Help request: adjusting the configuration for deploying a Docker-run Rancher application behind an Nginx reverse proxy
Adjusting Nginx Configuration for Rancher Reverse Proxy
Your current Nginx config is a solid starting point, but it’s missing critical settings to support Rancher’s WebSocket-dependent features (like real-time UI updates and cluster management). Here’s the refined configuration with key improvements tailored for Rancher:
```nginx
# Define the upstream Rancher server (update this to match your Rancher container's exposed address)
upstream backendrancher {
    server domain.com:8072;  # Confirm this points to your Rancher instance's IP/port
    keepalive 64;            # Reuse connections for better performance
}

# Optional: Redirect HTTP traffic to HTTPS (strongly recommended for Rancher)
server {
    listen 80;
    server_name your-external-domain.com;  # Replace with your actual public domain
    return 301 https://$server_name$request_uri;
}

# HTTPS server block (required for secure Rancher operation)
server {
    listen 443 ssl http2;
    server_name your-external-domain.com;  # Match your public domain

    # SSL certificate configuration (update paths to your cert files)
    ssl_certificate /path/to/your/fullchain.crt;
    ssl_certificate_key /path/to/your/private.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location /rancher {
        # Strip the /rancher prefix; the optional slash keeps /rancher/foo
        # from being forwarded as //foo
        rewrite ^/rancher/?(.*)$ /$1 break;
        proxy_pass http://backendrancher;

        # Critical for WebSocket support (Rancher relies on this for real-time features)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Forward headers so Rancher can detect the external URL and client details
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;

        # Disable caching/buffering for dynamic Rancher content
        proxy_cache off;
        proxy_buffering off;

        # Logging (ensure the directory exists before reloading Nginx)
        # timed_combined is a custom format; it must be defined with log_format in the http block
        access_log /var/log/nginx/rancher/access.log timed_combined;
        error_log /var/log/nginx/rancher/error.log warn;  # Use warn instead of debug for production
    }
}
```
Key Changes Explained:
- WebSocket Support: Added `proxy_http_version 1.1` and the `Upgrade`/`Connection` headers to handle real-time communication between the Rancher UI and backend—this is non-negotiable for features like live cluster status updates.
- SSL Enforcement: Included a full HTTPS setup (Rancher requires HTTPS for secure authentication and cluster management). If you don’t have SSL certs, use Let’s Encrypt for free, trusted certificates.
- Persistent Connections: The `keepalive 64` line in the upstream block reuses connections, reducing latency for repeated requests to Rancher.
- Header Improvements: Added `X-Forwarded-Host` to ensure Rancher generates correct URLs for its UI and API endpoints.
- Performance Tweaks: Disabled `proxy_buffering` to prevent delays in real-time data transmission.
- Logging Adjustment: Switched the error log level from `debug` to `warn`—debug logs are overly verbose and not suitable for production environments.
Additional Steps to Complete Setup:
- Update Rancher Container Config: When starting your Rancher container, specify its external URL so it generates correct links. For example:

  ```bash
  docker run -d --restart=unless-stopped -p 8072:80 -p 8073:443 rancher/rancher:latest --set hostname=https://your-external-domain.com/rancher
  ```
- Prepare Log Directory: Create the Rancher log folder if it doesn’t exist:

  ```bash
  mkdir -p /var/log/nginx/rancher && chown nginx:nginx /var/log/nginx/rancher
  ```
- Test and Reload Nginx: Validate your config with `nginx -t`, then apply changes with `systemctl reload nginx`.
The question comes from Stack Exchange; asked by Hidayath




