Nginx reverse proxy: Difference between revisions
Created page with "The reverse proxy is set up as a conf file in /etc/nginx/conf.d/bunnfamily.nz.conf certbot keeps the certificates: Use: <pre> sudo certbot certonly --force-renew -d bunnfamily.nz -d www.bunnfamily.nz -d chrono.bunnfamily.nz -d grafana.bunnfamily.nz -d wiki.bunnfamily.nz -d pumpcompare.aquadvanced.online -d comfyui.bunnfamily.nz -d mine.bunnfamily.nz -d bunnserver.bunnfamily.nz -d hassio.bunnfamily.nz -d node-red.bunnfamily.nz</pre> Mediawiki uses php and this uses a li..." |
No edit summary |
||
Line 12: | Line 12: | ||
Prove PHP is working by going to https://wiki.bunnfamily.nz/phpinfo.php | Prove PHP is working by going to https://wiki.bunnfamily.nz/phpinfo.php | ||
<pre> | |||
upstream php-handler { | |||
server unix:/run/php/php8.1-fpm.sock; | |||
} | |||
map $http_upgrade $connection_upgrade { | |||
default upgrade; | |||
'' close; | |||
} | |||
server { | |||
if ($host = comfyui.bunnfamily.nz) { | |||
return 301 https://$host$request_uri; | |||
} # managed by Certbot | |||
if ($host = pumpcompare.info) { | |||
return 301 https://$host$request_uri; | |||
} # managed by Certbot | |||
if ($host = mine.bunnfamily.nz) { | |||
return 301 https://$host$request_uri; | |||
} # managed by Certbot | |||
if ($host = bunnserver.bunnfamily.nz) { | |||
return 301 https://$host$request_uri; | |||
} # managed by Certbot | |||
if ($host = www.bunnfamily.nz) { | |||
return 301 https://$host$request_uri; | |||
} # managed by Certbot | |||
if ($host = hassio.bunnfamily.nz) { | |||
return 301 https://$host$request_uri; | |||
} # managed by Certbot | |||
if ($host = node-red.bunnfamily.nz) { | |||
return 301 https://$host$request_uri; | |||
} # managed by Certbot | |||
if ($host = chrono.bunnfamily.nz) { | |||
return 301 https://$host$request_uri; | |||
} # managed by Certbot | |||
if ($host = grafana.bunnfamily.nz) { | |||
return 301 https://$host$request_uri; | |||
} # managed by Certbot | |||
if ($host = wiki.bunnfamily.nz) { | |||
return 301 https://$host$request_uri; | |||
} # managed by Certbot | |||
listen 80; | |||
listen [::]:80; | |||
server_name *.bunnfamily.nz; | |||
return 301 https://$host$request_uri; | |||
} | |||
server { | |||
listen 443 ssl; | |||
listen [::]:443; | |||
server_name wiki.bunnfamily.nz; | |||
root /var/www/mediawiki; | |||
index index.php index.html index.htm index.nginx-debian.html; | |||
location ~ \.php$ { | |||
fastcgi_pass unix:/run/php/php-fpm.sock; | |||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |||
include fastcgi_params; | |||
} | |||
ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # m> | |||
ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; #> | |||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |||
} | |||
server { | |||
listen 443 ssl; | |||
listen [::]:443 ssl; | |||
server_name bunnserver.bunnfamily.nz; | |||
location ~ { | |||
proxy_pass_header Authorization; | |||
proxy_set_header Host $host; | |||
proxy_set_header X-Real-IP $remote_addr; | |||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
proxy_http_version 1.1; | |||
proxy_set_header Connection ""; | |||
proxy_buffering off; | |||
client_max_body_size 0; | |||
proxy_read_timeout 36000s; | |||
proxy_redirect off; | |||
proxy_pass http://192.168.1.5; | |||
} | |||
ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # m> | |||
ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; #> | |||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |||
} | |||
server { | |||
listen 443 ssl; | |||
listen [::]:443 ssl; | |||
server_name mine.bunnfamily.nz; | |||
location ~ { | |||
proxy_pass_header Authorization; | |||
proxy_set_header Host $host; | |||
proxy_set_header X-Real-IP $remote_addr; | |||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
proxy_http_version 1.1; | |||
proxy_set_header Connection ""; | |||
proxy_buffering off; | |||
client_max_body_size 0; | |||
proxy_read_timeout 36000s; | |||
proxy_redirect off; | |||
proxy_pass http://192.168.1.127:8080; | |||
} | |||
ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # m> | |||
ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; #> | |||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |||
} | |||
server { | |||
listen 443 ssl; | |||
listen [::]:443 ssl; | |||
server_name pumpcompare.info; | |||
location ~ { | |||
proxy_pass http://192.168.1.37:3838; | |||
proxy_redirect http://192.168.1.37:3838/ https://$host/; | |||
proxy_http_version 1.1; | |||
proxy_set_header Upgrade $http_upgrade; | |||
proxy_set_header Connection $connection_upgrade; | |||
proxy_read_timeout 20d; | |||
} | |||
ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # m> | |||
ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; #> | |||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |||
} | |||
server { | |||
listen 443 ssl; | |||
listen [::]:443 ssl; | |||
server_name hassio.bunnfamily.nz; | |||
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; | |||
location / { | |||
proxy_pass http://192.168.1.22:8123; | |||
proxy_set_header Host $host; | |||
proxy_redirect http:// https://; | |||
proxy_http_version 1.1; | |||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
proxy_set_header Upgrade $http_upgrade; | |||
proxy_set_header Connection $connection_upgrade; | |||
} | |||
ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # m> | |||
ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; #> | |||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |||
} | |||
server { | |||
listen 443 ssl; | |||
listen [::]:443 ssl; | |||
server_name chrono.bunnfamily.nz; | |||
location / { | |||
proxy_set_header Accept-Encoding ""; | |||
proxy_set_header Host $host; | |||
proxy_redirect http:// https://; | |||
proxy_http_version 1.1; | |||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
proxy_set_header Upgrade $http_upgrade; | |||
proxy_set_header Connection $connection_upgrade; | |||
proxy_pass http://localhost:8086; | |||
proxy_set_header Connection $connection_upgrade; | |||
} | |||
ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # m> | |||
ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; #> | |||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |||
} | |||
server { | |||
listen 443 ssl; | |||
listen [::]:443 ssl; | |||
server_name grafana.bunnfamily.nz; | |||
location / { | |||
proxy_set_header Accept-Encoding ""; | |||
proxy_set_header Host $http_host; | |||
proxy_redirect http:// https://; | |||
proxy_http_version 1.1; | |||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
proxy_set_header Upgrade $http_upgrade; | |||
proxy_set_header Connection $connection_upgrade; | |||
proxy_pass http://localhost:3000; | |||
proxy_set_header Connection $connection_upgrade; | |||
} | |||
ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # m> | |||
ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; #> | |||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |||
} | |||
server { | |||
listen 443 ssl; | |||
listen [::]:443 ssl; | |||
server_name node-red.bunnfamily.nz; | |||
location / { | |||
proxy_set_header Accept-Encoding ""; | |||
proxy_pass http://localhost:1880; | |||
proxy_set_header Host $host; | |||
proxy_redirect http:// https://; | |||
proxy_http_version 1.1; | |||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
proxy_set_header Upgrade $http_upgrade; | |||
proxy_set_header Connection $connection_upgrade; | |||
} | |||
ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # m> | |||
ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; #> | |||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |||
} | |||
server { | |||
listen 443 ssl default_server; | |||
listen [::]:443 ssl default_server; | |||
server_name bunnfamily.nz www.bunnfamily.nz; | |||
root /var/www/html; | |||
index index.php index.html index.htm index.nginx-debian.html; | |||
client_max_body_size 5m; | |||
client_body_timeout 30; | |||
location / { | |||
try_files $uri $uri/ =404; | |||
} | |||
location ~ /.well-known { | |||
allow all; | |||
} | |||
location ~ /\.ht { | |||
deny all; | |||
} | |||
# location ~ \.php$ { | |||
# | |||
# fastcgi_pass unix:/run/php/php7.4-fpm.sock; | |||
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |||
# include fastcgi_params; | |||
# include snippets/fastcgi-php.conf; | |||
# } | |||
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|xml)$ { | |||
try_files $uri /index.php; | |||
expires max; | |||
log_not_found off; | |||
} | |||
location = /_.gif { | |||
expires max; | |||
empty_gif; | |||
} | |||
location ^~ ^/(cache|includes|maintenance|languages|serialized|tests|images/deleted)/ { | |||
deny all; | |||
} | |||
location ^~ ^/(bin|docs|extensions|includes|maintenance|mw-config|resources|serialized|tests)/ { | |||
internal; | |||
} | |||
# Security for 'image' directory | |||
location ~* ^/images/.*.(html|htm|php|shtml)$ { | |||
types { } | |||
default_type text/plain; | |||
} | |||
# Security for 'image' directory | |||
location ^~ /images/ { | |||
try_files $uri /index.php; | |||
} | |||
ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # m> | |||
ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; #> | |||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |||
} | |||
</pre> |
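Review bot: The `location ^~ ^/(cache|…)/` and `location ^~ ^/(bin|…)/` blocks in the default server never match, because `^~` marks a literal prefix and no URI begins with a caret, so their `deny all` and `internal` rules are dead. As regex locations they would take effect, e.g. `location ~ ^/(cache|includes|maintenance|languages|serialized|tests|images/deleted)/ { deny all; }`. They also sit in the server whose root is /var/www/html, while MediaWiki is served by the wiki.bunnfamily.nz server from /var/www/mediawiki, which has no such rules. The `location ^~ /images/` prefix also stops regex matching for everything under /images/, so the `~* ^/images/.*.(html|htm|php|shtml)$` rule above it is never consulted.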
Revision as of 16:42, 15 May 2025
The reverse proxy is set up as a conf file in /etc/nginx/conf.d/bunnfamily.nz.conf
certbot keeps the certificates: Use:
sudo certbot certonly --force-renew -d bunnfamily.nz -d www.bunnfamily.nz -d chrono.bunnfamily.nz -d grafana.bunnfamily.nz -d wiki.bunnfamily.nz -d pumpcompare.aquadvanced.online -d comfyui.bunnfamily.nz -d mine.bunnfamily.nz -d bunnserver.bunnfamily.nz -d hassio.bunnfamily.nz -d node-red.bunnfamily.nz
MediaWiki uses PHP, and nginx reaches PHP-FPM through a symbolic link, /var/run/php-fpm.sock, so that the config does not have to name the actual versioned socket:
/var/run/php/php8.1-fpm.sock
Also note that you need to
cd /var/run/php sudo chown www-data:www-data *.*
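otherwise /var/log/nginx/error.log will show permission errors when nginx tries to reach PHP. The ownership is reset whenever PHP-FPM recreates the socket; setting listen.owner and listen.group in the FPM pool configuration makes it persistent.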
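Prove PHP is working by going to https://wiki.bunnfamily.nz/phpinfo.php and delete phpinfo.php once the check has passed, because the page shows the PHP configuration and environment to anyone who requests it.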
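# Reverse-proxy configuration for bunnfamily.nz.
# One plain-HTTP server redirects everything to HTTPS. Each HTTPS server below
# terminates TLS with the shared Let's Encrypt certificate and either serves
# files from disk or proxies to a backend over plain HTTP.

# NOTE(review): this upstream is not referenced below; the wiki server passes
# to unix:/run/php/php-fpm.sock directly.
upstream php-handler {
    server unix:/run/php/php8.1-fpm.sock;
}

# Value for the Connection header sent to backends: "upgrade" when the client
# sent an Upgrade header (WebSocket), "close" otherwise.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80: redirect to HTTPS.
# The per-host "if" blocks were written by Certbot; the unconditional return at
# the end already covers every host. $host comes from the request, so a request
# with an unexpected Host header that reaches this server is redirected to that
# name. NOTE(review): if no other file declares a default_server for port 80,
# this server also answers for names outside *.bunnfamily.nz.
server {
    if ($host = comfyui.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = pumpcompare.info) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = mine.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = bunnserver.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = www.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = hassio.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = node-red.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = chrono.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = grafana.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = wiki.bunnfamily.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name *.bunnfamily.nz;
    return 301 https://$host$request_uri;
}

# MediaWiki, served from disk through PHP-FPM.
server {
    listen 443 ssl;
    listen [::]:443 ssl;    # "ssl" added to match the IPv4 listener and the other servers
    server_name wiki.bunnfamily.nz;
    root /var/www/mediawiki;
    index index.php index.html index.htm index.nginx-debian.html;

    # NOTE(review): nothing in this server stops a .php file under
    # /var/www/mediawiki/images/ (the upload directory) from being executed;
    # the "Security for 'image' directory" rules are in the default server.
    location ~ \.php$ {
        # Only hand a request to PHP-FPM when the script exists on disk, so a
        # URI such as /images/upload.jpg/x.php is answered with 404 instead of
        # being resolved by PHP to a non-PHP file.
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# bunnserver: proxied to 192.168.1.5.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name bunnserver.bunnfamily.nz;

    # Was "location ~ {": an empty regex, which matches every URI. A plain
    # prefix location says the same thing.
    location / {
        # NOTE(review): proxy_pass_header acts on response headers from the
        # backend; the client's Authorization request header is forwarded anyway.
        proxy_pass_header Authorization;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        # 0 disables the request-body size check; together with the 10-hour
        # read timeout this leaves upload size and connection lifetime to the
        # backend. NOTE(review): set a finite limit if the backend does not need it.
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
        proxy_pass http://192.168.1.5;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# mine: proxied to 192.168.1.127:8080.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mine.bunnfamily.nz;

    # Was "location ~ {" (empty regex, matches every URI).
    location / {
        proxy_pass_header Authorization;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        # Same unlimited body size and 10-hour timeout as bunnserver above.
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
        proxy_pass http://192.168.1.127:8080;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# pumpcompare: proxied to 192.168.1.37:3838, WebSocket upgrade allowed.
# NOTE(review): the certbot command documented for this host requests
# pumpcompare.aquadvanced.online, not pumpcompare.info; confirm the certificate
# under live/bunnfamily.nz covers this server_name.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pumpcompare.info;

    # Was "location ~ {" (empty regex, matches every URI).
    location / {
        proxy_pass http://192.168.1.37:3838;
        # Rewrite backend redirects that name the internal address.
        proxy_redirect http://192.168.1.37:3838/ https://$host/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 20d;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# hassio: proxied to 192.168.1.22:8123. The only server that sends HSTS.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name hassio.bunnfamily.nz;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    location / {
        proxy_pass http://192.168.1.22:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# chrono: proxied to localhost:8086.
# NOTE(review): nginx adds no authentication here or on the grafana and
# node-red servers below; access control is whatever each backend enforces.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name chrono.bunnfamily.nz;

    location / {
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        # Set once; the original repeated this directive after proxy_pass.
        proxy_set_header Connection $connection_upgrade;
        proxy_pass http://localhost:8086;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# grafana: proxied to localhost:3000.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name grafana.bunnfamily.nz;

    location / {
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $http_host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        # Set once; the original repeated this directive after proxy_pass.
        proxy_set_header Connection $connection_upgrade;
        proxy_pass http://localhost:3000;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# node-red: proxied to localhost:1880.
# NOTE(review): confirm adminAuth is enabled in the Node-RED settings, since
# this server publishes the editor without any check of its own.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name node-red.bunnfamily.nz;

    location / {
        proxy_set_header Accept-Encoding "";
        proxy_pass http://localhost:1880;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# Main site and default_server for port 443: any HTTPS request whose name has
# no server block of its own lands here (comfyui.bunnfamily.nz is redirected to
# HTTPS above but has no HTTPS server in this file).
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name bunnfamily.nz www.bunnfamily.nz;
    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;
    client_max_body_size 5m;
    client_body_timeout 30;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ /.well-known {
        allow all;
    }

    location ~ /\.ht {
        deny all;
    }

    # location ~ \.php$ {
    #
    #     fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    #     include snippets/fastcgi-php.conf;
    # }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|xml)$ {
        try_files $uri /index.php;
        expires max;
        log_not_found off;
    }

    location = /_.gif {
        expires max;
        empty_gif;
    }

    # NOTE(review): "^~" marks a literal prefix, not a regex, so the next two
    # locations only match a URI that begins with the character "^" and never
    # apply. They need "~" to act as regexes, and they describe MediaWiki
    # directories although this server's root is /var/www/html.
    location ^~ ^/(cache|includes|maintenance|languages|serialized|tests|images/deleted)/ {
        deny all;
    }

    location ^~ ^/(bin|docs|extensions|includes|maintenance|mw-config|resources|serialized|tests)/ {
        internal;
    }

    # Security for 'image' directory
    # NOTE(review): never consulted, because the "^~ /images/" prefix location
    # below stops regex matching for every URI under /images/. The dot before
    # the extension group is also unescaped.
    location ~* ^/images/.*.(html|htm|php|shtml)$ {
        types { }
        default_type text/plain;
    }

    # Security for 'image' directory
    location ^~ /images/ {
        try_files $uri /index.php;
    }

    ssl_certificate /etc/letsencrypt/live/bunnfamily.nz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bunnfamily.nz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}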