My domain is: kaidesign.uk
I have recently run the DNS challenge using Cloudflare from my nginx server and received my certificate
however when i goto the website https://mmserver.kaidesign.uk i couldn't get in
I am not sure how to map the nginx server to the mattermost server (mmserver) so that my mmserver can get the https instead of http
what I can only do is
http://mmserver.kaidesign.uk:8065 to log into my mattermost server
how do I solve this?Install Mattermost on RHEL — Mattermost documentation
I don't know the exact config but you probably want to setup mmserver.kaidesign.uk in your nginx configuration (with ssl file paths configured and port set to standard https 443) and reverse proxy it to your port 8065 server (which can still run as http and probably doesn't need to be publicly accessible on that port). NGINX Reverse Proxy | NGINX Documentation
That way you can access that domain as https without specifying a port number (because nginx is handling the default port 443 traffic) and it will proxy the traffic to the actual service.
2 Likes
This is my code for my nginx server which i put my mmserver into it
upstream backend {
server 192.168.242.189:8065;
keepalive 32;
}
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
server {
server_name mmserver.kaidesign.uk;
location ~ /api/v[0-9]+/(users/)?websocket$ {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 90;
proxy_send_timeout 300;
proxy_read_timeout 90s;
proxy_http_version 1.1;
proxy_pass http://backend;
}
location / {
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache mattermost_cache;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_http_version 1.1;
proxy_pass http://backend;
}
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mmserver.kaidesign.uk/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mmserver.kaidesign.uk/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_session_timeout 1d;
# Enable TLS versions (TLSv1.3 is required upcoming HTTP/3 QUIC).
ssl_protocols TLSv1.2 TLSv1.3;
# Enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to
# prevent replay attacks.
#
# @see: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
ssl_early_data on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = six months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
}
server {
if ($host = mmserver.kaidesign.uk) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name mmserver.kaidesign.uk;
return 404; # managed by Certbot
}
however my mmserver still output a http after the configuration
Sorry, could you fix the formatting in your post by wrapping the entire config in 3 backticks ``` (a set at the start and a set at the end) - I can't quite make sense of it.
1 Like
upstream backend {
server 192.168.242.189:8065;
keepalive 32;
}
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
server {
server_name mmserver.kaidesign.uk;
location ~ /api/v[0-9]+/(users/)?websocket$ {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 90;
proxy_send_timeout 300;
proxy_read_timeout 90s;
proxy_http_version 1.1;
proxy_pass http://backend;
}
location / {
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache mattermost_cache;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_http_version 1.1;
proxy_pass http://backend;
}
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mmserver.kaidesign.uk/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mmserver.kaidesign.uk/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_session_timeout 1d;
#Enable TLS versions (TLSv1.3 is required upcoming HTTP/3 QUIC).
ssl_protocols TLSv1.2 TLSv1.3;
Enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to
# prevent replay attacks.
#
# @see: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
ssl_early_data on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = six months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
}
server {
if ($host = mmserver.kaidesign.uk) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name mmserver.kaidesign.uk;
return 404; # managed by Certbot
}
sorry, this is my configuration for my nginx server
1 Like
rg305
May 22, 2023, 3:23pm
6
The Internet won't be able to reach your server with it using this IP:
Name: mmserver.kaidesign.uk
Address: 192.168.242.189
3 Likes
That IPv4 address is part of the Private network - Wikipedia for IPv4 Address space.
1 Like
system
June 21, 2023, 3:42pm
8
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
