btcpayserver / btcpayserver-docker

Docker resources for hosting BTCPayServer easily
MIT License

host OS nginx proxying #215

Closed ralyodio closed 4 years ago

ralyodio commented 4 years ago

I have other sites that use the host OS nginx. I'd like to use that nginx instance to proxy to btcpayserver. What port should I use and how do I set it?

NicolasDorier commented 4 years ago

See https://docs.btcpayserver.org/faq-and-common-issues/faq-deployment#can-i-use-an-existing-nginx-server-as-a-reverse-proxy-with-ssl-termination

ralyodio commented 4 years ago

I'm getting TOO MANY REDIRECTS when I try to proxy.

# curl localhost:7780 -I
HTTP/1.1 503 Service Temporarily Unavailable
Server: nginx
Date: Mon, 04 Nov 2019 15:46:13 GMT
Content-Type: text/html
Content-Length: 190
Connection: keep-alive

 server {
     listen [::]:80;
     listen      80;
     server_name  btcpay.profullstack.com;
     return      301 https://btcpay.profullstack.com$request_uri;
 }

server {
    server_name btcpay.profullstack.com;
    #index        index.php index.html;
    #root         /home/ubuntu/www/profullstack.com/profullstack-ui;

    add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
    add_header 'Last-Modified' '';
    if_modified_since off;
    #expires -1;
    etag off;

    #listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/btcpay.profullstack.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/btcpay.profullstack.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    sendfile on;
    client_max_body_size 10M;

    location / {
        proxy_pass http://localhost:7780;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

# curl https://btcpay.profullstack.com -I
HTTP/2 301
server: nginx/1.14.0 (Ubuntu)
date: Mon, 04 Nov 2019 15:52:54 GMT
content-type: text/html
content-length: 162
location: https://btcpay.profullstack.com/
cache-control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0

ralyodio commented 4 years ago

I believe the problem is with 80 redirecting to 443, but I'm using my own nginx SSL termination.

# ack 301
Generated/nginx.tmpl
297:    #return 301 https://$host$request_uri;

Production/nginx.tmpl
297:    #return 301 https://$host$request_uri;

How do I redo this without the 301s?

NicolasDorier commented 4 years ago

I know that @woutersamaey made it work @chovy. (https://github.com/btcpayserver/btcpayserver-doc/pull/268)

Hey @woutersamaey anything we forgot in the doc? I can understand why it would not work, as it redirects to http internally which redirects to https.

NicolasDorier commented 4 years ago

@chovy did you follow this part with REVERSEPROXY_HTTP_PORT?


        # URL of BTCPay Server (i.e. a Docker installation with REVERSEPROXY_HTTP_PORT set to 10080)
        proxy_pass http://127.0.0.1:10080;

woutersamaey commented 4 years ago

I only use a redirect to force HTTP to HTTPS, which has nothing to do with BTCPay Server really. Besides this, there are no redirects whatsoever.

The docs are 100% fine.

NicolasDorier commented 4 years ago

@woutersamaey but why does it work? Like the request reaches https then is forwarded to http to the btcpayserver's nginx, which should redirect to https, creating an infinite 301 loop. Why does it not happen in your case?

ralyodio commented 4 years ago

This is what is happening. The backend is redirecting http to https. This just started happening this week.

ralyodio commented 4 years ago

@chovy did you follow this part with REVERSEPROXY_HTTP_PORT?


      # URL of BTCPay Server (i.e. a Docker installation with REVERSEPROXY_HTTP_PORT set to 10080)
      proxy_pass http://127.0.0.1:10080;

Yes, I did this. It still tries to redirect from http to https on the location block.

NicolasDorier commented 4 years ago

Damn @woutersamaey we need to find out how you managed to make it work, I really don't see how it can work currently.

ralyodio commented 4 years ago

Yeah, it worked fine like 4 days ago. Something changed over the weekend. I don't mind re-installing fresh but it seems docker caches everything and I can't actually delete everything.

woutersamaey commented 4 years ago

I’ll check my config and post full config files when I get to the office.

woutersamaey commented 4 years ago

This is my vhost config in Nginx. This Nginx does nothing except proxy to BTCPay Server + Terminate SSL

server {
        listen 80;

        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;

        server_name btcpay.domain.com;

        location ~ /.well-known {
                allow all;
        }

        location / {
                return 301 https://$http_host$request_uri;
        }
}

# Needed outside of server{} for websocket support
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
        listen 443 ssl http2;

        ssl on;
        ssl_certificate      /etc/letsencrypt/live/btcpay.domain.com/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/btcpay.domain.com/privkey.pem;

        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;

        server_name btcpay.domain.com;

        # Don't use the BTCPay Server homepage, but always send to the login page
        #location = / {
        #       return 302 $scheme://$http_host/account/login;
        #}

        location / {
                proxy_pass http://127.0.0.1:10080;

                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                # For websockets (used by Ledger hardware wallets)
                proxy_set_header Upgrade $http_upgrade;
        }

        location ~ /.well-known {
                allow all;
        }
}

And these are my exports:

export REVERSEPROXY_HTTP_PORT="10080"
export REVERSEPROXY_HTTPS_PORT="10443"
export BTCPAY_HOST="btcpay.domain.com"
export REVERSEPROXY_DEFAULT_HOST="btcpay.domain.com"

export NBITCOIN_NETWORK="mainnet"
export BTCPAYGEN_CRYPTO1="btc"
export BTCPAYGEN_CRYPTO2="ltc"
export BTCPAYGEN_REVERSEPROXY="nginx"
export BTCPAYGEN_LIGHTNING="lnd"
export LETSENCRYPT_EMAIL="my@email.com"
export BTCPAYGEN_ADDITIONAL_FRAGMENTS=""

My current version is BTCPayServer v1.0.3.116
Nginx version: nginx/1.14.2

woutersamaey commented 4 years ago

So it appears I have an older version. I just ran btcpay-update.sh but that did not update my version.

Will look into that a bit more.

woutersamaey commented 4 years ago

I deleted my btcpayserver-docker GIT repo and cloned it anew. Now I'm on v1.0.3.136 and can confirm everything is still functional.

ralyodio commented 4 years ago

I think the docker build did something that you have to delete to reproduce.

woutersamaey commented 4 years ago

Okay, so how can I help exactly?

NicolasDorier commented 4 years ago

@woutersamaey by giving us a theory on why your setup works. I would expect that the first reverse proxy sends to http of the second reverse proxy, which triggers a redirect.

woutersamaey commented 4 years ago

@NicolasDorier looking at the code in nginx.tmpl there seems to be a variable $https_method that can be set to noredirect so it won't have the redirect.

Maybe this is a possible avenue?

Honestly, I don't even fully understand how this repo is tied together, so I'm having a hard time figuring out how it all works exactly.

To help with the debugging, I would add some response headers in the Nginx config so we can figure out where the redirect comes from. I.e. add_header X-Redirect-Reason "Because reasons";

And, are we sure the redirect is not triggered by C# code?
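The loop discussed above is already visible in the `curl -I` output posted earlier in the thread: the 301's Location is the URL that was just requested. The script below is an added example, not code from the thread or from btcpayserver-docker; it classifies one response as `loop`, `redirect` or `final`, assumes an absolute Location header, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether one `curl -I` response
# sends the client straight back to the URL it just requested.

# Status code from the first line, e.g. "HTTP/2 301" -> 301.
status_of() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { print $2 }'
}

# Value of the Location header; the name is matched case-insensitively
# because HTTP/2 responses print it in lowercase.
location_of() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower($1) == "location:" { print $2; exit }'
}

# "https://host" and "https://host/" are the same resource: add the missing "/".
normalise() {
    printf '%s\n' "$1" | sed -E 's#^([A-Za-z]+://[^/]+)$#\1/#'
}

# classify URL HEADERS -> prints "loop", "redirect" or "final".
classify() {
    code=$(status_of "$2")
    case "$code" in
        3??) ;;                      # a redirect: compare target with request
        *) echo final; return ;;     # anything else ends the chain
    esac
    if [ "$(normalise "$1")" = "$(normalise "$(location_of "$2")")" ]; then
        echo loop
    else
        echo redirect
    fi
}

# Response quoted in the thread for `curl https://btcpay.profullstack.com -I`.
THREAD_RESPONSE='HTTP/2 301
server: nginx/1.14.0 (Ubuntu)
content-type: text/html
location: https://btcpay.profullstack.com/'

# Constructed sample: what the port-80 vhost shown in the thread would answer.
PORT80_RESPONSE='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://btcpay.profullstack.com/'

classify https://btcpay.profullstack.com "$THREAD_RESPONSE"
classify http://btcpay.profullstack.com/ "$PORT80_RESPONSE"
```

Run it on `curl -sI` output from the public URL and from the Docker nginx port (`REVERSEPROXY_HTTP_PORT`) to see which hop issues the 301.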

NicolasDorier commented 4 years ago

@woutersamaey ha maybe you can share with us

docker exec nginx cat /etc/nginx/conf.d/default.conf

NicolasDorier commented 4 years ago

Ping @chovy it came to my mind what is wrong! The redirect is added to nginx config only when a certificate has been successfully fetched! And because you probably ran btcpay without the reverse proxy before, there is a certificate. (This explains why it would work in @woutersamaey's case.)

I will make a PR which allows you to remove this cert and will update the doc.

NicolasDorier commented 4 years ago

Ok @chovy I made a new commit for you!

First do a btcpay-update.sh, then exclude the fragment nginx-https.

btcpay-update.sh
BTCPAYGEN_EXCLUDE_FRAGMENTS="$BTCPAYGEN_EXCLUDE_FRAGMENTS;nginx-https"
. btcpay-setup.sh -i

This will make sure the certificates you already have are not bound to docker.

ralyodio commented 4 years ago

I don't know if that's why but I'm willing to test it. I didn't change anything and it was working fine earlier. The only thing I did which could have caused this is I moved /var/lib/docker to another location while it was still running. I was trying to fully delete everything and start over, but docker seems to keep a lot of stuff behind.

NicolasDorier commented 4 years ago

I didn't change anything and it was working fine earlier.

Yeah, this makes my explanation even more plausible actually.

ralyodio commented 4 years ago

It works! marking as closed.

NicolasDorier commented 4 years ago

@chovy can you update the doc?

ralyodio commented 4 years ago

All I did was git pull and restart.

NicolasDorier commented 4 years ago

@chovy no, I mean

BTCPAYGEN_EXCLUDE_FRAGMENTS="$BTCPAYGEN_EXCLUDE_FRAGMENTS;nginx-https"
. btcpay-setup.sh -i

The nginx-https in exclude fragment was needed.

ralyodio commented 4 years ago

Where in the docs do you want this?

NicolasDorier commented 4 years ago

In this section: https://docs.btcpayserver.org/faq-and-common-issues/faq-deployment#can-i-use-an-existing-nginx-server-as-a-reverse-proxy-with-ssl-termination

NicolasDorier commented 4 years ago

I did it.

cpleonardo commented 3 years ago

Ok @chovy I made a new commit for you!

First do a btcpay-update.sh, then exclude the fragment nginx-https.

btcpay-update.sh
BTCPAYGEN_EXCLUDE_FRAGMENTS="$BTCPAYGEN_EXCLUDE_FRAGMENTS;nginx-https"
. btcpay-setup.sh -i

This will make sure the certificates you already have are not bound to docker.

It worked for me! Thanks!