I have a reverse-proxy setup(I think), for gunicorn running a falcon app. I was also able to setup SSL on the nginx server. The /etc/nginx/nginx.conf:
worker_processes 1;
user nobody nogroup;
pid /tmp/nginx.pid;
error_log /tmp/nginx.error.log;
events {
worker_connections 1024; # increase if you have lots of clients
accept_mutex off; # set to 'on' if nginx worker_processes > 1
}
http {
include mime.types;
# fallback in case we can't determine a type
default_type application/json;
access_log /tmp/nginx.access.log combined;
sendfile on;
gzip on;
gzip_http_version 1.0;
gzip_proxied any;
gzip_min_length 500;
gzip_disable "MSIE [1-6]\.";
gzip_types application/json;
upstream app_server {
# fail_timeout=0 means we always retry an upstream even if it failed
# to return a good HTTP response
server 127.0.0.1:6789 fail_timeout=0;
}
server {
# if no Host match, close the connection to prevent host spoofing
listen 80 default_server;
return 444;
}
server {
listen 443 ssl;
client_max_body_size 4G;
# set the correct host(s) for your site
server_name 0.0.0.0;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
keepalive_timeout 2;
location / {
proxy_bind $server_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_redirect off;
proxy_pass http://app_server;
}
}
}
What do I need to change so that the response headers from gunicorn are preserved? Also, I am completely new to this. So is there anything that I should change?
Related
I can't get my dotnet mvc app to be hosted correctly over ssl (https). It only works over http. The following is my relevant nginx files (with "example.org" used instead of my domain)
/etc/nginx/sites-enabled/default
# Default server configuration
#
server {
server_name example.org *.example.org;
location / {
proxy_pass http://127.0.0.1:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# SSL configuration
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
listen 80 default_server;
# listen [::]:80 default_server deferred;
return 444;
}
server {
if ($host = example.org) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name example.org *.example.org;
return 404; # managed by Certbot
}
/etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
/etc/nginx/proxy.conf
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
This makes my site work over "http://example.org" but not over "https://example.org". I don't know why it won't work over https? I tried altering my /etc/nginx/nginx.conf file to make it like the recommended documentation for asp.net hosting via Microsoft. Here's my new /etc/nginx/nginx.conf file.
/etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
include /etc/nginx/proxy.conf;
limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;
server_tokens off;
sendfile on;
# Adjust keepalive_timeout to the lowest possible value that makes sense
# for your use case.
keepalive_timeout 29;
client_body_timeout 10; client_header_timeout 10; send_timeout 10;
upstream my-app{
server 127.0.0.1:5000;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.org *.example.org;
ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
ssl_session_timeout 1d;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_tickets off;
ssl_stapling off;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
#Redirects all traffic
location / {
proxy_pass http://my-app;
limit_req zone=one burst=10 nodelay;
}
}
}
When I change my /etc/nginx/nginx.conf file to the above, both "http://example.org" and "https://example.com" fail. So how do I get this app to work over https?
The problem was actually my ufw firewall. When I was setting up the droplet I did the commands:
sudo ufw enable
sudo ufw allow OpenSSH
sudo ufw default deny incoming
sudo ufw allow 'Nginx HTTP'
The problem above is that was supposed to do sudo ufw allow 'Nginx Full' then sudo reboot. After this, my original nginx configuration worked!
Try the config below (don't forget to disable https redirection in your app - remove app.UseHttpsRedirection(); from your Program.cs (Startup.cs) and remove applicationUrl https reference from launchSettings.json "https://localhost:5001"):
worker_processes 1;
events { worker_connections 1024; }
http {
sendfile on;
access_log /var/log/nginx/access.log combined;
error_log /var/log/nginx/error.log;
upstream web-api {
server 127.0.0.1:5000;
}
server {
listen 80;
server_name yourdomain.com;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name yourdomain.com;
ssl_certificate /etc/ssl/certs/yourdomain.com.crt;
ssl_certificate_key /etc/ssl/private/yourdomain.com.key;
location / {
proxy_pass http://web-api;
proxy_redirect off;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name;
}
}
}
This is my nginx configuration:
upstream itw_upstream {
server 127.0.0.1:2019 fail_timeout=3s;
}
proxy_cache_path /var/cache/nginx/mpword levels=2:2 keys_zone=itw_cache:10m inactive=300d max_size=1g;
proxy_temp_path /var/cache/nginx/tmp;
#
# the reverse proxy server as www
#
server {
listen 80;
server_name blog.demo.com;
root /opt/mpword/none;
access_log /opt/mpword/log/www_access.log;
error_log /opt/mpword/log/www_error.log;
client_max_body_size 2m;
gzip on;
gzip_min_length 1024;
gzip_buffers 4 8k;
gzip_types text/css application/x-javascript application/json;
sendfile on;
location = /favicon.ico {
proxy_pass http://source.blog.demo.com; // this is the line 14.
