[SOLVED] NethServer/Apache & Discourse/Nginx - download available

Hi all,

I am currently writing a howto on installing Discourse Forum on NethServer.

I managed to install Discourse Forum.
Everything is working perfectly with Discourse, even https://forum.toto.com.

To be able to install Discourse, I had to disable httpd as Nginx is using port:80.

I am able to get to NethServer GUI at port:980 without any problem as some httpd daemons are still running (see below).
● Is it because of some template starting some httpd daemons ?
● If I stop Nginx, I cannot access NethServer GUI on port:980 => so is it Nginx responding to 980 and redirecting to the GUI ?
● But if I kill all the below daemons, I cannot access anymore the NethServer GUI on port:980
This is not a problem as I can access NethServer GUI at port:980 / but I would like to know!

[root@tchana ~]# ps aux | grep http
root      1413  0.0  0.4 518776 17992 ?        Ss   12:52   0:00 /usr/sbin/httpd -f /etc/httpd/admin-conf/httpd.conf -c MaxConnectionsPerChild 12 -DFOREGROUND
srvmgr    2455  0.0  0.2 531156  8932 ?        S    12:52   0:00 /usr/sbin/httpd -f /etc/httpd/admin-conf/httpd.conf -c MaxConnectionsPerChild 12 -DFOREGROUND
srvmgr    2460  0.0  0.2 531156  8932 ?        S    12:52   0:00 /usr/sbin/httpd -f /etc/httpd/admin-conf/httpd.conf -c MaxConnectionsPerChild 12 -DFOREGROUND
srvmgr    2461  0.0  0.2 531156  8932 ?        S    12:52   0:00 /usr/sbin/httpd -f /etc/httpd/admin-conf/httpd.conf -c MaxConnectionsPerChild 12 -DFOREGROUND
srvmgr    2462  0.0  0.2 531156  8932 ?        S    12:52   0:00 /usr/sbin/httpd -f /etc/httpd/admin-conf/httpd.conf -c MaxConnectionsPerChild 12 -DFOREGROUND
srvmgr    2463  0.0  0.2 531156  8932 ?        S    12:52   0:00 /usr/sbin/httpd -f /etc/httpd/admin-conf/httpd.conf -c MaxConnectionsPerChild 12 -DFOREGROUND
root      7266  0.0  0.0 112732   976 pts/0    S+   13:10   0:00 grep --color=auto http
[root@tchana ~]#

PROBLEM:
I cannot access Webmail:

https://toto.com/webmail
https://www.toto.com/webmail
https://mail.toto.com/webmail
https://www.mail.toto.com/webmail

https://forum.toto.com/webmail
https://www.forum.toto.com/webmail
https://mail.forum.toto.com/webmail
https://www.mail.forum.toto.com/webmail

QUESTIONS:
● Is there a URL:port or a link I can use to directly access Webmail like calling the GUI with port:980 ?
● Is there a directive to insert in nginx.conf to tell it to get to Webmail.
● As it is quite difficult to change Nginx port 80 for Discourse, then I have to change the port 80 that is used by httpd for another one - how to do this ?
● I Googled a lot and some threads suggest to use HAProxy. // I tried the NethServer Reverse Proxy to no avail.

Any suggestion very appreciated as this is the last problem to resolve before releasing the howto on installing Discourse on NethServer…

Michel-André

Can the nginx module be of use?

Hi dnutan,

Thank you very much for your reply.

But Nginx is already installed by the installation of Discourse,

Now I am looking to convert Apache:
/etc/httpd/conf.d/roundcubemail.conf
to Nginx:
/etc/nginx/conf.d/roundcubemail.conf
which I think will be easier as there are only a few directives to convert.

That way Nginx will access Roundcube the same way as Apache; (I hope…)

Michel-André

What about running nginx/discourse with different ports and reverse proxy to them from apache?
I think it’s easier than converting all other apps like roundcube from apache to nginx.


Hi Markus,

Can you please explain a little bit ?

Michel-André

You may run nginx/discourse with a non default http port i.e. 8877 instead of 80 to not conflict with apache port 80.
Then just add a virtual host reverse proxy like discourse.example.com to http://localhost:8877/discourse.
If you use letsencrypt you now have a secured connection and should be able to reach discourse via https://discourse.example.com


Hi Markus,

Excellent idea. I think this is the way to go.

For now, using port 80 and 443 everything works perfectly: Let’s Encrypt, https, email through SparkPost, registration, update, etc…

Presently, I am using forum.micronator-dev.org but I should use only micronator-dev.org and use NethServer Reverse Proxy for www.forum.micronator-dev.org to point to http://www.micronator-dev.org - - am I right?

► Looking at /etc/nginx/conf.d/discourse.conf.

First part of that file for using port 80.
It should be easy to just change the port to 8877 for both IPv4 and also for IPv6 (which I don’t use) and just restart Nginx and it should do the job.

server {
    listen 80; listen [::]:80;
    server_name  forum.micronator-dev.org;  # <-- change here

    return 301 https://$host$request_uri;
}

● The question is the port 443 for https.

Second part of that file for using port 443 and Let’s Encrypt.

server {
    listen 443 ssl http2;  listen [::]:443 ssl http2;
    server_name  forum.micronator-dev.org;  # <-- change here

#   ssl on;  # <-- COMMENT OUT because OBSOLETE
    ssl_certificate      /etc/pki/tls/certs/cert.pem;  # <-- change here
    ssl_certificate_key  /etc/pki/tls/private/privkey.pem;  # <-- change here
#   ssl_dhparam          /var/discourse/shared/standalone/ssl/dhparams.pem;  # <-- COMMENT OUT
    ssl_session_tickets off;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

    http2_idle_timeout 5m; # up from 3m default

    location / {
        proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

● Should I change that port 443 also ??? If yes, to what? Will it be still secure?

I have a snapshot of the machine using only the port 80 with no port 443.
I will try 8877 with that VM and let you know.

If everything is working, then that means I also have to redo the configuration at SparkPost for mail delivery which is not a big task,

And again, if everything is working it means I will be able to use a fully functioning Discourse Forum running under NethServer. :cocktail::cocktail::cocktail:

I will keep you informed of the development.

Again, I thank you very much for your great support,

Michel-André

Hi again Markus,

There is something I am missing:

server {
        listen 8877;
        server_name  micronator-dev.org;

        location / {
                proxy_pass http://unix:/var/discourse/shared/standalone/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        }
}

I also modified the port 80 => 8877 in /var/discourse/discourse/discourse-setup.
Then:

nginx -t
cd /var/discourse/
pwd
./launcher destroy app
./launcher start app


At least NethServer is redirecting…

I will have a walk in the nice cold winter night for a while :frowning:

Tomorrow will be better,

Michel-André

I think you don’t need to configure port 80 in nginx because it’s only used to redirect to https.
So it should be enough to delete the nginx server port 80 directive and change port 443 to 8877 and setup apache reverse proxy to https://localhost:8877

I think this change is not needed because apache should respond on port 80 too but I’m not sure about discourse configuration…
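
The layout suggested in the replies above (Apache keeps ports 80 and 443, nginx/Discourse moves to 8877), written out as an Apache virtual host. This is an added example, not configuration posted by anyone in the thread; the loopback bind on the nginx side, the loaded modules and where the file is placed are assumptions.

```apache
# Added example, not from the thread. Assumes Apache 2.4 with mod_ssl,
# mod_proxy, mod_proxy_http and mod_headers loaded, and the host nginx in
# front of Discourse changed to "listen 127.0.0.1:8877;" (plain HTTP).
# discourse.example.com is the placeholder name used in the post above.

<VirtualHost *:80>
    ServerName discourse.example.com
    # Apache keeps port 80 and only redirects, which replaces the
    # port-80 server block in the nginx configuration.
    Redirect permanent / https://discourse.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName discourse.example.com

    # TLS terminates at Apache. The certificate paths are the ones shown
    # in the nginx configuration earlier in this thread.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/cert.pem
    SSLCertificateKeyFile /etc/pki/tls/private/privkey.pem

    # Reverse proxy only, never an open forward proxy.
    ProxyRequests Off
    # Pass the original Host header so Discourse sees its public hostname.
    ProxyPreserveHost On

    # Tell the backend that the client connection was HTTPS. The nginx
    # block has to forward this value: on a plain-HTTP listener,
    # "proxy_set_header X-Forwarded-Proto $scheme;" overwrites it with "http".
    RequestHeader set X-Forwarded-Proto "https"

    # Target the loopback address so port 8877 does not have to be
    # reachable from the network. mod_proxy_http adds X-Forwarded-For itself.
    ProxyPass        / http://127.0.0.1:8877/
    ProxyPassReverse / http://127.0.0.1:8877/
</VirtualHost>
```

Because only this virtual host is proxied, paths served by the other Apache virtual hosts, such as /webmail, are not affected.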

Hi Markus,

I wanted to do something to enable Webmail to see if root or admin received some mails from Discourse or from the system.

I stopped nginx and started httpd to be able to login to Webmail - it works perfectly - and there was no mail for admin and some messages to root about clamav; nothing else.

So the solution is simple:
● stop nginx, start httpd, login to webmail and look for messages.
● stop httpd and restart nginx.
► I can always create an account in Thunderbird for root and another one for admin. That way no need to use Webmail. As I always say: “Why make it complicated when it is simple”. The KISS principle: Keep It Stupid Simple.

When Discourse is running, I still:
● can access NethServer GUI interface since it uses port 980 and some httpd daemons are always running even if httpd service is disabled.
● can update NethServer.
● can access all the logs, etc…

If I want to use a web site along with Discourse, there are quite a few howtos about that. But since Discourse can use a lot of CPU time, it is better to just run it on a dedicated NethServer.

My howto about the installation of Discourse on a Nethserver will be out pretty soon.

Thank you again for your appreciated support.

Michel-André

Therefore, rely on another mailserver, not consolidate mail, webtop and discourse into the same installation.

Hi all,

There was a new problem with Let’s Encrypt and the reloadcmd:

 --reloadcmd "/sbin/e-smith/signal-event certificate-update"

It gave the error: Reload error for :

The problem is from the file: /etc/e-smith/events/certificate-update/services2adjust/httpd.
The service2adjust wanted to restart httpd but since I had to disable it for Discourse, it can not restart it, so it gave the error.

SOLUTION:
In /etc/e-smith/events/certificate-update/services2adjust/, I renamed httpd to nginx and no more error.

I hope this is the very last problem and a future update of NethServer doesn’t modify or add httpd again.

Michel-André

Hi pike,

Been there done that, I use SparkPost for email as there is no way to use mail from NethServer (at least nobody found one yet).
► Also Discourse doesn’t support using your own mail server.

Michel-André

Of course it does; you just need to enter the appropriate server FQDN and credentials. Discourse will work with any SMTP server.

It’s almost certain that it will, unless you’ve removed the nethserver-httpd RPM.

Hi Dan,

“Discourse doesn’t support using your own mail server.” meaning it won’t give you support if you have problem with it, but it is still possible to use it.

I can’t delete httpd because I will lose the Web Interface Manager or I will have to reconfigure it for Nginx which is a too big work to do.

QUESTION:
Will update of httpd insert httpd and leave nginx there or will it delete the folder and create a new one?

If it only adds httpd and doesn’t delete nginx, then it is OK. It will give an error because of the impossibility to restart httpd but it will still restart nginx and this will be OK.

Michel-André

I wanted to test if it’s possible to use apache next to nginx/discourse but I didn’t find a simple discourse install howto for centos 7 without docker.

Here I read they only support docker officially:

Hi Markus,

I don’t know if that might help you but I found this when I was looking to run Apache & Nginx:

Michel-André

Thanks, I’ll have a look but my first impression is that haproxy may be too much for just having nginx next to apache.

Did you install discourse with docker?

Yes, the installation I followed was with Docker.
The name of the container run by Docker is app, check it with:

# docker container ls -a

CONTAINER ID IMAGE               COMMAND      CREATED        STATUS        PORTS                                    NAMES
e470946e11d3 local_discourse/app "/sbin/boot" 24 minutes ago Up 24 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp app
#

When I read that article, I installed HAProxy and played with it for a while. It looked a little bit hard to configure and I switched to another solution.

If you want I can send you my document on Discourse. It is not entirely finished but almost.
You can send me your email address at: https://www.micronator.org/affaires/nous-contacter/.

Michel-André

PS: Sent


Hi Dan

I have an old VM and I updated all httpd.
You are absolutely right, the update recreated the httpd file, but didn’t touch the nginx file.

To get rid of the error, I can modify the cron job for Let’s Encrypt so it will start by deleting the httpd file.

Original file:

32 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Change to:

32 0 * * * /usr/bin/rm -rf /etc/e-smith/events/certificate-update/services2adjust/httpd ; "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

► Testing the modified cron job without: > /dev/null:

# /usr/bin/rm -rf /etc/e-smith/events/certificate-update/services2adjust/httpd ; "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
[dim. mars  1 19:33:35 EST 2020] ===Starting cron===
[dim. mars  1 19:33:35 EST 2020] Renew: 'forum.micronator-dev.org'
[dim. mars  1 19:33:35 EST 2020] Skip, Next renewal time is: ven. mai  1 00:09:26 UTC 2020
[dim. mars  1 19:33:35 EST 2020] Add '--force' to force to renew.
[dim. mars  1 19:33:35 EST 2020] Skipped forum.micronator-dev.org
[dim. mars  1 19:33:35 EST 2020] Renew: 'micronator-dev.org'
[dim. mars  1 19:33:35 EST 2020] Skip, Next renewal time is: lun. avril  6 14:59:54 UTC 2020
[dim. mars  1 19:33:35 EST 2020] Add '--force' to force to renew.
[dim. mars  1 19:33:35 EST 2020] Skipped micronator-dev.org
[dim. mars  1 19:33:35 EST 2020] ===End cron===
#

The thing I don’t quite understand is the 2 Renew:

Maybe the first one is for the Discourse container domain and the second one is for the other standard domains outside of the Discourse container.

If I check the certificates:

● The one used by the forum

Pas avant 29/02/2020 à 14:47:03 (heure normale de l’Est nord-américain)
Pas après 29/05/2020 à 15:47:03 (heure normale de l’Est nord-américain)

● The one used by the NethServer Manager

Pas avant 01/03/2020 à 18:09:25 (heure normale de l’Est nord-américain)
Pas après 30/05/2020 à 19:09:25 (heure normale de l’Est nord-américain)

If modifying the cron job is correct, then I have no more problem :slight_smile:

Any comment will be very appreciated,

Michel-André