I have configured my local nginx server with this snippet:
location / {
root html;
index index.html;
try_files $uri $uri /index.html;
}
which is inside http { server { ... } }. I also have an nginx server on Digital Ocean, and I put the above snippet in the same location (...) in the file /etc/nginx/nginx.conf. However, those changes are ignored by the server, i.e., the behavior after is the same as the behavior before (and unlike the behavior of the local server).
What am I doing wrong?
After every change you make to your nginx files (or to your website) it is important to reload nginx to apply the changes by using the following in the terminal/command line: sudo nginx -s reload
You can also run nginx -t to test nginx for any conflicts.
You can (and probably should) run them together to make it easier:
sudo nginx -t && sudo nginx -s reload
It is necessary to make the change
try_files $uri $uri/ =404;
to
try_files $uri $uri/ /index.html;
in two places in /etc/nginx/sites-available also.
Related
I’m trying to figure out the best way of securing access to my MariaDB database. I have a root non-wordpress site with 2 wordpress sites as directories (/blog and /shop) - each with separate databases - that use phpMyAdmin as a database viewer (accessible at /phpmyadmin). I want to increase the security so that it can’t be hacked so easily. However, I can’t seem to implement any of the recommended security measures.
Creating a .htaccess and in /usr/share/phpmyadmin and adding the following to whitelist IPs and block all other IPs has no effect:
Order Deny,Allow
Deny from All
Allow from 12.34.56.78
Changing the phpMyAdmin url via the config file (so it’s not accessible at /phpmyadmin) also seems to have no effect.
I’m assuming that it’s because apache is not running (I use Nginx to run my main domain and the 2 wordpress sites). I can’t run apache and Nginx simultaneously (presumably because they’re both fighting for port 80), but what I don’t get is that when Nginx is running and apache is supposedly not running, how is the /phpmyadmin link still accessible?
Here’s my .conf file in /etc/nginx/sites-available (also symlinked to sites-enabled):
upstream wp-php-handler-four {
server unix:/var/run/php/php7.4-fpm.sock;
}
server {
listen 1234 default_server;
listen [::]:1234 default_server;
root /var/www/site;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html index.php;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location /blog {
try_files $uri $uri/ /blog/index.php?$args;
}
location /shop {
try_files $uri $uri/ /shop/index.php?$args;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass wp-php-handler-four;
}
}
I followed a tutorial to set this up (maybe I’m misunderstanding how it’s fully set up) but is this not actually using apache to access /phpmyadmin or is it using some web socket? How can I make the above security attempts work?
Note: the /usr/share/phpmyadmin/ dir is symlinked to /var/www/site/
Creating a .htaccess in /usr/share/phpmyadmin and adding the following to whitelist IPs and block all other IPs has no effect:
Order Deny,Allow
Deny from All
Allow from 12.34.56.78
Of course it won't have any effect since this file processed only by apache.
I can’t run apache and Nginx simultaneously (presumably because they’re both fighting for port 80)
In an early days of nginx there was a technique to use nginx for static files and apache to process PHP scripts. Apache was running on some other port (for example, 8080) and listening only on local IP (127.0.0.1). Nginx configuration for that was looking like
upstream apache {
server 127.0.0.1:8080;
}
server {
...
location ~ \.php$ {
proxy_pass http://apache;
}
}
Nowadays it is rarely used since using PHP-FPM is more flexible and gives a less server overhead. However it can be used when you have a complex .htaccess configuration and don't want to rewrite it for nginx/PHP-FPM.
but what I don’t get is that when Nginx is running and apache is supposedly not running, how is the /phpmyadmin link still accessible?
...
Is this not actually using apache to access /phpmyadmin or is it using some web socket?
This configuration uses UNIX socket /var/run/php/php7.4-fpm.sock where PHP-FPM daemon is listening for requests (you can read an introduction to this article to get some additional details).
How can I make the above security attempts work?
One of many possible solutions is
Unlink /usr/share/phpmyadmin/ from /var/www/site/
Use the following location block (put it before the location ~ \.php$ { ... } one:
location ~ ^/phpmyadmin(?<subpath>/.*)? {
allow 12.34.56.78;
# add other IPs here
deny all;
alias /usr/share/phpmyadmin/;
index index.php;
try_files $subpath $subpath/ =404;
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$subpath;
fastcgi_pass wp-php-handler-four;
}
}
To add to the otherwise quite thorough answer:
Since Nginx doesn't use .htaccess files or the same syntax as Apache, you aren't being restricted as Apache would do. You may wish to find some other solution, or you could use what's built in to phpMyAdmin: there is a allow/deny functionality built in that you can learn about in the documentation: https://docs.phpmyadmin.net/en/latest/config.html#cfg_Servers_AllowDeny_order (and https://docs.phpmyadmin.net/en/latest/config.html#cfg_Servers_AllowDeny_rules); this will let you restrict access based on username and IP address.
