I have a VPS Ghost installation, which runs on nginx. I have created an SSL certificate for it and everything works well, apart from the fact that all http://subdomain.example.com always redirect back to my main https://example.com when using HTTP.
However, if I visit https://subdomain.example.com, it doesn't redirect back to example.com. I want to make sure that when my users visit *.example.com, they don't redirect back to the main domain, regardless of whether they are using HTTP/S.
The reason behind this is because I'm trying to set up ownCloud on a subdomain of its own and can only access it currently by example.com/cloud.
I've spent many hours configuring the conf files on nginx, please help!
Here are my two nginx config files -
For the main domain:
server {
listen 80;
server_name notepad.li;
ssl_certificate /etc/letsencrypt/live/notepad.li/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/notepad.li/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name notepad.li;
root /var/www/ghost/;
ssl_certificate /etc/letsencrypt/live/notepad.li/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/notepad.li/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
client_max_body_size 200M;
location ~ /.well-known {
allow all;
}
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:2368;
}
location /robots.txt {
alias /var/www/notepad/robots.txt;
}
rewrite ^/cloud$ /cloud/ redirect;
rewrite ^/cloud/$ /cloud/index.php;
rewrite ^/cloud/(contacts|calendar|files)$ /cloud/index.php/apps/$1/ redirect;
rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html;
location /cloud/ {
alias /var/www/owncloud/;
location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ {
deny all;
}
location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
}
location ~ ^(/cloud)((?:/ocs)?/[^/]+\.php)(/.*)?$ {
# note: ~ has precendence over a regular location block
# Accept URLs like:
# /cloud/index.php/apps/files/
# /cloud/index.php/apps/files/ajax/scan.php (it's really index.php; see 6fdef379adfdeac86cc2220209bdf4eb9562268d)
# /cloud/ocs/v1.php/apps/files_sharing/api/v1 (see #240)
# /cloud/remote.php/webdav/yourfilehere...
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/owncloud/$2;
fastcgi_param SCRIPT_NAME $1$2;
fastcgi_param PATH_INFO $3;
fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on;
fastcgi_param MOD_X_ACCEL_REDIRECT_PREFIX /owncloud-xaccel;
fastcgi_read_timeout 630;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
client_max_body_size 1G;
fastcgi_buffers 64 4K;
}
location ^~ /owncloud-xaccel/ {
# This directory is for MOD_X_ACCEL_REDIRECT_ENABLED. ownCloud sends the full file
# path on disk as a subdirectory under this virtual path.
# We must only allow 'internal' redirects within nginx so that the filesystem
# is not exposed to the world.
internal;
alias /;
}
location ~ ^/((caldav|carddav|webdav).*)$ {
# Z-Push doesn't like getting a redirect, and a plain rewrite didn't work either.
# Properly proxying like this seems to work fine.
proxy_pass https://127.0.0.1/cloud/remote.php/$1;
}
rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last;
rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect;
}
For the subdomain:
upstream php-handler {
server unix:/run/php/php7.0-fpm.sock;
}
server {
listen 80;
server_name box.notepad.li;
# enforce https
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name box.notepad.li;
ssl_certificate /etc/letsencrypt/live/box.notepad.li/fullchain.crt;
ssl_certificate_key /etc/letsencrypt/live/box.notepad.li/privkey.key;
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Path to the root of your installation
root /var/www/owncloud/;
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
index index.php;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
rewrite ^/.well-known/caldav /remote.php/dav/ permanent;
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location / {
rewrite ^/remote/(.*) /remote.php last;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ =404;
}
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the location ~ \.php(?:$|/) { block
location ~* \.(?:css|js)$ {
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}
# Optional: Don't log access to other assets
location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
access_log off;
}
}
I have copied/pasted + modified nginx configuration code, regarding ownCloud. I checked everything and it seems fine. What am I doing wrong? Why can I not access http://subdomain.example.com without it being redirected to https://example.com?
As always, I forgot to triple-check my nginx core files. As pointed out in the comments, I forgot to include the include sites-enabled; in nginx.conf and then create a symlink for my new subdomain config in that folder.
Thanks again!
Related
I have 3 different sites on one server and they are on port 80,81 and 82. When I go to https://port80.site.com it takes me to the site and http://port80.site.com redirect to https. With https://port81.site.com and https://port82.site.com they take me to the correct site, but when I use http on port 81/82 they just re-direct to https://port80.site.com.
So I want http://port81.site.com to re-direct to https://port81.site.com, rather than the site on port 80. On my domain my records are A port80 IP, for all 3 sites.
