Solved Nginx reverse proxy problem with subdomains
-
I just spun up a new CentOS box with nothing on it except nginx.
I opened port 80 and port 443.
I configured some sites in /etc/nginx/conf.d/
The basic sites work perfectly. daerma.com for example
#/etc/nginx/conf.d/daerma.com.conf
server {
    client_max_body_size 40M;
    listen 443 ssl;
    server_name www.daerma.com daerma.com;
    ssl on;
    ssl_certificate /etc/ssl/cacert.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass https://10.254.0.101:443;
        proxy_redirect off;
    }
}
server {
    client_max_body_size 40M;
    listen 80;
    server_name www.daerma.com daerma.com;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://10.254.0.101:80;
        proxy_redirect off;
    }
}
But I also want a proxy to community.daerma.com
This one gives me a 502.
#/etc/nginx/conf.d/community.daerma.com.conf
server {
    client_max_body_size 40M;
    listen 80;
    server_name community.daerma.com;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://10.254.0.106:4567;
        proxy_redirect off;
    }
}
-
You are putting the NGinx proxy on a different node than the NodeBB process?
-
Have you made sure that port 4567 is open on 10.254.0.106?
-
It is not just NodeBB that I am trying to proxy, but yes, all sites are open from the proxy host.
from the host I can "curl 10.254.0.106:4567" and see the output
I am also setting up my screen connect. same result.
-
@scottalanmiller said:
You are putting the NGinx proxy on a different node than the NodeBB process?
Yes different box.
-
NodeBB from proxy
http://i.imgur.com/hiHJMbf.jpg
ScreenConnect from proxy
Screenconnect has long been a port forward on http://support.bundystl.com:8040
I want that port gone, because users.....
http://i.imgur.com/GYBMZUY.jpg
-
Here is the screenconnect proxy info for reference
#/etc/nginx/conf.d/support.bundystl.com.conf
server {
    client_max_body_size 40M;
    listen 80;
    server_name support.bundystl.com;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://10.254.0.22:8040;
        proxy_redirect off;
    }
}
-
@JaredBusch said:
10.254.0.106
I did an nmap on community.daerma.com and this is all I got:
PORT STATE SERVICE
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
8081/tcp closed blackice-icecap
8090/tcp open unknown
8443/tcp open https-alt
-
I couldn't ping 10.254.0.106 either.
-
@johnhooks said:
@JaredBusch said:
10.254.0.106
I did an nmap on community.daerma.com and this is all I got:
PORT STATE SERVICE
80/tcp open http
443/tcp open https
These ports are routed to other services on other domain names that are behind the same public IP.
8080/tcp open http-proxy
8081/tcp closed blackice-icecap
8090/tcp open unknown
8443/tcp open https-alt
Port 8040-8041 are also port forwarded to a server that answers, not sure why nmap did not see them.
-
@johnhooks said:
I couldn't ping 10.254.0.106 either.
Of course not. it is the internal IP.
-
@JaredBusch said:
@johnhooks said:
I couldn't ping 10.254.0.106 either.
Of course not. it is the internal IP.
Oh I thought these were all public facing and you were just forwarding to them. Nevermind.
-
What happens if you disable SELinux and firewalld?
-
@johnhooks said:
What happens if you disable SELinux and firewalld?
The nginx proxy can reach the internal IP and port as noted above.
The external ports 80/443 are port forwarded to the nginx proxy.
6 domains are currently on the same server as daerma.com and all work perfectly. All of the working proxied domains are only domain.com and www.domain.com redirecting to 80/443 on a single internal IP
-
7 sites now. I forgot about jaredbusch.com and just added another conf file.
-
This post insinuates that I should not need to do anything else to reroute.
http://mangolassi.it/topic/5470/reverse-proxy/15
As well as my google searching
-
Ya that's weird. The only time I've ever got a 502 is when either PHP-FPM isn't running or node isn't running.
What do your nginx logs say?
-
@johnhooks said:
What happens if you disable SELinux and firewalld?
selinux.....
did not think about that.. I was not doing anything special.
setenforce 0
and they work.
-
@JaredBusch said:
@johnhooks said:
What happens if you disable SELinux and firewalld?
selinux.....
did not think about that.. I was not doing anything special.
setenforce 0
and they work.
Ya I don't understand how it's determined which ports are allowed through SELinux and which aren't.
-
@johnhooks said:
@JaredBusch said:
@johnhooks said:
What happens if you disable SELinux and firewalld?
selinux.....
did not think about that.. I was not doing anything special.
setenforce 0
and they work.
Ya I don't understand how it's determined which ports are allowed through SELinux and which aren't.
right. so now to learn that because i like not setting permissive
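-
Added example, not part of the thread: the thread ends with `setenforce 0` making the proxies to ports 4567 and 8040 work, so this sketch shows one way to find which upstream ports SELinux denied nginx and to print a per-port fix that keeps enforcing mode on. The audit lines are constructed samples, and the `http_port_t` labelling and the `httpd_can_network_connect` boolean are standard targeted-policy items that the thread itself never mentions.

```shell
#!/bin/sh
# Added example. SAMPLE_AUDIT is constructed for illustration, not taken from
# the thread; real records live in /var/log/audit/audit.log.
SAMPLE_AUDIT='type=AVC msg=audit(1450000001.101:311): avc:  denied  { name_connect } for  pid=2211 comm="nginx" dest=4567 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1450000002.202:312): avc:  denied  { name_connect } for  pid=2211 comm="nginx" dest=8040 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1450000003.303:313): avc:  denied  { name_connect } for  pid=2212 comm="nginx" dest=4567 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1450000004.404:314): avc:  denied  { name_bind } for  pid=900 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1450000004.404:314): arch=c000003e syscall=49 success=no exit=-13 comm="sshd"'

# Read audit records on stdin and print each distinct TCP port that nginx
# was denied an outbound connection to (permission "name_connect").
denied_nginx_ports() {
    grep 'avc: *denied' |
    grep '{ name_connect }' |
    grep 'comm="nginx"' |
    sed -n 's/.* dest=\([0-9][0-9]*\) .*/\1/p' |
    sort -nu
}

# Read audit records on stdin and print, without running them, the commands
# that label each denied port http_port_t so the web server domain may
# connect to it. If a port already carries another label, "semanage port -a"
# refuses and "-m" is needed instead. The broader alternative is one boolean
# for every port: setsebool -P httpd_can_network_connect 1
suggest_fixes() {
    for port in $(denied_nginx_ports); do
        echo "semanage port -a -t http_port_t -p tcp $port"
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | suggest_fixes
```

On the proxy host the same function can read the real log, e.g. `suggest_fixes < /var/log/audit/audit.log` as root; after reviewing and running the printed commands, `setenforce 1` returns the box to enforcing mode.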