I need to modify the nginx config file (/etc/nginx/app.d/server.webstation-vhost.conf) to add one line, which is for Laravel routing work correctly.
location / { try_files $uri $uri/ /index.php?$query_string; }
The problem is /etc/nginx/app.d/server.webstation-vhost.conf will ALWAYS OVERWITTEN once reboot the NAS,
Does anybody having experience how to hand this problem.
Many Thanks !
Not sure if you figured this out, but if you haven't, under that vhost conf file (/etc/nginx/app.d/server.webstation-vhost.conf), look for something like:
include /usr/local/etc/nginx/conf.d/f2f0a62b-74d6-4c34-a745-d0156f13c9d6/user.conf*;
Instead of f2f0a62b-74d6-4c34-a745-d0156f13c9d6 you should see another unique id for your nginx app, create/edit the mentioned user.conf file (without asterisk) with the contents you need, in my case I created a file with the contents below:
location / {
try_files $uri $uri/ /index.html;
}
Then I had to restart nginx with the command sudo synoservice --restart nginx.
And it worked.
PS.: I believe it should work for any DSM v6.1 or later (maybe 6.0.x as well).
For research I used:
https://community.synology.com/enu/forum/1/post/122043
https://community.synology.com/enu/forum/1/post/120538
I'm trying to verify a file upload for SSL certificate.
The file needs to be .well-known/acme-challenge/file
I have successfully placed the file as above, but while accessing the same file from the web http://weburl.com/.well-known/acme-challenge/file, 404 error is coming up.
When I place the same file in .well-known/ the file can be access from the path http://weburl.com/.well-known/file successfully.
My nginx configuration:
server {
listen 80;
server_name weburl.com;
root /var/www/html;
location ~ /.well-known {
allow all;
}
location ~ /\.well-known/acme-challenge/ {
allow all;
root /var/www/html;
try_files $uri =404;
break;
}
}
You have to grant permissions for www-data user.
sudo chown -R www-data:www-data .well-known
In the first case it looks for /var/www/html/.well-known/file.
In the second case it looks for /var/www/html/file.
What you intend is for it to find /var/www/html/.well-known/acme-challenge/file
This is because you specify root in the location block, which changes where it reads the file from.
So instead of this:
location ~ /\.well-known/acme-challenge/ {
allow all;
root /var/www/html; # <================= Your problem, sir
try_files $uri =404;
break;
}
You should have this:
location ~ /\.well-known/acme-challenge/ {
allow all;
try_files $uri =404;
break;
}
Shameless plug: If you're just doing simple virtual hosting and you're familiar with node at all you might like Greenlock.
If you have installed the LetsEcnrypt module on Plesk, but for some reason you need to authorize for eg. example.com manually like we do.
Add you authorization code to
/var/www/vhosts/default/htdocs/.well-known/acme-challenge
instead of expected (domain webroot)
/var/www/vhosts/example.com/htdocs/.well-known/acme-challenge
To find so I had to check /var/www/vhosts/system/example.com/conf/httpd.conf
Trying to configure nginx to find files from subfolder. Code from nginx documentation:
location / {
try_files $uri $uri/index.html $uri.html =404;
}
request "/" opens file index.html - it's ok
request "/folder" opens file /folder/index.html - ok
but request "/folder/file" as I suggest, should open /folder/file.html - but it returns 404
Please help me configure nginx try_files setting correctly so nginx can find file.html in "folder" directory when "/folder/file" request is received
I have two mounts:
/mnt/nfs - an NFS mount that contain a lot of files.
/mnt/ssd - a local SSD disk that acts as cache for the above nfs mount.
In nginx I have configure a location like so:
location ~ /my_location/(.*) {
alias /mnt/;
try_files ssd/$1 nfs/$1 =404;
}
This itself works just fine.
I would like to log when the file was found from ssd and when it was required to fetch it from the nfs mount.
Finding the file from ssd would be logged as HIT.
Having to go to nfs would be logged as MISS.
How might I achieve this?
One possible solution that I just came up with, using an extra named location:
location /my_location/ {
alias /mnt/ssd/;
set $file_source ssd;
try_files $uri #nfs;
}
location #nfs {
alias /mnt/nfs/;
set $file_source nfs;
try_files $uri =404;
}
Now you know what to do with that new variable.