Im using nginx and this is my config:
server {
listen 80 or 81 or 82;
server_name subdomain.site.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name subdomain.site.com;
root /var/www/site;
index index.php;
client_max_body_size 100m;
client_body_timeout 120s;
sendfile off;
ssl_certificate /etc/letsencrypt/live/subdomain.site.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/subdomain.site.com/privkey.pem;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header Content-Security-Policy "frame-ancestors 'self'";
add_header X-Frame-Options DENY;
add_header Referrer-Policy same-origin;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
include /etc/nginx/fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
I would guess I need to add a record to my domain, but im not really sure, im using clouflare if that makes a difference, but im not using the proxy.
Thanks.
I got it work now by doing 2 things the first what was said but doing return 301 https://$host$request_uri; and also by making an srv record for each domain. I also had to restart the server because the systemctl restart nginx and service nginx restart didn't work.
I'm currently setting up a pterodactyl server and I want to access it over web. I have a domain (example.com) and set up a dynamic DNS pointing to the external IP of my router. I now want to use a subdomain (ptero.example.com), to point to the internal IP of the server.
My understanding is that I tell the subdomain to point to my external IP as well via a record (as this is the only way to access my internal network from the outside). Then I would need to configure a way for the router or server to identify the subdomain and route the request to the internal IP of the server. This is the part where I am stuck, as I'm not sure how to do it. The server is using nginx and I think i need to configure the .conf in /etc/nginx/sites-available and edit the location part, but I'm not quite sure. I pasted the current .conf file below (from Webconfig with pterodactyl)
server_tokens off;
server {
listen 80;
server_name <domain>;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name <domain>;
root /var/www/pterodactyl/public;
index index.php;
access_log /var/log/nginx/pterodactyl.app-access.log;
error_log /var/log/nginx/pterodactyl.app-error.log error;
# allow larger file uploads and longer script runtimes
client_max_body_size 100m;
client_body_timeout 120s;
sendfile off;
# SSL Configuration
ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers on;
# See https://hstspreload.org/ before uncommenting the line below.
# add_header Strict-Transport-Security "max-age=15768000; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header Content-Security-Policy "frame-ancestors 'self'";
add_header X-Frame-Options DENY;
add_header Referrer-Policy same-origin;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
include /etc/nginx/fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
I have a nginx server with a single web site, managed by Laravel Forge. At the moment it responds to requests for a single subdomain: subdomain_a.mydomain.com.au. I need it to respond to requests for subdomain_b.mydomain.com.au, and also the raw IP address. How do I do that?
Here's the nginx config:
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/subdomain_a.mydomain.com.au/before/*;
server {
listen 80;
listen [::]:80;
server_name subdomain_a.mydomain.com.au;
root /home/forge/subdomain_a.mydomain.com.au/public;
# FORGE SSL (DO NOT REMOVE!)
# ssl_certificate;
# ssl_certificate_key;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-(truncated by me!!!);
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
index index.html index.htm index.php;
charset utf-8;
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/subdomain_a.mydomain.com.au/server/*;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/subdomain_a.mydomain.com.au-error.log error;
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
}
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/subdomain_a.mydomain.com.au/after/*;
I am new to both nginx and Forge, and this is due to be in production within a few days.
In forge open your website page, at the right bottom there is a dropup menu called "Files", click on "Edit Nginx configuration".
Now you have to change this directive (as described here) from:
add_header X-Frame-Options "SAMEORIGIN";
to
add_header X-Frame-Options "allow from https://your-ip-or-domain.tld"
I just made the switch to Nginx after years of using apache. I am in the process of switching everything over but I am having one hell of a time doing so. My current issue is with nagios. I can access nagios but the cgi portion of it does not appear to be working, I just get garbled output. I am also not being prompted for username/password when accessing it which is a bit concerning.
I am also running owncloud on my webserver which seems to be working properly. Here is my configuration. Any help would be greatly appreciated.
