nginx rule for specific php file - nginx

I use nginx with modsecurity and php-fpm on my web server.
I use OWASP ModSecurity Core Rule Set.
I'm trying to use some specific rules for one php file (contact.php).
Here is my nginx config:
location /contact.php {
    ModSecurityEnabled on;
    ModSecurityConfig ../owasp-modsecurity-crs/modsecurity_rule1.conf; # Specific rules for this file
}
location ~ \.php$ {
    root /home/user/public_html;
    try_files $uri =404;
    fastcgi_pass 127.0.0.1:9001;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_script_name;
    include fastcgi_params;
    ModSecurityEnabled on;
    ModSecurityConfig ../owasp-modsecurity-crs/modsecurity.conf;
}
When I run with this config I get "500 Internal Server Error"
And this error in the php-fpm's error.log file:
2015/01/28 05:43:01 [alert] 1395#0: *1 no upstream configuration, client: IPAdress, server: example.com, request: "POST /contact.php HTTP/1.1", host: "www.example.com", referrer: "https://www.example.com/"
I guess there is a confusion with the two "location" blocks.
How to figure this out?

location /contact.php has no upstream configured. You must copy-paste all remaining directives from the second location,
or if you want to keep it DRY maybe this will work:
http {
    map $request_uri $mod_sec_config {
        /contact.php modsecurity_rule1.conf;
        default modsecurity.conf;
    }
}
.....
location ~ \.php$ {
    root /home/user/public_html;
    try_files $uri =404;
    fastcgi_pass 127.0.0.1:9001;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_script_name;
    include fastcgi_params;
    ModSecurityEnabled on;
    ModSecurityConfig ../owasp-modsecurity-crs/$mod_sec_config;
}
Not sure if this will work though, and according to nginx authors copy-paste is the right way of writing configs.
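
The copy-paste fix described in the answer above, written out as an added example (not part of the original answer). It reuses the paths, backend address and rule files from the question; making the first location an exact match (`=`) is an assumption of this example, chosen so that the contact form is always handled by its own block regardless of the regex location.

```nginx
# Added example: both locations carry a complete FastCGI upstream
# configuration, so neither is left without a backend.

# Exact match: nginx stops searching as soon as this location matches,
# so /contact.php never falls through to the generic regex block below.
location = /contact.php {
    root /home/user/public_html;
    try_files $uri =404;

    fastcgi_pass 127.0.0.1:9001;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_script_name;
    include fastcgi_params;

    ModSecurityEnabled on;
    # Rule set specific to contact.php (file name taken from the question)
    ModSecurityConfig ../owasp-modsecurity-crs/modsecurity_rule1.conf;
}

# Every other PHP script keeps the default rule set.
location ~ \.php$ {
    root /home/user/public_html;
    try_files $uri =404;

    fastcgi_pass 127.0.0.1:9001;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_script_name;
    include fastcgi_params;

    ModSecurityEnabled on;
    ModSecurityConfig ../owasp-modsecurity-crs/modsecurity.conf;
}
```

Run `nginx -t` after editing to confirm the configuration parses before reloading.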

Related

Nginx white page with no error

I'm new to nginx. I'm trying to use kubernetes with nginx. But I get a blank page and no error... what can I do?
Here is my configuration:
server {
    listen 80;
    root /var/www/project/web;
    location / {
        # try to serve file directly, fallback to app.php
        try_files $uri /app.php$is_args$args;
    }
    # DEV
    # This rule should only be placed on your development environment
    # In production, don't include this and don't deploy app_dev.php or config.php
    location ~ ^/(app_dev|config)\.php(/|$) {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    # PROD
    location ~ ^/app\.php(/|$) {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Prevents URIs that include the front controller. This will 404:
        # http://domain.tld/app.php/some-path
        # Remove the internal directive to allow URIs like this
        #internal;
    }
    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}
Edit:
I run it in a docker-compose, now I get this when I launch:
web_1 | * Restarting PHP5 FastCGI Process Manager php5-fpm
Edit 2:
connect() to unix:/var/run/php/php7.0-fpm.sock failed (2: No such file or directory) while connecting to upstream

symfony2 on nginx 500 internal server error

I am new to symfony. I am trying to set up symfony2 on an ubuntu server with nginx, but it shows a 500 internal server error. I have this server running some laravel projects as well and it's fine.
Can anyone help with what the problem is?
My nginx configuration is:
server {
    listen 80;
    root /home/ubuntu/test-symfony/web;
    index app.php;
    # Make site accessible from http://localhost/
    server_name symfony.jonesjapriady.com http://symfony.jonesjapriady.com;
    error_log /var/log/nginx/symfony2.error.log;
    access_log /var/log/nginx/symfony2.access.log;
    location / {
        try_files $uri /app.php?$query_string;
    }
    location ~ ^/(app_dev|app_test.php|app)\.php(/|$) {
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS off;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
    }
}

Roundcube on Nginx + php-fpm

I am running a VPS server with Centos and Plesk.
The server is working right, on a Nginx + php-fpm setup.
So, websites are served correctly, but when a user tries to access their webmail (Roundcube tool installed), it doesn't work.
My current nginx conf for webmail is:
server {
    listen [my server ip...]:80;
    server_name webmail.* roundcube.webmail.* horde.webmail.* atmail.webmail.*;
    client_max_body_size 20m;
    client_body_buffer_size 128k;
    proxy_read_timeout 90;
    location / {
        root /usr/share/psa-roundcube;
        index index.php index.html index.htm;
        location ~ \.php$
        {
            fastcgi_pass unix:/tmp/php5-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include /etc/nginx/fastcgi_params;
            fastcgi_keep_conn on;
            fastcgi_split_path_info ^(.+\.php)(.*)$;
        }
    }
}
What can be wrong?

This snippet works for me on CentOS 6.5. The SCRIPT_FILENAME is different and the fastcgi_index is present. Think that's it.
location ~ \.php$ {
    try_files $uri =404;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/tmp/php5-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_index index.php;
}
I have copied it from here and it works. The other directives in this particular example are well worth noticing/copying to harden the Plesk setup just a little.

Nginx with fastcgi_param caches value for other virtualhosts

When I try to auto_prepend a file in one of my virtualhosts I think it is cached by FastCGI and used on another virtualhost as well. The first code block is one of my sites auto prepending a file:
server {
    listen 80;
    server_name www.site1.com;
    root /var/www/site1;
    index index.php;
    # use fastcgi for all php files
    location ~ \.php$
    {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PHP_VALUE "auto_prepend_file=/file.php";
        include fastcgi_params;
    }
}
The second site does not auto prepend the file but actually does so anyway if site1 is requested in any way before site2. It seems like the "fastcgi_param PHP_VALUE" is cached somehow for both sites.
server {
    listen 80;
    server_name www.site2.com;
    root /var/www/site2;
    index index.php;
    # use fastcgi for all php files
    location ~ \.php$
    {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Configuration for lithium on nginx

I would like to deploy lithium on nginx server, however there are configurations provided only for Apache and IIS.
I've successfully written several nginx server configurations for various applications in past, but I'm struggling with this one.
Already asked this question on nginx and lithium forums, no luck.
This is best of what I've made so far.
root /var/servers/my_app/app/webroot;
location / {
    index index.php;
    try_files $uri $uri/ index.php;
}
location ~ \.php {
    fastcgi_pass unix:/tmp/php.socket;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /var/servers/my_app/$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_script_name;
}
Problem is on / (root page) every link gets index.php prepended, e.g. instead of
www.example.com/something
I get
www.example.com/index.php/something
Not sure if this even is nginx configuration related or rather something, that lithium does when it cannot detect Apache/IIS environment. Either way I cannot solve it.
Another thing: when I access "www.example.com/test" (via direct URL input), the page renders correctly; however, "www.example.com/test/" (with trailing slash) and "www.example.com/test/anything_here" are broken - all links get appended to the current URL, e.g. pressing the same link creates this:
www.example.com/test/
www.example.com/test/test
www.example.com/test/test/test
EDIT: Updated configuration
(Sorry for much delayed edit, but I'm still stuck and recently restarted solving this)
root /var/server/my_app/app/webroot/;
index index.php index.html;
try_files $uri $uri/ /index.php?$args;
location ~ \.php {
    fastcgi_pass unix:/tmp/php.socket;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /var/servers/my_app/$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_script_name;
}
location ~/\.ht {
    deny all;
}
}
As I mentioned in comments this now causes all links to have index.php included, it looks like:
www.example.com/index.php/something
www.example.com/index.php/stylesheet.css

I think your problem is that the try_files shouldn't be inside a location block.
Try the configuration shown here: http://li3.me/docs/manual/configuration/servers/nginx.wiki
I helped define it and have been using it locally and in production. It shouldn't cause any of the issues you're reporting.
Copying it below:
server {
    listen IP_ADDRESS_HERE:80;
    server_name DOMAIN.COM;
    root /var/www/DOMAIN.COM/webroot/;
    access_log /var/log/DOMAIN.com/access.log;
    error_log /var/log/DOMAIN.com/error.log warn;
    index index.php index.html;
    try_files $uri $uri/ /index.php?$args;
    location ~ \.php$
    {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }
    location ~ /\.ht {
        deny all;
    }
}

As I suspected, the problem was that Lithium relies on some environment variables; in this case, for link generation, it uses PHP_SELF, which happened to be incorrect.
Solution:
fastcgi_param PATH_INFO $fastcgi_path_info;
Instead of previously incorrect:
fastcgi_param PATH_INFO $fastcgi_script_name;
So final configuration:
root /var/server/my_app/app/webroot/;
index index.php index.html;
try_files $uri $uri/ /index.php?$args;
location ~ \.php {
    fastcgi_pass unix:/tmp/php.socket;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /var/servers/my_app$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
}
location ~/\.ht {
    deny all;
}
Thanks to rmarscher and mehlah @ lithium forums.
