Faire fonctionner d'autres sites web sur la même machine que Discourse

@pfaffman a lourdement édité ceci le 24.02.2022. Blâmez-moi si quelque chose ne fonctionne pas.

Si vous souhaitez exécuter d’autres sites web sur la même machine que Discourse, vous devez configurer un proxy NGINX ou HAProxy supplémentaire devant le conteneur Docker.

NOTE : Ceci est destiné aux administrateurs avancés

Ce guide suppose que vous avez déjà configuré Discourse - si ce n’est pas le cas, il peut être difficile de savoir si la configuration fonctionne ou non.

Vous ne pouvez pas utiliser ./discourse-setup pour configurer Discourse si un autre serveur utilise les ports 80 ou 443. Vous devrez copier et modifier samples/standalone.yml avec votre éditeur de texte préféré.

Installer nginx à l’extérieur du conteneur

Tout d’abord, assurez-vous que le conteneur n’est pas en cours d’exécution :

cd /var/discourse
./launcher stop app

Ensuite, installez nginx et certbot :

sudo apt-get update && sudo apt-get install nginx certbot python3-certbot-nginx

Modifier la définition du conteneur

C’est ici que nous modifions la manière dont Discourse est réellement configuré. Nous ne voulons pas que le conteneur écoute sur des ports - au lieu de cela, nous allons lui dire d’écouter sur un fichier spécial.

Vous devez modifier /var/discourse/containers/app.yml pour désactiver le ssl et ajouter un modèle pour créer le socket nginx. Il devrait ressembler à ceci :

# modèles de base utilisés ; peut être réduit pour inclure moins de fonctionnalités par modèles de conteneur :
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
  # - "templates/web.ssl.template.yml" # supprimer - https sera géré par nginx externe
  # - "templates/web.letsencrypt.ssl.template.yml" # supprimer -- https sera géré par nginx externe
  - "templates/web.socketed.template.yml"  # <-- Ajouté

Assurez-vous de supprimer ou de commenter les ports exposés en plaçant un # devant chaque ligne.

# quels ports exposer ?
# expose: commenter la section entière en plaçant un # devant chaque ligne
# - "80:80"   # http
# - "443:443" # https

Maintenant, vous pouvez

/var/discourse/launcher rebuild app

pour reconstruire Discourse afin de rendre ses données accessibles au socket.

Si vous utilisez un autre proxy inverse qui ne peut pas utiliser de socket web, vous pouvez exposer un port différent dans la section ci-dessus, par exemple - 8080:80.

Créer un ‘site’ NGINX pour le nginx externe

Créez un fichier de site pour Discourse :

cd /etc/nginx/sites-available
cp default discourse.example.com
cd ../sites-enabled
ln -s ../sites-available/discourse.example.com

Ensuite, modifiez ce fichier en commentant ces lignes :

        #listen 80 default_server;
        #listen [::]:80 default_server;

et en modifiant la stanza server_name et location comme ceci :

    server_name discourse.example.com;  # <-- changez ceci

location / {
                proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;

}

Si vous utilisez une installation à deux conteneurs, la ligne du socket sera :

                proxy_pass http://unix:/var/discourse/shared/web-only/nginx.http.sock:;

Ensuite, dans un shell :

certbot --nginx

Et suivez les instructions. Si vous ne comprenez pas les invites, vous ne devriez probablement pas faire cela, mais vous pouvez consulter la documentation certbot pour obtenir de l’aide.

@pfaffman pense que certbot fera cela pour vous, mais si vous modifiez la configuration nginx, vous devrez

sudo service nginx reload

Créez vos autres sites

Vous avez terminé avec la section Discourse !

Créez d’autres “sites” NGINX, puis liez-les et activez-les, comme à l’étape précédente.

Conseils

• sudo netstat -tulpn : Ceci vous indiquera quels ports sont utilisés
• /var/log/nginx/error.log : Est l’emplacement du journal nginx sur ubuntu. Il vous indiquera quelle est l’erreur lorsque vous obtenez une erreur 502 Bad Gateway.

