Running other websites on the same machine as Discourse

riking · November 11, 2020, 5:52pm

If you want to run other websites on the same machine as Discourse, you need to set up an extra NGINX or HAProxy proxy in front of the Docker container.

This guide assumes you already have Discourse working - if you don’t, it may be hard to tell whether or not the configuration is working.

Install nginx outside the container

First, make sure the container is not running:

cd /var/discourse
./launcher stop app

Then install nginx from its PPA (Ubuntu ships by default a very old version, 1.4.0):

sudo add-apt-repository ppa:nginx/stable -y
sudo apt-get update && sudo apt-get install nginx

Change the container definition

This is where we change how Discourse actually gets set up. We don’t want the container listening on ports - instead, we’ll tell it to listen on a special file.

Change your /var/discourse/containers/app.yml to look like this:

# base templates used; can cut down to include less functionality per container templates:
  # - "templates/cron.template.yml" # cron is now included in base image
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/sshd.template.yml"
  - "templates/web.template.yml"
  # - "templates/web.ssl.template.yml" # remove - https will be handled by outer nginx
  - "templates/web.ratelimited.template.yml"
  - "templates/web.socketed.template.yml"  # <-- Added
# which ports to expose?
# expose: comment out entire section

Be sure to remove the next line containing

- "80:80" # fwd host port 80 to container port 80 (http)

Create an NGINX ‘site’ for the outer nginx

For an HTTPS site, put this in /etc/nginx/sites-enabled/discourse.conf, making sure to change the server_name:

server {
    listen 80; listen [::]:80;
    server_name forum.example.com;  # <-- change this

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;  listen [::]:443 ssl http2;
    server_name forum.example.com;  # <-- change this

    ssl_certificate      /var/discourse/shared/standalone/ssl/ssl.crt;
    ssl_certificate_key  /var/discourse/shared/standalone/ssl/ssl.key;
    ssl_dhparam          /var/discourse/shared/standalone/ssl/dhparams.pem;
    ssl_session_tickets off;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

    http2_idle_timeout 5m; # up from 3m default

    location / {
        proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

For an HTTP-only site:

server {
	listen 80; listen [::]:80;
	server_name forum.example.com;  # <-- change this

	location / {
		proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
		proxy_set_header Host $http_host;
		proxy_http_version 1.1;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Real-IP $remote_addr;
	}
}

Make sure that the default site is either disabled or has the correct server_name set.

Then, in a shell:

# Make sure that Discourse isn't running
/var/discourse/launcher stop app || true

# test configuration
sudo nginx -t
# Important: If nginx -t comes back with an error, correct the config before reloading!
sudo service nginx reload

# Rebuild the container to apply changes
/var/discourse/launcher rebuild app

Create your other sites

You’re done with the Discourse section!

Make other NGINX “sites”, then link and enable them, as in the last step above.

angus · March 11, 2018, 9:51am

The guide in the first post is great and, on the whole, still works just fine

There are three things worth noting:

I initially missed some of the app.yml changes. There are 3 things you need to change in your app.yml. If you miss any of these things it won’t work:
1. Comment out all ssl templates in the templates. If you are using letsencrypt you will have two:
```
# - "templates/web.ssl.template.yml"
# - "templates/web.letsencrypt.ssl.template.yml"
```
2. Add a socket template:
```
- "templates/web.socketed.template.yml" 
```
3. Comment out all exposed ports:
```
# - "80:80"   # http
# - "443:443" # https
```

As others mentioned, I had to change the ssl cert and key names in the discourse.conf:

ssl_certificate      /var/discourse/shared/standalone/ssl/discourse.angusmcleod.com.au.cer;
ssl_certificate_key  /var/discourse/shared/standalone/ssl/discourse.angusmcleod.com.au.key;

Turns out my site didn’t have a dhparams.pem key (dh stands for Diffie Hellman, there’s some good explanations of what this is here). You can generate this yourself:
```
openssl dhparam -out /var/discourse/shared/standalone/ssl/dhparams.pem 2048
```

Some other things you may find useful:

sudo netstat -tulpn: This will tell you what ports are being used
/var/log/nginx/error.log: Is the location of the nginx log on ubuntu. This will tell you what the error is when you get a 502 Bad Gateway error.
You may finish a ./launcher rebuild app, excitedly go to your domain to see if it worked and be greeted with a depressing 502 Bad Gateway error. Before giving up in frustration, try restarting nginx one more time:

sudo service nginx restart

This clinched it for me.

Now my sandbox is using nginx outside the container (although I haven’t added the extra website yet).

Canapin · May 19, 2018, 8:12pm

Hi, I’m a bit puzzled.
I have a server with several web applications (Wordpress).

When I try to Install Discourse, I got this message:
root@canapin:/var/discourse# ./discourse-setup
Port 80 appears to already be in use.

This will show you what command is using port 80
COMMAND   PID  USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
nginx   16526  root   26u  IPv4 2931156      0t0  TCP canapin.com:http (LISTEN)
nginx   17035 nginx   26u  IPv4 2931156      0t0  TCP canapin.com:http (LISTEN)

If you are trying to run Discourse simultaneously with another web
server like Apache or nginx, you will need to bind to a different port

See https://meta.discourse.org/t/17247

This topic and several others I read ask to edit containers/app.yml as a first step, but I have no such a file in my containers directory.

What am I supposed to do?

itsbhanusharma · May 19, 2018, 8:18pm

If I’m not mistaken your app.yml is generated after you have successfully bootstrapped.

You may have to stop your running webserver (apache/nginx/whatever) until discourse is installed and you have modified app.yml to use either an alternative port or an alternative method e.g. sockets to make your forum run behind a proxy i.e. your webserver.

riking · May 19, 2018, 8:19pm

The app.yml is generated during discourse-setup - you can bootstrap/rebuild separately by following the old Docker install instructions.

