Installation on v-server as a subfolder with other services in subfolders using apache

#21

That was easy. Thanks again :smiley:

It seems it is working great now, the last part is to enable ssl. As I see it, I need to

  1. change /etc/nginx/conf.d/discourse.conf as described in the howto on Running other websites on the same machine as Discourse.

  2. Put my ssl certificate files into /var/discourse/shared/standalone/ssl/ and change the file names according to the howto

  3. ? Is that it, or do I also need to make changes to nginx.conf and/or nginx/conf.d/discourse.conf?

(Felix Freiberger) #22

My recommendation would be:

  1. Change your current server block to be the block for SSL.
  2. Make a new server block that redirects all HTTP requests to HTTPS.

For reference, here is such a redirect block:

server {
        listen 80;
        server_name domain.com;
        return 301 https://$host$request_uri;
}

Here’s what the SSL configuration could look like:

server {
        listen 443 ssl;
        server_name domain.com;

        ssl_certificate /etc/ssl/certs/cert.crt;
        ssl_trusted_certificate /etc/ssl/certs/cert.crt;
        ssl_certificate_key /etc/ssl/private/cert.key;

        ssl_ciphers "AES256+EECDH";
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        add_header Strict-Transport-Security "max-age=63072000;";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        ssl_stapling on;
        ssl_stapling_verify on;

        client_max_body_size 20m;

        location / {
                proxy_pass http://unix:/var/discourse/shared/vorkurs/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                # proxy_redirect http://vorkurs-discourse.cs.uni-saarland.de/ https://vorkurs-discourse.cs.uni-saarland.de/;
        }
}

Watch out: My example enables HSTS. If your site goes live with this configuration, visitors that have seen it will refuse to use http for up to 2 years.

#23

Ok, your last warning made me rather try the SSL config from the howto on running other websites on the same machine as Discourse.

I have a partial success: when I enter the old http domain, it routes me to the https site and shows the correct certificate. But there is no discourse, only a bad gateway (502).

Also, I had to stop apache2 for enabling the new nginx config, probably because apache2 was still listening on port 443. So now I assume I have to change the port in the apache config that listens to SSL to another port, to which nginx needs to forward requests to subfolders it cannot find. How do I configure nginx to do this?

EDIT: Reading through the SSL tutorial again reminded me I needed to add the “templates/web.ssl.template.yml” which I deleted before. Rebuilding took forever, because of “Generating DH parameters” - but in the end, still the same result (bad gateway). I bet I forgot to enable SSL in some config file…

(Felix Freiberger) #24

You don’t actually need that, as you want the outer nginx to handle SSL, not Discourse’s internal nginx instance.

If my HSTS remark scared you off, you can just comment out the line that sets Strict-Transport-Security or decrease the number there to a low number of seconds.

#25

Ah, I see. I will try with your config and “add_header Strict-Transport-Security "max-age=60;";” then. Restarting nginx gave me complaints about the cert now, so I am rebuilding the app again without the web.ssl.template.yml. Another 6 long minutes…

Is it correct that, for the same reason, I do not need to expose port 443 within the app.yml, because all the port handling happens outside of the container, or could there be an error? I deleted the lines “expose: - "80:80"” and “expose: - "443:443"” and added “templates/web.socketed.template.yml” instead (as explained in the howto on running other websites on the same machine as Discourse).

#26

No improvement :frowning:
The rebuild was unnecessary I guess, I should have adjusted the certificate paths. Now nginx starts correctly again, but still bad gateway on every domain and subfolder.
Do I need to configure SSL within my nginx sites enabled? Because that I haven’t done yet…

(Felix Freiberger) #27

Yes, that sounds right. You want the Discourse (and its inner nginx instance) to simply listen to normal HTTP traffic on the socket, all handling of HTTPS (and sorting traffic between Discourse and Apache) is handled by the outer nginx.

(The configurations I posted above are slightly cleaned up versions of what I run in production.)

(Felix Freiberger) #28

I’m a bit surprised by that. As long as you took the original port-80-configuration block and simply changed the port to 443 and added the relevant SSL options, nothing in the routing should change, i.e. you should see the same behavior, just over HTTPS instead of HTTP.

#29

I think I got it. Embarrassing to say, but I missed that one path in your redirect block needed adjustment to my setup:
proxy_pass http://unix:/var/discourse/shared/vorkurs/nginx.http.sock:; must be
proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
for me and it works… I have a secure discourse setup :smile:

But how do I forward the subfolders from my owncloud and dokuwiki to the apache?

(Felix Freiberger) #30

Oops, I forgot to clean up that path :slightly_smiling:

As the other paths are on the same hostname as far as I understand, you want to add blocks like this to the same server block:

        location /example/ {
                proxy_pass http://localhost:8080/example/;
                proxy_redirect http://domain.com/example/ https://domain.com/example/;
                proxy_redirect http://domain.com:8080/example/ https://domain.com/example/;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        }

You may have to experiment with these a bit, especially the proxy_redirect ones. You can read up details in the nginx documentation.

#31

Ok, I need to send requests that went to

https://domain.com/owncloud
http://domain.com/owncloud

on to the apache, I configured ports.conf as follows:

NameVirtualHost 127.0.0.1:8080
Listen 127.0.0.1:8080

so it listens on port 8080 (and only on that, because nginx will not start if apache blocks a port that nginx wants to use).

In the nginx sites-enabled I added the following location part

    location /owncloud/ {
            proxy_pass http://localhost:8080/owncloud/;
            proxy_redirect http://domain.com/owncloud/ https://domain.com/owncloud/;
            proxy_redirect http://domain.com:8080/owncloud/ https://domain.com/owncloud/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
    }

but https://domain.com/owncloud and http://domain.com/owncloud still send me to a discourse site saying the site is not available…

(Felix Freiberger) #32

Did you make sure that the location-block sending traffic to Discourse only matches the subfolder Discourse is running in?

#33

That sounds like a good source of error for my problem. But if that is what the location part from the howto on Running other websites on the same machine as Discourse does, it is included:

location /forum/ {
  proxy_pass https://unix:/var/discourse/shared/standalone/nginx.https.sock:;
  proxy_set_header Host $http_host;
  proxy_http_version 1.1;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
} 

is it correct to put the discourse subfolder into the first line? It is not in the howto, but it isn’t meant for subfolder config…

#34

…included in the domain config within the nginx sites-enabled, not in the nginx/conf.d/discourse.conf. Replacing the locations part there with the one mentioned above leads to 404 and 502 all over…

(Felix Freiberger) #35

Hm, not good. Your configuration is probably too specific to debug this remotely, so here is some more general advice:

  • You absolutely must configure your nginx to only route /forum/ traffic to Discourse, or it will – surprise – route all traffic to Discourse.
  • Because you followed the subfolder tutorial, Discourse now expects all requests to go to /forum/somewhere. Therefore, the outer nginx must not strip the /forum from the request, or Discourse will rightfully respond with 404 errors.
  • You can configure nginx to create quite extensive logs, which is key when debugging complex configurations :slight_smile:

Also, your proxy_pass directive above looks fishy: nginx should speak HTTP to Discourse, not HTTPS.
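
A sketch of an outer nginx configuration that follows the three points above, as an added example that is not part of the original thread. The socket path, port 8080, certificate paths and the /forum/ and /owncloud/ prefixes are taken from earlier posts; the log format name, the log file paths and the catch-all `location /` are assumptions made for illustration.

```nginx
# http context: log which upstream answered each request, so that
# misrouted paths show up in the access log. Format name is assumed.
log_format upstream_debug '$remote_addr "$request" $status '
                          'upstream=$upstream_addr ($upstream_status)';

server {
        listen 443 ssl;
        server_name domain.com;

        ssl_certificate     /etc/ssl/certs/cert.crt;
        ssl_certificate_key /etc/ssl/private/cert.key;

        # Log file paths are assumed; "info" makes the error log more verbose.
        access_log /var/log/nginx/domain.access.log upstream_debug;
        error_log  /var/log/nginx/domain.error.log info;

        # Only /forum/ goes to Discourse. proxy_pass carries no URI after the
        # socket, so nginx passes the request URI on unchanged and /forum is
        # not stripped. The scheme is http: TLS ends at this outer nginx.
        location /forum/ {
                proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Apache on the loopback port. Here proxy_pass has a URI, which
        # replaces the matched prefix; both are /owncloud/, so the path
        # reaches Apache unchanged.
        location /owncloud/ {
                proxy_pass http://localhost:8080/owncloud/;
                proxy_redirect http://domain.com/owncloud/ https://domain.com/owncloud/;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Assumed catch-all: unknown paths get a 404 from the outer nginx
        # instead of being handed to Discourse.
        location / {
                return 404;
        }
}
```

With this log format, a request for /owncloud/ that is answered by the Discourse socket shows the socket path in the `upstream=` field, which points directly at the location block that matched.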

#36

Ok, you are right, it has already become quite specific…

Thanks a lot for your patience and walking me through to this point. I will try to figure out the rest and hopefully get back to this thread with a positive result.

Thanks again for your effort, I got the main part working thanks to you and I learned a lot, which is worth even more to me :smiley:

#37

Sweet, it works now - all perfect :sunglasses:

One remaining problem was proxy_pass needed to be
https://localhost:8080/subfolder instead of
http://localhost:8080/subfolder

And there was an apache misconfiguration (rewrite rules that enforced https before, which is now handled by nginx)

fefrei, I would not have gotten near this far without your patient help, thank you very much!

(Felix Freiberger) #38

Thanks for reporting back!

If you want, you can post a cleaned-up version of your configuration here, in case someone else has a similar setup. :slight_smile:

#39

Of course, that’s a good idea and the least I can do!

I attached the files to this post, because the format seems to get broken by some characters inside the files. The ending .txt must of course be deleted, but I needed to add this to be allowed to upload the files here… and the capitalized parts of the code need to be changed to the individual system.

I think all the changes I made were in these files:

I hope this might help someone someday :wink:

Cheers!

(Ben) #40

Here is a solution how it works with nginx. http://www.benjaminroesner.com/blog/install-discourse-with-docker-in-subfolder-with-ssl-and-serve-other-content-under-the-same-domain/