I'm trying to set up virtual hosting for Plone 5.1 in Docker under ECS so that the individual sites are exposed but the management interfaces and ability to create new sites is not. I've tried following the instructions here and here and on other forum posts, but none seem to cover how to set up more than one site....
This is what my configuration looks like:
# This specifies which IP and port Plone is running on.
# The default is 127.0.0.1:8080
upstream plone {
server plone.ecs.internal:8080;
}
# this forces all unencrypted HTTP traffic on port 80 to be redirected to encrypted HTTPS
server {
listen 80;
server_name mysite.com;
location / {
rewrite ^ https://mysite.com permanent;
}
}
server {
listen 443 default ssl;
ssl_certificate /etc/ssl/ssl_certificate.cer;
ssl_certificate_key /etc/ssl/ssl_cert.key;
server_name mysite.com;
access_log /var/log/nginx/mysite.com.access.log;
error_log /var/log/nginx/mysite.com.error.log;
location ~* /manage(_.+)$ {
deny all;
}
location /health.html {
alias /opt/openresty/nginx/html/index.html;
}
location /site1 {
rewrite ^/(.*)$ /VirtualHostBase/https/mysite.com:443/site1/VirtualHostRoot/$1 break;
proxy_pass http://plone;
}
location /site2 {
rewrite ^/(.*)$ /VirtualHostBase/https/mysite.com:443/site2/VirtualHostRoot/$1 break;
proxy_pass http://plone;
}
}
This configuration causes nginx to spit back a 502 error, even though I can go to /health.html just fine. Any suggestions on what I might do differently so site1 and site2 work correctly?
Not sure whats wrong with your config but we do things in a simpler way that may help you. Instead of fiddling with custom nginx every time we want to add a new site we first rewrite the host header to put __ssl__ in the domain (since VHM doesn't handle protocol matching)
reqirep ^Host:\ (.*) Host:\ __ssl__\.\1 if https
(this is haproxy config but the same in nginx should be easy.
Then we can put as many rules as we want in the /virtual_monster in the base of the zope site. similar to this
So if I'm reading this correctly, __ssl__ is some form of substitution that goes at the front of mysite.com, so test-plone.mysite.com wouldn't need a separate rule, the location header would be rewritten to to "test-plone" instead. Am I understanding correctly or is __ssl__ a special keyword?
its a prefix that so that the VHM can tell the different between http and https urls. It's not special to VHM. It's something we made up. It just means you can have two rules in the VHM virtual hosting tab like this
So both https and https urls get rewritten properly.
In your case you are redirecting http traffic before it gets to plone so maybe you don't even need this. Just use VHM in zope directly.
Also in your config I'm not sure what you are trying to do. Normally you use VHM rewriting to handle more than one domain name. But you seem to be rewritting paths /site1 to /site1 and /site2 to /site2 which doesn't make a lot of sense.
The hope was to serve each site from the same parent domain, just from different paths.... is it better to do that from a VHM rule? That might solve the other problem that we're struggling with... we can get the site to work, but all the stylesheets are missing.
@djay One more question... the Docker container by default puts the Welcome page to create a new site at the root by default. Using the generic first rule you showed, is there any way to restrict access to that page so that people can't go randomly creating new sites, or is the only option to hide that page via the reverse proxy or a VHM rule?
You still still need an admin account to create sites. The first thing always should do is add a new root account and remove the old one so there is not an account with the default password.
Normally people rewrite a domain directly to a plone instance and have another domain or use the direct IP (or use a VPN tunnel like we do( to get at the ZMI.