacp/issues/4640https://github.com/hestiacp/hestiacp/issues/4640

Need to look into it…

sahsanu · November 27, 2024, 1:07pm

I only took a quick look to v-add-letsencrypt-domain, but the problem seems to be this:

if [ -n "$mail" ]; then
        root_domain=$domain
        domain="mail.$root_domain"
        webmail=$(get_object_value "mail" "DOMAIN" "$root_domain" '$WEBMAIL')
        if [ -n "$webmail" ]; then
                aliases="$WEBMAIL_ALIAS.$root_domain"
        fi
else
        parse_object_kv_list $(grep "DOMAIN='$domain'" $USER_DATA/web.conf)

        domain_redirect="$REDIRECT"
        if [[ -n "$domain_redirect" ]]; then
                domain_redirect_code="$REDIRECT_CODE"
                $BIN/v-delete-web-domain-redirect $user $domain
        fi

        domain_forcessl="$SSL_FORCE"
        if [[ "$domain_forcessl" == 'yes' ]]; then
                $BIN/v-delete-web-domain-ssl-force $user $domain
        fi
fi

When adding or updating a certificate, if the domain has a redirect or is enforcing SSL, the script removes these configurations. The problem arises if the certificate is not issued for any reason: the script will exit, but neither the redirect nor the SSL enforcement will be re-created.

The function check_result terminates the script if an error occurs. There are 17 calls to check_result between the deletion of the redirect/SSL enforcement and their re-creation, meaning:

1.- We could remove the deletion of the redirect and/or SSL enforcement, but I’m not entirely sure why these are removed at the start of the process.

or

2.- We could create a function to reapply the redirect/SSL enforcement (if they previously existed) before calling check_result.

As mentioned, I only took a quick look and did not debug or test this, so there may be additional factors to consider.

eris · November 27, 2024, 6:04pm

it is removed otherwise ssl request wont work.

But we probally need to add een exception for well-know dir