ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Install Nginx as a Reverse Proxy on Fedora 27

    Scheduled Pinned Locked Moved IT Discussion
    nginxfedoracertbotfedora 27reverse proxyguidesreal instructionshow to
    107 Posts 16 Posters 30.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • wirestyle22W
      wirestyle22
      last edited by wirestyle22

      Received following error:

      nginx: [warn] could not build optimal types_hash, you should increase either nginx: [warn] could not build optimal types_hash, you should increase either types_hash_max_size: 2048 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size

      I went into /etc/nginx/nginx.conf and changed types_hash_max_size to a higher value as instructed. Removed the error.

      JaredBuschJ 1 Reply Last reply Reply Quote 0
      • wirestyle22W
        wirestyle22
        last edited by

        Great guide. Probably your best yet.

        1 Reply Last reply Reply Quote 0
        • hobbit666H
          hobbit666
          last edited by

          Guess if I have my own SSL I don't need to run the certbot stuff and just add the SSL file locations in.

          Also if I have a wild card cert *.domain.co.uk do I still add the SSL to each .conf file or just the default.conf for nginx?

          JaredBuschJ 1 Reply Last reply Reply Quote 0
          • hobbit666H
            hobbit666
            last edited by hobbit666

            But going to redo my nginx install using this guide Monday.

            Might just use certbot anyway 😁 for the new servers as I redo and sort them

            1 Reply Last reply Reply Quote 0
            • JaredBuschJ
              JaredBusch @hobbit666
              last edited by

              @hobbit666 said in Install Nginx as a Reverse Proxy on Fedora 27:

              Guess if I have my own SSL I don't need to run the certbot stuff and just add the SSL file locations in.

              Also if I have a wild card cert *.domain.co.uk do I still add the SSL to each .conf file or just the default.conf for nginx?

              100% correct.

              hobbit666H 1 Reply Last reply Reply Quote 0
              • NashBrydgesN
                NashBrydges
                last edited by

                This guide is fortuitous. I had this planned for migration from Ubuntu this week. This makes my job easier. Thanks!

                1 Reply Last reply Reply Quote 1
                • NashBrydgesN
                  NashBrydges
                  last edited by

                  I'm assuming you would recommend using the .well-known addition to the conf files in the server block to avoid shutting down Nginx?

                     location /.well-known/acme-challenge {
                              root /var/www/letsencrypt;
                           }
                  
                  JaredBuschJ 1 Reply Last reply Reply Quote 0
                  • JaredBuschJ
                    JaredBusch @NashBrydges
                    last edited by

                    @nashbrydges said in Install Nginx as a Reverse Proxy on Fedora 27:

                    I'm assuming you would recommend using the .well-known addition to the conf files in the server block to avoid shutting down Nginx?

                       location /.well-known/acme-challenge {
                                root /var/www/letsencrypt;
                             }
                    

                    Not in this example as I am using the certbot --nginx switch. It knows how to handle things because of that.

                    But if you were doing something else? yes.

                    1 Reply Last reply Reply Quote 0
                    • JaredBuschJ
                      JaredBusch @wirestyle22
                      last edited by

                      @wirestyle22 said in Install Nginx as a Reverse Proxy on Fedora 27:

                      Received following error:

                      nginx: [warn] could not build optimal types_hash, you should increase either nginx: [warn] could not build optimal types_hash, you should increase either types_hash_max_size: 2048 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size

                      I went into /etc/nginx/nginx.conf and changed types_hash_max_size to a higher value as instructed. Removed the error.

                      1. This is only a warning.
                      2. Unless you are hosting hundred of domains behind Nginx, this really doesn't matter.
                      3. If you increase it to not have a warning, keep it as small as possible.

                      I just went through jumping down in halves from 3000 until I found what made it stop complaining on my system.

                          types_hash_max_size 2249;
                      

                      2248 threw the warning still.

                      Reference to what this is: http://nginx.org/en/docs/hash.html

                      1 Reply Last reply Reply Quote 2
                      • hobbit666H
                        hobbit666 @JaredBusch
                        last edited by

                        @jaredbusch said in Install Nginx as a Reverse Proxy on Fedora 27:

                        @hobbit666 said in Install Nginx as a Reverse Proxy on Fedora 27:

                        Guess if I have my own SSL I don't need to run the certbot stuff and just add the SSL file locations in.

                        Also if I have a wild card cert *.domain.co.uk do I still add the SSL to each .conf file or just the default.conf for nginx?

                        100% correct.

                        Last question.

                        What's the answer for this part of the question 🙂
                        "Also if I have a wild card cert *.domain.co.uk do I still add the SSL to each .conf file or just the default.conf for nginx"

                        😁

                        JaredBuschJ 1 Reply Last reply Reply Quote 0
                        • JaredBuschJ
                          JaredBusch @hobbit666
                          last edited by

                          @hobbit666 said in Install Nginx as a Reverse Proxy on Fedora 27:

                          @jaredbusch said in Install Nginx as a Reverse Proxy on Fedora 27:

                          @hobbit666 said in Install Nginx as a Reverse Proxy on Fedora 27:

                          Guess if I have my own SSL I don't need to run the certbot stuff and just add the SSL file locations in.

