I am docker newbie.
I want to deploy multiple wordpress containers on one host. I thought of two solutions, but I don't know if they are the right way.
Solution-1: use wordpress image
docker run --name wordpress-1 -dp 8001:80 -e some-database-env wordpress
docker run --name wordpress-2 -dp 8002:80 -e some-database-env wordpress
I think wordpress image contains web server, php, fpm so i can access http://localhost:8001 when it run.
When I need to expose two services to the Internet with port 80, I need a front-end service (nginx) to forward requests to these two services, is that correct?
Solution-2: use 5.5.0-php7.3-fpm-alpine image
This image is smaller, it just open a port 9000 from fpm. It seems dose not have web server. I try to config nginx with it, but not work.
docker run --name wordpress-1 -dp 9001:9000 -e some-database-env wordpress:5.5.0-php7.3-fpm-alpine
nginx config
server {
listen 9993;
server_name localhost;
index index.php index.html;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
# I have try use container's ip, but network not work(ping not recieved)
fastcgi_pass 127.0.0.1:9001;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
}
}
Browser display file not found
And get nginx error
2020/09/01 21:26:28 [error] 59036#0: *9 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://[::1]:9001", host: "localhost:9993"
Is solution-1 the right way to deploy multiple wordpress containers on one host?
How to use 5.5.0-php7.3-fpm-alpine image to deploy multiple wordpress containers on one host?
It does not listen on that IP address, so change IP address from:
fastcgi_pass 127.0.0.1:9001;
to:
fastcgi_pass 172.17.0.1:9001;
IP address 172.17.0.1 is an IP address gateway of docker container network.
Or change to :
fastcgi_pass ip_address_of_wordpress_container:9001;
Just continue with your first option and set up NGINX as load balancer, and have config like:
http {
upstream app {
server wordpress-1:80;
server wordpress-1:80;
}
}
And to make it more easy, use docker-compose.
Ref - nginx load balancer - Docker compose
Related
I’m trying to figure out the best way of securing access to my MariaDB database. I have a root non-wordpress site with 2 wordpress sites as directories (/blog and /shop) - each with separate databases - that use phpMyAdmin as a database viewer (accessible at /phpmyadmin). I want to increase the security so that it can’t be hacked so easily. However, I can’t seem to implement any of the recommended security measures.
Creating a .htaccess and in /usr/share/phpmyadmin and adding the following to whitelist IPs and block all other IPs has no effect:
Order Deny,Allow
Deny from All
Allow from 12.34.56.78
Changing the phpMyAdmin url via the config file (so it’s not accessible at /phpmyadmin) also seems to have no effect.
I’m assuming that it’s because apache is not running (I use Nginx to run my main domain and the 2 wordpress sites). I can’t run apache and Nginx simultaneously (presumably because they’re both fighting for port 80), but what I don’t get is that when Nginx is running and apache is supposedly not running, how is the /phpmyadmin link still accessible?
Here’s my .conf file in /etc/nginx/sites-available (also symlinked to sites-enabled):
upstream wp-php-handler-four {
server unix:/var/run/php/php7.4-fpm.sock;
}
server {
listen 1234 default_server;
listen [::]:1234 default_server;
root /var/www/site;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html index.php;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location /blog {
try_files $uri $uri/ /blog/index.php?$args;
}
location /shop {
try_files $uri $uri/ /shop/index.php?$args;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass wp-php-handler-four;
}
}
I followed a tutorial to set this up (maybe I’m misunderstanding how it’s fully set up) but is this not actually using apache to access /phpmyadmin or is it using some web socket? How can I make the above security attempts work?
Note: the /usr/share/phpmyadmin/ dir is symlinked to /var/www/site/
Creating a .htaccess in /usr/share/phpmyadmin and adding the following to whitelist IPs and block all other IPs has no effect:
Order Deny,Allow
Deny from All
Allow from 12.34.56.78
Of course it won't have any effect since this file processed only by apache.
