Keep getting "Welcome to nginx!" with nginx proxy

I’ve been trying to set up a nginx proxy with the help of https://www.linode.com/docs/applications/containers/beginners-guide-to-lxd-reverse-proxy/

But every time I attempt to properly set it up, I keep getting the default nginx message:

> **Welcome to nginx!**
>
> If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
>
> For online documentation and support please refer to [nginx.org](http://nginx.org/).
> Commercial support is available at [nginx.com](http://nginx.com/).
>
> *Thank you for using nginx.*

Here’s the website nginx block file:

server {
    listen 80;
    server_name websitehere;
    #return 301 https://$host$request_uri;
    #rewrite ^ https://$server_name$request_uri? permanent;
}

server {
	listen 443 ssl http2;
	listen [::]:443 ipv6only=on ssl http2;
	server_name website;
	root locationoffiles;


	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
	add_header X-Frame-Options SAMEORIGIN;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	add_header Referrer-Policy "origin";

    ssl_stapling on;
    ssl_stapling_verify on;
	client_max_body_size 64M;

  
## CACHING ##

location ~* \.(css|js|ico|gif|jpeg|jpg|webp|png|svg|eot|otf|woff|woff2|ttf|ogg)$ {
 expires 30d;
 add_header Cache-Control "public, no-transform";
}

	gzip on;
	gzip_disable "msie6";

	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_buffers 16 8k;
	gzip_http_version 1.1;
	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;


## XENFORO 2 CODE ##

    location / {
        index index.php index.html index.htm;

        try_files $uri $uri/ /index.php?$uri&$args;
	deny 159.138.0.0/16;
        }

	location = /showthread.php {
 	   return 301 /threads/$arg_t/;
	}

	location = /member.php {
	   return 301 /members/$arg_u/;
	}	

        location /install/data/ {
        internal;
        }

        location /install/templates/ {
        internal;
        }

        location /internal_data/ {
        internal;
        }

        location /library/ {
        internal;
        }

        location /src/ {
        internal;
        }

        error_page 404 /index.php;

if ($http_user_agent ~ (HUAWEIFRD|OPPO|FRD-AL00|BLEXBot|AhrefsBot) ) {
    return 403;
}
       

  location ~ \.php$ {

    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    #fastcgi_param   HTTP_SCHEME         https;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    try_files $uri $uri/ =404;
    #fastcgi_intercept_errors on;
    client_max_body_size 32M;
    fastcgi_read_timeout 150;
  }
}

And the nginx proxy file

server {

        server_name website;

        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass http://10.75.254.113;
        }

        real_ip_header proxy_protocol;
        set_real_ip_from 127.0.0.1;

    listen [::]:443 ssl proxy_protocol ipv6only=on; # managed by Certbot
    listen 443 ssl proxy_protocol; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/website/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/website/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = website) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80 proxy_protocol;
        listen [::]:80 proxy_protocol;

        server_name website;
    return 404; # managed by Certbot
}

I just can’t seem to get it to work, no matter what I try. The default files no longer exist.

I really appreciate the help.

Hi!

nginx uses the server_name field to differentiate which server block to use.
I think you are showing us some placeholder hostnames for your privacy (which is fine), like website, and websitehere.
Check in sites-enabled/ if there are any other server blocks, like the default server block.
Because, if you do not match properly the server_name, then nginx will show you whichever is the default website (likely, /etc/nginx/sites-enabled/default).


Thanks for replying.

Forgot to mention that for good measure, I erased the default block files on both the proxy and web container yesterday before I made this thread. Including the removal of the default html directories.

The server_name matches on both proxy and web container, and the fpm socket is also in order. Proxy ports (80/443) have been forwarded as well. Yet, can’t seem to figure out why it keeps showing the default nginx page.

To be honest… I’m still confused what goes into the proxy nginx container file and what goes in the web container nginx server file.

For example… One of my domains:

NGINX PROXY (container):

server {
        listen 80 proxy_protocol;
        listen [::]:80 proxy_protocol;

        server_name website;

        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass http://ipofwebcontainer;
}

        real_ip_header proxy_protocol;
        set_real_ip_from 127.0.0.1;

        listen [::]:443 proxy_protocol ssl ipv6only=on; # managed by Certbot
        listen 443 proxy_protocol ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/website/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/website/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "origin";

        ssl_stapling on;
        ssl_stapling_verify on;
}

server {
    if ($host = website) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

        listen 80 proxy_protocol;
        listen [::]:80 proxy_protocol;

        server_name website;
    return 404; # managed by Certbot
}

And the Web container nginx server file:

> server {
>     #listen 80;
>     server_name website;
> 
>         #listen 443 ssl http2;
>         #listen [::]:443 ipv6only=on ssl http2;
>         root /var/www/website;
> 
> 
> location ~* \.(css|js|ico|gif|jpeg|jpg|webp|png|svg|eot|otf|woff|woff2|ttf|ogg)$ {
>  expires 30d;
>  add_header Cache-Control "public, no-transform";
> }
> 
>         gzip on;
>         gzip_disable "msie6";
> 
>         gzip_vary on;
>         gzip_proxied any;
>         gzip_comp_level 6;
>         gzip_buffers 16 8k;
>         gzip_http_version 1.1;
>         gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
> 
> 
> ## XENFORO 2 CODE ##
> 
>     location / {
>         index index.php index.html index.htm;
> 
>         try_files $uri $uri/ /index.php?$uri&$args;
>         deny 159.138.0.0/16;
>         }
> 
>         location = /showthread.php {
>            return 301 /threads/$arg_t/;
>         }
> 
>         location = /member.php {
>            return 301 /members/$arg_u/;
>         }
> 
>         location /install/data/ {
>         internal;
>         }
> 
>         location /install/templates/ {
>         internal;
>         }
> 
>         location /internal_data/ {
>         internal;
>         }
> 
>         location /library/ {
>         internal;
>         }
> 
>         location /src/ {
>         internal;
>         }
> 
>         error_page 404 /index.php;
> 
> if ($http_user_agent ~ (HUAWEIFRD|OPPO|FRD-AL00|BLEXBot|AhrefsBot) ) {
>     return 403;
> }
> 
> 
> 
>   location ~ \.php$ {
> 
>     fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
>     fastcgi_index index.php;
>     include fastcgi_params;
>     fastcgi_param   HTTP_SCHEME         https;
>     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
>     try_files $uri $uri/ =404;
>     fastcgi_intercept_errors on;
>     client_max_body_size 32M;
>     fastcgi_read_timeout 150;
>   }
> }

Now, the website does appear to work. But only because I set the main website to use http://

If I change that to https://, I’m getting ERR_TOO_MANY_REDIRECTS.

Yet no redirection is in place in either nginx server file. Even IF I disable this part:

server {
    if ($host = website) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

        listen 80 proxy_protocol;
        listen [::]:80 proxy_protocol;

        server_name website;
    return 404; # managed by Certbot
}

Ever since I started using containers, SSL is screwed up on multiple websites. While technically the websites work, a lot of back-ends are still using http and messing up a lot of stuff.

So… what gives? What should be on the proxy nginx file and what should be on the web nginx file?

I’ll build an example tomorrow (today) at some point (probably the afternoon / evening BST). Are you trying to do SSL termination at the proxy, or do you want the web servers to have SSL as well?

What do you mean with SSL termination at the proxy?

Currently all SSL certs of all domains are installed on the nginx proxy container. But if you think it’s better / recommended to have them on the web containers instead, I can move them over.

And really appreciate it! :)

(It’s late here, so forgive me if I misunderstood or have forgotten something.)

You are trying to proxy requests on port 80; is that required?

This is a working proxy config file for the proxy instance; put this in /etc/nginx/sites-enabled/default. It redirects all HTTP requests to HTTPS, then “proxies them” to HTTP servers. We then have 2 server blocks for each domain. I don’t include all the Let’s Encrypt params because I don’t have time to get Let’s Encrypt set up here.

# Redirect all requests to https
server {
    listen 80;
    return 301 https://$host$request_uri;
}
# Proxy requests for cool_website.com
server {
    # "ssl" on the listen line replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    server_name YOUR_DOMAIN_NAME;

    ssl_certificate               /etc/letsencrypt/cert_path;
    ssl_certificate_key           /etc/letsencrypt/key_path;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996)
    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "origin";


    access_log            /var/log/nginx/YOUR_DOMAIN_NAME.access.log;

    location / {
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      proxy_pass          http://YOUR_NGINX_CONTAINER_DOMAIN_NAME:80;
      proxy_read_timeout  90;

      proxy_redirect      http://YOUR_NGINX_CONTAINER_DOMAIN_NAME:80 YOUR_DOMAIN_NAME;
    }
}
# Proxy requests for less_cool_website.com
server {
    # "ssl" on the listen line replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    server_name YOUR_SECOND_DOMAIN;

    ssl_certificate           /etc/lets_encrypt/another_cert/cert.crt;
    ssl_certificate_key       /etc/lets_encrypt/another_cert/key.key;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996)
    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "origin";

    access_log            /var/log/nginx/YOUR_SECOND_DOMAIN.access.log;

    location / {
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      proxy_pass          http://YOUR_OTHER_NGINX_WEBSITE_CONTAINER:80;
      proxy_read_timeout  90;

      proxy_redirect      http://YOUR_OTHER_NGINX_WEBSITE_CONTAINER.lxd:80 YOUR_SECOND_DOMAIN;
    }
}

On the nginx containers - I just left the default installed nginx config file as it was and this proxied the requests to them no problem, did I miss something?

Put listen [::]:80 in your website container’s nginx config file to make sure it’s also listening on IPv6 (which LXD will use by default)
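What the web container's file can look like once TLS ends at the proxy, as an added example that is not part of the thread: the backend speaks plain HTTP only, issues no HTTPS redirect of its own, and turns the proxy's X-Forwarded-Proto header into the HTTPS FastCGI flag. The variable name `$forwarded_https` and the assumption that the PHP application reads the standard HTTPS parameter are mine; the root, socket path and header name are the ones used in the posts above.

```nginx
# Web container: server file for "website" (TLS is terminated on the proxy).

# Assumed helper variable: "on" only when the proxy reported an HTTPS client.
# map belongs at http level, which is where sites-enabled files are included.
map $http_x_forwarded_proto $forwarded_https {
    default "";
    https   on;
}

server {
    # Plain HTTP on IPv4 and IPv6; certificates and HSTS stay on the proxy.
    listen 80;
    listen [::]:80;
    server_name website;
    root /var/www/website;
    index index.php index.html index.htm;

    # No "return 301 https://..." in this file: the proxy always connects
    # over http, so a redirect at this hop is answered with the same redirect
    # again and the browser reports ERR_TOO_MANY_REDIRECTS.

    location / {
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Pass the original scheme to PHP so generated links and secure-cookie
        # decisions match what the browser sees. The header is only as
        # trustworthy as the peer that sent it, so port 80 of this container
        # should be reachable from the proxy container only.
        fastcgi_param HTTPS $forwarded_https if_not_empty;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }
}
```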


Not sure if 80 was required or not, just tried to get it to work.

With your nginx proxy server file I was successfully able to get SSL properly working!

Thank you ^_^!

While it did work, noticed all IP’s are 127.0.0.1 from all users, was able to solve that with:

    real_ip_header proxy_protocol;
    set_real_ip_from 127.0.0.1;

But I have the feeling that:

  proxy_set_header        X-Real-IP $remote_addr;

Should have done the same thing?

Curious about something else as well:

  proxy_pass          http://YOUR_NGINX_CONTAINER_DOMAIN_NAME:80;
  proxy_read_timeout  90;

  proxy_redirect      http://YOUR_NGINX_CONTAINER_DOMAIN_NAME:80 YOUR_DOMAIN_NAME;

domain name? Not the IP / Host of the container?
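How the two directives asked about above relate, as an added example that is not part of the thread: `proxy_set_header X-Real-IP` only sends an address to the next hop, while `real_ip_header` with `set_real_ip_from` is what makes an nginx instance replace its own `$remote_addr`. It assumes the LXD proxy device speaks the PROXY protocol from loopback, as the `proxy_protocol` listeners and `set_real_ip_from 127.0.0.1` in the posts imply; `10.75.254.10` is a placeholder for the proxy container's address, and `10.75.254.113` is the web container address from the first post.

```nginx
# --- Proxy container -------------------------------------------------------
server {
    # The LXD proxy device connects from loopback and prepends a PROXY
    # protocol header that carries the real client address.
    listen 443 ssl proxy_protocol;
    server_name website;
    ssl_certificate     /etc/letsencrypt/live/website/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/website/privkey.pem;

    # Hop 1: accept the PROXY header only from loopback, then rewrite
    # $remote_addr to the address it carries.
    set_real_ip_from 127.0.0.1;
    real_ip_header   proxy_protocol;

    location / {
        proxy_set_header Host $host;
        # Forwards the corrected address. proxy_set_header replaces any
        # X-Real-IP sent by the client, so the value cannot be forged upstream.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://10.75.254.113;
    }
}

# --- Web container ---------------------------------------------------------
server {
    listen 80;
    listen [::]:80;
    server_name website;
    root /var/www/website;

    # Hop 2: believe X-Real-IP only when the TCP peer is the proxy container.
    # 10.75.254.10 is a placeholder; a broader range would let any host that
    # can reach this port choose the address that is logged and matched below.
    set_real_ip_from 10.75.254.10;
    real_ip_header   X-Real-IP;

    location / {
        # Evaluated against the restored client address, not the proxy's.
        deny 159.138.0.0/16;
        try_files $uri $uri/ /index.php?$uri&$args;
    }
}
```

If the proxy reaches the web container over IPv6, which is what the `.lxd` hostname resolves to later in the thread, the proxy's IPv6 address has to be listed in `set_real_ip_from` as well.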

Copied that line from the interweb. I’m sure it works in some scenarios, but remove it if you don’t need it! (Remove everything you don’t need.)

> domain name? Not the IP / Host of the container?

Yeah, because I thought that’s what you wanted; it’s up to you how you add the web servers here :)

What differs using domain name or container IP? Using the domain name appears to be causing a 404. IP seems to work though.

This could be anything. Unless you really want to debug it, just stick with the IP address (although I appreciate that’s not perfect).

What I know is that the domain name works in my proxy file and network environment (the default LXD network environment), so it’s something wrong with “your” setup (not being confrontational, just saying). I can’t replicate that behavior here (I’m more “practical” than “theoretical”, and I hate networking with a passion, so I can’t just say “do XYZ” on this issue).

One “practical test” I can think of is to put the IPv6 address instead of the domain name of the container and see if that works (that way you know if it’s a resolve issue or IPv6).

And just to be 100% clear, when I say the “domain name” I mean the domain name of the web server, i.e. nginx_server.lxd, not my_cool_website.com.

Ah, that makes a lot more sense to use the hostname ^_^. While I’d love to do so, the hostname will refer to the container’s IPv6 address rather than IPv4.

And thus far, unable to solve that as of yet. Not even sure why the hostname defaults to ipv6 over ipv4.

But, thus far… Really appreciate it! I’m so glad this works properly now.

What do you get when you do curl -v lavalink.lxd from inside your proxy container? Ignore that, I’m distracted.