Run other websites on the same machine as Discourse

Hi,

I am just doing a fresh install of Discourse.
I am very surprised that :

  • The setup script does not simply allow to setup on a different port, disabling SSL support, and then it’s up to us to do reverse proxy as we want (Apache, Nging) : It seems such a common setup, it would save hundreds of hours of life to humanity
  • I am even more surprised that the setup redirects us to an outdated forum topic, in which we need to dig for the proper information, instead of a proper documentation page, kept up to date.

Thanks guys anyway for your work, but I think there is room for improvement here.
Cheers

10 Likes

Just wanted to share how I accomplished this, it was a little easier than I first thought.

From an already running machine, with Caddy acting as a reverse proxy for a number of existing Docker containers already.

  1. Clone discourse as per the official instructions
  2. Copy /var/discourse/samples/standalone.yml -> /var/discourse/containers/app.yml
  3. Fill in SMTP settings and website address
  4. Comment out 443:443 from the expose: section
  5. Replace 80:80 -> 3001:80, 3001 being the port I’m serving via Caddy
  6. Run ./launcher rebuild app
  7. Done

Whop!

9 Likes

@TheBestPessimist I swapped the order of the HTTP/HTTPS sections, it works better than adding a “don’t do this!” notice :slight_smile:

6 Likes

I would recommend just doing double NGINX, it is far more complex to set it up direct and has virtually no performance cost. Getting it right would be very hard cause we serve some files direct and have a layer of caching that is tricky to configure.

Note, customizing NGINX is easy with mixin templates have a look at the various example templates here: https://github.com/discourse/discourse_docker/tree/master/templates

6 Likes

PSA: If you want to allow uploads larger than 1MB to your site, you’ll also have to set client_max_body_size 100M in any nginx config that sits in front of your site.

For reference, here’s the full nginx config I use:

nginx config for other sites on same host
server {
    if ($host = discourse.mysite.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = backupname.mysite.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80; listen [::]:80;
    server_name discourse.mysite.org;
    server_name backupname.mysite.org;

    location / {
        proxy_pass http://unix:/var/discourse/shared/mysite/nginx.http.sock:;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

# nginx 1.14.1 | intermediate profile | OpenSSL 1.1.0f | link

server {
    listen 443 ssl http2;  listen [::]:443 ssl http2;
    server_name discourse.mysite.org;
    server_name backupname.mysite.org;

    # from discourse examples
    http2_idle_timeout 5m; # up from 3m default
    client_max_body_size 50M; # allow 50M uploads

    location / {
        proxy_pass http://unix:/var/discourse/shared/mysite/nginx.http.sock:;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
    }
    ssl_certificate /etc/letsencrypt/live/backupname.mysite.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/backupname.mysite.org/privkey.pem; # managed by Certbot

    ###### https://mozilla.github.io/server-side-tls/ssl-config-generator/ ####

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/backupname.mysite.org/chain.pem;

    resolver 1.1.1.1;

}
9 Likes

16 posts were split to a new topic: Using Nginx Proxy Manager to manage multiple sites with Discourse

angus’s instructions still work; I have a question, though: will LetsEncrypt still work automatically with this after 3 months when it’s time to renew the certificates? (I assume/hope the answer is yes since the host nginx reads them directly from /var/discourse/shared/standalone?)

1 Like

@Godmar_Back I ran into this problem right now, and my certificate was NOT renewed.

@angus - since we use the letsencrypt certs created by discourse, but commented out the relevant parts in app.yml, I guess the update script is no longer being started. Did you find a solution for that?

1 Like

I tried entering the app and

 "/shared/letsencrypt"/acme.sh --cron --home "/shared/letsencrypt" --force

which kind of showed me at least a problem.

my.site.com:Verify error:Fetching https://my.seite.com/.well-known/acme-challenge/XXXXXXXedited-out-XXXXXXXXXXXXXXXXXXXX: Error getting validation data
[Mi 25. Aug 10:41:37 UTC 2021] Please check log file for more details: /shared/letsencrypt/acme.sh.log

Acme.sh.log pretty much repeats the error message. But it also tells me that all config files are empty.

On the otherhand acme.sh updated itself, so I assume it has not been started in the background for a while, probably since I changed to the outer nginx.

1 Like

You’ll need to handle those outside the container. Follow whatever guide is for let’s encrypt and nginx.

1 Like

As it’s past the period you can edit it yourself, you could flag it. You can flag a post, including your own, by clicking the ellipsis followed by the flag icon at the bottom of the post.

In this case you would choose to flag it as “Something Else” and explain that your email reply included the content from the previous post.

1 Like
1 Like

I’ve just got my new install of discourse on my new server, and after restoring the backup, now I get an issue with SSL.

It says that “parts of this page are not secure, such as images” and after a quick google search I seen that it means the images and fonts etc are not being served over https. However everything appears that it is.

I just copied the NGINX config, and it wasn’t there before I restored the backup.

Any ideas?

1 Like

You could check your force_https is enabled in your admin settings. There have been a few issues with that recently.

3 Likes

If I had Discourse docker on server, but it was using port in 980 and 9443 (reserve proxy)
Could I use ./discourse-setup to set up another Discourse? (Pull another folder of discourse)
It seems more simple by this way, isn’t it?

1 Like

Why would you do that over running multi-site?

1 Like

You can create appy.yml but you can’t use discourse-setup. Copy the other one and edit it.

It is sort of more complicated and requires all sites to use same mail and plugins. For most people it’s easier to just run another server, I think.

1 Like

Yes, exactly
And the single one will be supported more by discourse team

Could you explain how to do it?

  1. I had app.yml
    Could I copy other discourse folder, and app02.yml?

  2. Could I run ./discourse-setup when I copied discourse02 folder and app02.yml?
    How could I config it here?
    I want to be sure that two of container not conflict each other.

  3. My current container named “app”.
    Could I changed its name by rename app.yml?

You will have to make changes by hand to make it work behind the reverse proxy. Assuming that you know how to do that and do it after you create the app.yml with
This might work:

./launcher destroy app
mv containers/app.yml first_app.yml
./launcher rebuild first_app
./discourse-setup

Then you’d edit app.yml to be behind the reverse proxy.

2 Likes

Getting mixed content warnings when discourse is listening on a unix socket. Fresh install.

1 Like