Ah yes, many options to reach the same goal – this was my proposition, please feel free to ask:
*:80: You don’t have to do anything here: This is the Nginx configuration for a default server on port 80, open to your internal network and serving Kolibri with a non-modified version of kolibri-server's Nginx and UWSGI configuration.
yourdomain.com:443: Open to the internet, is configured with a proxy_pass to serve http://127.0.0.1:80 (the above Nginx host). This way, you can keep its configuration minimal! This is where you will put your SSL configuration.
yourdomain.com:80 - Configured with Nginx to redirect everything to https://yourdomain.com (the above configuration), overrules *:80 because it’s a more specific rule. I think you may want to use a Firewall and some NATing in front of your server to bind external port 80 traffic to another internal port, such that “intranet Kolibri” can have *:80 in its entirety for your internal network.
If you have a firewall in front of your server, perhaps you can serve unencrypted HTTP as yourdomain:81 on the server and serve port 80 on your external interface (router?), using NAT to redirect it to
For me, making Nginx configurations work usually starts by making them work without SSL and then adding it afterwards, to have a manageable amount of configuration introduced step-by-step.
Perhaps this order can be of use?
- Use the normal installation of kolibri-server and select to listen on port 80 (as the default server), with nothing else configured on Nginx. See that http://yourhost:80 works and serves Kolibri.
- Create a new nginx server configuration in /etc/nginx/sites-available/yourhost.conf, listening on port 123 with a http://127.0.0.1:80, check that http://yourhost:123 works in your browser
- … oh and remember to symlink the configuration in /etc/nginx/sites-enabled/yourhost.conf and run sudo systemctl reload nginx every time you change something.
yourhost.conf to serve your actual domain name, ensure that your DNS, NAT etc. works and you can access yourdomain.com from outside. You don’t need port 80 for this to work.
- When you have Kolibri running through the proxy_pass and accessible with your domain, start introducing SSL.
Could I get some support on how to redirect to HTTPS? I have done some of the reading on proxy_pass-ing to https, but I don’t seem to have success.
proxy_pass is used to serve something from an internal socket or TCP port, so for instance a browser can go to http://blah:123 and Nginx then serves back http://127.0.0.1:567 without the browser seeing the difference, since the whole proxy mechanism is inside Nginx. Now, if you use a redirect, Nginx will send back an HTTP response “302 moved” and the browser's address would change in the address bar to the new location - http://blah:567. This is very useful when you want to force the browser to use HTTPS instead of HTTP.
I hope it helps – there are many ways to set this up.
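
The layout described in the post above, sketched as an added example that is not part of the original post or of kolibri-server's own configuration. yourdomain.com and the certificate paths are placeholders, and it assumes Kolibri accepts requests whose Host header is the upstream address.

```nginx
# Added example: contents for /etc/nginx/sites-available/yourhost.conf.
# The default *:80 server installed by kolibri-server stays untouched.

# yourdomain.com:80 - redirect plain HTTP to HTTPS.
# More specific than the default *:80 server, so it wins for this name.
server {
    listen 80;
    server_name yourdomain.com;

    # 302 as in the post; switch to 301 once the setup is verified.
    return 302 https://yourdomain.com$request_uri;
}

# yourdomain.com:443 - terminate TLS here, proxy to the default *:80 server.
server {
    listen 443 ssl;
    server_name yourdomain.com;

    # Placeholder paths: point these at your real certificate and key.
    ssl_certificate     /etc/ssl/certs/yourdomain.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/yourdomain.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:80;

        # Host is left at nginx's default ($proxy_host, here 127.0.0.1).
        # Forwarding "Host: yourdomain.com" would make the upstream request
        # match the redirect block above and loop back to HTTPS forever.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Run sudo nginx -t before sudo systemctl reload nginx so a syntax error does not take the internal *:80 server down with it.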