We Keep Coding

Nginx 1.18.0 not executing php files, using php7.4-fpm

Appologies in advance, this is rather a long description, skip to the Problem peice below for my actual problem, also see the config files
I'm setting up an set of internal web sites for where I work, I decided to use nginx as the main app I use (GitLab) uses it underneath. Although I now think that maybe that wasn't so sensible !).
I can get GitLab to function just fine. I have temporarily 'turned it off' so as I can get the entry point to the pages up an running.
Background
The plan.
To run a single page for entry, and then have the various 'apps' running on sub domains.
So out main server is called reslab and then we will have the gitlab.reslab running on a subdomain, and then any other items we need on other subdomains.
So we we plan to put all our documentation into a mediawiki, so that will live on wiki.reslab
Also we expect to run a test version of the units web site, which will reside on testweb.reslab. Eventually I expect more things to end up on here, such as sub sites for specific projects.
As the main site is running on WordPress, I decided that I would use wordpress as the principle development option for the all the pages that may be created.
The problem
Whenever I open a link that is a php file, the file will be downloaded, rather than being executed.
At first I realised that the files in the document root weren't executable, but that didn't help.
I've checked the php config for the location of the socket file, which is as it appears in the config files below.
I had originally wanted to split the config file into smaller peices, but I got persistent errors when testing the config with nginx -t.
Have I included my files in the wrong place ? should they all be in the nginx.conf file (and not sitting in the relab.conf file?) ~ although placing them into the nginx.conf file just gave errors about items being double declared, and as they where for the worpress site it made sense in my mind to leave them within the site specific config file.
Is there a way to output the details of the files that are being included, so as I can be sure that I have missed a config file.
The system is running debian : Linux reslab 5.10.0-8-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64 GNU/Linux
I have installed php and nginx, and both are running
php :
sudo service php7.4-fpm status
● php7.4-fpm.service - The PHP 7.4 FastCGI Process Manager
Loaded: loaded (/lib/systemd/system/php7.4-fpm.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2021-10-04 13:34:06 CEST; 7s ago
Docs: man:php-fpm7.4(8)
Process: 434953 ExecStartPost=/usr/lib/php/php-fpm-socket-helper install /run/php/php-fpm.sock /etc/php/7.4/fpm/pool.d/www.conf 74 (code=exited, status=0/SUCCESS)
Main PID: 434950 (php-fpm7.4)
Status: "Ready to handle connections"
Tasks: 3 (limit: 43238)
Memory: 9.8M
CPU: 56ms
CGroup: /system.slice/php7.4-fpm.service
├─434950 php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
├─434951 php-fpm: pool www
└─434952 php-fpm: pool www
nginx :
sudo service nginx status
[sudo] password for davem:
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2021-10-04 12:08:34 CEST; 1h 51min ago
Docs: man:nginx(8)
Process: 425978 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 425979 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 425980 (nginx)
Tasks: 13 (limit: 43238)
Memory: 11.7M
CPU: 73ms
CGroup: /system.slice/nginx.service
├─425980 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─425981 nginx: worker process
├─425982 nginx: worker process
├─425983 nginx: worker process
├─425984 nginx: worker process
├─425985 nginx: worker process
├─425986 nginx: worker process
├─425987 nginx: worker process
├─425988 nginx: worker process
├─425989 nginx: worker process
├─425990 nginx: worker process
├─425991 nginx: worker process
└─425992 nginx: worker process
Setup
I intend for the main site to be named as for the server, this is its nginx config.
/etc/nginx/nginx.conf
sudo more nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
#######################################################
### Config for Wordpress multi sites ########
#######################################################
worker_cpu_affinity auto; #worpress
##
# For Virtual Host Configs
##
# include /etc/nginx/conf.d/*.conf;
# include /etc/nginx/sites-enabled/*.conf; # I do this later on ...
events {
worker_connections 1024;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
# it may be internal, but I want to set up good practice
# internal pages using a self signed certificate
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
#error log levels are : warn, error crit, alert, and emerg
# just add one to the end of the below line before the ';'
# eg error_log /var/log/nginx/error.log warn;
error_log /var/log/nginx/error.log debug;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
#for the inclusion of other sites config files
include /etc/nginx/sites-enabled/*.conf;
# for wordpress to use php
# Upstream to abstract backend connection(s) for PHP.
upstream php {
#this should match value of "listen" directive in php-fpm pool
server unix:/var/run/php/php7.4-fpm.sock;
server 127.0.0.1:9000;
}
# below is for gitlab config that cannot be in the main server section.
upstream gitlab-workhorse {
server unix://var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
}
}
sites-enabled
/etc/nginx/sites-enabled/reslab.conf :
# This will be our default landing page configuration
# All the sub sites, and this one, are using wordpress
# the exception is the gitlab subdomain
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
## Strong SSL Security
## see https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
# ssl on; # this line is deprecated and replaced by the listen 0.0.0.0:443 directive above (just after the start of the server section)
ssl_certificate /etc/nginx/ssl/reslab.crt;
ssl_certificate_key /etc/nginx/ssl/reslab.key;
#Some extra ssl wordpress stuff
# Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score as of Sept 2015.
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';
# Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
#document root for the main langing page
root /var/www/reslab/wordpress;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html index.php;
#ensure that all the sub server are considered equally using the '.reslab'
server_name 10.69.60.18 reslab .reslab *.reslab;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
#add specific logging for this server.
access_log /var/log/nginx/reslab_access.log;
#set to debug whilst troubleshooting php problems
error_log /var/log/nginx/reslab_error.log debug;
}
#set the mapping of this site to its relevant blog pages
# this needs to be outside of the server block (but in the http block)
map $http_host $blogid {
default -999;
#Ref: https://wordpress.org/extend/plugins/nginx-helper/
#include /var/www/wordpress/wp-content/plugins/nginx-helper/map.conf ;
}
#here is the wordpress specific stuff, that should be copied into most subdomains.
#remember to modify as required the server root if you have just made a simple copy of this file
server {
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location / {
# This is cool because no php is touched for static content.
# include the "?$args" part so non-default permalinks doesn't break when using query string
try_files $uri $uri/ /index.php?rt=$uri&$args;
}
# load the nginx php / fastCGI support module
include /etc/nginx/fcgiwrap.conf;
# this is required to tell nginx to run php files on the server not as a downloadable file !
location ~ \.php$ {
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
try_files $uri /index.php =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# lots of the lines below can be included in the following file(s)
include fastcgi.conf;
include snippets/fastcgi-php.conf;
fastcgi_intercept_errors on;
# the fastci_index is included via the snippets/fastcgi_php.conf file so is not needed here
# the line is left here for reference
#fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
# can run php through a file socket or via an ip
#fastcgi_pass 127.0.0.1:9000;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
#WPMU Files
location ~ ^/files/(.*)$ {
try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
access_log off; log_not_found off; expires max;
}
#WPMU x-sendfile to avoid php readfile()
location ^~ /blogs.dir {
internal;
alias /var/www/example.com/htdocs/wp-content/blogs.dir;
access_log off; log_not_found off; expires max;
}
# ensure that no one is able to write directly to the server from the web page.
location ~ /\.ht {
deny all;
}
#add some rules for static content expiry-headers here
}
/etc/nginx/fastcgi.conf
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
/etc/nginx/fastcgi_params (which is exactly the same as fastcgi.conf ? do I need both ?)
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
/etc/nginx/snippets/fastcgi-php.conf
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
# we do this in the sites config file, so no need for duplication
#try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
#this looks back at the earlier file, does this circular reference cause a problem ?
include fastcgi.conf;
/etc/php/7.4/fpm/php.ini has not been modified from the installed version, and as its rather large, with the exception of the line
cgi.fix_pathinfo = 1
where some guides suggest this should be 0 (zero) and nginx suggest 1, I've tried both values ... and no difference.
Does nginx need a special module to run php to function ?
the file will be downloaded, it makes no difference if I access it from localhost or via its IP address.
Is there something obvious that I am missing ?
I can run the a simpl phpinfo() call from the cli, and I get the expected output.
need more config details... feel free to ask.
thanks in advance
Dave
edit 1
So I've tried all the variations of listen and server_name within the server block that has the php details within it.
I have turned on debug logging in the error file for this site, looking through it states http script var: "/wp-admin/install.php" which seems like it is seeing it as a php script, and demonstrates that it is clearly capturing the correct file. I have also tried with a basic info.php file... here is a section of the log ...
try files handler
2021/10/04 16:21:17 [debug] 452491#452491: *3 http script var: "/info.php"
2021/10/04 16:21:17 [debug] 452491#452491: *3 trying to use file: "/info.php" "/var/www/reslab/wordpress/info.php"
2021/10/04 16:21:17 [debug] 452491#452491: *3 try file uri: "/info.php"
2021/10/04 16:21:17 [debug] 452491#452491: *3 generic phase: 13
2021/10/04 16:21:17 [debug] 452491#452491: *3 content phase: 14
2021/10/04 16:21:17 [debug] 452491#452491: *3 content phase: 15
2021/10/04 16:21:17 [debug] 452491#452491: *3 content phase: 16
2021/10/04 16:21:17 [debug] 452491#452491: *3 content phase: 17
2021/10/04 16:21:17 [debug] 452491#452491: *3 content phase: 18
2021/10/04 16:21:17 [debug] 452491#452491: *3 http filename: "/var/www/reslab/wordpress/info.php"
I feel there should be some clue in here with the server telling me it is recognised as an http script rather than a fastcgi script ?
edit 2
So I just logged onto the server, and ran firefox locally. As I expected it attempts to download the file. However it wants to 'open' it in firefox ... when I do this, it just re-downloads ....
However, when I select the 'other' option from the download list the next windows has a message of :
no applications fournd for application/octet-stream files.
which strikes me as firefox trying to tell me that this is an 'application', or am I missunderstanding FFXs message ?
Also when I do the same thing on my remote pc, I still get the 'open with geany' option.
edit 3
So it occured to me this may be a permissions issue. So I ran the info.php script from the terminal as the www-data (user and group) :
sudo su -s /bin/bash -c "php info.php" -g www-data www-data
and I got the expected output.
note when I did this logged in via ssh to the server.
My other feeling is that the includes aren't correct in some way ? is there a way to debug the files that are being inlcuded (something like nginx -t but with a more verbose output ?)

