502 error in subfolder installation, multiple servers sharing a domain


(Oleg Shishkov) #1

Hi friends,
sorry for the space in the www .example.com address, but I really need your help and the forum forbids publishing my post with correct links.
I have 2 DO droplets. The first droplet serves the principal site www.example.com and the second droplet serves the Discourse forum forum.example.com. I want to proxy all traffic from www.example.com/forum/ to the subdomain forum.example.com. I read a lot of forum posts and articles and eventually used the following comment, Discourse in a subfolder, multiple servers sharing a domain, to implement my requirements. I also have the virtual hosts www.example2.com and www.example3.com; they are used as domains for different language versions and they work fine. I also use the free Cloudflare plan to process traffic for both sites with the full strict SSL option enabled.

Result

  1. www.example.com works fine
  2. forum.example.com works fine
  3. www.example.com/forum/ shows a 502 HTTP error

I have 2 separate ssl certificates installed on both sites. Certificates support www and non-www site versions.

Here are the principal example.com nginx configurations

/etc/nginx/sites-available/default

root /var/www/example.com/public;
index index.php index.html index.htm;

server {
   server_name  example.com;
   rewrite ^(.*) https://www.example.com$1 permanent;
}

server {
   server_name example2.com;
   rewrite ^(.*) https://www.example2.com$1 permanent;
}

server {
   server_name example3.com;
   rewrite ^(.*) https://www.example3.com$1 permanent;
}

server {
  listen 443 ssl;

  server_name www.example.com www.example2.com www.example3.com;

  if ($request_method = "GET" ) {
     rewrite ^([^.]*[^/])$ $1/ permanent;
  }

  include /etc/nginx/conf.d/location;
  include /etc/nginx/conf.d/ssl;
  include /etc/nginx/conf.d/gzip;
}

/etc/nginx/conf.d/location

location / {
    try_files $uri $uri/ /index.php?$query_string;
}

location /forum {
    rewrite ^/forum/(.*) /$1 break;
    proxy_pass https://forum.example.com:443;

    proxy_redirect off;
    proxy_buffering off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|svg|woff|woff2|ttf)$ {
    expires 1M;
    access_log off;
    add_header Cache-Control "public";
}

/etc/nginx/conf.d/ssl

ssl_certificate /home/oleg/ssl/www.example.com.chained.crt;
ssl_certificate_key /home/oleg/ssl/www.example.com.key;

# disable ssl
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# optimizing the cipher suites
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

# connection credentials caching
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 180m;

# strict transport security
add_header Strict-Transport-Security "max-age=31536000";

/etc/nginx/conf.d/gzip

gzip_vary on;
gzip_disable "msie6";
gzip_comp_level 6;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_proxied any;
gzip_types
   text/plain
   text/css
   text/js
   text/xml
   text/javascript
   application/javascript
   application/x-javascript
   application/json
   application/xml
   application/xml+rss;

forum.example.com nginx configuration

upstream discourse {
    server 127.0.0.1:8080;
}

server {
    listen 80 default_server;
    server_name forum.example.com;
    return 301 https://forum.example.com$request_uri;
}

server {
    listen 443 default_server ssl;

    root /var/www/discourse/public;
    index index.html index.htm;

    server_name forum.example.com;

    ssl_certificate /home/oleg/ssl/forum.example.com.chained.crt;
    ssl_certificate_key /home/oleg/ssl/forum.example.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    location ~ /.well-known {
       allow all;
    }

    location / {
        proxy_pass http://discourse;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

/var/discourse/containers/app.yml

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
 
expose:
  - "127.0.0.1:8080:80"
  - "5432:5432"

params:
  db_default_text_search_config: "pg_catalog.english"
  db_shared_buffers: "256MB"

env:
  LANG: en_US.UTF-8
  UNICORN_WORKERS: 4
  DISCOURSE_HOSTNAME: forum.example.com
  DOCKER_USE_HOSTNAME: true
  DISCOURSE_DEVELOPER_EMAILS: 'myadminemail'

## smtp settings and credentials removed from this dump, but they work fine

volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/shared/standalone/log/var-log
      guest: /var/log

hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
          - git clone https://github.com/discoursehosting/discourse-sitemap.git
          - git clone https://github.com/discourse/discourse-spoiler-alert.git

run:
  - exec: echo "Beginning of custom commands"

www.example.com nginx version is nginx/1.13.0
www.example.com openssl version is 1.0.2k-1+deb.sury.org~trusty+5

forum.example.com nginx version is nginx/1.13.0
forum.example.com openssl version is 1.0.2g-1ubuntu4.1

www.example.com nginx error log

2017/05/12 05:15:01 [error] 5478#5478: *24473 connect() to [2400:cb00:2048:1::681b:a191]:443 failed (101: Network is unreachable) while connecting to upstream, client: 162.158.102.195, server: www.example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://[2400:cb00:2048:1::681b:a191]:443/", host: "www.example.com", referrer: "https://www.example.com/forum/"
2017/05/12 05:15:01 [warn] 5478#5478: *24473 upstream server temporarily disabled while connecting to upstream, client: 162.158.102.195, server: www.example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://[2400:cb00:2048:1::681b:a191]:443/", host: "www.example.com", referrer: "https://www.example.com/forum/"
2017/05/12 05:15:01 [error] 5478#5478: *24473 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, client: 162.158.102.195, server: www.example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://104.27.161.145:443/", host: "www.example.com", referrer: "https://www.example.com/forum/"
2017/05/12 05:15:01 [warn] 5478#5478: *24473 upstream server temporarily disabled while SSL handshaking to upstream, client: 162.158.102.195, server: www.example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://104.27.161.145:443/", host: "www.example.com", referrer: "https://www.example.com/forum/"
2017/05/12 05:15:01 [error] 5478#5478: *24473 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, client: 162.158.102.195, server: www.example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://104.27.160.145:443/", host: "www.example.com", referrer: "https://www.example.com/forum/"
2017/05/12 05:15:01 [warn] 5478#5478: *24473 upstream server temporarily disabled while SSL handshaking to upstream, client: 162.158.102.195, server: www.example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://104.27.160.145:443/", host: "www.example.com", referrer: "https://www.example.com/forum/"
2017/05/12 05:15:01 [error] 5478#5478: *24473 connect() to [2400:cb00:2048:1::681b:a091]:443 failed (101: Network is unreachable) while connecting to upstream, client: 162.158.102.195, server: www.example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://[2400:cb00:2048:1::681b:a091]:443/", host: "www.example.com", referrer: "https://www.example.com/forum/"
2017/05/12 05:15:01 [warn] 5478#5478: *24473 upstream server temporarily disabled while connecting to upstream, client: 162.158.102.195, server: www.example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://[2400:cb00:2048:1::681b:a091]:443/", host: "www.example.com", referrer: "https://www.example.com/forum/"

I appreciate any thoughts on how to fix the 502 error on www.example.com/forum/
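The error log above shows the www droplet's nginx dialing the addresses that public DNS returns for forum.example.com (Cloudflare edge addresses, including IPv6 the droplet cannot route), with no SNI and with the Host header still set to www.example.com, and never verifying the upstream certificate. The following is an added example and not part of the original post or the linked guide: the posted /forum location beside a hardened variant that pins the origin, sends SNI, verifies the origin certificate and forwards the forum's own Host. ORIGIN_IP_PLACEHOLDER and the CA bundle path are assumptions to be replaced with the forum droplet's real address and the local CA file.

```nginx
# Added example, not the poster's own configuration.
# Assumptions: the forum droplet is reachable directly at ORIGIN_IP_PLACEHOLDER
# over IPv4, and its certificate chains to the bundle named below.

# Posted form (weak): public DNS picks the upstream, no SNI, wrong Host,
# upstream certificate never checked.
#
#   location /forum {
#       rewrite ^/forum/(.*) /$1 break;
#       proxy_pass https://forum.example.com:443;
#       proxy_set_header Host $http_host;
#   }

# Hardened form. The upstream block belongs in the http context; the
# location goes into the www.example.com server block (the included
# /etc/nginx/conf.d/location file in the post).
upstream forum_origin {
    server ORIGIN_IP_PLACEHOLDER:443;   # assumption: forum droplet IPv4
}

location /forum/ {
    proxy_pass https://forum_origin/;   # trailing slash drops the /forum/ prefix

    # TLS towards the origin: send SNI and verify the certificate, so a
    # spoofed or misrouted upstream cannot answer for the forum.
    proxy_ssl_server_name on;
    proxy_ssl_name forum.example.com;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;           # leaf plus one intermediate
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumption
    proxy_ssl_protocols TLSv1.2;

    # The origin vhost matches on forum.example.com, not on www.example.com;
    # keep the public name and prefix visible through X-Forwarded-* only.
    proxy_set_header Host forum.example.com;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Map redirects issued by the forum back under the subfolder.
    proxy_redirect https://forum.example.com/ /forum/;

    # Discourse uses websockets for message bus; keep upgrade working.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
```

After reloading, the error log should no longer show 2400:cb00::/32 or 104.x.x.x upstreams for /forum/ requests; a remaining SSL_do_handshake failure would then point at the origin certificate not matching forum.example.com or not chaining to the configured bundle.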


(John Wright) #2

anybody able to help?