Nginx reverse proxy help with nginx.conf file thx!


#1

Hi!
I am going through the pain barrier now and only half understand what I am doing.

I get a 502 Bad Gateway. If I put in http it changes nicely to https, with a good certificate via certbot.

My Rocket.Chat server is running, I think:

[root@localhost nginx]# systemctl status rocketchat.service
● rocketchat.service - The Rocket.Chat server
Loaded: loaded (/usr/lib/systemd/system/rocketchat.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2018-09-29 19:51:47 UTC; 40min ago
Main PID: 45640 (node)
CGroup: /system.slice/rocketchat.service
└─45640 /usr/local/bin/node /opt/Rocket.Chat/main.js

Sep 29 19:52:03 localhost rocketchat[45640]: ➔ | Rocket.Chat Version: 0.70.0 |
Sep 29 19:52:03 localhost rocketchat[45640]: ➔ | NodeJS Version: 8.9.3 - x64 |
Sep 29 19:52:03 localhost rocketchat[45640]: ➔ | Platform: linux |
Sep 29 19:52:03 localhost rocketchat[45640]: ➔ | Process Port: 80 |
Sep 29 19:52:03 localhost rocketchat[45640]: ➔ | Site URL: https://domain |
Sep 29 19:52:03 localhost rocketchat[45640]: ➔ | ReplicaSet OpLog: Disabled |
Sep 29 19:52:03 localhost rocketchat[45640]: ➔ | Commit Hash: 40b50f3164 |
Sep 29 19:52:03 localhost rocketchat[45640]: ➔ | Commit Branch: HEAD |
Sep 29 19:52:03 localhost rocketchat[45640]: ➔ | |
Sep 29 19:52:03 localhost rocketchat[45640]: ➔ ±-----------------------------------------------------+
Site URL OK??? And port???

vi /etc/nginx/nginx.conf

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
worker_connections 1024;
}

http {

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile            on;
tcp_nopush          on;
tcp_nodelay         on;
keepalive_timeout   65;
types_hash_max_size 2048;

include             /etc/nginx/mime.types;
default_type        application/octet-stream;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf; **### nothing there, though, anyway**

server {
if ($host = www.xyz.com) {
return 301 https://$host$request_uri;
} # managed by Certbot

if ($host = xyz.com) {
    return 301 https://$host$request_uri;
} # managed by Certbot


    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  .domain www.domain;
return 404; # managed by Certbot

}

# Upstreams

upstream backend {
server 127.0.0.1:3000; ### no idea what this backend is!!! :)
}

server {
    server_name   xyz.com;

     error_log /var/log/nginx/rocketchat.access.log;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf; **###nothing there anyway!**

listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/xyz.com/fullchain.pem; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/xyz.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/xyz.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

#  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE

##### the above commented out as otherwise it says duplicate… don’t know where it is loading the other one

ssl_dhparam /etc/ssl/certs/dhparam.pem; ##added by dmhz



location / {
    proxy_pass http://backend/; **###is this right????**
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # standard header name
    proxy_set_header X-Forwarded-Proto https;                      # TLS terminates at nginx
    proxy_set_header X-Nginx-Proxy true;

    proxy_redirect off;
}

}
} ###think this is http close

[root@localhost nginx]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Anyway, thanks for reading this far!!!
Any advice embraced.
Ta,
Richard


#2

Hi,

First, I wouldn’t run RC on port 80, but on an unprivileged port > 1024, e.g. on the standard port 3000.

In your “location” section, “http://backend/” is correct if the DNS name resolution for “backend” also points to your RC server. For this, at least in the local /etc/hosts of the server running Nginx, an entry for “backend” should be set.

Here you can find an example of an Nginx configuration where RC runs on http://localhost:3000 and Nginx, on the same server on port 443 (SSL), forwards the requests as a reverse proxy to the local RC on port 3000. Port 80 is redirected to port 443.

/etc/nginx/sites-available/rocketchat.conf:

server {
	listen 80;
  	server_name yourdomain.tld;
  
	# 301 = permanent redirect, 302 = temporary redirect
	return 301  https://yourdomain.tld$request_uri;
}

server {
    listen	80 default_server;
    server_name	_; # some invalid name that won't match anything
    return	444;
}

server {
    listen 443 ssl http2;
    server_name yourdomain.tld;

    index index.html index.htm;

    # 497 = plain HTTP request received on the HTTPS port: redirect instead of failing
    error_page 497 https://$server_name:$server_port$request_uri;

    ssl on;

    # Server certificate
    ssl_certificate  /etc/nginx/ssl/rocketchat.crt;
    ssl_certificate_key /etc/nginx/ssl/rocketchat.key;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/rocketchat_ocsp-chain.crt;
    resolver 192.168.1.1 valid=300s;

    # Session Cache
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 4h;

    ssl_protocols TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE (CVE-2014-3566)
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES';
    ssl_prefer_server_ciphers on;

    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # optional
    # include /etc/nginx/shared_headers.conf;

    # allowed host names
    if ($host !~ ^(yourdomain.tld)$ ) {
        return 444;
    }

    location / {
        proxy_pass              http://localhost:3000/;

        # WebSocket Proxy
        proxy_http_version      1.1;
        proxy_set_header        Upgrade $http_upgrade;
        proxy_set_header        Connection "upgrade";
        proxy_set_header        Host $http_host;

        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https; # standard header name; TLS terminates here
        proxy_set_header        Proxy "";                # drop any client-supplied Proxy header (httpoxy)

        proxy_redirect          off;

        client_body_buffer_size 100K;
    }
}

shared_headers.conf:

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
add_header X-Frame-Options "DENY";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;

#3

More information about configuring an “ssl reverse proxy” can be found here:

https://rocket.chat/docs/installation/manual-installation/configuring-ssl-reverse-proxy/


#4

Hi LG, thanks very much for taking the time to reply!!

Admittedly I had already changed the PORT from 80 to 3000 in the Rocket.Chat config and then all worked.
I still don’t understand at all what backend is though, so any further explanation of that would be fantastic.
Thanks again,
Richard


#5

“backend” is just the DNS name of the backend server, in this case the RC. You can call it “myrocketchat”, but then “myrocketchat” has to resolve to the IP of your RC server. If nginx and RC run on the same machine, you can use “localhost:3000”. This is just DNS addressing.


#6

Again, thanks for this, but where is the name backend defined?


#7

What does

dig backend

say? Is the name set in /etc/hosts? Is it the hostname itself? Send a request using nslookup to the DNS server(s) set in /etc/resolv.conf.


#8

Hi LG … I don’t have DNS set up on the server … the hostname is just localhost … the DNS servers in resolv.conf are IP addresses linked to my VPS.
I guess I should put a reference to backend in my hosts file? Anyway, I think I need to go away and look up backend! Thanks, R


#9

Backend is usually defined in another nginx config file.
For my installation I use multiple backends for load balancing.
My example config looks like this:

# Upstreams
upstream backend {
    server 127.0.0.1:3000;
    server 127.0.0.1:3001;
    server 127.0.0.1:3002;
    server 127.0.0.1:3003;
    server 127.0.0.1:3004;
}
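
Added illustration (not code from this thread): nginx resolves the host part of a proxy_pass URL first against the names of upstream{} blocks and only then via DNS or /etc/hosts, so “backend” in the original post is the `upstream backend { server 127.0.0.1:3000; }` block in the asker's own nginx.conf, while the systemd log shows Rocket.Chat on port 80, which is where the 502 came from. The Python script below parses a constructed excerpt modelled on that config, reports where each proxy_pass goes, and lists upstream servers whose port disagrees with the port the app actually listens on; the excerpt and APP_PORT are constructed sample values.

```python
import re
from urllib.parse import urlsplit
# Constructed excerpt modelled on the asker's nginx.conf (not the full file).
SAMPLE_CONF = """
http {
    upstream backend { server 127.0.0.1:3000; }
    server { listen 443 ssl; location / { proxy_pass http://backend/; } }
}
"""
APP_PORT = 80  # "Process Port: 80" from the asker's systemd log

TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def scan(conf):
    """Collect upstream{} servers and proxy_pass URLs with a minimal nginx tokenizer."""
    tokens = TOKEN_RE.findall(re.sub(r'#[^\n]*', '', conf))  # strip # comments
    upstreams, proxy_passes, blocks, stmt = {}, [], [], []
    for tok in tokens:
        if tok == '{':                       # block opens; its header is the pending stmt
            blocks.append(stmt); stmt = []
        elif tok == '}':
            blocks.pop(); stmt = []
        elif tok == ';':                     # directive complete
            if stmt[:1] == ['server'] and blocks and blocks[-1][:1] == ['upstream']:
                upstreams.setdefault(blocks[-1][1], []).append(stmt[1])
            elif stmt[:1] == ['proxy_pass']:
                proxy_passes.append(stmt[1])
            stmt = []
        else:
            stmt.append(tok.strip('"\''))
    return upstreams, proxy_passes

def resolve(conf):
    """Map each proxy_pass URL to its real destination: an upstream{} block of that
    name wins; any other host is looked up via DNS or /etc/hosts."""
    upstreams, proxy_passes = scan(conf)
    result = {}
    for url in proxy_passes:
        u = urlsplit(url)
        result[url] = (('upstream', upstreams[u.hostname]) if u.hostname in upstreams
                       else ('dns', [f'{u.hostname}:{u.port or 80}']))
    return result

def port_of(addr):
    return int(addr.rsplit(':', 1)[1]) if ':' in addr else 80  # nginx default port 80

def mismatched_ports(conf, app_port):
    """Upstream servers not listening where the app does: the classic 502 cause."""
    return [s for kind, servers in resolve(conf).values() if kind == 'upstream'
            for s in servers if port_of(s) != app_port]
```

Running `mismatched_ports(SAMPLE_CONF, APP_PORT)` returns `['127.0.0.1:3000']`, the port nobody is listening on; the same check with the app moved to 3000 returns an empty list.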

#10

Thanks very much archang3l.
I will go ‘hunting’ for the reference to backend and report back!