1

I'm a newbee of NGINX and it really gives me headaches...

I have a server with several services running: confluent/kafka, grafana. Each of these services is reachable via http://:port from other computers in the domain.

I would like to reverse-proxy each of these services with HTTPS to increase security so that confluent and grafana are only reachable via URIs

  • https://<hostname>/grafana
  • https://<hostname>/confluent
  • https://<hostname>/more to come

Ok would as well

  1. https://grafana.<hostname>
  2. https://confluent.<hostname>
  3. https://more_to_come.<hostname>
  4. List item

What I have up to now is an nginx.conf (more or less the default template):

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
   ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
... # mail all commented out

I created two *.conffiles in conf.d. grafana.conf works if no other *.conf (server config) is present:

server {

  listen 80;
  listen [::]:80;

  listen 443 ssl;
  ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

  root /var/www/<hostname>/html;
  index index.html index.htm;

  server_name <hostname>;

  location / {
    proxy_pass http://localhost:3000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Server $host;
  }
}

Note: a dummy webpage is present at /var/www/<hostname>/html/index.html. However, if I only have the one grafana.confit is not pulled, but the Grafana application at the URI https://<hostname> (more or less as expected).

If I add another .conf file, say confluent.conflike:

server {

  listen 80;
  listen [::]:80;

  listen 443 ssl;
  ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

  root /var/www/<hostname>/confluent/html;
  index index.html index.htm;

  server_name <hostname>;

  location /confluent {
    proxy_pass http://localhost:9091;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Server $host;
  }
}

The systems returns:

  • http://<hostname> --> /var/www/<hostname>/html/index.html
  • https://<hostname> --> /var/www/<hostname>/html/index.html
  • https://<hostname>/confluent --> 502 Bad Gateway
WolfiG
  • 133
  • 5

1 Answers1

1

I'd stick to a single server configuration, using a map to define the roots and pools for each hostname. Something like this:

map $http_host $docroot {
    grafana.statnamen.de /var/www/www.statnamen.de/html;
    confluent.statnamen.de /var/www/www.statnamen.de/confluent/html;
    moretocome.statnamen.de /var/www/www.statnamen.de/moretocome/html;
    default /var/www/html;
}

map $http_host $pool {
    grafana.statnamen.de localhost:3000;
    confluent.statnamen.de localhost:9091;
    moretocome.statnamen.de 127.0.0.1:9092;
    default 127.0.0.1:3000;
}


server {

    listen 80;
    listen [::]:80;

    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    root /var/www/$docroot;
    index index.html index.htm;

    server_name grafana.statnamen.de confluent.statnamen.de moretocome.statnamen.de;

    location / {
        proxy_pass http://$pool;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Server $host;
    }
}
Gerard H. Pille
  • 2,469
  • 1
  • 12
  • 10
  • Sorry, this did not solve my problems. One (maybe idiotic) question: has the site name e.g. "grafana.hostname" to be a registered host name at our DNS-servers? – WolfiG Jun 19 '20 at 09:26
  • 1
    Unless you put it in the hosts file of every user. How would you expect a domain name to be resolved to the IP address of your server? – Gerard H. Pille Jun 20 '20 at 08:13