by exposing some port of the container and telling the outer NGINX to forward traffic for discourse to that port (as suggested here and here).
Since the how-to here on meta uses the socket method, I suppose that is the preferred method. But what exactly are the benefits compared to the port-method?
I can’t seem to get the the socket version to work even though I followed the instructions here. I just get ERR_CONNECTION_REFUSED when trying to access the discourse subdomain. Other webpages served by the same NGINX are working fine.
UNIX sockets (as opposed to TCP sockets) are faster and more efficient, and less prone to accidental disclosure to places you don’t want connections coming from. A misconfiguration can potentially cause a listening TCP socket to be exposed to the Internet, whereas there’s absolutely no way you can make a mistake such that a UNIX socket is exposed directly to the Internet.
OK, so I’ll continue trying the UNIX socket. What would be some steps for trouble shooting why a UNIX socket is not working? (I already have the default_server listening on port 81 for the time being, just to have it out of the way)
I already tried both with and without the extra colon. But good to know that it should definitely be without the colon. Regarding rebuild: this is the config for the outer NGINX, so I don’t see why a rebuilt would be necessary. Or did I miss something? Or do you mean restart the NGINX?
I am on http for the moment, just to avoid any additional sources of error. This is my discourse.conf:
ls -al /var/discourse/shared/standalone/nginx.http.sock gives me srw-rw-rw- 1 root root 0 Mar 29 02:53 /var/discourse/shared/standalone/nginx.http.sock
sudo updatedb && locate nginx.http.sockgives me (after quite a bit of delay) /var/discourse/shared/standalone/nginx.http.sock
Yes, the error is on a client machine. Okay, then I suspect the problem is with my /etc/nginx/sites-available/default. For the time being I set it to listen to port 81:
In my mind, this should imply that /etc/nginx/sites-available/default will not interfere with the settings in discourse.conf and indeed: if I change the defauklt server to port 80, I get the BGINX welcome page instead of ERR_CONNECTION_REFUSED.
So maybe my discourse.conf is simply not being included in the nginx.conf? That would also explain why NGINX din’t complain about the extra }… And indeed, I had my discourse.conf in the wrong path (sites-available instead of sites-enabled).
But when I fixed that, I saw the NGINX welcome page even when calling test.mydomain.net. So, for lack of other ideas, I tried starting the conainer but uit said it was already started. So I stopped and re-started it and now I’m getting 502 bad gateway.
So I did a cleanup based on this suggestion (plus a stop and restart of the container) and tada it is finally working.
So, to draw some lessons from this that might be useful for others: what puzzles me is how exactly the container interacts with the outer NGINX. As I indicated earlier, I was assuming that they are two separate entities that are merely linked in that they are sending packets back and forth between them. In other words: changes in the NGINX-configuration will not affect the container at all, as long as those packets are still sent back and forth. But now it looks like the container “fixed itself” after I fixed the outer NGINX?!?
Or maybe this is just a combination of several independent issues? In other words: if I had done a container cleanup earlier, and then fixed the outer NGINX, the result would have been the same?
@tophee@Lutz pls give me some advice thx
I have 3 multisite running each of them disable https and run a nginx over the host, nginx.conf is like this.url is 522 error.
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
lua_shared_dict ssl_certs_cache 1m;
init_by_lua_block {
-- Define a funcction to determine which SNI domains to automatically
-- handle and register new certificates for. Defaults to not allowing
-- any domain, so this must be configured.
function allow_domain(domain)
if domain:find("antivte.com$") then
return true
end
return false
end
-- Initialize backend certificate server instance.
cert_server = (require "resty.ssl-cert-server").new({
backend = '127.0.0.1:8999',
allow_domain = allow_domain
})
}
# HTTPS Server
server {
listen 443 ssl;
# Works also with non-default HTTPS port.
listen 8443 ssl;
server_name bbs.antivte.com; # <-- change this
# Dynamic handler for issuing or returning certs for SNI domains.
ssl_certificate_by_lua_block {
cert_server:ssl_certificate()
}
# Fallback certificate required by nginx, self-signed is ok.
# openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
# -subj '/CN=sni-support-required-for-valid-ssl' \
# -keyout /etc/nginx/certs/fallback-self-signed.key \
# -out /etc/nginx/certs/fallback-self-signed.crt
ssl_certificate /etc/nginx/certs/fallback-self-signed.crt;
ssl_certificate_key /etc/nginx/certs/fallback-self-signed.key;
location / {
proxy_pass http://unix:/var/discourse/shared/bbs/nginx.http.sock:;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
}
}
# HTTP Server
server {
listen 80;
server_name bbs.antivte.com; # <-- change this
return 301 https://$host$request_uri;
# Endpoint used for performing domain verification with Let's Encrypt.
location /.well-known/acme-challenge/ {
content_by_lua_block {
cert_server:challenge_server()
}
}
}
# HTTPS Server
server {
listen 443 ssl;
# Works also with non-default HTTPS port.
listen 8443 ssl;
server_name ytb.antivte.com; # <-- change this
# Dynamic handler for issuing or returning certs for SNI domains.
ssl_certificate_by_lua_block {
cert_server:ssl_certificate()
}
# Fallback certificate required by nginx, self-signed is ok.
# openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
# -subj '/CN=sni-support-required-for-valid-ssl' \
# -keyout /etc/nginx/certs/fallback-self-signed.key \
# -out /etc/nginx/certs/fallback-self-signed.crt
ssl_certificate /etc/nginx/certs/fallback-self-signed.crt;
ssl_certificate_key /etc/nginx/certs/fallback-self-signed.key;
location / {
proxy_pass http://unix:/var/discourse/shared/ytb/nginx.http.sock:;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
}
}
# HTTP Server
server {
listen 80;
server_name ytb.antivte.com; # <-- change this
return 301 https://$host$request_uri;
# Endpoint used for performing domain verification with Let's Encrypt.
location /.well-known/acme-challenge/ {
content_by_lua_block {
cert_server:challenge_server()
}
}
}
# HTTPS Server
server {
listen 443 ssl;
# Works also with non-default HTTPS port.
listen 8443 ssl;
server_name cp.antivte.com; # <-- change this
# Dynamic handler for issuing or returning certs for SNI domains.
ssl_certificate_by_lua_block {
cert_server:ssl_certificate()
}
# Fallback certificate required by nginx, self-signed is ok.
# openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
# -subj '/CN=sni-support-required-for-valid-ssl' \
# -keyout /etc/nginx/certs/fallback-self-signed.key \
# -out /etc/nginx/certs/fallback-self-signed.crt
ssl_certificate /etc/nginx/certs/fallback-self-signed.crt;
ssl_certificate_key /etc/nginx/certs/fallback-self-signed.key;
location / {
proxy_pass http://unix:/var/discourse/shared/cp/nginx.http.sock:;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
}
}
# HTTP Server
server {
listen 80;
server_name cp.antivte.com; # <-- change this
return 301 https://$host$request_uri;
# Endpoint used for performing domain verification with Let's Encrypt.
location /.well-known/acme-challenge/ {
content_by_lua_block {
cert_server:challenge_server()
}
}
}
}
Sorry, I can’t help you with this. The first and (almost) last time I looked at the details of NGINX was three years ago, when I set up my forum… And I have no experience with multi-site at all.