I just made the switch to Nginx after years of using apache. I am in the process of switching everything over but I am having one hell of a time doing so. My current issue is with nagios. I can access nagios but the cgi portion of it does not appear to be working, I just get garbled output. I am also not being prompted for username/password when accessing it which is a bit concerning.
I am also running owncloud on my webserver which seems to be working properly. Here is my configuration. Any help would be greatly appreciated.
upstream php-handler {
server 127.0.0.1:9000;
}
server {
listen 80;
server_name www.<my_server>.com;
return 301 https://$server_name$request_uri;
}
#SSL Configuration
server {
listen 443 ssl;
server_name www.<my_server>.com;
ssl_certificate /etc/letsencrypt/live/www.<my_server>.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.<my_server>.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
include /etc/nginx/default.d/*.conf;
root /mnt/Webserver/html;
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# ownCloud blacklist
location ~ ^/owncloud/(?:\.htaccess|data|config|db_structure\.xml|README) {
deny all;
error_page 403 = /owncloud/core/templates/403.php;
}
location / {
index index.html;
}
location /owncloud/ {
error_page 403 = /owncloud/core/templates/403.php;
error_page 404 = /owncloud/core/templates/404.php;
rewrite ^/owncloud/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/owncloud/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/owncloud/webdav(.*)$ /remote.php/webdav$1 redirect;
rewrite ^(/owncloud/core/doc[^\/]+/)$ $1/index.html;
# The following rules are only needed with webfinger
rewrite ^/owncloud/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/owncloud/.well-known/host-meta.json /public.php?service=host-meta-json last;
rewrite ^/owncloud/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/owncloud/.well-known/caldav /remote.php/caldav/ redirect;
try_files $uri $uri/ index.php;
}
# Optional: set long EXPIRES header on static assets
location ~* ^/owncloud(/.+\.(jpg|jpeg|gif|bmp|ico|png|css|swf))$ {
expires 30d;
access_log off; # Optional: Don't log access to assets
}
#Nagios
location /nagios {
alias /usr/share/nagios;
auth_basic "Nagios Access";
auth_basic_user_file /etc/nagios/htpasswd.users;
index index.php;
autoindex off;
}
location ~ ^/nagios/(.*\.php)$ {
auth_basic "Nagios Restricted Access (via nginx)";
auth_basic_user_file /etc/nagios/passwd;
root /usr/share/nagios/;
rewrite ^/nagios/(.*) /$1 break;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/nagios$fastcgi_script_name;
fastcgi_pass php-handler;
}
location ~ ^/nagios/(.*\.cgi)$ {
auth_basic "Nagios Restricted Access (via nginx)";
auth_basic_user_file /etc/nagios/passwd;
root /usr/lib64/nagios/cgi;
rewrite ^/nagios/cgi-bin/(.*)\.cgi /$1.cgi break;
include /etc/nginx/fastcgi_params;
fastcgi_param AUTH_USER $remote_user;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SCRIPT_FILENAME /usr/lib64/nagios/cgi$fastcgi_script_name;
fastcgi_pass php-handler;
}
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_pass php-handler;
}
}
Any help would be greatly appreciated.
I figured it out. Here is my new configuration. Thanks.
