Skip to main content

Nginx — LAN access by IP (port 80, then 443)

Expose dwd-api-fastapi on the server’s LAN IP at port 80 for testing before server room cutover (subdomain + production SSL).

Prerequisite: API container running and healthy on 127.0.0.1:800110-deploy-dwd-api-fastapi-server.md.

What this does

Browser / curl  →  http://<server-lan-ip>/health
→ Nginx :80 (all interfaces)
→ 127.0.0.1:8001 (Docker, localhost only)

Uses default_server and server_name _ so any LAN IP (Ethernet or Wi‑Fi) works without DNS.

Production later: replace with subdomain server_name + SSL — 04-nginx-reverse-proxy.md.


Step 1 — Confirm API is up (localhost)

On msi-laptop-3:

curl -s http://127.0.0.1:8001/health

Step 2 — Note server LAN IPs

ip -4 addr show enp58s0 | grep inet
ip -4 addr show wlo1 | grep inet

Use whichever IP your workstation can reach (often Ethernet during bench setup).


Step 3 — Install site config

Template: templates/nginx/dwd-api-fastapi-lan.conf

Option A — copy from admin docs on workstation (scp), or Option B — create on server:

sudo tee /etc/nginx/sites-available/dwd-api-fastapi > /dev/null << 'EOF'
upstream dwd_api_fastapi_backend {
server 127.0.0.1:8001;
keepalive 32;
}

server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;

location / {
proxy_pass http://dwd_api_fastapi_backend;
proxy_http_version 1.1;

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

proxy_read_timeout 300s;
proxy_send_timeout 300s;

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
EOF

Step 4 — Enable site; disable default page

Ubuntu’s default site also listens on port 80 and will conflict.

sudo ln -sf /etc/nginx/sites-available/dwd-api-fastapi \
/etc/nginx/sites-enabled/dwd-api-fastapi

sudo rm -f /etc/nginx/sites-enabled/default

sudo nginx -t
sudo systemctl reload nginx

If nginx -t fails, read the error — often a typo or duplicate default_server.


Step 5 — Verify

On the server:

curl -s http://127.0.0.1/health
curl -s -o /dev/null -w "%{http_code}\n" http://127.0.0.1/docs

From your Windows workstation (replace IP):

curl http://192.168.x.x/health
# or open in browser:
# http://192.168.x.x/docs

Confirm Nginx is listening on all interfaces (expected for LAN test):

sudo ss -tlnp | grep ':80'

Port 8001 should still be 127.0.0.1 only:

sudo ss -tlnp | grep 8001

Step 6 — HTTPS later (same file)

When cert files are available, edit /etc/nginx/sites-available/dwd-api-fastapi:

  1. Uncomment the listen 443 ssl server block in templates/nginx/dwd-api-fastapi-lan.conf.
  2. Set ssl_certificate and ssl_certificate_key paths.
  3. sudo nginx -t && sudo systemctl reload nginx.
  4. Test: curl -k https://192.168.x.x/health (or with valid cert, no -k).
  5. Optionally uncomment the HTTP→HTTPS redirect block.

Record cert paths:

ItemPath
Full chainTBD
Private keyTBD

Server room cutover

When moving to public static IP + subdomain:

  1. New site file (or edit) with server_name dwd-api.example.com; — not default_server / _.
  2. SSL on 443 for that hostname.
  3. UFW: allow 80/443 on Ethernet only09-wifi-and-ssh-network-setup.md.
  4. DNS A record → static IP.

Keep LAN config as reference or remove default_server to avoid catching production traffic unintentionally.


Troubleshooting

SymptomFix
Ubuntu default pagesudo rm /etc/nginx/sites-enabled/default and reload
502 Bad GatewayAPI down — curl http://127.0.0.1:8001/health; docker compose ps
Connection refused on :80sudo systemctl status nginx; sudo nginx -t
Works on server, not from PCWrong IP, different subnet, or Windows firewall
duplicate default_serverOnly one site may use default_server on port 80

Checklist

  • curl http://127.0.0.1:8001/health OK
  • Site in sites-enabled; default site removed
  • nginx -t passes
  • curl http://127.0.0.1/health OK on server
  • http://<lan-ip>/health OK from workstation
  • http://<lan-ip>/docs loads Swagger UI