I can’t run apache and Nginx simultaneously (presumably because they’re both fighting for port 80)
In an early days of nginx there was a technique to use nginx for static files and apache to process PHP scripts. Apache was running on some other port (for example, 8080) and listening only on local IP (127.0.0.1). Nginx configuration for that was looking like
upstream apache {
server 127.0.0.1:8080;
}
server {
...
location ~ \.php$ {
proxy_pass http://apache;
}
}
Nowadays it is rarely used since using PHP-FPM is more flexible and gives a less server overhead. However it can be used when you have a complex .htaccess configuration and don't want to rewrite it for nginx/PHP-FPM.
but what I don’t get is that when Nginx is running and apache is supposedly not running, how is the /phpmyadmin link still accessible?
...
Is this not actually using apache to access /phpmyadmin or is it using some web socket?
This configuration uses UNIX socket /var/run/php/php7.4-fpm.sock where PHP-FPM daemon is listening for requests (you can read an introduction to this article to get some additional details).
How can I make the above security attempts work?
One of many possible solutions is
Unlink /usr/share/phpmyadmin/ from /var/www/site/
Use the following location block (put it before the location ~ \.php$ { ... } one:
location ~ ^/phpmyadmin(?<subpath>/.*)? {
allow 12.34.56.78;
# add other IPs here
deny all;
alias /usr/share/phpmyadmin/;
index index.php;
try_files $subpath $subpath/ =404;
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$subpath;
fastcgi_pass wp-php-handler-four;
}
}
To add to the otherwise quite thorough answer:
Since Nginx doesn't use .htaccess files or the same syntax as Apache, you aren't being restricted as Apache would do. You may wish to find some other solution, or you could use what's built in to phpMyAdmin: there is a allow/deny functionality built in that you can learn about in the documentation: https://docs.phpmyadmin.net/en/latest/config.html#cfg_Servers_AllowDeny_order (and https://docs.phpmyadmin.net/en/latest/config.html#cfg_Servers_AllowDeny_rules); this will let you restrict access based on username and IP address.
I have a node.js project, working with nginx acting as a reverse proxy. I'm trying the configure nginx to serve static content. Both nginx and node.js are docker containers. I've tried to use the following solutions:
How do you serve static files from an nginx server acting as a reverse proxy for a nodejs server?
Serving static files with NGINX
No matter what i do, I always get the following error:
directory index of "/usr/src/app/public/" is forbidden
Here is my nginx configuration:
server {
listen 80;
server_name ~^(.+)$;
root /usr/src/app/public;
location / {
try_files $uri #nodejs;
}
location #nodejs {
default_type text/css;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
set $key $http_host$request_uri;
set_escape_uri $escaped_key $key;
srcache_fetch GET /redis $key;
srcache_store PUT /redis2 key=$escaped_key&exptime=120;
add_header X-Cached $srcache_fetch_status;
proxy_pass http://node;
}
# Try fetching from Redis
location = /redis {
...
}
# Storing to Redis
location = /redis2 {
...
}
include /etc/nginx/default.d/*.conf;
}
Here is my docker-compose:
services:
web:
ports:
- "127.0.0.1:80:80"
build:
context: .
dockerfile: docker/nginx/Dockerfile
volumes:
- ./docker/nginx/server.conf:/etc/nginx/conf.d/server.conf
- ./docker/nginx/nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf
links:
- node:node
node:
ports:
- "81:80"
environment:
DEVELOP: "true"
build:
context: .
dockerfile: ./docker/node/Dockerfile
As mentioned above, I get error of directory index of "/usr/src/app/public/" is forbidden.
Some more info:
Nginx has the relevant permissions (Rnning with root)
I'm able to get specific static files from the public directory. For example: /public/image.png
When i create some index.html file in the public directory, I'm able to load it. However, The expected behaviour is that nginx will pass me to my backend server using proxy_pass http://node configuration, So it seems that the proxy_pass doesn't occurring.
What could be the issue? Please advise.
Update:
I've updated nginx configuration as suggested to:
try_files $uri #nodejs;
Initially, The issue seemed to be solved and i could load my backend server. However, I order to verify that now the static content is being served from the nginx container, I've deleted the public directory from nodejs container, and now i get the following error:
Failed to lookup view "index" in views directory "/usr/src/app/public"
Does anyone know what could be the issue?
