@black3dynamite said in NGINX Reverse Proxy Help - Error code: SSL_ERROR_RX_RECORD_TOO_LONG: In the server block, add ssl_protocols TLSv1.2; and reload nginx no joy. Incognito mode did not work either.

I'd normally keep swap space too but I know for sure you can run without it successfully because we used to do that with embedded linux for years - with devices that had years of uptime. With memory ballooning you can overcommit RAM and the hypervisor can swap guest RAM to disk if it comes to that. I don't know which hypervisors supports it though. As always it depends on how much you want to cram out of your gear.

I have been using APache for a long time but Nginx is pretty good too (I have been using Ngnix for SSL Proxy) and Apache for my normal web hosting.

@Donahue said in Nginx questions: looks like the NC thing might be a bug with just iOS and using a reverse proxy https://github.com/nextcloud/server/issues/11464 yep, the "old method" indeed did work.

@scottalanmiller said in NGinx Configuration Block for Zimbra Reverse Proxy: Someone was looking for this specifically so... server { client_max_body_size 80M; server_name my.domain.com; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_redirect off; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_pass https://myip:443/; proxy_redirect off; # Socket.IO Support proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } listen 80; ssl_stapling on; ssl_stapling_verify on; ssl_session_cache shared:SSL:10m; add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } Remember to create one for the Admin console on port 7071.

@wirestyle22 said in Nextcloud Update 14.04 Security Warning: Strict-Transport-Security If you are using Nginx Reverse Proxy, adding add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; in your server block should remove that warning.

Sorry, ignore me. I got this figured out. I was being really dumb and had the wrong config.json file open and didn't know what I was looking at. Just ignore. Yes, the socket.io settings were missing, but were on my screen so I was sure that they were there.

@Romo said in Collabora CODE and NextCloud Integration Shows Blank Editing Page and Spinning Circle: Just got it working, it was indeed a DNS issue. When launching the docker container I added the --add-host name:ip option to add an entry to the hosts file that pointed to the internal ip of our nextcloud server and that made it properly work. Its now properly working I'll have to try that tonight!

@JaredBusch I bet that was annoying to figure out with bad documentation. Nice.

All the Z-Push state files are located on /var/lib/z-push. I deleted them all for an user and then boom everything started working.

Nice Guide! I did this all and automated it for LXQ

Probably pretty minor, but just patch nGinx anyway

nano /var/www/bookstack/.env contains a commented line for APP_URL=http://bookstack.dev. Uncommenting it and changing it to APP_URL=https://wiki.domain.com fixed the issue for me.

@wirestyle22 said in Renewing Let's Encrypt certificates using a systemd timer: sudo systemctl enable certbot-renewal.timer As I did this again today, I thought I would post my quick tweak to this because I do not like the idea of it running hourly. I set mine to run twice a day with a 1 hour randomizer. [Timer] OnCalendar=*-*-* 01,13:00:00 RandomizedDelaySec=3600 Unit=certbot-renewal.service

@taurex said in Cloudflare and Nginx reverse proxy background.: @travisdh1 Are there any benefits of configuring your own reverse-proxy if it's running behind CloudFlare that is essentially the one already? I know they offer their own Origin CA certs that you can install on your web servers to encrypt the traffic between CF and your cloud. As long as you're happy to stick with CloudFlare, there will be no need to run cron jobs with certbot renewals every 3 months. As @JaredBusch said, you can run self-signed certs with CloudFlare just fine. This was for my home lab, so I purposely do things the hard way sometimes, just to see what it's like. That's why I originally tackled this anyway. Running a reverse proxy mostly so I don't have to pay for nearly 30 IP addresses on the box I rent for it.

@jaredbusch Hm. I'm getting too many rewrite errors now. Some odd problems occurring. Relative pathing problem?

@stacksofplates said in Looking to migrate Nginx and LetsEncrypt: @jaredbusch said in Looking to migrate Nginx and LetsEncrypt: @stacksofplates said in Looking to migrate Nginx and LetsEncrypt: If you start over with a new system so you still get notifications of old certs expiring? Aren't these handled at the domain level so it knows that a new system has a newer cert? Honestly asking since I haven't run into this yet. No. It is handled on the cert serial number level. Ah ok. I've moved things in the past by simply reissuing on the new server, and dealing with the expiring certs is an annoyance.