First off, this is far too much config to trouble shoot for a simple problem, it would be far easier to whittle it down to a minimal config that works and then add in other site, caching, whatever.
But on a quick scan, the server block that does the fastcgi_pass has no listen directive, so there would be no way to hit that config.
Also:
Q: "Does nginx need a special module to run php to function ?"
A: No, not specifically for php. FastCGI is the module your using to contact php via standard protocol.

I do not know why do you change nginx.conf, I usually don't do that. I edit configs in sites available:
Maybe you should try my nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
Then in sites_available place the config from my blog:
server {
# https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-ubuntu-20-04
listen 80;
server_name wordpress.darius;
root /home/darius/Private/Projects/wordpress;
index index.html index.htm index.php;
location / {
# https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-lemp-on-ubuntu-20-04#prerequisites
try_files $uri $uri/ /index.php$is_args$args;
# end https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-lemp-on-ubuntu-20-04#prerequisites
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.0-fpm.sock;
}
location ~ /\.ht {
deny all;
}
# end https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-ubuntu-20-04
# https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-lemp-on-ubuntu-20-04#prerequisites
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt { log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
#end https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-lemp-on-ubuntu-20-04#prerequisites
}
In fastcgi.conf the difference I see that in your file there is
fastcgi_param REMOTE_USER $remote_user;
but in my there is no such line. Same with /etc/nginx/fastcgi_params
There are little differences from your in fastcgi-php.conf, my file looks like this:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
Also I am not changing this file ever I think.
cgi.fix_pathinfo in my case is On.
Not sure if there can be problem with the order of includes, since I do not modify those configs, besides ones in sites-available dir.
So try with my configs. And then if that works, make changes little by little to match your needs. Then you should find exactly which part makes it not work.
As you can see I use php 8 so I reccomend it to you also, or change values in my configs examples.