upstream php-handler {
server 127.0.0.1:9000;
}
server {
listen 80;
server_name www.<my_server>.com;
return 301 https://$server_name$request_uri;
}
#SSL Configuration
server {
listen 443 ssl;
server_name www.<my_server>.com;
ssl_certificate /etc/letsencrypt/live/www.<my_server>.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.<my_server>.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
include /etc/nginx/default.d/*.conf;
root /mnt/Webserver/html;
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# ownCloud blacklist
location ~ ^/owncloud/(?:\.htaccess|data|config|db_structure\.xml|README) {
deny all;
error_page 403 = /owncloud/core/templates/403.php;
}
location / {
index index.html;
}
location /owncloud/ {
error_page 403 = /owncloud/core/templates/403.php;
error_page 404 = /owncloud/core/templates/404.php;
rewrite ^/owncloud/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/owncloud/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/owncloud/webdav(.*)$ /remote.php/webdav$1 redirect;
rewrite ^(/owncloud/core/doc[^\/]+/)$ $1/index.html;
# The following rules are only needed with webfinger
rewrite ^/owncloud/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/owncloud/.well-known/host-meta.json /public.php?service=host-meta-json last;
rewrite ^/owncloud/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/owncloud/.well-known/caldav /remote.php/caldav/ redirect;
try_files $uri $uri/ index.php;
}
# Optional: set long EXPIRES header on static assets
location ~* ^/owncloud(/.+\.(jpg|jpeg|gif|bmp|ico|png|css|swf))$ {
expires 30d;
}
#Nagios
location /nagios {
alias /usr/share/nagios;
auth_basic "Nagios Restricted Access (via nginx)";
auth_basic_user_file /etc/nginx/.htpasswd;
index index.php;
autoindex off;
}
location ~ ^/nagios/(.*\.php)$ {
root /usr/share/nagios/;
rewrite ^/nagios/(.*) /$1 break;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/nagios$fastcgi_script_name;
fastcgi_pass php-handler;
}
location ~ ^/nagios/(.*\.cgi)$ {
root /usr/lib64/nagios/cgi;
rewrite ^/nagios/cgi-bin/(.*)\.cgi /$1.cgi break;
include /etc/nginx/fastcgi_params;
fastcgi_param AUTH_USER $remote_user;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SCRIPT_FILENAME /usr/lib64/nagios/cgi$fastcgi_script_name;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
}
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_pass php-handler;
}
}
Related
I want to apply rewrite /author/xxx to /index.php?author_name=xxx
rewrite ^/author/(.*)/$ /index.php?author_name=$1;
When I apply code, browser url looks like that :
http://www.site-name.com/?author_name=xxx
I want url will look like :
http://www.site-name.com/author/xxx but it will rewrite index.php?author_name=xxx
Any idea to fix it?
My Nginx conf file is below :
server {
server_name site-name.com;
rewrite ^(.*) http://www.site-name.com$1 permanent;
listen 8080;
}
server {
listen 8080;
access_log off;
# access_log /home/www.site-name.com/logs/access_log;
error_log on;
# error_log /home/www.site-name.com/logs/error.log;
#add_header X-Frame-Options SAMEORIGIN;
#add_header X-Frame-Options "ALLOW-FROM https://www.site-name.xyz";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
root /home/www.site-name.com/public_html;
include /etc/nginx/conf/ddos2.conf;
# include /etc/nginx/conf/cors.conf;
index index.php index.html index.htm;
server_name www.site-name.com;
location / {
try_files $uri $uri/ /index.php?q=$uri&$args;
}
rewrite ^/author/(.*)/$ /index.php?author_name=$1;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include /etc/nginx/fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm.sock;
fastcgi_index index.php;
fastcgi_connect_timeout 250;
fastcgi_send_timeout 250;
fastcgi_read_timeout 250;
fastcgi_buffer_size 256k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_intercept_errors on;
fastcgi_param SCRIPT_FILENAME /home/www.site-name.com/public_html$fastcgi_script_name;
}
include /etc/nginx/conf/drop.conf;
}
Your rewrite looks OK: From extern you can use /author/... and internally it will use index.php?....
I suppose you also want to redirect index.php?... to the nice path:
rewrite ^/author/([^/]*)/?$ /index.php?author_name=$1 break;
rewrite ^/index.php$ https://www.example.com/author/$arg_author_name/ redirect;
root /var/www/html/;
fastcgi_index index.php;
fastcgi_pass php;
include fastcgi_params;
I have issue with WordPress's permalinks while I am using nginx.
I've tried to add the following line in my nginx's config file, but still I am unable to getting these permalinks to work:
location / {
try_files $uri $uri/ /en/index.php?$args;
}
I am getting 404 error, when I enable Permalinks in WordPress control panel.
