<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://wiki.wilsoz.com/index.php?action=history&amp;feed=atom&amp;title=Services%2FVpsNginx</id>
	<title>Services/VpsNginx - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.wilsoz.com/index.php?action=history&amp;feed=atom&amp;title=Services%2FVpsNginx"/>
	<link rel="alternate" type="text/html" href="https://wiki.wilsoz.com/index.php?title=Services/VpsNginx&amp;action=history"/>
	<updated>2026-07-06T06:59:21Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.43.9</generator>
	<entry>
		<id>https://wiki.wilsoz.com/index.php?title=Services/VpsNginx&amp;diff=17&amp;oldid=prev</id>
		<title>Wikibot: Migrated from services/VPS-NGINX.md</title>
		<link rel="alternate" type="text/html" href="https://wiki.wilsoz.com/index.php?title=Services/VpsNginx&amp;diff=17&amp;oldid=prev"/>
		<updated>2026-07-05T18:16:22Z</updated>

		<summary type="html">&lt;p&gt;Migrated from services/VPS-NGINX.md&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;As of: 2026-07-05 — migrated from `services/VPS-NGINX.md`&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
= VPS nginx — vhost management scripts =&lt;br /&gt;
&lt;br /&gt;
Reference for the RackNerd VPS (100.67.169.50, public-facing) that reverse-proxies every &amp;lt;code&amp;gt;*.wilsoz.com&amp;lt;/code&amp;gt; subdomain back to stronghold over Tailscale (100.64.207.155). Read this before hand-writing an nginx vhost — as of 2026-07-05 there are scripts that do the whole thing in one command.&lt;br /&gt;
&lt;br /&gt;
== Scripts (on the VPS, &amp;lt;code&amp;gt;/home/mnw/&amp;lt;/code&amp;gt;) ==&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Script&lt;br /&gt;
! Purpose&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;code&amp;gt;add-vhost.sh&amp;lt;/code&amp;gt;&lt;br /&gt;
| Create a vhost, symlink it, get a cert, add security headers, reload, verify — one command&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;code&amp;gt;remove-vhost.sh&amp;lt;/code&amp;gt;&lt;br /&gt;
| Tear a vhost down: remove symlink, delete/revoke cert, delete vhost file, reload&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;code&amp;gt;VHOST-HOWTO.md&amp;lt;/code&amp;gt;&lt;br /&gt;
| Full usage doc, lives alongside the scripts on the VPS&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Add a site ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
sudo /home/mnw/add-vhost.sh &amp;lt;domain&amp;gt; &amp;lt;tailscale-ip:port&amp;gt;&lt;br /&gt;
# Example:&lt;br /&gt;
sudo /home/mnw/add-vhost.sh wiki.wilsoz.com 100.64.207.155:9926&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Does, in order: writes &amp;lt;code&amp;gt;/etc/nginx/sites-available/&amp;lt;domain&amp;gt;&amp;lt;/code&amp;gt; with a plain HTTP proxy block → symlinks into &amp;lt;code&amp;gt;sites-enabled/&amp;lt;/code&amp;gt; → &amp;lt;code&amp;gt;nginx -t&amp;lt;/code&amp;gt; + reload → &amp;lt;code&amp;gt;certbot --nginx -d &amp;lt;domain&amp;gt;&amp;lt;/code&amp;gt; (Cloudflare DNS-01, rewrites the file with the SSL block + 80→443 redirect, same as every other cert on this VPS) → injects &amp;lt;code&amp;gt;include /etc/nginx/snippets/security-headers.conf;&amp;lt;/code&amp;gt; right after certbot&amp;#039;s &amp;lt;code&amp;gt;options-ssl-nginx.conf&amp;lt;/code&amp;gt; line → final &amp;lt;code&amp;gt;nginx -t&amp;lt;/code&amp;gt; + reload → &amp;lt;code&amp;gt;curl&amp;lt;/code&amp;gt; status check.&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Prerequisites before running:&amp;#039;&amp;#039;&amp;#039; DNS A record for the domain already pointing at the VPS (100.67.169.50); the backend already up and reachable on stronghold at the given port. WebSocket backends need &amp;lt;code&amp;gt;proxy_http_version 1.1&amp;lt;/code&amp;gt; + &amp;lt;code&amp;gt;Upgrade&amp;lt;/code&amp;gt;/&amp;lt;code&amp;gt;Connection&amp;lt;/code&amp;gt; headers added manually afterward — the script doesn&amp;#039;t detect that case.&lt;br /&gt;
&lt;br /&gt;
=== Remove a site ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
sudo /home/mnw/remove-vhost.sh &amp;lt;domain&amp;gt;&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Shows you the backend it&amp;#039;s about to remove, asks whether to &amp;#039;&amp;#039;&amp;#039;revoke&amp;#039;&amp;#039;&amp;#039; the cert (&amp;lt;code&amp;gt;y&amp;lt;/code&amp;gt; = revoke + delete, use when the domain is gone for good; default &amp;lt;code&amp;gt;N&amp;lt;/code&amp;gt; = delete locally only, use when just moving/rebuilding), removes the &amp;lt;code&amp;gt;sites-enabled&amp;lt;/code&amp;gt; symlink, deletes the vhost file, tests + reloads nginx.&lt;br /&gt;
&lt;br /&gt;
== Server topology ==&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Thing&lt;br /&gt;
! Value&lt;br /&gt;
|-&lt;br /&gt;
| Public VPS&lt;br /&gt;
| 100.67.169.50 (RackNerd)&lt;br /&gt;
|-&lt;br /&gt;
| Home server (stronghold)&lt;br /&gt;
| 100.64.207.155 (Tailscale)&lt;br /&gt;
|-&lt;br /&gt;
| Backend ports (examples)&lt;br /&gt;
| 9925 = Mealie, 9926 = MediaWiki&lt;br /&gt;
|-&lt;br /&gt;
| Cert method&lt;br /&gt;
| Let&amp;#039;s Encrypt via certbot + Cloudflare DNS-01 (same plugin as &amp;lt;code&amp;gt;mymail.wilsoz.com&amp;lt;/code&amp;gt;, see CLAUDE.md)&lt;br /&gt;
|-&lt;br /&gt;
| HSTS&lt;br /&gt;
| &amp;lt;code&amp;gt;max-age=300&amp;lt;/code&amp;gt; — staged rollout, expect this to increase over time&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== Known nginx warnings (harmless, pre-existing) ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;nginx -t&amp;lt;/code&amp;gt; shows an &amp;lt;code&amp;gt;ssl_protocols&amp;lt;/code&amp;gt; redefinition warning for &amp;lt;code&amp;gt;pages.git.wilsoz.com&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;photos.wilsoz.com&amp;lt;/code&amp;gt;, and will show the same for any vhost combining &amp;lt;code&amp;gt;options-ssl-nginx.conf&amp;lt;/code&amp;gt; (certbot) with &amp;lt;code&amp;gt;security-headers.conf&amp;lt;/code&amp;gt;. Cosmetic only — config still loads and serves correctly.&lt;br /&gt;
&lt;br /&gt;
== Gotcha ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;add-vhost.sh&amp;lt;/code&amp;gt; aborts rather than overwriting if the vhost file already exists — safe to run repeatedly/accidentally, but means you must &amp;lt;code&amp;gt;remove-vhost.sh&amp;lt;/code&amp;gt; first (or hand-edit) to change an existing site&amp;#039;s backend port.&lt;/div&gt;</summary>
		<author><name>Wikibot</name></author>
	</entry>
</feed>