Develop Reference

Why is nginx with multiple servername in config not working for second servername

i have a server which hosts several websites. Some normal HTML, some wordpress and some reverse proxy.
Everything is managed by nginx with conf files for each site. All is managed by Ansible which means all config files are build from the same template.
I have a nginx conf like this:
# Ansible managed
user www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;
# Load modules
include /etc/nginx/modules-enabled/*.conf;
events {
multi_accept on;
worker_connections 65535;
}
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 2048;
types_hash_bucket_size 64;
client_max_body_size 16M;
server_names_hash_max_size 512;
server_names_hash_bucket_size 128;
# MIME
include mime.types;
default_type application/octet-stream;
# Log Format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Logging
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
# include TLS hardening
include /etc/nginx/snippets/tls-hardening.conf;
# Load configs
include /etc/nginx/conf.d/*.conf;
server {
# catch-all server for both http and https
listen *:80 default_server;
listen *:443 default_server;
server_name _;
# SSL
ssl_certificate /etc/ssl/FQDN.bundle.crt;
ssl_certificate_key /etc/ssl/FQDN.key;
# Redirect to canonical site
#rewrite ^/(.*)$ http://example.com/$1 permanent;
# return 404
return 404;
}
}
The default part shall catch all unconfigured requests.
the configs for normal websites are looking like this:
# Ansible managed
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name FQDN www.FQDN;
root /var/www/FQDN;
index index.html index.htm;
# SSL
ssl_certificate /etc/letsencrypt/live/FQDN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/FQDN/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/FQDN/chain.pem;
# security headers
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# . files
location ~ /\.(?!well-known) {
deny all;
}
# logging
access_log /var/log/nginx/FQDN.access.log;
error_log /var/log/nginx/FQDN.error.log warn;
# index.html fallback
location / {
#try_files $uri /index.html index.htm index.php;
}
# favicon.ico
location = /favicon.ico {
log_not_found off;
access_log off;
}
# robots.txt
location = /robots.txt {
log_not_found off;
access_log off;
}
# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
expires 7d;
access_log off;
}
# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
expires 7d;
access_log off;
}
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
}
# HTTP redirect
server {
listen 80;
listen [::]:80;
server_name FQDN www.FQDN;
# ACME-challenge
location ^~ /.well-known/acme-challenge/ {
root /var/www/_letsencrypt;
}
location / {
return 301 https://FQDN$request_uri;
}
}
So the SSL request shall be matched for FQDN and www.FQDN while http requests fro FQDN and www.FQDN shall be redirected to the SSL website.
This works fine for my wordpress websites but not for the HTML sites.
Even if I have a default server config nginx redirects the https://www.FQDN to the first config in the config folder.
Does anyone has a hint what's going on here?
I also See different behavior between Chrome and Firefox on one site and Safari on the other side.
Chrome and Firefox will be redirected to the first config in config folder while Safari shoes error that the requested https.www.FQDN website is not secure and readable.
Lets encrypt certificate is created for both domains FQDN and www.FQDN.

