Hello there
I am attempting to make use of turnkey linux wordpress and am at a bit of a loss for how to configure SSL on the 'backend' vm with the wordpress-18.0-bookworm-amd64.iso.
Note: I have read the article Turnkey linux appliances behind a reverse proxy.
MY SETUP:
I am running a home server with proxmox. Inside an ubuntu-cloud vm instance I have nginx installed with a reverse proxy which points external traffic from a particular domain linked to my external IP address, redirected to my internal IP address of a wordpress turnkey linux VM hosted on proxmox.
(Previously, I did not have such an nginx reverse proxy, and was instead relying on my router to perform the function of redirecting incoming traffic to this machine)
Since that time, I have installed the ubuntu-cloud machine with nginx. Which leads me to the following problems:
* The page loads but since many assets such as images in particular are http, this leads to a host of errors within the browser (cross origin etc)
I have messed around with the php files and attempted an installation of 'really simple ssl' plugin to try to programmatically go through wordpress and change everything automatically. It turns out to be not that simple.
This has led to me abandoning this wordpress machine and instantiating a new one. I have done the following:
1. Followed the prompts before installation, utilizing Turnkey terminal user interface (TUI) for letsencrypt. While this seems like a natural fit for my purposes, as I wish to have https - "proper" CA signed specific cert; cert verified by reverse proxy, I am confronted with another issue.
2. Wordpress, itself, has site url under settings listed as http. I have experimented with 'Really Simple SSL' wordpress plugin in addition to the above Turnkey linux SSL yet again because it isn't clear how to resolve this matter.
What is the best way to deal with this? I am under the belief my reverse proxy is properly configured. Below is a snippet of that configuration code, situated at /etc/nginx/sites-enabled
```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name my-broken-and-annoying-site.com;

    # Ensure requests are redirected to HTTPS
    return 301 https://$host$request_uri;
}

# Handle HTTPS traffic
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name my-broken-and-annoying-site.com;

    # SSL configuration managed by Certbot
    ssl_certificate /etc/letsencrypt/live/my-broken-and-annoying-site.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-broken-and-annoying-site.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Proxy configuration
    location / {
        proxy_pass http://192.168.1.69; # Forward traffic to WordPress
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Additional proxy settings for enhanced functionality and security
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        # $connection_upgrade is not built in; it needs a map block in the http context
        proxy_set_header Connection $connection_upgrade;
        # This line is key for WebSocket support
        proxy_set_header Connection "upgrade";
    }
}
```
Any guidance on how to deal with this situation, specifically with wordpress but with other turnkey appliances such as LAMP & others, is very welcome.
I've got thoughts...
TBH, I don't run the setup you are attempting myself, so I'm not super familiar. FYI my main experience with reverse proxying is providing a front end https termination for a local backend service running on a non-standard port via http.
I'm happy to do my best to help, but unfortunately right now I'm a bit snowed under and not in a position to work out exactly what you're trying to achieve. I'm sure I could get it to work, but I don't know OTTOMH so would need to do some trial and error. But I wanted to reply so you know I'm not just ignoring you and perhaps I can point you in the right direction?
From a glance though I can tell that your config is not set for what I think that you are saying you're trying to achieve. This line in particular:
You're connecting to your backend TKL WP via IP using HTTP. To do what you say you're trying to achieve, you'll need to use HTTPS. And an HTTPS cert can only be valid for a domain, not an IP. E.g.:
I suspect that to get that all working there will be some specific steps. And beyond that, I'd need to have a bit of a play and I just don't have the time and energy to spare (I started at 6am and it's nearly 8pm and I really need to knock off...).
A quick google turned up this Nginx doc page that from a glance looks like it might help?: https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/.
FWIW one of the alternate methods will be much easier...! Perhaps do one of them now to get you up and running, and fiddle with this as and when you have the time and energy?
Sorry I'm not giving you much to work with, but please let me know how you go (good or bad) and what you've tried and I'll try to give some more feedback as I can. If I get some spare time I'll have a play myself because it's a problem that I think would be interesting to solve.
Good luck and hopefully chat more soon.
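An added example, not part of the original thread or either poster's configuration: the proxy's HTTPS server block reworked so the hop to the backend is TLS with the backend certificate verified by name, as the reply and the linked Nginx page describe. It assumes the backend's certificate is issued for my-broken-and-annoying-site.com by a public CA and that the backend is still reached at 192.168.1.69; the CA bundle path is the Debian/Ubuntu default.

```nginx
# Added example; the assumptions are listed in the lead-in above.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name my-broken-and-annoying-site.com;

    ssl_certificate     /etc/letsencrypt/live/my-broken-and-annoying-site.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-broken-and-annoying-site.com/privkey.pem;

    location / {
        # Before: plain HTTP on the LAN hop.
        # proxy_pass http://192.168.1.69;

        # After: TLS to the backend, still addressed by IP.
        proxy_pass https://192.168.1.69;

        # A certificate is valid for a domain, not an IP, so tell nginx which
        # name to check the backend certificate against and to send as SNI.
        proxy_ssl_name        my-broken-and-annoying-site.com;
        proxy_ssl_server_name on;

        # Verification is off by default; without these lines nginx accepts
        # whatever certificate the backend presents.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_verify_depth        2;

        # Same forwarding headers as the original snippet, so the backend
        # still sees the public host name and scheme.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

If verification fails, nginx returns 502 to the client and records the certificate error in its error log, which is the place to look when the name or CA bundle does not match.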