nginx as reverse ssl proxy (Apache + Varnish) skips its own configuration

Question

I have a new Ubuntu 14.04 installation with the following steps taken:

Apache2 2.4.7
MariaDB last stable version
PHP 7.0.9 (and several modules)
Apache configured to work with PHP7-FPM *
mod_rpaf working with Apache2 **
PHPMyAdmin 4.6.3 working correctly with PHP7.0.9.
WordPress 4.6 ***
Varnish 4.0
NginX 1.10.1 with ssl certificate in /etc/nginx/ssl
and ** -> The issue happens before and after these configurations *** -> wp-config.php has code to force ssl login and ssl admin. Both work fine with only Apache/Varnish. Made an ssl certificate for Apache and everything worked fine if Apache set to listen to port 443.

This is my /etc/apache2/ports.conf:

#NameVirtualHost 192.168.1.86
ServerName 192.168.1.86
Listen 8080

#<IfModule ssl_module>
#   Listen 443
#</IfModule>

#<IfModule mod_gnutls.c>
#   Listen 443
#</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

This is my /etc/apache2/sites-available/000-default.conf:

<IfModule mod_fastcgi.c>

    AddHandler php7-fcgi-www-data .php
    Action php7-fcgi-www-data /php7-fcgi-www-data
    Alias /php7-fcgi-www-data /usr/lib/cgi-bin/php7-fcgi-www-data
    FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-www-data -socket /run/php/php7.0-fpm.www-data.sock -pass-header Authorization

    <Directory "/usr/lib/cgi-bin">
        Require all granted
    </Directory>

    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
        SetHandler php7-fcgi-www-data
    </FilesMatch>

</IfModule>

<VirtualHost *:8080>

    ServerAdmin karls@192.168.1.86
    DocumentRoot /var/www/html
    ServerName 192.168.1.86

    <Directory /var/www/html/>
      AllowOverride All
    </Directory>

    Alias /phpmyadmin "/usr/share/phpmyadmin/"
    <Directory "/usr/share/phpmyadmin/">
      Order allow,deny
      Allow from all
      Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

This is the 'backend' part in my /etc/varnish/default.vcl:

backend default {
    .host = "192.168.1.86";
    .port = "8080";
}

This is in my /etc/default/varnish:

DAEMON_OPTS="-a :80 \
         -T localhost:6082 \
         -f /etc/varnish/default.vcl \
         -S /etc/varnish/secret \
         -s malloc,256m"

This is my /etc/nginx/sites-available/default:

server {
    listen 443 ssl;

    server_name     192.168.1.86;
    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location / {
        proxy_pass http://192.168.1.86:80;

        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Host $host;
    }
}

NO trace of port 80 in /etc/nginx/nginx.conf.
/etc/apache2/sites-available/000-default.conf matches the one in sites-enabled
/etc/nginx/sites-available/default matches the one in sites-enabled
Tried a lot of combination in /etc/nginx/sites-available/default with the 'listen 443', like:

listen 443 ssl default_server; listen [::]:443 ssl default_server ipv6only=on;

THE PROBLEM

https://192.168.1.86/wp-admin (or https://192.168.1.86, etc) shows 'Unable to connect', no matter what I do in nginx conf files. Tried MANY things.

Nginx seems to be ok (syntax, configuration) but, when activated, doesn't work. Error log says:

2016/08/23 14:02:07 [emerg] 10857#10857: bind() to 0.0.0.0:80 failed (98: Address already in use)
2016/08/23 14:02:07 [emerg] 10857#10857: bind() to 0.0.0.0:80 failed (98: Address already in use)
2016/08/23 14:02:07 [emerg] 10857#10857: bind() to 0.0.0.0:80 failed (98: Address already in use)
2016/08/23 14:02:07 [emerg] 10857#10857: bind() to 0.0.0.0:80 failed (98: Address already in use)
2016/08/23 14:02:07 [emerg] 10857#10857: bind() to 0.0.0.0:80 failed (98: Address already in use)
2016/08/23 14:02:07 [emerg] 10857#10857: still could not bind()

For some reason, nginx is trying to take port 80, but it is supposed to be using 443.

