Problem with Nginx conf file


  • Service Provider

    I spun up SuiteCRM last night. It works by IP as expected.
    [image]

    So next, I connect to the proxy server I have running in front of everything that is on my lab network and make a conf file for Nginx. I have many of these; I simply copied one and changed where things were pointing.

    [[email protected] ~]# cat /etc/nginx/conf.d/crm.bundystl.com.conf 
    server {
        client_max_body_size 40M;
        listen 443 ssl;
        server_name crm.bundystl.com;
        server_tokens off;
        ssl          on;
        ssl_certificate /etc/letsencrypt/live/support.bundystl.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/support.bundystl.com/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass http://10.254.0.38;
            proxy_redirect off;
    
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
        }
    }
    
    server {
        client_max_body_size 40M;
        listen 80;
        server_name crm.bundystl.com;
        rewrite        ^ https://$server_name$request_uri? permanent;
    }
    

    But I get this instead..

    [image]

    Because it loads by internal IP, I know that SuiteCRM is up and running.

    My SnipeIT system is behind this as well and it works perfectly.

    [[email protected] ~]# cat /etc/nginx/conf.d/assets.bundystl.com.conf 
    server {
        client_max_body_size 40M;
        listen 443 ssl;
        server_name assets.bundystl.com snipe.bundystl.com;
        ssl          on;
        ssl_certificate /etc/letsencrypt/live/support.bundystl.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/support.bundystl.com/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass https://10.254.0.34;
            proxy_redirect off;
    
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
        }
    }
    
    server {
        client_max_body_size 40M;
        listen 80;
        server_name assets.bundystl.com snipe.bundystl.com;
        rewrite        ^ https://$server_name$request_uri? permanent;
    }
    

    [image]

    someone tell me what stupid f***ing thing I did here...



  • I don't know really anything of Nginx - that's a @scottalanmiller thing.

    But if the server name is right, and the key is right, then I would think it should work.

    First 'difference' I see is the server_name

    SnipeIT has two server_name, assets and snipe; whereas your CRM is just the CRM..

    Which I can't see as being incorrect.



  • Can you still get to it by IP?


  • Service Provider

    Looks right to me. No socket.io stuff needed, maybe remove that?


  • Service Provider

    @JaredBusch said in Problem with Nginx conf file:

       proxy_pass http://10.254.0.38;
    

    Shouldn't it say:
    proxy_pass https://10.254.0.38;

    (https vs http) Since you're going to an SSL site?


  • Service Provider

    @Mike-Davis said in Problem with Nginx conf file:

    @JaredBusch said in Problem with Nginx conf file:

       proxy_pass http://10.254.0.38;
    

    Shouldn't it say:
    proxy_pass https://10.254.0.38;

    (https vs http) Since you're going to an SSL site?

    No, Nginx is providing the SSL here. He'd likely skip Nginx if he already had SSL without it.


  • Service Provider

    Internally, if he goes to http://10.254.0.38
    does he get the Fedora site,
    and if he goes to https://10.254.0.38
    does he get the SuiteCRM site?



  • I know with Snipe-IT in the .env config file, in the Optional: Misc section. You have to supply the ip address of the proxy server when snipe-it is behind a proxy server. Maybe SuiteCRM needs something like that.


  • Service Provider

    @black3dynamite said in Problem with Nginx conf file:

    I know with Snipe-IT in the .env config file, in the Optional: Misc section. You have to supply the ip address of the proxy server when snipe-it is behind a proxy server. Maybe SuiteCRM needs something like that.

    Not with SuiteCRM. We support it and there is no special config like that.



  • Comparing the two configs

    CRM under location / does not have this:
    proxy_set_header X-Forwarded-Proto $scheme;


  • Service Provider

    @black3dynamite said in Problem with Nginx conf file:

    Comparing the two configs

    CRM under location / does not have this:
    proxy_set_header X-Forwarded-Proto $scheme;

    Mine works without that.


  • Service Provider

    I think there is a simpler problem. Because if you notice, the port 80 server block should simply force a redirect to the SSL which will then hit the 443 block.

    But if you go to crm.bundystl.com it does not even redirect.


  • Service Provider

    but if you go to assets.bundystl.com it does.


  • Service Provider

    but DNS resolves the same.
    and it is all setup the same in cloudflare

    [image]


  • Service Provider

    Looks like it is working to me.


  • Service Provider

    Well, coming back I start over and it works this time.. but I REALLY do not know WTF was different..

    I deleted the crm conf, and copied assets, again.

    [[email protected] ~]# cd /etc/nginx/conf.d/
    [[email protected] conf.d]# rm crm.bundystl.com.conf 
    rm: remove regular file ‘crm.bundystl.com.conf’? y
    [[email protected] conf.d]# cp assets.bundystl.com.conf crm.bundystl.com.conf 
    

    I edited the crm conf, only changing the two server_name lines and the proxy_pass.

    [[email protected] conf.d]# nano crm.bundystl.com.conf 
    [[email protected] conf.d]# cat crm.bundystl.com.conf 
    server {
        client_max_body_size 40M;
        listen 443 ssl;
        server_name crm.bundystl.com;
        ssl          on;
        ssl_certificate /etc/letsencrypt/live/support.bundystl.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/support.bundystl.com/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://10.254.0.38;
            proxy_redirect off;
    
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
        }
    }
    
    server {
        client_max_body_size 40M;
        listen 80;
        server_name crm.bundystl.com;
        rewrite        ^ https://$server_name$request_uri? permanent;
    }
    

    It tested good

    [[email protected] conf.d]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    [[email protected] conf.d]# systemctl restart nginx
    [[email protected] conf.d]# 
    

    and wtf it works.. someone who can find the difference, please let me know because this drove me fucking mad..

    [image]


  • Service Provider

    @scottalanmiller said in Problem with Nginx conf file:

    Looks like it is working to me.

    see post


  • Service Provider

    @JaredBusch said in Problem with Nginx conf file:

    @scottalanmiller said in Problem with Nginx conf file:

    Looks like it is working to me.

    see post

    I beat you by a second.


  • Service Provider

    @black3dynamite said in Problem with Nginx conf file:

    Comparing the two configs

    CRM under location / does not have this:
    proxy_set_header X-Forwarded-Proto $scheme;

    That probably went missing when I was troubleshooting. I was copy pasting in pieces and removing them trying to figure out why it was not working.
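
Added example (not part of the thread and not any poster's code): a directive-level comparison of the first crm.bundystl.com.conf and the re-copied one, which ignores whitespace, ordering and comments so only real differences show. The two samples are trimmed excerpts of the files posted above; the names `directives` and `config_diff` are this example's own.

```python
import re

# Trimmed excerpts of the two crm.bundystl.com.conf versions posted in the thread.
FIRST = """
server {
    server_name crm.bundystl.com;
    server_tokens off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    location / {
        proxy_set_header Host $http_host;
        proxy_pass http://10.254.0.38;
    }
}
"""
SECOND = """
server {
    server_name crm.bundystl.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://10.254.0.38;
    }
}
"""

# Quoted strings match first, so the ';' inside the HSTS value is not a terminator.
TOKEN = re.compile(r'''"[^"]*"|'[^']*'|#[^\n]*|[;{}]|[^\s;{}#"']+''')

def directives(conf):
    """Flatten a config into a set of 'context > directive' strings."""
    out, stack, words = set(), [], []
    for tok in TOKEN.findall(conf):
        if tok == "}":
            stack.pop()
        elif tok in ("{", ";"):
            stmt, words = " ".join(words), []
            if tok == "{":
                stack.append(stmt)      # entering a server/location block
            else:
                out.add(" > ".join(stack + [stmt]))
        elif not tok.startswith("#"):   # skip comments
            words.append(tok)
    return out

def config_diff(old, new):
    a, b = directives(old), directives(new)
    return sorted(a - b), sorted(b - a)   # (only in old, only in new)
```

Run over the full files as posted, `config_diff` reports the same two lines: `server_tokens off` only in the first file and the `X-Forwarded-Proto` header only in the second.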