Since your node container is set to expose via port 81 in the docker-compose file, your proxy_pass has to be updated like this.
proxy_pass http://node:81;
Refer to this article to setup nginx with a nodejs reverse proxy step by step
https://medium.com/#francoisromain/setup-node-js-apache-nginx-reverse-proxy-with-docker-1f5a5cb3e71e
I have set a nginx, php, mysql and phpMyAdmin on my laptop (running Arch Linux). Everything was ok till I tried to move the root in my home directory.
Here is the nginx configuration file I'm using:
server {
############### General Settings ###################
listen 80;
server_name localhost;
root /home/me/Development;
charset utf-8;
############## Document Root #####################
location / {
index index.php index.html index.htm;
autoindex on;
}
############## PHPMyAdmin #######################
#location /phpmyadmin {
# rewrite ^/* /phpMyAdmin last;
#}
############# Error redirection pages ################
error_page 404 NGINX/html/404.html;
error_page 500 502 503 504 NGINX/html/50x.html;
############## Proxy Settings for FastCGI PHP Server #####
location ~ \.php$ {
if ($request_uri ~* /phpmyadmin) {
root /usr/share/nginx/html;
}
try_files $uri =404;
#fastcgi_pass 127.0.0.1:9000; (depending on your php-fpm socket configuration)
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi.conf;
}
location ~ /\.ht {
deny all;
}
}
So I'm trying to make this "Development" folder - the folder where I will store all my php projects. And I want to keep phpMyAdmin in its default location.
Now i get 403 Forbidden if i try to access phpMyAdmin or any php file on the new location - error message:
2016/05/20 14:11:46 [crit] 5292#5292: *3 stat() "/home/me/Development/test.php" failed (13: Permission denied), client: 127.0.0.1, server: localhost, request: "GET /test.php HTTP/1.1", host: "localhost"
It should do something with the linux groups and rights but can't figure it out.
It's selinux, google disabling that or configuring it to allow what you need to do.
When your perms are set right and the logs show 'permission denied' it's selinux.
You are using HTTP to get your page. Now HTTP is returning you the error code '403' which according to RFC 2616 means "The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated."
The two possible reason for this error code
Authentication was provided, but the authenticated user is not permitted to perform the requested operation.
The operation is forbidden to all users. For example, requests for a directory listing return code 403 when directory listing has been disabled.
Try to check your file permissions. There is the solution.
I had a similar problem: I also got the 403 error code and tried to configure the rights of the file with chmod 777. Still the same result.
My problem was I started the nginx webserver with sudo nginx instead of starting it with my user and my rights. Just start the server with nginx without sudo and you should be fine.
I hope this helps someone.
check the owners and mode of the folder by using ls -l command if user is sudo then run this sudo chown -R yourusername:yourusername Development adn also run sudo chmod -R 777 Development
I'm experiencing 502 gateway errors when accessing my IP on nginx(http://52.xx.xx.xx/), the logs simply says this:
2015/09/18 13:03:37 [error] 32636#0: *1 connect() failed (111: Connection refused) while connecting to upstream, client: xx.xx.xx.xx, server: xx.xx.xx.xx, request: "GET / HTTP/1.1", upstream: "uwsgi://127.0.0.1:8000", host: "xx.xx.xx.xx"
my nginx.conf file
# the upstream component nginx needs to connect to
upstream django {
# server unix:///path/to/your/mysite/mysite.sock; # for a file socket
server 127.0.0.1:8000; # for a web port socket (we'll use this first)
}
# configuration of the server
server {
# the port your site will be served on
listen 80;
# the domain name it will serve for
server_name xx.xx.xx.xx; # substitute your machine's IP address or FQDN
charset utf-8;
access_log /home/ubuntu/test_django/nginx_access.log;
error_log /home/ubuntu/test_django/nginx_error.log;
# max upload size
client_max_body_size 75M; # adjust to taste
# Django media
location /media {
alias /home/ubuntu/test_django/static/media/; # your Django project's media files - amend as required
}
location /static {
alias /home/ubuntu/test_django/static/; # your Django project's static files - amend as required
}
# Finally, send all non-media requests to the Django server.
location / {
uwsgi_pass django;
include /home/ubuntu/test_django/uwsgi_params; # the uwsgi_params file you installed
}
}
Is there anything wrong with nginx.conf file.....if i use default conf then it is working.
