Docker nginx reverse proxy configuration

Hello all. I just managed to install Mobilizon 3.1.3 via Docker with an nginx reverse proxy configuration.

I was wondering if I’m missing anything with my reverse proxy configuration, as some things still look a bit weird: there are some margins missing and some buttons look unstyled (the button to upload an avatar image), as if certain CSS styles are missing. I configured Mobilizon to use port 5000.

My nginx config derived from the configuration provided here:

https://docs.joinmobilizon.org/administration/install/release/#reverse-proxy

I didn’t specify the location block for the css/js files as the git repo for the docker setup doesn’t seem to provide that (assuming this is coming from the docker image?).

Am I missing something?

server {
  listen 80;
  listen [::]:80;

  server_name mobilize.hamburg;
  include snippets/letsencrypt.conf;
  location / {
    return 301 https://$host$request_uri;
  }

}
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name mobilize.hamburg;

  ssl_trusted_certificate /etc/letsencrypt/live/mobilize.hamburg/fullchain.pem; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/mobilize.hamburg/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/mobilize.hamburg/privkey.pem; # managed by Certbot
  ssl_session_timeout 5m;

  # Add TLSv1.3 if it's supported by your system
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA';
  ssl_prefer_server_ciphers on;
  ssl_ecdh_curve prime256v1;
  # ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
  ssl_stapling on;
  ssl_stapling_verify on;
  
  add_header Strict-Transport-Security "max-age=31536000";

  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

  # the nginx default is 1m, not enough for large media uploads
  client_max_body_size 16m;

  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  proxy_set_header Host $http_host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;

  location / {
    proxy_pass http://127.0.0.1:5000/;
  }

  location ~ ^/(media|proxy) {
    etag off;
    access_log off;
    add_header Cache-Control "public, max-age=31536000, immutable";
    proxy_pass http://localhost:5000;
  }
}

My snippets/letsencrypt.conf does the .well-known/acme-challenge/ stuff:

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root         /var/www/letsencrypt;
}

Hello,

I saw you used 127.0.0.1 for location / whilst you used localhost for location ~ ^(media|proxy)

In the original support/nginx/mobilizon.conf, they are both using localhost.

Am I wrong to say that you changed localhost to 127.0.0.1 in your configuration?

Maybe doing the same with the other localhost for media and proxy parts…

Good catch, thank you :slight_smile:

I changed both back to localhost. The docker image is listening on something like 0.0.0.0 (:: in IPv6) by default. I could change that to localhost (127.0.0.1 or ::1 in IPv6). That way I wouldn’t expose that port publicly and limit communication through the nginx reverse proxy only. But I’m also using iptables to close ports from the outside.
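Two things in this thread can be checked mechanically: the localhost/127.0.0.1 mismatch between the two proxy_pass lines that the reply points out, and a quieter nginx rule, namely that add_header is inherited by a location only when that location sets no add_header of its own, so the Cache-Control line in the media/proxy block silently drops the Strict-Transport-Security header for those responses. The script below is an added example, not code from Mobilizon or from anyone in the thread; the config excerpt inside it is a constructed copy of the relevant lines from the opening post.

```python
import re
# Constructed excerpt of the server block from the opening post, reduced to the relevant directives.
SAMPLE = """
server {
  add_header Strict-Transport-Security "max-age=31536000";
  location / {
    proxy_pass http://127.0.0.1:5000/;
  }
  location ~ ^/(media|proxy) {
    add_header Cache-Control "public, max-age=31536000, immutable";
    proxy_pass http://localhost:5000;
  }
}
"""

def parse(text):
    # Toy nginx parser: strip comments, tokenize, and build nested (name, args, children) tuples.
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', re.sub(r'#.*', '', text))
    def block(i):
        nodes, cur = [], []
        while i < len(tokens):
            tok, i = tokens[i], i + 1
            if tok in ';{':
                children, i = block(i) if tok == '{' else ([], i)
                nodes.append((cur[0], cur[1:], children))
                cur = []
            elif tok == '}':
                break
            else:
                cur.append(tok)
        return nodes, i
    return block(0)[0]

def find_issues(text):
    """Report headers lost to a nested add_header, and proxy_pass directives that disagree on host."""
    issues, hosts = [], set()
    def walk(nodes, inherited, path):
        # nginx inherits add_header only into levels that define no add_header of their own
        own = [args[0] for name, args, _ in nodes if name == 'add_header']
        if own:
            issues.extend(f"{path}: add_header replaces inherited {h}" for h in sorted(set(inherited) - set(own)))
        for name, args, children in nodes:
            if name == 'proxy_pass':
                hosts.add(re.sub(r'^\w+://', '', args[0]).split('/')[0].split(':')[0])
            if children:
                walk(children, own or inherited, ' '.join([name, *args]))
    walk(parse(text), [], 'main')
    if len(hosts) > 1:
        issues.append(f"proxy_pass hosts are inconsistent: {sorted(hosts)}")
    return issues
```

Run `find_issues(SAMPLE)` to see both findings; re-declaring the HSTS add_header inside the media/proxy location (or using a shared include) makes the first one go away.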