}
location = /robots.txt {
proxy_pass http://source.blog.demo.com;
}
location ~ /static/ {
rewrite ^(.*) http://static.blog.demo.com$1 permanent;
}
location ~ /files/ {
rewrite ^(.*) http://static.blog.demo.com$1 permanent;
}
location / {
proxy_pass http://itw_upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
#
# the source server that serves static files and uploaded files
#
server {
listen 80;
server_name source.blog.demo.com;
root /opt/mpword/../src/main/resources;
access_log /opt/mpword/log/source_access.log;
error_log /opt/mpword/log/source_error.log;
client_max_body_size 1m;
gzip on;
gzip_min_length 1024;
gzip_buffers 4 8k;
gzip_types text/css application/x-javascript application/json;
sendfile on;
location ~ /static/ {
}
location ~ /files/ {
proxy_pass http://itw_upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache itw_cache;
proxy_cache_key $uri;
proxy_cache_valid 1d;
expires 1d;
}
}
#
# the simulated CDN server
#
server {
listen 80;
server_name static.blog.demo.com;
access_log /opt/mpword/log/static_access.log;
error_log /opt/mpword/log/static_error.log;
client_max_body_size 1m;
gzip on;
gzip_min_length 1024;
gzip_buffers 4 8k;
gzip_types text/css application/x-javascript application/json;
sendfile on;
location ~ /static/ {
add_header "Access-Control-Allow-Origin" "http://blog.demo.com";
add_header "Access-Control-Allow-Methods" "GET, POST";
proxy_pass http://source.blog.demo.com;
proxy_read_timeout 3s;
}
location ~ /files/ {
add_header "Access-Control-Allow-Origin" "http://blog.demo.com";
add_header "Access-Control-Allow-Methods" "GET, POST";
proxy_pass http://source.blog.demo.com;
proxy_read_timeout 3s;
}
}
but when I run nginx -t I get error:
nginx: [emerg] host not found in upstream "source.blog.demo.com" in /etc/nginx/conf.d/blog.demo.com.conf:14
nginx: configuration file /etc/nginx/nginx.conf test failed
I didn't find the issue? how to solve it?
This is your config:
server {
server_name blog.demo.com;
location = /favicon.ico {
proxy_pass http://source.blog.demo.com; # here you ask for a upstream server
}
}
server {
server_name source.blog.demo.com; # here you spin up the upstream server
}
Didn't test it, but I think the problem is, that nginx is looking for upstream servers given in proxy_pass. But the server source.blog.demo.com is not running at the time where the proxy_pass directive is loaded in the server blog.demo.com.
So 1.) make the second server the first one to spin up and the third the second. Finally run the blog.demo.com.
Or 2.) use the workaround preventing nginx checking for upstream servers in proxy_pass:
server {
resolver 8.8.8.8 valid=30s; # or any other reachable DNS, e.g. 127.0.0.11 for docker
location = /favicon.ico {
set $upstream_source source.blog.demo.com;
proxy_pass http://$upstream_source/favicon.ico;
}
}
Every time when I'm restart the upstream server, my NGINX shows "bad gateway" which is ok, but later, when the upstream server restarts nginx not recover automatically and I need to restart it (the nginx) manually.
Is there an option to make nginx to check every few seconds if the upstream backed to normal?
upstream core {
server core:3001;
}
server {
server_name core.mydomain.com corestg.mydomain.com www.core.mydomain.com;
#listen 80;
#listen [::]:80;
gzip on;
gzip_static on;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
gzip_proxied any;
#gzip_vary on;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
listen 443 ssl http2;
listen [::]:443 ssl http2;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
server_tokens off;
ssl_certificate /etc/ssl/domain.crt;
ssl_certificate_key /etc/ssl/domain.rsa;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
location / {
proxy_ssl_session_reuse off;
proxy_pass http://core;
proxy_buffers 8 24k;
proxy_buffer_size 2k;
proxy_http_version 1.1;
proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
proxy_ignore_headers Set-Cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-NginX-Proxy true;
# proxy_set_header Host $http_host;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
Seems that NGINX does not do the auto recovery by default.