How to fix Nginx cache so he will retain the cache as instrcted

I have an Nginx server with cache enabled, and when I analyzed the HIT-MISS, I discovered that Nginx marked as MISS many files that he fetched just a few minutes ago.
My configuration file looks like this:
http {
proxy_cache_path /usr/local/openresty/nginxCeche levels=1:2 keys_zone=my_cache:20g max_size=900g use_temp_path=off inactive=1y;
log_format json_combined escape=json
'{'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"time_local":"$time_local",'
'"status":"$status",'
'"bytes_sent":"$bytes_sent",'
'"http_referer":"$http_referer",'
'"http_user_agent":"$http_user_agent",'
'"upstream_cache_status":"$upstream_cache_status",'
'"request_uri":"$request_uri",'
'"limit_rate":"$limit_rate",'
'"host":"$host",'
'"hostname":"$hostname",'
'"request_time":"$request_time",'
'"upstream_http_V1Latency":"$upstream_http_V1Latency",'
'"upstream_http_ProxyCache":"$upstream_http_ProxyCache",'
'"server_addr":"$server_addr"'
'}';
# general performence settings
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 2048;
types_hash_bucket_size 64;
client_max_body_size 100M;
# using threads
aio threads;
# Limits - so it will be harder to DOS me
limit_req_log_level warn;
limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;
# Proxy server
upstream proxy_backend {
server proxyservice;
}
server {
listen 80;
keepalive_timeout 70;
# security headers
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# . files
location ~ /\.(?!well-known) {
deny all;
}
# restrict methods
if ($request_method !~ ^(GET|HEAD)$) {
return '405';
}
##
# Logging Settings - added compreion and buffer to ease on the file access
##
access_log /var/log/nginx/access.log_1 json_combined buffer=64k gzip;
##
# Gzip Settings
##
gzip on;
location ~ "^\/next(?<myurl>\/(?:[0-9A-Fa-f]{2}){16}\/(?:[0-9A-Fa-f]{2}){16}\/(?:.?[^\/]+))$" {
# solve the issue of gateway timeout
proxy_read_timeout 300s;
proxy_cache my_cache;
# at this stage the $uri is the sky link
proxy_cache_key $continue_url;
# set the ceching time for 200 respinse -> to 60 days
proxy_cache_valid 200 60d;
# Clear flags I dont want the clients to see
more_clear_headers 'Access-Control-Allow-Headers';
more_clear_headers 'Access-Control-Allow-Origin';
more_clear_headers 'access*';
more_clear_headers 'content-disposition';
more_clear_headers 'Date';
more_clear_headers 'x-proxy-cache';
more_clear_headers 'Server';
# add headers to handle CORS
more_set_headers 'Access-Control-Allow-Origin: *';
add_header Access-Control-Allow-Headers '*';
# to reduce Bandwisth I use compression
gzip on;
# set up the proxy, and instruct it to cech even if thre is no Cache-Control
proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
proxy_cache_lock on;
# the rust base reverse proxy
proxy_pass http://proxy_backend$continue_url;
# set local ceching on the client side currently we will start at 365 days
expires 365d;
add_header Pragma public;
add_header Cache-Control "public";
add_header Content-Type "application/vnd.apple.mpegurl";
}
}
}
I will explain what I have tried to achieve here:
I wanted Nginx to delete the cache only if there isn't enough memory, so that it had an LRU cache.
Since I couldn't find this option, I declared:
inactive=1y (to prevent caches from being evicted because no one touches them)
proxy_ignore_headers X-Accel-Expires Expires Cache-Control; (to always cache results)
proxy_cache_lock on; (if I receive two requests, one will access the backend, the other will retrieve files from the cache)
proxy_cache_valid 200 60d; (keep 200 results for 60 days)
However, I get many misses in reality
Is the source of the issue is my configuration? If so, how can I fix it?

CORS - missing allow origin header - Nginx on Centos7

I had to re-setup some projects on my local using Centos 7 on a vagrant box. After the setup I am getting a CORS error and I am not able to figure out why.
This is nginx.conf file:
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
listen [::]:80;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
And this is my project conf file. I don't think the name of the .conf file matters, right?
server {
listen 80;
server_name authentication.service.local ;
root /var/www/authentication-api/public;
index index.php;
gzip on;
gzip_http_version 1.1;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component;
gzip_vary on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
add_header X-Frame-Options "SAMEORIGIN";
location /proxy.html {
root /var/www/authentication-api/public;
}
location /xdomain.min.js {
root /var/www/authentication-api/public;
}
location / {
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS, PATCH';
add_header 'Access-Control-Allow-Headers' 'DNT,Authorization,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
try_files $uri $uri/ /index.php?$query_string;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
I am able to ping the project correctly using ping authentication.service.local
But when I try to hit an endpoint using a browser (eg: login, which was working before), I get an error Failed to load resource: Origin http://localhost:7000 is not allowed by Access-Control-Allow-Origin
I thought adding add_header 'Access-Control-Allow-Origin' '*'; should resolve this issue, but I'm trying to understand why it doesn't?
Also the nginx error.log shows
2021/09/15 17:50:17 [error] 3290#3290: *8 open() "/usr/share/nginx/html/token/user" failed (2: No such file or directory), client: 10.0.5.1, server: _, request: "POST /token/user HTTP/1.1", host: "authentication.service.local", referrer: "http://localhost:7000/"
Since my /var/www folder points to my projects folder, is "/usr/share/nginx/html/token/user" incorrect?
Thanks for your help.

