nano /var/www/bookstack/.env contains a commented line for APP_URL=http://bookstack.dev. Uncommenting it and changing it to APP_URL=https://wiki.domain.com fixed the issue for me.

@black3dynamite said in Renewing Let's Encrypt certificates using a systemd timer: @nashbrydges said in Renewing Let's Encrypt certificates using a systemd timer: @jaredbusch Thanks Also if you install Fedora Server 28 as a minimal base environment, cronie isn't even installed. Didn't know that but it makes sense.

@taurex said in Cloudflare and Nginx reverse proxy background.: @travisdh1 Are there any benefits of configuring your own reverse-proxy if it's running behind CloudFlare that is essentially the one already? I know they offer their own Origin CA certs that you can install on your web servers to encrypt the traffic between CF and your cloud. As long as you're happy to stick with CloudFlare, there will be no need to run cron jobs with certbot renewals every 3 months. As @JaredBusch said, you can run self-signed certs with CloudFlare just fine. This was for my home lab, so I purposely do things the hard way sometimes, just to see what it's like. That's why I originally tackled this anyway. Running a reverse proxy mostly so I don't have to pay for nearly 30 IP addresses on the box I rent for it.

@jaredbusch Hm. I'm getting too many rewrite errors now. Some odd problems occurring. Relative pathing problem?

@stacksofplates said in Looking to migrate Nginx and LetsEncrypt: @jaredbusch said in Looking to migrate Nginx and LetsEncrypt: @stacksofplates said in Looking to migrate Nginx and LetsEncrypt: If you start over with a new system so you still get notifications of old certs expiring? Aren't these handled at the domain level so it knows that a new system has a newer cert? Honestly asking since I haven't run into this yet. No. It is handled on the cert serial number level. Ah ok. I've moved things in the past by simply reissuing on the new server, and dealing with the expiring certs is an annoyance.

@scottalanmiller said in Anyone Using Collabora and NextCloud Behind NGinx?: Not sure how I should have things configured. I believe that I followed all of the instructions properly, but it is not working and there are no really clear instructions for a dual server scenario. All of the official stuff lists single server and Apache. The one thing I remember having issues with was that it wants to communicate over the same "channel" in between the Collabora and NextCloud servers, so if the external browser connection is https, then it's not happy and throws errors if the back end isn't communicating over https as well. Getting that https channel setup with the recommended Drupal container and instructions for that didn't seem to work, and was such a pain I gave up trying to get it fixed at the time.

@jaredbusch said in 302 Moved Error: That auto generated stuff is only sending stuff to the Apache host on the same box as Nginx. Thanks for your valuable comments. I solved this problem. I've erased all routing on Nginx/Apache , I created a virtual server for HAproxy, I installed HAproxy and currently all virtual servers routing process was completed. Only I have one problem with HAproxy conf. file, I do not know how to do FTP Routing. if you want to see the topic, please visit this topic.

@jaredbusch said in Rewriting A Single Resource URL On A Webpage: @nashbrydges said in Rewriting A Single Resource URL On A Webpage: @jaredbusch said in Rewriting A Single Resource URL On A Webpage: @nashbrydges said in Rewriting A Single Resource URL On A Webpage: Currently (which breaks proper tracking because the script is blocked by most browsers): <script src="http://sub.domain.com/mtc.js" async data-source="mautic"></script> A location should handle this. in your :80 server block add a location location /mtc.jc { rewrtie ^ https://sub.domain.com/mtc.js; } Thanks, I'll give that a try. Pulled that right out of my ass, it very well may not work. But you get the general idea. It does work, as I have used it on Apache like my post below: https://mangolassi.it/topic/16660/reverse-or-forward-proxy-setup/3

@black3dynamite said in Wordpress Install - Page is trying to load unsafe script: @NashBrydges Change CustomLog /var/log/access.log combined to CustomLog /var/log/httpd/access.log combined Good catch. Thanks.

I was able to fix the issue with the following lines on Apache as Reverse Proxy ProxyPass /soap/v1/ https://api.authorize.net/soap/v1/ ProxyPassReverse /soap/v1/ https://api.authorize.net/soap/v1/ I assume this can also be done on Ngnix as well. So I will find out.

@JaredBusch This is from the Nginx website under pitfalls and common mistakes. I read that return's are much faster than rewrites due to not needing to evaluate RegEx(?) which is why you see return listed as a better option. I know you use rewrite and there's a lot you know that I don't so I was just wondering why that is your preference

This behavior is different than the last time I setup a reverse proxy like this. But that was also on CentOS 7 and not Fedora. So policy could be different.

@nashbrydges said in Nginx Active-Passive HA: @jaredbusch said in Nginx Active-Passive HA: @NashBrydges side question. If you setup the .well-known to work correctly, why do you then need the HA? because nginx will never be down except for the momentary reload after the certs are updated. That certainly addresses the biggest concern about a long downtime during the renewall process for a high number of certs and probably addresses most concerns with this client. He's already running Veeam replication to a second box so his RTO and RPO are relatively short and within his business tolerance. Having said that, it's a great learning opportunity for me to set this up in my lab, if for no other reason than to try it and see how it works. Certainly no reason not to do it for a lab. and for a proxy with as much as it sounds like you have in production, it will still be a likely good solution.