Changing the config part from:
upstream core {
server core:3001;
}
to:
{
server core:3001 max_fails=1 fail_timeout=1s;
server core:3001 max_fails=1 fail_timeout=1s;
}
did the trick. the duplication is not mistake. Nginx tries to resolve the first line, on failure it will try the second one (circularly).
My setup to test NGINX:
Docker-Container simulating the backend exposing port 9002.
afd9551abc54 nginx "/docker-entrypoint.…" About a minute ago Up 11 seconds 0.0.0.0:9002->80/tcp laughing_pike
NGINX configuration
# Defined upstream block.
upstream backend {
server 127.0.0.1:9002;
}
#Main Server block
server {
listen 80;
location / {
proxy_pass http://backend;
proxy_set_header Host $host;
}
}
Stopping the container will result in 502 Bad Gateway. Starting the container without restarting / reloading NGINX sends the data to the upstream server. So basically that should just work!
I have a odoo 11 installation behind a Nginx proxy. Its been working for a while but now when you access it, its showing index of / instead of Odoo login page (see screenshot).
Here is my Nginx configuration:
#odoo server
upstream odoo {
server 127.0.0.1:8069;
}
upstream odoochat {
server 127.0.0.1:8072;
}
# http -> https
server {
listen 80;
server_name businessapps.enone.tech;
#server_name odoo;
rewrite ^(.*) https://$host$1 permanent;
}
server {
listen 443;
server_name businessapps.enone.tech;
#server_name odoo;
proxy_read_timeout 720s;
proxy_connect_timeout 720s;
proxy_send_timeout 720s;
# Add Headers for odoo proxy mode
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
# SSL parameters
ssl on;
ssl_certificate /etc/letsencrypt/live/businessapps.enone.tech/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/businessapps.enone.tech/privkey.pem;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers '<replaced cipher>';
ssl_prefer_server_ciphers on;
# log
access_log /var/log/nginx/odoo.access.log;
error_log /var/log/nginx/odoo.error.log;
# Redirect longpoll requests to odoo longpolling port
location /longpolling {
proxy_pass http://odoochat;
}
# Redirect requests to odoo backend server
location / {
proxy_redirect off;
proxy_pass http://odoo;
}
# common gzip
gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
gzip on;
}
Can someone point out what could be the issue. Sometimes I can access the login page, other times I get the index of / page. The installation is on Ubuntu 16.0
You need to specify the directory in the nginx config, and I had this error previously and found that even once changing my config I had weird errors with odoo, so I recommend you do what I did and that is completely re install Nginx and ensure you reboot your server after having done so!
Add location block inside server {} (block)
I have used below nginx configuration
upstream odooapp {
server odoo:8069;
keepalive 8;
}
upstream longpolling {
server odoo:8072;
keepalive 8;
}
server {
listen 80;
listen [::]:80;
server_name businessapps.enone.tech;
access_log /var/log/nginx/access.log mainlog;
error_log /var/log/nginx/error.log;
return 301 https://businessapps.enone.tech:443/web/login;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name businessapps.enone.tech;
access_log /var/log/nginx/access.log mainlog;
error_log /var/log/nginx/error.log;
ssl_ciphers ALL:!ADH:!MD5:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_certificate <PATH_TO_CERT>;
ssl_certificate_key <PATH_TO_KEY>;
add_header Strict-Transport-Security "max-age=2592000; preload;" always;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
client_max_body_size 20M;
proxy_pass http://odooapp/;
proxy_redirect off;
}
location /longpolling {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://longpolling/longpolling;
proxy_redirect off;
}
Is it possible to use Nginx reverse proxy with SSL Pass-through so that it can pass request to a server who require certificate authentication for client.
It means server will need to have certificate of client server and will not need certificate of Nginx reverse proxy server.
Not sure how much it can work in your situation, but newer (1.9.3+) versions of Nginx can pass (encrypted) TLS packets directly to an upstream server, using the stream block :
stream {
server {
listen 443;
proxy_pass backend.example.com:443;
}
}
If you want to target multiple upstream servers, distinguished by their hostnames, this is possible by using the nginx modules ngx_stream_ssl_preread and ngx_stream_map. The concept behind this is TLS Server Name Indication.
