how to nginx reverse proxy\redirect subdomain to subdirectory?

I've got a substack newsletter with a CNAME record pointing to newsletter.identosphere.net

I want that content to be displayed from identosphere.net/newsletter so the user can access each newsletter as a part of my main site:

identosphere.net/newsletter/issue-13/ should display content from newsletter.identosphere.net/issue-13/

Moreover, if possible (whether by nginx or dns) I want to redirect subdomain traffic to its folder on the root domain.

Right now I'm using:

location /newsletter/ {
    proxy_pass        http://newsletter.identosphere.net/;
    access_log /var/log/nginx/reverse-access.log;
    error_log /var/log/nginx/reverse-error.log;
}

What happens with this setting:

I type https://identosphere.net/newsletter and am redirected to https://newsletter.identosphere.net/


As requested by @ppuschmann, I'm posting the rest of my nginx config.

What I didn't mention, is that I'm using MailInABox its a selfhosted e-mail service that includes a web-server and dns.

Mainly, customizations are done via gui. I am using an unsupported feature that allows some customization of your config, but not of the main config, which is regularly refreshed. Apparently I cannot add server blocks to my "nginx user-config", only location blocks.

At this point, I'm not expecting to solve this, but if possible I'd like to determine how the dns (NSD) re-direct is set thats preventing my reverse proxy.

Here is the NGINX config

As stated in the comments, I can't edit this file, but I can add instructions via a config located elsewhere.

/etc/nginx/conf.d/local.conf

## NOTE: This file is automatically generated by Mail-in-a-Box.
##       Do not edit this file. It is continually updated by
##       Mail-in-a-Box and your changes will be lost.
##
##       Mail-in-a-Box machines are not meant to be modified.
##       If you modify any system configuration you are on
##       your own --- please do not ask for help from us.

upstream php-fpm {
    server unix:/var/run/php/php7.4-fpm.sock;
}
## identosphere.net

# Redirect all HTTP to HTTPS *except* the ACME challenges (Let's Encrypt TLS certificate
# domain validation challenges) path, which must be served over HTTP per the ACME spec
# (due to some Apache vulnerability).
server {
    listen 80;
    listen [::]:80;

    server_name identosphere.net;
    root /tmp/invalid-path-nothing-here;

    # Improve privacy: Hide version an OS information on
    # error pages and in the "Server" HTTP-Header.
    server_tokens off;

    location / {
        # Redirect using the 'return' directive and the built-in
        # variable '$request_uri' to avoid any capturing, matching
        # or evaluation of regular expressions.
        return 301 https://identosphere.net$request_uri;
    }

    location /.well-known/acme-challenge/ {
        # This path must be served over HTTP for ACME domain validation.
        # We map this to a special path where our TLS cert provisioning
        # tool knows to store challenge response files.
        alias /home/user-data/ssl/lets_encrypt/webroot/.well-known/acme-challenge/;
    }
}

# The secure HTTPS server.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name identosphere.net;

    # Improve privacy: Hide version an OS information on
    # error pages and in the "Server" HTTP-Header.
    server_tokens off;

    ssl_certificate /home/user-data/ssl/ssl_certificate.pem;
    ssl_certificate_key /home/user-data/ssl/ssl_private_key.pem;

    root /home/user-data/www/default;

    # ssl files sha1: 4d28ac1a16c0e04772557f6a765cbaa2e4a1d96f / a2eda6be4854a2530dc96a579325f3e95160fc48
    add_header Strict-Transport-Security "max-age=15768000" always;
    include /home/user-data/www/identosphere.net.conf;
    
    # Control Panel
    # Proxy /admin to our Python based control panel daemon. It is
    # listening on IPv4 only so use an IP address and not 'localhost'.
    location /admin/assets {
        alias /usr/local/lib/mailinabox/vendor/assets;
    }
    rewrite ^/admin$ /admin/;
    rewrite ^/admin/munin$ /admin/munin/ redirect;
    location /admin/ {
        proxy_pass http://127.0.0.1:10222/;
        proxy_set_header X-Forwarded-For $remote_addr;
        add_header X-Frame-Options "DENY";
        add_header X-Content-Type-Options nosniff;
        add_header Content-Security-Policy "frame-ancestors 'none';";
    }