Here is my nginx conf file, if this could help to investigate the issue, as I've tried almost everything on the web. I guess something in my config is messing up:
server {
server_name blog.domain.com www.blog.domain.com;
listen 161.122.20.14;
return 301 https://$server_name$request_uri;
ssl_certificate /home/domain/domains/blog.domain.com/ssl.cert;
ssl_certificate_key /home/domain/domains/blog.domain.com/ssl.key;
}
server {
server_name blog.domain.com www.blog.domain.com;
listen 161.122.20.14:443 ssl http2;
root /home/domain/domains/blog.domain.com/public_html;
index index.html index.htm index.php;
access_log /var/log/virtualmin/blog.domain.com_access_log;
error_log /var/log/virtualmin/blog.domain.com_error_log;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME /home/domain/domains/blog.domain.com/public_html$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT /home/domain/domains/blog.domain.com/public_html;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https;
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/php-nginx/14765596504348.sock/socket;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~* .(js|css|png|jpg|jpeg|gif|ico)$ {
access_log off;
log_not_found off;
expires 365d;
}
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
return 444;
}
location ~* \.(pl|cgi|py|sh|lua)\$ {
return 444;
}
location ~ /(\.|wp-config\.php|readme\.html|license\.txt) { deny all; }
ssl_certificate /home/domain/domains/blog.domain.com/ssl.cert;
ssl_certificate_key /home/domain/domains/blog.domain.com/ssl.key;
ssl_trusted_certificate /home/domain/domains/blog.domain.com/ssl.ca;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
add_header Accept-Ranges bytes;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=15768000" always;
add_header Public-Key-Pins 'pin-sha256="Niasdcu1LQAzCK234v6aJLcwJFCcWATc4asdIBhio7XpIQ="; pin-sha256="75h33riR+PAtOJcVKNfn2y1/N1ARLqJ213YDX5bnAi1Q="; max-age=2592000;';
}
Let's look at your redirect server block... Since WordPress isn't going to allow or like the fact that you use both www and root domain for website url, you must choose one. Let's assume you don't want the www and want to use the domain itself, your first redirect server block would look like this:
server {
listen 161.122.20.14;
server_name blog.domain.com www.blog.domain.com;
return 301 https://blog.domain.com$request_uri;
}
This would effectively listen on the given ip, port 80 for both blog.domain.com and www.blog.domain.com redirecting them to https://blog.domain.com
Now why did i say first? Because you might want to have another redirect server block to catch all https at www domain. In this case, you need to make sure your server block has valid ssl config set. Without more investigating and only taking fron your config, your ssl redirect would look like this:
server {
listen 161.122.20.14:443 ssl http2;
server_name www.blog.domain.com;
ssl_certificate /home/domain/domains/blog.domain.com/ssl.cert;
ssl_certificate_key /home/domain/domains/blog.domain.com/ssl.key;
ssl_trusted_certificate /home/domain/domains/blog.domain.com/ssl.ca;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
return 301 https://blog.domain.com$request_uri;
}
now that we are certain that all requests to either blog.domain.com or www.blog.domain.com are being taken care of as far as redirection, on both port 80 and 443, our main server block would look like so:
server {
listen 161.122.20.14:443 ssl http2 deferred;
server_name blog.domain.com;
root /home/domain/domains/blog.domain.com/public_html;
index index.html index.htm index.php;
access_log /var/log/virtualmin/blog.domain.com_access_log;
error_log /var/log/virtualmin/blog.domain.com_error_log;
ssl_certificate /home/domain/domains/blog.domain.com/ssl.cert;
ssl_certificate_key /home/domain/domains/blog.domain.com/ssl.key;
ssl_trusted_certificate /home/domain/domains/blog.domain.com/ssl.ca;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
add_header Accept-Ranges bytes;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=15768000" always;
add_header Public-Key-Pins 'pin-sha256="Niasdcu1LQAzCK234v6aJLcwJFCcWATc4asdIBhio7XpIQ="; pin-sha256="75h33riR+PAtOJcVKNfn2y1/N1ARLqJ213YDX5bnAi1Q="; max-age=2592000;';
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~* .(js|css|png|jpg|jpeg|gif|ico)$ {
access_log off;
log_not_found off;
expires 365d;
}
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
return 444;
}
location ~* \.(pl|cgi|py|sh|lua)\$ {
return 444;
}
location ~ /(\.|wp-config\.php|readme\.html|license\.txt) { deny all; }
location / {
try_files $uri $uri/ /index.php?q=$uri&$args;
}
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/php-nginx/14765596504348.sock/socket;
}
}
Key here is your try_files and adding a / location block containing the default action. You should also save that php location block and use it for future configurations... the other one was just, how to say, unsecure. This is really, in essence, what will allow you to use permalinks with WordPress.
location / {
try_files $uri $uri/ /index.php?q=$uri&$args;
}
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/php-nginx/14765596504348.sock/socket;
}
I'm also wondering where you got the idea to put all fastcgi params in your config.. where did you get such info?