I've seen other people having the same exact issue, for example: nginx trying to bind on the wrong port

Just to be clear: I DO know there is one server using port 80. What I DON'T know is why nginx is trying to use port 80 when it should be using 443.

Anyone can help, please? Thanks in advance

Did you try deliberately using bad nginx syntax to confirm that it is in fact using that config file? Did you check with "ps -ef | grep nginx" to see what config nginx thinks it is using? Tangentially, both apache and nginx can serve php, ssl, and cache for all but extreme cases, and really only at high scale is something like varnish needed. In that case; running all 3 of apache, nginx and varnish on a single host would be a mistake. Consider simplifying and just using nginx or apache, and not using varnish. — Jonah Benton, Aug 24 '16 at 01:59
Hi @JonahB, obviously a beginner here, but we need to do apache+varnish for normal http and nginx (https) for wp-admin, woocommerce and probably membership. Currently only https for admin. ps -ef | grep nginx gives: karls 10519 5414 0 13:00 pts/0 00:00:00 grep --color=auto nginx — Karls, Aug 24 '16 at 11:03
As for syntax, it doesn't like bad syntax, so it seems to be using the right conf file. — Karls, Aug 24 '16 at 11:10
Sure, everybody has been there, no worries. My point is apache by itself can satisfy all those needs. It serves http and https at the same time, and does page caching like varnish. Using one tool will greatly simplify the learning curve, operational load, and troubleshooting when things go wrong. In a single server scenario running fewer programs is more efficient. And apaches documentation is generally better than nginx or varnish. Give strong consideration to just running apache instead of all 3. — Jonah Benton, Aug 24 '16 at 12:59
Thanks @JonahB, will take that into consideration. But, just for the sake of it, I've seen this issue in other threads and no one seems to have the answer. There's some evidence that suggests that nginx doesn't behave as it is supposed to in some circumstances, and the solutions I've seen seem to be very convoluted or simply leading nowhere. Something (not in any .conf nor in init.d) makes nginx bind to port 80, even it is told not to. — Karls, Aug 24 '16 at 14:29
Yes, nginx has a lot of default intelligence, and the config parsing has some edge cases. Try consolidating config into a single file. Also, your ps indicates it is not running; change your varnish port to listen on 8888 or something, then nginx can start and you can fiddle with it more effectively. — Jonah Benton, Aug 24 '16 at 17:50

score 0 · Answer 1 · answered Sep 01 '16 at 03:48

You can try a couple of things around not messing around with the default file config

a) Create your own config file in /etc/nginx/sites-available and then enable it with a soft link in /etc/nginx/sites-enabled

b) disable default site entirely by deleting the default link in /etc/nginx/sites-enabled or simply change the port of the default config so nginx listens in port 81 (for example)

So in case Nginx insists on listening in http or whatever is causing this behavious, it will not take port 80 and allow Varnish to take it.

Alternatively upgrade to Ubuntu 16.04 LTS which would give you a much up-to-date of everything including Openssl v1.0.2+ so you can enable HTTP/2 support.

Yep, that seems to be the right track. I've been trying to setup an apache2+nginx as a reverse proxy with ssl termination install with no database, no varnish, no nothing, just the servers and some dummy index.html files and the typical info.php file. PHP7, php-fpm, fastcgi and rpaf. BUT ALSO setting up virtual hosts for both apache and nginx and deleting the defaults all the way. So making www/site-a/, www/site-b/ seems to work well. Still testing everything so I can come and give a proper answer if anyone else gets in the same trouble. Still, not a clue on the problem. Thanks @geliloabad — Karls, Sep 02 '16 at 18:09

nginx as reverse ssl proxy (Apache + Varnish) skips its own configuration

1 Answers1