Problem with Nginx conf file


  • Service Provider

    I spun up SuiteCRM last night. It works by IP as expected.

    So next, I connect to the proxy server I have running in front of everything that is on my lab network and make a conf file for Nginx. I have many of these, I simply copied one and changed where things were pointing.

    [[email protected] ~]# cat /etc/nginx/conf.d/crm.bundystl.com.conf 
    server {
        client_max_body_size 40M;
        listen 443 ssl;
        server_name crm.bundystl.com;
        server_tokens off;
        ssl          on;
        ssl_certificate /etc/letsencrypt/live/support.bundystl.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/support.bundystl.com/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass http://10.254.0.38;
            proxy_redirect off;
    
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
        }
    }
    
    server {
        client_max_body_size 40M;
        listen 80;
        server_name crm.bundystl.com;
        rewrite        ^ https://$server_name$request_uri? permanent;
    }
    

    But I get this instead..


    Because it loads by internal IP, I know that SuiteCRM is up and running.

    My SnipeIT system is behind this as well and it works perfectly.

    [[email protected] ~]# cat /etc/nginx/conf.d/assets.bundystl.com.conf 
    server {
        client_max_body_size 40M;
        listen 443 ssl;
        server_name assets.bundystl.com snipe.bundystl.com;
        ssl          on;
        ssl_certificate /etc/letsencrypt/live/support.bundystl.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/support.bundystl.com/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass https://10.254.0.34;
            proxy_redirect off;
    
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
        }
    }
    
    server {
        client_max_body_size 40M;
        listen 80;
        server_name assets.bundystl.com snipe.bundystl.com;
        rewrite        ^ https://$server_name$request_uri? permanent;
    }
    


    someone tell me what stupid f***ing thing I did here...



  • I don't know really anything of Nginx - that's a @scottalanmiller thing.

    But if the server name is right, and the key is right, then I would think it should work.

    First 'difference' I see is the server_name

    SnipeIT has two server_names, assets and snipe; whereas your CRM is just the CRM..

    Which I can't see as being incorrect.



  • Can you still get to it by IP?


  • Service Provider

    Looks right to me. No socket.io stuff needed, maybe remove that?


  • Service Provider

    @JaredBusch said in Problem with Nginx conf file:

       proxy_pass http://10.254.0.38;
    

    Shouldn't it say:
    proxy_pass https://10.254.0.38;

    (https vs http) Since you're going to an SSL site?


  • Service Provider

    @Mike-Davis said in Problem with Nginx conf file:

    @JaredBusch said in Problem with Nginx conf file:

       proxy_pass http://10.254.0.38;
    

    Shouldn't it say:
    proxy_pass https://10.254.0.38;

    (https vs http) Since you're going to an SSL site?

    No, Nginx is providing the SSL here. He'd likely skip Nginx if he already had SSL without it.


  • Service Provider

    Internally, if he goes to http://10.254.0.38
    does he get the Fedora site,
    and if he goes to https://10.254.0.38
    does he get the SuiteCRM site?



  • I know with Snipe-IT, in the .env config file, in the Optional: Misc section, you have to supply the IP address of the proxy server when Snipe-IT is behind a proxy server. Maybe SuiteCRM needs something like that.


  • Service Provider

    @black3dynamite said in Problem with Nginx conf file:

    I know with Snipe-IT, in the .env config file, in the Optional: Misc section, you have to supply the IP address of the proxy server when Snipe-IT is behind a proxy server. Maybe SuiteCRM needs something like that.

    Not with SuiteCRM. We support it and there is no special config like that.



  • Comparing the two configs

    CRM under location / does not have this:
    proxy_set_header X-Forwarded-Proto $scheme;


  • Service Provider

    @black3dynamite said in Problem with Nginx conf file:

    Comparing the two configs

    CRM under location / does not have this:
    proxy_set_header X-Forwarded-Proto $scheme;

    Mine works without that.


  • Service Provider

    I think there is a simpler problem. Because if you notice, the port 80 server block should simply force a redirect to the SSL which will then hit the 443 block.

    But if you go to crm.bundystl.com it does not even redirect.


  • Service Provider

    but if you go to assets.bundystl.com it does.


  • Service Provider

    but DNS resolves the same.
    and it is all setup the same in cloudflare



  • Service Provider

    Looks like it is working to me.


  • Service Provider

    Well, coming back I start over and it works this time.. but I REALLY do not know WTF was different..

    I deleted the crm conf, and copied assets, again.

    [[email protected] ~]# cd /etc/nginx/conf.d/
    [[email protected] conf.d]# rm crm.bundystl.com.conf 
    rm: remove regular file ‘crm.bundystl.com.conf’? y
    [[email protected] conf.d]# cp assets.bundystl.com.conf crm.bundystl.com.conf 
    

    I edited the crm conf, only changing the two server_name lines and the proxy_pass.

    [[email protected] conf.d]# nano crm.bundystl.com.conf 
    [[email protected] conf.d]# cat crm.bundystl.com.conf 
    server {
        client_max_body_size 40M;
        listen 443 ssl;
        server_name crm.bundystl.com;
        ssl          on;
        ssl_certificate /etc/letsencrypt/live/support.bundystl.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/support.bundystl.com/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://10.254.0.38;
            proxy_redirect off;
    
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
        }
    }
    
    server {
        client_max_body_size 40M;
        listen 80;
        server_name crm.bundystl.com;
        rewrite        ^ https://$server_name$request_uri? permanent;
    }
    

    It tested good

    [[email protected] conf.d]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    [[email protected] conf.d]# systemctl restart nginx
    [[email protected] conf.d]# 
    

    and wtf it works.. someone who can find the difference, please let me know because this drove me fucking mad..



  • Service Provider

    @scottalanmiller said in Problem with Nginx conf file:

    Looks like it is working to me.

    see post


  • Service Provider

    @JaredBusch said in Problem with Nginx conf file:

    @scottalanmiller said in Problem with Nginx conf file:

    Looks like it is working to me.

    see post

    I beat you by a second.


  • Service Provider

    @black3dynamite said in Problem with Nginx conf file:

    Comparing the two configs

    CRM under location / does not have this:
    proxy_set_header X-Forwarded-Proto $scheme;

    That probably went missing when I was troubleshooting. I was copy pasting in pieces and removing them trying to figure out why it was not working.
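
Added example, not part of any post in this thread: a directive-level diff of the first crm.bundystl.com.conf and the working copy, which is the comparison the thread does by eye. The sample strings are excerpts of the posted configs, the function names are hypothetical, and the result only lists textual differences; it does not establish which one, if either, caused the failure.

```python
# Excerpts of the two crm.bundystl.com.conf versions posted in the thread;
# TLS directives that are identical in both are left out to keep it short.
FIRST = """server {
    server_name crm.bundystl.com;
    server_tokens off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    location / {
        proxy_set_header Host $http_host;
        proxy_pass http://10.254.0.38;
    }
}"""
SECOND = """server {
    server_name crm.bundystl.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://10.254.0.38;
    }
}"""

def directives(conf):
    """Return the set of (enclosing block path, normalized directive)."""
    found, stack, buf, quote, comment = set(), [], "", None, False
    for ch in conf:
        if comment:                      # skip to end of line
            comment = ch != "\n"
        elif quote:                      # ';' and '#' are literal in quotes
            buf += ch
            if ch == quote:
                quote = None
        elif ch == "#":
            comment = True
        elif ch in "\"'":
            quote, buf = ch, buf + ch
        elif ch in "{};":
            text, buf = " ".join(buf.split()), ""
            if ch == "{":
                stack.append(text)       # entering e.g. "location /"
            elif ch == "}":
                stack.pop()
            elif text:
                found.add((" > ".join(stack), text))
        else:
            buf += ch
    return found

def conf_diff(old, new):
    """Directives present only in old, and only in new, each sorted."""
    a, b = directives(old), directives(new)
    return sorted(a - b), sorted(b - a)
```

Reading the two real files from /etc/nginx/conf.d/ and passing their contents to `conf_diff` gives the same kind of report without whitespace or comment noise.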