nginx misconfiguration #81

Open
boredomdenied opened this issue Jan 2, 2022 · 4 comments

@boredomdenied

While troubleshooting an error related to Safari users not being able to resolve the site in the browser, I came to find that the nginx configuration needs tweaking.

First, I found that there was an error in the nginx logs.

The command `docker exec -ti nginx_mattermost watch cat /var/log/nginx/error.log`

I kept seeing the error:

```
No resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org
```

Based on replies to this thread here it seems this is related to OCSP. I notice the latest commit with this file comments out the `resolver 1.1.1.1` line. Was this a regressive move?

I've tried to modify the nginx default.conf file unsuccessfully so far.

Using the default config and issuing `docker exec -ti nginx_mattermost nginx -t -c /etc/nginx/conf.d/default.conf` results in:

```
nginx: [emerg] "proxy_cache_path" directive is not allowed here in /etc/nginx/conf.d/default.conf:6
nginx: configuration file /etc/nginx/conf.d/default.conf test failed
```

This brings me to try many variations, so far all unsuccessful. Interestingly, this failed config somehow doesn't result in a reboot loop and the image does run as-is.

I'm requesting someone look into the standard docker nginx config. Why was the resolver removed, why does the default config fail, and what should be shifted to ensure the correct configuration passes nginx config test?

boredomdenied (Author) commented Jan 2, 2022

While I can't explain the behavior, the user is now reporting that it works with Safari after uncommenting the resolver line. I made it: `resolver 1.1.1.1 1.0.0.1;`

The config still fails `nginx -t`, so this is a bit disturbing for a production environment.

mrckndt (Member) commented Jan 31, 2022

@boredomdenied

> I notice the latest commit with this file comments out the `resolver 1.1.1.1` line. Was this a regressive move?

No. If no resolver is configured, Nginx uses the host resolver (host as in the host which is running Nginx, not the Docker host), which in this case is the container. The container itself uses the Docker host resolver (because this deployment uses a user-defined network which is being created by docker-compose).
I can't say what you've changed, but for me Nginx is working as expected; if `nginx -t` fails it refuses to start altogether.

@jayakrishnayadav24

```
[jaya@localhost conf.d]$ sudo cat default.conf
upstream backend {
    server 192.168.56.101:8065;
    keepalive 32;
}

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;

server {
    listen 80;
    server_name 192.168.56.101;
    location ~ /api/v[0-9]+/(users/)?websocket$ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        client_max_body_size 50M;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_buffers 256 16k;
        proxy_buffer_size 16k;
        client_body_timeout 60;
        send_timeout 300;
        lingering_timeout 5;
        proxy_connect_timeout 90;
        proxy_send_timeout 300;
        proxy_read_timeout 90s;
        proxy_pass http://backend;
    }

    location / {
        client_max_body_size 50M;
        proxy_set_header Connection "";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_buffers 256 16k;
        proxy_buffer_size 16k;
        proxy_read_timeout 600s;
        proxy_cache mattermost_cache;
        proxy_cache_revalidate on;
        proxy_cache_min_uses 2;
        proxy_cache_use_stale timeout;
        proxy_cache_lock on;
        proxy_http_version 1.1;
        proxy_pass http://backend;

    }
}
[jaya@localhost conf.d]$ sudo systemctl daemon-reload
[jaya@localhost conf.d]$ sudo systemctl restart nginx
Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
[jaya@localhost conf.d]$ sudo systemctl status nginx
● nginx.service - nginx - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sun 2023-05-28 16:10:43 UTC; 9s ago
Docs: http://nginx.org/en/docs/
Process: 2078 ExecStop=/bin/sh -c /bin/kill -s TERM $(/bin/cat /var/run/nginx.pid) (code=exited, status=0/SUCCESS)
Process: 2083 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)
Main PID: 1648 (code=exited, status=0/SUCCESS)

May 28 16:10:43 localhost.localdomain systemd[1]: Starting nginx - high performance web server...
May 28 16:10:43 localhost.localdomain nginx[2083]: nginx: [emerg] unexpected "}" in /etc/nginx/conf.d/default.conf:50
May 28 16:10:43 localhost.localdomain systemd[1]: nginx.service: control process exited, code=exited status=1
May 28 16:10:43 localhost.localdomain systemd[1]: Failed to start nginx - high performance web server.
May 28 16:10:43 localhost.localdomain systemd[1]: Unit nginx.service entered failed state.
May 28 16:10:43 localhost.localdomain systemd[1]: nginx.service failed.
[jaya@localhost conf.d]$
```

@jayakrishnayadav24

There is no error in the default.conf file, but it is showing unexpected }. If I just remove the extension it works and there is no error, but the problem here is that I need to save that file with the .conf extension; only then will the Mattermost `curl http://localhost` work.
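
As an added illustration (not code from this repository or from any commenter), the sketch below models how nginx tracks block context while parsing, which is what produces the `directive is not allowed here` and `unexpected "}"` messages quoted in this thread: a file passed to `nginx -t -c` is read in the top-level `main` context, while the same file pulled in by an `include` inside `http { }` is read in `http` context. `ALLOWED`, `SAMPLE` and `lint` are hypothetical names; the fragment is constructed, the directive table is a small subset, and variables written as `${name}` are not handled.

```python
import re

# Contexts in which nginx accepts each directive (subset relevant to this thread).
ALLOWED = {
    "proxy_cache_path": {"http"},
    "upstream": {"http", "stream"},
    "server": {"http", "stream", "mail", "upstream"},
}
# Comment, quoted string, structural character, or bare word.
TOKEN = re.compile(r'#[^\n]*|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[{};]|[^\s{};]+')

# Constructed fragment in the style of a conf.d/*.conf file (not the project's file).
SAMPLE = """\
upstream backend {
    server 192.0.2.10:8065;
}
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m;
server {
    location / {
        proxy_pass http://backend;
    }
}
"""


def lint(text, root="main"):
    """Lint `text` as read in context `root` ("main": nginx -t -c FILE; "http": included)."""
    findings, stack, stmt = [], [root], []
    for m in TOKEN.finditer(text):
        tok, line = m.group(), text.count("\n", 0, m.start()) + 1
        if tok == "}":
            # "}" with no open block, or right after a directive missing its ";".
            if stmt or len(stack) == 1:
                findings.append((line, 'unexpected "}"'))
            stack, stmt = stack[:-1] or [root], []
        elif tok in ("{", ";"):
            name = stmt[0] if stmt else ""
            if stack[-1] not in ALLOWED.get(name, {stack[-1]}):
                findings.append((line, f'"{name}" directive is not allowed here'))
            if tok == "{":
                stack.append(name)
            stmt = []
        elif not tok.startswith("#"):
            stmt.append(tok)
    if len(stack) > 1:
        findings.append((text.count("\n") + 1, 'unexpected end of file, expecting "}"'))
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE, "main"), lint(SAMPLE, "http"), sep="\n")
```

Read as `main`, the constructed fragment is flagged at lines 1, 4 and 5; read as `http`, it produces no findings, and dropping the `;` after `proxy_pass http://backend` yields `unexpected "}"` on the following line.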
