Nginx on another server?

pvanthony · September 10, 2024, 4:30pm

Need advice on nginx server for erpnext.

Currently using erpnext on my office server. The install was done using the script from the following site.

All working.

It installs a nginx web server on the same server as erpnext.

Does the nginx web server need to be on the same machine as erpnext server?

We have a nginx web server on another server. This nginx server is already facing the internet and other sites are on it. Can we use this nginx server instead of the nginx server with the erpnext? So there is only one nginx server to erpnext.

What is the best practice for the nginx server for production erpnext?

pvanthony · October 11, 2024, 6:48pm

I notice a webserver running on port 8000.
Is this the gunicorn webserver?

Currently the webserver running on port 8000 is restricted to localhost.
Where is the config file to change so that it can be on another ip address?

brian_pond · October 11, 2024, 7:48pm

Yes, the default port for the Frappe web server is 8000.

(technically it’s only a ‘gunicorn’ web server if you’re running in production mode.
but the kinds of web server doesn’t matter much for this discussion)

To change the default port to something besides 8000, you edit your common_site_config.json file.

See the final key “webserver_port” in example below:

{
 "background_workers": 1,
 "db_host": "127.0.0.1",
 "db_port": 3313,
 "default_site": "testv15",
 "developer_mode": 1,
 "file_watcher_port": 6787,
 "frappe_user": "frappe",
 "gunicorn_workers": 17,
 "live_reload": true,
 "rebase_on_pull": false,
 "redis_cache": "redis://localhost:13000",
 "redis_queue": "redis://localhost:11000",
 "redis_socketio": "redis://localhost:13000",
 "restart_supervisor_on_update": false,
 "restart_systemd_on_update": false,
 "serve_default_site": true,
 "shallow_clone": true,
 "socketio_port": 9000,
 "use_redis_auth": false,
 "webserver_port": 8000
}

pvanthony · October 11, 2024, 8:19pm

Thank you for the reply and advice.

Tried it but it did not take effect.

Did more searching and found out that the following needed to be done.

bench setup supervisor
sudo supervisorctl reread
sudo supervisorctl update

After that the supervisor.conf is updated and it takes effect.

Here is the link.
https://discuss.frappe.io/t/how-to-increase-number-of-gunicorns-workers/13648/3

pvanthony · October 11, 2024, 8:21pm

Another note.

The gunicorn ip is fixed to 127.0.0.1.
If a change is needed, it can be done in the config/supervisor.conf

Peer · October 12, 2024, 1:14pm

This is for updating, but for setting up production, there is a linking step between the “setup supervisor” and what follows in the quote, e.g.:
https://frappeframework.com/docs/user/en/bench/guides/setup-production

If you used the script you cited above, chances are that you have set up the erpnext+nginx as a separate hardware and using it “bare metal” (but not necessarily so).

You didn’t say if the erpnext+nginx server is also facing the internet or if it serves only to an internal LAN segment.
The difference can have security implications.

If you want to use an existing nginx server facing the internet as a frontend for erpnext, the first question I’d ask is if you want (or need) to pass the traffic to and from erpnext mingled to the external traffic currently passing through your internet-facing existing nginx server (e.g. if you serve internal business units sitting at external places) or not.

With firewall and router rules in addition to adaptions of the nginx config you can probably achieve to have the traffic passing through one external-facing nginx server directed to the eprnext (then without nginx).
This changes the amount on the paths of traffic in your LAN, and it needs careful consideration of the security of the whole setup.
I’d prefer to not run internal traffic through an external-facing webserver if not needed, but rather separate them as much as possible – if possible.

When talking about “server” you mean “a server in a kubernetes setup” (more a virtual server than a dedicated hardware), then the whole picture will be different (and an existing kubernetes team would probably have little difficulties to integrate the whole setup), because the traffic flows can be handled and secured as needed, which is part of the whole kubernetes endeavor anyway.

ERPNext runs as a combo of different processes which work in conjunction and can be on one machine (virtual or not) or spread out over different servers. You can study this by examining the pwd and compose yaml files of

and there you can also find much more information (wiki of the repo) for different setups which can help you understand many more things and possibilities.

If you are more ambitious, you can also study how this works:

which refers to kubernetes setup.

pvanthony · October 14, 2024, 8:26am

Thank you very much for a detailed reply. I do appreciate it very much.
This is good. I also noticed that there was not enough detailed information about my case. Here goes my attempt to reply.

