Sites¶
The Sites workspace plans and applies native Nginx configuration on the selected managed server. A site action is recorded by the controller, delivered to the selected agent, and moves through queued, delivered, completed, or failed state.
Start with a disposable hostname
Native site actions write Nginx configuration and can reload Nginx on the selected host. Prove the full deploy, HTTPS, disable, rollback, and cleanup path with a disposable hostname before managing an important site.
Supported site types¶
| Type | Use it for | Required input |
|---|---|---|
| Static Nginx | HTML, CSS, JavaScript, and other files served from a document root | Domain and document root |
| PHP-FPM | PHP applications served by Nginx | Domain, document root, and PHP-FPM upstream |
| Reverse proxy | An HTTP or HTTPS application already listening elsewhere | Domain and explicit proxy target |
New static and PHP document roots receive a small starter index only when no existing index file is present. aseStack does not overwrite an existing site entry file during initial creation.
Prepare the managed server¶
- Open Servers, select the target, and run Preflight.
- Confirm the agent reports Nginx ready and that its configured site root and Nginx paths match the host.
- Back up existing Nginx configuration and the intended document root.
- Enable the controller-side queue gate:
- On the managed host, enable the matching agent gate in its agent environment:
- Restart the affected services after changing environment files, then rerun Preflight.
Direct controller-host Nginx actions use ASESTACK_NGINX_ACTIONS. Selected-agent operations use both agent gates above. Keep unrelated action gates disabled.
Deploy a site¶
- Make sure the domain's DNS plan is understood, but do not switch important traffic yet.
- Open Sites and create a site.
- Choose the target server and a supported site type.
-
Enter the type-specific settings:
-
Static: choose a document root under the configured site root.
- PHP-FPM: also provide the host's PHP-FPM socket or upstream.
-
Reverse proxy: provide an explicit
http://orhttps://target. -
Preview the generated Nginx plan and check the server, domain, paths, upstream, and TLS choice.
- Submit the deployment and wait for the linked agent command to reach completed.
- Verify locally on the managed server before changing public DNS.
- Point DNS at the public server and verify HTTP from outside your network.
The selected agent validates Nginx before reload. A failed validation should leave the deployment failed; inspect the command result and host logs instead of repeatedly retrying.
Add HTTPS¶
Certificate issue and renewal are separate guarded actions. This separation lets you establish the HTTP/ACME path before generating a TLS configuration.
- Confirm the hostname resolves to the server that will answer the ACME challenge.
- Configure the certificate email and certbot command on the managed host.
- Enable the controller and agent certificate gates:
# Controller
ASESTACK_AGENT_CERTIFICATE_ACTION_COMMANDS=true
# Managed agent
ASESTACK_AGENT_CERTIFICATE_ACTIONS=true
- Deploy or otherwise route HTTP for the hostname.
- Run the certificate inspection and issue action from Sites.
- After the certificate exists, edit or redeploy the site with HTTPS enabled.
- Check the preview uses the expected full-chain and private-key paths.
- Verify origin HTTPS and then public HTTPS.
When custom paths are not supplied, the generated configuration expects Let's Encrypt files under /etc/letsencrypt/live/<domain>/.
Cloudflare proxying
If Cloudflare proxies the record, its SSL mode must match the origin. Verify origin TLS directly before enabling strict public TLS behavior. DNS records and Cloudflare SSL settings are outside aseStack's current cleanup flow.
Use a public gateway server¶
A site can run on a private origin server while a separate managed server accepts public traffic.
- The origin server runs the static, PHP-FPM, or reverse-proxy site.
- The gateway server runs a public reverse-proxy configuration and preserves the original
Hostheader. - The origin agent reports a private address with
ASESTACK_AGENT_PRIVATE_ORIGIN_ADDRESS, normally from Tailscale, WireGuard, or another private network. - Operators can choose a gateway per deployment or save a default with
ASESTACK_DEFAULT_SITE_GATEWAY_SERVER_ID.
For an automatic gateway deployment:
- Confirm the gateway can reach the origin's private address and selected port.
- Run preflight on both agents.
- Set the origin agent's private address and restart the agent.
- Select the origin server and gateway when deploying the site.
- Review both generated plans.
- Point public DNS at the gateway, not the origin.
- Verify the origin is not unintentionally exposed on a public listener.
HTTPS certificate paths apply to the gateway configuration when gateway HTTPS is enabled. The private origin can remain HTTP on a trusted private network unless you deploy and validate origin TLS separately.
Disable, roll back, or clean up¶
| Action | Result |
|---|---|
| Disable | Removes the enabled-site link, preserves the available configuration, validates Nginx, and reloads when needed. |
| Roll back | Restores the newest managed configuration backup, re-enables it, validates Nginx, and reloads. |
| Clean up | Can remove managed Nginx files, the managed document root, an empty managed parent, and—after separate confirmation—the certificate lineage. |
Cleanup does not remove DNS-provider records. Remove DNS manually only after you have confirmed the site should no longer resolve.
After every state change, verify the command result in Sites and the corresponding audit/operator history in Logs. See Troubleshooting for failed or stuck actions.