Setting up Nginx on CentOS 7 as a reverse proxy
-
@dashrender said in Setting up Nginx on CentOS 7 as a reverse proxy:
@jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:
I never run certbot with one of the specific switches like --nginx or --apache. Ever.
Fuck letting some 3rd party script edit my configuration files.
I run in standalone mode and edit the conf files myself.
I also include multiple SAN on my certs, so the same SSL file is in multiple conf files.
LOL - JB doesn't trust scripts from LE or whomever made them, but he for some reason trusts other people's scripts.... LOL
Scripts that install software are different than scripts that change your configuration files.
I run the certbot scripts, no problem. Just not in a way that lets them fuck up my configuration.
-
@black3dynamite said in Setting up Nginx on CentOS 7 as a reverse proxy:
@dashrender said in Setting up Nginx on CentOS 7 as a reverse proxy:
@jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:
I never run certbot with one of the specific switches like --nginx or --apache. Ever.
Fuck letting some 3rd party script edit my configuration files.
I run in standalone mode and edit the conf files myself.
I also include multiple SAN on my certs, so the same SSL file is in multiple conf files.
LOL - JB doesn't trust scripts from LE or whomever made them, but he for some reason trusts other people's scripts.... LOL
I thought he said something about magic scripts that he doesn’t like?
What makes them magic?
-
@zachary715 said in Setting up Nginx on CentOS 7 as a reverse proxy:
@wirestyle22 Share your resolution if you will. I was trying to install nginx on a server with wiki.js the other day and was running into the same error.
That occurs if you don't create actual entries for the server in the config files. I definitely agree with @JaredBusch now that I have gone through the configs and mostly know what's going on. As far as I can see it there are two ways to config.
One is editing /etc/nginx/nginx.conf. This is one huge config and you have to add your server entries all into it, which is what it is referring to when it tells you to add a server_name directive to your nginx configuration. Example of a server entry that you would put into the nginx.conf from JB's guide:

server {
    client_max_body_size 40M;
    listen 443 ssl;
    server_name www.domain.com domain.com; #change to your domain name
    ssl on;
    ssl_certificate /etc/ssl/cacert.pem; #this needs to be the path to your certificate information
    ssl_certificate_key /etc/ssl/privkey.pem; #this needs to be the path to your certificate information
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass https://10.0.0.2:443; #change to your internal server IP
        proxy_redirect off;
    }
}

Inside of this config you will see a line that tells you any .conf file contained within /etc/nginx/conf.d/ will be used in lieu of the main nginx config. Those config files are identical to what I list above. As JB said you would name them your subdomain/domain name. subdomain.domain.conf <--- not .com
It's definitely better to do it the way JB did with separate config files just from an organizational standpoint as he said above.
Check your files and make sure this is the case.
Thanks to @scottalanmiller for taking time with me to explain some nginx stuff last night. Definitely helped me a lot conceptually
-
@jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:
I run in standalone mode and edit the conf files myself
I'm interested if you're willing to write something up on that. I think I mostly understand this, but clarification would be great.
-
Just an FYI - to get semanage to work on Fedora 27, I had to install policycoreutils-python-utils
-
@brandon220 said in Setting up Nginx on CentOS 7 as a reverse proxy:
Just an FYI - to get semanage to work on Fedora 27, I had to install policycoreutils-python-utils
Yeah, I really need to write a new guide.
-
@wirestyle22 said in Setting up Nginx on CentOS 7 as a reverse proxy:
As JB said you would name them your subdomain/domain name. subdomain.domain.conf <--- not .com
I name mine subdomain.domain.tld.conf
-
@aaronstuder said in Setting up Nginx on CentOS 7 as a reverse proxy:
@wirestyle22 said in Setting up Nginx on CentOS 7 as a reverse proxy:
As JB said you would name them your subdomain/domain name. subdomain.domain.conf <--- not .com
I name mine subdomain.domain.tld.conf
Yeah, mine are the full thing with a .conf at the end. daerma.com.conf obelisk.daerma.com.conf
-
@jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:
@aaronstuder said in Setting up Nginx on CentOS 7 as a reverse proxy:
@wirestyle22 said in Setting up Nginx on CentOS 7 as a reverse proxy:
As JB said you would name them your subdomain/domain name. subdomain.domain.conf <--- not .com
I name mine subdomain.domain.tld.conf
Yeah, mine are the full thing with a .conf at the end. daerma.com.conf obelisk.daerma.com.conf
Yeah, when I was writing I typed in the actual web address accidentally.
nc.domain.com instead of nc.domain.conf or nc.domain.com.conf
-
@wirestyle22 said in Setting up Nginx on CentOS 7 as a reverse proxy:
@jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:
@aaronstuder said in Setting up Nginx on CentOS 7 as a reverse proxy:
@wirestyle22 said in Setting up Nginx on CentOS 7 as a reverse proxy:
As JB said you would name them your subdomain/domain name. subdomain.domain.conf <--- not .com
I name mine subdomain.domain.tld.conf
Yeah, mine are the full thing with a .conf at the end. daerma.com.conf obelisk.daerma.com.conf
Yeah, when I was writing I typed in the actual web address accidentally.
nc.domain.com instead of nc.domain.conf or nc.domain.com.conf
I did the same today, total facepalm.
-
@dbeato said in Setting up Nginx on CentOS 7 as a reverse proxy:
@wirestyle22 said in Setting up Nginx on CentOS 7 as a reverse proxy:
@jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:
@aaronstuder said in Setting up Nginx on CentOS 7 as a reverse proxy:
@wirestyle22 said in Setting up Nginx on CentOS 7 as a reverse proxy:
As JB said you would name them your subdomain/domain name. subdomain.domain.conf <--- not .com
I name mine subdomain.domain.tld.conf
Yeah, mine are the full thing with a .conf at the end. daerma.com.conf obelisk.daerma.com.conf
Yeah, when I was writing I typed in the actual web address accidentally.
nc.domain.com instead of nc.domain.conf or nc.domain.com.conf
I did the same today, total facepalm.
You can name them whatever you want. I just personally like this format.
-
@jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:
@dbeato said in Setting up Nginx on CentOS 7 as a reverse proxy:
@wirestyle22 said in Setting up Nginx on CentOS 7 as a reverse proxy:
@jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:
@aaronstuder said in Setting up Nginx on CentOS 7 as a reverse proxy:
@wirestyle22 said in Setting up Nginx on CentOS 7 as a reverse proxy:
As JB said you would name them your subdomain/domain name. subdomain.domain.conf <--- not .com
I name mine subdomain.domain.tld.conf
Yeah, mine are the full thing with a .conf at the end. daerma.com.conf obelisk.daerma.com.conf
Yeah, when I was writing I typed in the actual web address accidentally.
nc.domain.com instead of nc.domain.conf or nc.domain.com.conf
I did the same today, total facepalm.
You can name them whatever you want. I just personally like this format.
Well, yeah but the configuration looks for all *.conf files which failed on loading the site at first.
-
@dbeato said in Setting up Nginx on CentOS 7 as a reverse proxy:
@jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:
@dbeato said in Setting up Nginx on CentOS 7 as a reverse proxy:
@wirestyle22 said in Setting up Nginx on CentOS 7 as a reverse proxy:
@jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:
@aaronstuder said in Setting up Nginx on CentOS 7 as a reverse proxy:
@wirestyle22 said in Setting up Nginx on CentOS 7 as a reverse proxy:
As JB said you would name them your subdomain/domain name. subdomain.domain.conf <--- not .com
I name mine subdomain.domain.tld.conf
Yeah, mine are the full thing with a .conf at the end. daerma.com.conf obelisk.daerma.com.conf
Yeah, when I was writing I typed in the actual web address accidentally.
nc.domain.com instead of nc.domain.conf or nc.domain.com.conf
I did the same today, total facepalm.
You can name them whatever you want. I just personally like this format.
Well, yeah but the configuration looks for all *.conf files which failed on loading the site at first.
Right, you can name it wtf.conf if you want is what I mean.
I just personally like the fqdn.conf structure, so that is how I wrote the guide.
-
@jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:
@dbeato said in Setting up Nginx on CentOS 7 as a reverse proxy:
@jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:
@dbeato said in Setting up Nginx on CentOS 7 as a reverse proxy:
@wirestyle22 said in Setting up Nginx on CentOS 7 as a reverse proxy:
@jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:
@aaronstuder said in Setting up Nginx on CentOS 7 as a reverse proxy:
@wirestyle22 said in Setting up Nginx on CentOS 7 as a reverse proxy:
As JB said you would name them your subdomain/domain name. subdomain.domain.conf <--- not .com
I name mine subdomain.domain.tld.conf
Yeah, mine are the full thing with a .conf at the end. daerma.com.conf obelisk.daerma.com.conf
Yeah, when I was writing I typed in the actual web address accidentally.
nc.domain.com instead of nc.domain.conf or nc.domain.com.conf
I did the same today, total facepalm.
You can name them whatever you want. I just personally like this format.
Well, yeah but the configuration looks for all *.conf files which failed on loading the site at first.
Right, you can name it wtf.conf if you want is what I mean.
I just personally like the fqdn.conf structure, so that is how I wrote the guide.
The guide was awesome and worked perfectly.
-
@JaredBusch I set up a reverse proxy with nginx for ScreenConnect, but the relay port isn't working. Can you provide your setup for how your relay is set up? Does it require two different IPs?
-
@zenbu said in Setting up Nginx on CentOS 7 as a reverse proxy:
@JaredBusch I set up a reverse proxy with nginx for ScreenConnect, but the relay port isn't working. Can you provide your setup for how your relay is set up? Does it require two different IPs?
That's not HTTP traffic. You would have to set Nginx up for TCP/UDP load balancing
-
@zenbu said in Setting up Nginx on CentOS 7 as a reverse proxy:
@JaredBusch I set up a reverse proxy with nginx for ScreenConnect, but the relay port isn't working. Can you provide your setup for how your relay is set up? Does it require two different IPs?
First, do you need a reverse proxy for that? It's not web traffic. If you do, I'd recommend HA-Proxy.
Second, don't use CentOS 7 today. This guide is very old.
-
@scottalanmiller said in Setting up Nginx on CentOS 7 as a reverse proxy:
@zenbu said in Setting up Nginx on CentOS 7 as a reverse proxy:
@JaredBusch I set up a reverse proxy with nginx for ScreenConnect, but the relay port isn't working. Can you provide your setup for how your relay is set up? Does it require two different IPs?
First, do you need a reverse proxy for that? It's not web traffic. If you do, I'd recommend HA-Proxy.
Right, you port forward the relay traffic. It is encrypted by the clients on each end. Your SSL certificates do not apply to it anyway.
-
@scottalanmiller said in Setting up Nginx on CentOS 7 as a reverse proxy:
Second, don't use CentOS 7 today. This guide is very old.
Well the new guide is old already too. But at least it is still the same on Fedora 31 as it was on Fedora 27...
https://www.mangolassi.it/topic/16651/install-nginx-as-a-reverse-proxy-on-fedora-27
-
@flaxking Good point, I found out about that and have been reading up on it. Using ngx_stream_ssl_preread_module seems like it may be the solution. It will let you differentiate between HTTP SSL traffic and non-HTTP SSL traffic. That way I'm hoping to use port 443 for both the web portal and the ScreenConnect relay.
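
As an added example (not part of the thread or of JB's guide), this is how routing with ngx_stream_ssl_preread_module could share port 443 between the web portal and a relay. The hostname portal.example.com, the loopback port 8443 and the relay port 8041 are assumptions; 10.0.0.2 and the certificate paths are reused from the server entry quoted earlier in the thread. It also assumes relay clients do not present the portal's SNI name, so they fall through to the default.

```nginx
# Added example. stream {} belongs at the top level of /etc/nginx/nginx.conf,
# next to http {}, and needs nginx built with --with-stream and
# --with-stream_ssl_preread_module.
stream {
    # $ssl_preread_server_name is the SNI name read from the TLS ClientHello.
    # It is empty when the client sends no SNI or is not speaking TLS at all.
    map $ssl_preread_server_name $backend {
        portal.example.com  web_https;  # assumed portal hostname
        default             relay;      # everything else goes to the relay
    }

    upstream web_https { server 127.0.0.1:8443; }  # http {} server below
    upstream relay     { server 10.0.0.2:8041; }   # assumed relay port

    server {
        listen 443;             # plain TCP listener: no "ssl" here, TLS is not terminated
        ssl_preread on;         # peek at the ClientHello without consuming it
        proxy_pass $backend;
        proxy_connect_timeout 5s;
    }
}

http {
    # The portal's TLS listener moves off public 443, which stream {} now owns.
    server {
        listen 127.0.0.1:8443 ssl;
        server_name portal.example.com;
        ssl_certificate     /etc/ssl/cacert.pem;
        ssl_certificate_key /etc/ssl/privkey.pem;

        location / {
            # $remote_addr is now 127.0.0.1 (the stream proxy), so these two
            # headers no longer carry the real client address.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_pass https://10.0.0.2:443;
            proxy_redirect off;
        }
    }
}
```

Validate with nginx -t before reloading. Any existing server entry that listens on 443 inside http {} has to move to the loopback port, otherwise the two listeners conflict.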