nginx 404 with server_name but okay with location path - nginx

I'm just learning nginx. I cannot understand why putting the server_name in the browser's address bar results in a page not found (e.g. mydomain/app2.com), while the directory path works (e.g. mydomain/app2). I do understand that the server_name is not evaluated if the listen directive is conclusive.
I have a file [webroot]/app2/index.html that shows a simple message.
Below is the edited portion of nginx.conf, generated with the command nginx -T.
worker_processes auto;
#worker_cpu_affinity auto;
worker_rlimit_nofile 65535;
include conf.d/main.conf;
events {
use epoll;
multi_accept on;
accept_mutex off;
worker_connections 1024;
include conf.d/events.conf;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log off;
#access_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_access,nohostname main;
error_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_error,nohostname error;
tcp_nopush on;
tcp_nodelay on;
sendfile on;
server_tokens off;
proxy_request_buffering off;
fastcgi_request_buffering off;
scgi_request_buffering off;
proxy_buffering off;
fastcgi_buffering off;
scgi_buffering off;
resolver_timeout 5s;
client_header_timeout 10s;
client_body_timeout 60s;
send_timeout 60s;
keepalive_timeout 65s 20s;
client_max_body_size 0;
server_names_hash_max_size 8192;
server_names_hash_bucket_size 128;
# TLS defaults declared at http level; server blocks that listen with "ssl"
# and set no certificate of their own inherit these.
ssl_certificate /usr/syno/etc/certificate/system/default/fullchain.pem;
ssl_certificate_key /usr/syno/etc/certificate/system/default/privkey.pem;
# Only TLS 1.2 is offered.
ssl_protocols TLSv1.2;
ssl_dhparam /usr/syno/etc/ssl/dh2048.pem;
ssl_prefer_server_ciphers on;
# Session tickets are off; resumption uses the shared session cache below.
ssl_session_tickets off;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 3600s;
# Client-address rewriting (realip): $remote_addr is replaced from
# X-Forwarded-For only for connections arriving from an address listed by
# set_real_ip_from, i.e. 127.0.0.1 here plus whatever the included
# trusted_proxy files declare.
real_ip_header X-Forwarded-For;
# With recursion on, trusted addresses are skipped from the right of the
# header and the last non-trusted address is used.
real_ip_recursive on;
set_real_ip_from 127.0.0.1;
# NOTE(review): the contents of these files are not shown. Every address they
# trust can dictate the client IP that logs and allow/deny rules see, so the
# list should hold only real reverse proxies.
include /var/tmp/nginx/trusted_proxy/*.conf;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server_tag "nginx";
gzip_disable "msie6";
gzip_min_length 1000;
gzip_types text/plain text/css application/javascript application/json;
gzip_vary on;
gzip_static on;
open_file_cache max=1000 inactive=60s;
open_file_cache_valid 3s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
upstream synoscgi {
server unix:/run/synoscgi.sock;
}
index index.html index.htm index.php;
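# Catch-all HTTP server. It is the default_server for port 80 (IPv4 and IPv6),
# so it receives every request whose Host header matches no other server_name
# on these listen sockets.
#
# Fix applied: the named-location marker is "@". The "#error_page" spelling
# starts a comment in nginx, which would also swallow the terminating ";".
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    gzip on;
    server_name _;

    # "root /" makes the whole filesystem the document root for these paths;
    # "internal" is what limits this location to internal requests, so a
    # client-supplied URL cannot reach it directly.
    location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
        internal;
        root /;
        open_file_cache off;
        include app.d/x-accel.*.conf;
        include conf.d/x-accel.*.conf;
    }

    include app.d/www.*.conf;
    include app.d/alias.*.conf;
    include /usr/syno/share/nginx/conf.d/www.*.conf;
    include conf.d/www.*.conf;

    location = /webdefault/images/logo.jpg {
        alias /usr/syno/share/nginx/logo.jpg;
    }

    # All listed error statuses are rendered by the named location below,
    # which always serves /error.html from the shared nginx directory.
    error_page 403 404 500 502 503 504 @error_page;
    location @error_page {
        root /usr/syno/share/nginx;
        rewrite (.*) /error.html break;
        allow all;
    }

    location ^~ /.well-known/acme-challenge {
        root /var/lib/letsencrypt;
        default_type text/plain;
    }

    # NOTE(review): the dump of app.d/.location.webstation.conf on this page
    # defines "location ~ ^", which matches every URI. Regex locations are
    # tried in file order, so that included location is chosen before the
    # "~ ^/$" location below for any request not claimed by an "=" or "^~"
    # location.
    include app.d/.location.webstation.conf*;

    location / {
        rewrite ^ / redirect;
    }

    # Redirect target is built from $host, which is derived from the request
    # (Host header), not from a fixed name.
    location ~ ^/$ {
        rewrite / http://$host:5000/ redirect;
    }
}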
}
# configuration file /etc/nginx/app.d/dsm.DownloadStation.conf:
location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ {
internal;
root /;
open_file_cache off;
include app.d/x-accel.*.conf;
include conf.d/x-accel.*.conf;
}
location ~ ^/download/btsetting.cgi {
rewrite /download/btsetting.cgi /webman/3rdparty/DownloadStation/dlm/btsetting.cgi break;
include scgi_params;
scgi_pass synoscgi;
}
location ~ ^/webman/modules/DownloadStation/dlm/(.*) {
rewrite /webman/modules/DownloadStation/dlm/(.*) /webman/3rdparty/DownloadStation/dlm/$1 break;
include scgi_params;
scgi_pass synoscgi;
}
uninitialized_variable_warn off;
if ($fqdn = false) {
set $fqdn "";
}
scgi_param HOST $fqdn if_not_empty;
scgi_intercept_errors on;
# configuration file /etc/nginx/app.d/.location.webstation.conf:
location ~ ^/~([^\/]*)/ {
proxy_ignore_headers X-Accel-Redirect;
proxy_read_timeout 3600s;
proxy_set_header X-Forwarded-By $server_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-HTTPS $https;
proxy_set_header X-Port $server_port;
proxy_set_header X-Real-Port $remote_port;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_http_version 1.1;
proxy_intercept_errors off;
error_page 404 /_webstation_/404.html;
return 404;
}
location ^~ /_webstation_/ {
alias /var/packages/WebStation/target/error_page/;
}
location ~ ^ {
proxy_ignore_headers X-Accel-Redirect;
proxy_read_timeout 3600s;
proxy_set_header X-Forwarded-By $server_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-HTTPS $https;
proxy_set_header X-Port $server_port;
proxy_set_header X-Real-Port $remote_port;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_http_version 1.1;
proxy_intercept_errors off;
error_page 502 /_webstation_/$status.html;
proxy_pass http://unix:/run/webstation_default.sock;
}
# configuration file /etc/nginx/app.d/server.webstation-vhost.conf:
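# Name-based virtual host for app3.com on ports 80 and 443.
# nginx picks this block by comparing server_name with the request's Host
# header (or TLS SNI); the URL path plays no part in that choice.
#
# Fix applied: named-location marker restored to "@" ("#" starts a comment in
# nginx and would swallow the ";" that ends error_page).
server {
    listen 80;
    listen [::]:80;
    # No ssl_certificate is set in this block, so the TLS listeners use the
    # certificate declared at http level in the nginx.conf dump on this page.
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name app3.com;

    location ^~ /.well-known/acme-challenge {
        root /var/lib/letsencrypt;
        default_type text/plain;
    }

    root "/volume1/web/app3";
    index index.html index.htm index.cgi index.php index.php5 ;

    # Error statuses are served as /<status>.html from the WebStation
    # error-page directory.
    error_page 400 401 402 403 404 405 406 407 408 500 501 502 503 504 505 @error_page;
    location @error_page {
        root /var/packages/WebStation/target/error_page;
        rewrite ^ /$status.html break;
    }

    location ^~ /_webstation_/ {
        alias /var/packages/WebStation/target/error_page/;
    }

    # Per-site user configuration; contents not shown on this page.
    include /usr/local/etc/nginx/conf.d/05d0bb2f-bd06-4069-ba12-eb4f67b58137/user.conf*;
}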
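# Name-based virtual host for app2.com on ports 80 and 443.
# nginx selects this block by comparing server_name with the request's Host
# header (or TLS SNI), never with the URL path: a request for
# http://<other-host>/app2.com carries a different Host and is handled by the
# server that matches that host, or by the default_server.
#
# Fix applied: named-location marker restored to "@" ("#" starts a comment in
# nginx and would swallow the ";" that ends error_page).
server {
    listen 80;
    listen [::]:80;
    # No ssl_certificate is set in this block, so the TLS listeners use the
    # certificate declared at http level in the nginx.conf dump on this page.
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name app2.com;

    location ^~ /.well-known/acme-challenge {
        root /var/lib/letsencrypt;
        default_type text/plain;
    }

    root "/volume1/web/app2";
    index index.html index.htm index.cgi index.php index.php5 ;

    # Error statuses are served as /<status>.html from the WebStation
    # error-page directory.
    error_page 400 401 402 403 404 405 406 407 408 500 501 502 503 504 505 @error_page;
    location @error_page {
        root /var/packages/WebStation/target/error_page;
        rewrite ^ /$status.html break;
    }

    location ^~ /_webstation_/ {
        alias /var/packages/WebStation/target/error_page/;
    }

    # Per-site user configuration; contents not shown on this page.
    include /usr/local/etc/nginx/conf.d/e0fd8b64-e801-426b-86b6-c0035b4ae9d7/user.conf*;
}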
# configuration file /etc/nginx/app.d/server.webstation.conf:
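# Backend server for the default WebStation site. It listens only on a Unix
# socket; the "location ~ ^" block in app.d/.location.webstation.conf on this
# page proxies requests to that socket.
#
# Fix applied: named-location marker restored to "@" ("#" starts a comment in
# nginx and would swallow the ";" that ends error_page).
server {
    listen unix:/run/webstation_default.sock;
    root /var/services/web;
    index index.html index.php index.cgi;

    # Any peer connecting over the Unix socket is trusted to state the client
    # address in X-Real-IP.
    set_real_ip_from unix:;
    real_ip_header X-Real-IP;

    # FastCGI environment, declared once at server level.
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_param REQUEST_URI $request_uri;
    fastcgi_param DOCUMENT_URI $document_uri;
    fastcgi_param DOCUMENT_ROOT $document_root;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    # HTTPS, REMOTE_PORT, SERVER_ADDR and SERVER_PORT are copied from the
    # X-HTTPS, X-Real-Port, X-Forwarded-By and X-Port request headers. They are
    # only as trustworthy as whatever writes to the socket; the proxying
    # location shown on this page sets all four with proxy_set_header.
    fastcgi_param HTTPS $http_x_https if_not_empty;
    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param REMOTE_PORT $http_x_real_port;
    fastcgi_param SERVER_ADDR $http_x_forwarded_by;
    fastcgi_param SERVER_PORT $http_x_port;
    fastcgi_param SERVER_NAME $host;
    fastcgi_param REDIRECT_STATUS 200;
    fastcgi_intercept_errors on;
    fastcgi_read_timeout 3600s;

    # Error statuses are served as /<status>.html from the WebStation
    # error-page directory.
    error_page 400 401 402 403 404 405 406 407 408 500 501 502 503 504 505 @error_page;
    location @error_page {
        root /var/packages/WebStation/target/error_page;
        rewrite ^ /$status.html break;
    }

    location ^~ /_webstation_/ {
        alias /var/packages/WebStation/target/error_page/;
    }

    # NOTE(review): the request is handed to PHP-FPM without an nginx-side
    # check that the script file exists; confirm the FPM pool is configured to
    # refuse paths that do not resolve to a PHP script.
    location ~* \.(php[345]?|phtml)$ {
        fastcgi_pass unix:/run/php-fpm/php-9f1e642a-0d20-4664-8934-c51d34f609de.sock;
    }

    # NOTE(review): this pattern has no "$" anchor, so it matches ".cgi"
    # anywhere in the URI, not only as the final extension; confirm that is
    # intended.
    location ~* \.cgi {
        fastcgi_pass unix:/run/fcgiwrap.sock;
    }
}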

Related

Block access to URL with nginx

I am trying to use the nginx configuration to block access to the mailcow admin panel from the internet, so that it is only accessible on the LAN.
The admin panel has the default URL mail.xz.com
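# Root location restricted to the LAN range.
location / {
    # Named-location marker restored to "@": in nginx "#" starts a comment,
    # which would also swallow the ";" that ends the directive.
    try_files $uri $uri/ @strip-ext;
    # Allow the LAN range only. allow/deny compare against the client address
    # nginx has settled on for the request, i.e. after any realip rewriting
    # from X-Forwarded-For.
    allow 192.168.250.0/25;
    # Deny everybody else.
    deny all;
}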
After this, webmail at the URL mail.xz.com/SOGo stops working.
location /rspamd/ {
#Allow ip
allow 192.168.250.0/25;
#deny for everybody else
deny all;
I don't understand this, because other /something URLs work.
For example, blocking works fine for me at mail.xz.com/rspamd. If I remove the block and leave it for / then rspamd works but SOGo doesn't.
I don't understand.
The whole configuration
include /etc/nginx/mime.types;
charset utf-8;
override_charset on;
server_tokens off;
# TLS: only 1.2 and 1.3 are offered, with an AEAD-only ECDHE cipher list.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# Response security headers.
# Only X-Frame-Options carries "always"; without it nginx adds a header only
# to responses with status 200, 201, 204, 206, 301, 302, 303, 304, 307 or 308,
# so error responses go out without the other headers.
# These directives are inherited by a location only if that location defines
# no add_header of its own.
add_header Strict-Transport-Security "max-age=15768000;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy strict-origin;
index index.php index.html;
client_max_body_size 0;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied off;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
# Static asset directories: far-future expiry, cacheable by shared caches.
location ~ ^/(fonts|js|css|img)/ {
    expires max;
    # NOTE(review): add_header is inherited from the enclosing level only when
    # the current level defines none. Because this location sets its own
    # header, responses served from it do not carry the security headers
    # declared at the enclosing level unless they are repeated here.
    add_header Cache-Control public;
}
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
fastcgi_hide_header X-Powered-By;
absolute_redirect off;
root /web;
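# Root location of the full configuration.
location / {
    # Serve the file or directory if it exists, otherwise hand over to the
    # named location that appends ".php". The marker is restored to "@": in
    # nginx "#" starts a comment, which would also swallow the ";".
    try_files $uri $uri/ @strip-ext;
    #Allow ip
    allow 192.168.250.0/25;
    #deny for everybody else
    # With "deny all" commented out the allow rule restricts nothing: a
    # request that matches no allow/deny rule is permitted.
    #deny all;
}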
location /qhandler {
rewrite ^/qhandler/(.*)/(.*) /qhandler.php?action=$1&hash=$2;
}
location /edit {
rewrite ^/edit/(.*)/(.*) /edit.php?$1=$2;
}
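# Named location used as a try_files fallback: retry the request with ".php"
# appended. Marker restored to "@"; "location #strip-ext {" would be read as
# "location" followed by a comment.
location @strip-ext {
    rewrite ^(.*)$ $1.php last;
}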
location ~ ^/api/v1/(.*)$ {
try_files $uri $uri/ /json_api.php?query=$1&$args;
}
location ^~ /.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
}
# If behind reverse proxy, forwards the correct IP
# Connections from any of the ranges below are trusted to state the client
# address in X-Forwarded-For; allow/deny rules in this configuration are then
# evaluated against that rewritten address.
# NOTE(review): 192.168.0.0/16 contains the 192.168.250.0/25 range used by the
# allow rules, and every RFC 1918 range is trusted. A host inside a trusted
# range can therefore choose the address those rules see. Narrow the list to
# the actual proxy addresses if the allow/deny rules are meant as an access
# control.
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
rewrite ^/.well-known/caldav$ /SOGo/dav/ permanent;
rewrite ^/.well-known/carddav$ /SOGo/dav/ permanent;
location ^~ /principals {
return 301 /SOGo/dav;
}
location ^~ /inc/lib/ {
deny all;
return 403;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass phpfpm:9002;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
}
# Rspamd web interface, proxied to the rspamd container and limited to the
# LAN range.
location /rspamd/ {
    # One allowed range, everyone else refused. The nested location below
    # defines no allow/deny of its own, so it inherits these rules.
    allow 192.168.250.0/25;
    deny all;

    proxy_pass http://rspamd:11334/;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_redirect off;

    location /rspamd/auth {
        # proxy_pass is not inherited, so it is stated again for this path.
        proxy_pass http://rspamd:11334/auth;
        # Upstream error responses are intercepted so that a 403 is rendered
        # by /_rspamderror.php.
        proxy_intercept_errors on;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect off;
        error_page 403 /_rspamderror.php;
    }
}
location ~* ^/Autodiscover/Autodiscover.xml {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass phpfpm:9002;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
try_files /autodiscover.php =404;
}
location ~* ^/Autodiscover/Autodiscover.json {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass phpfpm:9002;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
try_files /autodiscover-json.php =404;
}
location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass phpfpm:9002;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
try_files /autoconfig.php =404;
}
# Internal-only endpoint that forwards to the local sogo-auth service.
# Presumably the target of an auth subrequest configured in
# sogo_proxy_auth.conf (not shown) - confirm against that include.
location /sogo-auth-verify {
    # "internal" keeps clients from requesting this path directly; "allow all"
    # stops any enclosing allow/deny rule from blocking the internal request.
    internal;
    allow all;

    # Only metadata is forwarded: the original URI and client address go in
    # headers, and the request body is dropped.
    proxy_pass http://127.0.0.1:65510/sogo-auth;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
}
location ^~ /Microsoft-Server-ActiveSync {
include /etc/nginx/conf.d/includes/sogo_proxy_auth.conf;
include /etc/nginx/conf.d/sogo_eas.active;
proxy_connect_timeout 75;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
proxy_buffer_size 128k;
proxy_buffers 64 512k;
proxy_busy_buffers_size 512k;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
client_body_buffer_size 512k;
client_max_body_size 0;
}
location ^~ /SOGo {
location ~* ^/SOGo/so/.*\.(xml|js|html|xhtml)$ {
include /etc/nginx/conf.d/includes/sogo_proxy_auth.conf;
include /etc/nginx/conf.d/sogo.active;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header x-webobjects-server-protocol HTTP/1.0;
proxy_set_header x-webobjects-remote-host $remote_addr;
proxy_set_header x-webobjects-server-name $server_name;
proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
proxy_set_header x-webobjects-server-port $server_port;
proxy_hide_header Content-Type;
add_header Content-Type text/plain;
break;
}
include /etc/nginx/conf.d/includes/sogo_proxy_auth.conf;
include /etc/nginx/conf.d/sogo.active;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header x-webobjects-server-protocol HTTP/1.0;
proxy_set_header x-webobjects-remote-host $remote_addr;
proxy_set_header x-webobjects-server-name $server_name;
proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
proxy_set_header x-webobjects-server-port $server_port;
proxy_buffer_size 128k;
proxy_buffers 64 512k;
proxy_busy_buffers_size 512k;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
client_body_buffer_size 128k;
client_max_body_size 0;
break;
}
location ~* /sogo$ {
return 301 $client_req_scheme://$http_host/SOGo;
}
location /SOGo.woa/WebServerResources/ {
alias /usr/lib/GNUstep/SOGo/WebServerResources/;
}
location /.woa/WebServerResources/ {
alias /usr/lib/GNUstep/SOGo/WebServerResources/;
}
location /SOGo/WebServerResources/ {
alias /usr/lib/GNUstep/SOGo/WebServerResources/;
}
location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
}
include /etc/nginx/conf.d/site.*.custom;
error_page 502 #awaitingupstream;
location #awaitingupstream {
rewrite ^(.*)$ /_status.502.html break;
}
location ~ ^/cache/(.*)$ {
try_files $uri $uri/ /resource.php?file=$1;
Thanks

nginx server configuration error nginx: [emerg] invalid variable name in /etc/nginx/nginx.conf:156

I have an issue with my nginx configuration: when I try to start nginx, it gives me this error:
nginx: [emerg] invalid variable name in /etc/nginx/nginx.conf:156
nginx: configuration file /etc/nginx/nginx.conf test failed
nginx.service: control process exited, code=exited status=1 Failed
to start The nginx HTTP and reverse proxy server. Unit
nginx.service entered failed state nginx.service failed.
Below this is my configuration file.
Please notice it is REACTJS website.
Thanks in advance.
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream some_upsteram_com {
server 127.0.0.1:7000;
keepalive 15;
}
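# TLS virtual host for socket.domain.com: static files from the socket
# directory, everything else (and /socket.io/) proxied to the Node upstream.
#
# Fixes applied:
#  - the two "location /" blocks are merged; nginx refuses to load a server
#    that declares the same location twice;
#  - the named-location marker is restored to "@" ("#nodejs" is a comment in
#    nginx and swallows the ";" that ends try_files);
#  - the access_log and error_log file names were swapped and are now
#    consistent with the other servers in this file.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name socket.domain.com;

    ssl_certificate "/etc/pki/socketserver.crt";
    ssl_certificate_key "/etc/pki/socketserver.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    # NOTE(review): no ssl_protocols is set here, so the nginx build's default
    # protocol list applies; confirm it excludes TLS 1.0/1.1.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/project_access_socket.log;
    error_log /var/log/nginx/project_error_socket.log;
    large_client_header_buffers 8 32k;

    # Serve an existing file, otherwise fall through to the Node backend.
    location / {
        root /usr/share/nginx/folder/socket;
        index index.html index.htm;
        try_files $uri @nodejs;
    }

    # Important! Serve client socket.io file as normal static file, e.g. /js/libs/socket.io/socket.io.min.js
    location /socket.io/ {
        proxy_pass http://some_upsteram_com;
        # WebSocket upgrade: HTTP/1.1 plus the Upgrade/Connection headers.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_redirect off;
        proxy_buffers 8 32k;
        proxy_buffer_size 64k;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        # NOTE(review): proxy_set_header adds a *request* header sent to the
        # upstream; it does not add a CORS header to the response the browser
        # sees. If a CORS policy is needed, set it on the response and prefer
        # an explicit origin over "*".
        proxy_set_header 'Access-Control-Allow-Origin' '*';
    }

    location @nodejs {
        proxy_pass http://some_upsteram_com;
    }
}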
# TLS virtual host for api.domain.com: a front-controller PHP application.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name api.domain.com;
    root /usr/share/nginx/folder/public;

    error_log /var/log/nginx/project_error_api.log;
    access_log /var/log/nginx/project_access_api.log;

    ssl_certificate "/etc/pki/apiserver.crt";
    ssl_certificate_key "/etc/pki/apiserver.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Existing files are served as-is; everything else goes to index.php.
    location / {
        try_files $uri /index.php$is_args$args;
    }

    # The front controller is "internal": it is reached only through the
    # try_files fallback above, not by a client requesting /index.php.
    location ~ ^/index\.php(/|$) {
        internal;
        fastcgi_pass unix:/var/run/php-fpm/www.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        # NOTE(review): the application receives APP_ENV=dev on a TLS-facing
        # server; confirm this is intended, since development modes commonly
        # expose verbose errors and debug tooling.
        fastcgi_param APP_ENV dev;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
    }

    # Any other .php URI is answered with 404 and never executed.
    location ~ \.php$ {
        return 404;
    }
}
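# Plain-HTTP listener for the bare domain: redirect every request to HTTPS.
server {
    listen 80;
    server_name domain.com;
    # Redirect host corrected from "domain.c0m" (a zero in place of the "o"),
    # which would have sent visitors to a different host than the one named
    # in server_name.
    return 301 https://domain.com$request_uri;
}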
server {
listen 80;
listen [::]:80;
server_name www.domain.com;
return 301 https://$server_name$request_uri;
root /usr/share/nginx/folder/public;
rewrite ^/faq/$ /en/faq permanent;
rewrite ^/quote/$ /en/contact-us permanent;
rewrite ^/reviews/$ / permanent;
location / {
try_files $uri /index.php$is_args$args;
}
location ~ ^/index\.php(/|$) {
fastcgi_pass unix:/var/run/php-fpm/www.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param APP_ENV dev;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
internal;
}
location ~ \.php$ {
return 404;
}
error_log /var/log/nginx/project_error.log;
access_log /var/log/nginx/project_access.log;
}
# Settings for a TLS enabled server.
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name www.domain.com;
root /usr/share/nginx/folder/public;
ssl_certificate "/etc/pki/server.crt";
ssl_certificate_key "/etc/pki/server.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
# Enable Gzip
gzip on;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_min_length 1100;
gzip_buffers 4 8k;
gzip_proxied any;
gzip_types
# text/html is always compressed by HttpGzipModule
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/json
application/xml
application/rss+xml
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml;
gzip_static on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE [1-6]\.";
gzip_vary on;
# Cache
location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|woff2|svg)$ {
access_log off;
expires 30d;
add_header Cache-Control public;
tcp_nodelay off;
open_file_cache max=3000 inactive=120s;
open_file_cache_valid 45s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
}
rewrite ^/faq/$ /en/faq permanent;
rewrite ^/quote/$ /en/contact-us permanent;
rewrite ^/reviews/$ / permanent;
location / {
try_files $uri /index.php$is_args$args;
}
location ~ ^/index\.php(/|$) {
fastcgi_pass unix:/var/run/php-fpm/www.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
internal;
}
location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf)$ {
expires 365d;
}
location ~ \.php$ {
return 404;
}
error_log /var/log/nginx/project_error.log;
access_log /var/log/nginx/project_access.log;
}
}

NGINX Browser Caching Not Working - all files

I am trying to configure Nginx to enable nginx caching on browser. My configuration file is as following
upstream app_server {
server 127.0.0.1:9000 fail_timeout=0;
}
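# Redirect-only server for www.domain.com and the other subdomains, on both
# HTTP and HTTPS. The server-level "return" answers every request, so no
# content is served from this block.
#
# Fixes applied:
#  - the redirect target now carries a scheme. Without one, nginx emits
#    "Location: domain.com/..." which browsers resolve as a relative path on
#    the current host instead of a redirect to domain.com;
#  - TLS 1.0 and TLS 1.1 are no longer offered (both deprecated by RFC 8996).
server {
    # Listen address kept as posted; "654" is not a valid IPv4 octet, so it is
    # presumably a redacted value.
    listen 195.69.159.654:80;
    listen 195.69.159.654:443 ssl;
    listen [::]:80 ipv6only=on;
    listen [::]:443 ssl ipv6only=on;
    server_name www.domain.com *.domain.com ;
    root /home/admin/domains/domain.com/private_html;
    index index.php index.html index.htm;

    ssl_certificate /usr/local/directadmin/data/users/admin/domains/domain.com.cert.combined;
    ssl_certificate_key /usr/local/directadmin/data/users/admin/domains/domain.com.key;
    include /usr/local/directadmin/data/users/admin/nginx_php.conf;
    include /etc/nginx/webapps.ssl.conf;

    # Only the HSTS header carries "always"; the three headers below it are
    # still added here because 301 is among the statuses add_header covers by
    # default.
    add_header Strict-Transport-Security "max-age=31536000" always;
    return 301 https://domain.com$request_uri;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";

    # Add TLSv1.3 here if the installed nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    #ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_ecdh_curve secp384r1; # see here and here (pg. 485)
    ssl_session_timeout 24h;
    ssl_session_tickets off;

    # OCSP stapling; the resolver is used to look up the responder's host.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    ssl_buffer_size 4k; # I've since found 8k works best for this blog. (test!!) Default = 16k
}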
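# Plain-HTTP listener for domain.com and its subdomains: redirect to HTTPS.
server {
    server_name domain.com *.domain.com;
    listen 195.69.159.654:80;
    listen [::]:80;
    # Scheme added to the target. "return 301 domain.com$request_uri" produces
    # a Location value without a scheme, which browsers treat as a relative
    # path on the same plain-HTTP host, so the request never reaches HTTPS.
    return 301 https://domain.com$request_uri;
}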
server
{
gzip on;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
gzip_disable msie6;
listen 195.69.159.654:443 ssl;
listen [::]:443 ssl;
server_name domain.com *.domain.com;
access_log /var/log/nginx/domains/domain.com.log;
access_log /var/log/nginx/domains/domain.com.bytes bytes;
error_log /var/log/nginx/domains/domain.com.error.log;
root /home/admin/domains/domain.com/private_html;
index index.php index.html index.htm;
ssl_certificate /usr/local/directadmin/data/users/admin/domains/domain.com.cert.combined;
ssl_certificate_key /usr/local/directadmin/data/users/admin/domains/domain.com.key;
include /usr/local/directadmin/data/users/admin/nginx_php.conf;
include /etc/nginx/webapps.ssl.conf;
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
client_header_timeout 3m;
client_body_timeout 10;
client_header_buffer_size 1k;
large_client_header_buffers 4 4k;
output_buffers 1 32k;
postpone_output 1460;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 2;
keepalive_requests 100000;
reset_timedout_connection on;
server_tokens off;
client_body_buffer_size 128k;
client_max_body_size 10m;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location /nginx_status {
stub_status on;
access_log off;
deny all;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
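# PHP handler backed by the php5-fpm socket.
#
# Fix applied: the dot is escaped. In the original pattern ".php$" the dot
# matched any character, so URIs such as "/php" or "/xphp" were also handed to
# PHP-FPM.
#
# NOTE(review): regex locations are tried in the order they appear and the
# first match wins. This is the first regex location visible in this server
# block (the included files above it may add others), so for URIs ending in
# ".php" it is chosen ahead of every later regex location. That includes the
# rules further down that return 403 or deny PHP under dot-directories,
# /sites/*/files/ and /vendor/, and the two other PHP handlers, none of which
# can take effect for such URIs. Move the deny rules above this block if they
# are meant to be enforced.
location ~ \.php$ {
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 256 16k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    include fastcgi_params;
}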
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
# Web fonts: let any origin load them.
location ~* \.(eot|ttf|woff)$ {
    # NOTE(review): an add_header at this level replaces, rather than extends,
    # the headers declared at server level. Responses served from this
    # location therefore go out without the server-level
    # Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options and
    # X-XSS-Protection headers unless they are repeated here.
    add_header Access-Control-Allow-Origin *;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
location ~* ^/.well-known/ {
allow all;
}
location ~ (^|/)\. {
return 403;
}
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
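# Named fallback location: route the request through index.php with the
# original path in "q". Marker restored to "@"; "location #rewrite {" would be
# read as "location" followed by a comment.
location @rewrite {
    rewrite ^/(.*)$ /index.php?q=$1;
}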
location ~ /vendor/.*\.php$ {
deny all;
return 404;
}
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
include fastcgi_params;
# Block httpoxy attacks. See https://httpoxy.org/.
fastcgi_param HTTP_PROXY "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_intercept_errors on;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
}
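# Generated image styles: serve the file if it exists, otherwise fall back to
# the named rewrite location. Marker restored to "@"; "#rewrite;" is a
# comment in nginx and leaves try_files without its terminating ";".
location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
    try_files $uri @rewrite;
}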
location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
try_files $uri /index.php?$query_string;
}
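# Static assets: serve the file if present, otherwise fall back to the named
# rewrite location; cache with the maximum expiry and do not log misses.
# Marker restored to "@"; "#rewrite;" is a comment in nginx and leaves
# try_files without its terminating ";".
location ~* \.(jpeg|ico|css|js|gif|jpeg|jpg|png|woff|ttf|otf|svg|woff2|eot)$ {
    try_files $uri @rewrite;
    expires max;
    log_not_found off;
}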
location ~* \.php$ {
fastcgi_index index.php;
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
}
location ~ /\. {
access_log off;
log_not_found off;
deny all;
}
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
location /images/ {
valid_referers none blocked domain domain;
if ($invalid_referer) {
return 403;
}
}
}
When I add the following caching configuration, the server does not cache.
I have done quite some research online but cannot solve this problem.
Can anyone help me or just give me some suggestions on enable caching in Nginx? Thank you!

Nginx Default: Why is location / not forwarded to reverse proxy?

I want NGINX to forward any requests to the domain name http://home.com to proxy_pass http://localhost:8866;. I have set a root, root /home/owncloud;, in the NGINX configuration file, which is where the document root of ownCloud is located. This should point to http://home.com/owncloud. Under http://localhost:8866 I have a Docker container running that hosts WordPress. However, NGINX always serves the actual document root of the server (root /home/owncloud) instead of the reverse proxy when I try to access http://home.com
Thank you for your input on this - I already browsed through a lot of documentation, but currently I am not able to find a solution myself. Thanks!
This is my NGINX configuration file:
upstream php-handler {
server unix:/var/run/php5-fpm.sock;
}
server {
listen 80;
server_name home.com;
index index.html index.htm index.php;
# enforce https
return 301 https://$server_name$request_uri;
}
server {
ssl on;
listen 443 ssl;
server_name home.com;
server_name 123.456.789.10 ssl;
ssl_certificate /home/ssl/certificate.pem;
ssl_certificate_key /home/ssl/owncloud.key;
index index.html index.htm index.php;
root /space/owncloud;
try_files $uri $uri/ /index.php?q=$request_uri;
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
# set max upload size
client_header_buffer_size 64k;
large_client_header_buffers 4 64k;
# Disable gzip to avoid the removal of the ETag header
gzip off;
rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
index index.php index.html index.htm;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location = / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8866;
proxy_read_timeout 90;
}
# Refuse direct access to ownCloud's data and config paths and to selected
# files. This regex location appears before the PHP handler, so it also wins
# for .php URIs under these paths.
# NOTE(review): the pattern is anchored only at the start, so it denies every
# URI that begins with one of these names (for example anything starting with
# /data or /config), not only the exact entries; confirm that breadth is
# intended.
location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README) {
    deny all;
}
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt { log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
# PHP handler for URIs ending in ".php".
location ~ \.php$ {
    # NOTE(review): the request goes to PHP-FPM without an nginx-side check
    # that the script file exists. Confirm the FPM pool rejects paths that do
    # not resolve to a PHP script, or add an existence check here.
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;

    # The proxy_* directives below belong to the proxy module and have no
    # effect on a request handled by fastcgi_pass.
    proxy_pass_header Authorization;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_buffering off;
}
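# ownCloud under the /owncloud prefix.
#
# Fix applied: "include fastcgi_params" was missing its terminating ";", which
# made nginx parse the following fastcgi_param line as further arguments of
# the include directive.
location /owncloud {
    index index.html index.htm index.php;

    rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
    rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
    rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    # PHP scripts, with or without trailing path info.
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        # attachments can be huge
        client_max_body_size 513M;
        # Request bodies are always written to a temporary file, which is
        # removed once the request has been processed ("clean").
        client_body_in_file_only clean;
        # this is where requests body are saved
        client_body_temp_path /opt/nginx/bugzilla/data/request_body 1 2;
    }
}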
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~ /\.ht {
deny all;
}
}
If you need to forward all requests to another port on localhost, this is all you need:
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8866$request_uri;
proxy_read_timeout 90;
}
Note that there is no "=" sign before the slash: location = / {} means "exact match of /".
In your configuration nothing actually forwards all requests to localhost; only requests for the index page (the document root, i.e. "/") are forwarded.
If you pass all requests to the process at localhost:8866, none of the other location sections will even be tested, so once you have made sure your proxy_pass works, you may delete them.

Website and Piwik on same server produces 403

I've got a site on xyz.com and Piwik on xyz.com/piwik. Piwik is running fine, but unfortunately not all of the data requested by Piwik is served by the server.
I've observed behaviour like:
xyz.com/piwik/ -> error
xyz.com/piwik/index.php -> is fine
xyz.com/piwik/?module=... -> error
nginx.conf
# Configuration containing list of application servers
upstream wsgi_cluster {
server ***.***.112.44:5000;
}
# Default server configuration
#
server {
listen 80;
error_log /var/log/nginx/http.error.log warn;
server_name xxx;
return 301 https://$server_name$request_uri;
}
# HTTPS server
server {
listen 443 ssl;
server_name xxx;
auth_basic "Restricted";
root /usr/share/nginx/html;
index index.html index.htm;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
error_log /var/log/nginx/https.error.log warn;
charset utf-8;
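# Piwik under the /piwik/ prefix.
#
# Fix applied: "index index.php;" added. The server-level index list
# (index.html index.htm) has no PHP entry, so a request for the directory
# itself (/piwik/ or /piwik/?module=...) found no index file, while
# /piwik/index.php worked.
#
# NOTE(review): the server sets auth_basic "Restricted" but
# auth_basic_user_file appears only inside "location /"; confirm whether
# /piwik/ is meant to be password-protected and, if so, name the user file
# here as well.
location /piwik/ {
    index index.php;

    location ~ /piwik/(.*\.php)(/.*)?$ {
        # NOTE(review): no fastcgi_param or fastcgi_params include is visible
        # in this block; confirm SCRIPT_FILENAME is supplied at an enclosing
        # level.
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }
    #fastcgi_split_path_info ^(.+\.php)(/.+)$;
    #fastcgi_pass unix:/var/run/php5-fpm.sock;
    #fastcgi_index index.php;
}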
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
}
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 60s;
proxy_send_timeout 90s;
proxy_read_timeout 90s;
proxy_buffering off;
proxy_temp_file_write_size 64k;
proxy_pass http://wsgi_cluster;
proxy_redirect off;
}
# Deny certain User-Agents (case insensitive)
# The ~* makes it case insensitive as opposed to just a ~
if ($http_user_agent ~* "Baiduspider|Jullo|AcoiRobot" ) {
return 403;
}
error_page 502 /502.html;
location = /502.html {
root /etc/nginx/;
internal;
}
error_page 401 /401.html;
location = /401.html {
root /etc/nginx/;
internal;
}
}
my-site.conf
# Configuration containing list of application servers
# (address partly masked by the poster). The HTTPS server below proxies to
# this upstream over plain HTTP ("proxy_pass http://wsgi_cluster"), so the
# connection to port 5000 is unencrypted; presumably a trusted network, confirm.
upstream wsgi_cluster {
server ***.***.112.44:5000;
}
# Default server configuration
#
# Plain-HTTP listener that only issues a permanent redirect to HTTPS.
server {
listen 80;
error_log /var/log/nginx/http.error.log warn;
server_name xxx;
# The redirect is built from the configured $server_name rather than the
# request's Host header, so a client cannot steer where it points.
return 301 https://$server_name$request_uri;
}
# HTTPS server
server {
listen 443 ssl;
server_name xxx;
# Realm only; the matching auth_basic_user_file is set just in "location /".
# nginx needs both a realm and a user file to enforce basic auth, so in this
# listing /piwik/ and the \.php location appear to be unauthenticated;
# confirm that this is intended.
auth_basic "Restricted";
root /usr/share/nginx/html;
# index.php is not listed, so a directory URI such as /piwik/ is only
# checked for index.html and index.htm.
index index.html index.htm;
# Duplicates the "ssl" parameter of the listen directive above; the
# standalone directive is deprecated.
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
error_log /var/log/nginx/https.error.log warn;
charset utf-8;
# Prefix location for Piwik with no handler of its own besides the nested
# regex location.
location /piwik/ {
# Hands /piwik/ URIs containing ".php" (optionally followed by "/...") to
# PHP-FPM. SCRIPT_FILENAME / fastcgi_params are not set here; presumably
# they come from a part of the config that is not shown.
location ~ /piwik/(.*\.php)(/.*)?$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
}
#fastcgi_split_path_info ^(.+\.php)(/.+)$;
#fastcgi_pass unix:/var/run/php5-fpm.sock;
#fastcgi_index index.php;
}
# Sends every URI ending in ".php" to PHP-FPM without first checking that
# the script exists. Returning 404 for missing scripts (and setting
# cgi.fix_pathinfo=0 in PHP) prevents non-script files from being run as PHP.
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
}
# Catch-all: proxy to the WSGI upstream, protected by basic auth (realm and
# user file are both present only here).
location / {
# $http_host forwards the client's Host header unmodified.
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
# Client-supplied X-Forwarded-For values are kept and $remote_addr is
# appended; only the appended entry is trustworthy for the backend.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 60s;
proxy_send_timeout 90s;
proxy_read_timeout 90s;
proxy_buffering off;
proxy_temp_file_write_size 64k;
proxy_pass http://wsgi_cluster;
proxy_redirect off;
}
# Deny certain User-Agents (case insensitive)
# The ~* makes it case insensitive as opposed to just a ~
# User-Agent is client-controlled: this blocks self-identifying crawlers
# only and should not be relied on as an access control.
if ($http_user_agent ~* "Baiduspider|Jullo|AcoiRobot" ) {
return 403;
}
# Error pages live in /etc/nginx/. Exact-match, internal locations limit
# what is served from that directory to these two files.
error_page 502 /502.html;
location = /502.html {
root /etc/nginx/;
internal;
}
error_page 401 /401.html;
location = /401.html {
root /etc/nginx/;
internal;
}
}
You are missing any default action for the /piwik/ URI. Presumably, if no other matching file is found, you would like the /piwik/index.php URI to be tried. Add a try_files directive to the outer location block, for example:
location /piwik/ {
# Serve the requested file if it exists; otherwise fall back to Piwik's
# index.php, keeping the original query string ($is_args$args).
# NOTE(review): for the bare /piwik/ URI, $uri ends in a slash and is tested
# as a directory. Confirm the fallback is actually reached in that case, or
# add index.php to the index directive.
try_files $uri /piwik/index.php$is_args$args;
# The nested PHP location from the question, body elided by the answerer.
location ~ /piwik/(.*\.php)(/.*)?$ { ... }
}

Resources