Mind you i've copy/pasted from what you posted without checking if all was valid.
I have a VPS Ghost installation, which runs on nginx. I have created an SSL certificate for it and everything works well, apart from the fact that all http://subdomain.example.com always redirect back to my main https://example.com when using HTTP.
However, if I visit https://subdomain.example.com, it doesn't redirect back to example.com. I want to make sure that when my users visit *.example.com, they don't redirect back to the main domain, regardless of whether they are using HTTP/S.
The reason behind this is because I'm trying to set up ownCloud on a subdomain of its own and can only access it currently by example.com/cloud.
I've spent many hours configuring the conf files on nginx, please help!
Here are my two nginx config files -
For the main domain:
server {
listen 80;
server_name notepad.li;
ssl_certificate /etc/letsencrypt/live/notepad.li/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/notepad.li/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name notepad.li;
root /var/www/ghost/;
ssl_certificate /etc/letsencrypt/live/notepad.li/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/notepad.li/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
client_max_body_size 200M;
location ~ /.well-known {
allow all;
}
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:2368;
}
location /robots.txt {
alias /var/www/notepad/robots.txt;
}
rewrite ^/cloud$ /cloud/ redirect;
rewrite ^/cloud/$ /cloud/index.php;
rewrite ^/cloud/(contacts|calendar|files)$ /cloud/index.php/apps/$1/ redirect;
rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html;
location /cloud/ {
alias /var/www/owncloud/;
location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ {
deny all;
}
location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
}
location ~ ^(/cloud)((?:/ocs)?/[^/]+\.php)(/.*)?$ {
# note: ~ has precendence over a regular location block
# Accept URLs like:
# /cloud/index.php/apps/files/
# /cloud/index.php/apps/files/ajax/scan.php (it's really index.php; see 6fdef379adfdeac86cc2220209bdf4eb9562268d)
# /cloud/ocs/v1.php/apps/files_sharing/api/v1 (see #240)
# /cloud/remote.php/webdav/yourfilehere...
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/owncloud/$2;
fastcgi_param SCRIPT_NAME $1$2;
fastcgi_param PATH_INFO $3;
fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on;
fastcgi_param MOD_X_ACCEL_REDIRECT_PREFIX /owncloud-xaccel;
fastcgi_read_timeout 630;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
client_max_body_size 1G;
fastcgi_buffers 64 4K;
}
location ^~ /owncloud-xaccel/ {
# This directory is for MOD_X_ACCEL_REDIRECT_ENABLED. ownCloud sends the full file
# path on disk as a subdirectory under this virtual path.
# We must only allow 'internal' redirects within nginx so that the filesystem
# is not exposed to the world.
internal;
alias /;
}
location ~ ^/((caldav|carddav|webdav).*)$ {
# Z-Push doesn't like getting a redirect, and a plain rewrite didn't work either.
# Properly proxying like this seems to work fine.
proxy_pass https://127.0.0.1/cloud/remote.php/$1;
}
rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last;
rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect;
}
For the subdomain:
upstream php-handler {
server unix:/run/php/php7.0-fpm.sock;
}
server {
listen 80;
server_name box.notepad.li;
# enforce https
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name box.notepad.li;
ssl_certificate /etc/letsencrypt/live/box.notepad.li/fullchain.crt;
ssl_certificate_key /etc/letsencrypt/live/box.notepad.li/privkey.key;
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Path to the root of your installation
root /var/www/owncloud/;
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
index index.php;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
rewrite ^/.well-known/caldav /remote.php/dav/ permanent;
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location / {
rewrite ^/remote/(.*) /remote.php last;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ =404;
}
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the location ~ \.php(?:$|/) { block
location ~* \.(?:css|js)$ {
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}
# Optional: Don't log access to other assets
location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
access_log off;
}
}
I have copied/pasted + modified nginx configuration code, regarding ownCloud. I checked everything and it seems fine. What am I doing wrong? Why can I not access http://subdomain.example.com without it being redirected to https://example.com?
