- By default, nginx is configured to redirect HTTP (port 80) requests to HTTPS (port 443). In our case, however, SSL is terminated on HAProxy and nginx serves plain HTTP on port 8082, so the config needs a small tweak to make it work.
- Essentially, we just comment out the redirect and copy the content of the 00-default-ssl.conf file into our 00-default.conf. Your resulting 00-default.conf file should look as follows:
```
sudo nano /etc/nginx/sites-available/00-default.conf
```

```
#
# Note: This file must be loaded before other virtual host config files,
#
# HTTPS
server {
    listen 8082;
    listen [::]:8082;

    #root /var/www/html;
    #index index.php index.html;
    #server_name _;

    # Redirect all insecure http:// requests to https://
    #return 301 https://$host$request_uri;

    server_name _;
    root /var/www/html;
    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/sogo.tmpl;
    include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    include /etc/nginx/templates/stub_status.tmpl;
}
```
- Verify the config and reload nginx:
```
# Verify the nginx config:
sudo nginx -t
# Reload nginx so the new config takes effect:
sudo systemctl reload nginx
```
- Since we changed the default port on nginx, we also need to update the nftables config (the firewall):
```
# Check the status of nftables:
sudo systemctl status nftables.service
# Show the existing rules (port 80 will likely be there):
sudo nft list ruleset
# Change port 80 to 8082 (or whatever you chose on OPNsense under Real Servers):
sudo nano /etc/nftables.conf
# Reload nftables:
sudo systemctl reload nftables.service
```
- To get Roundcube to work unencrypted, open the following file and change the `force_https` directive to `false`. No services need to be restarted after that.
```
sudo nano /opt/www/roundcubemail/config/config.inc.php
# Change the following directive from 'true' to 'false':
$config['force_https'] = false;
```
- Now you can finally try all three management interfaces:
```
# iRedAdmin:
https://your-domain.tld/iredadmin/
# Roundcube webmail:
https://your-domain.tld/mail/
# Monitoring (Netdata):
https://your-domain.tld/netdata
```
- If you encounter difficulties, you can review the following logs and settings:
  - HAProxy logs (e.g. on OPNsense) → is the traffic being passed to the right back-end?
  - HAProxy → is the SSL offloading box ticked under Virtual Services → Public Services?
  - nginx logs → check `sudo tail /var/log/nginx/access.log` and `error.log`.
  - Confirm that nginx is listening on the desired ports → run `ss -tln` to confirm.
  - Have you re-configured and reloaded the firewall? Run `sudo nft list ruleset`.
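As an added example (not part of the original guide), the following POSIX shell script automates the last two checks above together with the nftables change described earlier: it parses `ss -tln` output to confirm that nginx listens on 8082 and that the old port 80 listener is gone, and parses `nft list ruleset` output to confirm that 8082 is accepted while 80 is not. The sample outputs embedded in the script are constructed, not captured from a real host; the constructed ruleset also restricts 8082 to a placeholder HAProxy address (192.0.2.10), because the nginx back-end is now unencrypted and should only be reachable from the proxy. Set `USE_LIVE=1` to run the checks against the live host instead of the samples.

```shell
#!/bin/sh
# Added troubleshooting helper for the HAProxy -> nginx (port 8082) setup.
# Not part of the original guide; sample outputs below are constructed.

# listening_on PORT: reads `ss -tln` output on stdin, exits 0 if a TCP
# socket in LISTEN state is bound to PORT (IPv4 or IPv6).
listening_on() {
    port="$1"
    awk -v p="$port" '
        NR > 1 && $1 == "LISTEN" {
            n = split($4, parts, ":")      # local address is field 4; port follows the last colon
            if (parts[n] == p) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# ruleset_allows_port PORT: reads `nft list ruleset` output on stdin, exits 0
# if some rule has "dport PORT ... accept" (single port or inside a { set }).
ruleset_allows_port() {
    port="$1"
    awk -v p="$port" '
        /dport/ && /accept/ {
            s = $0
            sub(/.*dport[ \t]*/, "", s)    # keep what follows "dport"
            sub(/[ \t]*accept.*/, "", s)   # drop "accept" and anything after it
            n = split(s, f, /[{}, \t]+/)   # split "{ 22, 25 }" or "8082" into ports
            for (i = 1; i <= n; i++) if (f[i] == p) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample in the format `ss -tln` prints (not from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:8082       0.0.0.0:*
LISTEN 0      511    [::]:8082          [::]:*
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*'

# Constructed sample ruleset: 8082 is only accepted from the HAProxy host
# (192.0.2.10 is a placeholder; use the proxy address from your OPNsense setup).
SAMPLE_NFT='table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state established,related accept
		iif lo accept
		ip saddr 192.0.2.10 tcp dport 8082 accept
		tcp dport { 22, 25, 587, 993 } accept
	}
}'

# check_backend SS_OUTPUT NFT_OUTPUT: runs all checks, prints findings,
# returns 0 only if everything is as expected for the 8082 back-end.
check_backend() {
    ss_out="$1"; nft_out="$2"; rc=0
    printf '%s\n' "$ss_out" | listening_on 8082 \
        || { echo "FAIL: nginx is not listening on 8082"; rc=1; }
    if printf '%s\n' "$ss_out" | listening_on 80; then
        echo "WARN: port 80 still open; is the old listen directive still active?"; rc=1
    fi
    printf '%s\n' "$nft_out" | ruleset_allows_port 8082 \
        || { echo "FAIL: nftables has no accept rule for 8082"; rc=1; }
    if printf '%s\n' "$nft_out" | ruleset_allows_port 80; then
        echo "WARN: nftables still accepts port 80"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: 8082 listening and allowed through nftables, 80 closed"
    return "$rc"
}

if [ "${USE_LIVE:-0}" = 1 ]; then
    check_backend "$(ss -tln)" "$(sudo nft list ruleset)"
else
    check_backend "$SAMPLE_SS" "$SAMPLE_NFT"
fi
```

The parsers deliberately work on the textual output of `ss` and `nft` so the script needs nothing beyond awk; on a real host both commands must be run as in the guide (`nft list ruleset` needs root), which is why the live mode uses `sudo`.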