upstream php-handler {
server 127.0.0.1:9000;
}
server {
listen 80;
server_name www.<my_server>.com;
return 301 https://$server_name$request_uri;
}
#SSL Configuration
server {
listen 443 ssl;
server_name www.<my_server>.com;
ssl_certificate /etc/letsencrypt/live/www.<my_server>.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.<my_server>.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
include /etc/nginx/default.d/*.conf;
root /mnt/Webserver/html;
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# ownCloud blacklist
location ~ ^/owncloud/(?:\.htaccess|data|config|db_structure\.xml|README) {
deny all;
error_page 403 = /owncloud/core/templates/403.php;
}
location / {
index index.html;
}
location /owncloud/ {
error_page 403 = /owncloud/core/templates/403.php;
error_page 404 = /owncloud/core/templates/404.php;
rewrite ^/owncloud/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/owncloud/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/owncloud/webdav(.*)$ /remote.php/webdav$1 redirect;
rewrite ^(/owncloud/core/doc[^\/]+/)$ $1/index.html;
# The following rules are only needed with webfinger
rewrite ^/owncloud/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/owncloud/.well-known/host-meta.json /public.php?service=host-meta-json last;
rewrite ^/owncloud/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/owncloud/.well-known/caldav /remote.php/caldav/ redirect;
try_files $uri $uri/ index.php;
}
# Optional: set long EXPIRES header on static assets
location ~* ^/owncloud(/.+\.(jpg|jpeg|gif|bmp|ico|png|css|swf))$ {
expires 30d;
access_log off; # Optional: Don't log access to assets
}
#Nagios
location /nagios {
alias /usr/share/nagios;
auth_basic "Nagios Access";
auth_basic_user_file /etc/nagios/htpasswd.users;
index index.php;
autoindex off;
}
location ~ ^/nagios/(.*\.php)$ {
auth_basic "Nagios Restricted Access (via nginx)";
auth_basic_user_file /etc/nagios/passwd;
root /usr/share/nagios/;
rewrite ^/nagios/(.*) /$1 break;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/nagios$fastcgi_script_name;
fastcgi_pass php-handler;
}
location ~ ^/nagios/(.*\.cgi)$ {
auth_basic "Nagios Restricted Access (via nginx)";
auth_basic_user_file /etc/nagios/passwd;
root /usr/lib64/nagios/cgi;
rewrite ^/nagios/cgi-bin/(.*)\.cgi /$1.cgi break;
include /etc/nginx/fastcgi_params;
fastcgi_param AUTH_USER $remote_user;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SCRIPT_FILENAME /usr/lib64/nagios/cgi$fastcgi_script_name;
fastcgi_pass php-handler;
}
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_pass php-handler;
}
}
Any help would be greatly appreciated.
I figured it out. Here is my new configuration. Thanks.
upstream php-handler {
server 127.0.0.1:9000;
}
server {
listen 80;
server_name www.<my_server>.com;
return 301 https://$server_name$request_uri;
}
#SSL Configuration
server {
listen 443 ssl;
server_name www.<my_server>.com;
ssl_certificate /etc/letsencrypt/live/www.<my_server>.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.<my_server>.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
include /etc/nginx/default.d/*.conf;
root /mnt/Webserver/html;
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# ownCloud blacklist
location ~ ^/owncloud/(?:\.htaccess|data|config|db_structure\.xml|README) {
deny all;
error_page 403 = /owncloud/core/templates/403.php;
}
location / {
index index.html;
}
location /owncloud/ {
error_page 403 = /owncloud/core/templates/403.php;
error_page 404 = /owncloud/core/templates/404.php;
rewrite ^/owncloud/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/owncloud/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/owncloud/webdav(.*)$ /remote.php/webdav$1 redirect;
rewrite ^(/owncloud/core/doc[^\/]+/)$ $1/index.html;
# The following rules are only needed with webfinger
rewrite ^/owncloud/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/owncloud/.well-known/host-meta.json /public.php?service=host-meta-json last;
rewrite ^/owncloud/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/owncloud/.well-known/caldav /remote.php/caldav/ redirect;
try_files $uri $uri/ index.php;
}
# Optional: set long EXPIRES header on static assets
location ~* ^/owncloud(/.+\.(jpg|jpeg|gif|bmp|ico|png|css|swf))$ {
expires 30d;
}
#Nagios
location /nagios {
alias /usr/share/nagios;
auth_basic "Nagios Restricted Access (via nginx)";
auth_basic_user_file /etc/nginx/.htpasswd;
index index.php;
autoindex off;
}
location ~ ^/nagios/(.*\.php)$ {
root /usr/share/nagios/;
rewrite ^/nagios/(.*) /$1 break;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/nagios$fastcgi_script_name;
fastcgi_pass php-handler;
}
location ~ ^/nagios/(.*\.cgi)$ {
root /usr/lib64/nagios/cgi;
rewrite ^/nagios/cgi-bin/(.*)\.cgi /$1.cgi break;
include /etc/nginx/fastcgi_params;
fastcgi_param AUTH_USER $remote_user;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SCRIPT_FILENAME /usr/lib64/nagios/cgi$fastcgi_script_name;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
}
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_pass php-handler;
}
}
I have issue with WordPress's permalinks while I am using nginx.
I've tried to add the following line in my nginx's config file, but still I am unable to getting these permalinks to work:
location / {
try_files $uri $uri/ /en/index.php?$args;
}
I am getting 404 error, when I enable Permalinks in WordPress control panel.
