Hi friends,
Sorry for the space in the www .example.com address, but I really need your help and the forum forbids publishing my post with correct links.
I have 2 DO droplets. The first droplet serves the principal site www .example.com and the second droplet serves the Discourse forum forum.example.com. I want to proxy all traffic from www .example.com/forum/ to the subdomain forum.example.com. I read a lot of forum posts and articles and eventually used the following comment https://meta.discourse.org/t/discourse-in-a-subfolder-multiple-servers-sharing-a-domain/30514/10 to implement my requirements. I also have the virtual hosts www .example2.com and www .example3.com; they are used as domains for different language versions and they work fine. I also use the free Cloudflare plan to process traffic for both sites, with the Full (strict) SSL option enabled.
Result
1. www .example.com works fine
2. forum.example.com works fine
3. www .example.com/forum/ shows a 502 HTTP error
I have 2 separate SSL certificates installed, one on each site. The certificates cover both the www and non-www versions of the sites.
Here are the principal example.com nginx configurations
/etc/nginx/sites-available/default
root /var/www/example.com/public;
index index.php index.html index.htm;
server {
server_name example.com;
rewrite ^(.*) https://www.example.com$1 permanent;
}
server {
server_name example2.com;
rewrite ^(.*) https://www.example2.com$1 permanent;
}
server {
server_name example3.com;
rewrite ^(.*) https://www.example3.com$1 permanent;
}
server {
listen 443 ssl;
server_name www .example.com www.example2.com www.example3.com;
if ($request_method = "GET" ) {
rewrite ^([^.]*[^/])$ $1/ permanent;
}
include /etc/nginx/conf.d/location;
include /etc/nginx/conf.d/ssl;
include /etc/nginx/conf.d/gzip;
}
/etc/nginx/conf.d/location
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location /forum {
rewrite ^/forum/(.*) /$1 break;
proxy_pass https://forum.example.com:443;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff|woff2|ttf)$ {
expires 1M;
access_log off;
add_header Cache-Control "public";
}
/etc/nginx/conf.d/ssl
ssl_certificate /home/oleg/ssl/www .example.com.chained.crt;
ssl_certificate_key /home/oleg/ssl/www .example.com.key;
# disable SSLv2/SSLv3, allow TLS only
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# optimizing the cipher suites
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
# connection credentials caching
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 180m;
# strict transport security
add_header Strict-Transport-Security "max-age=31536000";
/etc/nginx/conf.d/gzip
gzip_vary on;
gzip_disable "msie6";
gzip_comp_level 6;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_proxied any;
gzip_types
text/plain
text/css
text/js
text/xml
text/javascript
application/javascript
application/x-javascript
application/json
application/xml
application/xml+rss;
forum.example.com nginx configuration
upstream discourse {
server 127.0.0.1:8080;
}
server {
listen 80 default_server;
server_name forum.example.com;
return 301 https://forum.example.com$request_uri;
}
server {
listen 443 default_server ssl;
root /var/www/discourse/public;
index index.html index.htm;
server_name forum.example.com;
ssl_certificate /home/oleg/ssl/forum.example.com.chained.crt;
ssl_certificate_key /home/oleg/ssl/forum.example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
location ~ /.well-known {
allow all;
}
location / {
proxy_pass http://discourse;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
/var/discourse/containers/app.yml
templates:
- "templates/postgres.template.yml"
- "templates/redis.template.yml"
- "templates/web.template.yml"
- "templates/web.ratelimited.template.yml"
expose:
- "127.0.0.1:8080:80"
- "5432:5432"
params:
db_default_text_search_config: "pg_catalog.english"
db_shared_buffers: "256MB"
env:
LANG: en_US.UTF-8
UNICORN_WORKERS: 4
DISCOURSE_HOSTNAME: forum.example.com
DOCKER_USE_HOSTNAME: true
DISCOURSE_DEVELOPER_EMAILS: 'myadminemail'
## smtp settings and credentials removed from this dump, but they work fine
volumes:
- volume:
host: /var/discourse/shared/standalone
guest: /shared
- volume:
host: /var/discourse/shared/standalone/log/var-log
guest: /var/log
hooks:
after_code:
- exec:
cd: $home/plugins
cmd:
- git clone https://github.com/discourse/docker_manager.git
- git clone https://github.com/discoursehosting/discourse-sitemap.git
- git clone https://github.com/discourse/discourse-spoiler-alert.git
run:
- exec: echo "Beginning of custom commands"
www .example.com nginx version is nginx/1.13.0
www .example.com openssl version is 1.0.2k-1+deb.sury.org~trusty+5
forum.example.com nginx version is nginx/1.13.0
forum.example.com openssl version is 1.0.2g-1ubuntu4.1
www .example.com nginx error log
2017/05/12 05:15:01 [error] 5478#5478: *24473 connect() to [2400:cb00:2048:1::681b:a191]:443 failed (101: Network is unreachable) while connecting to upstream, client: 162.158.102.195, server: www .example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://[2400:cb00:2048:1::681b:a191]:443/", host: "www .example.com", referrer: "https://www .example.com/forum/"
2017/05/12 05:15:01 [warn] 5478#5478: *24473 upstream server temporarily disabled while connecting to upstream, client: 162.158.102.195, server: www .example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://[2400:cb00:2048:1::681b:a191]:443/", host: "www .example.com", referrer: "https://www .example.com/forum/"
2017/05/12 05:15:01 [error] 5478#5478: *24473 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, client: 162.158.102.195, server: www .example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://104.27.161.145:443/", host: "www .example.com", referrer: "https://www .example.com/forum/"
2017/05/12 05:15:01 [warn] 5478#5478: *24473 upstream server temporarily disabled while SSL handshaking to upstream, client: 162.158.102.195, server: www .example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://104.27.161.145:443/", host: "www .example.com", referrer: "https://www .example.com/forum/"
2017/05/12 05:15:01 [error] 5478#5478: *24473 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, client: 162.158.102.195, server: www .example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://104.27.160.145:443/", host: "www .example.com", referrer: "https://www .example.com/forum/"
2017/05/12 05:15:01 [warn] 5478#5478: *24473 upstream server temporarily disabled while SSL handshaking to upstream, client: 162.158.102.195, server: www .example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://104.27.160.145:443/", host: "www .example.com", referrer: "https://www .example.com/forum/"
2017/05/12 05:15:01 [error] 5478#5478: *24473 connect() to [2400:cb00:2048:1::681b:a091]:443 failed (101: Network is unreachable) while connecting to upstream, client: 162.158.102.195, server: www .example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://[2400:cb00:2048:1::681b:a091]:443/", host: "www .example.com", referrer: "https://www .example.com/forum/"
2017/05/12 05:15:01 [warn] 5478#5478: *24473 upstream server temporarily disabled while connecting to upstream, client: 162.158.102.195, server: www .example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://[2400:cb00:2048:1::681b:a091]:443/", host: "www .example.com", referrer: "https://www .example.com/forum/"
I appreciate any thoughts on how to fix the 502 error on www .example.com/forum/.
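The error log quoted above already separates the two distinct failures behind the 502: IPv6 upstream addresses with no route, and IPv4 upstreams that answer the handshake with a TLS alert. The script below is an added example, not part of the original post: it parses nginx upstream errors in that shape (constructed sample lines, the placeholder origin address 203.0.113.10 and all function names are assumptions) and also flags upstream addresses that are not the droplet expected to host forum.example.com.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample in the shape of the nginx error log quoted in the post
# (one connect() failure, its follow-up [warn] line, and one SSL_do_handshake() failure).
SAMPLE_LOG = """\
2017/05/12 05:15:01 [error] 5478#5478: *24473 connect() to [2400:cb00:2048:1::681b:a191]:443 failed (101: Network is unreachable) while connecting to upstream, client: 162.158.102.195, server: www.example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://[2400:cb00:2048:1::681b:a191]:443/", host: "www.example.com"
2017/05/12 05:15:01 [warn] 5478#5478: *24473 upstream server temporarily disabled while connecting to upstream, client: 162.158.102.195, server: www.example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://[2400:cb00:2048:1::681b:a191]:443/", host: "www.example.com"
2017/05/12 05:15:01 [error] 5478#5478: *24473 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, client: 162.158.102.195, server: www.example.com, request: "GET /forum/ HTTP/1.1", upstream: "https://104.27.161.145:443/", host: "www.example.com"
"""

# Placeholder (constructed): public address of the droplet that actually hosts forum.example.com.
EXPECTED_ORIGINS = {"203.0.113.10"}

LINE_RE = re.compile(
    r'^\S+ \S+ \[(?P<level>\w+)\] \d+#\d+: \*(?P<conn>\d+) (?P<msg>.*?) while '
    r'(?:connecting to upstream|SSL handshaking to upstream), .*?'
    r'upstream: "(?P<upstream>[^"]+)"'
)

def classify(msg, addr):
    """Map one upstream error message to a short cause label."""
    if "Network is unreachable" in msg and addr.version == 6:
        return "no-ipv6-route"            # name resolved to AAAA records this host cannot reach
    if "SSL_do_handshake() failed" in msg and "alert" in msg:
        return "tls-alert-from-upstream"  # upstream refused the handshake (nginx sends no SNI by default)
    return "other"

def triage(log_text, expected_origins=EXPECTED_ORIGINS):
    """One finding per [error] line: connection id, upstream address, cause, origin check."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["level"] != "error":
            continue                      # [warn] "temporarily disabled" lines add no new cause
        addr = ip_address(urlsplit(m["upstream"]).hostname)  # urlsplit strips [] from IPv6 literals
        findings.append({"conn": m["conn"], "upstream": str(addr),
                         "cause": classify(m["msg"], addr),
                         "via_origin": str(addr) in expected_origins})
    return findings

def summarize(findings):
    """Counts per cause plus the list of upstream addresses that are not the expected origin."""
    causes = {}
    for f in findings:
        causes[f["cause"]] = causes.get(f["cause"], 0) + 1
    return {"causes": causes,
            "off_origin": [f["upstream"] for f in findings if not f["via_origin"]]}

if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)))
```

An "off_origin" list that is not empty means proxy_pass resolved forum.example.com to the public (CDN) addresses rather than to the second droplet, so the hop leaves the host and is subject to whatever that edge requires; nginx's proxy_ssl_server_name directive is off by default, so no SNI is presented on that upstream handshake unless it is enabled.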