I resolved it by changing the socket configuration in uwsgi.ini
from socket = 127.0.0.1:3031, to socket = :3031. I was facing this issue when I ran nginx in one Docker container and uWSGI in another. If you are using command line to start uWSGI then do uwsgi --socket :3031.
Hope this helps someone stuck with the same issue, during deployment of a Django application using Docker.
change this address:
include /home/ubuntu/test_django/uwsgi_params;
to
include /etc/nginx/uwsgi_params;
I ran into this issue when setting up the env by nginx + gunicorn and solve it by
adding '*' to ALLOWED_HOSTS or your specific domain.
In my case with a debian server it worked moving:
include /etc/nginx/uwsgi_params;
In the location tag in my nginx server config file, like this:
location /sistema {
include /etc/nginx/uwsgi_params;
uwsgi_pass unix://path/sistema.sock;
}
Also, check you have the following packages installed:
uwsgi-plugin-python
pip3 install uWSGI did the trick for me :D
I cannot find a way to setup php-fpm on nginx on Amazon AMI EC2 instance from scratch. I know this should not be that difficult, but finding different answers based on *nix versions is confusing.
Here are the condensed steps I've taken that I thought would work, but don't. Does anyone have a set of steps to reliably setup php-fpm with nginx in Amazon AMI EC2 instance?
I've intentionally left out nginx.conf, etc from this post since they are the "stock" installations from the default yum repositories.
nginx version: 1.6.2
Does anyone have reliable steps to setup php-fpm in nginx for Amazon AMI EC2 instances? I would prefer to setup myself instead of using the AMI in the Amazon marketplace that charges for this setup.
Thanks
# install packages
yum install -y nginx
yum install -y php56-fpm.x86_64
# enable php in nginx.conf
vi /etc/nginx/nginx.conf
# add index.php at the beginning of index
index index.php index.html index.htm;
# uncomment the php block in nginx.conf
location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
include fastcgi_params;
}
# tell php-fpm to run as same account as nginx
vi /etc/php-fpm-5.6.d/www.conf
- change user and group apache to nginx
# allow nginx user to read website files since they are typically owned by root
cd /usr/share/nginx
chown -R nginx:nginx html
# check to see if php works - doesn't with these steps
echo "<?php phpinfo(); ?>" > /usr/share/nginx/info.php
# restart services since we changed things
service nginx restart
service php-fpm-5.6 restart
# verify root path exists and is owned by nginx as we said above
# ls -l /usr/share/nginx/html
-rw-r--r-- 1 nginx nginx 3696 Mar 6 03:53 404.html
-rw-r--r-- 1 nginx nginx 3738 Mar 6 03:53 50x.html
-rw-r--r-- 1 nginx nginx 3770 Mar 6 03:53 index.html
-rw-r--r-- 1 nginx nginx 20 Apr 14 14:01 index.php
# I also verified php-fpm is listening on port 9000 and nginx is setup that way in the nginx.conf
# port 9000 usage is the default and I left it as-is for this question, but I would prefer to use sock once I get this working.
Edit
This is what I see in the nginx error log
2015/04/14 17:08:25 [error] 916#0: *9 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream,
client: 12.34.56.78, server: localhost, request: "GET /index.php HTTP/1.1",
upstream: "fastcgi://127.0.0.1:9000", host: "12.34.56.90"
What do you see in nginx error log (/var/log/nginx/errors.log)?
Added after additional info (logs) provided:
To me it looks root should be server section not location.
server {
...
root /usr/share/nginx/html;
...
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
include fastcgi_params;
}
}
Where is your index.php file? If it is here:
/usr/share/nginx/html/index.php
then change this line
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
to:
fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html$fastcgi_script_name;