Canapin · May 19, 2018, 8:27pm

From the official installation guide, on the /discourse-setup part:

This will generate an app.yml configuration file on your behalf, and then kicks off bootstrap.

And I can’t go past the ./discourse-setup part since the installation stops because of the port thing.

I’ll try to stop my webserver as you suggest.

itsbhanusharma · May 19, 2018, 8:28pm

Just stop the webserver beforehand and complete the ./discourse-setup script. You’ll have an app.yml file in the containers folder when the script completes successfully.

Canapin · May 19, 2018, 8:41pm

Yes I stopped apache and nginx and the install is working, thanks guys.

Canapin · May 19, 2018, 9:16pm

Well I then followed the steps on this thread and:
from /var/discourse/containers/app.yml,
- "templates/cron.template.yml" > I didn’t have this line and I didn’t add it since this guide doesn’t tell to add it.

Then the guide tells:

# expose: comment out entire section

And then

Be sure to remove the next line containing
- "80:80" # fwd host port 80 to container port 80 (http)

So, should I remove nor comment this line since it is from the # expose section? I commented it by the way.

For an HTTPS site, make /etc/nginx/sites-enabled/discourse.conf look like this:

I didn’t have such a file and I created it. Is the file supposed to be already here after installing Discourse, or is it normal that I had to create it?

Then I followed the remaining steps and I didn’t forget to restart nginx, but my Discourse installation doesn’t show up (I created my subdomain from Plesk):

Finally, I see that this guide mention:

This guide assumes you already have Discourse working

But what if we don’t have Discourse working, especially because we already have other web apps running? Is there another guide intended for this configuration?

itsbhanusharma · May 19, 2018, 9:19pm

Try searching for “offline page while rebuilding” guide here on meta and observe it’s nginx configuration.

Canapin · May 19, 2018, 9:25pm

Thank you. I don’t have any error message of any kind, my subdomain just shows up the default home page for any new subdomain created from plesk.

itsbhanusharma · May 19, 2018, 9:30pm

That is because it can’t reach discourse which is trapped inside docker until you show it the way to interact with outside world.

Canapin · May 19, 2018, 10:42pm

Hi, I started back from the beginning and I have Discourse working now ; I just need to read and apply this guide again, but still, I have quick questions before doing so. I don’t want to mess up.
I don’t have the /etc/nginx/sites-enabled/discourse.conf file. Is it supposed to be that way and do I have to create it?
Also the -templates/cron.template.yml" line in app.yml file which I don’t know if I have to add it or not since it’s not present in my own config file.

itsbhanusharma · May 20, 2018, 2:34am

Yes

If it’s not there and you don’t know the use of it then don’t bother about it.

Canapin · May 20, 2018, 12:50pm

Thank you again for your reply.

From what I see, the /sites-enabled/ directory is not included in my nginx.conf. However, this file contains :

include /etc/nginx/conf.d/*.conf;

So I created a discourse.conf file in this /conf.d/ directory. My discourse.conf contains among other lines these copy-pasted from the guide:

    ssl_certificate      /var/discourse/shared/standalone/ssl/ssl.crt;
    ssl_certificate_key  /var/discourse/shared/standalone/ssl/ssl.key;
    ssl_dhparam          /var/discourse/shared/standalone/ssl/dhparams.pem;

nginx tells me that these files don’t exist.
I replaced ssl.crt by forum.canapin.com.cer and ssl.key by forum.canapin.com.key as I these ones exist. But I can’t find any dhparams.pem.

Any idea?

itsbhanusharma · May 20, 2018, 12:55pm

If you’ve installed letsencrypt certificate then dhparams.pem should be generated in your working directory /etc/letsencrypt you can copy it from there.

Canapin · May 20, 2018, 1:20pm

Thank you, I’ve been able to get this file.

I think I’m very close to having Discourse working I had no error message whatsoever which is a new thing compared to my previous config attempts and I’ve been able to start the app after making all this configuration.

However, forum.canapin.com still shows the default page generated by Plesk.

Here 's my app.yml: https://pastebin.com/4bYXQJ7A (I edited some emails info)
Here’s my discourse.conf: https://pastebin.com/raw/FuPubCyA which is correctly loaded by nginx.
Also, I disabled the use of Apache for forum.canapin.com to use nginx instead:

So I guess I’m missing a little something somewhere…

itsbhanusharma · May 20, 2018, 1:58pm

Hmm … That sums it down. You may have to stop nginx from proxying requests for forum.canapin.com to apache2 and rather proxy them to the socket instead.

I’d hint on modifying the default nginx config (the other config in the conf.d folder) to be domain agnostic and specifically not handle requests for forum.canapin.com subdomain.

Canapin · May 20, 2018, 4:24pm

Hi,

I thought that’s what the checkbox unchecked would do since it mentions “turn off to stop using Apache”.
The only other files that I have in my conf.d folder are ssl.conf and zz010_psa_nginx.conf, the latter containing:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
include /etc/nginx/plesk.conf.d/server.conf;
include /etc/nginx/plesk.conf.d/webmails/*.conf;
include /etc/nginx/plesk.conf.d/vhosts/*.conf;
include /etc/nginx/plesk.conf.d/forwarding/*.conf;
include /etc/nginx/plesk.conf.d/wildcards/*.conf;

itsbhanusharma · May 20, 2018, 4:30pm

I’m not a plesk user so I don’t know much details about how it handles request but if nginx is responsible for everything after that checkbox is unchecked then it should definitely read the discourse.conf but looks like it’s not reading that.

I’ve gone through your configurations and both look okay so I don’t have much to say. I’d like to know if you have some way to alter configurations inside of your plesk panel. if so, try to edit the configuration from there.