As always, I forgot to triple-check my nginx core files. As pointed out in the comments, I forgot to include the include sites-enabled; in nginx.conf and then create a symlink for my new subdomain config in that folder.
Thanks again!
I have a project set up on Nginx running on Symfony2 with Wordpress blog in it. Wordpress blog is inside web/ in Symfony2. Some things on the blog doesn't work (for example infinite 302 on wp-admin and some CSS issues). Can someone show me how proper config file for this setup should look like?
Mine looks like this:
server {
listen 80;
server_name project.com *.project.com;
return 301 https://www.project.com$request_uri;
root /usr/share/nginx/html/project.com/web;
error_log /var/log/nginx/project.error.log;
access_log /var/log/nginx/project.access.log;
client_max_body_size 12M;
# strip app.php/ prefix if it is present
#rewrite ^/app\.php/?(.*)$ /$1 permanent;
location / {
index app.php;
try_files $uri #rewriteapp;
if ($http_host ~ "^[^.]+\.[^.]+$"){
rewrite ^(.*)$ https:%1://www.$http_host$request_uri redirect;
}
}
location #rewriteapp {
rewrite ^(.*)$ /app.php/$1 last;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ .php {
#fastcgi_pass 127.0.0.1:9000;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS off;
}
}
server {
listen 443;
ssl on;
ssl_certificate /etc/nginx/ssl/www.project.com/project-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/www.project.com/project.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !MEDIUM";
ssl_dhparam dh4096.pem;
server_name project.com *.project.com;
root /usr/share/nginx/html/project.com/web;
error_log /var/log/nginx/project.error.log;
access_log /var/log/nginx/project.access.log;
client_max_body_size 12M;
# strip app.php/ prefix if it is present
rewrite ^/app\.php/?(.*)$ /$1 permanent;
location / {
index app.php;
try_files $uri #rewriteapp;
if ($http_host ~ "^[^.]+\.[^.]+$"){
rewrite ^(.*)$ https:%1://www.$http_host$request_uri redirect;
}
}
location /blog/wp-admin/ {
index index.php;
# #try_files $uri #rewriteindex;
# try_files $uri $uri/ /index.php?$args;
}
#location #rewriteindex {
# rewrite ^(.*)$ /blog/wp-admin/index.php/$1 last;
#}
location #rewriteapp {
rewrite ^(.*)$ /app.php/$1 last;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ .php {
#fastcgi_pass 127.0.0.1:9000;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS off;
}
location .(js|jpg|png|css)$ {
root /usr/share/nginx/html/project.com/web;
expires 30d;
}
}
This config file is just a mess. It might be better just to start from scratch but I'm not sure how I should handle the Wordpress part inside web/blog/
location ~ /blog {
proxy_pass http://your_wp_server_url;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
and define in a new site enabled file in nginx the server for wordpress:
server{
server_name your_wp_server_url;
root path_to_wordpress;
.
.
.
}
So, I want to secure only the login and admin part of my website. The problem is that the admin uses some common static files that are used on the general site as well. This means that when I am in the admin those files should be served over https while when I am on the general site they should be served as http.
How can I configure nginx to behave this way?
The configuration I use so far is bellow:
server {
listen 80;
server_name site.com www.site.com;
root /home/site_folder/web;
index index.php;
location ~ /(get-involved|contribute|api) {
return 301 https://$server_name$request_uri;
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param HTTPS on;
fastcgi_param SCRIPT_FILENAME /home/site_folder/web/index.php;
}
location / {
root /home/site_folder/web;
if (-f $request_filename) {
expires max;
break;
}
try_files $uri $uri/index.php;
rewrite ^(.*) /index.php last;
}
}
server {
listen 443 ssl;
ssl_certificate path_to_ssl.crt;
ssl_certificate_key path_to_key.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
server_name site.com www.site.com;
root /home/site_folder/web;
index index.php;
location ~ /(get-involved|contribute|api) {
root /home/site_folder/web;
if (-f $request_filename) {
expires max;
break;
}
try_files $uri $uri/index.php;
rewrite ^(.*) /index.php last;
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param HTTPS on;
fastcgi_param SCRIPT_FILENAME /home/site_folder/web/index.php;
}
location / {
return 301 http://$server_name$request_uri;
}
}