The guide in the first post is great and, on the whole, still works just fine

There are three things worth noting:

1. I initially missed some of the app.yml changes. There are 3 things you need to change in your app.yml. If you miss any of these things it won’t work:

   1. Comment out all ssl templates in the templates. If you are using letsencrypt you will have two:

      # - "templates/web.ssl.template.yml"
      # - "templates/web.letsencrypt.ssl.template.yml"
      

   2. Add a socket template:

      - "templates/web.socketed.template.yml" 
      

   3. Comment out all exposed ports:

      # - "80:80"   # http
      # - "443:443" # https
      

2. As others mentioned, I had to change the ssl cert and key names in the discourse.conf:

   ssl_certificate      /var/discourse/shared/standalone/ssl/discourse.angusmcleod.com.au.cer;
   ssl_certificate_key  /var/discourse/shared/standalone/ssl/discourse.angusmcleod.com.au.key;
   

3. Turns out my site didn’t have a dhparams.pem key (dh stands for Diffie Hellman, there’s some good explanations of what this is here). You can generate this yourself:

   openssl dhparam -out /var/discourse/shared/standalone/ssl/dhparams.pem 2048
   

Some other things you may find useful:

• sudo netstat -tulpn: This will tell you what ports are being used

• /var/log/nginx/error.log: Is the location of the nginx log on ubuntu. This will tell you what the error is when you get a 502 Bad Gateway error.

• You may finish a ./launcher rebuild app, excitedly go to your domain to see if it worked and be greeted with a depressing 502 Bad Gateway error. Before giving up in frustration, try restarting nginx one more time:

  sudo service nginx restart

  This clinched it for me.

Now my sandbox is using nginx outside the container (although I haven’t added the extra website yet).

Hi,

I am just doing a fresh install of Discourse.
I am very surprised that :

• The setup script does not simply allow to setup on a different port, disabling SSL support, and then it’s up to us to do reverse proxy as we want (Apache, Nging) : It seems such a common setup, it would save hundreds of hours of life to humanity
• I am even more surprised that the setup redirects us to an outdated forum topic, in which we need to dig for the proper information, instead of a proper documentation page, kept up to date.

Thanks guys anyway for your work, but I think there is room for improvement here.
Cheers

Just wanted to share how I accomplished this, it was a little easier than I first thought.

From an already running machine, with Caddy acting as a reverse proxy for a number of existing Docker containers already.

1. Clone discourse as per the official instructions
2. Copy /var/discourse/samples/standalone.yml -> /var/discourse/containers/app.yml
3. Fill in SMTP settings and website address
4. Comment out 443:443 from the expose: section
5. Replace 80:80 -> 3001:80, 3001 being the port I’m serving via Caddy
6. Run ./launcher rebuild app
7. Done

Whop!

@TheBestPessimist I swapped the order of the HTTP/HTTPS sections, it works better than adding a “don’t do this!” notice

I would recommend just doing double NGINX, it is far more complex to set it up direct and has virtually no performance cost. Getting it right would be very hard cause we serve some files direct and have a layer of caching that is tricky to configure.

Note, customizing NGINX is easy with mixin templates have a look at the various example templates here: discourse_docker/templates at master · discourse/discourse_docker · GitHub

PSA: If you want to allow uploads larger than 1MB to your site, you’ll also have to set client_max_body_size 100M in any nginx config that sits in front of your site.