Here is my nginx conf file, if this could help to investigate the issue, as I've tried almost everything on the web. I guess something in my config is messing up:
server {
server_name blog.domain.com www.blog.domain.com;
listen 161.122.20.14;
return 301 https://$server_name$request_uri;
ssl_certificate /home/domain/domains/blog.domain.com/ssl.cert;
ssl_certificate_key /home/domain/domains/blog.domain.com/ssl.key;
}
server {
server_name blog.domain.com www.blog.domain.com;
listen 161.122.20.14:443 ssl http2;
root /home/domain/domains/blog.domain.com/public_html;
index index.html index.htm index.php;
access_log /var/log/virtualmin/blog.domain.com_access_log;
error_log /var/log/virtualmin/blog.domain.com_error_log;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME /home/domain/domains/blog.domain.com/public_html$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT /home/domain/domains/blog.domain.com/public_html;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https;
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/php-nginx/14765596504348.sock/socket;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~* .(js|css|png|jpg|jpeg|gif|ico)$ {
access_log off;
log_not_found off;
expires 365d;
}
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
return 444;
}
location ~* \.(pl|cgi|py|sh|lua)\$ {
return 444;
}
location ~ /(\.|wp-config\.php|readme\.html|license\.txt) { deny all; }
ssl_certificate /home/domain/domains/blog.domain.com/ssl.cert;
ssl_certificate_key /home/domain/domains/blog.domain.com/ssl.key;
ssl_trusted_certificate /home/domain/domains/blog.domain.com/ssl.ca;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
add_header Accept-Ranges bytes;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=15768000" always;
add_header Public-Key-Pins 'pin-sha256="Niasdcu1LQAzCK234v6aJLcwJFCcWATc4asdIBhio7XpIQ="; pin-sha256="75h33riR+PAtOJcVKNfn2y1/N1ARLqJ213YDX5bnAi1Q="; max-age=2592000;';
}
Let's look at your redirect server block... Since WordPress isn't going to allow or like the fact that you use both www and root domain for website url, you must choose one. Let's assume you don't want the www and want to use the domain itself, your first redirect server block would look like this:
server {
listen 161.122.20.14;
server_name blog.domain.com www.blog.domain.com;
return 301 https://blog.domain.com$request_uri;
}
This would effectively listen on the given ip, port 80 for both blog.domain.com and www.blog.domain.com redirecting them to https://blog.domain.com
Now why did i say first? Because you might want to have another redirect server block to catch all https at www domain. In this case, you need to make sure your server block has valid ssl config set. Without more investigating and only taking fron your config, your ssl redirect would look like this:
server {
listen 161.122.20.14:443 ssl http2;
server_name www.blog.domain.com;
ssl_certificate /home/domain/domains/blog.domain.com/ssl.cert;
ssl_certificate_key /home/domain/domains/blog.domain.com/ssl.key;
ssl_trusted_certificate /home/domain/domains/blog.domain.com/ssl.ca;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
return 301 https://blog.domain.com$request_uri;
}
now that we are certain that all requests to either blog.domain.com or www.blog.domain.com are being taken care of as far as redirection, on both port 80 and 443, our main server block would look like so:
server {
listen 161.122.20.14:443 ssl http2 deferred;
server_name blog.domain.com;
root /home/domain/domains/blog.domain.com/public_html;
index index.html index.htm index.php;
access_log /var/log/virtualmin/blog.domain.com_access_log;
error_log /var/log/virtualmin/blog.domain.com_error_log;
ssl_certificate /home/domain/domains/blog.domain.com/ssl.cert;
ssl_certificate_key /home/domain/domains/blog.domain.com/ssl.key;
ssl_trusted_certificate /home/domain/domains/blog.domain.com/ssl.ca;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
add_header Accept-Ranges bytes;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=15768000" always;
add_header Public-Key-Pins 'pin-sha256="Niasdcu1LQAzCK234v6aJLcwJFCcWATc4asdIBhio7XpIQ="; pin-sha256="75h33riR+PAtOJcVKNfn2y1/N1ARLqJ213YDX5bnAi1Q="; max-age=2592000;';
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~* .(js|css|png|jpg|jpeg|gif|ico)$ {
access_log off;
log_not_found off;
expires 365d;
}
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
return 444;
}
location ~* \.(pl|cgi|py|sh|lua)\$ {
return 444;
}
location ~ /(\.|wp-config\.php|readme\.html|license\.txt) { deny all; }
location / {
try_files $uri $uri/ /index.php?q=$uri&$args;
}
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/php-nginx/14765596504348.sock/socket;
}
}
Key here is your try_files and adding a / location block containing the default action. You should also save that php location block and use it for future configurations... the other one was just, how to say, unsecure. This is really, in essence, what will allow you to use permalinks with WordPress.
location / {
try_files $uri $uri/ /index.php?q=$uri&$args;
}
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/php-nginx/14765596504348.sock/socket;
}
I'm also wondering where you got the idea to put all fastcgi params in your config.. where did you get such info?
Mind you i've copy/pasted from what you posted without checking if all was valid.