The original post: /r/nginx by /u/MrChilliBalls on 2024-10-01 17:55:11.
I have Pterodactyl/Pelican Panel, Wings, and Nextcloud AIO running on the same machine. Pelican is on panel.example.net (not revealing my real domain name), Wings on node1.example.net and Nextcloud is on cloud.example.net. However, panel.example.net, node1.example.net, (and not as importantly, example.net) all seem to be redirecting to cloud.example.net. There aren't any errors on the nginx logs, so this seems like some sort of conflict in the configs. If I remove Nextcloud's config file, Pelican works fine, but if I add it back, it breaks Pelican's again. Do you guys have any idea on what the cause could be?
pelican.conf:
server\_tokens off;
server {
listen 80;
server_name panel.example.net;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name panel.example.net;
root /var/www/pelican/public;
index index.php;
access_log /var/log/nginx/pelican.app-access.log;
error_log /var/log/nginx/pelican.app-error.log error;
# allow larger file uploads and longer script runtimes
client_max_body_size 100m;
client_body_timeout 120s;
sendfile off;
ssl_certificate /etc/letsencrypt/live/panel.example.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/panel.example.net/privkey.pem;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers on;
# See https://hstspreload.org/ before uncommenting the line below.
# add_header Strict-Transport-Security "max-age=15768000; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header Content-Security-Policy "frame-ancestors 'self'";
add_header X-Frame-Options DENY;
add_header Referrer-Policy same-origin;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php8.3-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
include /etc/nginx/fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
nextcloud.conf:
map $http\_upgrade $connection\_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
# listen [::]:80; # comment to disable IPv6
if ($scheme = "http") { return 301 https://$host$request_uri; }
listen 443 ssl http2; # for nginx versions below v1.25.1
listen [::]:443 ssl http2; # for nginx versions below v1.25.1 - comment to disable IPv6
listen 443 ssl; # for nginx v1.25.1+
listen [::]:443 ssl; # for nginx v1.25.1+ - keep comment to disable IPv6
http2 on; # uncomment to enable HTTP/2 - supported on nginx v1.25.1+
http3 on; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
quic_retry on; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
add_header Alt-Svc 'h3=":443"; ma=86400'; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
listen 443 quic reuseport; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport
listen [::]:443 quic reuseport; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport - keep comment to disable IPv6
server_name cloud.example.net;
location / { proxy_pass http://127.0.0.1:11000$request_uri;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
client_body_buffer_size 512k;
proxy_read_timeout 86400s;
client_max_body_size 0;
# Websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
If running nginx on a subdomain (eg. nextcloud.example.com) of a domain that already has an wildcard ssl certificate from certbot on this machine,
the in the below lines should be replaced with just the domain (eg. example.com), not the subdomain.
In this case the subdomain should already be secured without additional actions
ssl_certificate /etc/letsencrypt/live/cloud.example.net/fullchain.pem; # managed by certbot on host machine ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem; # managed by certbot on host machine
ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; ssl_prefer_server_ciphers on;
Optional settings:
OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live//chain.pem;
replace with the IP address of your resolver
resolver 127.0.0.1; # needed for oscp stapling: e.g. use 94.140.15.15 for adguard / 1.1.1.1 for cloudflared or 8.8.8.8 for google - you can use the same nameserver as listed in your /etc/resolv.conf file
}