Help with nginx+letsencrypt reverse proxy config

C.G.B.Spender · July 31, 2020, 9:46pm

My domain is: turbomrak.ddns.net
My web server is (include version): nginx/1.19.0
The operating system my web server runs on is (include version): Ubuntu 20
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): neither of those commands exist on my system, but the autorenewing works

Hi,
I'm banging my head against this for over a month not really getting anywhere on account of me not understanding how the underlying technology works at all. I have a question with the relevant config files open on stackoverflow here, but the answer I got only further confused me.

Long story short, I have turbomrak.ddns.net registered with noip.com, ports 80 and 443 forwarded to a local machine turbomrak.lan where I have nginx setup with autorenewing certificate from letsencrypt which has been working flawlessly without me touching anything for over a year and still does.

I remember making the letsencrypt certificate work and autorenewing for turbomrak.ddns.net brought me alternatively to tears and seething rage until I got there in the end (using a script from a now defunct blog which did it all for me without me understanding what's really going on I'll admit). This is not a critique of how letsencrypt works, but an actual description of my linux related "abilities". Which is why I would rather not go through the same process for every new local machine I would wish to access from outside my lan.

What I would like to achieve is being able to convert the existing config into an reverse proxy to allow me access to multiple local machines while preserving current status quo.

disclaimer: My knowledge of nginx config is non-existent. I've no idea if what I want is possible how I envision it, please enlighten me.

At this point I'd literally pay for having it altered to work like this:
turbomrak.ddns.net working as is
turbomrak.ddns.net/machine1 proxied to local1.lan
turbomrak.ddns.net/machine2 proxied to local2.lan
etc
while using 1 certificate for turbomrak.ddns.net

I tried adding

location = /machine1 {
proxy_pass local1.lan:someport
}

at various positions in my nginx config which alternatively didn't work, loaded the turbomrak.ddns.net regardless or displayed an error about file not found.

2nd best thing would be:
turbomrak.ddns.net working as is
turbomrak.ddns.net:1234 proxied to local1.lan
turbomrak.ddns.net:2345 proxied to local2.lan
etc

I tried creating new server blocks like this:

server {
listen 1234 ssl;
location / {
proxy_pass http://local1.lan:someport;
}

which didn't work at all

What I finally ended up with which sort of works is registering new ddns.net domain at noip.com then created a new server block like this:

server {
listen 443 ssl;
server_name new_domain.ddns.net;

location / {
proxy_pass http://local1.lan:someport;
}
}

which works when I access https://new_domain.ddns.net, but of course complains the certificate is for turbomrak.ddns.net not new_domain.ddns.net

Knowing my shortcomings I'm prepared to accept that's the best I'll get, but could anyone at least please let me know how "safe" is this? As in I do not really care about the browsers complaining about the certificate being for different domain, as I am actually hundred percent sure the certificate is valid.

stevenzhu · July 31, 2020, 10:32pm

Hi,

As you are trying to do the reverse proxy, what steps do you want?

I think this is quite achievable, you just might need to adjust some configurations based on your application.

You might also want to try

location ~/machine1/ {
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $host;
    proxy_pass  http://local1.lan:someport
}
location ~/machine2/ {
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $host;
    proxy_pass  http://local2.lan:someport
}

Try the above and see if there's any output from your nginx error log file.
I just don't think it should be location = /machine1.

P.S. The configuration file that StackOverflow user posted looks much more organized.

C.G.B.Spender · July 31, 2020, 11:59pm

I get the other users answer is better organised, but I don't understand the commands and can't adapt them to my config, not to mention they're written for docker config which is another order of "nope, don't get that at all" above where I am currently.

