Nginx Subdomains are all messed up

malikwirin · December 14, 2024, 5:45pm

My configuration causes no errors or similar but does not follow my expectations at all. The odd behavior might be related to one another.

My configuration

Nginx

{ config, pkgs, ... }:
let
  domain = config.networking.domain;
in
{
  services.nginx = {
    enable = true;

    package = pkgs.nginxStable.override { openssl = pkgs.libressl; };

    virtualHosts = {
      ${domain} = {
        enableACME = true;
        addSSL = true;
        locations."/" = {
          return = "200 '<html><body>It works</body></html>'";
          extraConfig = ''
            default_type text/html;
          '';
        };
      };

      "binarycache.${domain}" = {
        useACMEHost = domain;
        addSSL = true;
        locations."/".extraConfig = ''
          proxy_pass http://127.0.0.1:5000;
          proxy_set_header Host $host;
          proxy_redirect http:// https://;
          proxy_http_version 1.1;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $connection_upgrade;
        '';
      };

      "${config.services.buildbot-nix.master.domain}" = {
        useACMEHost = domain;
        addSSL = true;
      };

      "test.${domain}" = {
        useACMEHost = domain;
        locations."/" = {
          return = "200 '<html><body>Test Works</body></html>'";
          extraConfig = ''
            default_type text/html;
          '';
        };
      };
    };
  };
}

ACME

{ pkgs, config, ... }:
let
  domain = config.networking.domain;
in
{
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "redacted";
      dnsProvider = redacted;
      environmentFile = redacted;
    };

    certs = {
      "${domain}" = {
        domain = "*.${domain}";
        extraDomainNames = [ domain ];
        group = config.services.nginx.group;
      };
    };
  };

  systemd.tmpfiles.rules = [ "d /var/lib/acme 0750 acme acme -" ];

  users.groups.acme = {
    members = [ config.services.nginx.user ];
  };
}

Buildbot Master

{ config, lib, ... }:

let
  sopsCfg = config.sops;
in
{
  services = {
    buildbot-nix.master = {
      enable = true;
      domain = "buildbot.${config.networking.domain}";

      workersFile = sopsCfg.templates."buildbot-workers.json".path;
      admins = [ "malik" ];
      outputsPath = "/var/www/buildbot/nix-outputs";

      authBackend = "gitea";
      gitea = {
        enable = true;
        tokenFile = sopsCfg.secrets."codeberg-token".path;
        instanceUrl = "https://codeberg.org";
        oauthId = "redacted";
        oauthSecretFile = sopsCfg.secrets."cb-buildbot-secret".path;
        webhookSecretFile = sopsCfg.secrets."buildbot-webhook".path;
        topic = "build-with-buildbot";
      };
    };

    buildbot-master = {
      buildbotUrl = lib.mkForce "https://${config.services.buildbot-nix.master.domain}";
    };
  };
}

Mismatch

1. All unconfigured Subdomains lead to the site of Harmonia

Whatever url I put in my Browser in the form of “https://any letters.domain” cause this behavior.

github.com/nix-community/harmonia

Recommended nginx setting overrides all subdomains

opened 04:46PM - 14 Dec 24 UTC

malikwirin

Using the recommended nginx settings ``` nix locations."/".extraConfig =… '' proxy_pass http://127.0.0.1:5000; proxy_set_header Host $host; proxy_redirect http:// https://; proxy_http_version 1.1; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; ''; ``` makes it that I see ![Bildschirmfoto vom 2024-12-14 16-47-35](https://github.com/user-attachments/assets/5a4e60a6-eec1-42e6-8524-a903cfaea29b) not only when using the configured domain but when using any unconfigured domain also

2. buildbot domain not reachable

I get an error 502 Bad Gateway when trying to reach the buildbot web interface.
Nginx 502 Bad Gateway

github.com/nix-community/buildbot-nix

Buildbot Frontend not reachable

opened 05:41PM - 14 Dec 24 UTC

malikwirin

My configuration isn't based on the [clan infra](https://git.clan.lol/clan/clan-…infra/src/branch/main/modules/buildbot.nix). But I realized that they are very similar. ``` nix { config, lib, ... }: let sopsCfg = config.sops; domain = config.networking.domain; in { services = { buildbot-nix.master = { enable = true; domain = "buildbot.${domain}"; workersFile = sopsCfg.templates."buildbot-workers.json".path; admins = [ "malik" ]; outputsPath = "/var/www/buildbot/nix-outputs"; authBackend = "gitea"; gitea = { enable = true; tokenFile = sopsCfg.secrets."codeberg-token".path; instanceUrl = "https://codeberg.org"; oauthId = "redacted"; oauthSecretFile = sopsCfg.secrets."cb-buildbot-secret".path; webhookSecretFile = sopsCfg.secrets."buildbot-webhook".path; topic = "build-with-buildbot"; }; }; buildbot-master = { buildbotUrl = lib.mkForce "https://${config.services.buildbot-nix.master.domain}"; }; nginx.virtualHosts."${config.services.buildbot-nix.master.domain}" = { useACMEHost = domain; addSSL = true; }; }; } ``` But I always see the following instead of the buildbot frontend when trying to. ![Bildschirmfoto vom 2024-12-14 18-34-23](https://github.com/user-attachments/assets/fa8bbadd-ad88-41d5-94b1-dd16fbd7b0b1) Could this be related to [harmonia#481](https://github.com/nix-community/harmonia/issues/481)?

polygon · December 14, 2024, 8:38pm

For 1. the main question is why all these unconfigured subdomains resolve to your Nginx instance. Nginx will respond with whatever site is configured as default_server when the incoming domain name does not match any configured site. Not sure which one it chooses when no site is configured as default_server.

Still, I’d check why they all resolve to your webserver. And if that is on purpose, please mention what your expectations are.

For 2. that usually means that nginx cannot reach the application server of buildbot. It’s not completely clear to me how the buildbot configuration works, but I’d look at the generated nginx config files if there is a proxy_pass directive and if it is correct. Then you could check if the service that nginx expects to run is actually running and responding properly.

malikwirin · December 16, 2024, 9:38am

I will propably set the default server to the one behind the topdomain.

Because Harmonia is a binary cache provider I don’t really need the frontend, which makes me wonder why the in the Readme recommended nginx settings cause such behavior.

I already realized that the problem with buildbot is most propably not related to my nginx configuration.