Thank you for the link to the documentation. Will read it in detail.

You are correct. It is like a “bare metal” installation, if I can use that word. Let me explain and please advice me.

This is an on-premise installation. What we have is a Debian 12 server with ‘no’ services running. Then we have multiple KVM virtual machines running different things like email server(ispconfig), file sharing(nextcloud), openvpn.

Only the ispconfig(email server) is facing the internet. The nginx in ispconfig is like a proxy web server. ISPconfig proxys to nextcloud and any new servers like erpnext. That’s the plan anyway with erpnext.

I was thinking if I turn off the nginx on the erpnext server and get the ispconfig nginx to do all the web serving. Tried it but the static files are not serving. Got the python stuff to work. Next option would be to copy the files into ispconfig but that would be complicated when updating/upgrading. Looking like the nginx need to be turned on erpnext server. Need advice.

The erpnext with nginx done by the script is on kvm which is on the local network and not facing the internet directly.

I need to pass the traffic through the ispconfig’s nginx. Unfortunately there are two other locations. So internet needs to access erpnext. I was thinking of restricting access using ip restriction in nginx. Or even use zerotier.

This was what I was trying to achieve but failed. As mentioned in the paras above. Especially without using a second nginx. Please advice.

I am running a local dns in my router. So I can route the erpnext domain name to the local ip address. Hope that will settle that.

Woooow! I am no where near kubernetes. I do not have that much of knowledge.
This is just a simple setup. All on premise. Trying to keep it simple. At least not too complex.

Noted. Just trying to get the nginx out. Maybe it might not be worth it. Better just leave the nginx running on erpnext. That is what it looks like now. Please advice.

pvanthony · October 14, 2024, 8:43am

“WARNING: We DO NOT recommend installing on bare metal servers. Recommend way of setting up production sites is using docker images. You can find instructions here: GitHub - frappe/frappe: Low code web framework for real world applications, in Python and Javascript”

Just read the above from the link shared in the above post.
https://frappeframework.com/docs/user/en/bench/guides/setup-production

Can docker handle custom apps? I am not familiar with docker.
I am old school.

brian_pond · October 14, 2024, 3:48pm

Yes, you can use Docker with custom apps.

Note the recommendation you quoted is just a recommendation. There’s nothing wrong with installing Frappe Apps on bare metal servers. I’ve been doing that successfully for almost 8 years, across dozens of installations. It’s fine. You just have to learn a bit more about the prerequisites and dependencies.

pvanthony · October 15, 2024, 10:40am

Phew! This is good news. I prefer bare metal installation for now. Or until I learn more about docker.

If you do not mind and if you have time, could you comment on the following post because I need advice on the points I have made. It would be really useful to hear your comments. @brian_pond

The post is,

brian_pond · October 15, 2024, 6:03pm

Yes, I believe it’s possible for ispconfig to be the main Nginx proxy. The challenge is for Nginx to serve static files, the files have to “exist” wherever Nginx is located.

Option 1

Mount the remote ERPNext directory '..frappe-bench/sites' on the ispconfig device.

There are a bunch of ways to do this (NFS, SSHFS, etc.). But the idea is you want the ispconfig machine to treat those ERPNext files as if they were local. If you do that, then the try_files directive in the Nginx configuration will actually work. You may have to make some other edits in Nginx (for example, root /frappe-bench/sites; probably has to be changed in your location block, so it’s pointing at the mounted directory.)

But hopefully you get the idea. Once ispconfig can “see” those static files, and treat them like any other local directory + file? Then Nginx can successfully serve them.

Option 2

I “believe” it’s possible for the main Nginx on ispconfig to have a location block for the static files that doesn’t actually try serving them…

…but instead forwards that request to the other Nginx server on the ERPNext host.

So you end up with a round robin:

Web browser wants a static file.
ispconfig Nginx recognizes this, and forwards the request to ERPNext Nginx.
ERPNext Nginx fetches the file from disk, and returns it.
ispconfig Nginx gets the response (the file) and returns that to the browser.
Browser now has the file and does whatever it’s supposed to with it.

This would require a bit of Nginx editing on ispconfig. But I think it’s possible to make it just forward those static file requests to the other Nginx service on ERPNext’s host.