| Host | IP | Role | Location |
|---|---|---|---|
| prod-web01 | 192.168.9.160 | OpenResty primary | ESXi esxi-04 |
| prod-web02 | 192.168.8.111 | OpenResty secondary | Proxmox bm02 (VMID 111, named "DG-Kafka-01" — wrong) |
SSH: manojm / manojM@1289 on both. web02 sudo: echo Manojm@1289 | sudo -S <cmd> (capital M)
- Version: 1.29.2.3
- Config base: `/usr/local/openresty/nginx/conf/`
- Vhosts: `/usr/local/openresty/nginx/conf/sites/*.conf`

⚠️ CRITICAL: `/etc/nginx/sites-enabled/` is NOT loaded. Only the `sites/` dir above is read. Don't put configs in `/etc/nginx/`.
```bash
# 1. Create config on web01 (replace <domain>, BACKEND_IP and PORT)
cat > /usr/local/openresty/nginx/conf/sites/<domain>.conf << 'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name <domain>;
    include snippets/acme_challenge.conf;
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name <domain>;
    ssl_certificate     /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
    include snippets/ssl_common.conf;
    include snippets/acme_challenge.conf;
    location / {
        proxy_pass http://BACKEND_IP:PORT;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF

# 2. Get SSL cert
certbot certonly --webroot --webroot-path /var/www/acme -d <domain> --non-interactive --agree-tos -m mnjkumar426@gmail.com

# 3. Test and reload
/usr/local/openresty/bin/openresty -t && /usr/local/openresty/bin/openresty -s reload

# 4. Copy config + certs to web02 and reload there
```
| Backend type | proxy_pass | Notes |
|---|---|---|
| Direct VM/service | `http://192.168.x.x:PORT` | Simple direct proxy |
| k3s Traefik (HTTP) | `http://192.168.9.92:80` | Must set `proxy_set_header Host <domain>` |
| k3s Traefik (HTTPS) | `https://192.168.9.92:32443` | Some older vhosts use this |
| Snippet | Purpose |
|---|---|
| `snippets/acme_challenge.conf` | Let's Encrypt webroot challenge |
| `snippets/ssl_common.conf` | TLS 1.2/1.3, session cache |
| `snippets/proxy_websocket.conf` | WebSocket + all proxy headers (use with care — overrides inherited headers) |
| `snippets/proxy_buffers_large.conf` | Large response buffering |
| `snippets/proxy_timeout_long.conf` | Long timeouts for slow backends |
```bash
# Issue cert (on web01)
certbot certonly --webroot --webroot-path /var/www/acme -d <domain> --non-interactive --agree-tos -m mnjkumar426@gmail.com

# Sync certs to web02 (copy /etc/letsencrypt/live/<domain> + /etc/letsencrypt/archive/<domain>)
# Must copy archive/ too — live/ only has symlinks
# Auto-renewal hook: /etc/letsencrypt/renewal-hooks/deploy/sync-to-web02.sh
```
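Step 4 of the vhost procedure ("copy config + certs to web02 and reload") and the renewal deploy hook named above are the same operation. The script below is an added example of what such a hook can look like; it is not the `sync-to-web02.sh` currently on web01. It assumes key-based SSH from web01 to `manojm@192.168.8.111`, a sudoers rule on web02 that lets `manojm` run `rsync` and `openresty` without a password, and `rsync` and `openssl` on both hosts (none of which the runbook states). `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks; the script copies `live/`, `archive/` and `renewal/` together (live/ only holds symlinks), the matching `sites/<domain>.conf` if present, reloads OpenResty on web02 after a config test, and finally checks that web02 is serving the same leaf certificate web01 holds on disk.

```shell
#!/bin/sh
# sync-to-web02.sh (added example, not the script on web01): certbot deploy hook that
# copies a renewed lineage plus its vhost to web02, reloads OpenResty there, and
# verifies the served certificate. Assumptions: key-based SSH to WEB02, passwordless
# sudo on web02 for rsync/openresty, rsync and openssl installed on both hosts.
set -u

WEB02="${WEB02:-manojm@192.168.8.111}"           # assumed SSH target for web02
WEB02_IP="${WEB02_IP:-192.168.8.111}"
LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"
SITES_DIR="${SITES_DIR:-/usr/local/openresty/nginx/conf/sites}"
OPENRESTY="/usr/local/openresty/bin/openresty"

# Take the lineage directory name from RENEWED_LINEAGE and refuse anything that is not a
# plain hostname, so a malformed name can never become "../" traversal in the rsync below.
lineage_name() {
    name=$(basename "$1")
    case "$name" in
        ''|.*|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# The three pieces that must travel together: live/ only holds symlinks into archive/,
# and renewal/<domain>.conf is the lineage's certbot config.
sync_paths() {
    printf '%s\n' "$LE_ROOT/live/$1" "$LE_ROOT/archive/$1" "$LE_ROOT/renewal/$1.conf"
}

# Copy certs (and the vhost if web01 has one) to web02 with paths preserved (--relative),
# running rsync as root on the far side.
sync_to_web02() {
    name="$1"
    set -- $(sync_paths "$name")
    [ -f "$SITES_DIR/$name.conf" ] && set -- "$@" "$SITES_DIR/$name.conf"
    rsync -a --relative --rsync-path='sudo rsync' "$@" "$WEB02":/
}

# Reload only if the config on web02 passes the syntax/cert check.
reload_web02() {
    ssh "$WEB02" "sudo $OPENRESTY -t && sudo $OPENRESTY -s reload"
}

# SHA-256 fingerprint of the leaf cert web01 holds on disk.
local_fingerprint() {
    openssl x509 -in "$LE_ROOT/live/$1/cert.pem" -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the leaf cert web02 actually serves for this name (SNI).
served_fingerprint() {
    openssl s_client -connect "$WEB02_IP:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Entry point: runs only when certbot (or an operator) provides RENEWED_LINEAGE,
# e.g.  RENEWED_LINEAGE=/etc/letsencrypt/live/<domain> sh sync-to-web02.sh
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    name=$(lineage_name "$RENEWED_LINEAGE") || { echo "refusing lineage: $RENEWED_LINEAGE" >&2; exit 1; }
    sync_to_web02 "$name" || exit 1
    reload_web02 || exit 1
    if [ "$(local_fingerprint "$name")" = "$(served_fingerprint "$name")" ]; then
        echo "web02 serves the renewed cert for $name"
    else
        echo "MISMATCH: web02 is not serving the renewed cert for $name" >&2
        exit 1
    fi
fi
```

The fingerprint comparison is the check worth keeping even if the copy mechanism changes: a successful rsync and reload do not prove the new chain is what clients get from web02, and a stale `archive/` or an unreloaded worker shows up here rather than at expiry.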
# web01 (via bm02 jump)
sshpass -p 'JohnIsTheBest1980!' ssh root@192.168.9.81 "sshpass -p 'manojM@1289' ssh manojm@192.168.9.160 'cmd'"
# web02 (via bm02 jump)
sshpass -p 'JohnIsTheBest1980!' ssh root@192.168.9.81 "sshpass -p 'Manojm@1289' ssh manojm@192.168.8.111 'cmd'"