    # Roundcube Webmail configuration.
    rewrite ^/mail$ /mail/ redirect;
    rewrite ^/mail/$ /mail/index.php;
    location /mail/ {
        index index.php;
        alias /usr/local/lib/roundcubemail/;
    }
    location ~ /mail/config/.* {
        # A ~-style location is needed to give this precedence over the next block.
        return 403;
    }
    location ~ /mail/.*\.php {
        # note: ~ has precendence over a regular location block
        include fastcgi_params;
        fastcgi_split_path_info ^/mail(/.*)()$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/local/lib/roundcubemail/$fastcgi_script_name;
        fastcgi_pass php-fpm;

        # Outgoing mail also goes through this endpoint, so increase the maximum
        # file upload limit to match the corresponding Postfix limit.
        client_max_body_size 128M;
    }

    # Nextcloud configuration.
    rewrite ^/cloud$ /cloud/ redirect;
    rewrite ^/cloud/$ /cloud/index.php;
    rewrite ^/cloud/(contacts|calendar|files)$ /cloud/index.php/apps/$1/ redirect;
    rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html;
    rewrite ^(/cloud/oc[sm]-provider)/$ $1/index.php redirect;
    location /cloud/ {
        alias /usr/local/lib/owncloud/;
        location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ {
            deny all;
        }
        location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }
        # Enable paths for service and cloud federation discovery
        # Resolves warning in Nextcloud Settings panel
        location ~ ^/cloud/(oc[sm]-provider)?/([^/]+\.php)$ {
            index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$1/$2;
            fastcgi_pass php-fpm;
        }
    }
    location ~ ^(/cloud)((?:/ocs)?/[^/]+\.php)(/.*)?$ {
        # note: ~ has precendence over a regular location block
        # Accept URLs like:
        # /cloud/index.php/apps/files/
        # /cloud/index.php/apps/files/ajax/scan.php (it's really index.php; see 6fdef379adfdeac86cc2220209bdf4eb9562268d)
        # /cloud/ocs/v1.php/apps/files_sharing/api/v1 (see #240)
        # /cloud/remote.php/webdav/yourfilehere...
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$2;
        fastcgi_param SCRIPT_NAME $1$2;
        fastcgi_param PATH_INFO $3;
        fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on;
        fastcgi_param MOD_X_ACCEL_REDIRECT_PREFIX /owncloud-xaccel;
        fastcgi_read_timeout 630;
        fastcgi_pass php-fpm;
        client_max_body_size 1G;
        fastcgi_buffers 64 4K;
    }
    location ^~ /owncloud-xaccel/ {
        # This directory is for MOD_X_ACCEL_REDIRECT_ENABLED. Nextcloud sends the full file
        # path on disk as a subdirectory under this virtual path.
        # We must only allow 'internal' redirects within nginx so that the filesystem
        # is not exposed to the world.
        internal;
        alias /;
    }
    location ~ ^/((caldav|carddav|webdav).*)$ {
        # Z-Push doesn't like getting a redirect, and a plain rewrite didn't work either.
        # Properly proxying like this seems to work fine.
        proxy_pass https://127.0.0.1/cloud/remote.php/$1;
    }
    rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last;
    rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last;
    rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect;
    rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect;

    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /mailinabox.mobileconfig {
        alias /var/lib/mailinabox/mobileconfig.xml;
    }
    location = /.well-known/autoconfig/mail/config-v1.1.xml {
        alias /var/lib/mailinabox/mozilla-autoconfig.xml;
    }
    location = /mail/config-v1.1.xml {
        alias /var/lib/mailinabox/mozilla-autoconfig.xml;
    }
    location = /.well-known/mta-sts.txt {
        alias /var/lib/mailinabox/mta-sts.txt;
    }

    # Z-Push (Microsoft Exchange ActiveSync)
    location /Microsoft-Server-ActiveSync {
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/local/lib/z-push/index.php;
        fastcgi_param PHP_VALUE "include_path=.:/usr/share/php:/usr/share/pear:/usr/share/awl/inc";
        fastcgi_read_timeout 630;
        fastcgi_pass php-fpm;

        # Outgoing mail also goes through this endpoint, so increase the maximum
        # file upload limit to match the corresponding Postfix limit.
        client_max_body_size 128M;
    }
    location ~* ^/autodiscover/autodiscover.xml$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/local/lib/z-push/autodiscover/autodiscover.php;
        fastcgi_param PHP_VALUE "include_path=.:/usr/share/php:/usr/share/pear:/usr/share/awl/inc";
        fastcgi_pass php-fpm;
    }

