Install Nginx as a Reverse Proxy on Fedora 27

wirestyle22

Great guide. Probably your best yet.

hobbit666

Guess if I have my own SSL I don't need to run the certbot stuff and just add the SSL file locations in.

Also if I have a wild card cert *.domain.co.uk do I still add the SSL to each .conf file or just the default.conf for nginx?

hobbit666

But going to redo my nginx install using this guide Monday.

Might just use certbot anyway for the new servers as I redo and sort them

JaredBusch

@hobbit666 said in Install Nginx as a Reverse Proxy on Fedora 27:

Guess if I have my own SSL I don't need to run the certbot stuff and just add the SSL file locations in.

Also if I have a wild card cert *.domain.co.uk do I still add the SSL to each .conf file or just the default.conf for nginx?

100% correct.

NashBrydges

This guide is fortuitous. I had this planned for migration from Ubuntu this week. This makes my job easier. Thanks!

NashBrydges

I'm assuming you would recommend using the .well-known addition to the conf files in the server block to avoid shutting down Nginx?

   location /.well-known/acme-challenge {
            root /var/www/letsencrypt;
         }

JaredBusch

@nashbrydges said in Install Nginx as a Reverse Proxy on Fedora 27:

I'm assuming you would recommend using the .well-known addition to the conf files in the server block to avoid shutting down Nginx?

   location /.well-known/acme-challenge {
            root /var/www/letsencrypt;
         }

Not in this example as I am using the certbot --nginx switch. It knows how to handle things because of that.

But if you were doing something else? yes.

JaredBusch

@wirestyle22 said in Install Nginx as a Reverse Proxy on Fedora 27:

Received following error:

nginx: [warn] could not build optimal types_hash, you should increase either nginx: [warn] could not build optimal types_hash, you should increase either types_hash_max_size: 2048 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size

I went into /etc/nginx/nginx.conf and changed types_hash_max_size to a higher value as instructed. Removed the error.

1. This is only a warning.
2. Unless you are hosting hundred of domains behind Nginx, this really doesn't matter.
3. If you increase it to not have a warning, keep it as small as possible.

I just went through jumping down in halves from 3000 until I found what made it stop complaining on my system.

    types_hash_max_size 2249;

2248 threw the warning still.

Reference to what this is: http://nginx.org/en/docs/hash.html

hobbit666

@jaredbusch said in Install Nginx as a Reverse Proxy on Fedora 27:

@hobbit666 said in Install Nginx as a Reverse Proxy on Fedora 27:

Guess if I have my own SSL I don't need to run the certbot stuff and just add the SSL file locations in.

Also if I have a wild card cert *.domain.co.uk do I still add the SSL to each .conf file or just the default.conf for nginx?

100% correct.

Last question.

What's the answer for this part of the question
"Also if I have a wild card cert *.domain.co.uk do I still add the SSL to each .conf file or just the default.conf for nginx"

JaredBusch

@hobbit666 said in Install Nginx as a Reverse Proxy on Fedora 27:

@jaredbusch said in Install Nginx as a Reverse Proxy on Fedora 27:

@hobbit666 said in Install Nginx as a Reverse Proxy on Fedora 27:

Guess if I have my own SSL I don't need to run the certbot stuff and just add the SSL file locations in.

Also if I have a wild card cert *.domain.co.uk do I still add the SSL to each .conf file or just the default.conf for nginx?

100% correct.

Last question.

What's the answer for this part of the question
"Also if I have a wild card cert *.domain.co.uk do I still add the SSL to each .conf file or just the default.conf for nginx"

Each server block needs it. Or you can use an include I guess like this.

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

Just make your own file with all the ssl settings you want and drop the include in the various conf files.

hobbit666

@jaredbusch Thanks

momurda

@JaredBusch This is transparent to the www application server? I mean, Nextcloud server itself has no https configuration, it all handled through this proxy?
If so, this same process could be done using IIS sites in addition to apache correct?

scottalanmiller

@momurda said in Install Nginx as a Reverse Proxy on Fedora 27:

@JaredBusch This is transparent to the www application server? I mean, Nextcloud server itself has no https configuration, it all handled through this proxy?
If so, this same process could be done using IIS sites in addition to apache correct?

Can be, and is, used with anything that has a web interface. Apache, Nginx, IIS, NodeJS, it doesn't care. A Reverse proxy is just a proxy in front of whatever HTTP traffic is behind it. So the platform behind it doesn't matter. Mix and match anything and everything.

momurda

@scottalanmiller So if i set this up to work with an IIS site, this IIS site has an existing cert, i would first uninstall that ssl cert, and not install another? This is what I picture.

scottalanmiller

@momurda said in Install Nginx as a Reverse Proxy on Fedora 27:

@scottalanmiller So if i set this up to work with an IIS site, this IIS site has an existing cert, i would first uninstall that ssl cert, and not install another? This is what I picture.

You can do either, with small adjustments. Your servers behind your reverse proxy can use HTTP or HTTPS as you desire. but there is rarely much point to the overhead of HTTPS, so many of us skip it unless there is a specific reason to have it (like you are using it without the reverse proxy for LAN based access.)

JaredBusch

@scottalanmiller said in Install Nginx as a Reverse Proxy on Fedora 27:

@momurda said in Install Nginx as a Reverse Proxy on Fedora 27:

@scottalanmiller So if i set this up to work with an IIS site, this IIS site has an existing cert, i would first uninstall that ssl cert, and not install another? This is what I picture.

You can do either, with small adjustments. Your servers behind your reverse proxy can use HTTP or HTTPS as you desire. but there is rarely much point to the overhead of HTTPS, so many of us skip it unless there is a specific reason to have it (like you are using it without the reverse proxy for LAN based access.)

If the existing server is designed for HTTP, I usually do not remove it. I just point the Nginx server block at it.

Even if it is expired or self signed, it is sitll encyrpted between the proxy and the backend server.

Now if the backend server has no encryption, I will not add it for no reason.

Finally, if the backend server is across a public IP space, I will always use at least a self signed SSL cert for the connection.

Alex Sage

Here is the command if you want a wildcard cert:

sudo certbot  -i nginx -d "*.aaronstuder.com" -d aaronstuder.com --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns

JaredBusch

@aaronstuder said in Install Nginx as a Reverse Proxy on Fedora 27:

Here is the command if you want a wildcard cert:

sudo certbot  -i nginx -d "*.aaronstuder.com" -d aaronstuder.com --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns

Wildcard form LE is useless until you automate the DNS challenge.

Alex Sage

@jaredbusch It's coming. Right now it just pauses and you update DNS manually, or you can use acme.sh

EddieJennings

If you're using one reverse proxy to serve traffic to more than one server, do you typically put all of the configurations in one file, or have a main configuration file, and use include to reference other files? Methinks the way to go is just have one file with server blocks for however many servers you need.