That also makes no sense to me either. However, I got that from @Sergiz in this topic. I removed it from my /etc/nginx/conf.d/discourse.conf and it works, so I suppose that was a redundant line?
Anyway, I think I got it working. However, I'm not really sure if I'm doing everything right, so I'm sharing it here for future reference. My Discourse is running with VestaCP on CentOS 7, which I managed to configure here.
To make it work with HTTPS, I changed the following files, thanks to @fefrei and @riking:
1- /etc/nginx/conf.d/discourse.conf:

    server {
        listen 185.51.200.214:80;
        server_name talk.zabanshenas.com;
        # Let's Encrypt HTTP-01 challenges are served straight from disk
        location /.well-known/acme-challenge/ {
            root /home/admin/web/talk.zabanshenas.com/public_html;
        }
        # everything else goes to the Discourse container's unix socket
        location / {
            proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
            proxy_http_version 1.1;
        }
    }
    server {
        listen 185.51.200.214:443 http2 ssl;
        server_name talk.zabanshenas.com; # <-- change this
        ssl on; # redundant with "listen ... ssl" on current nginx versions
        ssl_certificate /etc/letsencrypt/live/talk.zabanshenas.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/talk.zabanshenas.com/privkey.pem;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1 and TLSv1.1 are legacy; keep only if old clients need them
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        add_header Strict-Transport-Security "max-age=63072000;";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        ssl_stapling on;
        ssl_stapling_verify on;
        client_max_body_size 0;
        location / {
            proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
            proxy_set_header Host $http_host;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # tells Discourse the client connection is TLS, so it generates https links
            proxy_set_header X-Forwarded-Proto https;
        }
    }
2- /home/admin/conf/web/snginx.conf:

    server {
        listen 185.51.200.214:443 http2 ssl;
        server_name talk.zabanshenas.com;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/talk.zabanshenas.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/talk.zabanshenas.com/privkey.pem;
        error_log /var/log/httpd/domains/talk.zabanshenas.com.error.log error;
        location / {
            # VestaCP default: nginx fronts Apache, which listens on 8443
            proxy_pass https://185.51.200.214:8443;
            location ~* ^.+\.(jpg|jpeg|gif|png|ico|svg|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|odt|ods|odp|odf|tar|wav|bmp|rtf|js|mp3|avi|mpeg|flv|html|htm)$ {
                root /home/admin/web/talk.zabanshenas.com/public_html;
                access_log /var/log/httpd/domains/talk.zabanshenas.com.log combined;
                access_log /var/log/httpd/domains/talk.zabanshenas.com.bytes bytes;
                expires max;
                try_files $uri @fallback;
            }
        }
        location /error/ {
            alias /home/admin/web/talk.zabanshenas.com/document_errors/;
        }
        location @fallback {
            proxy_pass https://185.51.200.214:8443;
        }
        # never expose VCS metadata or .htaccess files
        location ~ /\.ht {return 404;}
        location ~ /\.svn/ {return 404;}
        location ~ /\.git/ {return 404;}
        location ~ /\.hg/ {return 404;}
        location ~ /\.bzr/ {return 404;}
        include /home/admin/conf/web/snginx.talk.zabanshenas.com.conf*;
    }
3- /home/admin/conf/web/shttpd.conf:

    <VirtualHost 185.51.200.214:8443>
        ServerName talk.zabanshenas.com
        ServerAlias www.talk.zabanshenas.com
        ServerAdmin info@talk.zabanshenas.com
        DocumentRoot /home/admin/web/talk.zabanshenas.com/public_html
        ScriptAlias /cgi-bin/ /home/admin/web/talk.zabanshenas.com/cgi-bin/
        Alias /vstats/ /home/admin/web/talk.zabanshenas.com/stats/
        Alias /error/ /home/admin/web/talk.zabanshenas.com/document_errors/
        #SuexecUserGroup admin admin
        CustomLog /var/log/httpd/domains/talk.zabanshenas.com.bytes bytes
        CustomLog /var/log/httpd/domains/talk.zabanshenas.com.log combined
        ErrorLog /var/log/httpd/domains/talk.zabanshenas.com.error.log
        <Directory /home/admin/web/talk.zabanshenas.com/public_html>
            AllowOverride All
            SSLRequireSSL
            Options +Includes -Indexes +ExecCGI
            php_admin_value open_basedir /home/admin/web/talk.zabanshenas.com/public_html:/home/admin/tmp
            php_admin_value upload_tmp_dir /home/admin/tmp
            php_admin_value session.save_path /home/admin/tmp
        </Directory>
        <Directory /home/admin/web/talk.zabanshenas.com/stats>
            AllowOverride All
        </Directory>
        <IfModule mod_ruid2.c>
            RMode config
            RUidGid admin admin
            RGroups apache
        </IfModule>
        <IfModule itk.c>
            AssignUserID admin admin
        </IfModule>
        IncludeOptional /home/admin/conf/web/shttpd.talk.zabanshenas.com.conf*
    </VirtualHost>
Now normally, I should put the following in the shttpd.conf:

    SSLEngine on
    SSLVerifyClient none
    # Apache directives take no trailing ';' (that is nginx syntax); with a ';'
    # httpd looks for a file literally named "cert.pem;"
    SSLCertificateFile /etc/letsencrypt/live/talk.zabanshenas.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/talk.zabanshenas.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/talk.zabanshenas.com/chain.pem
However, when I added that and restarted httpd, it gave an error saying that cert.pem was missing, while it was obviously there. So I removed all of these lines and restarted httpd, and it worked. So at this point, I don't know if I'm doing something wrong.
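As an added example (not from the original post, and not part of Discourse or VestaCP), here is a small linter that reviews the two kinds of config shown above: an nginx TLS-terminating proxy block and an Apache VirtualHost snippet. It reports the points a reviewer would raise on a setup like this one: legacy TLS versions in `ssl_protocols`, the deprecated `ssl on`, a TLS server block without an HSTS header, a proxied location that does not pass `X-Forwarded-Proto https` to the backend, and Apache certificate directives carrying an nginx-style trailing `;`. The sample configs embedded below are constructed; the hostname `forum.example.test` and the address `203.0.113.10` are placeholders, and the parser is deliberately minimal (no `include` resolution, `#` stripped per line).

```python
"""Added example, not from the original post: a small linter for the two kinds of
config shown above (an nginx TLS-terminating proxy and an Apache VirtualHost).
All sample input below is constructed; hostname and address are placeholders."""
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def strip_comments(text):
    """Drop '#' comments line by line (naive: ignores '#' inside quoted values)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_nginx(text):
    """Parse nginx config into a tree of (name, args, children); children is None
    for a plain directive and a list for a '{ ... }' block."""
    tokens = re.findall(r"'[^']*'|\"[^\"]*\"|[{};]|[^\s{};'\"]+", strip_comments(text))
    pos = 0

    def block():
        nonlocal pos
        items, cur = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                items.append((cur[0], cur[1:], None))
                cur = []
            elif tok == "{":
                items.append((cur[0], cur[1:], block()))
                cur = []
            elif tok == "}":
                break
            else:
                cur.append(tok)
        return items

    return block()


def lint_nginx(text):
    """Return findings for the TLS-related settings of every server block."""
    findings = []

    def walk(items, tls_server):
        for name, args, children in items:
            if name == "server":
                tls = any(n == "listen" and "ssl" in a for n, a, _ in children)
                hsts = any(n == "add_header" and a[:1] == ["Strict-Transport-Security"]
                           for n, a, _ in children)
                if tls and not hsts:
                    findings.append("TLS server block sets no Strict-Transport-Security header")
                walk(children, tls)
            elif name == "ssl" and args == ["on"]:
                findings.append("'ssl on' is deprecated; 'listen ... ssl' already enables TLS")
            elif name == "ssl_protocols":
                weak = sorted(WEAK_PROTOCOLS & set(args))
                if weak:
                    findings.append("ssl_protocols enables legacy versions: " + ", ".join(weak))
            elif name == "location" and children is not None:
                if tls_server and any(n == "proxy_pass" for n, _, _ in children):
                    hdrs = {a[0]: a[1] for n, a, _ in children
                            if n == "proxy_set_header" and len(a) == 2}
                    if hdrs.get("X-Forwarded-Proto") != "https":
                        findings.append("location %s: proxied behind TLS but X-Forwarded-Proto "
                                        "is not set to https" % " ".join(args))
                walk(children, tls_server)
            elif children is not None:
                walk(children, tls_server)

    walk(parse_nginx(text), False)
    return findings


APACHE_CERT_DIRECTIVE = re.compile(r"^(SSLCertificate\w*File|SSLCACertificate\w*)\s+(\S+)")


def lint_apache(text):
    """Flag certificate-path directives with an nginx-style trailing ';'
    (httpd treats the ';' as part of the filename and then cannot find the file)."""
    findings = []
    for line in text.splitlines():
        m = APACHE_CERT_DIRECTIVE.match(line.strip())
        if m and m.group(2).endswith(";"):
            findings.append("%s: '%s' ends with ';' (nginx syntax, not Apache)" % m.groups())
    return findings


# Constructed sample input: a TLS proxy block with the issues the linter looks for.
SAMPLE_NGINX = """
server {
    listen 203.0.113.10:443 http2 ssl;
    server_name forum.example.test;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=63072000;";
    location / {
        proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
    }
    location /uploads/ {  # constructed: forgets to tell the backend the scheme
        proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
    }
}
"""

# Constructed sample input: two of the three paths carry a stray ';'.
SAMPLE_APACHE = """
<VirtualHost 203.0.113.10:8443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/forum.example.test/cert.pem;
    SSLCertificateKeyFile /etc/letsencrypt/live/forum.example.test/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/forum.example.test/chain.pem;
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in lint_nginx(SAMPLE_NGINX) + lint_apache(SAMPLE_APACHE):
        print("-", finding)
```

Run it against a real file with `lint_nginx(open("/etc/nginx/conf.d/discourse.conf").read())`; the Apache check is what would have caught the `cert.pem;` problem described above before restarting httpd.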