lxc with nextcloud and nginx proxy: Unknown: POST Content-Length

I have two lxc containers. One is the proxy with nginx and this config:
server {
server_name cloud.malte-kiefer.de;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://cloud.lxd;
}
real_ip_header proxy_protocol;
set_real_ip_from 127.0.0.1;
listen [::]:443 ssl http2 proxy_protocol;
listen 443 ssl http2 proxy_protocol;
ssl_certificate /etc/nginx/ssl/cloud.malte-kiefer.de/fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/cloud.malte-kiefer.de/privkey.key;
}
server {
listen 80 proxy_protocol;
listen [::]:80 proxy_protocol;
server_name cloud.malte-kiefer.de;
location / {
return 301 https://cloud.malte-kiefer.de$request_uri;
}
return 404;
}
Then I have the cloud container with nextcloud with this config:
upstream php-handler {
server unix:/var/run/php/php7.3-fpm.sock;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
set $base /var/www/html;
root /var/www/html;
index index.php index.html index.htm index.nginx-debian.html;
server_name cloud.malte-kiefer.de;
fastcgi_hide_header X-Powered-By;
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location / {
rewrite ^ /index.php;
}
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
location = /.well-known/carddav {
return 301 https://cloud.malte-kiefer.de/remote.php/dav;
}
location = /.well-known/caldav {
return 301 https://cloud.malte-kiefer.de/remote.php/dav;
}
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
When I try to open the URL I see the installation page from nextcloud. When I enter information and send it reload from page and this in the nextcloud log:
Unknown: POST Content-Length of 213 bytes exceeds the limit of 16
bytes at Unknown#0
This is the nginx log from the nextcloud container
2020/01/13 17:32:20 [error] 416#416: *8 FastCGI sent in stderr: "PHP
message: PHP Warning: Unknown: POST Content-Length of 213 bytes
exceeds the limit of 16 bytes in Unknown on line 0" while reading
response header from upstream, client: 89.204.135.199, server:
cloud.malte-kiefer.de, request: "POST /index.php HTTP/1.0", upstream:
"fastcgi://unix:/var/run/php/php7.3-fpm.sock:", host:
"cloud.malte-kiefer.de"
I check my PHP ini file:
root#cloud:~# grep -R "post_max_size" /etc/php/
/etc/php/7.3/fpm/php.ini:post_max_size = 16GB
/etc/php/7.3/cli/php.ini:post_max_size = 16GB
/etc/php/7.3/phpdbg/php.ini:post_max_size = 8M
root#cloud:~# grep -R "memory_limit" /etc/php/
/etc/php/7.3/fpm/pool.d/www.conf:;php_admin_value[memory_limit] = 32M
/etc/php/7.3/fpm/php.ini:memory_limit = 512M
/etc/php/7.3/cli/php.ini:memory_limit = 512M
/etc/php/7.3/phpdbg/php.ini:memory_limit = 128M
I can't find the issue. Maybe you guys can help me.

Ok, it was a missconfig in the php.ini file.
I totally removed PHP vom the nextcloud container, reinstalled and it works now.

Why is my php not being rendered? Why is my php page blank?

