nginx serve static files over both https and http - http

So, I want to secure only the login and admin part of my website. The problem is that the admin uses some common static files that are used on the general site as well. This means that when I am in the admin those files should be served over https while when I am on the general site they should be served as http.
How can I configure nginx to behave this way?
The configuration I use so far is below:
# Plain-HTTP virtual host: redirects the protected prefixes to HTTPS and
# serves everything else, PHP included, over unencrypted HTTP.
# NOTE(review): splitting one site across http and https leaves any session
# cookie issued on the HTTPS side exposed on the HTTP side unless it carries
# the Secure flag; serving the whole site over HTTPS avoids that and also the
# shared-static-file problem described in the question.
server {
listen 80;
server_name site.com www.site.com;
root /home/site_folder/web;
index index.php;
# Unanchored regex: matches /get-involved, /contribute or /api at any depth of
# the path and as the start of longer names.
location ~ /(get-involved|contribute|api) {
# $server_name is the first name listed in server_name (site.com), so a
# request for www.site.com is redirected to the bare domain.
return 301 https://$server_name$request_uri;
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
# NOTE(review): this listener is plain HTTP, yet PHP is told the request is
# HTTPS; application code that trusts $_SERVER['HTTPS'] (Secure cookies,
# "already on TLS" checks) will then decide wrongly.
fastcgi_param HTTPS on;
# Every *.php URI is executed by the single front controller.
fastcgi_param SCRIPT_FILENAME /home/site_folder/web/index.php;
}
location / {
root /home/site_folder/web;
# Existing files are served directly with a far-future Expires header;
# `break` stops the rewrite below from running for them.
if (-f $request_filename) {
expires max;
break;
}
try_files $uri $uri/index.php;
rewrite ^(.*) /index.php last;
}
}
# TLS virtual host: serves only the protected prefixes and PHP, and sends every
# other request back to plain HTTP.
server {
listen 443 ssl;
ssl_certificate path_to_ssl.crt;
ssl_certificate_key path_to_key.key;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep TLSv1.2 and
# add TLSv1.3 where the nginx/OpenSSL build supports it.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
server_name site.com www.site.com;
root /home/site_folder/web;
index index.php;
# Only URIs matching this regex are served as files over HTTPS. Shared static
# files live under other paths, so they fall through to `location /` below.
location ~ /(get-involved|contribute|api) {
root /home/site_folder/web;
if (-f $request_filename) {
expires max;
break;
}
try_files $uri $uri/index.php;
rewrite ^(.*) /index.php last;
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param HTTPS on;
fastcgi_param SCRIPT_FILENAME /home/site_folder/web/index.php;
}
# Downgrade redirect: any other HTTPS request, including the CSS/JS/images an
# admin page references, is answered with a 301 to http://. Browsers block or
# warn on such mixed content, and the assets then travel unauthenticated.
# Serving static files here instead of redirecting them removes the problem.
location / {
return 301 http://$server_name$request_uri;
}
}

Related

nginx multisite redirects on different site

in sites-enabled file test.com.conf:
# Derives $blogid from the Host header: 1 for test.com, 0 for anything else.
# $http_host is the raw client-supplied header (it may carry a port), so only
# the exact string "test.com" selects blog 1.
map $http_host $blogid {
default 0;
test.com 1;
}
# Plain-HTTP virtual host for the WordPress multisite on test.com.
# NOTE(review): there is no 443 listener for test.com. An https://test.com
# request therefore lands in the only TLS server on this address (site.com),
# which would explain site.com opening instead — confirm which scheme the
# browser actually uses (a cached 301 can force https).
server {
listen 5.187.1.93:80;
server_name test.com *.test.com;
root /home/fornex/wordpress;
access_log /var/log/nginx/test.com-access.log;
error_log /var/log/nginx/test.com-error.log;
# Contents of the included files are not shown on this page.
include conf.d/restrictions.conf;
# include /home/fornex/wordpress/nginx.conf;
include conf.d/wordpress-mu.conf;
}
file site.com.conf:
# Redirects plain-HTTP requests for site.com and its subdomains to HTTPS.
# NOTE(review): $host is taken from the request. If this block also ends up as
# the default server for 5.187.1.93:80, requests with any other Host header
# are redirected to https://<that host> as well — TODO confirm which server is
# the default for this address.
server {
listen 5.187.1.93:80;
server_name site.com *.site.com;
return 301 https://$host$request_uri;
}
# TLS virtual host for site.com (PHP application with a front controller).
server {
listen 5.187.1.93:443 ssl;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep TLSv1.2 and
# add TLSv1.3 where supported.
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate /etc/letsencrypt/live/site.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem;
server_name site.com *.site.com;
root /home/fornex/site.com;
index index.php;
client_max_body_size 7m;
location / {
try_files $uri $uri/ /index.php?$args;
}
# Blocks every path containing "/." (dotfiles such as .git or .htpasswd).
# NOTE(review): this also covers /.well-known/, which ACME HTTP-01 validation
# uses — verify certificate renewal does not depend on it.
location ~* /\. {
deny all;
}
# NOTE(review): nothing here checks that the requested script exists before it
# is handed to PHP-FPM; adding `try_files $uri =404;` keeps nonexistent .php
# paths away from the interpreter, which matters when cgi.fix_pathinfo is on.
location ~*\.(php)$ {
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# No fastcgi_split_path_info is set in this location, so $fastcgi_path_info
# is empty here.
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
When I open test.com (it should be a WordPress installation), site.com opens instead. What is wrong? How can I make them separate sites? I searched the web a lot but didn't find anything that helps in my situation. Adding *.test.com didn't help.

My website downloads .sh pages instead of displaying them

When I click on this link, for example: http://debian.local/cgi-bin/hobbitcolumn.sh?bbgen, it downloads the .sh file instead of showing the page.
I tried to put the fastcgi_ params in location ^~ /hobbit, but it is still not working.
could you help me please
thanks
here is my sites-available/debian.local.conf:
# /etc/nginx/sites-available/debian.local.conf
# HTTP server
server {
listen 80; ## listen for ipv4; this line is default and implied
#listen [::]:80 default_server ipv6only=on; ## listen for ipv6
# Make site accessible from http://localhost/
server_name debian.local localhost ;
# Redirect all requests to HTTPS (currently disabled)
#rewrite ^ https://$server_name$request_uri? permanent;
location ^~ /glpi {
root /home/cedric/web;
index index.php;
location ~ /glpi(/.*\.php) {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
}
}
location ^~ /hobbit {
alias /usr/lib/hobbit/server/www/ ;
index index.html ;
}
# These two locations only map a directory; no handler executes the scripts.
# nginx has no built-in CGI support, so it serves each script as a static
# file — the download seen in the question, and a disclosure of the script
# source to anyone who can reach this server.
location /cgi-bin/ {
alias /usr/lib/hobbit/cgi-bin/;
}
# NOTE(review): no auth_basic or allow/deny is visible for /cgi-secure/ —
# confirm that access to it is restricted somewhere.
location /cgi-secure/ {
alias /usr/lib/hobbit/cgi-secure/ ;
}
}
# TLS virtual host carrying the administrative interfaces (Zabbix, phpMyAdmin,
# XCache admin).
# NOTE(review): none of these locations shows auth_basic or allow/deny, so
# access control rests entirely on each application's own login — consider
# restricting them by source address at this layer.
server {
listen 443 ssl;
server_name debian.local localhost ;
root html;
index index.html index.htm;
# Use a self-signed certificate to ensure
# a secure connection to phpMyAdmin
ssl_certificate debian.local.crt;
ssl_certificate_key debian.local.key;
ssl_session_timeout 5m;
# Only allow recent browsers (TLS 1.2)
ssl_protocols TLSv1.2;
# NOTE(review): "ALL" enables every suite except eNULL; the "+LOW", "+EXP" and
# "RC4+RSA" terms only reorder and never remove, so weak, export-grade and RC4
# suites stay enabled wherever the OpenSSL build offers them. Replace this with
# an explicit modern list (ECDHE key exchange with AES-GCM or CHACHA20).
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
location / {
try_files $uri $uri/ =404;
}
location /zabbix {
# $scheme is "http" or "https" without a colon, so ^http: never matches; the
# redirect is dead code, and this server only accepts TLS anyway.
if ($scheme ~ ^http:){
rewrite ^(.*)$ https://$host$1 permanent;
}
alias /usr/share/zabbix;
index index.php;
error_page 403 404 502 503 504 /zabbix/index.php;
location ~ \.php$ {
# Refuse script paths that do not exist on disk before calling PHP-FPM.
if (!-f $request_filename) { return 404; }
expires epoch;
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_pass unix:/var/run/php5-fpm.sock;
}
location ~ \.(jpg|jpeg|gif|png|ico)$ {
access_log off;
expires 33d;
}
}
location /phpmyadmin {
root /usr/share/;
index index.php index.html index.htm;
location ~ ^/phpmyadmin/(.+\.php)$ {
# Only existing files reach PHP-FPM.
try_files $uri =404;
root /usr/share/;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
}
location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
root /usr/share/;
}
}
# The regex ^/* matches every URI, so anything under /phpMyAdmin is rewritten
# to /phpmyadmin.
location /phpMyAdmin {
rewrite ^/* /phpmyadmin last;
}
## Xcache admin pages
location /xcache {
alias /usr/share/xcache/;
try_files $uri $uri/ /index.php;
# NOTE(review): unlike the phpMyAdmin block, nothing here checks that the
# script exists before it is passed to PHP-FPM.
location ~ ^/xcache/(.+\.php)$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param SCRIPT_FILENAME $request_filename;
include fastcgi_params;
}
}
}
this is what appear instead of the web page:
#!/bin/sh QS="${QUERY_STRING}" QUERY_STRING="db=columndoc.csv&key=${QS}" export QUERY_STRING . /usr/lib/hobbit/server/etc/hobbitcgi.cfg exec /usr/lib/hobbit/server/bin/bb-csvinfo.cgi $CGI_HOBBITCOLUMN_OPTS
You should use the default_type directive in the relevant location, for example:
# NOTE(review): default_type only changes the Content-Type of the response.
# The script is still not executed; the browser now displays its source as
# text instead of downloading it, so the source disclosure remains. Running
# CGI scripts behind nginx needs a FastCGI wrapper such as fcgiwrap.
location /cgi-bin/ {
alias /usr/lib/hobbit/cgi-bin/;
default_type text/plain;
}
I made it work.
This helped me: https://www.howtoforge.com/serving-cgi-scripts-with-nginx-on-debian-squeeze-ubuntu-11.04-p3
I installed fcgiwrap and edited my sites-available/debian.local.conf like this:
# Runs the Hobbit CGI scripts through fcgiwrap instead of serving them as
# static files.
location /cgi-bin/ {
# Disable gzip (it makes scripts feel slower since they have to complete
# before getting gzipped)
gzip off;
# Map /cgi-bin/ onto the Hobbit CGI directory. Whatever fcgiwrap can execute
# in that directory becomes reachable over the web, so it should hold only the
# intended scripts and must not be writable by the web or application user.
alias /usr/lib/hobbit/cgi-bin/;
# Fastcgi socket: fcgiwrap executes the script and returns its output
fastcgi_pass unix:/var/run/fcgiwrap.socket;
# Fastcgi parameters, include the standard ones
include /etc/nginx/fastcgi_params;
# Adjust non standard parameters (SCRIPT_FILENAME)
# NOTE(review): under `alias`, $document_root is the alias path while
# $fastcgi_script_name still carries the /cgi-bin/ prefix — confirm the
# resulting path; $request_filename is the usual choice with alias.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
Thanks.

Nginx PHP file plaintext rendered

I have a main domain example.com and an admin area at example.com/admin/. The admin area has a different document root and should render the admin interface. The problem is that nginx currently serves the file as plain text, so I can basically see the source of index.php. I have been trying to figure it out, but without success so far.
This is my nginx config:
# Redirects www.example.me to the bare domain. The listener is bound to
# loopback port 8080, so it is presumably reached through a front proxy —
# TODO confirm. The redirect target is plain http://.
server {
listen 127.0.0.1:8080;
server_name www.example.me;
rewrite ^(.*) http://example.me$1 permanent;
}
# Main virtual host: the Laravel application at / and a Zend application with
# its own document root under /admin.
server {
listen 127.0.0.1:8080;
server_name example.me;
root /var/www/example.me/laravel/example/public/;
index index.html index.htm index.php;
error_log /var/log/nginx/example.me.error.log error;
access_log /var/log/nginx/example.me.access.log;
port_in_redirect off;
merge_slashes on;
client_max_body_size 20M;
# Missing pages are answered with a 301 to the home page instead of a 404.
error_page 404 =301 http://example.me;
location / {
#Don't use slash at end
rewrite ^/(.*)/$ /$1 permanent;
# add rewrite rule here:
# block access to /index.(php|htm|html)
if ($request_uri ~ "/index.(php|html?)") {
rewrite ^ /$1 permanent;
}
if (!-e $request_filename) {
rewrite ^.*$ /index.php last;
}
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_intercept_errors on;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
# "^~" stops regex matching for /admin URIs at server level, so the top-level
# \.php$ location above never handles them; only the nested one can.
location ^~ /admin {
root /var/www/example.me/zend/public/;
index index.php;
# try_files serves the first candidate that exists from inside this location
# without re-running location matching; only the last parameter triggers an
# internal redirect. /index.php exists, so it is sent by the static handler,
# which is the source disclosure described in the question.
try_files /index.php$is_args$args $uri;
# NOTE(review): Basic credentials are only base64-encoded. This listener is
# plain HTTP on loopback, so confidentiality depends on TLS being terminated
# in front of it — TODO confirm.
auth_basic "example Admin";
# NOTE(review): the password file sits inside a public document root and no
# rule in this server denies dotfiles; keep it outside any web root.
auth_basic_user_file /var/www/example.me/zend/public/.htpasswd;
rewrite_log on;
access_log /var/log/nginx/adminexample.access.log;
error_log /var/log/nginx/adminexample.error.log notice;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
#fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param SCRIPT_FILENAME /var/www/example.me/zend/public$fastcgi_script_name;
}
}
}

Symfony2, Wordpress and Nginx: How should configuration file look like

I have a project set up on Nginx running on Symfony2 with a WordPress blog in it. The WordPress blog is inside web/ in Symfony2. Some things on the blog don't work (for example, an infinite 302 on wp-admin and some CSS issues). Can someone show me what a proper config file for this setup should look like?
Mine looks like this:
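# Port-80 virtual host for project.com.
# The server-level `return 301` answers every request with a redirect to
# https://www.project.com, so none of the locations below is ever reached.
server {
    listen 80;
    server_name project.com *.project.com;
    return 301 https://www.project.com$request_uri;
    root /usr/share/nginx/html/project.com/web;
    error_log /var/log/nginx/project.error.log;
    access_log /var/log/nginx/project.access.log;
    client_max_body_size 12M;
    # strip app.php/ prefix if it is present
    #rewrite ^/app\.php/?(.*)$ /$1 permanent;
    location / {
        index app.php;
        # Fall back to the named location ("@" prefix) when no file matches.
        try_files $uri @rewriteapp;
        # NOTE(review): "%1" is Apache mod_rewrite syntax that nginx does not
        # expand, and $http_host is the raw client-supplied Host header;
        # redirecting to a fixed host name avoids reflecting it.
        if ($http_host ~ "^[^.]+\.[^.]+$"){
            rewrite ^(.*)$ https:%1://www.$http_host$request_uri redirect;
        }
    }
    location @rewriteapp {
        rewrite ^(.*)$ /app.php/$1 last;
    }
    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    # NOTE(review): the pattern is unescaped and unanchored, so it matches any
    # URI containing "php" after one arbitrary character. `\.php(/|$)` limits
    # it to script paths; together with fastcgi_split_path_info it decides
    # which file PHP-FPM executes, so also confirm the script exists first.
    location ~ .php {
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS off;
    }
}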
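# TLS virtual host for project.com: Symfony2 front controller (app.php) with a
# WordPress blog under web/blog/.
server {
    listen 443;
    # NOTE(review): `ssl on;` is deprecated; `listen 443 ssl;` replaces it.
    ssl on;
    ssl_certificate /etc/nginx/ssl/www.project.com/project-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/www.project.com/project.key;
    # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996), and the cipher
    # list below still admits RC4 ("EECDH+aRSA+RC4", "RC4"); drop both.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !MEDIUM";
    ssl_dhparam dh4096.pem;
    server_name project.com *.project.com;
    root /usr/share/nginx/html/project.com/web;
    error_log /var/log/nginx/project.error.log;
    access_log /var/log/nginx/project.access.log;
    client_max_body_size 12M;
    # strip app.php/ prefix if it is present
    rewrite ^/app\.php/?(.*)$ /$1 permanent;
    location / {
        index app.php;
        # Fall back to the named location ("@" prefix) when no file matches.
        try_files $uri @rewriteapp;
        # NOTE(review): "%1" is Apache mod_rewrite syntax that nginx does not
        # expand, and $http_host is the raw client-supplied Host header;
        # redirecting to a fixed host name avoids reflecting it.
        if ($http_host ~ "^[^.]+\.[^.]+$"){
            rewrite ^(.*)$ https:%1://www.$http_host$request_uri redirect;
        }
    }
    location /blog/wp-admin/ {
        index index.php;
        # #try_files $uri @rewriteindex;
        # try_files $uri $uri/ /index.php?$args;
    }
    #location @rewriteindex {
    #    rewrite ^(.*)$ /blog/wp-admin/index.php/$1 last;
    #}
    location @rewriteapp {
        rewrite ^(.*)$ /app.php/$1 last;
    }
    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    # NOTE(review): the pattern is unescaped and unanchored, so it matches any
    # URI containing "php" after one arbitrary character. `\.php(/|$)` limits
    # it to script paths; also confirm the script exists before passing it on.
    location ~ .php {
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # NOTE(review): this server terminates TLS, yet PHP is told the request
        # is not HTTPS. An application that forces HTTPS for its admin area
        # then keeps redirecting, which likely explains the wp-admin 302 loop,
        # and Secure cookie decisions are made on wrong information.
        fastcgi_param HTTPS off;
    }
    # NOTE(review): without a "~" modifier this is a literal prefix, not a
    # regex, so it never matches and the expires rule is not applied.
    location .(js|jpg|png|css)$ {
        root /usr/share/nginx/html/project.com/web;
        expires 30d;
    }
}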
This config file is just a mess. It might be better just to start from scratch but I'm not sure how I should handle the Wordpress part inside web/blog/
# Forwards blog requests to a separate WordPress virtual host.
# The regex is unanchored, so any URI containing "/blog" is proxied.
# NOTE(review): the upstream is addressed over plain http and receives no
# X-Forwarded-Proto header, so WordPress cannot tell the client used HTTPS;
# the backend should accept the forwarded headers only from this proxy.
location ~ /blog {
proxy_pass http://your_wp_server_url;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
Then define the server for WordPress in a new file under nginx's sites-enabled:
# Skeleton of the backend virtual host for WordPress; the dotted lines stand
# for directives the answer leaves out.
# NOTE(review): no listen directive is shown. If this host only serves the
# proxy, binding it to a loopback or internal address keeps clients from
# reaching it directly and bypassing the front server.
server{
server_name your_wp_server_url;
root path_to_wordpress;
.
.
.
}

Symfony2 and NGINX - auth_basic always asks for the password

I have a project written using Symfony2 framework and running on Nginx server.
The goal is to protect it with auth_basic.
What I did in nginx config file:
# Basic authentication applied to PHP requests only.
# NOTE(review): auth_basic set inside this location protects nothing outside
# it; static files under the document root are served without credentials.
# Declaring it at server level covers the whole site.
location ~ \.php(/|$) {
auth_basic 'RESTRICTED ACCESS';
auth_basic_user_file /var/www/my.passwd;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# Hard-coded to off although the enclosing server also listens on 443.
fastcgi_param HTTPS off;
}
However, when I try to access the page and fill in the username and password, it asks me for them again and again.
I have some redirects on the page:
# Redirects the bare domain to www over plain HTTP.
server {
listen 80;
server_name example.com;
rewrite ^ http://www.example.com$uri permanent;
}
# Main virtual host (the closing brace of this server block is not shown on
# the page).
# NOTE(review): the same server answers on port 80 and on 443. With auth_basic
# enabled, credentials sent to the port-80 listener travel unencrypted;
# redirecting port 80 to HTTPS before asking for a password avoids that.
server {
listen 80;
listen 443 default_server ssl;
ssl_certificate ssl2013/myssl.crt;
ssl_certificate_key ssl2013/myssl.key;
keepalive_timeout 70;
set $asset_dir /var/www/example.com/web/bundles/mdpimain;
server_name www.example.com;
root /var/www/example.com/web;
# strip app.php/ prefix if it is present
rewrite ^/app\.php/?(.*)$ /$1 permanent;
# rewrite home
rewrite ^/home/? / permanent;
# remove trailing slash
rewrite ^/(.*)/$ /$1 permanent;
# remove index.php
rewrite ^[/](.*)/index\.php$ /$1 permanent;
# sitemap redirection
rewrite ^/sitemap_(.*)$ /sitemap/$1 last;
location / {
index app.php;
# Existing files are served as they are; everything else goes to app.php.
if (-f $request_filename) {
break;
}
rewrite ^(.*)$ /app.php/$1 last;
}
EDIT1.
Another detail: the username and password I am using are correct, because nothing is logged in the nginx error.log, so this must be a redirect problem.
Try checking the $remote_user, if empty, return 403.
EDIT This works for me.
# Whole-site Basic authentication for a Symfony2 application.
# NOTE(review): the listener is plain HTTP, so the Basic credentials are sent
# unencrypted with every request.
server {
listen 80;
server_name www.example.com;
# Declared at server level, so it applies to every location below.
auth_basic 'RESTRICTED ACCESS';
auth_basic_user_file /var/web/my.passwd;
# NOTE(review): this chain adds no protection. These directives run in the
# rewrite phase, before auth_basic verifies anything, and $remote_user is just
# the user name read from the Authorization header. When it is empty, `break`
# stops the remaining rewrite directives; when it is not, $ok becomes "yes".
# `return 403` is therefore never reached. auth_basic does the enforcement.
set $ok "no";
if ($remote_user ~ ^$) { break; }
if ($remote_user != '') { set $ok "yes"; }
if ($ok != "yes") {
return 403;
}
# Path for static files
root /var/web/public_html;
location / {
# try to serve file directly, fallback to app.php
# NOTE(review): the fallback is app_dev.php, Symfony's development front
# controller with debug output; a production host should use app.php.
try_files $uri /app_dev.php$is_args$args;
}
# Only these three front controllers are executed. app_dev.php and config.php
# are development and setup entry points and should not be reachable in
# production.
location ~ ^/(app|app_dev|config)\.php(/|$) {
fastcgi_pass 127.0.0.1:9000;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS off;
}
}