    # Disable viewing dotfiles (.htaccess, .svn, .git, etc.)
    # This block is placed at the end. Nginx's precedence rules means this block
    # takes precedence over all non-regex matches and only regex matches that
    # come after it (i.e. none of those, since this is the last one.) That means
    # we're blocking dotfiles in the static hosted sites but not the FastCGI-
    # handled locations for Nextcloud (which serves user-uploaded files that might
    # have this pattern, see #414) or some of the other services.
    location ~ /\.(ht|svn|git|hg|bzr) {
        log_not_found off;
        access_log off;
        deny all;
    }
}
## autoconfig.identosphere.net

# Redirect all HTTP to HTTPS *except* the ACME challenges (Let's Encrypt TLS certificate
# domain validation challenges) path, which must be served over HTTP per the ACME spec
# (due to some Apache vulnerability).
server {
    listen 80;
    listen [::]:80;

    server_name autoconfig.identosphere.net;
    root /tmp/invalid-path-nothing-here;

    # Improve privacy: Hide version an OS information on
    # error pages and in the "Server" HTTP-Header.
    server_tokens off;

    location / {
        # Redirect using the 'return' directive and the built-in
        # variable '$request_uri' to avoid any capturing, matching
        # or evaluation of regular expressions.
        return 301 https://autoconfig.identosphere.net$request_uri;
    }

    location /.well-known/acme-challenge/ {
        # This path must be served over HTTP for ACME domain validation.
        # We map this to a special path where our TLS cert provisioning
        # tool knows to store challenge response files.
        alias /home/user-data/ssl/lets_encrypt/webroot/.well-known/acme-challenge/;
    }
}

# The secure HTTPS server.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name autoconfig.identosphere.net;

    # Improve privacy: Hide version an OS information on
    # error pages and in the "Server" HTTP-Header.
    server_tokens off;

    ssl_certificate /home/user-data/ssl/identosphere.net-20210401-90d5ae2d.pem;
    ssl_certificate_key /home/user-data/ssl/ssl_private_key.pem;

    root /home/user-data/www/default;

    # ssl files sha1: 4d28ac1a16c0e04772557f6a765cbaa2e4a1d96f / a2eda6be4854a2530dc96a579325f3e95160fc48
    add_header Strict-Transport-Security "max-age=15768000" always;
    include /home/user-data/www/autoconfig.identosphere.net.conf;

    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /mailinabox.mobileconfig {
        alias /var/lib/mailinabox/mobileconfig.xml;
    }
    location = /.well-known/autoconfig/mail/config-v1.1.xml {
        alias /var/lib/mailinabox/mozilla-autoconfig.xml;
    }
    location = /mail/config-v1.1.xml {
        alias /var/lib/mailinabox/mozilla-autoconfig.xml;
    }
    location = /.well-known/mta-sts.txt {
        alias /var/lib/mailinabox/mta-sts.txt;
    }

    # Z-Push (Microsoft Exchange ActiveSync)
    location /Microsoft-Server-ActiveSync {
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/local/lib/z-push/index.php;
        fastcgi_param PHP_VALUE "include_path=.:/usr/share/php:/usr/share/pear:/usr/share/awl/inc";
        fastcgi_read_timeout 630;
        fastcgi_pass php-fpm;

        # Outgoing mail also goes through this endpoint, so increase the maximum
        # file upload limit to match the corresponding Postfix limit.
        client_max_body_size 128M;
    }
    location ~* ^/autodiscover/autodiscover.xml$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/local/lib/z-push/autodiscover/autodiscover.php;
        fastcgi_param PHP_VALUE "include_path=.:/usr/share/php:/usr/share/pear:/usr/share/awl/inc";
        fastcgi_pass php-fpm;
    }

    # Disable viewing dotfiles (.htaccess, .svn, .git, etc.)
    # This block is placed at the end. Nginx's precedence rules means this block
    # takes precedence over all non-regex matches and only regex matches that
    # come after it (i.e. none of those, since this is the last one.) That means
    # we're blocking dotfiles in the static hosted sites but not the FastCGI-
    # handled locations for Nextcloud (which serves user-uploaded files that might
    # have this pattern, see #414) or some of the other services.
    location ~ /\.(ht|svn|git|hg|bzr) {
        log_not_found off;
        access_log off;
        deny all;
    }
}
## autodiscover.identosphere.net

