I am on the free plan and created my 2nd reserved share. The first has been working well. On my local dev machine, I have a Vagrant box set up with Ubuntu 22, using nginx as the web server. I alias the Vagrant box's local IP in the Windows hosts file; I do this to be able to set up different nginx configs for different applications. I went to set it up like usual, making my reserved share point to the Windows host alias. However, this just hits the main config's server name.
If I directly pull up the server name I aliased in the browser, it properly goes to the correct application. See nginx configs below:

server {
    listen 80;
    listen [::]:80;
    server_name nexus.integrations.local;
    return 301 https://nexus.integrations.local$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name nexus.integrations.local;
    ssl on;
    ssl_certificate /etc/nginx/ssl/localhost.crt;
    ssl_certificate_key /etc/nginx/ssl/localhost.key;
    location / {
        proxy_pass http://127.0.0.1:3001;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name local.api.nexus;
    return 301 https://local.api.nexus$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name local.api.nexus;
    ssl on;
    ssl_certificate /etc/nginx/ssl/localhost.crt;
    ssl_certificate_key /etc/nginx/ssl/localhost.key;
    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}

On the Windows computer, there's a VM running Nginx and two HTTP servers (3000, 3001/TCP). There's no problem reaching those servers on the VM's interface address from a web browser you're running in Windows, so the VM IP is directly routable from Windows.
Here's a recipe that may be simpler than what you were expecting to do with zrok and Nginx that bypasses Nginx. You want to share both servers with zrok, so you'll run two separate zrok share processes. On the Linux VM, you can install the zrok-share package, enable your zrok account on the VM, then create two user services. Each user service on the VM proxies directly to the local server port. You could keep Nginx like it is so you can bypass zrok locally if you wish.
If you like this idea, then I'd be happy to give you an example configuration for your user services.
Back to daisy-chaining zrok to Nginx, in case you don't like the recipe idea above.
Nginx, running on the VM, is set to route HTTP requests between the two servers by server_name, and you've created hosts database entries for both in Windows to override DNS.
The first thing to check is that zrok can reach Nginx the same way your web browser is reaching Nginx on the VM. Are you running zrok in Windows, in WSL, or on the VM?
Next thing to check is Nginx's certificate. Nginx forces incoming requests to HTTPS. Does Nginx present a trusted server certificate? If not, you must use the --insecure option to share with zrok to skip certificate verification.
Let me clarify the issue. The internal workings of the VM and the webserver aren't the issue here, as I can pull all that correctly without Zrok.
Also, my host machine is Windows 10. The VM is a virtual box ubuntu 22 (no gui) image orchestrated by vagrant. The VM is addressable via 192.168.101.120.
I am running zrok on windows CMD.
I have 2 reserve shares, let's call them:
share1 pointed to local alias: local.api.nexus
share2 pointed to local alias: nexus.integrations.local
The share1 works fine and pulls correctly. share2 through zrok, points to the local alias that share1 is on.
This is the command I used to make the reserve. Removing actual unique name for a reason.
zrok reserve public --unique-name share2 https://nexus.integrations.local
To Run it:
zrok share reserved --insecure share2
My Host file in Windows:
192.168.101.120 local.api.nexus nexus.integrations.local
Nginx Error Log for calling the zrok share.
2025/03/07 18:42:53 [error] 4823#4823: *61 connect() failed (111: Unknown error) while connecting to upstream, client: 192.168.101.1, server: local.api.nexus, request: "GET /user HTTP/1.1", upstream: "http://127.0.0.1:3000/user", host: "share1.share.zrok.io"
If I call https://nexus.integrations.local/user
I get a response. But if I call share2.share.zrok.io/user
I get 502 bad gateway. Checking the nginx error logs shows the above error where the host: is showing as share1 and not share2.
So in short, zrok is making the call to my VM using the wrong server_name and thus nginx routes by the server name.
It sounds to me like your Nginx servers are "routing" to the correct "server" (using the "server_name") entry in your Nginx configuration.
When you proxy to those servers through zrok, the Host header is set to whatever the zrok share name is set to... and your Nginx server does not know where to send the traffic.
This is normal Nginx behavior... zrok is a reverse proxy in this case, and the Nginx server that is being proxied to needs to be configured to respond to the inbound Host header appropriately.
Alternatively, you could use the caddy zrok backend, which would allow you to re-write the incoming Host header to local.api.nexus, such that your Nginx server knows how to route the traffic appropriately.
There is an example of Host header rewriting in one of the Caddyfile examples in the zrok repo:
The caddy backend is a more powerful reverse proxy and allows you to "rewrite" the requests before they arrive at your Nginx server.
In other words, when you open local.api.nexus in your web browser, the web browser sets the Host header to local.api.nexus... and when the request arrives at Nginx, it knows which virtual server to send the request to.
When you put zrok in front of it, you hit a URL like someshare.share.zrok.io... your web browser sets the Host header to that value, and when the request arrives at your nginx, it doesn't know what someshare.share.zrok.io is, and it sends it to the default virtual server.
Using the caddy backend will allow you to re-write the inbound Host header so that it's set to local.api.nexus, no matter what the web browser (or other HTTP client) sends.
[FYI to the thread. this post: Weird Reserved Share Behavior - #3 by dvernon83 was marked as spam for "who know what reason". I rejected the flag and the post now shows up in the thread]
Alternatively, you could create a virtual Nginx server with a server_name that corresponds to your zrok share URL. You could use a reserved share so that the name is persistent.
Is this an automated thing or some user marked it as spam?
Discourse has "anti-spam" automation. I've never seen it trigger on someone for a comment to date, but there's a first for everything. Often a "how long it took to type the message" filter is one of the ones that triggers it. So if you composed your message then pasted it in and hit send, that might have triggered it. But I didn't see a reason when I looked in the system (I didn't spend a lot of time looking, to be fair).
I did just this and revamped my nginx to handle the zrok server_name instead.
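
The approach suggested above (an Nginx virtual server whose server_name is the zrok share hostname), written out as an added example that is not the poster's actual configuration. It assumes the shares are reachable as share1.share.zrok.io and share2.share.zrok.io, the placeholder names used in this thread; the catch-all default_server block is an addition the thread does not mention, included so that a request with an unrecognised Host header is refused instead of landing in whichever application happens to be the default.

```nginx
# Added example. Hostnames share1/share2.share.zrok.io are the thread's
# placeholders; certificate paths and backend ports are from the original post.

# Catch-all: a Host header that matches no server_name below ends up here
# rather than in one of the applications.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/localhost.crt;
    ssl_certificate_key /etc/nginx/ssl/localhost.key;
    return 444;   # nginx-specific: close the connection without a response
}

# Integrations app: answers to the local alias and to its zrok share name.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name nexus.integrations.local share2.share.zrok.io;
    ssl_certificate     /etc/nginx/ssl/localhost.crt;
    ssl_certificate_key /etc/nginx/ssl/localhost.key;
    location / {
        proxy_pass http://127.0.0.1:3001;
    }
}

# API app: answers to the local alias and to its zrok share name.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name local.api.nexus share1.share.zrok.io;
    ssl_certificate     /etc/nginx/ssl/localhost.crt;
    ssl_certificate_key /etc/nginx/ssl/localhost.key;
    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}
```

Check the result with nginx -t before reloading. Once the catch-all is in place, every new share hostname has to be added to a server_name explicitly, since nothing falls through to an application by default any more.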