Putting Yarr RSS Reader Behind NGINX Reverse Proxy

A while ago I installed the minimalist RSS reader Yarr (Yet Another RSS Reader) here.

One of the things that appealed to me about Yarr is that you can tell Yarr to run at a specific port from the command line:

#!/bin/bash
/usr/local/bin/yarr/yarr -addr "<ip to bind to>:<port>" -auth <user name>:<user yarr pwd not their system pwd> > /var/log/yarr.log 2>&1

(as well as secure it with a password)

I wanted this because I hadn't set up any kind of reverse proxy yet. Well, now I have and it turned out to be a lot easier than I anticipated. I now host:

all from the same host behind NGINX. Also, a side benefit to NGINX is that if I create a blanket subdomain LetsEncrypt certificate, NGINX can use/apply that certificate to everything it reverse proxies. So yay, Yarr gets HTTPS for free! (Also handy: this solved the problem I had been having with WriteFreely not using my self-generated LetsEncrypt certificates; I could only get it to work with the ones it generates if you enable auto-certs.)

Here's my NGINX config file (mildly redacted). Created with some help from the very excellent Nginx Configuration Generator:

server
{
	listen 443 ssl;
	listen [::]:443 ssl;
	http2 on;
	server_name awadwatt.com www.awadwatt.com;

	# SSL
	ssl_certificate /etc/letsencrypt/live/awadwatt.com/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/awadwatt.com/privkey.pem; # managed by Certbot
	ssl_trusted_certificate /etc/letsencrypt/live/awadwatt.com/chain.pem;

	# security
	include nginxconfig.io/security.conf;

	# logging
	access_log /var/log/nginx/access.log combined buffer=512k flush=1m;
	error_log /var/log/nginx/error.log warn;

	# reverse proxy
	location /
	{
		proxy_pass http://127.0.0.1:7035;
		proxy_set_header Host $host;
		include nginxconfig.io/proxy.conf;
	}

	# additional config
	include nginxconfig.io/general.conf;


}

Basically each “service” that I'm running on a different port is mapped to a different subdomain server block that NGINX listens for and proxies to, with the access and error logs for each carved out into their own dedicated files.

server
{
	listen 443 ssl;
	listen [::]:443 ssl;
	http2 on;
	server_name jelly.awadwatt.com;
	ssl_certificate /etc/letsencrypt/live/awadwatt.com/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/awadwatt.com/privkey.pem; # managed by Certbot
	ssl_trusted_certificate /etc/letsencrypt/live/awadwatt.com/chain.pem;

	include nginxconfig.io/security.conf;
	access_log /var/log/nginx/jellyfin.access.log combined buffer=512k flush=1m;
	error_log /var/log/nginx/jellyfin.error.log warn;
	location /
	{
		proxy_pass http://127.0.0.1:8096;
		proxy_set_header Host $host;
		include nginxconfig.io/proxy.conf;
	}
	include nginxconfig.io/general.conf;
}


server
{
	listen 443 ssl;
	listen [::]:443 ssl;
	http2 on;
	server_name navi.awadwatt.com;
	ssl_certificate /etc/letsencrypt/live/awadwatt.com/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/awadwatt.com/privkey.pem; # managed by Certbot
	ssl_trusted_certificate /etc/letsencrypt/live/awadwatt.com/chain.pem;

	include nginxconfig.io/security.conf;
	access_log /var/log/nginx/navi.access.log combined buffer=512k flush=1m;
	error_log /var/log/nginx/navi.error.log warn;
	location /
	{
		proxy_pass http://127.0.0.1:4533;
		proxy_set_header Host $host;
		include nginxconfig.io/proxy.conf;
	}
	include nginxconfig.io/general.conf;
}


server
{
	listen 443 ssl;
	listen [::]:443 ssl;
	http2 on;
	server_name yarr.awadwatt.com;
	ssl_certificate /etc/letsencrypt/live/awadwatt.com/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/awadwatt.com/privkey.pem; # managed by Certbot
	ssl_trusted_certificate /etc/letsencrypt/live/awadwatt.com/chain.pem;

	include nginxconfig.io/security.conf;
	access_log /var/log/nginx/yarr.access.log combined buffer=512k flush=1m;
	error_log /var/log/nginx/yarr.error.log warn;
	location /
	{
		proxy_pass http://famine:5000;
		proxy_set_header Host $host;
		include nginxconfig.io/proxy.conf;
	}
	include nginxconfig.io/general.conf;
}

And this bit just permanently redirects insecure HTTP port 80 traffic to the secure HTTPS mappings above.

# HTTP redirect
server
{
	if ($host = www.awadwatt.com)
	{
		return 301 https://$host$request_uri;
	} # managed by Certbot

	if ($host = jelly.awadwatt.com)
	{
		return 301 https://$host$request_uri;
	}

	if ($host = navi.awadwatt.com)
	{
		return 301 https://$host$request_uri;
	}

	if ($host = yarr.awadwatt.com)
	{
		return 301 https://$host$request_uri;
	}

	if ($host = awadwatt.com)
	{
		return 301 https://$host$request_uri;
	} # managed by Certbot

	listen 80;
	listen [::]:80;
	server_name awadwatt.com www.awadwatt.com lists.awadwatt.com jelly.awadwatt.com navi.awadwatt.com yarr.awadwatt.com;
	#include     nginxconfig.io/letsencrypt.conf;

	location /
	{
		return 301 https://awadwatt.com$request_uri;
	}


}
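
A small lint for two easy-to-miss problems in per-service reverse-proxy configs like these, added here as an example and not part of the original post: a `server_name` entry containing a comma (NGINX separates names with spaces, so the comma becomes part of the name), and a plain-HTTP `proxy_pass` whose upstream is not a literal loopback address, where the login would travel unencrypted between NGINX and the backend. The `SAMPLE` config is constructed, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample, condensed from server blocks of the kind shown above.
SAMPLE = """
server {
    listen 443 ssl;
    server_name awadwatt.com, www.awadwatt.com;
    location / { proxy_pass http://127.0.0.1:7035; }
}
server {
    listen 443 ssl;
    server_name yarr.awadwatt.com;
    location / { proxy_pass http://famine:5000; }
}
"""

def is_loopback(host):
    """True only for literal loopback addresses or 'localhost'."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # a hostname: where it resolves is unknown here

def lint(config):
    """Return (directive, value, reason) findings for an NGINX config string."""
    findings = []
    for names in re.findall(r"^\s*server_name\s+([^;]+);", config, re.M):
        for name in names.split():
            if "," in name:
                findings.append(("server_name", name,
                                 "comma is part of the name; separate names with spaces"))
    for scheme, host in re.findall(r"proxy_pass\s+(https?)://(\[[^\]]+\]|[^:/;\s]+)", config):
        if scheme == "http" and not is_loopback(host):
            findings.append(("proxy_pass", host,
                             "plain-HTTP upstream is not a literal loopback address"))
    return findings

if __name__ == "__main__":
    for directive, value, reason in lint(SAMPLE):
        print(f"{directive}: {value!r}: {reason}")
```

A hostname upstream is flagged for review rather than judged: check what it resolves to and what address the backend's `-addr` binds.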

Also shoutout to the NGINX config file Beautifier for making it look purty.

Changelog:

2024-04-18 – initial

follow –> AT tezoatlipoca AT mas.to, or AT tezoatlipoca AT awadwatt.com to follow this blorg directly on the Fediverse.