nginx

1

npm on 3 servers
The original post: /r/nginx by /u/theannihilator on 2024-10-12 16:42:42.

I am wanting to know if I can safely install and run npm on each of my servers. I am using Tailscale to route access from my subdomains to 2 servers internally and want the admin server to only be accessible to me, and then the other server set up for family access. Currently npm is set up to run both servers internally, but my family has access to both servers. I am wanting to install npm on each server and route traffic independently of each other so family can only get to websites on server A and not B as well. The third npm is going to be used on my server with internet access.

2
 
 
The original post: /r/nginx by /u/mr_mgs11 on 2024-10-11 15:46:56.

I am setting up a PoC for a piece of software we are demoing. The current implementation (just for the PoC) is an nginx container and the software (has a web GUI) container running on a host in the same bridge network. They want to pass a mock user token to this software, and the docs said to set up a reverse proxy in nginx. The person I am setting this up for wanted to curl a REST API that returns the fake user token, then insert that into the traffic going to the software to pass user information for logging and authorization. I assume unless there is forwarding logic on the API server itself, there is no way to forward traffic to the API and then off to the software container using just the nginx reverse proxy.

My familiarity with nginx is mainly for simple layer 7 routing between containers. I was looking at the docs to make sure my initial assumption about traffic routing is correct, and thinking of the best way to just put the user token into the forwarded header. The software support team had suggested putting in "proxy_set_header X-ANONYMOUS-USER username;" into the location block as the software has a configuration to grab that header and username to log in, but that isn't really what I am trying to do. The use case is people logged into our stuff will be automatically logged into this bit of software via that token. What would you all suggest as the best way to set this up?

3
 
 
The original post: /r/nginx by /u/kai on 2024-10-11 11:10:53.
4
 
 
The original post: /r/nginx by /u/Defiant-Option-6833 on 2024-10-11 06:36:52.

I'm not sure if this should be in the nginx or Django Reddit, I posted in the django reddit and folks just told me to use whitenoise. My blog is running on Docker. Initially, all images in the static files folder *from the first set of articles I created while coding the blog* were accessible to nginx. However, when I tried adding articles from the admin panel after deployment, the new images returned a 404 error. I tried debugging by checking my code and realized I didn't include a path for the media folder in the settings.py file. After adding that line and rebuilding the container... well, the previously accessible images are returning 404 as well. I think my nginx server might not be configured correctly. *I've entered the container and verified that files are present.*

nginx conf:

user nginx;
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types {
        text/html html;
        text/css css;
        text/xml xml;
        image/gif gif;
        image/jpeg jpeg jpg;
        application/javascript js;
        application/atom+xml atom;
        application/rss+xml rss;
        fontopentype otf;
        fonttruetype ttf;
        fontwoff woff;
        fontwoff2 woff2;
    }

    server {
        listen 80;
        server_name www.redacted.com;  

        location / {
            proxy_pass http://web:8000;  
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location /static/ {
            alias /usr/src/app/staticfiles/;
        }

        location /media/ {
            alias /usr/src/app/media/;
        }
    }
}

Dockerfile

# Use the official Python image from the Docker Hub
FROM python:3.11

# Set environment variables
ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1

# Set the working directory
WORKDIR /app

# Copy the requirements file into the container
COPY requirements.txt /app/

# Install the dependencies
RUN pip install --upgrade pip && pip install -r requirements.txt

# Copy the entire project into the container
COPY . /app/

# Collect static files
RUN python manage.py collectstatic --noinput

EXPOSE 1617

# Run the Gunicorn server
CMD ["gunicorn", "redacted.wsgi:application", "--bind", "0.0.0.0:1617"]

Docker compose yml

version: '3'

services:
  web:
    build: .
    command: gunicorn --workers 3 redacted.wsgi:application
    volumes:
      - .:/usr/src/app
    expose:
      - "1617"
    environment:
      DJANGO_SECRET_KEY: 'redacted'
      DJANGO_DEBUG: 'False'
    restart: always

  nginx:
    image: nginx:latest
    ports:
      - "1617:1617"
      - "400:400"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./staticfiles:/usr/src/app/staticfiles
      - ./media:/usr/src/app/media
    depends_on:
      - web
    restart: always

5
 
 
The original post: /r/nginx by /u/teammatekiller on 2024-10-10 14:46:47.

First of all, sorry for making you do my homework.

I have two NGINX hosts, one is set up as proxy_pass http://my second super secret ip:3333;

the other one is set up as proxy_pass http://some real scary government domain:3333;

and there is a host sending data over to my first server,

which leads to access_log entries like

source server out of my control IP - - [date] "hexadecimal string" 400 157 "-" "-" "-"

but the second server's iptables rules don't show any increase in traffic,

except if I query the first server and port with curl - I do get the 502 response from the second server (if I modify the config to reply with something else, like 200, I do get it).

I'm not asking you to solve this,

but please point me in some troubleshooting direction.

6
 
 
The original post: /r/nginx by /u/Arthirion on 2024-10-09 19:30:51.

This question might have been asked a thousand times, but I can't find a solution. (And sorry for my English.)

First of all my network

UDM Pro local Network: 192.168.1.0

Nginx running in docker on 192.168.1.20

PiVPN Network running in docker on 192.168.1.30 gives subnet 10.165.67.0/24

The VPN is only routing LAN network for 192.168.1.0/24 and 10.165.67.0/24.

Everything else is routing via normal internet connection. (I have it set up this way so I don't overload the vpn)

Domain example.com routes to public WAN ip and nginx as reverse proxy routes it to the services. How do I setup so the domain is reachable only when on local network or connected to the vpn?

I tried:

allow 192.168.1.0/24; allow 10.165.67.0/24; deny all;

This works when really connected to 192.168.1.0/24 (else deny), but a VPN connection doesn't allow me to get to the domain.

At this moment I have no clue.
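The split-tunnel situation in the post above, as an added model (not from the post or from PiVPN): the VPN only routes 192.168.1.0/24 and 10.165.67.0/24, example.com resolves to the public WAN address, and nginx applies the posted allow/deny list to the address it actually sees. The WAN and client addresses are constructed sample values.

```python
"""Model of why a split-tunnel VPN client can be denied by an nginx allow/deny list.

Added example, not from the original post. Assumptions: the VPN pushes routes only
for 192.168.1.0/24 and 10.165.67.0/24 (from the post), example.com resolves to a
public WAN address outside those prefixes, and there is no NAT between the VPN
gateway and the LAN. Addresses below are constructed TEST-NET values.
"""
import ipaddress

# Rules exactly as written in the post, in nginx order (first match wins).
ACL = [
    ("allow", "192.168.1.0/24"),
    ("allow", "10.165.67.0/24"),
    ("deny", "all"),
]

# Prefixes the VPN client sends through the tunnel (from the post).
VPN_ROUTES = ["192.168.1.0/24", "10.165.67.0/24"]

# Constructed sample addresses (TEST-NET ranges, not real hosts).
WAN_ADDRESS = "203.0.113.10"      # assumed public address example.com resolves to
CLIENT_PUBLIC = "198.51.100.77"   # assumed public address of the roaming VPN client
CLIENT_TUNNEL = "10.165.67.5"     # assumed tunnel address PiVPN hands the client


def acl_decision(client_ip, acl=ACL):
    """Evaluate ngx_http_access_module rules: the first matching rule wins."""
    ip = ipaddress.ip_address(client_ip)
    for action, cidr in acl:
        if cidr == "all" or ip in ipaddress.ip_network(cidr, strict=False):
            return action
    return "allow"  # nginx allows when no rule matches


def path_for(destination, routes=VPN_ROUTES):
    """Which uplink a split-tunnel client uses for a destination address."""
    dst = ipaddress.ip_address(destination)
    if any(dst in ipaddress.ip_network(r) for r in routes):
        return "vpn"
    return "internet"


def source_seen_by_nginx(destination):
    """The $remote_addr nginx sees when the VPN client talks to `destination`.

    Through the tunnel the client keeps its tunnel address; over its normal
    uplink the request leaves with the client's own public address.
    """
    if path_for(destination) == "vpn":
        return CLIENT_TUNNEL
    return CLIENT_PUBLIC


def vpn_client_outcome(destination):
    """Full chain: routing decision -> source address -> ACL verdict."""
    src = source_seen_by_nginx(destination)
    return {"path": path_for(destination), "remote_addr": src, "acl": acl_decision(src)}


if __name__ == "__main__":
    # The WAN address is not in the pushed routes, so the request bypasses the
    # tunnel and arrives from a public address: denied by the third rule.
    print("example.com (WAN):", vpn_client_outcome(WAN_ADDRESS))
    # The nginx host's LAN address is routed through the tunnel: allowed.
    print("192.168.1.20 (LAN):", vpn_client_outcome("192.168.1.20"))
```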

7
 
 
The original post: /r/nginx by /u/zxcqirara on 2024-10-09 16:17:23.

I have different domain names (subdomains) associated with my server and I need to forward TCP/HTTP traffic at domain 1 to port 1 (e.g.) and from domain 2 to port 2. Also, I want to set up SSL certificates, but they are not supported on TCP, and then I'm not able to use them on HTTP requests either. What can I do?

Because I can't set up HTTP and TCP listening on the same 443 port.

8
 
 
The original post: /r/nginx by /u/Soulreaver88 on 2024-10-01 15:12:37.

Hi, I don't know much about it and don't know where to ask. The network topic is pretty complicated. I want my own 'Google Drive' at home and I want to do this really easily using the Docker File Browser. Unfortunately I can't access it externally. I don't even know exactly what's wrong. I have a Raspberry Pi 5 that runs Pi-hole + Unbound + PiVPN natively; then I've installed Docker and Portainer and File Browser + nginx with MariaDB via Docker. I have a static IP address from my provider because I have business internet. The business router is set to DHCP routing because I don't have access to dan. The internet comes from the FritzBox 7590 behind it via WAN. I created a subdomain using DuckDNS and entered it in the FritzBox. Then I created a domain via nginx, for example fb.my-sub.duckdns.org, with the IP address of the Pi and the port of the File Browser. When I create it now, it says online but it doesn't work. If I do it with an SSL certificate, an error message appears.

9
 
 
The original post: /r/nginx by /u/darwishdev on 2024-10-08 02:27:58.

Excited to share my latest article on Installing a Second Instance of Nginx via Docker!

https://medium.com/@darwishdev.com/install-a-second-instance-of-nginx-via-docker-384e379f018e

10
 
 
The original post: /r/nginx by /u/athreyaaaa on 2024-10-06 17:24:54.
11
 
 
The original post: /r/nginx by /u/Accomplished_Risk_34 on 2024-10-05 22:31:04.

I want to know how I can set up my Nginx and PM2 to have my next.js admin panel provide the GET and POST APIs to consume and help my ISG website consume them. Note: the admin panel would also be consuming the routes that it provides.

12
 
 
The original post: /r/nginx by /u/Physical-Silver-9214 on 2024-10-05 12:45:17.

Hi, I've been using nginx for about a year now, using it for my home lab. I'm trying to find tutorials that are specific to blocking off IPs using GeoIP; the ones I see either block off countries or cities. Thanks in advance.

13

mTLS with tpm2
 
 
The original post: /r/nginx by /u/MarieCMDM on 2024-10-03 17:06:59.

Hi everyone, I was wondering if anyone has already managed to configure nginx to use a private key saved inside the TPM with the tpm2-openssl tool. I've seen some examples of people using tpm2-tss-engine, which is deprecated in favor of tpm2-openssl.

I would like to use the TPM for key and CSR generation to prevent someone from stealing keys and certificates and authenticating to my other nginx node.

Thanks to anyone who leaves an opinion 😁

14
 
 
The original post: /r/nginx by /u/buzzme_satyamani on 2024-10-01 19:37:38.

I am not able to do it. Not sure how to troubleshoot... the webserver and then the code dist folder that I migrated. Looking for help. Posting for my team.

15
 
 
The original post: /r/nginx by /u/MrChilliBalls on 2024-10-01 17:55:11.

I have Pterodactyl/Pelican Panel, Wings, and Nextcloud AIO running on the same machine. Pelican is on panel.example.net (not revealing my real domain name), Wings on node1.example.net and Nextcloud is on cloud.example.net. However, panel.example.net, node1.example.net, (and not as importantly, example.net) all seem to be redirecting to cloud.example.net. There aren't any errors on the nginx logs, so this seems like some sort of conflict in the configs. If I remove Nextcloud's config file, Pelican works fine, but if I add it back, it breaks Pelican's again. Do you guys have any idea on what the cause could be?

pelican.conf:

server_tokens off;

server {
    listen 80;
    server_name panel.example.net;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name panel.example.net;

    root /var/www/pelican/public;
    index index.php;

    access_log /var/log/nginx/pelican.app-access.log;
    error_log  /var/log/nginx/pelican.app-error.log error;

    # allow larger file uploads and longer script runtimes
    client_max_body_size 100m;
    client_body_timeout 120s;

    sendfile off;

    ssl_certificate /etc/letsencrypt/live/panel.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/panel.example.net/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    ssl_prefer_server_ciphers on;

    # See https://hstspreload.org/ before uncommenting the line below.
    # add_header Strict-Transport-Security "max-age=15768000; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header Content-Security-Policy "frame-ancestors 'self'";
    add_header X-Frame-Options DENY;
    add_header Referrer-Policy same-origin;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTP_PROXY "";
        fastcgi_intercept_errors off;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        include /etc/nginx/fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

nextcloud.conf:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 80;
    # listen [::]:80; # comment to disable IPv6

    if ($scheme = "http") { return 301 https://$host$request_uri; }

    listen 443 ssl http2;      # for nginx versions below v1.25.1
    listen [::]:443 ssl http2; # for nginx versions below v1.25.1 - comment to disable IPv6
    # listen 443 ssl;      # for nginx v1.25.1+
    # listen [::]:443 ssl; # for nginx v1.25.1+ - keep comment to disable IPv6
    # http2 on; # uncomment to enable HTTP/2 - supported on nginx v1.25.1+
    # http3 on; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
    # quic_retry on; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
    # add_header Alt-Svc 'h3=":443"; ma=86400'; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
    # listen 443 quic reuseport; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport
    # listen [::]:443 quic reuseport; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport - keep comment to disable IPv6

    server_name cloud.example.net;

    location / {
        proxy_pass http://127.0.0.1:11000$request_uri;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;

        client_body_buffer_size 512k;
        proxy_read_timeout 86400s;
        client_max_body_size 0;

        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    # If running nginx on a subdomain (eg. nextcloud.example.com) of a domain that already has a wildcard ssl certificate from certbot on this machine,
    # the in the below lines should be replaced with just the domain (eg. example.com), not the subdomain.
    # In this case the subdomain should already be secured without additional actions
    ssl_certificate /etc/letsencrypt/live/cloud.example.net/fullchain.pem; # managed by certbot on host machine
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem;     # managed by certbot on host machine

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Optional settings:

    # OCSP stapling
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_trusted_certificate /etc/letsencrypt/live//chain.pem;

    # replace with the IP address of your resolver
    # resolver 127.0.0.1; # needed for oscp stapling: e.g. use 94.140.15.15 for adguard / 1.1.1.1 for cloudflared or 8.8.8.8 for google - you can use the same nameserver as listed in your /etc/resolv.conf file
}

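An added example (not from the post, and not nginx's own code) that replays nginx's documented server_name selection for the 443 socket the two files above share: exact name, longest wildcard starting with "*", longest wildcard ending with "*", first matching regex, then the first server declared for that socket. It assumes both files are included from sites-enabled in alphabetical order, so nextcloud.conf is declared before pelican.conf; a hostname that matches no server_name, such as example.net, then lands on the Nextcloud server.

```python
"""Replay of nginx's server_name matching for one listen socket.

Added example, not part of the original post. The two entries below are the
server_name values from nextcloud.conf and pelican.conf on port 443, in the
assumed (alphabetical sites-enabled) include order. Without a default_server
flag, nginx's default server for a socket is the first one declared for it.
"""
import re

SERVERS_443 = [
    ("nextcloud.conf", ["cloud.example.net"]),
    ("pelican.conf", ["panel.example.net"]),
]


def select_server(host, servers):
    """Return the config file that handles `host` (Host header / SNI) on this socket."""
    host = host.lower().rstrip(".")

    # 1. exact name
    for conf, names in servers:
        for n in names:
            if not n.startswith(("*", "~", ".")) and n.lower() == host:
                return conf

    # 2. longest wildcard starting with '*' ('.example.net' also covers example.net)
    best = None
    for conf, names in servers:
        for n in names:
            if n.startswith("*."):
                suffix = n[1:]
            elif n.startswith("."):
                suffix = n
                if host == n[1:]:
                    return conf
            else:
                continue
            if host.endswith(suffix) and (best is None or len(suffix) > len(best[0])):
                best = (suffix, conf)
    if best:
        return best[1]

    # 3. longest wildcard ending with '*'
    best = None
    for conf, names in servers:
        for n in names:
            if n.endswith(".*"):
                prefix = n[:-1]
                if host.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
                    best = (prefix, conf)
    if best:
        return best[1]

    # 4. first regular expression, in declaration order
    for conf, names in servers:
        for n in names:
            if n.startswith("~") and re.search(n[1:], host):
                return conf

    # 5. default server: the first server declared for this listen socket
    return servers[0][0]


if __name__ == "__main__":
    for host in ("panel.example.net", "cloud.example.net", "example.net", "node1.example.net"):
        print(f"{host:20} -> {select_server(host, SERVERS_443)}")
```

Note that 0.0.0.0:443 and [::]:443 are separate sockets, each with its own default server; the post's pelican.conf only listens on the IPv4 one.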
16
 
 
The original post: /r/nginx by /u/heathzz on 2024-10-01 14:37:21.

Hey guys, is there a way to add the memcached module to my nginx installation without reinstalling nginx?

Based on what you can see below, the module is not present...

# nginx -V 2>&1 | tr -- - '\n' | grep _module
http_ssl_module
http_v2_module
http_realip_module
http_addition_module
http_xslt_module=dynamic
http_image_filter_module=dynamic
http_sub_module
http_dav_module
http_flv_module
http_mp4_module
http_gunzip_module
http_gzip_static_module
http_random_index_module
http_secure_link_module
http_degradation_module
http_slice_module
http_stub_status_module
http_perl_module=dynamic
http_auth_request_module
mail_ssl_module
stream_ssl_module
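An added example (not the poster's) that reads module status from the full `nginx -V` output instead of the dash-split list above: splitting on `-` drops the `with`/`without` prefix, and standard modules such as ngx_http_memcached_module never appear in that list at all, because they are built in unless the build was configured with --without-http_memcached_module. The sample output is constructed.

```python
"""Determine module status from `nginx -V` output.

Added example, not from the post. The constructed sample reproduces the
configure flags visible in the post and adds one --without flag so the
distinction is visible; it is not a real server's output.
"""
import re

SAMPLE_NGINX_V = """nginx version: nginx/1.26.0
built with OpenSSL 3.0.13 30 Jan 2024
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_perl_module=dynamic --with-stream_ssl_module --without-http_scgi_module
"""

# Standard modules nginx compiles in by default; they only show up in -V when
# explicitly disabled with --without-<module>. Subset relevant to the question.
DEFAULT_ON = {
    "http_memcached_module", "http_proxy_module", "http_fastcgi_module",
    "http_uwsgi_module", "http_scgi_module", "http_gzip_module",
    "http_rewrite_module", "http_access_module", "http_auth_basic_module",
}


def parse_configure_args(nginx_v_output):
    """Return {module: 'static' | 'dynamic' | 'disabled'} from the configure line."""
    m = re.search(r"^configure arguments:(.*)$", nginx_v_output, re.M)
    if not m:
        raise ValueError("no 'configure arguments:' line found")
    status = {}
    for flag in m.group(1).split():
        mo = re.fullmatch(r"--(with|without)-([a-z0-9_]+_module)(?:=(dynamic))?", flag)
        if not mo:
            continue  # --prefix=..., --with-openssl=..., and similar non-module flags
        kind, module, dyn = mo.groups()
        if kind == "without":
            status[module] = "disabled"
        else:
            status[module] = "dynamic" if dyn else "static"
    return status


def module_status(nginx_v_output, module):
    """Status of one module, applying the default-on rule for standard modules."""
    status = parse_configure_args(nginx_v_output)
    if module in status:
        return status[module]
    return "static" if module in DEFAULT_ON else "absent"


if __name__ == "__main__":
    for mod in ("http_memcached_module", "http_scgi_module", "http_xslt_module", "http_geoip_module"):
        print(f"{mod:28} {module_status(SAMPLE_NGINX_V, mod)}")
```

A module reported as "dynamic" still needs a load_module directive before its directives are usable; "absent" means a rebuild or a separately built dynamic module is required.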

17

What to do
18
 
 
The original post: /r/nginx by /u/PTwolfy on 2024-09-29 09:38:30.

Seriously guys, has anyone managed to get Websockets or Socket.io working behind Nginx Proxy Manager?

For a few years I have had this problem; I have tried many configs and it just won't work.

Socket.io is working locally, but when on the domain proxied by NPM it just won't work.

It either throws "WebSocket is closed before the connection is established."

Or simply a "failed" error.

Any tips?

19
 
 
The original post: /r/nginx by /u/cocasticox on 2024-09-27 19:10:55.

Hi everyone!

Recently I discovered the wide world of the HomeLab, so I found an old laptop and let's go!

I'm pretty new, I only know basic Linux commands, but I'm learning.

I used Portainer to install the Nginx reverse proxy, bought a cheap domain on Cloudflare, and tested the setup using HTTP without encryption.

I exactly followed this tutorial, which is very clear:

https://www.youtube.com/watch?v=fCJbw75DCZw

Here's the problem:

Configuring Nginx with HTTP, no SSL and port 9000 works well.

BUT configuring Nginx with HTTPS, port 9443, and force SSL gives me an ERR_TOO_MANY_REDIRECTS.

Logs give me nothing, no new lines, even for an HTTP connection, or maybe I'm looking in the wrong place.

I'm sure you know what I'm doing wrong. Probably basic mistakes; can you help me, guys, please?

As I said, I'm very new, so talk to me like I'm 10 if possible, and I will send you more info if you tell me where to find it! Thank you!!!

20
 
 
The original post: /r/nginx by /u/_ginger_kid on 2024-09-26 17:57:52.

Hi. I'm in the process of migrating a very old IIS service to nginx. The service makes use of rewrite rules to serve images based on optional query parameters. Two of those parameters have an underscore in the name. Nginx will not support those for map directives. I am trying to parse out the parameter using regex, based on various posts found on stackoverflow, but I'm not having any luck. The current map is

map $args $format {
    default $uformat;
    ~(^|&)logo_format=(?<temp>[^&]+) $temp;
}

where $uformat is set by another map.

However, this just results in the entire query string value being set in the $format variable. I've tried variations, but getting the same result. Can someone help me out with the correct regex?

Worth noting - no I cannot change the requesting app to remove the underscore. There is a large install base and I cannot guarantee everyone will upgrade. I have to be able to support that base.

(admittedly I am very tired after a 20 hour work trip yesterday, so it may be obvious but I can't see it).

21
 
 
The original post: /r/nginx by /u/devilishTL on 2024-09-26 09:51:22.

I want to use NginX to safely open a Jellyfin WebUI up to some friends of mine, but when I install it on my TrueNAS machine and start it, it just gets stuck on deploying, and the logs say nothing meaningful as far as I can tell as to why it fails to start.

https://pastebin.com/uUjb6Hmv

22
 
 
The original post: /r/nginx by /u/Sarquamon on 2024-09-26 04:51:48.

Hello community, I'm currently having an issue when being redirected back from an SSO server. Also, I'm still a bit of an NGINX newbie, so any support is much appreciated. Thanks in advance! :D

A bit of context:

I'm working on creating a React app (using TS + Vite) and I'm using NGINX to serve the bundle generated by Vite.

Said application is using the react-router-dom package for routing the application, and in said router I have a route set up as /redirect which, as it implies, is the route to which the SSO redirects back as a callback.

The issue

Whenever I open up the application in a Docker container using OpenResty for serving the files, it does find the actual index.html and redirects to the SSO; then when it comes back to /redirect from the SSO, NGINX complains that the index.html is nowhere to be found.

What I've tried

  • Made sure the routes in the server are correct.
  • The root folder is correct under the nginx.conf file
  • Default.conf file is deleted as everything will live under the nginx.conf file
  • Updated the base property under the vite.config file
  • Added a specific /redirect route under nginx
  • Changed try_files for index directive
  • Updated the root folder
  • Read through posts, comments and replies across multiple sites :')
  • Prayed to the old gods and the new ones.

Project / NGINX config

The project as previously mentioned is a React app using vite and TS. I do have an auth wrapper which verifies the user is logged in from the start, this wrapper is responsible for redirecting to the SSO.

In the routes I have a /redirect route which is when the SSO comes back (callback). The URL comes something like: https://localhost:8080/some/path/redirect#acc=...

and then... the app breaks.

Once I run the vite build command, vite bundles everything and drops it in a /dist folder. I copy just the contents of the folder and deploy it using an openresty container.

Since this is running in an OpenResty container, I've set the nginx.conf file as:

nginx.conf

pid /tmp/nginx.pid;
error_log /dev/stdout;

events {
    worker_connections 1024;
}

pcre_jit on;
worker_processes auto;

http {
    access_log off;
    error_log /usr/local/openresty/nginx/logs/error.log debug;

    include mime.types;
    keepalive_timeout 65;
    default_type application/octet-stream;

    client_body_temp_path /tmp/client_temp;
    proxy_temp_path /tmp/proxy_temp_path;
    fastcgi_temp_path /tmp/fastcgi_temp;
    uwsgi_temp_path /tmp/uwsgi_temp;
    scgi_temp_path /tmp/scgi_temp;

    server {
        listen 8080 ssl;

        sendfile on;

        proxy_read_timeout 300s;
        port_in_redirect off;

        ssl_certificate /usr/local/openresty/nginx/conf/ssl/server.crt;
        ssl_certificate_key /usr/local/openresty/nginx/conf/ssl/server.key;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        ssl_protocols SSLv2 SSLv3 TLSv1.2;

        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        large_client_header_buffers 4 32k;

        root /usr/local/openresty/nginx/site/some/path;

        location ~* \.(?:css|js|map|jpe?g|gif|png|ico)$ {
            access_log /usr/local/openresty/nginx/logs/access.log combined;
            add_header Cache-Control public;
            add_header Pragma public;
            add_header Vary Accept-Encoding;
            expires 1M;
        }

        location = /health {
            add_header Content-Type text/json;
            return 200 '{"Status": "Ok"}';
        }

        location / {
            try_files $uri $uri/ /index.html;
        }
    }
}

The flow would be:

localhost:8080/some/path -> sso server -> localhost:8080/some/path/redirect#ac=...

Many many thanks in advance, any help is much appreciated.
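An added example, not from either post, for this config and for the Django one in post 4 above: it maps request URIs to filesystem paths the way nginx does for root, alias and try_files, then runs the Django /static/ and /media/ alias locations and this post's root + try_files location against a constructed in-memory file tree (the file names are sample values, not the posters' files).

```python
"""Static-file path resolution for `root`, `alias` and `try_files`.

Added example, not from the posts. It models ngx_http_core_module's behaviour:
`root` appends the whole normalized URI to the path, `alias` replaces the
location prefix, and `try_files` checks each candidate in turn and falls back
to an internal redirect to its last argument. The file tree is constructed.
"""
import posixpath

# Constructed file tree: the regular files that "exist" on disk for this demo.
FILES = {
    "/usr/src/app/staticfiles/css/site.css",
    "/usr/src/app/media/articles/photo.jpg",
    "/usr/local/openresty/nginx/site/some/path/index.html",
    "/usr/local/openresty/nginx/site/some/path/assets/app.js",
}


def normalize_uri(uri):
    """Collapse ./ and ../ the way nginx normalizes $uri before location matching."""
    norm = posixpath.normpath(uri)
    if uri.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm if norm.startswith("/") else "/" + norm


def resolve(uri, location, directive, path):
    """Map a URI under a prefix location to a filesystem path.

    root:  path + uri                   (the location prefix is kept)
    alias: path + uri[len(location):]   (the location prefix is replaced)
    """
    uri = normalize_uri(uri)
    if not uri.startswith(location):
        raise ValueError(f"{uri} is outside location {location}")
    if directive == "root":
        return posixpath.normpath(path + uri)
    if directive == "alias":
        return posixpath.normpath(path + uri[len(location):])
    raise ValueError(f"unknown directive {directive}")


def try_files(uri, root, candidates, files=FILES):
    """Emulate `try_files a b ... /fallback` under `root`."""
    uri = normalize_uri(uri)
    for cand in candidates[:-1]:
        target = cand.replace("$uri", uri)
        fs = posixpath.normpath(root + target)
        if target.endswith("/"):
            # "$uri/" asks for a directory: accept it if anything lives under it
            if any(f.startswith(fs + "/") for f in files):
                return fs
        elif fs in files:
            return fs
    # the last argument is an internal redirect to a new URI, resolved under root
    return posixpath.normpath(root + candidates[-1].replace("$uri", uri))


def django_static(uri):
    """The /static/ and /media/ alias locations from the Django post."""
    if uri.startswith("/media/"):
        return resolve(uri, "/media/", "alias", "/usr/src/app/media/")
    return resolve(uri, "/static/", "alias", "/usr/src/app/staticfiles/")


OPENRESTY_ROOT = "/usr/local/openresty/nginx/site/some/path"


def openresty_spa(uri):
    """`root .../site/some/path; location / { try_files $uri $uri/ /index.html; }`."""
    return try_files(uri, OPENRESTY_ROOT, ["$uri", "$uri/", "/index.html"])


if __name__ == "__main__":
    for uri in ("/static/css/site.css", "/media/articles/photo.jpg"):
        print(uri, "->", django_static(uri))
    # root keeps the URI prefix, so a URI that repeats the root's tail is doubled
    # on disk and falls through to the /index.html fallback
    for uri in ("/assets/app.js", "/some/path/redirect", "/some/path/assets/app.js"):
        print(uri, "->", openresty_spa(uri))
```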

23
 
 
The original post: /r/nginx by /u/These_Shoe3594 on 2024-09-25 18:20:04.

Hi all,

I’m working on a project that’s hosted in an EKS cluster, and we’re facing an intermittent issue where accessing the REST API of our application sometimes results in a 503 error. Here’s what I’ve checked so far:

  1. The ingress file is valid.
  2. The service file is properly configured.
  3. The application works fine when tested locally.

Our reverse proxy is Nginx, and the 503 response is the standard Nginx error HTML. However, the odd thing is that there’s no trace of the 503 error in the Nginx logs, even though I’ve enabled debug logging. All other requests are logged as expected, but the 503 responses don’t appear in the logs.

The issue is quite random, and most of the time the API returns a valid response.

My question is: How can Nginx return a 503 without even logging it? Is there any scenario where Nginx might generate a 503 but not log the event? Any pointers would be greatly appreciated!

Thanks in advance!


24
 
 
The original post: /r/nginx by /u/TaurusFervant on 2024-09-24 17:02:19.


When I host my Kafka server on a VPS and add the nginx server for the Control Center authentication, I get the error 404 page not found. However, this same setup works fine on my local machine when I change the nginx.conf file and replace every IP address with my localhost. I am using Docker containers and I have 5 Docker containers: 2 of them are Kafka brokers, 1 is ZooKeeper, 1 is the Control Center and 1 is the nginx server. Everything is working fine; the nginx logs say that it's ready to use.

This is my nginx.conf file:

user nginx;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # SSL settings
    ssl_certificate /etc/nginx/ssl/ssl_cert.pem;
    ssl_certificate_key /etc/nginx/ssl/ssl_cert.key;

    # Gzip Settings (optional)
    gzip on;

    server {
        listen 443 ssl;
        server_name <VPS_ADDRESS>;  # Change to your local IP or hostname if needed

        # Proxy settings for Control Center
        location / {
            auth_basic "Restricted Access";
            auth_basic_user_file /etc/nginx/.htpasswd;

            proxy_pass http://control-center:9021;  # Forward requests to Control Center
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

        }

        # Error page for 404
        error_page 404 /404.html;
    }

    server {
        listen 80;
        server_name <VPS_ADDRESS>;  # Change to your local IP or hostname if needed

        # Redirect all HTTP to HTTPS
        return 301 https://$host$request_uri;
    }
}

and these are docker containers for nginx and control center:

  control-center:
    image: confluentinc/cp-enterprise-control-center:7.4.0
    hostname: control-center
    container_name: control-center
    depends_on:
      - zookeeper
      - broker1
      - broker2
    ports:
      - "9021:9021"  # Control Center UI port
    environment:
      CONTROL_CENTER_BOOTSTRAP_SERVERS: 'broker1:29092,broker2:29093'
      CONTROL_CENTER_ZOOKEEPER_CONNECT: 'zookeeper:2181'
      CONTROL_CENTER_CONNECT_CONNECT_CLUSTER: 'localhost:8083'
      CONTROL_CENTER_KSQL_KSQLDB1_URL: "http://ksqldb-server:8088"
      CONTROL_CENTER_SCHEMA_REGISTRY_URL: "http://schema-registry:8081"
      CONTROL_CENTER_REPLICATION_FACTOR: 1
      CONTROL_CENTER_INTERNAL_TOPICS_PARTITIONS: 1
      CONTROL_CENTER_MONITORING_INTERCEPTOR_TOPIC_PARTITIONS: 1
      CONFLUENT_METRICS_TOPIC_REPLICATION: 1
      CONTROL_CENTER_SSL_KEYSTORE_LOCATION: '/etc/ssl/keystore.jks'  # Path to keystore in the container
      CONTROL_CENTER_SSL_KEYSTORE_PASSWORD: 'key_stroe_pw'  # Keystore password
      CONTROL_CENTER_SSL_TRUSTSTORE_LOCATION: '/etc/ssl/truststore.jks'  # Path to truststore in the container
      CONTROL_CENTER_SSL_TRUSTSTORE_PASSWORD: 'trust_store_pw'  # Truststore password

    volumes:
      - ./keystore.jks:/etc/ssl/keystore.jks:ro  # Mount the keystore into the container
      - ./truststore.jks:/etc/ssl/truststore.jks:ro  # Mount the truststore into the container (if applicable)
    networks:
      - confluent
    healthcheck:
      test: ["CMD", "curl", "-f", "https://localhost:9021"]
      interval: 30s
      timeout: 10s
      retries: 5

  nginx:
    image: nginx:latest
    container_name: nginx
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro  # NGINX config
      - ./htpasswd:/etc/nginx/.htpasswd:ro  # Password file for authentication
      - ./ssl:/etc/nginx/ssl:ro  # Mount the SSL certificates
    ports:
      - "443:443"  # Expose SSL on port 443
      - "8080:8080"  # Redirect HTTP to HTTPS
    depends_on:
      - control-center
    networks:
      - confluent

I can access the Control Center directly from my local machine through <VPS_ADDRESS>:9021, but I want authentication enabled so that when I access http://<VPS_ADDRESS> I get a prompt to enter a username and password and then a redirect to the Control Center.

I have tried to access the control center from nginx container, I am getting 200 response message on curl http://control-center:9021

25
 
 
The original post: /r/nginx by /u/SDR3078 on 2024-09-24 15:38:27.

Hi all,

Breaking my head since yesterday because I have followed tutorials related to hooking up NGINX and Cloudflare for extra security. I am trying to configure the Cloudflare Origin CA certificates, but I am always getting an error when enabling TLS verification. My encryption mode is set to 'Full (strict)' and covers *.mydomain.suf and mydomain.suf. My NGINX config looks like this:

server {
    # Listen on port 443 for HTTPS
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name subdomain.domain.suf;

    # SSL certificates
    ssl_certificate /etc/ssl/certs/domain.suf.pem;    # Path to your SSL certificate
    ssl_certificate_key /etc/ssl/private/domain.suf.key; # Path to your SSL private key

    # Proxy settings to forward traffic to local server (e.g., localhost:5000)
    location / {
        proxy_pass http://ip:port;  # Forward traffic to local server running on port 5000
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support (if applicable)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Redirect HTTP traffic to HTTPS
server {
    listen 80;
    server_name *.domain.suf domain.suf;

    location / {
        return 301 https://$host$request_uri;  # Redirect all HTTP requests to HTTPS
    }
}