Dave T. outlines a solution nicely. See his answer on this network.
From the moment that we want to do ssl pass-through, the ssl termination will take place to the backend nginx server. Also i haven't seen an answer that takes care of the http connections as well.
The optimal solution will be a Nginx that is acting as a Layer 7 + Layer4 proxy at the same time. Something else that is rarely a subject of discussion is the IP Address redirection. When we use a proxy, this must be configured on the proxy, and not to the backend server like usually.
Lastly, the client ip address must be preserved, hence we must use the proxy protocol to do this correctly.
Sounds confusing? It's not much.
I came up with a solution that i currently using in production is works flawlessly.
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
variables_hash_bucket_size 1024;
variables_hash_max_size 1024;
map_hash_max_size 1024;
map_hash_bucket_size 512;
types_hash_bucket_size 512;
server_names_hash_bucket_size 512;
sendfile on;
tcp_nodelay on;
tcp_nopush on;
autoindex off;
server_tokens off;
keepalive_timeout 15;
client_max_body_size 100m;
upstream production_server {
server backend1:3080;
}
upstream staging_server {
server backend2:3080;
}
upstream ip_address {
server backend1:3080; #or backend2:3080 depending on your preference.
}
server {
server_name server1.tld;
listen 80;
listen [::]:80;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header Connection "";
#add_header X-Upstream $upstream_addr;
proxy_redirect off;
proxy_connect_timeout 300;
proxy_http_version 1.1;
proxy_buffers 16 16k;
proxy_buffer_size 64k;
proxy_cache_background_update on;
proxy_pass http://production_server$request_uri;
}
}
server {
server_name server2.tld;
listen 80;
listen [::]:80;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header Connection "";
#add_header X-Upstream $upstream_addr;
proxy_redirect off;
proxy_connect_timeout 300;
proxy_http_version 1.1;
proxy_buffers 16 16k;
proxy_buffer_size 16k;
proxy_cache_background_update on;
proxy_pass http://staging_server$request_uri;
}
}
server {
server_name 192.168.1.1; #replace with your own main ip address
listen 80;
listen [::]:80;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header Connection "";
#add_header X-Upstream $upstream_addr;
proxy_redirect off;
proxy_connect_timeout 300;
proxy_http_version 1.1;
proxy_buffers 16 16k;
proxy_buffer_size 16k;
proxy_cache_background_update on;
proxy_pass http://ip_address$request_uri;
}
}
}
stream {
map $ssl_preread_server_name $domain {
server1.tld production_server_https;
server2.tld staging_server_https;
192.168.1.1 ip_address_https;
default staging_server_https;
}
upstream production_server_https {
server backend1:3443;
}
upstream staging_server_https {
server backend2:3443;
}
upstream ip_address_https {
server backend1:3443;
}
server {
ssl_preread on;
proxy_protocol on;
tcp_nodelay on;
listen 443;
listen [::]:443;
proxy_pass $domain;
}
log_format proxy '$protocol $status $bytes_sent $bytes_received $session_time';
access_log /var/log/nginx/access.log proxy;
error_log /var/log/nginx/error.log debug;
}
Now the only thing is yet to be done is to enable proxy protocol to the backend servers. The example below will get you going:
server {
real_ip_header proxy_protocol;
set_real_ip_from proxy;
server_name www.server1.tld;
listen 3080;
listen 3443 ssl http2;
listen [::]:3080;
listen [::]:3443 ssl http2;
include ssl_config;
# Non-www redirect
return 301 https://server1.tld$request_uri;
}
server {
real_ip_header proxy_protocol;
set_real_ip_from 1.2.3.4; # <--- proxy ip address, or proxy container hostname for docker
server_name server1.tld;
listen 3443 ssl http2 proxy_protocol; #<--- proxy protocol to the listen directive
listen [::]:3443 ssl http2 proxy_protocol; # <--- proxy protocol to the listen directive
root /var/www/html;
charset UTF-8;
include ssl_config;
#access_log logs/host.access.log main;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/html;
default_type "text/plain";
}
location / {
index index.php;
try_files $uri $uri/ =404;
}
error_page 404 /404.php;
# place rest of the location stuff here
}
Now everything should work like a charm.