                          Also if I have a wild card cert *.domain.co.uk do I still add the SSL to each .conf file or just the default.conf for nginx?

                          100% correct.

                          Last question.

                          What's the answer for this part of the question 🙂
                          "Also if I have a wild card cert *.domain.co.uk do I still add the SSL to each .conf file or just the default.conf for nginx"

                          😁

                          Each server block needs it. Or you can use an include I guess like this.

                          include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                          

                          Just make your own file with all the ssl settings you want and drop the include in the various conf files.

                          hobbit666H 1 Reply Last reply Reply Quote 3
                          • hobbit666H
                            hobbit666 @JaredBusch
                            last edited by

                            @jaredbusch Thanks

                            1 Reply Last reply Reply Quote 0
                            • momurdaM
                              momurda
                              last edited by

                              @JaredBusch This is transparent to the www application server? I mean, Nextcloud server itself has no https configuration, it all handled through this proxy?
                              If so, this same process could be done using IIS sites in addition to apache correct?

                              scottalanmillerS 1 Reply Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @momurda
                                last edited by

                                @momurda said in Install Nginx as a Reverse Proxy on Fedora 27:

                                @JaredBusch This is transparent to the www application server? I mean, Nextcloud server itself has no https configuration, it all handled through this proxy?
                                If so, this same process could be done using IIS sites in addition to apache correct?

                                Can be, and is, used with anything that has a web interface. Apache, Nginx, IIS, NodeJS, it doesn't care. A Reverse proxy is just a proxy in front of whatever HTTP traffic is behind it. So the platform behind it doesn't matter. Mix and match anything and everything.

                                momurdaM 1 Reply Last reply Reply Quote 0
                                • momurdaM
                                  momurda @scottalanmiller
                                  last edited by

                                  @scottalanmiller So if i set this up to work with an IIS site, this IIS site has an existing cert, i would first uninstall that ssl cert, and not install another? This is what I picture.

                                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @momurda
                                    last edited by

                                    @momurda said in Install Nginx as a Reverse Proxy on Fedora 27:

                                    @scottalanmiller So if i set this up to work with an IIS site, this IIS site has an existing cert, i would first uninstall that ssl cert, and not install another? This is what I picture.

                                    You can do either, with small adjustments. Your servers behind your reverse proxy can use HTTP or HTTPS as you desire. but there is rarely much point to the overhead of HTTPS, so many of us skip it unless there is a specific reason to have it (like you are using it without the reverse proxy for LAN based access.)

                                    JaredBuschJ 1 Reply Last reply Reply Quote 3
                                    • JaredBuschJ
                                      JaredBusch @scottalanmiller
                                      last edited by

                                      @scottalanmiller said in Install Nginx as a Reverse Proxy on Fedora 27:

                                      @momurda said in Install Nginx as a Reverse Proxy on Fedora 27:

                                      @scottalanmiller So if i set this up to work with an IIS site, this IIS site has an existing cert, i would first uninstall that ssl cert, and not install another? This is what I picture.

                                      You can do either, with small adjustments. Your servers behind your reverse proxy can use HTTP or HTTPS as you desire. but there is rarely much point to the overhead of HTTPS, so many of us skip it unless there is a specific reason to have it (like you are using it without the reverse proxy for LAN based access.)

                                      If the existing server is designed for HTTP, I usually do not remove it. I just point the Nginx server block at it.

                                      Even if it is expired or self signed, it is sitll encyrpted between the proxy and the backend server.

                                      Now if the backend server has no encryption, I will not add it for no reason.

                                      Finally, if the backend server is across a public IP space, I will always use at least a self signed SSL cert for the connection.

                                      1 Reply Last reply Reply Quote 3
                                      • A
                                        Alex Sage
                                        last edited by

                                        Here is the command if you want a wildcard cert:

                                        sudo certbot  -i nginx -d "*.aaronstuder.com" -d aaronstuder.com --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns
                                        
                                        JaredBuschJ 1 Reply Last reply Reply Quote 0
                                        • JaredBuschJ
                                          JaredBusch @Alex Sage
                                          last edited by

                                          @aaronstuder said in Install Nginx as a Reverse Proxy on Fedora 27:

                                          Here is the command if you want a wildcard cert:

                                          sudo certbot  -i nginx -d "*.aaronstuder.com" -d aaronstuder.com --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns
                                          

                                          Wildcard form LE is useless until you automate the DNS challenge.

                                          A 1 Reply Last reply Reply Quote 0
                                          • A
                                            Alex Sage @JaredBusch
                                            last edited by Alex Sage

                                            @jaredbusch It's coming. Right now it just pauses and you update DNS manually, or you can use acme.sh

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 3 / 6
                                            • First post
                                              Last post