NGINX Reverse Proxy, Part Four
Well, I've played around with this a little bit here and there over the past few days. Never really got to put more than a few minutes here and there to look at it. I tried to get subdirectories to work but did not get far. From my understanding the issue ends up being how the original web server and application handle linking their internal resources. If they aren't hard linked, the rewrite and redirect will not properly continue to pass them along to the proxy, resulting in broken links. I'm sure I can get this to work once I learn more about NGINX.
So I decided to add Bookstack to the proxy and ran into an oddity with it. It keeps passing the port back no matter what I do. I'm looking into where that could be coming from. After playing around for a while I figured out how to fix it.
Steps performed on BOOKSTACK-01
nano /var/www/bookstack/.env
- I changed APP_URL=
  from APP_URL=https://bookstack.domain.com:44313
  to APP_URL=https://bookstack.domain.com
- I changed
php artisan bookstack:update-url https://bookstack.domain.com:44313 https://bookstack.domain.com
php artisan cache:clear
And the NGINX config on NGINX-01:
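# Configuration for bookstack.domain.com
server {
    # "ssl" enables TLS on this socket; without it (and with no other
    # server block setting it on 443) NGINX would speak plain HTTP here.
    listen 443 ssl;
    server_name bookstack.domain.com;

    location / {
        # Pass the public host name through so Bookstack builds links without the backend port
        proxy_set_header Host $host;
        proxy_pass https://bookstack.domain.local;
        proxy_redirect off;
        proxy_http_version 1.1;
        # Give the backend the real client address and original scheme
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    ssl_certificate /etc/letsencrypt/live/fnkyhs.net-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/fnkyhs.net-0001/privkey.pem; # managed by Certbot
}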
So it looks like with it configured this way Bookstack will respond on 44313 if the reverse proxy goes down but I imagine it would ultimately fail with linkage. It's not something that is terribly relevant because NGINX should be stable and not go down.
Configure Fail2Ban
I'm going to throw Fail2Ban on here since the server is up and running at this point.
Steps performed on NGINX-01
sudo apt install fail2ban
sudo nano /etc/fail2ban/jail.local
[DEFAULT]
bantime = 100m
findtime = 5m
maxretry = 5
ignoreip = 10.10.10.XXX
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[nginx-http-auth]
enabled = true
port = http,https
logpath = %(nginx_error_log)s
I think that's how I need to have it configured on the reverse proxy.
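To show what the [nginx-http-auth] jail above reacts to, here is an added example (not the author's configuration and not Fail2Ban's own code) that replays the findtime/maxretry/bantime logic from that jail.local over NGINX error-log lines. The regex is a simplified stand-in for the real filter, and the log lines, client addresses and .htpasswd path are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the [DEFAULT] section of jail.local on this page.
FINDTIME, BANTIME, MAXRETRY = timedelta(minutes=5), timedelta(minutes=100), 5

# Simplified stand-in for the nginx-http-auth filter (assumption, not Fail2Ban's regex).
FAILREGEX = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] \d+#\d+: \*\d+ '
    r'user "[^"]*"(?:: password mismatch| was not found in "[^"]*"), '
    r'client: (?P<ip>[0-9a-fA-F.:]+),')

def find_bans(lines):
    """Return {ip: (banned_at, unban_at)} for IPs with MAXRETRY failures in FINDTIME."""
    recent, bans = defaultdict(deque), {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue  # e.g. upstream errors: not an auth failure
        ts, ip = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["ip"]
        if ip in bans and ts < bans[ip][1]:
            continue  # still banned
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:  # forget failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            bans[ip] = (ts, ts + BANTIME)
            window.clear()
    return bans

def sample_line(ts, ip, msg='user "admin": password mismatch'):
    """Build a constructed NGINX error.log line (sample data, not a real log)."""
    return (f'2024/05/01 {ts} [error] 1234#1234: *1 {msg}, client: {ip}, '
            'server: bookstack.domain.com, request: "GET / HTTP/1.1"')

# Constructed sample: a fast guesser, a slow guesser, and an unrelated upstream error.
NOT_FOUND = 'user "bob" was not found in "/etc/nginx/.htpasswd"'
UPSTREAM = "connect() failed (111: Connection refused) while connecting to upstream"
SAMPLE_LOG = (
    [sample_line(f"12:0{s // 60}:{s % 60:02d}", "203.0.113.7") for s in (0, 20, 40, 60, 80)]
    + [sample_line(f"12:{mins:02d}:00", "198.51.100.9", NOT_FOUND) for mins in (0, 3, 6, 9, 12)]
    + [sample_line("12:00:05", "192.0.2.44", UPSTREAM)]
)

if __name__ == "__main__":
    for ip, (start, end) in find_bans(SAMPLE_LOG).items():
        print(f"{ip} banned {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Only NGINX's own HTTP basic-auth failures are written to the error log in this form, so failed logins on Bookstack's login page behind the proxy are not counted by this jail.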
Nginx Reverse Proxy Manager
So funny story, when I was looking into recommendations for a reverse proxy, everyone kept recommending Nginx Reverse Proxy. So I installed Nginx and went to town. I didn't realize what they were recommending was the Nginx Reverse Proxy Manager. Not plain old Nginx. Nginx Reverse Proxy Manager has a nice web-based graphical interface that makes managing a reverse proxy super easy and straightforward. Doh!
Oh well. So I did it the hard way, that just means I got to learn more right? Right! Go me!