ZNC on a subdomain with Nginx reverse proxy?

I access ZNC on my VPS through http://www.example.net:6667 currently, but I'm trying to configure Nginx so it can only be accessed through http://znc.example.net instead.

I followed the instructions on the official ZNC wiki, but despite many hours trying different things, I continue to get Firefox's "Server not found" error.

A server block within /etc/nginx/sites-available/example.net is as follows:

server {
    listen 80;
    server_name znc.example.net;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:6667/;
    }
}

I also have TrustedProxy = 127.0.0.1 in my ~/.znc/configs/znc.conf file, so where am I going wrong? Thanks.

will asked Jan 08 '23 00:01


1 Answer

I've been battling this issue myself and it's so frustrating! But I figured out a solution and it's working for me now, let me know what you think...

HIGH LEVEL

1. split the listener sections between AllowWeb and AllowIRC
2. disable SSL termination on web listener, enable SSL on irc listener
3. configure web listener for localhost
4. remove 'Host =' for IRC listener (bind to all interfaces)
5. configure nginx to forward ssl to your localhost web interface

DETAILS

1. split the listener sections between AllowWeb and AllowIRC

This was the biggest move for me, and after combing through a number of blog posts + znc config docs I noticed that all nginx config settings referred only to the web interface. Splitting these into two listeners for distinct purposes decouples the portion that nginx handles, while leaving the other entry guarded by znc ssl. I've added the snippet from my znc.conf below:

// WARNING
//
// Do NOT edit this file while ZNC is running!
// Use webadmin or *controlpanel instead.
//
// Altering this file by hand will forfeit all support.
//
// But if you feel risky, you might want to read help on /znc saveconfig and /znc rehash.
// Also check http://en.znc.in/wiki/Configuration

AnonIPLimit = 10
ConnectDelay = 5
HideVersion = false
LoadModule = webadmin
MaxBufferSize = 500
PidFile = /var/run/znc/znc.pid
ProtectWebSessions = true
SSLCertFile = /var/lib/znc/znc.pem
SSLCiphers = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocols = -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2
ServerThrottle = 30
Skin = dark-clouds
StatusPrefix = *
Version = 1.6.5

<Listener listener0>
    AllowIRC = false
    AllowWeb = true
    Host = localhost
    IPv4 = true
    IPv6 = false
    Port = 8080
    SSL = false
    URIPrefix = /
</Listener>

<Listener listener1>
    AllowIRC = true
    AllowWeb = false
    IPv4 = true
    IPv6 = false
    Port = 9191
    SSL = true
    URIPrefix = /
</Listener>
...

The rest is pretty much the standard options when defining a user and adding channels.

2. disable SSL termination on web listener, enable SSL on irc listener
3. configure web listener for localhost
4. remove 'Host =' for IRC listener (bind to all interfaces)

Force the web interface to be routable only to localhost given that it's not protected by ssl. The nginx proxy will terminate ssl sessions on your behalf (I'm using letsencrypt) and route connections through proxy_pass to your localhost listener. The irc connections will bind directly to your irc listener where ssl is turned on and leverages the znc.pem you defined earlier. These instructions are useful to define znc.pem and in this case I added my dhparam.pem as well (essential!).

5. configure nginx to forward ssl to your localhost web interface

This is where your example from above is pretty much on-point. I've posted mine as reference but they're pretty much the same.

server {
    listen      443 ssl http2;
    server_name irc.example.com;
    access_log  /var/log/nginx/irc.log combined;

    ssl_certificate     /etc/letsencrypt/live/irc.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/irc.example.com/privkey.pem;
    ssl_dhparam         /etc/letsencrypt/live/irc.example.com/dhparam.pem;

    location /.well-known {
        alias /var/www/irc/.well-known;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header      Host             $host;
        proxy_set_header      X-Real-IP        $remote_addr;
        proxy_set_header      X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header      X-Client-Verify  SUCCESS;
        proxy_set_header      X-Client-DN      $ssl_client_s_dn;
        proxy_set_header      X-SSL-Subject    $ssl_client_s_dn;
        proxy_set_header      X-SSL-Issuer     $ssl_client_i_dn;
        proxy_read_timeout    1800;
        proxy_connect_timeout 1800;
    }
}

GOOD LUCK!

sebito91 answered Jan 20 '23 10:01
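An added check, written for this page and not part of the question or of sebito91's answer: a small Python script that parses ZNC <Listener> blocks in the format shown in the answer and flags the two conditions the answer's steps address, a single listener serving both web and IRC (step 1) and a plaintext web listener that is not bound to loopback (steps 2 and 3), then confirms that nginx's proxy_pass port actually points at a web-enabled listener (step 5). The sample znc.conf fragment and nginx location block are constructed for the example; the script assumes that ZNC treats a missing AllowWeb or AllowIRC as true and a missing Host as "all interfaces".

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the answer's listener blocks (not a real deployment).
SAMPLE_ZNC_CONF = """\
<Listener listener0>
    AllowIRC = false
    AllowWeb = true
    Host = localhost
    Port = 8080
    SSL = false
    URIPrefix = /
</Listener>

<Listener listener1>
    AllowIRC = true
    AllowWeb = false
    Port = 9191
    SSL = true
    URIPrefix = /
</Listener>
"""

# Constructed nginx location block in the shape of the answer's server block.
SAMPLE_NGINX = """
location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $host;
}
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _is_true(value: Optional[str], default: bool) -> bool:
    """Parse a ZNC boolean; a missing key falls back to the caller's default."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def parse_listeners(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Extract <Listener name> ... </Listener> blocks into {name: {key: value}}."""
    listeners: Dict[str, Dict[str, str]] = {}
    block_re = re.compile(r"<Listener\s+(\S+)>(.*?)</Listener>", re.S)
    for name, body in block_re.findall(conf_text):
        settings: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("//") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
        listeners[name] = settings
    return listeners


def audit_listeners(listeners: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag combined web+IRC listeners and plaintext web listeners exposed beyond loopback."""
    findings: List[str] = []
    for name, s in listeners.items():
        # Assumption: ZNC defaults AllowWeb/AllowIRC to true and SSL to false when omitted.
        web = _is_true(s.get("AllowWeb"), True)
        irc = _is_true(s.get("AllowIRC"), True)
        ssl = _is_true(s.get("SSL"), False)
        host = s.get("Host", "")  # empty Host means bind to all interfaces
        if web and irc:
            findings.append(f"{name}: combined web+IRC listener; split it so nginx proxies only the web side")
        if web and not ssl and host not in LOOPBACK_HOSTS:
            where = host or "all interfaces"
            findings.append(f"{name}: plaintext web listener on {where}; bind it to localhost behind the proxy")
    return findings


def proxy_pass_port(nginx_text: str) -> Optional[int]:
    """Port of the first proxy_pass that targets loopback, or None if there is none."""
    m = re.search(r"proxy_pass\s+https?://(?:127\.0\.0\.1|localhost)(?::(\d+))?", nginx_text)
    if not m:
        return None
    return int(m.group(1) or 80)


def web_listener_for_proxy(listeners: Dict[str, Dict[str, str]], nginx_text: str) -> Optional[str]:
    """Name of the web-enabled listener whose Port matches nginx's proxy_pass, or None."""
    port = proxy_pass_port(nginx_text)
    for name, s in listeners.items():
        if _is_true(s.get("AllowWeb"), True) and s.get("Port") == str(port):
            return name
    return None


def run_audit(conf_text: str, nginx_text: str) -> List[str]:
    """Run both checks and return the combined list of findings (empty means all good)."""
    listeners = parse_listeners(conf_text)
    findings = audit_listeners(listeners)
    if web_listener_for_proxy(listeners, nginx_text) is None:
        findings.append("nginx proxy_pass port does not match any AllowWeb listener")
    return findings


if __name__ == "__main__":
    for finding in run_audit(SAMPLE_ZNC_CONF, SAMPLE_NGINX) or ["no findings"]:
        print(finding)
```

Run it against the real files by reading ~/.znc/configs/znc.conf and the nginx site file into the two arguments of run_audit; the sample pair above produces no findings, while a single listener on port 6667 with no Host and SSL off, as in the question's original setup, produces all three.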