@scottalanmiller said in Anyone Using Collabora and NextCloud Behind NGinx?: Not sure how I should have things configured. I believe that I followed all of the instructions properly, but it is not working and there are no really clear instructions for a dual server scenario. All of the official stuff lists single server and Apache. The one thing I remember having issues with was that it wants to communicate over the same "channel" in between the Collabora and NextCloud servers, so if the external browser connection is https, then it's not happy and throws errors if the back end isn't communicating over https as well. Getting that https channel setup with the recommended Drupal container and instructions for that didn't seem to work, and was such a pain I gave up trying to get it fixed at the time.

@jaredbusch said in 302 Moved Error: That auto generated stuff is only sending stuff to the Apache host on the same box as Nginx. Thanks for your valuable comments. I solved this problem. I've erased all routing on Nginx/Apache , I created a virtual server for HAproxy, I installed HAproxy and currently all virtual servers routing process was completed. Only I have one problem with HAproxy conf. file, I do not know how to do FTP Routing. if you want to see the topic, please visit this topic.

@jaredbusch said in Rewriting A Single Resource URL On A Webpage: @nashbrydges said in Rewriting A Single Resource URL On A Webpage: @jaredbusch said in Rewriting A Single Resource URL On A Webpage: @nashbrydges said in Rewriting A Single Resource URL On A Webpage: Currently (which breaks proper tracking because the script is blocked by most browsers): <script src="http://sub.domain.com/mtc.js" async data-source="mautic"></script> A location should handle this. in your :80 server block add a location location /mtc.jc { rewrtie ^ https://sub.domain.com/mtc.js; } Thanks, I'll give that a try. Pulled that right out of my ass, it very well may not work. But you get the general idea. It does work, as I have used it on Apache like my post below: https://mangolassi.it/topic/16660/reverse-or-forward-proxy-setup/3

@black3dynamite said in Wordpress Install - Page is trying to load unsafe script: @NashBrydges Change CustomLog /var/log/access.log combined to CustomLog /var/log/httpd/access.log combined Good catch. Thanks.

I was able to fix the issue with the following lines on Apache as Reverse Proxy ProxyPass /soap/v1/ https://api.authorize.net/soap/v1/ ProxyPassReverse /soap/v1/ https://api.authorize.net/soap/v1/ I assume this can also be done on Ngnix as well. So I will find out.

The problem was the items such as $remote_addr did not copy at all. They were missing. The config passed. Did the certbot and all went fine. If I go to https://nc.domain.com the site loads properly. If I go to http://nc.domain.com the site redirects and loads fine. Both work and cert loads in browser. However, if I go to nc.domain.com, it returns a blank page and shows https://localhost in the browser. I have the fqdn set up on the NC server and the Nginx. Not sure where this is coming from.

This behavior is different than the last time I setup a reverse proxy like this. But that was also on CentOS 7 and not Fedora. So policy could be different.

@nashbrydges said in Nginx Active-Passive HA: @jaredbusch said in Nginx Active-Passive HA: @NashBrydges side question. If you setup the .well-known to work correctly, why do you then need the HA? because nginx will never be down except for the momentary reload after the certs are updated. That certainly addresses the biggest concern about a long downtime during the renewall process for a high number of certs and probably addresses most concerns with this client. He's already running Veeam replication to a second box so his RTO and RPO are relatively short and within his business tolerance. Having said that, it's a great learning opportunity for me to set this up in my lab, if for no other reason than to try it and see how it works. Certainly no reason not to do it for a lab. and for a proxy with as much as it sounds like you have in production, it will still be a likely good solution.

@bnrstnr said in WordPress behind NGINX Reverse Proxy issues: @scottalanmiller said in WordPress behind NGINX Reverse Proxy issues: https://mangolassi.it/topic/13062/install-a-basic-wordpress-site-with-wp-cli Doh, somehow I missed this. And this one.... https://mangolassi.it/topic/16084/installing-fedora-27-lamp-stack-plus-wordpress/

@scottalanmiller said in Proxy Failure on Zimbra 8.8 After Update: @wirestyle22 said in Proxy Failure on Zimbra 8.8 After Update: @dbeato said in Proxy Failure on Zimbra 8.8 After Update: Apparently this fixes it $ zmprov md domain.com zimbraVirtualHostname mail.domain.com zimbraVirtualIPAddress 10.0.1.6 $ libexec/zmproxyconfgen $ zmproxyctl restart Obviously change it to your enviroment. did this work @scottalanmiller? Boom, that did it! Thanks @dbeato Awesomeness !

I haven’t tried it but process substitution may work if you enable envsubst. So rather than an include you might just be able to do: $( nslookup domain.com | yada yada) Driving so don’t feel like typing out anything.