Proxy status kills access

So, I got a domain from Cloudflare. It's showing up and says it's working.

I set up the DNS records, then Nginx Proxy Manager on my server. It will only work if I set the proxy to DNS only. When I do that I can go to canu.fightthepanda.uk and it sends me where it should, but as soon as it's proxied, no dice. Just a "Connection timed out" Error code 522.

I also tried a tunnel, but same deal.

Make sure you are using the Full (strict) SSL setting in Cloudflare.

If you shared your Nginx config (use the preformatted text option, ctrl+e), I could have a look.

Yeah, I've set it to Full (strict) but no joy.

I think this is the config you're asking for, but I don't think it's an Nginx issue because bypassing it with a tunnel had the same problem.

# run nginx in foreground
daemon off;
pid /run/nginx/nginx.pid;
user npm;

# Set number of worker processes automatically based on number of CPU cores.
worker_processes auto;

# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;

error_log /data/logs/fallback_error.log warn;

# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;

events {
    include /data/nginx/custom/events[.]conf;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    server_tokens off;
    tcp_nopush on;
    tcp_nodelay on;
    client_body_temp_path /tmp/nginx/body 1 2;
    keepalive_timeout 90s;
    proxy_connect_timeout 90s;
    proxy_send_timeout 90s;
    proxy_read_timeout 90s;
    ssl_prefer_server_ciphers on;
    gzip on;
    proxy_ignore_client_abort off;
    client_max_body_size 2000m;
    server_names_hash_bucket_size 1024;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Accept-Encoding "";
    proxy_cache off;
    proxy_cache_path /var/lib/nginx/cache/public levels=1:2 keys_zone=public-cache:30m max_size=192m;
    proxy_cache_path /var/lib/nginx/cache/private levels=1:2 keys_zone=private-cache:5m max_size=1024m;

    log_format proxy '[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"';
    log_format standard '[$time_local] $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] "$http_user_agent" "$http_referer"';

    access_log /data/logs/fallback_access.log proxy;

    # Dynamically generated resolvers file
    include /etc/nginx/conf.d/include/resolvers.conf;

    # Default upstream scheme
    map $host $forward_scheme {
        default http;
    }

    # Real IP Determination

    # Local subnets:
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 172.16.0.0/12; # Includes Docker subnet
    set_real_ip_from 192.168.0.0/16;
    # NPM generated CDN ip ranges:
    include conf.d/include/ip_ranges.conf;
    # always put the following 2 lines after ip subnets:
    real_ip_header X-Real-IP;
    real_ip_recursive on;

    # Custom
    include /data/nginx/custom/http_top[.]conf;

    # Files generated by NPM
    include /etc/nginx/conf.d/*.conf;
    include /data/nginx/default_host/*.conf;
    include /data/nginx/proxy_host/*.conf;
    include /data/nginx/redirection_host/*.conf;
    include /data/nginx/dead_host/*.conf;
    include /data/nginx/temp/*.conf;

    # Custom
    include /data/nginx/custom/http[.]conf;
}

stream {
    # Files generated by NPM
    include /data/nginx/stream/*.conf;

    # Custom
    include /data/nginx/custom/stream[.]conf;
}

# Custom
include /data/nginx/custom/root[.]conf;
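The Real IP Determination block in that nginx.conf is the part of the posted config that matters once Cloudflare's proxy is switched on: the origin then only ever sees a Cloudflare (or Docker) address as the TCP peer, so `set_real_ip_from` lists the proxies that are allowed to supply the true client address and `real_ip_header` names the header it is read from. The Python script below is an added example, not code from this thread or from Nginx Proxy Manager. It models how nginx's ngx_http_realip_module chooses the client address, using the three private subnets from the posted config plus a constructed 203.0.113.0/24 placeholder standing in for the CDN ranges that `conf.d/include/ip_ranges.conf` would contain (that file is not on the page), and shows why a forwarded header arriving from an untrusted peer is ignored.

```python
import ipaddress

# Trusted proxy ranges. The three private subnets are the set_real_ip_from
# entries from the posted nginx.conf; 203.0.113.0/24 is a CONSTRUCTED
# placeholder for the CDN ranges ip_ranges.conf would add (not on the page).
TRUSTED_PROXIES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")
]


def _is_ip(addr):
    """True if addr parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr lies inside one of the trusted proxy networks."""
    if not _is_ip(addr):
        return False  # an unparseable address is never a trusted proxy
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def real_client_ip(remote_addr, header_value, recursive=True, trusted=TRUSTED_PROXIES):
    """Model of ngx_http_realip_module's client-address selection.

    remote_addr  - the TCP peer nginx accepted the connection from
    header_value - value of the configured real_ip_header: one address for
                   X-Real-IP, or a comma-separated chain for X-Forwarded-For
    recursive    - mirrors real_ip_recursive on/off
    """
    # The header is honoured only when the peer itself is a trusted proxy;
    # a client connecting directly cannot rewrite its own address.
    if not is_trusted(remote_addr, trusted):
        return remote_addr

    chain = [a.strip() for a in (header_value or "").split(",") if a.strip()]
    if not chain:
        return remote_addr

    if not recursive:
        # real_ip_recursive off: the last address in the header wins
        last = chain[-1]
        return last if _is_ip(last) else remote_addr

    # real_ip_recursive on: walk the chain right to left, skipping every hop
    # that is itself a trusted proxy; the first untrusted address is the client.
    for addr in reversed(chain):
        if not _is_ip(addr):
            return remote_addr  # malformed chain: keep the peer address
        if not is_trusted(addr, trusted):
            return addr
    # Every hop was a trusted proxy: the leftmost one is as far back as we see.
    return chain[0]


if __name__ == "__main__":
    # Constructed scenarios: a direct (untrusted) peer claiming another IP,
    # a proxied request from the placeholder CDN range, and a two-hop chain.
    scenarios = [
        ("198.51.100.7", "1.2.3.4", True),
        ("203.0.113.10", "198.51.100.7", True),
        ("192.168.50.1", "198.51.100.7, 203.0.113.10", True),
        ("192.168.50.1", "198.51.100.7, 203.0.113.10", False),
    ]
    for peer, header, rec in scenarios:
        print(f"peer={peer:14} header={header!r:32} recursive={rec!s:5} "
              f"-> client {real_client_ip(peer, header, rec)}")
```

With the posted config the header is X-Real-IP, so the chain is normally a single address; the recursive walk only makes a difference when a proxy behind Cloudflare appends to X-Forwarded-For. The important property in both cases is the first check: the peer address must match `set_real_ip_from`, otherwise the header is ignored and the logged `[Client ...]` field keeps the real peer.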

Sorry, I meant your site-specific Nginx config, not the global config. That’s the config that includes your site’s domain.

Do you mean the proxy host stuff? It's got the domain and local IP / port. If not, give me a hint where to look. I'm new to this.

You should have a config file that contains this:

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}

Except it’s your domain instead of www.example.com.

The only config I’ve done for that has been copy and paste for Portainer and with the web ui for the routes. Could that be what I’m missing?

And a few more includes that you have put outside the preformatted text.

These are the directories you include. One of the files in there must have the section from my previous post with listen and server_name and so on.

Can you give me a link to the tutorial you followed?

The only difference is I got the domain from Cloudflare and I copied a token for the SSL.
I'll have a look for the other stuff.

Might need to be a tomorrow thing now, getting late.

OK, pretty sure this is it:

# ------------------------------------------------------------
# canu.fightthepanda.uk
# ------------------------------------------------------------

map $scheme $hsts_header {
    https "max-age=63072000;includeSubDomains; preload";
}

server {
    set $forward_scheme http;
    set $server "192.168.50.103";
    set $port 2342;

    listen 80;
    listen [::]:80;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name canu.fightthepanda.uk;

    # Let's Encrypt SSL
    include conf.d/include/letsencrypt-acme-challenge.conf;
    include conf.d/include/ssl-ciphers.conf;
    ssl_certificate /etc/letsencrypt/live/npm-2/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-2/privkey.pem;

    # Block Exploits
    include conf.d/include/block-exploits.conf;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
    add_header Strict-Transport-Security $hsts_header always;

    # Force SSL
    include conf.d/include/force-ssl.conf;

    access_log /data/logs/proxy-host-1_access.log proxy;
    error_log /data/logs/proxy-host-1_error.log warn;

    location / {
        # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
        add_header Strict-Transport-Security $hsts_header always;

        # Proxy!
        include conf.d/include/proxy.conf;
    }

    # Custom
    include /data/nginx/custom/server_proxy[.]conf;
}


Yes, that is the correct file.

Can you change the proxy status to DNS-Only for a few moments?

Yep, done.

That’s not working, neither via HTTP nor HTTPS:

curl -svo /dev/null https://canu.fightthepanda.uk
*   Trying xxx.xxx.xxx.xxx:443...
^C

curl -svo /dev/null http://canu.fightthepanda.uk
*   Trying xxx.xxx.xxx.xxx...
^C

There is no response at all, so I assume you either have no port forwarding or your ISP blocks requests.


So port forwarding is set up, so I guess I'll hit up my ISP and see how that goes. Thanks for all your help.

I wouldn’t bother.

I would recommend you just use Cloudflared instead of following that YouTube guide. It works without port forwarding, and it doesn't matter if your ISP blocks ports 80 and 443.

It’s also not very complicated to set up.


Yep, it was an ISP issue, they block the ports. This had me so confused. I guess I could just use ports that aren't blocked.

You could create a tunnel using cloudflared and not have to change ports or open any in your firewall.
