Difference between socket- and port-based connection to outer NGINX?

(Christoph) #1

If I understand things correctly there are two ways of configuring your discourse instance behind an NGINX server:

  1. with a socket connection (as described here)
  2. by exposing some port of the container and telling the outer NGINX to forward traffic for discourse to that port (as suggested here and here).

Since the how-to here on meta uses the socket method, I suppose that is the preferred method. But what exactly are the benefits compared to the port-method?

I can’t seem to get the the socket version to work even though I followed the instructions here. I just get ERR_CONNECTION_REFUSED when trying to access the discourse subdomain. Other webpages served by the same NGINX are working fine.

(Matt Palmer) #2

UNIX sockets (as opposed to TCP sockets) are faster and more efficient, and less prone to accidental disclosure to places you don’t want connections coming from. A misconfiguration can potentially cause a listening TCP socket to be exposed to the Internet, whereas there’s absolutely no way you can make a mistake such that a UNIX socket is exposed directly to the Internet.

(Christoph) #3

OK, so I’ll continue trying the UNIX socket. What would be some steps for trouble shooting why a UNIX socket is not working? (I already have the default_server listening on port 81 for the time being, just to have it out of the way)

(Lutz Biermann) #4

I think there is a typo in the tutorial. At the end of the first line is a colon too much. Don’t forget to rebuild!

For https installations It should be:

        proxy_pass              http://unix:/var/discourse/shared/standalone/nginx.http.sock;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        Host $host;
        proxy_http_version      1.1;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto "https";

Remove the last line if you do not use https. If this does not work, please type the following at the console and show us the result:

ls -al /var/discourse/shared/standalone/nginx.http.sock
updatedb && locate nginx.http.sock

If “locate” ist not found, you can install it:

apt-get install locate

Discourse socketed: Nginx in front of discourse: no IP adresses
(Christoph) #5

I already tried both with and without the extra colon. But good to know that it should definitely be without the colon. Regarding rebuild: this is the config for the outer NGINX, so I don’t see why a rebuilt would be necessary. Or did I miss something? Or do you mean restart the NGINX?

I am on http for the moment, just to avoid any additional sources of error. This is my discourse.conf:

server {
    listen 80; listen [::]:80;
    server_name test.mydomain.com;

location / {
    proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
    proxy_set_header Host $http_host;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

ls -al /var/discourse/shared/standalone/nginx.http.sock gives me
srw-rw-rw- 1 root root 0 Mar 29 02:53 /var/discourse/shared/standalone/nginx.http.sock

sudo updatedb && locate nginx.http.sockgives me (after quite a bit of delay)

(Kai Liu) #6

You need to put the whole location block inside the server block.

(Christoph) #7

Opps, how embarassing. :dizzy_face: But also interesting that sudo nginx -t did not complain about the extra }.

Unfortunately, however, that was apparently not the only problem as I still get ERR_CONNECTION_REFUSED :frowning:

(Kai Liu) #8

Where did you get this ERR_CONNECTION_REFUSED error? On a client machine? If so then your nginx is just not listening on port 80.

(Christoph) #9

Yes, the error is on a client machine. Okay, then I suspect the problem is with my /etc/nginx/sites-available/default. For the time being I set it to listen to port 81:

server {
        listen 81 default_server;
        listen [::]:81 default_server;
        server_name 88.99.**.** mydomain.net www.mydomain.net;

In my mind, this should imply that /etc/nginx/sites-available/default will not interfere with the settings in discourse.conf and indeed: if I change the defauklt server to port 80, I get the BGINX welcome page instead of ERR_CONNECTION_REFUSED.

So maybe my discourse.conf is simply not being included in the nginx.conf? That would also explain why NGINX din’t complain about the extra }… And indeed, I had my discourse.conf in the wrong path (sites-available instead of sites-enabled).

But when I fixed that, I saw the NGINX welcome page even when calling test.mydomain.net. So, for lack of other ideas, I tried starting the conainer but uit said it was already started. So I stopped and re-started it and now I’m getting 502 bad gateway.

So I did a cleanup based on this suggestion (plus a stop and restart of the container) and tada it is finally working. :tada:

So, to draw some lessons from this that might be useful for others: what puzzles me is how exactly the container interacts with the outer NGINX. As I indicated earlier, I was assuming that they are two separate entities that are merely linked in that they are sending packets back and forth between them. In other words: changes in the NGINX-configuration will not affect the container at all, as long as those packets are still sent back and forth. But now it looks like the container “fixed itself” after I fixed the outer NGINX?!?

Or maybe this is just a combination of several independent issues? In other words: if I had done a container cleanup earlier, and then fixed the outer NGINX, the result would have been the same?