Using a certificate when Discourse is installed behind a reverse proxy

Ok, made some more progress. Been following THIS guide mostly, although I’ve followed THIS guide’s advice of not including the ssl_certificate nor the ssl_certificate_key in the Nginx CONF file, as nginx -t was reporting errors.

Neither nginx -t on the Nginx server nor Discourse rebuild is reporting errors right now; however, localhost will not bring up the “Congratulations” message, https://boards.myreserveddns.com:2045/ brings up a “Secure Connection Failed” in the VM’s local browser (SSL received a record that exceeded the maximum permission length), and I get a “Connection Timeout” outside of the VM’s local browser.

All I’ve done on my router is port forward the following:

| Port | IP Address | Explanation |
|---|---|---|
| 80 | 192.168.0.101 | Nginx VM (HTTP) |
| 443 | 192.168.0.101 | Nginx VM (HTTPS) |
| 2045 | 192.168.0.104 | Discourse VM (port exposed in place of 80) |

And I have the following DNS Settings (and let’s say my Local IP is 1.2.3.4):

| Host | IP Address | Explanation |
|---|---|---|
| ngx.myreserveddns.com | 1.2.3.4 | Nginx DNS |
| board.myreserveddns.com | 192.168.0.104 | Discourse DNS |

Right now I am assuming I should also set the Discourse DNS to 1.2.3.4 … but I don’t want to touch anything on the DNS right now until I receive a recommendation based on the rest of my setup below.

Here is the /etc/nginx/sites-available/discourse.conf file in the Nginx VM:

```nginx
server {
    listen 192.168.0.101:80;
    listen [::]:80;
    server_name boards.myreserveddns.com;

    return 301 https://$host$request_uri;
}

server {
    # The IP that you forwarded in your router (nginx proxy)
    listen 192.168.0.101:443 ssl http2;

    # SSL config
    # ssl on;
    # ssl_certificate /etc/nginx/ssl/0000_csr-certbot.pem;
    # ssl_certificate_key /etc/nginx/ssl/0000_key-certbot.pem;
    include /etc/nginx/snippets/ssl.conf;

    # Make site accessible from http://localhost/
    server_name boards.myreserveddns.com;

    # The internal IP of the VM that hosts your Apache config
    set $upstream 192.168.0.104:2045/;

    location / {
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        # Discourse reads X-Forwarded-Proto to know the client arrived over https
        proxy_set_header X-Forwarded-Proto $scheme; #X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_redirect http://$upstream https://boards.myreserveddns.com/;
    }
}
```

And here is the /var/discourse/container/app.yml file in the Discourse VM:

```yaml
templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"

## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache/nginx,
## see https://meta.discourse.org/t/17247 for details
expose:
  - "2045:80" # http

params:
  db_default_text_search_config: "pg_catalog.english"

  ## Set db_shared_buffers to a max of 25% of the total memory.
  ## will be set automatically by bootstrap based on detected RAM, or you can override
  db_shared_buffers: "768MB"

  ## can improve sorting performance, but adds memory usage per-connection
  #db_work_mem: "40MB"

  ## Which Git revision should this container use? (default: tests-passed)
  #version: tests-passed

env:
  LANG: en_US.UTF-8
  # DISCOURSE_DEFAULT_LOCALE: en

  ## How many concurrent web requests are supported? Depends on memory and CPU cores.
  ## will be set automatically by bootstrap based on detected CPUs, or you can override
  UNICORN_WORKERS: 4

  ## TODO: The domain name this Discourse instance will respond to
  ## Required. Discourse will not work with a bare IP number.
  DISCOURSE_HOSTNAME: board.myreserveddns.com

  ## Uncomment if you want the container to be started with the same
  ## hostname (-h option) as specified above (default "$hostname-$config")
  #DOCKER_USE_HOSTNAME: true

  ## TODO: List of comma delimited emails that will be made admin and developer
  ## on initial signup example 'user1@example.com,user2@example.com'
  DISCOURSE_DEVELOPER_EMAILS: 'admin@myreserveddns.com,postmaster@myreserveddns.com'
  ## TODO: The SMTP mail server used to validate new accounts and send notifications
  # SMTP ADDRESS, username, and password are required
  # WARNING the char '#' in SMTP password can cause problems!
  DISCOURSE_SMTP_ADDRESS: smtp.sparkpostmail.com
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_USER_NAME: SMTP_Injection
  DISCOURSE_SMTP_PASSWORD: "<SMTP_Password>"
  #DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)

  ## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
  #LETSENCRYPT_ACCOUNT_EMAIL: admin@myreserveddns.com

  ## The http or https CDN address for this Discourse instance (configured to pull)
  ## see https://meta.discourse.org/t/14857 for details
  #DISCOURSE_CDN_URL: https://discourse-cdn.example.com

## The Docker container is stateless; all data is stored in /shared
volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared
  - volume:
      host: /var/discourse/shared/standalone/log/var-log
      guest: /var/log

## Plugins go here
## see https://meta.discourse.org/t/19157 for details
hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - git clone https://github.com/discourse/docker_manager.git
          - git clone https://github.com/discourse/discourse-chat-integration.git

## Any custom commands to run after building
run:
  - exec: echo "Beginning of custom commands"
  ## If you want to set the 'From' email address for your first registration, uncomment and change:
  ## After getting the first signup email, re-comment the line. It only needs to run once.
  # - exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
  # - exec: rails r "SiteSetting.notification_email='postmaster.myreserveddns.com'"
  - exec: echo "End of custom commands"
```

One thing I did notice was that I have been unable to Bootstrap the app.yml file (./launcher bootstrap app). What could be the problem here?

```text
FAILED
--------------------
Pups::ExecError: socat /dev/null UNIX-CONNECT:/shared/postgres_run/.s.PGSQL.5432 || exit 0 && echo postgres already running stop container ; exit 1 failed with return #<Process::Status: pid 44 exit 1>
Location of failure: /pups/lib/pups/exec_command.rb:112:in `spawn'
exec failed with the params "socat /dev/null UNIX-CONNECT:/shared/postgres_run/.s.PGSQL.5432 || exit 0 && echo postgres already running stop container ; exit 1"
<SMTP_Password>
** FAILED TO BOOTSTRAP ** please scroll up and look for earlier error messages, there may be more than one
```

<SMTP_Password> is not literal, just keeping out of the post.

Keep in mind that ./launcher rebuild app reports no errors … so I’m stumped with the Bootstrap error.

EDIT: Ah, just read this topic. Looks like there is no need to Bootstrap if I can rebuild the project without errors. I suppose the main issue is related to the “Secure Connection Failed”, which I suspect is an issue with the Key/Cert and/or the Address Reservation settings on my Router.

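The “SSL received a record that exceeded the maximum permitted length” browser error in the post above is a cleartext-versus-TLS mismatch: the browser sends a TLS ClientHello, the listener on that port answers in plain HTTP, and the ASCII of `HTTP/1.1 400 ...` decodes as a TLS record header with an impossible length. In the port-forward table above, 2045 goes straight to the Discourse VM (the container’s HTTP port mapped as `2045:80`), not to the Nginx VM that terminates TLS on 443. The probe below, an added example that is not part of the original post or of Discourse’s or nginx’s tooling, sends a real ClientHello (built with Python’s `ssl.MemoryBIO`, so it needs no certificate) to a host:port and classifies the raw reply. The server name `boards.example.invalid`, the 127.0.0.1 stand-in responder, and all sample bytes are constructed for the demonstration.

```python
"""Tell a real TLS listener from a plain-HTTP one by classifying its reply to a ClientHello.

Added example, not part of the original post. Host names, ports and the
stand-in responder below are constructed for the demonstration.
"""
import socket
import ssl
import threading

TLS_MAX_RECORD = 16384 + 2048                 # largest legal TLSCiphertext fragment (RFC 5246 s6.2.3)
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # change_cipher_spec, alert, handshake, application_data


def decode_record_header(data: bytes):
    """Interpret the first five bytes as a TLS record header: (type, (major, minor), length)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    return data[0], (data[1], data[2]), int.from_bytes(data[3:5], "big")


def classify_reply(data: bytes) -> str:
    """Classify what a server sent back in reply to a TLS ClientHello.

    A browser parses the reply as a TLS record header. When a plain-HTTP server
    answered, the ASCII of "HTTP/1.1 400 ..." lands in those five bytes and the
    length field comes out far above the 18432-byte maximum; Firefox reports
    that as "SSL received a record that exceeded the maximum permitted length".
    """
    if len(data) < 5:
        return "no-data"
    ctype, (major, _minor), length = decode_record_header(data)
    if ctype in TLS_CONTENT_TYPES and major == 0x03 and length <= TLS_MAX_RECORD:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "not-tls"


def build_client_hello(server_name: str) -> bytes:
    """Produce a genuine ClientHello (with SNI) without touching the network, via MemoryBIO."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we only want the handshake bytes, not a verified session
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                        # ClientHello has been written; OpenSSL now waits for the server
    return outgoing.read()


def probe(host: str, port: int, server_name: str, timeout: float = 3.0) -> str:
    """Send a ClientHello to host:port and classify the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(server_name))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_reply(reply)


def start_plain_http_responder() -> int:
    """Constructed stand-in for an HTTP listener that receives TLS bytes.

    It answers one connection the way an HTTP server answers a request line it
    cannot parse: with a 400 status line. Returns the port it listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_plain_http_responder()
    print(probe("127.0.0.1", port, "boards.example.invalid"))  # plaintext-http
```

Run against the real layout, `probe("1.2.3.4", 2045, "boards.myreserveddns.com")` would come back `plaintext-http` while `probe("1.2.3.4", 443, ...)` should come back `tls` once the router forwards 443 to the Nginx VM; a `plaintext-http` verdict on a port that is supposed to be HTTPS also means the Discourse HTTP listener is reachable from the internet without the proxy, which is worth closing at the router rather than just working around in the browser.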