Develop Reference

Getting 404 with Nginx reverse proxy

relatively new with nginx servers, and trying to do relatively tricky stuff. Go easy please.
I don't know what's wrong with my config. I'm trying to do a pretty basic reverse proxy. The first server block that does the SSL encryption definitely works. And if i uncomment the second server block, all my traffic is forwarded over to my main server, which works perfectly. The problem is, I only want certain subdomains exposed to the internet, like my gitea server. so I've commented out the second block and added the server block at the bottom, which only matches with the gitea subdomain. When I do that, all I get is a 404.
I'm also seeing some weird issues where if I go to the site without specifying a subdomain, I get a page from a site I'm no longer hosting, like it's been cached. I saw a stackoverflow post that recommended removing the sendfile option, which didn't seem to affect anything. Thought I'd ask you guys.
I should also mention that the address I'm forwarding through is on the other side of a wireguard tunnel. I don't think that's an issue since I've seen it work regardless, but it could be.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
stream
{
server
{
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
proxy_pass 127.0.0.1:80;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
# server
# {
# listen 80;
# proxy_pass 10.67.19.2:80;
# }
}
http {
##
# Basic Settings
##
# sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
# ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
# include /etc/nginx/conf.d/*.conf;
# include /etc/nginx/sites-enabled/*.conf;
server
{
listen 80;
server_name gitea.*;
location /
{
proxy_pass http://10.76.91.3:80;
}
}
}

If anyone else has this problem. I didn't realize that when you proxy a website with a url based on a subdomain, you have to include the subdomain on the proxied address.
So instead of forwarding to the IP address, I added an entry in my /etc/hosts file: 10.76.91.3 tunnel tunnel.lan gitea.tunnel.lan and modified the nginx conf with the new hostname:
server
{
listen 80;
server_name gitea.*;
location /
{
proxy_pass http://gitea.tunnel.lan;
}
}
and that fixed everything.

Using variable in nginx conf

This works in my Nginx config:
# This works
proxy_pass http://GitLab-CE:9080;
... but this does not:
# does not work
set $upstream_gitlab GitLab-CE;
proxy_pass http://$upstream_gitlab:9080;
This was copied from a different working example which uses a hyphen and a different port.
# this works
set $upstream_deluge binhex-delugevpn;
proxy_pass http://$upstream_deluge:8112;
I thought perhaps something to do with the dash, but I have another config which also uses a hyphen in its name (see above) and it works. I have tried various forms of quotation which doesn't seem to help either. What could be going on here? I am at a loss. What is it about GitLab-CE that doesn't work yet binhex-delugevpn does work? Is Nginx seeing CE has some hexidecimal math?
Full context:
# make sure that your dns has a cname set for gitlab and that your gitlab container is not using a base url
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name gitlab.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
location / {
# enable the next two lines for http auth
auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_gitlab GitLab-CE;
proxy_pass http://$upstream_gitlab:9080;
}
}
I should note that 127.0.0.11 is indeed the correct resolver and the names GitLab-CE and binhex-delugevpn do correctly resolve.
Of course there is no need to use a variable when it is only being referenced a single time but this follows the templates from linuxserver.io's letsencrypt Docker image.
EDIT: more context
Here is /config/nginx/nginx.conf.
It is unmodified by me.
## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf
user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
client_max_body_size 0;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /config/log/nginx/access.log;
error_log /config/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules;
##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /config/nginx/site-confs/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
daemon off;
EDIT 2:
I have verified that Nginx seems to be doing some "tolower" conversion when using variables.
I renamed my GitLab container to gitlab-ce and it worked fine.
I renamed my deluge container (and made appropriate edits to the .conf) to binhex-deLugevpn and it stopped working.
Then I renamed it back to binhex-deluge but in the .conf file I put set $upstream_deluge bInHeX-dElUgEvPn;
And it worked. So, nginx (1.14.2) from linuxserver/letsencrypt seems to be doing some lower conversions on variables.
I tried looking find /config -type f -print0 | xargs -0 grep -i lower and found nothing.

Why does nginx default to my proxypass?

