
<div dir="ltr"><div>That last "# managed by Certbot" section looks wrong - it shouldn't be using "if ($host = ...", since that's inefficient and there are much better ways to do it.</div><div><br></div><div>I have a very similar server, so here are the config files I use for it. I don't like pasting them into emails, so I made a GitHub Gist: <a href="https://gist.github.com/kohenkatz/08a74d757e0695f4ec3dc34c44ea4369">https://gist.github.com/kohenkatz/08a74d757e0695f4ec3dc34c44ea4369</a> (that also means I can edit it later if it doesn't work for you).</div><div><br></div><div>Note that with this configuration you have to run Certbot in "certonly" mode instead of nginx mode. However, that is very easy. </div><div>I have eight servers configured in this exact way (though most of them with applications other than Seafile and Mattermost, but it doesn't matter).</div><div><br></div><div>Here is the certbot command I use:</div><div><font face="monospace, monospace">sudo certbot certonly --webroot -w 


<span style="color:rgb(36,41,46);font-family:SFMono-Regular,Consolas,"Liberation Mono",Menlo,Courier,monospace;font-size:12px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:pre;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">/usr/share/nginx/html -d <a href="http://domain-name-here.example.com">domain-name-here.example.com</a></span></font></div><div>(If you changed the path for `.well-known` in the config files in my Gist, you will also need to change it here.)<br></div><div><br></div><div>Let me know how this works for you.</div><div><br></div><div>Moshe</div><br clear="all"><div><div dir="ltr" class="gmail_signature"><div class="gmail_signature"><div dir="ltr">--<br>Moshe Katz<br>-- <a href="mailto:kohenkatz@gmail.com" target="_blank">kohenkatz@gmail.com</a><br>-- +1(301)867-3732</div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr">On Tue, May 15, 2018 at 4:32 PM Nginx-Chris <<a href="mailto:nginx-forum@forum.nginx.org">nginx-forum@forum.nginx.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear Moshe<br>

<br>

I did switch off the seafile configuration and that means that the normal<br>

<a href="http://chat.mydomain.com" rel="noreferrer" target="_blank">chat.mydomain.com</a> works again with nginx.,<br>

<br>

I did then do <br>

<br>

> sudo certbot --nginx<br>

<br>

and the <a href="http://sitechat.mydomain.com" rel="noreferrer" target="_blank">sitechat.mydomain.com</a> now runs on with SSL.<br>

<br>

So then I switch seafile conf on again --> Seafile works as always.<br>

<br>

AND mattermost on <a href="http://chat.mydomain.com" rel="noreferrer" target="_blank">chat.mydomain.com</a> works, but ONLY if I add https:// in<br>

front of the web address.<br>

<br>

So:<br>

<br>

<a href="http://chat.mydomain.com" rel="noreferrer" target="_blank">chat.mydomain.com</a> <-- does only work when seafile off (then redirects)<br>

<a href="http://chat.mydomain.com" rel="noreferrer" target="_blank">http://chat.mydomain.com</a> <--  does only work when seafile off (then<br>

redirects)<br>

<br>

<a href="https://chat.mydomain.com" rel="noreferrer" target="_blank">https://chat.mydomain.com</a> <-- works when seafile is on and/or off.<br>

<br>

Why does nginx not redirect the <a href="http://chat.mydomain.com" rel="noreferrer" target="_blank">chat.mydomain.com</a> to https?<br>

<br>

The new config for <a href="http://chat.mydomain.com" rel="noreferrer" target="_blank">chat.mydomain.com</a> is this. it got changed by certbot<br>

automatically.<br>

<br>

MATTERMOST:<br>

<br>

   server <a href="http://127.0.0.1:8065" rel="noreferrer" target="_blank">127.0.0.1:8065</a>;<br>

}<br>

<br>

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m<br>

max_size=3g inactive=120m use_temp_path=off;<br>

<br>

server { <br>

   server_name <a href="http://chat.mydomain.com" rel="noreferrer" target="_blank">chat.mydomain.com</a>;<br>

<br>

   location ~/api/v[0-9]+/(users/)?websocket$ {<br>

       proxy_set_header Upgrade $http_upgrade;<br>

       proxy_set_header Connection "upgrade";<br>

       client_max_body_size 50M;<br>

       proxy_set_header Host $http_host;<br>

       proxy_set_header X-Real-IP $remote_addr;<br>

       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br>

       proxy_set_header X-Forwarded-Proto $scheme;<br>

       proxy_set_header X-Frame-Options SAMEORIGIN;<br>

       proxy_buffers 256 16k;<br>

       proxy_buffer_size 16k;<br>

       proxy_read_timeout 600s;<br>

       proxy_pass <a href="http://backend" rel="noreferrer" target="_blank">http://backend</a>;<br>

   }<br>

<br>

   location / {<br>

       client_max_body_size 50M;<br>

       proxy_set_header Connection "";<br>

       proxy_set_header Host $http_host;<br>

       proxy_set_header X-Real-IP $remote_addr;<br>

       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br>

       proxy_set_header X-Forwarded-Proto $scheme;<br>

       proxy_set_header X-Frame-Options SAMEORIGIN;<br>

       proxy_buffers 256 16k;<br>

       proxy_buffer_size 16k;<br>

       proxy_read_timeout 600s;<br>

       proxy_cache mattermost_cache;<br>

       proxy_cache_revalidate on;<br>

       proxy_cache_min_uses 2;<br>

       proxy_cache_use_stale timeout;<br>

       proxy_cache_lock on;<br>

       proxy_pass <a href="http://backend" rel="noreferrer" target="_blank">http://backend</a>;<br>

   }<br>

<br>

    listen 443 ssl; # managed by Certbot<br>

    ssl_certificate /etc/letsencrypt/live/<a href="http://chat.mydomain.com/fullchain.pem" rel="noreferrer" target="_blank">chat.mydomain.com/fullchain.pem</a>; #<br>

managed by Certbot<br>

    ssl_certificate_key /etc/letsencrypt/live/<a href="http://chat.mydomain.com/privkey.pem" rel="noreferrer" target="_blank">chat.mydomain.com/privkey.pem</a>;<br>

# managed by Certbot<br>

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot<br>

    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot<br>

<br>

}<br>

<br>

<br>

server {<br>

    if ($host = <a href="http://chat.mydomain.com" rel="noreferrer" target="_blank">chat.mydomain.com</a>) {<br>

        return 301 https://$host$request_uri;<br>

    } # managed by Certbot<br>

<br>

<br>

<br>

   listen 80;<br>

   server_name <a href="http://chat.mydomain.com" rel="noreferrer" target="_blank">chat.mydomain.com</a>;<br>

    return 404; # managed by Certbot<br>

<br>

Posted at Nginx Forum: <a href="https://forum.nginx.org/read.php?2,279794,279806#msg-279806" rel="noreferrer" target="_blank">https://forum.nginx.org/read.php?2,279794,279806#msg-279806</a><br>

<br>

_______________________________________________<br>

nginx mailing list<br>

<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>

<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>

</blockquote></div>