# Redirect all HTTP to HTTPS *except* the ACME challenges (Let's Encrypt TLS certificate
# domain validation challenges) path, which must be served over HTTP per the ACME spec
# (due to some Apache vulnerability).
server {
    listen 80;
    listen [::]:80;

    server_name autodiscover.identosphere.net;
    root /tmp/invalid-path-nothing-here;

    # Improve privacy: Hide version an OS information on
    # error pages and in the "Server" HTTP-Header.
    server_tokens off;

    location / {
        # Redirect using the 'return' directive and the built-in
        # variable '$request_uri' to avoid any capturing, matching
        # or evaluation of regular expressions.
        return 301 https://autodiscover.identosphere.net$request_uri;
    }

    location /.well-known/acme-challenge/ {
        # This path must be served over HTTP for ACME domain validation.
        # We map this to a special path where our TLS cert provisioning
        # tool knows to store challenge response files.
        alias /home/user-data/ssl/lets_encrypt/webroot/.well-known/acme-challenge/;
    }
}

# The secure HTTPS server.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name autodiscover.identosphere.net;

    # Improve privacy: Hide version an OS information on
    # error pages and in the "Server" HTTP-Header.
    server_tokens off;

    ssl_certificate /home/user-data/ssl/identosphere.net-20210401-90d5ae2d.pem;
    ssl_certificate_key /home/user-data/ssl/ssl_private_key.pem;

    root /home/user-data/www/default;

    # ssl files sha1: 4d28ac1a16c0e04772557f6a765cbaa2e4a1d96f / a2eda6be4854a2530dc96a579325f3e95160fc48
    add_header Strict-Transport-Security "max-age=15768000" always;
    include /home/user-data/www/autodiscover.identosphere.net.conf;

    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /mailinabox.mobileconfig {
        alias /var/lib/mailinabox/mobileconfig.xml;
    }
    location = /.well-known/autoconfig/mail/config-v1.1.xml {
        alias /var/lib/mailinabox/mozilla-autoconfig.xml;
    }
    location = /mail/config-v1.1.xml {
        alias /var/lib/mailinabox/mozilla-autoconfig.xml;
    }
    location = /.well-known/mta-sts.txt {
        alias /var/lib/mailinabox/mta-sts.txt;
    }

    # Z-Push (Microsoft Exchange ActiveSync)
    location /Microsoft-Server-ActiveSync {
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/local/lib/z-push/index.php;
        fastcgi_param PHP_VALUE "include_path=.:/usr/share/php:/usr/share/pear:/usr/share/awl/inc";
        fastcgi_read_timeout 630;
        fastcgi_pass php-fpm;

        # Outgoing mail also goes through this endpoint, so increase the maximum
        # file upload limit to match the corresponding Postfix limit.
        client_max_body_size 128M;
    }
    location ~* ^/autodiscover/autodiscover.xml$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/local/lib/z-push/autodiscover/autodiscover.php;
        fastcgi_param PHP_VALUE "include_path=.:/usr/share/php:/usr/share/pear:/usr/share/awl/inc";
        fastcgi_pass php-fpm;
    }

    # Disable viewing dotfiles (.htaccess, .svn, .git, etc.)
    # This block is placed at the end. Nginx's precedence rules means this block
    # takes precedence over all non-regex matches and only regex matches that
    # come after it (i.e. none of those, since this is the last one.) That means
    # we're blocking dotfiles in the static hosted sites but not the FastCGI-
    # handled locations for Nextcloud (which serves user-uploaded files that might
    # have this pattern, see #414) or some of the other services.
    location ~ /\.(ht|svn|git|hg|bzr) {
        log_not_found off;
        access_log off;
        deny all;
    }
}
## mta-sts.identosphere.net

# Redirect all HTTP to HTTPS *except* the ACME challenges (Let's Encrypt TLS certificate
# domain validation challenges) path, which must be served over HTTP per the ACME spec
# (due to some Apache vulnerability).
server {
    listen 80;
    listen [::]:80;

    server_name mta-sts.identosphere.net;
    root /tmp/invalid-path-nothing-here;

    # Improve privacy: Hide version an OS information on
    # error pages and in the "Server" HTTP-Header.
    server_tokens off;

    location / {
        # Redirect using the 'return' directive and the built-in
        # variable '$request_uri' to avoid any capturing, matching
        # or evaluation of regular expressions.
        return 301 https://mta-sts.identosphere.net$request_uri;
    }

    location /.well-known/acme-challenge/ {
        # This path must be served over HTTP for ACME domain validation.
        # We map this to a special path where our TLS cert provisioning
        # tool knows to store challenge response files.
        alias /home/user-data/ssl/lets_encrypt/webroot/.well-known/acme-challenge/;
    }
}