I am using nginx as a proxy server to serve two web apps on a single server that are running on separate ports (for local development purposes). Below is the full nginx.conf file:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
server {
server_name news.mysite;
location / {
proxy_pass http://localhost:3001;
}
}
server {
server_name blog.mysite;
location / {
proxy_pass http://localhost:3002;
}
}
# include /etc/nginx/conf.d/*.conf;
# include /etc/nginx/sites-enabled/*;
}
When accessing the subdomains from the browser I see the expected content based on the web apps that are running. However, when I access the main domain through the browser (http://mysite), it displays the content from the first proxypass (news.mysite # localhost:3001). I would have expected one of the following two scenarios:
Serve content from the default directory # /var/www/html
The typical "This site can’t be reached" error in the browser.
Why is nginx proxying the first proxypass it finds by default and how can I change it?

The first server that nginx encounters for a socket will be considered the default unless you create another one that you explicitly mark as the default.
So for your case, you would want to add an additional server block as a catch all:
server {
listen 80 default_server;
root /var/www/html;
}

docker nginx stream balancer 404

I have docker and nginx version: nginx/1.10.0 (Ubuntu 16.04)
my nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 1024;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
include /etc/nginx/tcpconf.d/*;
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
this is default nginx.conf, and I added include /etc/nginx/tcpconf.d/*;
tcpconf.d contains 1 file:
stream {
upstream docker{
server localhost:8182;
server localhost:8183;
}
server {
listen 443;
proxy_pass docker;
}
}
So basically i have glassfish 4 server on docker, and when i start container on port 8182 i want to nginx balance request to port 8183(if 8182 not responding) and in reverse order.
And this is works perfectly, except one thing, when i start container, glassfish server is starting and web application on this server is starting too. Glassfish starts after 1-5 seconds and web application after 30 sec - 1 min, so when glassfish is up(for example on port 8182) nginx send request to this port and i getting 404, because glassfish is up, but web application is not, in this case I want to be redirected on port 8183 because 404 is not what i want to see)
so my question is how to tell nginx to not showing me 404 and try to request another port?

Is there any reason you are using the stream module for this? If it is a regular http server NGINX is proxying to then use regular http{} and proxy_next_upstream to define behavior on 404 error:
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream

nginx error:"location" directive is not allowed here in /etc/nginx/nginx.conf:76

When i restart the nginx with, sudo service nginx restart,
Iam facing with this error,
Restarting nginx: nginx: [emerg] "location" directive is not allowed here in /etc/nginx/nginx.conf:76
nginx: configuration file /etc/nginx/nginx.conf test failed
This is my nginx.conf file:
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules;
##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
location / {
/home/techcee/scrapbook/local/lib/python2.7/site-packages/django/__init__.pyc/
}
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
# `enter code here`
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
What is wrong in this ?

"location" directive should be inside a 'server' directive, e.g.
server {
listen 8765;
location / {
resolver 8.8.8.8;
proxy_pass http://$http_host$uri$is_args$args;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}

The server directive has to be in the http directive. It should not be outside of it.
Incase if you need detailed information, refer this.

Since your server already includes the sites-enabled folder ( notice the include /etc/nginx/sites-enabled/* line ), then you better use that.
Create a file inside /etc/nginx/sites-available and call it whatever you want, I'll call it django since it's a djanog server
sudo touch /etc/nginx/sites-available/django
Then create a symlink that points to it
sudo ln -s /etc/nginx/sites-available/django /etc/nginx/sites-enabled
Then edit that file with whatever file editor you use, vim or nano or whatever and create the server inside it
server {
# hostname or ip or multiple separated by spaces
server_name localhost example.com 192.168.1.1; #change to your setting
location / {
root /home/techcee/scrapbook/local/lib/python2.7/site-packages/django/__init__.pyc/;
}
}
Restart or reload nginx settings
sudo service nginx reload
Note I believe that your configuration like this probably won't work yet because you need to pass it to a fastcgi server or something, but at least this is how you could create a valid server

The location directive should be in the server directive, which in turn should be in the http directive. See example below for a reverse proxy:
http {
server {
location /some-path {
proxy_pass http://1.2.3.4;
}
}
}
The above is adapted from the Wiki example. More examples and documentation on the site.
By the way, be aware of the effect of include directives.