    Setting up Nginx on CentOS 7 as a reverse proxy

    • JaredBuschJ
      JaredBusch
      last edited by

      [jbusch@nginxproxy ~]$ cat /etc/nginx/conf.d/unms.bundystl.com.conf 
      server {
          client_max_body_size 40M;
          listen 443 ssl;
          server_name unms.bundystl.com;
          ssl          on;
          ssl_certificate /etc/letsencrypt/live/unms.bundystl.com/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/unms.bundystl.com/privkey.pem;
          ssl_stapling on;
          ssl_stapling_verify on;
          ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
          ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
          ssl_prefer_server_ciphers on;
          ssl_session_cache shared:SSL:10m;
          ssl_dhparam /etc/ssl/certs/dhparam.pem;
          add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
      
          location / {
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header Host $http_host;
              proxy_set_header X-NginX-Proxy true;
              proxy_pass https://10.254.0.39:443;
              proxy_redirect off;
      
              # Socket.IO Support
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
      
          }
      }
      server {
          client_max_body_size 40M;
          listen 80;
          server_name unms.bundystl.com;
          rewrite        ^ https://$server_name$request_uri? permanent;
      }
      
      wirestyle22W 1 Reply Last reply Reply Quote 1
      • wirestyle22W
        wirestyle22 @JaredBusch
        last edited by

        @jaredbusch Understood. Thanks. I bet multiple configs makes it easier organizationally and also when troubleshooting so you have less to go through.

        JaredBuschJ 1 Reply Last reply Reply Quote 0
        • JaredBuschJ
          JaredBusch @wirestyle22
          last edited by

          @wirestyle22 said in Setting up Nginx on CentOS 7 as a reverse proxy:

          @jaredbusch Understood. Thanks. I bet multiple configs makes it easier organizationally and also when troubleshooting so you have less to go through.

          That is my preference, yes.

          1 Reply Last reply Reply Quote 1
          • JaredBuschJ
            JaredBusch @Dashrender
            last edited by

            @dashrender said in Setting up Nginx on CentOS 7 as a reverse proxy:

            @jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:

            I prefer to have each server block for each domain/subdomain in its own config file.

            [image: 0_1514323567627_24a83769-9483-4b32-af2c-3a190ad8f60d-image.png]

            wow, you are hosting a lot there.

            Not really. Just everything is broken out.

            1 Reply Last reply Reply Quote 1
            • wirestyle22W
              wirestyle22
              last edited by wirestyle22

              So I ran into this
              [image: 0_1514509710111_1.PNG]

              but the nginx documentation here points to this: https://nginx.org/en/docs/http/server_names.html
              [image: 0_1514509728545_2.PNG]

              Is there an error here I'm not seeing? I mean, there must be. Each time I make a change I systemctl reload nginx

              1 Reply Last reply Reply Quote 0
                  • wirestyle22W
                    wirestyle22
                    last edited by

                    Actually I think I figured it out. Made a mistake with the .conf files.

                    zachary715Z 1 Reply Last reply Reply Quote 0
                    • zachary715Z
                      zachary715 @wirestyle22
                      last edited by

                      @wirestyle22 Share your resolution if you will. I was trying to install nginx on a server with wiki.js the other day and was running into the same error.

                      wirestyle22W 1 Reply Last reply Reply Quote 0
                      • JaredBuschJ
                        JaredBusch
                        last edited by JaredBusch

                        I never run certbot with one of the specific switches like --nginx or --apache. Ever.

                        Fuck letting some 3rd party script edit my configuration files.

                        I run in standalone mode and edit the conf files myself.

                        I also include multiple SAN on my certs, so the same SSL file is in multiple conf files.

                        black3dynamiteB DashrenderD wirestyle22W 3 Replies Last reply Reply Quote 1
                        • black3dynamiteB
                          black3dynamite @JaredBusch
                          last edited by

                          @jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:

                          I never run certbot with one of the specific switches like --nginx or --apache. Ever.

                          Fuck letting some 3rd party script edit my configuration files.

                          I run in standalone mode and edit the conf files myself.

                          I also include multiple SAN on my certs, so the same SSL file is in multiple conf files.

                          But doesn’t ‘certonly’ keep it from editing the files?

                          1 Reply Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender @JaredBusch
                            last edited by

                            @jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:

                            I never run certbot with one of the specific switches like --nginx or --apache. Ever.

                            Fuck letting some 3rd party script edit my configuration files.

                            I run in standalone mode and edit the conf files myself.

                            I also include multiple SAN on my certs, so the same SSL file is in multiple conf files.

                            LOL - JB doesn't trust scripts from LE or whomever made them, but he for some reason trusts other people's scripts.... LOL

                            black3dynamiteB JaredBuschJ 2 Replies Last reply Reply Quote 0
                            • black3dynamiteB
                              black3dynamite @Dashrender
                              last edited by

                              @dashrender said in Setting up Nginx on CentOS 7 as a reverse proxy:

                              @jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:

                              I never run certbot with one of the specific switches like --nginx or --apache. Ever.

                              Fuck letting some 3rd party script edit my configuration files.

                              I run in standalone mode and edit the conf files myself.

                              I also include multiple SAN on my certs, so the same SSL file is in multiple conf files.

                              LOL - JB doesn't trust scripts from LE or whomever made them, but he for some reason trusts other people's scripts.... LOL

                              I thought he said something about magic scripts that he doesn’t like?

                              DashrenderD 1 Reply Last reply Reply Quote 0
                              • JaredBuschJ
                                JaredBusch @Dashrender
                                last edited by JaredBusch

                                @dashrender said in Setting up Nginx on CentOS 7 as a reverse proxy:

                                @jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:

                                I never run certbot with one of the specific switches like --nginx or --apache. Ever.

                                Fuck letting some 3rd party script edit my configuration files.

                                I run in standalone mode and edit the conf files myself.

                                I also include multiple SAN on my certs, so the same SSL file is in multiple conf files.

                                LOL - JB doesn't trust scripts from LE or whomever made them, but he for some reason trusts other people's scripts.... LOL

                                Scripts that install software are different than scripts that change your configuration files.

                                I run the certbot scripts, no problem. Just not in a way that lets them fuck up my configuration.

                                1 Reply Last reply Reply Quote 0
                                • DashrenderD
                                  Dashrender @black3dynamite
                                  last edited by

                                  @black3dynamite said in Setting up Nginx on CentOS 7 as a reverse proxy:

                                  @dashrender said in Setting up Nginx on CentOS 7 as a reverse proxy:

                                  @jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:

                                  I never run certbot with one of the specific switches like --nginx or --apache. Ever.

                                  Fuck letting some 3rd party script edit my configuration files.

                                  I run in standalone mode and edit the conf files myself.

                                  I also include multiple SAN on my certs, so the same SSL file is in multiple conf files.

                                  LOL - JB doesn't trust scripts from LE or whomever made them, but he for some reason trusts other people's scripts.... LOL

                                  I thought he said something about magic scripts that he doesn’t like?

                                  What makes them magic?

                                  1 Reply Last reply Reply Quote 0
                                  • wirestyle22W
                                    wirestyle22 @zachary715
                                    last edited by wirestyle22

                                    @zachary715 said in Setting up Nginx on CentOS 7 as a reverse proxy:

                                    @wirestyle22 Share your resolution if you will. I was trying to install nginx on a server with wiki.js the other day and was running into the same error.

                                    That occurs if you don't create actual entries for the server in the config files. I definitely agree with @JaredBusch now that I have gone through the configs and mostly know what's going on. As far as I can see it there are two ways to config.

                                    One is editing /etc/nginx/nginx.conf. This is one huge config and you have to add your server entries all into it, which is what it is referring to when it tells you to add a server_name directive to your nginx configuration. Example of a server entry that you would put into the nginx.conf from JB's guide:

                                    server {
                                    	client_max_body_size 40M;
                                    	listen 443 ssl;
                                    	server_name www.domain.com domain.com;	#change to your domain name
                                    	ssl          on;
                                    	ssl_certificate /etc/ssl/cacert.pem;	#this needs to be the path to your certificate information
                                    	ssl_certificate_key /etc/ssl/privkey.pem;	#this needs to be the path to your certificate information
                                    
                                    	location / {
                                    		proxy_set_header X-Real-IP $remote_addr;
                                    		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                                    		proxy_set_header Host $http_host;
                                    		proxy_set_header X-NginX-Proxy true;
                                    		proxy_pass https://10.0.0.2:443;	#change to your internal server IP
                                    		proxy_redirect off;
                                    	}
                                    }
                                    

                                    Inside of this config you will see a line that tells you any .conf file contained within /etc/nginx/conf.d/ will be used in lieu of the main nginx config. Those config files are identical to what I list above. As JB said you would name them your subdomain/domain name. subdomain.domain.conf <---not .com

                                    It's definitely better to do it the way JB did with separate config files just from an organizational standpoint as he said above.

                                    Check your files and make sure this is the case.

                                    Thanks to @scottalanmiller for taking time with me to explain some nginx stuff last night. Definitely helped me a lot conceptually.

                                    A 1 Reply Last reply Reply Quote 0
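An added example, not part of any post in this thread: a small Python check for server blocks like the two posted above (JaredBusch's conf.d file and the nginx.conf entry). It flags an obsolete `ssl on`, TLSv1 or TLSv1.1 in `ssl_protocols`, an HSTS `add_header` without `always`, and a server block with no `server_name`. The sample config, its host name and upstream address, and the function names are constructed for illustration.

```python
import re
# Constructed sample; the host name and upstream address are placeholders.
SAMPLE = """
server {
    listen 443 ssl;
    server_name app.example.test;
    ssl on;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    location / { proxy_pass https://192.0.2.10:443; }  # a { in a comment
}
server { listen 80; }
"""

def server_blocks(text):
    """Yield each server block as a list of directives (lists of words)."""
    text = re.sub(r"#[^\n]*", "", text)  # naive: also cuts a '#' inside quotes
    depth, block, block_depth, words = 0, None, 0, []
    for tok in re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text):
        if tok == "{":
            depth += 1
            if block is None and words == ["server"]:
                block, block_depth = [], depth
            words = []
        elif tok == "}":
            depth -= 1
            if block is not None and depth < block_depth:
                yield block
                block = None
        elif tok == ";":
            if block is not None and words:
                block.append(words)
            words = []
        else:
            words.append(tok.strip("\"'"))

def audit(text):
    """Return (server_block_number, finding) pairs, in file order."""
    findings = []
    for n, block in enumerate(server_blocks(text), 1):
        if not any(d[0] == "server_name" for d in block):
            findings.append((n, "missing-server-name"))
        for d in block:
            if d == ["ssl", "on"]:  # obsolete since nginx 1.15.0
                findings.append((n, "ssl-on-obsolete"))
            if d[0] == "ssl_protocols" and {"TLSv1", "TLSv1.1"} & set(d[1:]):
                findings.append((n, "legacy-tls"))  # deprecated by RFC 8996
            if d[:2] == ["add_header", "Strict-Transport-Security"] and "always" not in d:
                findings.append((n, "hsts-without-always"))  # skipped on error responses
    return findings
```

Calling `audit()` on the text of each file under /etc/nginx/conf.d/ gives one list of findings per file; nested `location` blocks are folded into their enclosing server block.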
                                    • wirestyle22W
                                      wirestyle22 @JaredBusch
                                      last edited by wirestyle22

                                      @jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:

                                      I run in standalone mode and edit the conf files myself

                                      I'm interested if you're willing to write something up on that. I think I mostly understand this, but clarification would be great.

                                      1 Reply Last reply Reply Quote 0
                                      • brandon220B
                                        brandon220
                                        last edited by

                                        Just an FYI - to get semanage to work on Fedora 27, I had to install policycoreutils-python-utils

                                        JaredBuschJ 1 Reply Last reply Reply Quote 0
                                        • JaredBuschJ
                                          JaredBusch @brandon220
                                          last edited by

                                          @brandon220 said in Setting up Nginx on CentOS 7 as a reverse proxy:

                                          Just an FYI - to get semanage to work on Fedora 27, I had to install policycoreutils-python-utils

                                          Yeah, I really need to write a new guide.

                                          1 Reply Last reply Reply Quote 0
                                          • A
                                            Alex Sage @wirestyle22
                                            last edited by Alex Sage

                                            @wirestyle22 said in Setting up Nginx on CentOS 7 as a reverse proxy:

                                            As JB said you would name them your subdomain/domain name. subdomain.domain.conf <---not .com

                                            I name mine subdomain.domain.tld.conf

                                            JaredBuschJ 1 Reply Last reply Reply Quote 0