Installation on v-server as a subfolder with other services in subfolders using apache

Sure, I pasted it here: http://pastebin.com/i7E4m8y7

For privacy reasons I changed the following info to default:
DISCOURSE_DEVELOPER_EMAILS
DISCOURSE_HOSTNAME

and deleted the mail server info (but that part worked during my first attempt without the right subfolder configuration).

Thanks for looking into it!

There seems to be a whitespace missing in the pasted code at the beginning of line 17.
I just thought that’s it, but it seems correct (two whitespace) in my local file…

That’s highly suspicious. Are you 100% certain that these are two spaces, not a single tab?

As sure as I can get, which would never be 100% though…

To confirm again, I edited the file with Notepad++ on my local machine, deleting the two whitespaces and the linebreak, hitting enter and adding two whitespaces manually. Another copy to pastebin has the same result: http://pastebin.com/rYPc5xSg

At last, I edited the file on the server the same way, using nano, copy from there to pastebin: same strange result: http://pastebin.com/MBVPXkV5

Definitely highly suspicious, but I am out of ideas…

The last two lines of your file are not indented correctly, compared to the other parts of the run: section.

2 Likes

That was it! It works. Thank you so much!

The activation link still starts with “http://http://…”, could this be caused by discourse.conf in the nginx/conf.d? I copied it from the howto on Running other websites on the same machine as Discourse, only altering the server_name.

Or could this be caused by my nginx “sites-enabled”? The “location ~ .php$” part ended up being a mix of “How To Configure Nginx as a Reverse Proxy for Apache” (DigitalOcean) and “Running other websites on the same machine as Discourse”:

location ~ \.php$ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

1 Like

Ah, I didn’t catch that before:

DISCOURSE_HOSTNAME: 'http://domain.com'

That’s wrong, you should only include the hostname itself, i.e. domain.com.

2 Likes
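The app.yml mistakes raised so far in this thread (a tab in the indentation, run: items not aligned with their siblings, a scheme in DISCOURSE_HOSTNAME) can be checked before a rebuild. The following is an added example, not part of the thread or of Discourse; the sample file and the function name lint_app_yml are constructed for illustration.

```python
import re

# Constructed sample shaped like a Discourse app.yml (not the poster's file).
SAMPLE = """\
env:
  DISCOURSE_HOSTNAME: 'http://domain.com'
run:
  - exec: echo "Beginning of custom commands"
  - replace:
      filename: /etc/nginx/conf.d/discourse.conf
\t- exec: echo "tab-indented item"
- exec: echo "End of custom commands"
"""

def lint_app_yml(text):
    """Return (line_number, message) pairs; a heuristic check, not a YAML parser."""
    findings = []
    section = None       # current top-level key, e.g. "run"
    item_indent = None   # indentation of the first list item in that section
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        lead = line[: len(line) - len(stripped)]
        if "\t" in lead:
            findings.append((no, "tab in indentation; YAML allows spaces only"))
            continue
        top = re.match(r"([A-Za-z_]\w*):\s*$", line)
        if top:
            section, item_indent = top.group(1), None
            continue
        if stripped.startswith("- ") and section:
            if item_indent is None:
                item_indent = len(lead)
            elif len(lead) < item_indent:
                findings.append((no, f"item under '{section}:' is indented "
                                     f"{len(lead)} spaces, its siblings {item_indent}"))
        host = re.match(r"\s*DISCOURSE_HOSTNAME:\s*['\"]?([^'\"\s]+)", line)
        if host and "://" in host.group(1):
            findings.append((no, "DISCOURSE_HOSTNAME has a scheme; use the bare hostname"))
    return findings

if __name__ == "__main__":
    for no, message in lint_app_yml(SAMPLE):
        print(f"line {no}: {message}")
```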

That was easy. Thanks again :smiley:

It seems it is working great now, the last part is to enable ssl. As I see it, I need to

  1. change /etc/nginx/conf.d/discourse.conf as described in the howto on Running other websites on the same machine as Discourse.

  2. Put my ssl certificate files into /var/discourse/shared/standalone/ssl/ and change the file names according to the howto

  3. ? Is that it, or do I also need to make changes to nginx.conf and/or nginx/conf.d/discourse.conf?

My recommendation would be:

  1. Change your current server block to be the block for SSL.
  2. Make a new server block that redirects all HTTP requests to HTTPs.

For reference, here is such a redirect block:

server {
        listen 80;
        server_name domain.com;
        return 301 https://$host$request_uri;
}

Here’s what the SSL configuration could look like:

server {
        listen 443 ssl;
        server_name domain.com;

        ssl_certificate /etc/ssl/certs/cert.crt;
        ssl_trusted_certificate /etc/ssl/certs/cert.crt;
        ssl_certificate_key /etc/ssl/private/cert.key;

        ssl_ciphers "AES256+EECDH";
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        add_header Strict-Transport-Security "max-age=63072000;";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        ssl_stapling on;
        ssl_stapling_verify on;

        client_max_body_size 20m;

        location / {
                proxy_pass http://unix:/var/discourse/shared/vorkurs/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                # proxy_redirect http://vorkurs-discourse.cs.uni-saarland.de/ https://vorkurs-discourse.cs.uni-saarland.de/;
        }
}

Watch out: My example enables HSTS. If your site goes live with this configuration, visitors that have seen it will refuse to use http for up to 2 years.

1 Like
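An added example (not from the thread and not the poster's tooling): a small audit of the two server blocks above that reports protocol versions since deprecated by RFC 8996, converts the HSTS max-age into days, and checks that the plaintext block redirects to HTTPS. The function names and the trimmed sample are constructed for illustration.

```python
import re

# The two server blocks posted in this thread, trimmed to the audited directives.
POSTED = """
server {
        listen 80;
        server_name domain.com;
        return 301 https://$host$request_uri;
}
server {
        listen 443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        add_header Strict-Transport-Security "max-age=63072000;";
        location / { proxy_set_header X-Forwarded-Proto $scheme; }
}
"""

DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 deprecated by RFC 8996

def server_blocks(conf):
    """Yield the body of every `server { ... }` block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # comments may contain braces
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Return one dict per server block with the TLS-relevant findings."""
    report = []
    for body in server_blocks(conf):
        listen = " ".join(re.findall(r"\blisten\s+([^;]+);", body))
        protos = " ".join(re.findall(r"\bssl_protocols\s+([^;]+);", body)).split()
        hsts = re.search(r"Strict-Transport-Security[^\n]*?max-age=(\d+)", body)
        report.append({
            "listen": listen,
            "tls": "ssl" in listen.split(),
            "deprecated": sorted(DEPRECATED.intersection(protos)),
            "hsts_days": int(hsts.group(1)) / 86400 if hsts else None,
            "redirects_to_https": bool(re.search(r"\breturn\s+30[1278]\s+https://", body)),
        })
    return report

if __name__ == "__main__":
    for block in audit(POSTED):
        print(block)
```

For the posted SSL block this reports TLSv1 and TLSv1.1 as deprecated and an HSTS lifetime of 730 days, which matches the "up to 2 years" in the warning above.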

Ok, your last warning made me rather try the SSL config from the howto on running other websites on the same machine as Discourse.

I have a partial success: when I enter the old http domain, it routes me to the https site and shows the correct certificate. But there is no discourse, only a bad gateway (502).

Also, I had to stop apache2 for enabling the new nginx config, probably because apache2 was still listening on port 443. So now I assume I have to change the port in the apache config that listens to SSL to another port, to which nginx needs to forward requests to subfolders it cannot find. How do I configure nginx to do this?

EDIT: Reading through the SSL tutorial again reminded me I needed to add the “templates/web.ssl.template.yml” which I deleted before. Rebuilding took forever, because of “Generating DH parameters”, but in the end, still the same result (bad gateway). I bet I missed enabling SSL in some config file…

You don’t actually need that, as you want the outer nginx to handle SSL, not Discourse’s internal nginx instance.

If my HSTS remark scared you off, you can just comment out the line that sets Strict-Transport-Security or decrease the number there to a low number of seconds.

Ah, I see. I will try with your config and “add_header Strict-Transport-Security “max-age=60;”;” then. Restarting nginx gave me complaints about the cert now, so I am rebuilding the app again without the web.ssl.template.yml. Another 6 long minutes…

Is it correct that, for the same reason, I do not need to expose port 443 within the app.yml, because all the port handling happens outside of the container, or could there be an error? I deleted the lines “expose: - "80:80"” “expose: - "443:443"” and added “templates/web.socketed.template.yml” instead (as explained in the howto on running other websites on the same machine as Discourse).

No improvement :frowning:
The rebuild was unnecessary I guess, I should have adjusted the certificate paths. Now nginx starts correctly again, but still bad gateway on every domain and subfolder.
Do I need to configure SSL within my nginx sites enabled? Because that I haven’t done yet…

Yes, that sounds right. You want the Discourse (and its inner nginx instance) to simply listen to normal HTTP traffic on the socket, all handling of HTTPS (and sorting traffic between Discourse and Apache) is handled by the outer nginx.

(The configurations I posted above are slightly cleaned up versions of what I run in production.)

I’m a bit surprised by that. As long as you took the original port-80-configuration block and simply changed the port to 443 and added the relevant SSL options, nothing in the routing should change, i.e. you should see the same behavior, just over HTTPS instead of HTTP.

I think I got it. Embarrassing to say, but I missed that one path in your redirect block needed adjustment to my setup:
proxy_pass http://unix:/var/discourse/shared/vorkurs/nginx.http.sock:; must be
proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
for me and it works… I have a secure discourse setup :smile:

But how do I forward the subfolders from my owncloud and dokuwiki to the apache?

1 Like

Oops, I forgot to clean up that path :slightly_smiling:

As the other paths are on the same hostname as far as I understand, you want to add blocks like this to the same server block:

        location /example/ {
                proxy_pass http://localhost:8080/example/;
                proxy_redirect http://domain.com/example/ https://domain.com/example/;
                proxy_redirect http://domain.com:8080/example/ https://domain.com/example/;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        }

You may have to experiment with these a bit, especially the proxy_redirect ones. You can read up details in the nginx documentation.

Ok, I need to send requests that went to

https://domain.com/owncloud
http://domain.com/owncloud

on to the apache, I configured ports.conf as follows:

NameVirtualHost 127.0.0.1:8080
Listen 127.0.0.1:8080

so it listens on port 8080 (and only on that, because nginx will not start if apache blocks a port that nginx wants to use).

In the nginx sites-enabled I added the following location part

    location /owncloud/ {
            proxy_pass http://localhost:8080/owncloud/;
            proxy_redirect http://domain.com/owncloud/ https://domain.com/owncloud/;
            proxy_redirect http://domain.com:8080/owncloud/ https://domain.com/owncloud/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
    }

but https://domain.com/owncloud and http://domain.com/owncloud still send me to a discourse site saying the site is not available…

Did you make sure that the location-block sending traffic to Discourse only matches the subfolder Discourse is running in?

That sounds like a good source of error for my problem. But if that is what the location part from the howto on Running other websites on the same machine as Discourse does, it is included:

location /forum/ {
  proxy_pass https://unix:/var/discourse/shared/standalone/nginx.https.sock:;
  proxy_set_header Host $http_host;
  proxy_http_version 1.1;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
} 

Is it correct to put the discourse subfolder into the first line? It is not in the howto, but it isn’t meant for subfolder config…
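An added illustration (not from the thread and not nginx's code) of the location selection order given in the nginx documentation, applied to location blocks of the kind posted above. The backend labels and the `^~` variant are assumptions for the demonstration, not a diagnosis of the poster's server.

```python
import re

# Constructed from the location blocks posted in this thread: (modifier, pattern, backend).
# The backend labels are illustrative.
LOCATIONS = [
    ("",  "/forum/",    "discourse"),
    ("",  "/owncloud/", "apache"),
    ("~", r"\.php$",    "discourse"),   # regex block proxying to the Discourse socket
]
# Same set, with the ownCloud prefix marked ^~ so regex locations are skipped for it.
VARIANT = [("^~", p, b) if p == "/owncloud/" else (m, p, b) for m, p, b in LOCATIONS]

def select_location(uri, locations):
    """Choose a location in the order given in the nginx documentation.

    1. an exact (=) match wins at once; 2. the longest matching prefix is
    remembered and is final if it carries ^~; 3. regex locations are tried in
    file order and the first match wins; 4. otherwise the remembered prefix.
    Not modelled: nested and named locations, and the 301 nginx sends for a
    proxied prefix requested without its trailing slash.
    """
    best = None
    for mod, pattern, backend in locations:
        if mod == "=" and uri == pattern:
            return (mod, pattern, backend)
        if mod in ("", "^~") and uri.startswith(pattern):
            if best is None or len(pattern) > len(best[1]):
                best = (mod, pattern, backend)
    if best and best[0] == "^~":
        return best
    for mod, pattern, backend in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pattern, uri, flags):
                return (mod, pattern, backend)
    return best

if __name__ == "__main__":
    for uri in ("/forum/latest", "/owncloud/", "/owncloud/index.php"):
        for name, locs in (("posted", LOCATIONS), ("with ^~", VARIANT)):
            print(f"{uri:22} {name:8} -> {select_location(uri, locs)}")
```

With the plain prefix, a request for /owncloud/index.php is taken by the regex block because regex locations outrank ordinary prefix matches; the URI passed in is the path without the query string.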