For reference, here’s the full nginx config I use:

server {
    if ($host = discourse.mysite.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = backupname.mysite.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80; listen [::]:80;
    server_name discourse.mysite.org;
    server_name backupname.mysite.org;

    location / {
        proxy_pass http://unix:/var/discourse/shared/mysite/nginx.http.sock:;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

# nginx 1.14.1 | intermediate profile | OpenSSL 1.1.0f | link

server {
    listen 443 ssl http2;  listen [::]:443 ssl http2;
    server_name discourse.mysite.org;
    server_name backupname.mysite.org;

    # from discourse examples
    http2_idle_timeout 5m; # up from 3m default
    client_max_body_size 50M; # allow 50M uploads

    location / {
        proxy_pass http://unix:/var/discourse/shared/mysite/nginx.http.sock:;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
    }
    ssl_certificate /etc/letsencrypt/live/backupname.mysite.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/backupname.mysite.org/privkey.pem; # managed by Certbot

    ###### https://mozilla.github.io/server-side-tls/ssl-config-generator/ ####

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/backupname.mysite.org/chain.pem;

    resolver 1.1.1.1;

}

16 posts were split to a new topic: Using Nginx Proxy Manager to manage multiple sites with Discourse

angus’s instructions still work; I have a question, though: will LetsEncrypt still work automatically with this after 3 months when it’s time to renew the certificates? (I assume/hope the answer is yes since the host nginx reads them directly from /var/discourse/shared/standalone?)

@Godmar_Back I ran into this problem right now, and my certificate was NOT renewed.

@angus - since we use the letsencrypt certs created by discourse, but commented out the relevant parts in app.yml, I guess the update script is no longer being started. Did you find a solution for that?

I tried entering the app and

 "/shared/letsencrypt"/acme.sh --cron --home "/shared/letsencrypt" --force

which kind of showed me at least a problem.

my.site.com:Verify error:Fetching https://my.seite.com/.well-known/acme-challenge/XXXXXXXedited-out-XXXXXXXXXXXXXXXXXXXX: Error getting validation data
[Mi 25. Aug 10:41:37 UTC 2021] Please check log file for more details: /shared/letsencrypt/acme.sh.log

Acme.sh.log pretty much repeats the error message. But it also tells me that all config files are empty.

On the otherhand acme.sh updated itself, so I assume it has not been started in the background for a while, probably since I changed to the outer nginx.

You’ll need to handle those outside the container. Follow whatever guide is for let’s encrypt and nginx.

As it’s past the period you can edit it yourself, you could flag it. You can flag a post, including your own, by clicking the ellipsis followed by the flag icon at the bottom of the post.

In this case you would choose to flag it as “Something Else” and explain that your email reply included the content from the previous post.

https://meta.discourse.org/t/upload-problem-with-https-or-http2-and-s3/202799/3

I’ve just got my new install of discourse on my new server, and after restoring the backup, now I get an issue with SSL.

It says that “parts of this page are not secure, such as images” and after a quick google search I seen that it means the images and fonts etc are not being served over https. However everything appears that it is.

I just copied the NGINX config, and it wasn’t there before I restored the backup.

Any ideas?

You could check your force_https is enabled in your admin settings. There have been a few issues with that recently.

Si j’avais Discourse docker sur un serveur, mais qu’il utilisait le port 980 et 9443 (proxy inverse)
Pourrais-je utiliser ./discourse-setup pour configurer un autre Discourse ? (Télécharger un autre dossier de discourse)
Cela semble plus simple de cette façon, n’est-ce pas ?

Pourquoi feriez-vous cela plutôt que d’exécuter plusieurs sites ?

Vous pouvez créer appy.yml mais vous ne pouvez pas utiliser discourse-setup. Copiez l’autre et modifiez-le.

C’est un peu plus compliqué et nécessite que tous les sites utilisent le même courrier et les mêmes plugins. Pour la plupart des gens, il est plus facile d’exécuter un autre serveur, je pense.

Oui, exactement
Et le seul sera davantage pris en charge par l’équipe de Discourse

Pourriez-vous expliquer comment faire ?

1. J’avais app.yml
   Puis-je copier un autre dossier discourse, et app02.yml ?

2. Puis-je exécuter ./discourse-setup lorsque j’ai copié le dossier discourse02 et app02.yml ?
   Comment puis-je le configurer ici ?
   Je veux être sûr que deux conteneurs ne s’affrontent pas.

3. Mon conteneur actuel s’appelle “app”.
   Puis-je changer son nom en renommant app.yml ?