Problem configuring nginx for virtual hosting of Plone5 site

Hello,

With reference to the tutorial "Installing Plone for Production on Ubuntu", I failed to connect from outside to my Plone5 website with the Nginx server. The site can only be accessed in localhost mode, on port 8080. However, Nginx can be externally accessed (on port 80) at my static IP address. The "listen" directive of the Plone5 config file ("plone5.conf") in /etc/nginx/sites-available/ only lists port 80. How can it be set to listen on all interfaces, not just localhost?

Any guidance or hint with regard to this issue would be very much appreciated.

Well, here is the file for my configuration. Don't ask me how it works, I have absolutely no idea; I use Ansible Plone and this marvelous tool does almost all the dirty work for me, allowing me to concentrate on what I want to do. Highly recommended, it's easily the most undermarketed Plone feature (yes, this is the secret Plone hosting providers don't want you to know), use it and forget all system troubles if you are using a compatible system (which you do).

server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php7.0-cgi alone:
	#	fastcgi_pass 127.0.0.1:9000;
	#	# With php7.0-fpm:
	#	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}

Thank you so much for such a prompt reply and for the code. I didn't know about Ansible Plone, but at first glance it seems invaluable. I am giving it top priority and will be happy to let you know about any possible outcome.

Thank you again.

Nginx passes the request on from port 80 to Plone on port 8080. The config should be just fine as it is.
If this doesn't work, then your public IP address probably is not the IP address of your machine.
Is there anything specific that does not work?

PS: I'm assuming you use the tutorial at https://docs.plone.org/manage/deploying/production/ubuntu_production.html#step-5-set-up-virtual-hosting ?

Thank you for your reply, jaroel.

If by my machine's IP address you mean my dynamic (private) address, then my static (public) address indeed is not the same as my dynamic (private) one. I tried, without success so far, to allow the public IP address in the "location" directive. Other than that, I didn't notice any particular problem.

Yes, I am using Plone's tutorial in the "Guide to deploying and installing Plone in Production" and the configuration file in "/etc/nginx/sites-available/plone5.conf".

If you (in nginx) specify nothing but the port (80), nginx will listen on all interfaces. So that's not your problem.

Where are you hosting your site? Is it on a VPS of some sort? Could you elaborate a bit on your setup, i.e. the public IP address: is it for the same machine where your Plone site is running? If not, is it on a router that you control?

Hello, Roel,

My apologies for this late reply. No, my site is not hosted on a VPS. The static (public) IP address was assigned to me by my ISP and is registered with my DNS (as an A record). My Nginx server can be accessed from outside with it, but not my website. The problem therefore remains between the server and the site's config file (the router's settings are correct).
Hope this answers your questions.

You'll have to help me out a bit more here.
If you access your public IP address, do you see the default page? If you try to access the domain name, what do you see? Does the domain name resolve to your IP address?

Can you configure a static page for the vhost first? I.e. try something like https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-server-blocks-virtual-hosts-on-ubuntu-16-04 .

With my public IP address, I can see the Nginx default page (with the "Welcome to nginx" message). But if I enter the domain name followed by my site's name, which is "archeonavis.net/ArcheoNavis4", I get an "error loading" message (in French, which is my mother tongue: "Erreur de chargement"), followed by "The connection was reset" ("la connexion a été réinitialisée"). The domain name therefore does not resolve to my IP address.

Thanks for the link to DigitalOcean. I didn't know about it, but if you give me some time, I'll try to work it out.

Could it be a domain problem instead of a server one? If I try archeonavis.net, I see the default registrar page. Did you configure your domain to set up an A record?

Yes, my domain name is set up as an A record with my DNS. When you connect to "archeonavis.net", which is the domain name alone, you only see the Plone5 entry page to sites which I host on the AWS (Amazon Web Services) cloud but which I haven't been maintaining for a while. I do have a fully operational site, also on AWS, which can be accessed without problem. Its address is "modular.bitnamiapp.com/ArcheoNavis2".
What I am trying to do with my Nginx server is to give public access to my Plone5 site, "ArcheoNavis4", just as for the AWS site, but which I can only connect to as localhost for the moment. So I don't think the problem is with either the domain or the server, but surely due to my inability to properly configure the latter.

dig archeonavis.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> archeonavis.net
(...)
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1
(...)
;archeonavis.net. IN A
;; ANSWER SECTION:
archeonavis.net. 1137 IN A 192.64.119.169
archeonavis.net. 1137 IN A 81.63.149.242
archeonavis.net. 1137 IN A 35.176.250.121

Seems a bit strange, is it really intended this way?

Two of the three IP addresses were assigned as static IPs for the sites I have on the AWS cloud. The last one, '81.63.149.242', was provided by my ISP and makes it possible to connect to my Nginx server from outside, but only to the Nginx welcome page, not to my Plone5 website. All three addresses are recorded with my DNS as 'A records'.
Did I answer your question?

Yes, the third is your bitnamiapp, the second is your nginx/plone. What I am not quite getting is how you can expect your browser to get to the IP address you want. I have tried the IP address of your nginx site and it does not display the default page, nothing, with http or https.

I don't get it either. Could it be because my nginx/plone static IP address was assigned to me by my ISP, who also assigned my dynamic (private) address with which I normally connect to the Internet, but who doesn't authorize external access otherwise? I had lengthy discussions with my ISP's technicians about this, we also checked my router's settings several times together, and it comes down to this: they cannot solve the problem and even invoke security reasons, while denying that they are deliberately blocking access to my server.
Very sorry I can't give you more precise explanations at this stage.

If this can be of any help, I should also mention that I occasionally use the OpenVPN server and that its user permissions for DMZ settings were enabled and set to '81.63.149.242:tcp/80' as DMZ IP address by OpenVPN's support. They assured me that my server can be accessed from outside with these settings. But, of course, only an external user other than me could confirm it. The OpenVPN is open at this moment on my machine and I can leave it open for the next few hours. So if you might have a chance to try a connection, I would very much appreciate it.

I have the beginning of a headache trying to follow :) To be candid, I have no urge to even know about an OpenVPN link without certificates.
Anyway, I can now see your nginx default page using the IP address. At this moment you should only use the IP address to do your testing; let the DNS situation be as it is.
I have looked a bit more at the Ansible Plone generated nginx configuration and I think I see the problem. You asked for the sites-available file and I provided it. But it's not in this file that the magic happens, it's in a sites-enabled file. Here it is:

sites-enabled/http_ploneprod2:   set $vh_port "80";
sites-enabled/http_ploneprod2:        rewrite ^/(.*)$ /VirtualHostBase/$vh_protocol/$host:$vh_port/Plone/VirtualHostRoot/$1 break;
sites-enabled/https_ploneprod2:   set $vh_port "443";
sites-enabled/https_ploneprod2:        rewrite ^/(.*)$ /VirtualHostBase/$vh_protocol/$host:$vh_port/Plone/VirtualHostRoot/$1 break;

You should have something like that in your nginx directory (in mine there is an include in nginx.conf for the files under the sites-enabled directory).

This is what I have in my nginx.conf file:

# Virtual Host Configs
##

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

The "conf.d" directory is empty. I tried to modify the Plone conf file in "sites-enabled", following your indications, but it failed the "service nginx configtest". Here is my original plone5.conf, which I adapted from the Plone tutorial example (I changed the domain name to "mydomain.net" so as not to post its link twice):

server {
    server_name www.mydomain.net;
    listen 80;

    location / {
        # Hand the request to Zope's VirtualHostMonster together with the
        # public protocol, host and port, so that Plone generates URLs for
        # www.mydomain.net instead of localhost:8080. The capture must be
        # (.*) for the whole path; a bare (.) only matches one-character paths.
        rewrite ^/(.*)$ /VirtualHostBase/http/www.mydomain.net:80/ArcheoNavis4/VirtualHostRoot/$1 break;
        proxy_pass http://localhost:8080;
    }

    # Keep the Zope Management Interface off the public interface.
    location ~ manage_ {
        deny all;
    }
}

server {
    server_name mydomain.net;
    listen 80;
    access_log off;
    # Redirect the bare domain to the www host served above.
    rewrite ^(/.*)$ http://www.mydomain.net$1 permanent;
}

I can also connect to my server with the IP address, but not with the domain name.

I apologize for the headache. Of course, the VPN would be useless without certificates. I just gave the DMZ settings for information.
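The two posts above turn on one mechanism: nginx rewrites the public path into a /VirtualHostBase/... path before `proxy_pass http://localhost:8080`, and Zope's VirtualHostMonster on the other end uses that path to recover the public base URL. The script below is an added example, not code from this thread, from Plone or from nginx: it models that exchange in plain Python so the rewrite can be traced without a running server. It assumes the site id ArcheoNavis4 from the thread, and the host names and paths it uses are constructed test input. It also shows the effect of the `(.)` capture in the posted plone5.conf against the intended `(.*)`, and why testing by bare IP works when the rewrite uses `$host`, as suggested above.

```python
"""Trace one request through nginx virtual hosting into Zope's VirtualHostMonster.

Added example (not from the thread, Plone or nginx). Site id ArcheoNavis4 is
taken from the thread; all request paths and hosts below are constructed.
"""
import re

# Replacement in the shape of the sites-enabled file quoted above: $vh_protocol,
# $host, $vh_port and $site are nginx variables, $1 is the regex capture.
VHB_REPLACEMENT = "/VirtualHostBase/$vh_protocol/$host:$vh_port/$site/VirtualHostRoot/$1"

GOOD_PATTERN = r"^/(.*)$"   # captures the whole request path
BROKEN_PATTERN = r"^/(.)$"  # as in the posted plone5.conf: one character only


def nginx_rewrite(uri, pattern, replacement, variables):
    """Apply a single nginx-style `rewrite PATTERN REPLACEMENT break;`.

    $1-style backreferences come from the match, $name from `variables`.
    Returns None when the pattern does not match, which is also what nginx
    does: the request is then proxied with its original URI.
    """
    match = re.search(pattern, uri)
    if match is None:
        return None

    def expand(token):
        name = token.group(1)
        if name.isdigit():
            return match.group(int(name)) or ""
        return variables[name]

    return re.sub(r"\$(\w+)", expand, replacement)


def forward(uri, host, port=80, scheme="http", site="ArcheoNavis4",
            pattern=GOOD_PATTERN):
    """Path nginx hands to Zope on localhost:8080 for a public request,
    or None if the rewrite did not fire."""
    variables = {"vh_protocol": scheme, "host": host,
                 "vh_port": str(port), "site": site}
    return nginx_rewrite(uri, pattern, VHB_REPLACEMENT, variables)


def vhm_parse(path):
    """Undo the VirtualHostBase encoding the way Zope's VirtualHostMonster
    does. Returns (public_base_url, site_path, path_inside_site)."""
    parts = path.split("/")
    # ['', 'VirtualHostBase', scheme, 'host:port', site..., 'VirtualHostRoot', rest...]
    if len(parts) < 5 or parts[1] != "VirtualHostBase":
        raise ValueError("not a VirtualHostBase path: %r" % path)
    if "VirtualHostRoot" not in parts:
        raise ValueError("missing VirtualHostRoot in %r" % path)
    scheme, hostport = parts[2], parts[3]
    host, _, port = hostport.partition(":")
    root = parts.index("VirtualHostRoot")
    site_path = "/" + "/".join(parts[4:root])
    inside = "/" + "/".join(parts[root + 1:])
    # Zope leaves the port out of generated URLs when it is the scheme default.
    default_port = {"http": "80", "https": "443"}.get(scheme)
    netloc = host if port in ("", default_port) else "%s:%s" % (host, port)
    return "%s://%s" % (scheme, netloc), site_path, inside


if __name__ == "__main__":
    for uri in ("/", "/news/item"):
        for pattern in (GOOD_PATTERN, BROKEN_PATTERN):
            print("%-12s %-10s -> %s" % (uri, pattern,
                                         forward(uri, "www.mydomain.net", pattern=pattern)))
    # Testing by bare IP works because $host follows the Host header the client sent.
    print(vhm_parse(forward("/", "81.63.149.242")))
```

With `(.)` the rewrite only fires for one-character paths, so `/news/item` reaches Zope unrewritten and lands outside the site. The `$host` form has a caveat worth keeping in mind: whatever Host header arrives is copied into every absolute URL Plone generates, so the server block that carries it should have a specific `server_name` rather than being the catch-all default server.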