You're sending a POST request, but only set the Access-Control-Allow-Origin header for the OPTIONS method.

nginx streaming server serving stream that causes VLC to reload in a loop

I explained the problem in this Video Stack Exchange Question as I don't believe this is something code related (e.g. a bug).
It may be a useful information for dev's however, that I did not compile nginx from source. I mention that explicitly, because searching the web, it seems like building from source is the recommended way for nginx/rtmp setups. I could not find a bug report, however, that would explain this behavior.
I feel like I am overseeing something stupid.
For the sake of completeness, I will post the configuration files. Also, dont miss out the live-demo and have fun playing around with the streaming server linked in the other Post ;)
Happy Coding!
nginx.conf:
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Gzip Settings
##
gzip on;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
rtmp {
include /etc/nginx/streams-enabled/*;
}
rtmp server (in streams-enabled/)
server {
listen 1935;
chunk_size 4096;
application live {
live on;
hls on;
hls_path /home/streamer/hls;
hls_nested on;
hls_fragment 3s;
hls_playlist_length 30s;
hls_base_url http://0.0.0.0:3456/hls;
on_publish http://0.0.0.0:3456/auth;
# Recent versions of IE need this for normal playback.
wait_video on; # start audio with video
# force hls
deny play all;
}
}
http-server (in sites-enabled/)
server {
listen 3456;
location /hls {
add_header Cache-Control no-cache;
# CORS setup
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length';
# allow CORS preflight requests
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
types {
application/dash+xml mpd;
application/vnd.apple.mpegurl m3u8;
video/mp2t ts;
}
root /home/streamer/;
}
}

The problem is with the stream configuration.
vlc -vv http://104.248.36.47:3644/hls/debug/index.m3u8 ouput revealed:
[00007f0594002580] main stream debug: connecting to 0.0.0.0 port 3644 ...
[00007f0594002580] main stream error: connection error: Connection refused
...
[00007f0594002580] adaptive stream debug: Retrieving http://0.0.0.0:3644/hlsdebug/75.ts #0
Note that it says hlsdebug instead of the expected hls/debug
After adding a '/' to the hls_base_url, and changing 0.0.0.0 to the public IP, it works.
I do not understand fully tho why 0.0.0.0 would not work..

Nginx RTMP Module is not saving live-streaming files

I have had no issues in live-streaming to the server, but I am trying to add VOD functionality with some difficulty. The record_path "/mnt/film/" is not being created or written to by the server, even if I create the directory before running the server.
I have tried adding a user with root permissions, but this did not seem to help. The weird thing is that error logs are not being created as well, but it writes to the "/mnt/hls" path with no problems whatsoever.
user nginx root;
worker_processes auto;
error_log logs/error.log debug;
events {
worker_connections 1024;
}
# RTMP configuration
rtmp {
server {
listen 1935;
chunk_size 4096;
application live {
live on;
# Turn on HLS
hls on;
hls_path /mnt/hls/;
hls_fragment 3;
hls_playlist_length 60;
# record stream to folder /film/
record all;
record_path /mnt/film/;
# disable consuming the stream from nginx as rtmp
deny play all;
}
}
}
http {
sendfile off;
tcp_nopush on;
default_type application/octet-stream;
server {
listen 8080;
location /hls {
# Disable cache
add_header 'Cache-Control' 'no-cache';
# CORS setup
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length';
# allow CORS preflight requests
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
types {
application/vnd.apple.mpegurl m3u8;
video/mp2t ts;
}
root /mnt/;
}
}
server {
listen 8384;
# vod caches
vod_metadata_cache metadata_cache 256m;
vod_response_cache response_cache 128m;
# vod settings
vod_mode local;
vod_segment_duration 2000; # 2s
vod_align_segments_to_key_frames on;
#file handle caching / aio
open_file_cache max=1000 inactive=5m;
open_file_cache_valid 2m;
open_file_cache_min_uses 1;
open_file_cache_errors on;
aio on;
location /vod/ {
alias mnt/film/;
vod hls;
add_header 'Access-Control-Allow-Headers' '*';
add_header 'Access-Control-Expose-Headers' 'Server,range,Content-Length,Content-Range';
add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS';
add_header 'Access-Control-Allow-Origin' '*';
expires 100d;
}
}
}
I am just trying to get some files to show up in the "record_path" directory defined in the nginx.conf above.
Thanks

Have you checked hls_cleanup directive ? By default the feature is on. In this mode nginx cache manager process removes old HLS fragments and playlists from HLS directory.
https://github.com/arut/nginx-rtmp-module/wiki/Directives#hls_cleanup