Avatar, Site Logos, and Cert Errors

markcichy · May 25, 2020, 2:55pm

Okay. Thanks for comments.

Here is my Nginx server block, FYI:

server {
# ssl
listen 443 ssl http2;
listen [::]:443 ssl http2;
   server_name discourse.mobiusnode.io;

   location / {
           #http trafic
           proxy_pass http://192.168.86.108;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header Host $http_host;
           proxy_http_version 1.1;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto https;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "upgrade";

   }
ssl on;
ssl_certificate /path/to/certificate/domain.io/fullchain.pem; # managed by Certbot
ssl_certificate_key /path/to/certificate/domain.io/privkey.pem; # managed by Certbot

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

add_header Strict-Transport-Security "max-age=63072000;";
ssl_stapling on;
ssl_stapling_verify on;

client_max_body_size 0;

}

server {
if ($host = discourse.mobiusnode.io) {
return 301 https://$host$request_uri;
} # managed by Certbot

listen 80;
listen [::]:80;

server_name discourse.mobiusnode.io;
return 404; # managed by Certbot

}

markcichy · May 25, 2020, 2:59pm

The behaviour I am experience is under those conditions above.

Beginning of app.yml looks like this:

## this is the all-in-one, standalone Discourse Docker container template
##
## After making changes to this file, you MUST rebuild
## /var/discourse/launcher rebuild app
##
## BE *VERY* CAREFUL WHEN EDITING!
## YAML FILES ARE SUPER SUPER SENSITIVE TO MISTAKES IN WHITESPACE OR ALIGNMENT!
## visit http://www.yamllint.com/ to validate this file as needed

templates:
- "templates/postgres.template.yml"
- "templates/redis.template.yml"
- "templates/web.template.yml"
- "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
#- "templates/web.ssl.template.yml"
#- "templates/web.letsencrypt.ssl.template.yml"

## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
expose:
- "80:80" # http
- "443:443" # https

params:
db_default_text_search_config: "pg_catalog.english"

## Set db_shared_buffers to a max of 25% of the total memory.
## will be set automatically by bootstrap based on detected RAM, or you can override
db_shared_buffers: "1024MB"

## can improve sorting performance, but adds memory usage per-connection
#db_work_mem: "40MB"

## Which Git revision should this container use? (default: tests-passed)
#version: tests-passed

RGJ · May 25, 2020, 3:02pm

You are connecting to port 80 on the second nginx, so it thinks you’re connecting to http and not https.

Try to find the X-Forwarded-Proto in the inner nginx and change proxy_set_header X-Forwarded-Proto $thescheme; to proxy_set_header X-Forwarded-Proto https;

or forward your traffic to https proxy_pass https://192.168.86.108

itsbhanusharma · May 25, 2020, 3:02pm

This part needs to be changed

rossierd · May 25, 2020, 5:49pm

What does the log/production.log (in the running docker) say when you try to log in with failure (hence with force_https=true) ?

markcichy · May 25, 2020, 5:38pm

@RGJ – I like your solution! Do I force-https with the last suggestion? RE proxy_pass https.
EDIT: I get a 502 if all I do is use proxy_pass https://192.168.86.108
EDIT2: I concealed 80 on Discourse via app.yml and it was still broke–I just re-read your post, does the Discourse container possess it’s own instance of Nginx? So, in effect, I am passing a proxy to a proxy? Sorry, I am really confused at this point.

markcichy · May 25, 2020, 5:31pm

@itsbhanusharma do I comment out 80:80 #http and use @RGJ’s advise to proxy_pass https?

Stephen · May 25, 2020, 5:51pm

Why aren’t you following the supported process for multisite here? You’re effectively reinventing a very fragile wheel.

markcichy · May 25, 2020, 5:53pm

So many links have been provided now, @Stephen-- that I am at a loss to make sense of it all. I thought I was following supported processes. Are the comments above not supported?

Stephen · May 25, 2020, 5:56pm

Yes because you weren’t using force_https, hence the #unsupported-install tag above. If you deviate from a supportable track then you won’t receive much assistance.

Start here:

There’s a separate guide to handle SSL encapsulation with multisite.

markcichy · May 25, 2020, 5:58pm

So, does the standard container only run http? How is what I am trying to do multi-site? I’m not attempting to host multiple domains? I have a single domain. Can you please clarify how that addresses my issue?

Stephen · May 25, 2020, 6:05pm

What did you mean by:

I’ve setup Discourse servers in a about 5 instances now and all seem to be exhibiting odd behaviour; not sure if it is indeed a Bug or if anyone else has experience same.

markcichy · May 25, 2020, 6:06pm

Independent infrastructures, not in anyway connected to one another.
But all with very similar settings as per above.

Stephen · May 25, 2020, 6:09pm

So why is nginx proxying the host at all? What else is happening on the machines?

markcichy · May 25, 2020, 6:16pm

We have several VM’s that are not exposed externally, the traffic is routed through the proxy (is exposed externally), to the Discourse VM internally. Similar situation in each of the separate installs. Does that clarify?

Stephen · May 25, 2020, 6:19pm

Not really, but one way or another this is technical pain you’re just going to have to live with. It’s impossible to comment on whether there’s a better approach when the use case and topology is so ambiguous.

markcichy · May 25, 2020, 6:33pm

I believe the right *mix of solutions was as follows:

As per @itsbhanusharma:
EDIT /var/discourse/containers/app.yml and amend ports to some custom, I used:

- "8080:80" #http
- "4343:443" #https

Did a ./launcher rebuild app

I then modified our externally accessible proxy to forward requests on 80/443 to http://internal_ip:8080

After a sudo nginx -t and sudo systemctl restart nginx I logged into https://discourse.mobiusnode.io server (which was still exhibiting the issues above) and enabled force_https, at which point it appears all is working.

I am now going to reproduce this on the remaining servers/infrastructures.

markcichy · May 25, 2020, 6:37pm

Attached is an icognito window of login to site with SSL key active, images, appear, etc.

itsbhanusharma · May 25, 2020, 6:38pm

Just to be clear, this isn’t what I suggested.

I only asked you to expose port 80 on a local IP and terminate ssl on your reverse proxy.

markcichy · May 25, 2020, 6:41pm

So, to not use SSL on my externally facing proxy but rather forward plain http requests onto Discourse server and allow force_https to handle those requests? How does the cert then get passed? Via the first the Nginx instance? This is where things break down for me.