Subfolder with SSL and nginx reverse proxy


#1

Hey guys,

I looked around but I couldn’t see a guide on how to host Discourse on domain.com/forum with SSL, using nginx as a reverse proxy. Currently, I’m running the forum on a subdomain - forum.domain.com. What I have in mind is, I’ll use nginx to secure the connection between the user and my server, and then call Discourse locally unsecured via reverse proxy since they’re on the same machine, as per the latest setup tutorial.

I already have Ghost running the same way, and it works flawlessly.

This is my old location statement for the reverse proxy for forum.domain.com and it worked, though not securely.

#       location / {
#               proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
#               proxy_set_header Host $http_host;
#               proxy_http_version 1.1;
#               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#               proxy_set_header X-Forwarded-Proto $scheme;
#       }
}

When I set this same proxy pass on location /forum in the main server block, I’m getting 404 errors for all assets, even though they’re being loaded via /forum/

location /forum {
        proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

}

The error console shows these assets are missing:

Strangely enough, the 404 pages almost work consistently, but are still missing image assets:

What I also notice is that when I do discourse remap domain.com/ domain.com/forum, there’s an error remapping theme_fields

Is there a way I can check these rows specifically and see what the problem is?

The easiest solution would be a wildcard certificate but that’s beyond my budget range at this point.

Any help would be appreciated and I do apologise if this issue was already resolved elsewhere, I just couldn’t find this specific scenario.

Update: Here’s the env variables in app.yml

env:
  LANG: en_US.UTF-8
  # DISCOURSE_DEFAULT_LOCALE: en

  ## How many concurrent web requests are supported? Depends on memory and CPU cores.
  ## will be set automatically by bootstrap based on detected CPUs, or you can override
  UNICORN_WORKERS: 8

  ## TODO: The domain name this Discourse instance will respond to
  DISCOURSE_HOSTNAME: legiochristi.com
  DISCOURSE_RELATIVE_URL_ROOT: /forum

  ## Uncomment if you want the container to be started with the same
  ## hostname (-h option) as specified above (default "$hostname-$config")
  DOCKER_USE_HOSTNAME: true

(Joshua Rosenfeld) #2

Here’s what I’d suggest.

Follow this guide to set up subfolder support:

Next, follow this guide to set up the NGINX reverse proxy with Let’s Encrypt SSL support. You can add the offline page, or skip that part of the NGINX config:

Note, I’d highly suggest ensuring that your site works completely from example.com/forum (the first guide above) before setting up NGINX.


#3

Thanks for the reply. I tried the subfolder tutorial earlier today but it wouldn’t rebuild after I entered the run commands at the end of app.yml

root@legio:/var/discourse# ./launcher rebuild app
Ensuring launcher is up to date
Fetching origin
Launcher is up-to-date
Stopping old container
+ /usr/bin/docker stop -t 10 app
app
(<unknown>): did not find expected key while parsing a block mapping at line 96 column 5 -e LANG=en_US.UTF-8
YAML syntax error. Please check your containers/*.yml config files.

Any ideas?


(Joshua Rosenfeld) #4

That means you have a syntax error in your app.yml file. Try copying your yml into http://www.yamllint.com/ and see what errors are thrown. If that doesn’t help, please share the file here, making sure to remove/redact credentials.
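
Added example (not part of the thread and not Discourse's own tooling): a local syntax check for app.yml using Ruby's bundled Psych parser, whose `(<unknown>): … at line N column M` message format is the one shown in post #3, so the file and the credentials in it can be checked without pasting them into a web service. The app.yml fragment and the `check_yaml` helper are constructed for illustration.

```ruby
require "psych"

# Constructed fragment shaped like a Discourse app.yml (not the poster's file).
# "cmd:" sits one column to the left of "cd:", which breaks the block mapping.
BROKEN_APP_YML = <<~'YAML'
  env:
    DISCOURSE_HOSTNAME: forum.example.com
    DISCOURSE_RELATIVE_URL_ROOT: /forum
  run:
    - exec:
        cd: $home
       cmd:
         - echo "custom command"
YAML

# Same fragment with "cmd:" aligned under "cd:".
FIXED_APP_YML = BROKEN_APP_YML.sub("\n     cmd:", "\n      cmd:")

# Returns nil when the text is syntactically valid YAML, otherwise a hash with
# the parser's position, its problem/context strings and the nearby lines.
# The reported position can be the start of the enclosing mapping rather than
# the offending line itself, so the excerpt runs forward from that line.
def check_yaml(text, window: 3)
  Psych.parse(text) # syntax only: builds an AST, instantiates no objects
  nil
rescue Psych::SyntaxError => e
  lines = text.lines
  first = [e.line - 1, 0].max
  last  = [e.line - 1 + window, lines.length - 1].min
  excerpt = (first..last).map { |i| format("%4d | %s", i + 1, lines[i].chomp) }
  { line: e.line, column: e.column, problem: e.problem,
    context: e.context, excerpt: excerpt }
end

if $PROGRAM_NAME == __FILE__
  # Pass a path such as containers/app.yml; without one the sample is checked.
  text = ARGV[0] ? File.read(ARGV[0]) : BROKEN_APP_YML
  report = check_yaml(text)
  if report
    puts "#{report[:problem]} #{report[:context]} " \
         "(line #{report[:line]}, column #{report[:column]})"
    puts report[:excerpt]
  else
    puts "YAML syntax OK"
  end
end
```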


#5

Yeah, I gathered as much, but it does build properly without the run commands from that guide.

I’ll try a few more things and get back to you with the file. If anyone else has any ideas, let me know.


(Joshua Rosenfeld) #6

Just for reference, unless something changed in the last month, I used both those guides without issue (before I joined the team).


#7

The thing is, I don’t think it’s necessary to use the docker ports at all. All I want to do is reverse proxy into Discourse from /forum, and have it work.

Now rebuilding the app closes my SSH session as soon as it starts chowning /var/www/discourse and it’s driving me up the wall.


#8

Okay, what I did was enter the app, then move all of the assets in /var/www/discourse/public into a subdirectory called forum, then I moved back images/ and uploads/ and it all works great.

I think the issue is that the subdirectory got called for some assets, but not others.

I think this might cause an issue when I update Discourse next, but hopefully not.

I know I’m probably going full retard but I couldn’t find any other way.


(Jeff Atwood) #9

I strongly advise you to not run subfolder. You are signing up for a lot of suffering.


#10

Can’t afford a wildcard certificate at this point, otherwise I wouldn’t think about it twice. :frowning:

Out of curiosity though, what kind of suffering? @codinghorror


(Joshua Rosenfeld) #11

To start, as you are discovering, it is substantially more work to set up. There are also many more places where something can go wrong, like SSL and your reverse proxy. Historically there have also been a fair number of subfolder-specific bugs, and they are harder to debug.

You’ve mentioned “can’t afford a wildcard certificate” a few times now. Is there any reason you can’t set up Let’s Encrypt? It’s 100% free.


(Jeff Atwood) #12

See


#13

Indeed. Maybe I’ll change my setup until wildcards become available with letsencrypt. :slight_smile:


(Jeff Atwood) #14

Are wildcards available on Let’s Encrypt yet?