Talkyard with Nginx as reverse proxy and Letsencrypt for https [Mini tutorial]
Hello.
I finally made work my Talkyard instance with nginx as reverse proxy and letsencrypt for ssl, and it took me several hours so I thought I might leave this over here so others can do it in just minutes.
Environment is a VPS with Ubuntu 18.04.
1.. Follow the Talkyard official Install instructions at https://github.com/debiki/talkyard-prod-one UP TO STEP 6 ONLY.
2.. Now In the file /opt/talkyard/docker-compose.yml you must change this:
ports:
- '80:80'
- '443:443'
to this:
ports:
- '8080:80'
- '8443:443'
Or the port or number of your choice if you know what you are doing.
3.. Setup Talkyard to be able to work with https/ssl. If you don't do this it won't work:
sudo nano /opt/talkyard/conf/play-framework.conf
now find:
talkyard.secure=false
and change it to:
talkyard.secure=true
4.. Now resume the official instructions at https://github.com/debiki/talkyard-prod-one from step 7 onwards . IMPORTANT: Ignore the HTTPS instructions present at that other doc at https://github.com/debiki/talkyard-prod-one/blob/master/docs/setup-https.md. They are confusing and don't work for what we want to do.
5.. Install nginx in your server:
sudo apt install nginx
6.. Create a new server block.
sudo nano /etc/nginx/sites-available/your.domain.com.conf
That file will be empty. Now fill it with the following (of course you need to replace your.domain.com with your actual subdomain. Remember talkyard only accepts subdomains):
server {
listen 80;
server_name your.domain.com;
[…]
location /.well-known {
alias /var/www/your.domain.com/.well-known;
}
location / {
# proxy commands go here
[…]
}
}
Save the file to /etc/nginx/sites-available/your.domain.com.conf and close the editor.
7.. Now follow the instructions in this post https://serverfault.com/a/784940 "LetsEncrypt with an nginx reverse proxy" in order to configure the nginx server block, get the Letsencypt certificate, and optionally set up automatic redirection to HTTPS.
8.. Now add the talkyard configuracion to the SSL part of your server block:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name talkyard.yourblog.com;
# SSL config ...
# Reverse proxy to Talkyard:
location / {
proxy_pass http://talkyard.yourblog.com:8080/;
proxy_redirect http://talkyard.yourblog.com:8080/ https://talkyard.yourblog.com;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 120;
}
Edit with your domain name. Now test nginx
sudo nginx -t
If there are problems, check for typos, etc. If everything is ok, enable the site:
sudo ln -s /etc/nginx/sites-available/your.domain.com.conf /etc/nginx/sites-enabled/
Now reload nginx
sudo systemctl reload nginx
If everything was ok, and you have have properly configured your domain at the DNS (which is outside the scope of this tutorial), then you should be able to see Talkyard working at your.domain.com.
I hope this was helpful.
KajMagnus @KajMagnus2020-05-19 15:04:01.300ZHi Locatelli, thanks for writing this — I now linked to this mini tutorial from the GitHub readme: https://github.com/debiki/talkyard-prod-one/tree/master#install-behind-nginx-reverse-proxy (and moved this topic to the Documentation category).
@ others: That whole answer over at ServerFault, i.e.: https://serverfault.com/a/784940/44112 "LetsEncrypt with an nginx reverse proxy", is good to read all of it
In reply toLocatelli⬆:Thiru @thiruHi, i'm kinda confused with the nginx part. We are supposed to install the talkyard in opt folder right? And then why the nginx conf file has the /var/www/ as a path? I tried to create a certificate with this command
certbot certonly --webroot -w /var/www/sub.domain.com/ -d sub.domain.com -d www.sub.domain.com textand I got an error/var/www/ask.***.com/ does not exist or is not a directory.
KajMagnus @KajMagnus2021-02-08 07:56:19.607Z2021-02-08 08:02:21.645ZDo you have your own Nginx server already? Then you've decided already, some time in the past, what public HTML files directory to use — could be
/var/www/or something else. That path is unrelated to Talkyard, so could be "anything".Yes you install Talkyard in
/opt/talkyard, but your already existing Nginx server doesn't care about that — it communicates with Talkyard via HTTP (it reverse-proxy forwards HTTP requsets to Talkyard's internal Nginx server).why the nginx conf file has the /var/www/ as a path?
This, in the Original Post above:
location /.well-known { alias /var/www/your.domain.com/.well-known; }is from your own Nginx server, which Talkyard knows nothing about. It might as well have been Apache or HAProxy or Traefik (but then the config looks differently of course :- )).
***
If you didn't already have your own Nginx server, then this whole discussion topic is off-topic to you
— you should just ignore everything here then.When using Talkyard, you don't need to install any HTTP / web server yourself — Talkyard has it's own internal Nginx already.
This topic is only for people who have an old Nginx (or Apache, whatever) already and want to keep it in front of Talkyard.
Thiru @thiruI started it on a fresh VPS. And followed the first 6 steps, from this https://github.com/debiki/talkyard-prod-one page. And followed the steps from this guide until the 3rd step. And then resumed instructions from the previous guide. I think, it's better to start over. because now all I can see is Welcome to nginx page. I did everything on this order https://pastebin.com/raw/nK9B2i0q
- In reply toKajMagnus⬆:Thiru @thiru
If you didn't already have your own Nginx server, then this whole discussion topic is off-topic to you
— you should just ignore everything here then.
When using Talkyard, you don't need to install any HTTP / web server yourself — Talkyard has it's own internal Nginx already.
This topic is only for people who have an old Nginx (or Apache, whatever) already and want to keep it in front of Talkyard.That makes sense. I just tried enable the ssl. will try it again. :) Thank you for the quick response. :)