Nginx only serves 1 App
Root Server with Ubuntu 16.04. Nginx Version: 1.10.3

I have an Nginx server that serves 1 Application: An open source Cloud Server from Seafile that listens on cloud.mydomain.com

I now tried to add another Application to my server: A Mattermost server that should listen on chat.mydomain.com

When I am adding the Nginx config for Mattermost, then it only is available when I deactivate the Seafile nginx config. So the server only serves one application at a time and that's always the Seafile Server. Then no nginx error.logs or access.logs get any data from the Mattermost login attempts.

I am pasting the configs below and am hoping that someone could give me a tip what I have done wrong or what I need to change. I don't understand why Nginx does not listen for chat.mydomain.com

Any help would be very much appreciated!

SEAFILE NGINX CONFIG:

    server {
        listen 80 http2;
        listen [::]:80 http2;
        server_name cloud.mydomain.com;
        rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
        # Enables or disables emitting nginx version on error pages and in the "Server" response header field.
        server_tokens off;
    }

    server {
        listen 443 ssl http2; # managed by Certbot
        listen [::]:443 http2;
        ssl on;
        server_name cloud.mydomain.com;
        ssl_session_cache shared:SSL:5m;
        server_tokens off;
        ssl_certificate /etc/letsencrypt/live/cloud.mydomain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/cloud.mydomain.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        proxy_set_header X-Forwarded-For $remote_addr;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

        location / {
            proxy_pass http://127.0.0.1:8000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_set_header X-Forwarded-Proto https;
            proxy_read_timeout 1200s;
            # used for view/edit office file via Office Online Server
            client_max_body_size 0;
            access_log /var/log/nginx/seahub.access.log;
            error_log /var/log/nginx/seahub.error.log;
        }

        location /seafhttp {
            rewrite ^/seafhttp(.*)$ $1 break;
            proxy_pass http://127.0.0.1:8082;
            client_max_body_size 0;
            proxy_connect_timeout 36000s;
            proxy_read_timeout 36000s;
            proxy_send_timeout 36000s;
            send_timeout 36000s;
            proxy_request_buffering off;
        }

        location /media {
            root /home/user/seafile.cloud/seafile-server-latest/seahub;
        }

        location /webdav {
            fastcgi_pass 127.0.0.1:8080;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_param SERVER_PROTOCOL $server_protocol;
            fastcgi_param QUERY_STRING $query_string;
            fastcgi_param REQUEST_METHOD $request_method;
            fastcgi_param CONTENT_TYPE $content_type;
            fastcgi_param CONTENT_LENGTH $content_length;
            fastcgi_param SERVER_ADDR $server_addr;
            fastcgi_param SERVER_PORT $server_port;
            fastcgi_param SERVER_NAME $server_name;
            fastcgi_param HTTPS on;
            fastcgi_param HTTP_SCHEME https;
            client_max_body_size 0;
            proxy_connect_timeout 36000s;
            proxy_read_timeout 36000s;
            proxy_send_timeout 36000s;
            send_timeout 36000s;
            # This option is only available for Nginx >= 1.8.0. See more details below.
            proxy_request_buffering off;
            access_log /var/log/nginx/seafdav.access.log;
            error_log /var/log/nginx/seafdav.error.log;
        }
    }

MATTERMOST NGINX CONFIG:

    upstream backend {
        server 127.0.0.1:8065;
    }

    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;

    server {
        listen 80;
        listen [::]:80;
        server_name chat.mydomain.com;

        location ~/api/v[0-9]+/(users/)?websocket$ {
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            client_max_body_size 50M;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Frame-Options SAMEORIGIN;
            proxy_buffers 256 16k;
            proxy_buffer_size 16k;
            proxy_read_timeout 600s;
            proxy_pass http://backend;
        }

        location / {
            client_max
Re: Nginx only serves 1 App
Dear Moshe

I did switch off the seafile configuration and that means that the normal chat.mydomain.com works again with nginx. I did then do

> sudo certbot --nginx

and the site chat.mydomain.com now runs with SSL.

So then I switch seafile conf on again --> Seafile works as always. AND mattermost on chat.mydomain.com works, but ONLY if I add https:// in front of the web address.

So:

chat.mydomain.com <-- does only work when seafile off (then redirects)
http://chat.mydomain.com <-- does only work when seafile off (then redirects)
https://chat.mydomain.com <-- works when seafile is on and/or off.

Why does nginx not redirect the chat.mydomain.com to https?

The new config for chat.mydomain.com is this. It got changed by certbot automatically.

MATTERMOST:

    upstream backend {
        server 127.0.0.1:8065;
    }

    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;

    server {
        server_name chat.mydomain.com;

        location ~/api/v[0-9]+/(users/)?websocket$ {
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            client_max_body_size 50M;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Frame-Options SAMEORIGIN;
            proxy_buffers 256 16k;
            proxy_buffer_size 16k;
            proxy_read_timeout 600s;
            proxy_pass http://backend;
        }

        location / {
            client_max_body_size 50M;
            proxy_set_header Connection "";
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Frame-Options SAMEORIGIN;
            proxy_buffers 256 16k;
            proxy_buffer_size 16k;
            proxy_read_timeout 600s;
            proxy_cache mattermost_cache;
            proxy_cache_revalidate on;
            proxy_cache_min_uses 2;
            proxy_cache_use_stale timeout;
            proxy_cache_lock on;
            proxy_pass http://backend;
        }

        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/chat.mydomain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/chat.mydomain.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        if ($host = chat.mydomain.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        server_name chat.mydomain.com;
        return 404; # managed by Certbot
    }

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279794,279806#msg-279806
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Re: Nginx only serves 1 App
Thanks a lot Moshe for all the efforts. The gist is pretty cool. I will check it out and have a go with it.

I will also look closer at the config:

> include /etc/letsencrypt/options-ssl-nginx.conf;

Maybe there is something in there that's strange. I will get back to you here in this thread.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279794,279809#msg-279809
Re: Nginx only serves 1 App
The config that you propose does not require switching nginx off for letsencrypt refreshes, correct?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279794,279810#msg-279810
Re: Nginx only serves 1 App
Here is what makes everything work ok:

In the cloud.conf (Seafile) I deleted the "http2" in the server part that listens on port 80 and redirects. It looks like this now:

    server {
        listen 80;
        listen [::]:80;
        server_name cloud.mydomain.com;
        rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
        # Enables or disables emitting nginx version on error pages and in the "Server" response header field.
        server_tokens off;
    }

Now everything works fine. I am not sure what advantage / disadvantage http2 had, to be honest. Maybe the http2 part should only be inside the config part that configures the 443 access? Well, this did the trick at least.

I am still interested in the config that you posted on gist though. It looks really tidy and well organised. So I would still like to know if I can leave Nginx running for letsencrypt bot to work ;-))

Greetings, Chris

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279794,279811#msg-279811
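The fix in the post above, as an added example that is not part of the original thread: on the nginx version discussed here (1.10.3), `http2` is a parameter of the listening socket, so `listen 80 http2;` in one server block changes how port 80 behaves for every server block bound to it, including chat.mydomain.com. The checker below flags such sockets; `server_blocks`, `cleartext_http2` and `SAMPLE` are hypothetical names, and the sample config is constructed from the thread's listen lines.

```python
import re
from collections import defaultdict

# Constructed sample: only the listen/ssl/server_name lines of the thread's vhosts.
SAMPLE = """
upstream backend { server 127.0.0.1:8065; }
server { listen 80 http2; listen [::]:80 http2; server_name cloud.mydomain.com; }
server { listen 443 ssl http2; listen [::]:443 http2; ssl on;
         server_name cloud.mydomain.com; }
server { listen 80; listen [::]:80; server_name chat.mydomain.com;
         location / { proxy_pass http://backend; } }
"""

def server_blocks(conf):
    """Yield each server { } block as a list of its direct directives (word lists).
    Simplified tokenizer: assumes no '#', '{', '}' or ';' inside quoted values."""
    tokens = re.findall(r"[{};]|[^{};]+", re.sub(r"#[^\n]*", "", conf))
    depth, block, at, words = 0, None, 0, []
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            words = tok.split()        # text of a directive or block header
            continue
        if tok == "{":
            if block is None and words == ["server"]:
                block, at = [], depth  # entering a server block
            depth += 1
        elif tok == "}":
            depth -= 1
            if block is not None and depth == at:
                yield block
                block = None
        elif block is not None and depth == at + 1 and words:
            block.append(words)        # ';' ends a directive directly in server {}
        words = []

def cleartext_http2(conf):
    """Map each http2 listen socket without TLS to every server_name bound to it."""
    flagged, names_on = set(), defaultdict(set)
    for block in server_blocks(conf):
        ssl_on = ["ssl", "on"] in block          # legacy block-wide "ssl on;"
        names = [n for d in block if d[0] == "server_name" for n in d[1:]]
        for d in (d for d in block if d[0] == "listen"):
            sock = "*:" + d[1] if d[1].isdigit() else d[1]
            names_on[sock].update(names)
            if "http2" in d[2:] and "ssl" not in d[2:] and not ssl_on:
                flagged.add(sock)
    return {s: sorted(names_on[s]) for s in sorted(flagged)}

if __name__ == "__main__":
    for sock, names in cleartext_http2(SAMPLE).items():
        print(f"{sock}: http2 without TLS, also affects {', '.join(names)}")
```

Running it against the concatenated contents of the enabled site configs lists every hostname that shares a flagged socket, which is why the Mattermost host was affected by a line in the Seafile file.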
Re: Nginx only serves 1 App
Hi Moshe

I wanted to come back to you again to thank you very much. I changed my nginx config file arrangement according to your proposal on https://gist.github.com/kohenkatz/08a74d757e0695f4ec3dc34c44ea4369#file-redirect-all-http-to-https-conf

And I think it's awesome :-) Very well structured and works perfectly.

The only thing I do not understand is how I can add letsencrypt certificates to a new webpage. Let's say I have a new web root in /var/www/new.page.com

If I run sudo certbot --nginx would I get an error for missing certificates? Or how would I do that?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279794,279934#msg-279934
Re: Nginx only serves 1 App
I mean what would the nginx config for new.page.com look like?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279794,279935#msg-279935
Re: Nginx only serves 1 App
Hi Moshe

This works absolutely perfectly. Thank you so much for letting me (us) know how to use the config arrangement.

Let me summarize the steps also for other users that might stumble over this thread (and please feel free to correct/improve if required).

After performing the certbot command that you provided above the certificates were produced. Then I added the Website folder for new.page.com under /var/www/new.page.com and added a simple "hello world" index.html website to it. Then I made the folder and its contents owned by nginx:nginx

> sudo chown -R nginx:nginx /var/www/new.page.com

Then I added the simple nginx config file that listens on 443 and refers to the website folder:

    server {
        listen 443 http2 ssl;
        listen [::]:443 http2 ssl;
        server_name new.page.com;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/new.page.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/new.page.com/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        location / {
            root /var/www/new.page.com;
        }
    }

Opening new.page.com in the web browser will open the "Hello World" page with https.

Now the certificate can be renewed with the command

> sudo certbot renew

This can be checked by performing

> sudo certbot renew --dry-run

This is important because the command "certbot renew" can easily be added to a crontab for automatic renewal of the certificates.

I hope the above helps other people as well. Thank you again Moshe. Until another given time ;-)

Chris

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279794,279944#msg-279944