Nginx reverse proxy: Difference between revisions
No edit summary |
No edit summary |
||
| Line 6: | Line 6: | ||
Mediawiki uses php and this uses a link redirect to /var/run/php-fpm.sock so that I don't have to use the actual version number <pre>/var/run/php/php8.1-fpm.sock</pre> | Mediawiki uses php and this uses a link redirect to /var/run/php-fpm.sock so that I don't have to use the actual version number <pre>/var/run/php/php8.1-fpm.sock</pre> | ||
You need a Netplan file that allows for the bridge to be the default 192.168.1.38 and then QEMU/KVM will get an IP address assigned by DHCP from the ASUS Router | |||
<pre>network: | <pre>network: | ||
Latest revision as of 14:33, 13 June 2025
The reverse proxy is set up as a conf file in /etc/nginx/conf.d/bunnfamily.nz.conf
Certbot manages the certificates. Use:
# Request one certificate whose SAN list is every -d name below.
# --force-renew asks for a fresh certificate even when the current one is not
# yet due for renewal.
# NOTE(review): the nginx config on this page serves pumpcompare.info with the
# bunnfamily.nz certificate, but that name is not in this list
# (pumpcompare.aquadvanced.online is) - confirm which hostname is intended.
sudo certbot certonly --force-renew \
  -d bunnfamily.nz \
  -d www.bunnfamily.nz \
  -d chrono.bunnfamily.nz \
  -d grafana.bunnfamily.nz \
  -d wiki.bunnfamily.nz \
  -d pumpcompare.aquadvanced.online \
  -d comfyui.bunnfamily.nz \
  -d mine.bunnfamily.nz \
  -d bunnserver.bunnfamily.nz \
  -d hassio.bunnfamily.nz \
  -d node-red.bunnfamily.nz
MediaWiki uses PHP. nginx reaches PHP-FPM through a symbolic link at /var/run/php-fpm.sock, so the config does not have to name the versioned socket:
/var/run/php/php8.1-fpm.sock
You need a Netplan file that allows for the bridge to be the default 192.168.1.38 and then QEMU/KVM will get an IP address assigned by DHCP from the ASUS Router
# Netplan definition: the physical NIC eno1 gets no address of its own and is
# the only member of bridge br0, which carries the host's static address.
# Guests attached to br0 sit directly on the 192.168.1.0/24 LAN (they are not
# NATed behind the host), which is why they can lease from the router's DHCP.
network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      # No DHCP on the raw interface; addressing lives on br0.
      dhcp4: no
      dhcp6: no
      # Do not hold up boot waiting for this device.
      optional: true
  bridges:
    br0:
      interfaces:
        - eno1
      addresses:
        - 192.168.1.38/24
      nameservers:
        addresses:
          - 192.168.1.4
          - 8.8.8.8
      routes:
        - to: default
          via: 192.168.1.1
      parameters:
        # Spanning tree off and no forwarding delay on the bridge.
        stp: false
        forward-delay: 0
Also note that you need to
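# Give nginx ownership of the PHP-FPM socket/pid files so it may connect.
# The two commands had been run together on one line; chain them so chown
# only runs after the directory change succeeded.
# PHP-FPM creates the socket itself when it starts, so a manual chown does not
# survive a service restart; listen.owner / listen.group in the FPM pool file
# is the persistent way to set the same ownership.
cd /var/run/php && sudo chown nginx:nginx *.*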
otherwise you will get errors in /var/log/nginx/error.log about permission errors to access php
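Prove PHP is working by going to https://wiki.bunnfamily.nz/phpinfo.php. Delete phpinfo.php once the check has passed: its output shows the PHP configuration, loaded modules and server paths to anyone who requests the URL.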
# Named upstream for the PHP-FPM unix socket.
# No fastcgi_pass in this listing refers to php-handler; the wiki server block
# passes to unix:/run/php/php-fpm.sock directly, while this entry still names
# the versioned socket.
upstream php-handler {
    server unix:/run/php/php8.1-fpm.sock;
}
# Derive the Connection header sent upstream from the client's Upgrade header:
# no Upgrade header -> "close", anything else -> "upgrade" (WebSocket pass-through).
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}
# Port 80: redirect everything to HTTPS.
# This is the only port-80 server in the listing, so it also answers requests
# whose Host does not match *.bunnfamily.nz (e.g. pumpcompare.info).
server {
    listen 80;
    listen [::]:80;
    server_name *.bunnfamily.nz;

    # Per-host redirects written by Certbot. Each one does exactly what the
    # unconditional return at the bottom does, so they are redundant here.
    if ($host = comfyui.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = pumpcompare.info) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = mine.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = bunnserver.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = www.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = hassio.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = node-red.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = chrono.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = grafana.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = wiki.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # $host is taken from the request, so this redirects to whatever name the
    # client supplied. NOTE(review): ending with `return 404;` instead would
    # limit redirects to the hostnames listed above.
    return 301 https://$host$request_uri;
}
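# MediaWiki, served from /var/www/mediawiki through PHP-FPM.
server {
    listen 443 ssl;
    # The IPv6 listener was missing `ssl`, unlike every other server block.
    listen [::]:443 ssl;
    server_name wiki.bunnfamily.nz;

    root /var/www/mediawiki;
    index index.php index.html index.htm index.nginx-debian.html;

    # The MediaWiki directory rules on this page sit in the default server
    # (root /var/www/html), so they never applied to the wiki itself.
    # They are repeated here, ahead of the PHP location, because nginx uses the
    # first regex location that matches.

    # Directories that are never meant to be fetched over HTTP.
    location ~ ^/(cache|includes|maintenance|languages|serialized|tests|images/deleted)/ {
        deny all;
    }

    # Upload directory: serve script/markup files as plain text, never run them.
    location ~* ^/images/.*\.(html|htm|php|shtml)$ {
        types { }
        default_type text/plain;
    }

    location ~ \.php$ {
        # Only hand real files to PHP-FPM. Without this, a URI such as
        # /images/upload.png/x.php reaches the interpreter, which (depending on
        # cgi.fix_pathinfo) may execute the uploaded file as PHP.
        try_files $uri =404;

        # Unversioned symlink to the PHP-FPM socket.
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}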
# TLS terminates here; traffic continues to 192.168.1.5 as plain HTTP on the LAN.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name bunnserver.bunnfamily.nz;

    # Originally written as `location ~` (an empty regex); as the only location
    # in this server it matches every URI, exactly like `/`.
    location / {
        proxy_pass http://192.168.1.5;
        proxy_redirect off;

        # HTTP/1.1 with an empty Connection header towards the backend.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_set_header Host $host;
        # X-Real-IP is set by this proxy. X-Forwarded-For is the client's own
        # value with $remote_addr appended, so only its last entry is trustworthy.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # proxy_pass_header governs upstream *response* headers; the client's
        # Authorization request header reaches the backend without it.
        proxy_pass_header Authorization;

        # Responses are streamed unbuffered, request bodies have no size limit,
        # and an idle upstream read may last 10 hours.
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# TLS terminates here; traffic continues to 192.168.1.127:8080 as plain HTTP.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mine.bunnfamily.nz;

    # Originally written as `location ~` (an empty regex); as the only location
    # in this server it matches every URI, exactly like `/`.
    location / {
        proxy_pass http://192.168.1.127:8080;
        proxy_redirect off;

        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_set_header Host $host;
        # Only X-Real-IP and the last X-Forwarded-For entry come from this proxy;
        # earlier X-Forwarded-For entries are whatever the client sent.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Affects upstream response headers only; request Authorization is
        # forwarded regardless.
        proxy_pass_header Authorization;

        # No response buffering, no request-body size limit, 10 h read timeout.
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Proxy to the app on 192.168.1.37:3838, with WebSocket upgrade support.
# NOTE(review): this name is served with the bunnfamily.nz certificate, yet the
# certbot command on this page does not request pumpcompare.info - confirm the
# certificate really covers it, otherwise clients get a name mismatch.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pumpcompare.info;

    # Originally `location ~` (empty regex); the only location, so it matches
    # every URI just as `/` does.
    location / {
        proxy_pass http://192.168.1.37:3838;
        # Rewrite backend-absolute redirects to the public HTTPS name.
        proxy_redirect http://192.168.1.37:3838/ https://$host/;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Idle upstream connections are kept for up to 20 days.
        proxy_read_timeout 20d;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Proxy to 192.168.1.22:8123 with WebSocket upgrade support.
# NOTE(review): nothing in this block restricts who may connect; access control
# is left entirely to the backend - confirm it enforces authentication.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name hassio.bunnfamily.nz;

    # The only server block in this listing that sends HSTS. includeSubdomains
    # covers names below hassio.bunnfamily.nz, not its sibling hosts.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    location / {
        proxy_pass http://192.168.1.22:8123;
        # Turn http:// redirects from the backend into https://.
        proxy_redirect http:// https://;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
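# Proxy to the service on localhost:8086 with WebSocket upgrade support.
# NOTE(review): nothing in this block restricts who may connect; confirm the
# backend enforces its own authentication.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name chrono.bunnfamily.nz;

    location / {
        proxy_pass http://localhost:8086;
        # Turn http:// redirects from the backend into https://.
        proxy_redirect http:// https://;

        # Ask the backend for uncompressed responses.
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # The Connection header was set twice with the same value; one copy kept.
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}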
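# Proxy to the service on localhost:3000 with WebSocket upgrade support.
# NOTE(review): nothing in this block restricts who may connect; confirm the
# backend enforces its own authentication.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name grafana.bunnfamily.nz;

    location / {
        proxy_pass http://localhost:3000;
        # Turn http:// redirects from the backend into https://.
        proxy_redirect http:// https://;

        # Ask the backend for uncompressed responses.
        proxy_set_header Accept-Encoding "";
        # This block forwards the raw client Host header ($http_host); the
        # other proxies in this file use $host.
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # The Connection header was set twice with the same value; one copy kept.
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}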
# Proxy to the service on localhost:1880 with WebSocket upgrade support.
# NOTE(review): nothing in this block restricts who may connect; confirm the
# backend requires a login before exposing its editor/admin interface.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name node-red.bunnfamily.nz;

    location / {
        proxy_pass http://localhost:1880;
        # Turn http:// redirects from the backend into https://.
        proxy_redirect http:// https://;

        # Ask the backend for uncompressed responses.
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
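# Default HTTPS server: static site from /var/www/html.
# As default_server it also answers any HTTPS name with no server block of its
# own in this listing (e.g. comfyui.bunnfamily.nz).
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name bunnfamily.nz www.bunnfamily.nz;

    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;

    client_max_body_size 5m;
    client_body_timeout 30;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ /.well-known {
        allow all;
    }

    location ~ /\.ht {
        deny all;
    }

    # PHP is disabled in this server. NOTE(review): the try_files fallbacks to
    # /index.php below therefore end in `location /`; if an index.php exists
    # under the root it would be sent as a file, not executed - confirm.
    # location ~ \.php$ {
    #
    #   fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    #   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #   include fastcgi_params;
    #   include snippets/fastcgi-php.conf;
    # }

    # This was `location ^~ ^/(...)/`. `^~` marks a literal prefix, so the
    # pattern was never treated as a regex and the deny never fired. It is now
    # a regex location, placed before the static-asset regex because the first
    # matching regex wins.
    location ~ ^/(cache|includes|maintenance|languages|serialized|tests)/ {
        deny all;
    }

    # images/deleted needs a prefix location of its own: `^~ /images/` below
    # stops regex matching for everything under /images/.
    location ^~ /images/deleted/ {
        deny all;
    }

    # NOTE(review): same `^~` + regex mix-up, so this block is inert. It is left
    # as written because switching it on would also hide /extensions/ and
    # /resources/ from clients - decide which directories should be internal
    # before changing the modifier to `~`.
    location ^~ ^/(bin|docs|extensions|includes|maintenance|mw-config|resources|serialized|tests)/ {
        internal;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|xml)$ {
        try_files $uri /index.php;
        expires max;
        log_not_found off;
    }

    location = /_.gif {
        expires max;
        empty_gif;
    }

    # Security for 'image' directory
    location ^~ /images/ {
        try_files $uri /index.php;

        # The plain-text rule used to be a server-level regex, which
        # `^~ /images/` pre-empted, so it never ran. Nested here it does, and
        # the dot before the extension is now escaped.
        location ~* \.(html|htm|php|shtml)$ {
            types { }
            default_type text/plain;
        }
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}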