
I currently have to master a difficult setup: I want nginx to serve web content AND deeply redirect to content on localhosts (local apps) with altered posts. I want every request to use https using nginx capabilities and certification from Let's Encrypt.

I have achieved a lot so far:

a) Certification is up and running and works just fine (to my understanding)
b) webserver runs just fine
c) ONE subdomain works well, all the others do not

Yet I am a beginner and am thankful for every improvement you can point me to. I also noticed that redirects are laggy and error-prone but I cannot put my finger on it :/.

Let's look at the config, which is rather large (I show you my sites-enabled config):

server {

    # Make it harder for attackers to know we are alive

    listen      80;
    server_name "";
    return      444;
}

So this should not be our problem ...

server {

    # Company homepage

    if ($host = www.website.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = website.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Project Management

    if ($host = pjm.website.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Organization Development Kanbanboard

    if ($host = organization.website.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = org.website.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Web Development Kanbanboard

    if ($host = development.website.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = dev.website.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Marketing Development Kanbanboard

    if ($host = marketing.website.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = mkt.website.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Sales Development Kanbanboard

    if ($host = sales.website.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = sls.website.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

  listen 80;
  server_name all_the_above_servernames_without_fail;
    return 404; # managed by Certbot
}

server {
  server_name website.com www.website.com;
  root /media/data/webserver/website.com;
  index index.html index.htm;
  location / {
        try_files $uri $uri/ =404;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/website.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

This also seems to be pretty commonly used, so I think it is alright (Is it?). The website runs flawlessly and there are no problems here.

Now to the configuration of the reverse proxies:

server {
  server_name pjm.website.com;
  location / {

    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;

    # Fix the "It appears that your reverse proxy set up is broken" error.
    proxy_pass          http://localhost:1030;
    proxy_read_timeout  90;

    proxy_redirect      http://localhost:1030 https://pjm.website.com;
  }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/website.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

The PJM service also works. It is however slow and sometimes the app tells you to reload. ...

server {
  server_name organization.website.com;
  location / {

    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;

    # Fix the "It appears that your reverse proxy set up is broken" error.
    proxy_pass          http://localhost:1030/ORG/ST;

    proxy_read_timeout  90;
    proxy_redirect      http://localhost:1030/ORG/ST https://organization.website.com;
  }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/website.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

This service however does not work. I can however get to it when accessing pjm and working my way up which is tedious.

How can one resolve this issue?

jcor
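For reference, the following is how the HTTP side is usually collapsed into one redirect server and how a path-prefix proxy is written so that the URI mapping is explicit. This is an added illustration, not the asker's configuration and not an answer posted on the page. The host names, the port 1030, the `/ORG/ST` prefix and the Certbot paths are taken from the question; `127.0.0.1` in place of `localhost`, the `default_server` flag and the `proxy_redirect default` line are my choices, and the remark about the app's base-URL setting is an assumption about the app.

```nginx
# Added example (not the asker's config): consolidated HTTP side and one
# path-prefix reverse proxy, using the names from the question.

# Requests with no Host header, or a Host that matches no server below,
# are dropped (444) instead of being redirected.
server {
    listen      80 default_server;
    server_name "";
    return      444;
}

# One redirect server for every public name instead of a chain of "if" blocks.
# Certbot's http-01 renewal keeps working: the Let's Encrypt validator follows
# this redirect to the https site.
server {
    listen      80;
    server_name website.com www.website.com
                pjm.website.com
                organization.website.com org.website.com;
    return      301 https://$host$request_uri;
}

# Path-prefix proxy. When proxy_pass carries a URI part, nginx replaces the
# portion of the request URI that matched the location with that URI part,
# so the trailing slashes have to pair up:
#   location /  +  proxy_pass .../ORG/ST/  ->  /board  becomes  /ORG/ST/board
#   location /  +  proxy_pass .../ORG/ST   ->  /board  becomes  /ORG/STboard
server {
    listen      443 ssl;
    server_name organization.website.com;

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass         http://127.0.0.1:1030/ORG/ST/;
        proxy_read_timeout 90;

        # "default" expands to: proxy_redirect http://127.0.0.1:1030/ORG/ST/ /;
        # It only rewrites Location headers, never links inside HTML bodies.
        # Assumption: the app has a public/base URL setting that should be set
        # to https://organization.website.com/ so the links it generates match.
        proxy_redirect default;
    }

    ssl_certificate     /etc/letsencrypt/live/website.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
}
```

Two things to check after loading a configuration like this: `nginx -t` reports syntax and certificate-path errors before a reload, and `curl -sI http://organization.website.com/` should show a single 301 to the https name. Because `Host` is forwarded as `$host`, an app that builds absolute URLs from the Host header will emit `http://organization.website.com/ORG/ST/...` rather than `http://127.0.0.1:1030/...`, which `proxy_redirect` does not match; that is the case Tero Kilkanen's comment describes, and it is solved in the app (honouring `X-Forwarded-Proto` or a base-URL setting), not in nginx.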
  • Do the apps work fast when you are not reverse proxying to them? Do the apps realise that they are behind a reverse proxy and adjust accordingly? – Tero Kilkanen Mar 13 '19 at 20:58
  • There is no problem with the apps when run without a proxy. I am not sure what you mean by "realise" when it comes to reverse proxying. There is no setting for that in these apps. In fact one of the reasons I want to do reverse proxying is that they only support http and I of course want https in 2019. Therefore the idea is to have nginx handle "security" while the apps deliver the content. Hopefully this makes any sense to you guys out there ... :) – jcor Mar 14 '19 at 10:42
  • Yes, your goal makes sense and is reasonable. However, sometimes there are issues in applications that prevent them from running properly when they are behind a reverse proxy. And such issues are hard to detect. – Tero Kilkanen Mar 14 '19 at 20:19

0 Answers