0

NGINX newb here. I'm running NGINX via a SWAG container and have TLS enabled for my server using a Let's Encrypt cert.

What I'm trying to do is proxy https://plantuml.mydomain.com to https://plantuml.com. I've tried multiple variations and followed multiple guides, but thus far have been unable to get this configuration to work.

A few of the pages I've tried to follow:

Here is the config I currently have:

# from /config/nginx/proxy-confs/plantuml.subdomain.conf server { listen 443 ssl; listen [::]:443 ssl; server_name plantuml.*; include /config/nginx/ssl.conf; client_max_body_size 0; location / { include /config/nginx/proxy.conf; resolver 8.8.8.8; set $puml plantuml.com; proxy_pass https://$puml; proxy_ssl_server_name on; proxy_ssl_certificate /config/keys/letsencrypt/fullchain.pem; proxy_ssl_certificate_key /config/keys/letsencrypt/privkey.pem; proxy_ssl_session_reuse on; } }

The above includes are all the SWAG defaults, and other subdomains in this NGINX config, which point to other docker containers in the docker network, proxy correctly.

Here is a trimmed result of what I'm currently getting, with the tl;dr being its a 523

# curl -v https://plantuml.mydomain.com * Trying x.x.x.x:443... * Connected to plantuml.mydomain.com (x.x.x.x) port 443 (#0) ... * Server certificate: * subject: CN=*.mydomain.com * start date: Jan 18 08:16:27 2023 GMT * expire date: Apr 18 08:16:26 2023 GMT * subjectAltName: host "plantuml.mydomain.com" matched cert's "*.mydomain.com" * issuer: C=US; O=Let's Encrypt; CN=R3 * SSL certificate verify ok. * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x480e50) > GET / HTTP/2 > Host: plantuml.mydomain.com > user-agent: curl/7.74.0 > accept: */* > ... < HTTP/2 523 < server: nginx < date: Fri, 20 Jan 2023 18:21:14 GMT < content-type: text/plain; charset=utf-8 < content-length: 0 < vary: Accept-Encoding <

I have the error_log set to info, but there is nothing in there for this call. This entry is in the access.log (call comes from internet via the router at 192.168.50.1):

192.168.50.1 - - [20/Jan/2023:11: -0700] "GET / HTTP/2.0" 523 0 "-" "curl/7.74.0"
Improve this question
2
  • I believe you don't need any of the proxy_ssl_* settings - try without them Commented Jan 21, 2023 at 6:34
  • You've got no client facing certificate. The upstream won't respond to these requests unles you rewrite the headers and the returned content won't work as you expect without being rewritten. Sorry but you've got WAY too much to learn before you'll be able to solve problems by relying on simple questions here. Commented Jan 28, 2023 at 23:42

1 Answer 1

Reset to default
0

This come from my PlantUML Docker install page https://blog.sbw.be/scips/2023/install-your-own-plantuml-server-inside-a-docker/389/

And I think the comment underneath are heading to the right way.

Here is my nginx config for plantuml (inside a docker but that's just a matter of port)

upstream jetty { server 127.0.0.1:8084 weight=100 max_fails=5 fail_timeout=5;} server { listen 443 ssl; # managed by Certbot listen [::]:443 ssl; # managed by Certbot listen 80; listen [::]:80; server_name plantuml.mycompany.example; access_log /var/log/nginx/plantuml.mycompany.example.access.log; error_log /var/log/nginx/plantuml.mycompany.example.error.log; # RSA certificate ssl_certificate /etc/letsencrypt/live/mycompany.example-0001/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/mycompany.example-0001/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot # Redirect non-https traffic to https if ($scheme != "https") { return 301 https://$host$request_uri; } # managed by Certbot location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_pass http://jetty/; sub_filter '"http://jetty/' '"/'; sub_filter_once off; } }

As you can see in the image below:

A deployment diagram of what we are building. A shared folder with the docker. A jetty docker container. And an nginx reverse proxy. All inside a virtual private server.

There is a proxy_pass to HTTP and not to HTTPS.

As people are pointing out there is no need to use HTTP internally.

Also you mention using let's encrypt. You can see that for the let's encrypt configuration the ssl certificates must be in the configuration too, this is mandatory for every subdomain, let's encrypt does not properly and automatically support *.mydomain.com.

So a good habit is to run the certbot each time you have a new subdomain to automatically add the ssl certificate in each subdomain.

I hope this will help.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.