Reverse Proxy Into Discourse

I really hate to do something out of the ordinary here. I hate it as much as anyone else, but it’s all I know how to do and how every other self-hosted app I have is running.

I have my wildcard A record pointing to an internal IP on my network which has port 80 and 443 exported by nginx proxy manager, which has my SSL certificates all set up. I have most everything on my existing network setup using Docker, so nginx proxy manager is safe to use because it just uses the Docker network to proxy over HTTP.

In the case of Discourse, I have tried setting up discourse.MYDOMAIN.com to the separate local IP address under a separate A record and got it to resolve; however, how nginx proxy manager has Let's Encrypt set up works and how Discourse has it set up does not for internal IPs.

So… I just want to reverse proxy. I am going to be attempting all sorts of nginx proxy configurations to get this to work. I am slightly concerned about man-in-the-middle attacks, but I would like to figure out why the nginx proxy manager Let's Encrypt config works with internal config and Discourse does not.

There has to be a way!

(P.S. I know I am frazzle brained. Please ask specific questions and I can give clarity)

1 Like

I am looking at the dns-01 challenge option mentioned here.

How would, if possible, I do that with my Discourse config?

1 Like

There are some topics about running Discourse behind nginx proxy manager. Basically, you configure Discourse not to bind to any ports and add the requisite labels in a labels: section in your app.yml.

2 Likes

If I go the nginx proxy manager route, which is how I have it set up right now (as opposed to setting up Let's Encrypt on the Discourse VM itself)…

I would need to still bind to port 80 on the Discourse VM because it is a separate machine in my case.

My experience currently is that I am getting Mixed Content errors with my current configuration of nginx proxy manager with the SSL setup there pointing at the IP address of the Discourse VM at port 80.

I do not think this is possible to get rid of since the http:// references in the code are hard coded… or am I wrong? Is that what this labels field you referenced would change?

I am going to try the socketed template mentioned here along with the config for nginx proxy manager in the advanced tab here.

There is a setting called force_https that you need to enable, either via ENV or rails console.

Also don’t forget to set a proper x-forwarded-proto on your proxy.

2 Likes

I will try that if the Unix socket setup does not work. Thank you @Falco and @pfaffman for the support. I will get back with what works.

I cannot do the Unix socket setup… my Discourse VM is on a separate machine. Back to the original plan. Let me see if I can figure out the force_https enabling with some other posts on the forum. FYI, this is the step I cannot do.

You actually need what Falco suggested.

2 Likes

In nginx proxy manager:

proxy_set_header X-Forwarded-Proto $scheme;

This to enable force_https?

2 Likes

DISCOURSE_FORCE_HTTPS=true I believe (env)
or
DISCOURSE_FORCE_HTTPS: true in app.yml in ENV section.

I was able to do so in the GUI as I mentioned before.

@Falco, @pfaffman, @Jagster, @merefield… thanks to you all, I have successfully set up the reverse proxy and I no longer have those Mixed Content errors.

Once I reverse proxied into port 80 of the Discourse VM and I was able to register and such, it came down to setting force_https using the GUI and adding the x-forwarded-proto flag in the advanced tab of nginx proxy manager.

2 Likes
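A way to verify the fix described in this thread, as an added example that is not part of any post above: the script scans a page served over HTTPS for subresources that still load over http://, which is what the browser reports as Mixed Content. The hostname `discourse.example.com` and both HTML samples are constructed for illustration and are not real Discourse output.

```python
"""Flag http:// subresources in a page served over HTTPS (mixed content)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
# Plain <a href> navigation links are not mixed content and are ignored.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src",
               "audio": "src", "video": "src", "source": "src"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        name = FETCH_ATTRS.get(tag)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            name = "href"
        value = attrs.get(name) if name else None
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, resolved))

def find_mixed_content(page_url, html):
    """Return (tag, url) pairs loaded over http:// from an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # the page itself is not HTTPS, so nothing is "mixed"
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

PAGE = "https://discourse.example.com/"  # constructed hostname
# Constructed sample: backend behind a TLS proxy still emitting http:// URLs.
SAMPLE_BEFORE = """<link rel="stylesheet" href="http://discourse.example.com/s/desktop.css">
<script src="http://discourse.example.com/assets/app.js"></script>
<img src="/images/logo.png"><a href="http://discourse.example.com/latest">Latest</a>"""
# Constructed sample: the same page once the backend generates https:// URLs.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("http://", "https://")

if __name__ == "__main__":
    for label, html in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, find_mixed_content(PAGE, html))
```

To check a live instance, pass the HTML fetched from the public HTTPS URL to `find_mixed_content` instead of the constructed samples.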