[How-To] ownCloud using NGINX, PHP-FPM, and MySQL

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Hi,

Everything is still running fine since my last post, but...

I want to get rid of the security tips concerning HSTS.

I added these lines to my nginx conf file, but the warning message still appears even though I have restarted nginx.

server_name mydomain.com;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;

Maybe I missed something.

Thanks.
I don't implement SSL in nginx so I'm not sure.
But did you check your headers to see that it was being sent correctly? Your quoting looks weird to me, like it starts and ends weird.

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977

Change this:
Code:
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;


To this:
Code:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;


https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

Mad_noob

Dabbler
Joined
Jan 13, 2016
Messages
13
Hi,

Sorry guys for the late answer, but thanks to you I managed to get it to work. I've now passed all the basic security tests.

But the problem was that I placed the add_header parameter in the server block instead of the http one...

But I have a last question:

I bought a domain name and use StartSSL's free SSL service to generate a certificate for my domain. It works great.

My domain is:

gstore.fr, which is pointing to an IP address with an A record

www.gstore.fr is redirected to gstore.fr.

On my FreeNAS I have 2 jails:

- Owncloud
- Plex

and I'm planning to use a third jail with Transmission.

For the moment I added 2 CNAME records, one for ownCloud and one for Plex, redirected to gstore.fr.

My question is, how can I get these to work? As it is, if I want to open ownCloud, I must type https://owncloud.gstore.fr/owncloud. I want to open ownCloud only with this link: https://owncloud.gstore.fr/

Maybe I need to install ownCloud at the root of nginx?

Thank you

Joshua Parker Ruehlig

You would set up a different server block in nginx for each hostname, and for your Plex hostname have it proxy requests to your Plex IP and port.

Mad_noob

Thank you !

But how did you do the part with proxy requests? I added a server part in nginx.conf with proxy_redirect, which I think is what I need to use to get it, but I'm lost...

I keep searching... ;)

Mad_noob

Still doesn't work... And you're right, it's well documented, but in fact it doesn't help when you don't really know what to use it for :)

Of course with your help I have a path to search ;)

Joshua Parker Ruehlig

Can you post your server block for Plex?

Mad_noob

Thank you !

Code:
server {
    listen 443 ssl;
    server_name plex.gstore.fr;
    location / {
        proxy_pass https://plex.gstore.fr:29960/web/index.html# ;
    }
}

Joshua Parker Ruehlig

Is Plex using SSL, as well as nginx? I don't recommend you have SSL on both; disable it for Plex, and have nginx handle it for you.

Code:
server {
    listen 443 ssl;
    server_name plex.gstore.fr;
    proxy_pass http://INTERNAL_IP:29960;
    }

Mad_noob

Thanks.

When restarting nginx, the sanity check failed as the proxy_pass directive is not allowed here.

I suppose it must be in a location statement as in the documentation?

Joshua Parker Ruehlig

Ahh, probably. How you had it for "/" would be best then.

Joshua Parker Ruehlig

That's what I did, restarted nginx and got a 502 bad gateway error...

Code:
server {
    listen 443 ssl;
    server_name plex.gstore.fr;
    location / {
        proxy_pass http://192.168.1.5:29960/web/index.html# ;
    }
}


Plex seems to work well here: https://plex.gstore.fr:29960/web/index.html#
You don't need to add all that stuff after the port. You didn't disable SSL on Plex as I suggested.
I can't help if you want to have SSL on Plex itself; I only ever proxy to stuff without SSL, and implement SSL in the upstream proxy.

Mad_noob

OK, so there is no problem for me to proxy_pass SSL, and I found on the internet people who do it fine.

I think your statement is OK even if I have the 502 bad gateway error.

The only problem is my residential router and its loopback...

My HP MicroServer is behind it, and is trying to open plex.gstore.fr, which is bound to the router's public address.

I found this and will try to set it up to know if I'm right.

Excuse me, it's a French website: https://www.sheldon.fr/2014/10/la-livebox-et-son-loopback-go-fuck/

I'll keep you informed.

Joshua Parker Ruehlig

I personally would disable SSL on Plex, and access it through nginx.
Good luck with your solution.
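An added example, not from the thread or either poster, that puts the advice above into one nginx http{} fragment: the HSTS header set once at http level with "always", one server block per hostname, ownCloud served from the document root so https://owncloud.gstore.fr/ works, and TLS terminated in nginx with plain HTTP to the Plex jail. The certificate paths, the ownCloud document root, the PHP-FPM address and the Plex jail address are assumptions.

```nginx
# Added example (not from the thread). Paths and addresses are assumed.
http {
    # Sent from the http{} context so every server{} below inherits it;
    # "always" also adds it to error responses. Note that a server{} or
    # location{} with its own add_header line does NOT inherit this one.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Plain HTTP only redirects to HTTPS, so the HSTS policy is ever only
    # seen over TLS, which is the only place browsers honour it anyway.
    server {
        listen 80;
        server_name owncloud.gstore.fr plex.gstore.fr;
        return 301 https://$host$request_uri;
    }

    # ownCloud at the document root of its own hostname.
    server {
        listen 443 ssl;
        server_name owncloud.gstore.fr;
        ssl_certificate     /usr/local/etc/ssl/gstore.fr.crt;   # assumed path
        ssl_certificate_key /usr/local/etc/ssl/gstore.fr.key;   # assumed path
        root  /usr/local/www/owncloud;                          # assumed path
        index index.php;
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_pass 127.0.0.1:9000;                        # assumed PHP-FPM address
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

    # Plex: nginx terminates TLS, Plex itself runs without SSL in the jail.
    server {
        listen 443 ssl;
        server_name plex.gstore.fr;
        ssl_certificate     /usr/local/etc/ssl/gstore.fr.crt;   # assumed path
        ssl_certificate_key /usr/local/etc/ssl/gstore.fr.key;   # assumed path
        location / {
            # proxy_pass is only valid inside a location{}; no path after the port.
            # Uses the jail address and port from the thread (assumed still valid).
            proxy_pass http://192.168.1.5:29960;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            # Plex web UI uses websockets; these two headers keep them working.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
```

Run `nginx -t` before reloading, then confirm the header is actually emitted by fetching the HTTPS site with `curl -sI` and looking for the Strict-Transport-Security line.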

Mad_noob

Thanks for your help!

I'll follow your advice for SSL on Plex.

So I have to apply the trick to bypass the fake box loopback, and to configure nginx as a reverse proxy for the other services.

I'll be posting the result here as soon as possible.

:)

Joshua Parker Ruehlig

Looking at a translated version of that French site, it sounds like you might be dealing with what I call NAT reflection: when you try to access your WAN IP from your LAN and aren't routed to the correct internal IP.

This should affect your ownCloud instance as well, so I'm not sure why you are only bringing it up with Plex. With the router OSes I'm familiar with (pfSense and DD-WRT) there are simple solutions to NAT reflection, but it sounds like you might be stuck with your router.