Nginx only serves 1 App

Nginx-Chris
Nginx only serves 1 App
May 15, 2018 10:40AM
Root Server with Ubuntu 16.04.
Nginx Version: 1.10.3

I have an Nginx server that serves 1 Application: An open source Cloud
Server from Seafile that listens on cloud.mydomain.com

I now tried to add another Application to my server: A Mattermost server
that should listen on chat.mydomain.com

When I add the Nginx config for Mattermost, it is only available
when I deactivate the Seafile nginx config.

So the server only serves one application at a time, and that's always the
Seafile Server.
Also, no nginx error.log or access.log gets any data from the Mattermost
login attempts.

I am pasting the configs below and am hoping that someone could give me a
tip on what I have done wrong or what I need to change.
I don't understand why Nginx does not listen for chat.mydomain.com.

Any help would be very much appreciated!

SEAFILE NGINX CONFIG:

server {

listen 80 http2;
listen [::]:80 http2;
server_name cloud.mydomain.com;

rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https

# Enables or disables emitting nginx version on error pages and in the "Server" response header field.
server_tokens off;

}

server {
listen 443 ssl http2; # managed by Certbot
listen [::]:443 http2;
ssl on;

server_name cloud.mydomain.com;

ssl_session_cache shared:SSL:5m;
server_tokens off;

ssl_certificate /etc/letsencrypt/live/cloud.mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/cloud.mydomain.com/privkey.pem; # managed by Certbot

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

proxy_set_header X-Forwarded-For $remote_addr;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto https;

proxy_read_timeout 1200s;

# used for view/edit office file via Office Online Server
client_max_body_size 0;

access_log /var/log/nginx/seahub.access.log;
error_log /var/log/nginx/seahub.error.log;
}

location /seafhttp {
rewrite ^/seafhttp(.*)$ $1 break;
proxy_pass http://127.0.0.1:8082;
client_max_body_size 0;

proxy_connect_timeout 36000s;
proxy_read_timeout 36000s;
proxy_send_timeout 36000s;
send_timeout 36000s;

proxy_request_buffering off;
}

location /media {
root /home/user/seafile.cloud/seafile-server-latest/seahub;
}

location /webdav {
fastcgi_pass 127.0.0.1:8080;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;

fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS on;
fastcgi_param HTTP_SCHEME https;

client_max_body_size 0;
proxy_connect_timeout 36000s;
proxy_read_timeout 36000s;
proxy_send_timeout 36000s;
send_timeout 36000s;

# This option is only available for Nginx >= 1.8.0. See more details below.
proxy_request_buffering off;

access_log /var/log/nginx/seafdav.access.log;
error_log /var/log/nginx/seafdav.error.log;
}
}




MATTERMOST NGINX CONFIG:

upstream backend {
server 127.0.0.1:8065;
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m
max_size=3g inactive=120m use_temp_path=off;

server {
listen 80;
listen [::]:80;
server_name chat.mydomain.com;

location ~/api/v[0-9]+/(users/)?websocket$ {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_pass http://backend;
}

location / {
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache mattermost_cache;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_pass http://backend;
}
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279794,279794#msg-279794

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Friscia, Michael
Re: Nginx only serves 1 App
May 15, 2018 01:30PM
What happens if you only use one config file and put all of that in it?

Nothing really stands out to me in your config. I run about 600 domain names through one Nginx server with many sub-domains in separate server blocks. I've had issues where a subdomain was not served correctly before. I ended up dumbing down the config to just server blocks with only access logs and a bunch of custom headers to make sure the request was being handled in the block I thought it would be in.

___________________________________________
Michael Friscia
Office of Communications
Yale School of Medicine
(203) 737-7932 - office
(203) 931-5381 - mobile
http://web.yale.edu/

Moshe Katz
Re: Nginx only serves 1 App
May 15, 2018 03:20PM
Looks to me like your problem is that Seafile is using HTTPS but Mattermost
is not.

That said, I don't understand how you are able to get to Mattermost at all,
since you are setting HSTS headers that should prevent your browser from
going to a non-secure page on your domain.

Add HTTPS configuration for Mattermost and see if that helps.

--
Moshe Katz
-- kohenkatz@gmail.com
-- +1(301)867-3732


Nginx-Chris
Re: Nginx only serves 1 App
May 15, 2018 10:40PM
Dear Moshe

I did switch off the seafile configuration and that means that the normal
chat.mydomain.com works again with nginx.

I did then do

> sudo certbot --nginx

and the site chat.mydomain.com now runs with SSL.

So then I switch seafile conf on again --> Seafile works as always.

AND mattermost on chat.mydomain.com works, but ONLY if I add https:// in
front of the web address.

So:

chat.mydomain.com <-- does only work when seafile off (then redirects)
http://chat.mydomain.com <-- does only work when seafile off (then
redirects)

https://chat.mydomain.com <-- works when seafile is on and/or off.

Why does nginx not redirect the chat.mydomain.com to https?

This is the new config for chat.mydomain.com; it was changed by certbot
automatically.

MATTERMOST:

upstream backend {
server 127.0.0.1:8065;
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m
max_size=3g inactive=120m use_temp_path=off;

server {
server_name chat.mydomain.com;

location ~/api/v[0-9]+/(users/)?websocket$ {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_pass http://backend;
}

location / {
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache mattermost_cache;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_pass http://backend;
}

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/chat.mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/chat.mydomain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


server {
if ($host = chat.mydomain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot



listen 80;
server_name chat.mydomain.com;
return 404; # managed by Certbot
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279794,279806#msg-279806

Moshe Katz
Re: Nginx only serves 1 App
May 16, 2018 05:50AM
That last "# managed by Certbot" section looks wrong - it shouldn't be
using "if ($host = ...", since that's inefficient and there are much better
ways to do it.

I have a very similar server, so here are the config files I use for it. I
don't like pasting them into emails, so I made a GitHub Gist:
https://gist.github.com/kohenkatz/08a74d757e0695f4ec3dc34c44ea4369 (that
also means I can edit it later if it doesn't work for you).

Note that with this configuration you have to run Certbot in "certonly"
mode instead of nginx mode. However, that is very easy.
I have eight servers configured in this exact way (though most of them with
applications other than Seafile and Mattermost, but it doesn't matter).

Here is the certbot command I use:
sudo certbot certonly --webroot -w /usr/share/nginx/html -d domain-name-here.example.com
(If you changed the path for `.well-known` in the config files in my Gist,
you will also need to change it here.)

Let me know how this works for you.

Moshe

--
Moshe Katz
-- kohenkatz@gmail.com
-- +1(301)867-3732


Nginx-Chris
Re: Nginx only serves 1 App
May 16, 2018 07:10AM
Thanks a lot Moshe for all the efforts. The gist is pretty cool.

I will check it out and have a go with it.

I will also look closer at the config:

> include /etc/letsencrypt/options-ssl-nginx.conf;

Maybe there is something in there that's strange.

I will get back to you here in this thread.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279794,279809#msg-279809

Nginx-Chris
Re: Nginx only serves 1 App
May 16, 2018 07:20AM
The config that you propose does not require switching nginx off for
letsencrypt refreshes, correct?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279794,279810#msg-279810

Nginx-Chris
Re: Nginx only serves 1 App
May 16, 2018 07:50AM
Here is what makes everything work ok:

In the cloud.conf (Seafile) I deleted the "http2" in the server part that
listens on port 80 and redirects.

It looks like this now:

server {

listen 80;
listen [::]:80;
server_name cloud.mydomain.com;

rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https

# Enables or disables emitting nginx version on error pages and in the "Server" response header field.
server_tokens off;

}

Now everything works fine.

I am not sure what advantage / disadvantage http2 had, to be honest.

Maybe the http2 part should only be inside the config part that configures
the 443 access?

Well, this did the trick at least.

I am still interested in the config that you posted on gist though.
It looks really tidy and well organised.

So I would still like to know if I can leave Nginx running for letsencrypt
bot to work ;-))

Greetings, Chris

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279794,279811#msg-279811

Moshe Katz
Re: Nginx only serves 1 App
May 16, 2018 03:20PM
Somehow we all missed that - of course you can't run `http2` on port 80 and
have it work since `http2` requires SSL.
With that configuration, you would have been able to get to the chat
subdomain only by going to `https:// chat.mydomain .com:80/` - notice that
it is https but is forced back to port 80. (I purposely added spaces to
prevent that from being a link in many mail clients.)

To answer the question about LetsEncrypt renewal, you need to leave nginx
running in order for it to work since it still relies on nginx to serve the
`.well-known` files that make the domain verification work. If you would
stop nginx, you would be unable to run the validation.

The one thing that you do need to do is make sure that LetsEncrypt knows to
reload nginx when a certificate changes so that nginx can see the new
certificate file.
If you are on a system that uses SystemD, this is what you need to do:

Create a shell script in `/etc/letsencrypt/renewal-hooks/deploy` with the
following contents:

#!/bin/bash
/bin/systemctl reload nginx.service

Make sure to set it as executable, and then Certbot will run it
automatically for every renewal.

Alternatively, you can go into each file in `/etc/letsencrypt/renewal/*`
and add the following line in the `[renewalparams]` section:

deploy_hook = /bin/systemctl reload nginx

Of course, that means you need to modify the renewal file for each domain
separately.

Moshe
--
Moshe Katz
-- kohenkatz@gmail.com
-- +1(301)867-3732


Nginx-Chris
Re: Nginx only serves 1 App
May 23, 2018 10:20PM
Hi Moshe

I wanted to come back to you again to thank you very much.

I changed my nginx config file arrangement according to your proposal on
https://gist.github.com/kohenkatz/08a74d757e0695f4ec3dc34c44ea4369#file-redirect-all-http-to-https-conf

And I think it's awesome :-)

Very well structured and works perfectly.

The only thing I do not understand is how I can add letsencrypt certificates
to a new webpage.

Let's say I have a new web root in /var/www/new.page.com

If I run sudo certbot --nginx, would I get an error for missing certificates?
Or how would I do that?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279794,279934#msg-279934

Nginx-Chris
Re: Nginx only serves 1 App
May 23, 2018 10:20PM
I mean, what would the nginx config for new.page.com look like?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279794,279935#msg-279935

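The thread ends on two open points: why "http2" on the port-80 Seafile block took chat.mydomain.com down with it, and what a vhost for a new site like new.page.com looks like under the certonly/webroot layout Moshe describes. The configuration below is an added example written for this page; it is not the thread's own config and not the linked gist. It assumes the ACME webroot /usr/share/nginx/html from the certbot command above, the web root /var/www/new.page.com from the question, a certificate already issued with "certbot certonly --webroot -w /usr/share/nginx/html -d new.page.com" into /etc/letsencrypt/live/new.page.com/, and log file names chosen for the example. The port-80 part is one catch-all for every site: nginx ties "listen" parameters such as http2 and ssl to the shared socket, so a single "listen 80 http2" in any server block switches *:80 to HTTP/2 for every name on that port, and a cleartext HTTP/2 listener does not answer ordinary HTTP/1.1 browser requests, which is exactly the symptom reported for chat.mydomain.com.

```nginx
# Added example (not from the thread or the linked gist). Assumed paths:
# ACME webroot /usr/share/nginx/html, site root /var/www/new.page.com,
# certificates under /etc/letsencrypt/live/new.page.com/ (issued with
# certbot certonly --webroot beforehand), log names made up for the example.

# Port 80, one block for all host names. Deliberately no "http2" here: the
# listen parameters belong to the shared *:80 socket, so http2 on one server
# block would put every name on this port into HTTP/2-only mode.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    server_tokens off;

    # Serve ACME HTTP-01 challenges from the webroot so certbot can renew
    # while nginx keeps running:
    #   certbot certonly --webroot -w /usr/share/nginx/html -d new.page.com
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
        default_type text/plain;
    }

    # Everything else goes to HTTPS on the name the client asked for.
    # $host already carries that name, so no "if ($host = ...)" is needed.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443 for the new site. http2 belongs here, where the listener is TLS.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name new.page.com;

    ssl_certificate     /etc/letsencrypt/live/new.page.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/new.page.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_session_cache shared:SSL:5m;

    server_tokens off;

    # Headers meant for the browser go through add_header. proxy_set_header
    # only rewrites the request nginx sends upstream, so a
    # "proxy_set_header X-Frame-Options SAMEORIGIN" never reaches the client.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN always;

    root  /var/www/new.page.com;
    index index.html;

    access_log /var/log/nginx/new.page.com.access.log;
    error_log  /var/log/nginx/new.page.com.error.log;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

With this catch-all in place, the per-site port-80 blocks (the Seafile redirect block and the certbot-generated "return 404" block) are no longer needed, and "default_server" may appear only once per address and port, so drop it from any other listener. For a proxied application such as Mattermost, the 443 block keeps the same certificate and header lines and replaces the "root"/"try_files" part with the "proxy_pass" locations already shown in the thread. After editing, "nginx -t" before "systemctl reload nginx" catches a broken directive before it takes the server down.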