@bnrstnr said in WordPress behind NGINX Reverse Proxy issues: @scottalanmiller said in WordPress behind NGINX Reverse Proxy issues: https://mangolassi.it/topic/13062/install-a-basic-wordpress-site-with-wp-cli Doh, somehow I missed this. And this one.... https://mangolassi.it/topic/16084/installing-fedora-27-lamp-stack-plus-wordpress/

@scottalanmiller said in Proxy Failure on Zimbra 8.8 After Update: @wirestyle22 said in Proxy Failure on Zimbra 8.8 After Update: @dbeato said in Proxy Failure on Zimbra 8.8 After Update: Apparently this fixes it $ zmprov md domain.com zimbraVirtualHostname mail.domain.com zimbraVirtualIPAddress 10.0.1.6 $ libexec/zmproxyconfgen $ zmproxyctl restart Obviously change it to your enviroment. did this work @scottalanmiller? Boom, that did it! Thanks @dbeato Awesomeness !

I haven’t tried it but process substitution may work if you enable envsubst. So rather than an include you might just be able to do: $( nslookup domain.com | yada yada) Driving so don’t feel like typing out anything.

https://mangolassi.it/topic/15267/how-to-allow-site-access-in-nginx-by-ddns-instead-of-by-ip

@aaronstuder said in How to setup Nginx TLS certificate based Authentication (VPN alternative): @emad-r 3650 One of the main reasons that normal certs cannot be bought with forever expiration is because then people would be less apt to update them as ciphers are broken. Look at how many people still use(d) SSLv1 SHA1, etc., long after they were proven broken.

@jaredbusch said in Nginx Certificate Authentication issue: @emad-r said in Nginx Certificate Authentication issue: @jaredbusch said in Nginx Certificate Authentication issue: ls -laZ /etc/pki/nginx/ca.crt -rw-r--r-- root root ? i specified -laZ intentionally to show the SELinux context also. I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like drwxr-xr-x. root root system_u:object_r:cert_t:s0 . drwxr-xr-x. root root system_u:object_r:cert_t:s0 .. lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem lrwxrwxrwx. root root system_u:object_r:cert_t:s0 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt -rw-r--r--. root root unconfined_u:object_r:cert_t:s0 dhparam.pem -rwxr-xr-x. root root system_u:object_r:bin_t:s0 make-dummy-cert -rw-r--r--. root root system_u:object_r:cert_t:s0 Makefile -rwxr-xr-x. root root system_u:object_r:cert_t:s0 renew-dummy-cert Thanks this pointed me in the right direction, a useful guide coming soon

@scottalanmiller said in Install Alfresco Community Edition On Ubuntu 17.04: @stacksofplates said in Install Alfresco Community Edition On Ubuntu 17.04: @scottalanmiller said in Install Alfresco Community Edition On Ubuntu 17.04: @nashbrydges said in Install Alfresco Community Edition On Ubuntu 17.04: @scottalanmiller Just testing it out for now but so far so good. I had a client ask me for a good document management solution that wouldn't break the bank and could be hosted locally so I immediately thought of this. I've given him access to see if this could work and from the sounds of his feedback, he might want it setup. Cool, would be good to see some threads on it. Been so long since I've used it. I use the hosted one. They gave you 10GB for free. Idk if they still do that or not. I didn't even know that they did hosted. Ya the free one didn't seem advertised much. I'll have to see if I can find a sign up link again.

Thanks @JaredBusch this will be a huge help! I'll give this a try later this evening when I'm back.

@black3dynamite said in Problem with Nginx conf file: Comparing the two configs CRM under location / does not have this: proxy_set_header X-Forwarded-Proto $scheme; That probably went missing when I was troubleshooting. I was copy pasting in pieces and removing them trying to figure out why it was not working.

@JaredBusch said in Looking for how-to on setting up a proxy: server { client_max_body_size 40M; listen 80; server_name support.bundystl.com; rewrite ^ https://$server_name$request_uri? permanent; } Yep, got all that done and it's working well. What I was referring to was redirecting traffic to HTTPS. Essentially this is the part of the file I was missing... server { client_max_body_size 40M; listen 80; server_name support.bundystl.com; rewrite ^ https://$server_name$request_uri? permanent; }

This way you can share the config(s) under conf.d between multiple machines using the same roles (or whatever Salt calls them) and have different main NGINX server settings.

@travisdh1 said in SSL between a proxy and its target: @Dashrender said in SSL between a proxy and its target: @dafyre said in SSL between a proxy and its target: @scottalanmiller said in SSL between a proxy and its target: Never had to do that. Seems like a script to pull it from time to time might be enough, though? Set up a passwordless scp of the /etc/letsencrypt (or /etc/certbot?) folder from the proxy to the internal machine? Any security risk to this? I don't know anything about it - I just see passwordless and have to ask. It's industry standard public/private key encryption, so shouldn't be an issue. You should go read up on SQRL. In my not so humble opinion, passwords have long outlived the point where they are a useful security mechanism. I'm fully aware of SQRL - I asked Scott on Day one of ML if he would support it when it became available, sadly it's still not released to the wild

Location matters very little. I would stick to the standards.

Okay - so the reason I am able to use ScreenConnect on iOS is due to it being the Legacy version. I'll see about sorting this out in the morning - I'm done with IT for the night.