
I'm running a home server (Ubuntu 20.04) running nginx, and I'm having a bit of a sticky problem. Here's how it goes:

SETUP: I have a website (call it example.com) hosted on a VPS, somewhere. I'm trying to configure some webapps that are hosted locally, but accessible via the subdomains of example.com. I have one already working, as follows: an A-record on example.com redirects foo.example.com to the WAN IP of my router, which then forwards ports through NAT to my home server (local IP 192.168.1.69) running nginx. The config file foo.example.com.conf gets accessed in /etc/nginx/sites-enabled (via symlink from a conf file in /etc/nginx/sites-available), and, bada bing bada boom, the thing works! It's a jitsi-meet instance so I can conduct my own videoconferencing.

GOAL: I'm now trying to set up bar.example.com to work in the same way with FluxBB, a php-based messageboard service. (I haven't set up the A-record for bar.example.com yet, for obvious reasons.) I got PHP and MySQL installed on the box, made a little database for it -- the basic requirements for install. I then downloaded 1.5.11, unzipped it, moved the contents to /usr/www/bar.example.com. Then I moved to /etc/nginx/sites-available, made the extremely barebones config file bar.example.com.conf, set up a symlink to sites-enabled, reloaded nginx, and confirmed that 192.168.1.69 shows the nginx splash screen. The next step for me is to navigate to the version of the website (locally running via nginx) and open install.php from the root directory of the site, to do more config...

PROBLEM: ...but the problem is, I don't know how to get there. I can access install.php from the command line on my server machine, but it just prints the php of the webpage I'd like to be visiting — no use to me! So I'd like to access it from my client computer (on the LAN) but bar.example.com/install.php automatically resolves via the DNS of example.com, and the subdomain requested doesn't exist yet, so it returns 404. And while http://192.168.1.69/install.php returns nothing, https://192.168.1.69/install.php interprets "install.php" as a room name for jitsi-meet.

Any ideas on how to proceed? Do I truly have to install a command line web browser on my server, or worse, a GUI? I'm going to include the three .conf files (for each webapp, as well as for nginx itself).

/etc/nginx/nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        # Stock Ubuntu default; TLSv1 and TLSv1.1 are deprecated (RFC 8996) and
        # can be removed from this list once no client still needs them.
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
# 
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

/etc/nginx/sites-available/bar.example.com.conf

server {
    listen 80;
    listen [::]:80;
    root /var/www/bar.example.com;
    index index.php index.html index.htm;
    server_name bar.example.com www.bar.example.com;

    location / {
        # The original referenced a named location @rewriteapp that is never
        # defined in this file; nginx then answers 500 for any URI that is not
        # a real file or directory. Fall back to the front controller instead.
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location /install/ {
        try_files $uri $uri/ @rewrite_installapp;
    }

    location ~ \.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        # The socket name must match the php-fpm version actually installed
        # (Ubuntu 20.04 ships php7.4-fpm, so this path may need adjusting).
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        include fastcgi_params;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        # Only hand existing .php files to php-fpm; a non-existent script path
        # (for example an uploaded file followed by /x.php) is not executed.
        try_files $uri $uri/ /install/app.php$is_args$args;
    }

    location @rewrite_installapp {
        rewrite ^(.*)$ /install/app.php/$1 last;
    }
}

/etc/nginx/sites-available/foo.example.com.conf

server_names_hash_bucket_size 64;

server {
    listen 80;
    listen [::]:80;
    server_name foo.example.com;

    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root         /usr/share/jitsi-meet;
    }
    location = /.well-known/acme-challenge/ {
       return 404;
    }
    location / {
       return 301 https://$host$request_uri;
    }
}
server {
    listen 4444 ssl http2;
    listen [::]:4444 ssl http2;
    server_name foo.example.com;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 alone is enough for
    # current browsers, and TLSv1.3 can be added if the OpenSSL build supports it.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

    add_header Strict-Transport-Security "max-age=31536000";

    ssl_certificate /etc/letsencrypt/live/foo.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/foo.example.com/privkey.pem;

    root /usr/share/jitsi-meet;

    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;

    index index.html index.htm;
    error_page 404 /static/404.html;

    gzip on;
    gzip_types text/plain text/css application/javascript application/json;
    gzip_vary on;

    location = /config.js {
        alias /etc/jitsi/meet/foo.example.com-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    #ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;
    }

    # BOSH
    location = /http-bind {
        proxy_pass      http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # xmpp websockets
    location = /xmpp-websocket {
        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        tcp_nodelay on;
    }

    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }

    location ~ ^/([^/?&:'"]+)/config.js$
    {
       set $subdomain "$1.";
       set $subdir "$1/";

       alias /etc/jitsi/meet/foo.example.com-config.js;
    }

    #Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
    location ~ ^/([^/?&:'"]+)/(.*)$ {
        set $subdomain "$1.";
        set $subdir "$1/";
        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
    }

    # BOSH for subdomains
    location ~ ^/([^/?&:'"]+)/http-bind {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /http-bind;
    }

    # websockets for subdomains
    location ~ ^/([^/?&:'"]+)/xmpp-websocket {
        set $subdomain "$1.";
        set $subdir "$1/";
        set $prefix "$1";

        rewrite ^/(.*)$ /xmpp-websocket;
    }
}

1 Answer

Let's split the problem.

So I'd like to access it from my client computer (on the LAN) but bar.example.com/install.php automatically resolves via the DNS of example.com,

Well, assuming it's not a big deal, you could add bar.example.com to your hosts file (/etc/hosts in Linux).

So, in /etc/hosts (Linux) you could add the line:

192.168.1.69 bar.example.com www.bar.example.com

while http://192.168.1.69/install.php returns nothing

That's normal. To quote the documentation:

[...] NGINX tests only the request’s header field “Host” to determine which server the request should be routed to. If its value does not match any server name, or the request does not contain this header field at all, then NGINX will route the request to the default server for this port.

It's because you are coming with the IP instead of the server name.

https://192.168.1.69/install.php interprets "install.php" as a room name for jitsi-meet.

That's correct, as you:

  1. Are coming with the IP (as the Host: header?) and HTTPS.
  2. Did not declare an SSL/HTTPS directive in your bar.example.com configuration.
  3. Declared an SSL/HTTPS directive in foo.example.com.

NGINX will then try to guess what's best based on what it knows: in your case, your Jitsi instance.

So, I guess that your solution is to declare an A record for your bar.example.com domain and make it accessible, or declare it locally in the hosts files on all machines which have to access your server through bar.example.com.

For your HTTPS access, you should declare a new server { [...] } section which will describe the HTTPS access for bar.example.com.

Let us know if I missed something or if something is not clear.

Comment: You are a balm for my troubles and a salve for my worries. Changing /etc/hosts on my client computer allowed me to access the local version of the website, without having to add an A-record or anything. Thank you :) hope you have a lovely day. Commented Jun 12, 2020 at 14:59
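As an added example (not code from the question or the answer above), here is a small POSIX shell helper that does the two things the answer recommends: adds the hosts-file override idempotently, and checks which server block nginx routes a name to. It assumes the server address 192.168.1.69 from the question, that awk and curl are installed, and it takes the hosts file path as a parameter so it can be tried against a scratch copy rather than the real /etc/hosts. The probe_vhost helper uses curl's --resolve option, which pins a name to an address for a single request, so a virtual host can be tested by name before any DNS record or hosts entry exists.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Assumptions: the nginx box is 192.168.1.69 (from the question); awk and
# curl are installed; the hosts file path is passed explicitly so the helpers
# can be exercised on a scratch copy instead of the real /etc/hosts.

# hosts_has_name FILE NAME
# Exit 0 if NAME already appears as a hostname on a non-comment line of FILE.
# Fields are compared whole, so "bar.example.com" does not match a line that
# only maps "www.bar.example.com".
hosts_has_name() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == want) { found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# add_hosts_entry FILE IP NAME...
# Append the line the answer suggests ("IP NAME...") to FILE, unless one of
# the names is already mapped there; a stale override pointing at an old
# address is the usual reason a request still lands on the wrong server.
# Returns 0 when a line was added, 1 when the file was left untouched.
add_hosts_entry() {
    file=$1; ip=$2; shift 2
    for name in "$@"; do
        if hosts_has_name "$file" "$name"; then
            printf '%s is already mapped in %s; edit that line instead\n' "$name" "$file" >&2
            return 1
        fi
    done
    printf '%s %s\n' "$ip" "$*" >> "$file"
}

# probe_vhost SCHEME NAME PORT IP PATH
# Fetch PATH from virtual host NAME on IP:PORT without touching DNS or
# /etc/hosts: --resolve pins NAME to IP for this one request, so the request
# carries the right Host header and nginx selects the matching server block.
# Prints only the HTTP status code.
probe_vhost() {
    scheme=$1; name=$2; port=$3; ip=$4; path=$5
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --resolve "$name:$port:$ip" "$scheme://$name:$port$path"
}

# Offline demo on a scratch copy. On the real client (as root) the call is
#   add_hosts_entry /etc/hosts 192.168.1.69 bar.example.com www.bar.example.com
# and, with no hosts change at all, the two vhosts from the question can be
# probed with
#   probe_vhost http  bar.example.com 80   192.168.1.69 /install.php
#   probe_vhost https foo.example.com 4444 192.168.1.69 /
scratch=$(mktemp)
printf '127.0.0.1 localhost\n' > "$scratch"
add_hosts_entry "$scratch" 192.168.1.69 bar.example.com www.bar.example.com
cat "$scratch"
rm -f "$scratch"
```

Probing by IP instead of by name (or with a name no server block declares) shows the behaviour the answer quotes from the documentation: the request goes to the default server for that port. If name-less requests from the LAN or the internet should not be served by whichever block nginx happens to pick, add an explicit catch-all server block with default_server on each listen port that simply returns 444, so only requests carrying a declared Host name reach the applications.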