# The secure HTTPS server.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name mta-sts.identosphere.net;

    # Improve privacy: Hide version an OS information on
    # error pages and in the "Server" HTTP-Header.
    server_tokens off;

    ssl_certificate /home/user-data/ssl/identosphere.net-20210401-90d5ae2d.pem;
    ssl_certificate_key /home/user-data/ssl/ssl_private_key.pem;

    root /home/user-data/www/default;

    # ssl files sha1: 4d28ac1a16c0e04772557f6a765cbaa2e4a1d96f / a2eda6be4854a2530dc96a579325f3e95160fc48
    add_header Strict-Transport-Security "max-age=15768000" always;
    include /home/user-data/www/mta-sts.identosphere.net.conf;

    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /mailinabox.mobileconfig {
        alias /var/lib/mailinabox/mobileconfig.xml;
    }
    location = /.well-known/autoconfig/mail/config-v1.1.xml {
        alias /var/lib/mailinabox/mozilla-autoconfig.xml;
    }
    location = /mail/config-v1.1.xml {
        alias /var/lib/mailinabox/mozilla-autoconfig.xml;
    }
    location = /.well-known/mta-sts.txt {
        alias /var/lib/mailinabox/mta-sts.txt;
    }

    # Z-Push (Microsoft Exchange ActiveSync)
    location /Microsoft-Server-ActiveSync {
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/local/lib/z-push/index.php;
        fastcgi_param PHP_VALUE "include_path=.:/usr/share/php:/usr/share/pear:/usr/share/awl/inc";
        fastcgi_read_timeout 630;
        fastcgi_pass php-fpm;

        # Outgoing mail also goes through this endpoint, so increase the maximum
        # file upload limit to match the corresponding Postfix limit.
        client_max_body_size 128M;
    }
    location ~* ^/autodiscover/autodiscover.xml$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/local/lib/z-push/autodiscover/autodiscover.php;
        fastcgi_param PHP_VALUE "include_path=.:/usr/share/php:/usr/share/pear:/usr/share/awl/inc";
        fastcgi_pass php-fpm;
    }

    # Disable viewing dotfiles (.htaccess, .svn, .git, etc.)
    # This block is placed at the end. Nginx's precedence rules means this block
    # takes precedence over all non-regex matches and only regex matches that
    # come after it (i.e. none of those, since this is the last one.) That means
    # we're blocking dotfiles in the static hosted sites but not the FastCGI-
    # handled locations for Nextcloud (which serves user-uploaded files that might
    # have this pattern, see #414) or some of the other services.
    location ~ /\.(ht|svn|git|hg|bzr) {
        log_not_found off;
        access_log off;
        deny all;
    }
}
## www.identosphere.net

# Redirect all HTTP to HTTPS *except* the ACME challenges (Let's Encrypt TLS certificate
# domain validation challenges) path, which must be served over HTTP per the ACME spec
# (due to some Apache vulnerability).
server {
    listen 80;
    listen [::]:80;

    server_name www.identosphere.net;
    root /tmp/invalid-path-nothing-here;

    # Improve privacy: Hide version an OS information on
    # error pages and in the "Server" HTTP-Header.
    server_tokens off;

    location / {
        # Redirect using the 'return' directive and the built-in
        # variable '$request_uri' to avoid any capturing, matching
        # or evaluation of regular expressions.
        return 301 https://www.identosphere.net$request_uri;
    }

    location /.well-known/acme-challenge/ {
        # This path must be served over HTTP for ACME domain validation.
        # We map this to a special path where our TLS cert provisioning
        # tool knows to store challenge response files.
        alias /home/user-data/ssl/lets_encrypt/webroot/.well-known/acme-challenge/;
    }
}

# The secure HTTPS server.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name www.identosphere.net;

    # Improve privacy: Hide version an OS information on
    # error pages and in the "Server" HTTP-Header.
    server_tokens off;

    ssl_certificate /home/user-data/ssl/identosphere.net-20210401-90d5ae2d.pem;
    ssl_certificate_key /home/user-data/ssl/ssl_private_key.pem;

    rewrite ^(.*) https://identosphere.net$1 permanent;
}

Solution 1:

You need to at least set:

proxy_set_header Host newsletter.identosphere.net;

This sends the correct Host header to the upstream server, which might be configured to send redirects when there is an incorrect Host header in the request.