I pasted the block you suggested in my original config file to no avail. I then commented out pretty much everything and left only this:

server {
server_name turbomrak.ddns.net;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
client_max_body_size 10240M;
root /var/www/nextcloud/;

location ~/machine1 {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://fr24.lan:8765;
}
}

and in both cases accessing turbomrak.ddns.net/machine1 results in blank page saying:
Unable to find the specified file. The source of the page contains no html whatsoever just the string itself + the second attempt (understandably) completely kills the nextcloud functionality.

in /var/log/nginx/error.log there is nothing, but in /var/log/nginx/access.log this shows up:

[01/Aug/2020:00:12:01 +0000] "GET /machine1 HTTP/2.0" 404 34 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.122 Safari/537.36"

stevenzhu · August 1, 2020, 12:29am

Hi,

Two things:

You might want to try https://turbomrak.ddns.net/machine1/ (with a slash at the end)
Can you move your root /var/www/nextcloud/; down to the bottom?

C.G.B.Spender · August 1, 2020, 12:49am

The slash makes no difference regardless if included in the address or in the server block or in both.
But the 2nd suggestion is doing something. I moved the root /var/www/nextcloud/; at the very bottom above the last }

with proxy_pass http://fr24.lan:8765 I now get:
{“error”: “not found”}

and with proxy_pass http://fr24.lan or proxy_pass http://192.168.1.173 I get:
404 Not Found

All 3 variants of the http address are accessible from local lan. I hope we can continue the discussion later as it’s almost 2am and I’m literally falling asleep at the table.

Thanks for your help so far, this is the first progress I’ve seen in weeks even though it still doesn’t work.

stevenzhu · August 1, 2020, 12:50am

I would assume that this does not coming from your Nginx server, so it's probably time to check your other server. But, definitely get some sleep

C.G.B.Spender · August 1, 2020, 1:44am

I literally couldn't sleep because I kept thinking of this, and did some additional googling and IT FINALLY WORKS. I am so happy

I do not really understand what it does, but adding this line proxy_set_header Referer $http_referer; simply automagically makes everything copacetic. I even moved the root line from the bottom up to where it was before and it still works.

So the full working location block looks like:

location ~ /something {
         proxy_pass http://somehost.lan:someport;
         proxy_set_header Referer $http_referer;
         proxy_set_header X-Real-IP  $remote_addr;
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header Host $host;
}

discussion that led me to the "discovery" : https://unix.stackexchange.com/questions/290141/nginx-reverse-proxy-redirection Bottom post, 1st comment.

Thanks @stevenzhu for pointing me at the proxy_whatever mumbo jumbo in the first place

Osiris · August 1, 2020, 8:55am

But you looked them up in the nginx documentation, right?

C.G.B.Spender · August 1, 2020, 9:13am

Sure did and all I got was an headache. This might come as a surprise to you but reading docs of linux apps, or output of man whatever (the so called rtfm) causes more problems than it explains for people in my position. The commands are explained with more technical terms I don’t understand. I ain’t gonna go down the rabbit hole of googling terms from explanation and then googling terms from explanation of that explanation etc. Sadly, there’s no man --explain-like-i-am-five

Same as with a car, the end goal is for it to “just work” I do not necessarily have to know what each of the pieces of engine are called and what they do as long as I have general idea of what’s achievable and what I want to make it do.

Hope that makes sense.

Osiris · August 1, 2020, 9:14am

But if a car breaks down, you take it to the garage. If your server breaks down, who are you going to call? The fact you’re asking here for help means you’re trying to fix it yourself. Personally, I wouldn’t drive a car I fixed without knowing anything I did during the “”“repairs”"".

The idea behind autodidactism is going from explanation to more explanations, which can indeed be an “exponentional” exercise. But in the end, if you manage to hang in there, you’ll get out of it with a lot more knowledge. Unless it’s too much effort. But then you might ask yourself: do I want to ride in this car I fixed myself?

system · August 31, 2020, 9:15am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Beginners Guide to nginx reverse proxy + several different webservers all secured Server	2	1833	April 11, 2017
Certbot on Apache server behind a Nginx reverse proxy Server	30	9073	March 16, 2017
.well-known/acme-challenge/ fail 404 in nginx proxy Help	19	8424	January 12, 2020
Certificates for backup servers using proxy pass Server	9	3314	June 23, 2017
How to get a certificate without a webroot (nginx reverse proxy) Server	4	5679	June 4, 2017

Help with nginx+letsencrypt reverse proxy config

Related topics