
I tried a few times to start from the beginning, but my subdomain still doesn't work. I have Nginx on Ubuntu. I want to create a client-side (main domain) configuration and a backend (subdomain) configuration.

The client-side config(work correctly):

server {
    # Frontend over HTTPS for the main domain; the built SPA lives in /var/www/html/dist.
    listen 443 ssl; # managed by Certbot
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    server_name hookahscope.com www.hookahscope.com;

    root  /var/www/html/dist;
    # Add index.php to the list if you are using PHP
    index index.html;

    # Certificate and TLS parameters written by certbot
    ssl_certificate /etc/letsencrypt/live/hookahscope.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/hookahscope.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # OCSP stapling, responses verified against the issuing chain
    ssl_trusted_certificate /etc/letsencrypt/live/hookahscope.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

    # Regex location: the '.' is unescaped and the pattern has no end anchor,
    # so it also matches URIs such as /sitemap-xml or /sitemap.xml.bak.
    location ~ ^/(sitemap.xml) {
        root /var/www/html/public;
    }

    # Everything else: serve the file if it exists on disk, otherwise the SPA entry point
    location / {
        try_files $uri /index.html;
    }
}

server {
    # Plain-HTTP listener; default_server makes it answer any Host value on port 80
    # that no other server block on that port claims.
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name hookahscope.com www.hookahscope.com;

    # Rewrite-phase directives run top to bottom: requests for either of the two
    # main hostnames are permanently redirected to HTTPS on the same host and URI.
    if ($host = www.hookahscope.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = hookahscope.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Any other Host value that lands here (unknown names, bare IP) gets a 404.
    return 404; # managed by Certbot
}

UPDATED: My client-side (main domain) config has additional server blocks, and this is the conflict:

server {
    # Certbot-generated HTTPS block for the api.* names. Rewrite-phase directives run
    # in order: the two `if` checks below compare $host with the non-api names (which
    # this block's server_name does not list), and the unconditional `return 404`
    # then answers every request that actually reaches this block.
    # NOTE(review): it also declares api.hookahscope.com on 443, the same name/port the
    # UPDATED2 block declares; presumably this is what produces the
    # "conflicting server name ... on 0.0.0.0:443, ignored" warning quoted in the
    # comments (nginx keeps the first definition it reads and ignores the later one).
    if ($host = www.hookahscope.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = hookahscope.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name www.api.hookahscope.com api.hookahscope.com; # managed by Certbot
    return 404; # managed by Certbot

    # Same certificate files as the main domain
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/hookahscope.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/hookahscope.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ssl_trusted_certificate /etc/letsencrypt/live/hookahscope.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

}



server {
    # Port-80 listener for the api names (not the default server): HTTP requests for
    # either api hostname are permanently redirected to HTTPS, same host and URI.
    listen 80;
    listen [::]:80;
    server_name www.api.hookahscope.com api.hookahscope.com;

    if ($host = www.api.hookahscope.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = api.hookahscope.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Reached only when this server was selected but neither check above matched
    return 404; # managed by Certbot
}

And back-end config:

server {
        # Backend on plain HTTP. Another server block in this configuration (the
        # certbot redirect block) also declares server_name api.hookahscope.com on
        # port 80, which is what triggers:
        #   nginx: [warn] conflicting server name "api.hookahscope.com" on 0.0.0.0:80, ignored
        listen 80;

        root  /var/www/backend;

        # Add index.php to the list if you are using PHP
        index index.html;

        server_name api.hookahscope.com;

# Regex location: unescaped '.' and no end anchor, so it matches more than /sitemap.xml
location ~ ^/(sitemap.xml) {
    root /var/www/html/public;
}

        location / {
# proxy_pass (below) and try_files (at the end of this location) are both content
# handlers; only one per location is meaningful, see the comments under the question.
# No URI part on proxy_pass, so the request URI is forwarded to 8081 unchanged.
proxy_pass http://localhost:8081;
        proxy_http_version 1.1;
        # WebSocket pass-through; Connection is set to 'upgrade' for every request
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
                # try_files looks for $uri under root and otherwise rewrites to
                # /index.html; combined with proxy_pass above the outcome is ill-defined.
                try_files $uri /index.html;
        }

}

I run the backend with pm2 (the server is Node.js with Express), so locally I can reach the backend on port 8081 with this command:

 curl http://localhost:8081/

Nginx shows an error, but it hasn't helped me:

 sudo nginx -t
nginx: [warn] conflicting server name "api.hookahscope.com" on 0.0.0.0:80, ignored

Of course, the error disappears if I remove `listen 80;` from the subdomain config, but I can't figure out what I should set up instead.

UPDATED 2: My subdomain config:

server {
    # Backend (API) over HTTPS: every request is proxied to the Express app on 8081.
    listen 443 ssl; # managed by Certbot
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    server_name api.hookahscope.com;

    # Same certificate files as the main domain
    ssl_certificate /etc/letsencrypt/live/hookahscope.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/hookahscope.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ssl_trusted_certificate /etc/letsencrypt/live/hookahscope.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

    # Sitemap location kept disabled:
    #location ~ ^/(sitemap.xml) {
    #    root /var/www/html/public;
    #}

    location / {
        # proxy_pass carries a URI ("/"): the matched prefix "/" is replaced by "/",
        # so paths reach the backend unchanged apart from nginx's URI normalization.
        proxy_pass http://localhost:8081/;
        proxy_http_version 1.1;
        # WebSocket pass-through; Connection is set to 'upgrade' for every request
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
  • try this `proxy_pass http://localhost:8081/;` – Thanh Nguyen Van Nov 18 '20 at 17:51
  • Both `proxy_pass` and `try_files` (as well as the `fastcgi_pass`, `uwsgi_pass` etc) are so-called *content handlers*. You should have only one content handler per `location` block, using several content handlers at once is meaningless and could lead to unpredictable results. Your nginx error means you have several `server` blocks with `server_name api.hookahscope.com; listen 80;` directives. You should check the `nginx -T` output to check what additional configuration files are being included to the main nginx config. Or better add that command output to your question. – Ivan Shatsky Nov 18 '20 at 17:57
  • @ThanhNguyenVan Yes, you are right; now I see `Cannot GET /index.html`, so I need to do something else – Mediator Nov 18 '20 at 21:32
  • @IvanShatsky I found this conflict. Actually my main (client-side) config has lines for the subdomain. I updated my post. So now I'm not sure whether to remove it, or remove my api.hookahscope.com config. – Mediator Nov 18 '20 at 22:46
  • @Mediator Are `hookahscope.com`, `www.hookahscope.com` and `api.hookahscope.com` the only domain names served by this particular nginx instance or there are some other shared server blocks/domain names? What domain names are actually listed under SAN (subject alternative name) field of the SSL certificate? What was the `certbot` command issued for getting those? In general you should never allow certbot to made any nginx automatic configuration change, I wrote about it [just yesterday](https://stackoverflow.com/questions/64889800/certbot-nginx-generates-pr-end-of-file-error/64890313#64890313). – Ivan Shatsky Nov 19 '20 at 06:08
  • @Mediator And before I suggest you an optimal configuration for this case, answer one more question, do you want for some www-to-non-www or non-www-to-www redirection to be added to that configuration? As for now you have non-www HTTP to non-www HTTPS and www HTTP to www HTTPS redirection automatically added by certbot. – Ivan Shatsky Nov 19 '20 at 06:13
  • Really, I don't care about redirection from www to non-www; the most important thing is that all domains should work, www and non-www, with http or https. – Mediator Nov 19 '20 at 08:55
  • @Mediator What about my previous questions? Are `hookahscope.com`, `www.hookahscope.com` and `api.hookahscope.com` the only domain names served by this particular nginx instance or there are some other shared server blocks/domain names? – Ivan Shatsky Nov 19 '20 at 09:50
  • @IvanShatsky only hookahscope.com www.hookahscope.com and api.hookahscope.com – Mediator Nov 19 '20 at 10:00


Instead of checking the Host HTTP header via `if ($host = hookahscope.com) { ... }`, I recommend filtering the requests by defining two server blocks, as suggested by the official nginx documentation (read this answer for a detailed description). With two separate SSL server blocks you shouldn't use the `ipv6only=on` flag on the listen directive (read this thread for details). Here is the configuration I recommend:

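server {
    # Redirect HTTP to HTTPS for requests whose 'Host' header is one of our domains.
    listen 80;
    listen [::]:80;
    server_name hookahscope.com www.hookahscope.com api.hookahscope.com;
    # $host is the request hostname with any ":port" stripped (falling back to the
    # matched server_name); $http_host is the raw header, so a request sent as
    # "Host: hookahscope.com:80" would otherwise be redirected to https://hookahscope.com:80/...
    return 301 https://$host$request_uri;
}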
server {
    # Default server for port 80: a request whose Host matches none of the named
    # server blocks on this port is dropped without a response (444 closes the connection).
    listen 80 default_server;
    listen [::]:80 default_server;
    return 444;
    # NOTE(review): there is no equivalent default_server on 443 in this configuration;
    # an HTTPS request with an unknown Host/SNI is handled by the first 443 server block
    # nginx reads — confirm that is acceptable.
}
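server {
    # frontend: static SPA for the main domain
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name hookahscope.com www.hookahscope.com;
    root /var/www/html/dist;

    # SSL configuration made by certbot. Every trailing note must start with '#':
    # a bare "managed by Certbot" after the ';' is read as a directive named
    # "managed", which nginx rejects and `nginx -t` fails on.
    ssl_certificate /etc/letsencrypt/live/hookahscope.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/hookahscope.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # OCSP stapling, responses verified against the issuing chain
    ssl_trusted_certificate /etc/letsencrypt/live/hookahscope.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

    # Exact match (no regex): only /sitemap.xml itself is served from the public dir
    location = /sitemap.xml {
        root /var/www/html/public;
    }
    # Serve the file if it exists on disk, otherwise hand back the SPA entry point
    location / {
        try_files $uri /index.html;
    }
}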
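server {
    # backend: everything under api.hookahscope.com is proxied to the Express app on 8081
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name api.hookahscope.com;

    # SSL configuration made by certbot. Every trailing note must start with '#':
    # a bare "managed by Certbot" after the ';' is read as a directive named
    # "managed", which nginx rejects and `nginx -t` fails on.
    # NOTE(review): this reuses the hookahscope.com certificate, so that certificate
    # must list api.hookahscope.com as a SAN (see the question comments) — confirm.
    ssl_certificate /etc/letsencrypt/live/hookahscope.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/hookahscope.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # OCSP stapling, responses verified against the issuing chain
    ssl_trusted_certificate /etc/letsencrypt/live/hookahscope.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

    location / {
        # No URI part on proxy_pass: the request URI is forwarded unchanged
        proxy_pass http://localhost:8081;
        proxy_http_version 1.1;
        # WebSocket pass-through; Connection is forced to 'upgrade' for every request,
        # not only for those that carry an Upgrade header
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        # The backend sees the hostname the client asked for
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        # NOTE(review): no X-Forwarded-For / X-Forwarded-Proto headers are passed, so the
        # app cannot tell the client address or that the request arrived over HTTPS.
    }
}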
  • this config shows content from hookahscope.com by https://api.hookahscope.com – Mediator Nov 19 '20 at 18:56
  • also hookahscope.com redirects to the backend. Maybe I did something wrong; I'll try to do it from the beginning – Mediator Nov 19 '20 at 19:14
  • @Mediator You can check how the redirections working with `curl` (look at `Location` HTTP header value): `curl http://hookahscope.com`, `curl http://www.hookahscope.com`, `curl http://api.hookahscope.com`. Remember that unlike temporary 302, permanent 301 redirections are being cached by the browser. – Ivan Shatsky Nov 19 '20 at 19:33
  • `curl http://hookahscope.com`, `curl http://www.hookahscope.com` and `curl http://api.hookahscope.com` all return the backend. – Mediator Nov 19 '20 at 20:01
  • @Mediator Use the markdown (single backquotes) please for URLs, I don't understand anything from the previous comments. – Ivan Shatsky Nov 19 '20 at 20:04
  • @Mediator Do you remove all the other `server` blocks? What `nginx -t` says? – Ivan Shatsky Nov 19 '20 at 20:08
  • nginx: [warn] conflicting server name "api.hookahscope.com" on 0.0.0.0:443, ignored nginx: [warn] conflicting server name "api.hookahscope.com" on [::]:443, ignored nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful – Mediator Nov 19 '20 at 21:37
  • @Mediator You still have some other `server` blocks in your config from your older configuration. Can you post `nginx -T` output somewhere (append to your question or at pastebin etc)? – Ivan Shatsky Nov 19 '20 at 21:40
  • In your config "hookahscope.com www.hookahscope.com api.hookahscope.com" was wrong; it should be without api.hookahscope.com. Now it works, but only for https://, not the redirection for http://hookahscope.com/, error: curl: (7) Failed to connect to hookahscope.com port 80: Connection refused " – Mediator Nov 19 '20 at 21:42
  • @Mediator Nothing was wrong with my config. That `server` block was designed specially for HTTP to HTTPS redirection and should contain all the three domain names (and do a correct redirection for all of them). You have some extra `server` block either in `nginx.conf` or in one of the included files. Can you post `nginx -T` output somewhere? – Ivan Shatsky Nov 19 '20 at 21:47
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/224816/discussion-between-mediator-and-ivan-shatsky). – Mediator Nov 19 '20 at 22:00