External Access - own domain -> NGINX -> 2 instances of HA

Hi all.

Quick question:
I have been struggling with external access to HA. I have one instance of HA already working on the domain ha.domain.com, and now I want to add external access for a second HA instance on ha2.domain.com.
I have self-hosted NGINX running on Proxmox PVE. Both instances are reachable on port 8123.
But I can't get the second one working for external access.

Is it possible that both are on the same port (but different IPs, obviously)? So NGINX is proxying:
ha.domain.com -> 192.168.1.199
ha2.domain.com -> 192.168.1.197

Is it possible this is the culprit?
I have certs issued for the ha2 and ha instances; both should be reachable over https.

Thank you in advance.

This is certainly possible with nginx. I have three instances that I proxy through nginx, all on the same port. I'm not following the exact failure mode: are both URLs proxying to the same instance? Would likely need to see config files to help much.

No.
The proxy receives the request on the port and just forwards it as needed.

What is the error received?

Hm, I still can't figure it out… when running
sudo certbot certonly --nginx -d ha2.domain.com
I get:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

2024/12/17 20:31:35 [emerg] 548#548: unknown log format "standard" in /etc/nginx/conf.d/default.conf:11
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\n2024/12/17 20:31:35 [emerg] 548#548: unknown log format "standard" in /etc/nginx/conf.d/default.conf:11\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My nginx.conf:


user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;

        ##
        # Gzip Settings

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml appli>

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

and the default.conf file:

# "You are not configured" page, which is the default if another default doesn't exist
server {
        listen 80;
        listen [::]:80;

        set $forward_scheme "http";
        set $server "127.0.0.1";
        set $port "80";

        server_name localhost-nginx-proxy-manager;
        access_log /data/logs/fallback_access.log standard;
        error_log /data/logs/fallback_error.log warn;
        include /etc/nginx/conf.d/include/assets.conf;
        include /etc/nginx/conf.d/include/block-exploits.conf;
        include /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf;

        location / {
                index index.html;
                root /var/www/html;
        }
}

# First 443 Host, which is the default if another default doesn't exist
server {
        listen 443 ssl;
        listen [::]:443 ssl;

        set $forward_scheme "https";
        set $server "127.0.0.1";
        set $port "443";

        server_name localhost;
        access_log /data/logs/fallback_access.log proxy;
        error_log /dev/null crit;
        include /etc/nginx/conf.d/include/ssl-ciphers.conf;
        ssl_reject_handshake on;

        return 444;
}

I'm really lost now. Does anyone have an idea what could be wrong in the configuration file(s), as it says misconfiguration…
I would be very thankful for any help.

PS: Renewing the other certs for my other subdomains works OK, but obtaining new certs doesn't work.

PS2:
Running sudo certbot certonly --standalone --preferred-challenges http -d your_domain

I get (output is sanitized):


sudo certbot certonly --standalone --preferred-challenges http -d ha2.-------.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/ha2.-----------.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for ha2.--------.xxx

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ha2.----------/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/ha2.-----------/privkey.pem
This certificate expires on 2025-03-17.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If I copy the content of the .pem files from above to a text editor, save them as files on my nginx LXC and then upload them to the NPM web server and add a custom certificate, I can't connect to the ha2.domain.com instance with https, only http. If I connect with https I get SSL_ERROR_UNRECOGNIZED_NAME_ALERT.

Domain.com
Ha1.domain.com
HA2.domain.com

These are all different and separate server blocks in nginx. Also for SSL purposes they are different, but your cert looks OK.

You also need to verify file permissions. Moving them between systems, it's possible the permissions are incorrect and nginx can't see the cert.

I don’t see different server blocks. Is the config only for ha2 or also ha1?

I think the problem is that you have to define your log formats in the default config file, something like this, before the server part:

log_format standard '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

log_format proxy '$proxy_add_x_forwarded_for - $remote_user [$time_local] "$request" '
                 '$status $body_bytes_sent "$http_referer" '
                 '"$http_user_agent" "$http_x_forwarded_for"';

@tmjpugh and @brunobrossi thanks!

I tried to configure nginx.conf and default.conf, but after I fixed the log error I got a new error:

Error while running nginx -c /etc/nginx/nginx.conf -t.

2024/12/18 20:10:12 [emerg] 536#536: "proxy_cache" zone "public-cache" is unknown in /etc/nginx/nginx.conf:61
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\n2024/12/18 20:10:12 [emerg] 536#536: "proxy_cache" zone "public-cache" is unknown in /etc/nginx/nginx.conf:61\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')

After 4 days of this I'm slowly giving up on NPM…

Looks like you have some misconfigured cache. If you don't want to use a cache, you have to remove the references to it. I can't see them in your config, but maybe there are remains in /etc/nginx/sites-available.
Look for things like

proxy_cache public-cache
proxy_cache_path /path/to/cache 
proxy_cache_valid 

If you don't have much experience with reverse proxies, be careful with the configs. For example, if you are exposing 443 already, there is no need to expose port 80 as well. There are simpler (free) ways you can access HA externally; maybe try Tailscale, for example.
If you are using nginx to learn, I would go over the docs and read them a bit; it will help as well.
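As an added example (not the thread author's or NPM's own config), here is a minimal http{} context that ties the two answers above together: the log_format declared at http level before any server{} uses it, a proxy_cache_path that declares the keys_zone a proxy_cache directive would name, and two server blocks sharing port 443 that proxy the two HA instances from the question. Hostnames, backend IPs and port 8123 come from the question; the certificate paths follow certbot's default layout shown in the output above; the catch-all server assumes nginx 1.19.4 or newer.

```nginx
# Added example, not the thread's own config; place inside nginx's http{} context.
# Assumed: hostnames/IPs from the question, certbot default certificate paths.
# log formats must be declared at http level before any server{} references them
log_format standard '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
# a proxy_cache zone must be declared (keys_zone) before any proxy_cache uses it;
# if no caching is wanted, drop this line and every proxy_cache directive instead
proxy_cache_path /var/cache/nginx/public keys_zone=public-cache:10m max_size=100m;

# Home Assistant needs WebSocket upgrades to pass through the proxy
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
# declared once here; the server{} blocks below inherit them (none overrides them)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

# catch-all for names without a matching server{}: nginx answers the ClientHello
# with an unrecognized_name alert, which the browser reports as
# SSL_ERROR_UNRECOGNIZED_NAME_ALERT (the symptom seen for ha2 above)
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# both instances share port 443 on the proxy; SNI (server_name) picks the block
server {
    listen 443 ssl;
    server_name ha.domain.com;
    ssl_certificate     /etc/letsencrypt/live/ha.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.domain.com/privkey.pem;
    access_log /var/log/nginx/ha.access.log standard;
    location / { proxy_pass http://192.168.1.199:8123; }
}

server {
    listen 443 ssl;
    server_name ha2.domain.com;
    ssl_certificate     /etc/letsencrypt/live/ha2.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha2.domain.com/privkey.pem;
    access_log /var/log/nginx/ha2.access.log standard;
    location / { proxy_pass http://192.168.1.197:8123; }
}
```

Run `nginx -t` after each change; it reports the first failing directive with its file and line, which is the same check certbot's nginx plugin runs before touching the config. Home Assistant only accepts proxied requests when its http: configuration has use_x_forwarded_for enabled and the proxy's IP listed under trusted_proxies.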

@brunobrossi thanks.
There is a default file in sites-available,
and in there:

server {
        listen 81 default_server;
        listen [::]:81 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass PHP scripts to FastCGI server
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php-fpm (or other unix sockets):
        #       fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        #       # With php-cgi (or other tcp sockets):

I'm not really a beginner with nginx, and until now everything worked great. I wanted to add another HA instance to access externally, but then things got messed up and I can't figure it out. On the web server I get an internal error message each time I try to change something, and if I click the save button an internal error message pops up (after closing the window and refreshing the page, everything looks normal and saved :slight_smile:
Right now I'm exposing port 80 because I tried to obtain certificates… renewing the already configured servers works great, but a new one is a pain.

I see, yeah. For the error you are having now, it is some misconfigured cache. What you can do is try to explicitly disable it, or enable some simple browser caching, and see if it goes through.

@brunobrossi thanks.
I started with the cache but things didn't change; it turned out some other errors started, or at least showed up, with the nginx -t command.

So instead of spending more time I just installed another nginx server in my LXC in Proxmox, and this time I used OpenResty. It turned out there was indeed a misconfiguration, because on the new server everything went fine and smoothly.

I think I accidentally checked the HSTS button, which messed up my config.

Thanks guys for your help anyway!