I'm trying to setup a wordpress server, but before that I need to get PHP working. Currently I have installed and configured nginx and php 7.3, but the php is not rendering, it is just showing text.
Main Issue:
[root#a-knapsack-sav ~]# cat /usr/share/nginx/html/info.php
<?php
phpinfo();
?>
[root#a-knapsack-sav ~]# curl http://localhost/info.php
<?php
phpinfo();
?>
Obviously I should expect to see some content from the above, but I'm not. The following is all of the setup that I've done. Hopefully someone can see this and point out my likely omission.
What OS are you using?
[root#a-knapsack-sav nginx]# rpm -q centos-release
centos-release-7-6.1810.2.el7.centos.x86_64
Is nginx even installed?
[root#a-knapsack-sav nginx]# nginx -v
nginx version: nginx/1.15.12
Is php even installed?
[root#a-knapsack-sav nginx]# php -v
PHP 7.3.5 (cli) (built: Apr 30 2019 08:37:17) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.5, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.3.5, Copyright (c) 1999-2018, by Zend Technologies
Where is nginx installed?
[root#a-knapsack-sav nginx]# pwd
/etc/nginx
[root#a-knapsack-sav nginx]# ls
conf.d fastcgi_params koi-utf koi-win mime.types modules nginx.conf scgi_params sites-available sites-enabled uwsgi_params win-utf
Is php-fpm even running?
[root#a-knapsack-sav nginx]# systemctl status php-fpm
● php-fpm.service - The PHP FastCGI Process Manager
Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2019-05-03 10:42:25 CDT; 7h ago
Main PID: 2772 (php-fpm)
Status: "Processes active: 0, idle: 5, Requests: 0, slow: 0, Traffic: 0req/sec"
CGroup: /system.slice/php-fpm.service
├─2772 php-fpm: master process (/etc/php-fpm.conf)
├─2773 php-fpm: pool www
├─2774 php-fpm: pool www
├─2775 php-fpm: pool www
├─2776 php-fpm: pool www
└─2777 php-fpm: pool www
Is nginx even running?
[root#a-knapsack-sav nginx]# systemctl status nginx
● nginx.service - nginx - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2019-05-03 17:19:55 CDT; 31min ago
Docs: http://nginx.org/en/docs/
Process: 4299 ExecStop=/bin/kill -s TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 4302 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
Main PID: 4303 (nginx)
CGroup: /system.slice/nginx.service
├─4303 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
└─4304 nginx: worker process
Did you edit you php.ini?
Only the cgi.fix_pathinfo for security.
[root#a-knapsack-sav nginx]# cat /etc/php.ini | grep cgi.fix
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
; http://php.net/cgi.fix-pathinfo
cgi.fix_pathinfo=0
Did you update php's conf settings to for nginx?
I think so.
[root#a-knapsack-sav ~]# cat /etc/php-fpm.d/www.conf | grep listen
; - 'listen' (unixsocket)
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; 'port' - to listen on a TCP socket to all addresses
; '/path/to/unix/socket' - to listen on a unix socket.
listen = /var/run/php-fpm/php-fpm.sock
; Set listen(2) backlog.
;listen.backlog = 511
listen.owner = nobody
listen.group = nobody
;listen.mode = 0660
; When set, listen.owner and listen.group are ignored
;listen.acl_users = apache,nginx
;listen.acl_groups =
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
listen.allowed_clients = 127.0.0.1
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; listen queue len - the size of the socket queue of pending connections;
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
[root#a-knapsack-sav ~]# cat /etc/php-fpm.d/www.conf | grep nginx
user = nginx
group = nginx
;listen.acl_users = apache,nginx
Did you update nginx's conf properly?
As far as I know to....
[root#a-knapsack-sav ~]# cat /etc/nginx/conf.d/default.conf
server {
listen 80;
# listen [::]:80;
server_name A.B.C.D;
root /usr/share/nginx/html;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~* \.php$ {
try_files $uri =404;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_param SCRIPT_NAME $fastcgi_script_name;
}
# location ~ /.ht {
# deny all;
# }
}
Do you have your info.php file in the correct place?
Yezzir.
[root#a-knapsack-sav ~]# ls /usr/share/nginx/html
50x.html index.html info.php
What about your nginx.conf?
[root#a-knapsack-sav ~]# cat /etc/nginx/nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*.conf;
server_names_hash_bucket_size 64;
}
What about your sites-available conf?
I don't know if this is needed but I tried it anways.
[root#a-knapsack-sav ~]# cat /etc/nginx/sites-available/default.conf
server {
listen 80;
server_name A.B.C.D;
root /usr/share/nginx/html;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ .php$ {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
# location ~ /.ht {
# deny all;
# }
}
Did you forget to link sites-enabled and sites-available?
Nope :)
[root#a-knapsack-sav ~]# ls -lrt /etc/nginx/sites-enabled
total 0
lrwxrwxrwx. 1 root root 39 May 3 12:40 default.conf -> /etc/nginx/sites-available/default.conf
I hope this is everything. I think this is everything I've done. The index.html loads when I curl http://localhost but as shown above the info.php is not rendered when called. I think, I've set this up almost correct, but I'm pretty sure I missed something. Please let me know if something seems off. I tried to follow https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7 (mysql is on another server). Also if there is any configuration that I need to change so that curl http://A.B.C.D doesn't hang and returns like curl http://localhost, I'd appreciate it. Thanks :)
Edit:
What is your entire config?
[root#a-knapsack-sav ~]# nginx -T
nginx: [warn] conflicting server name "A.B.C.D" on 0.0.0.0:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*.conf;
server_names_hash_bucket_size 64;
}
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/default.conf:
server {
listen 80;
# listen [::]:80;
server_name A.B.C.D;
root /usr/share/nginx/html;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~* \.php$ {
try_files $uri =404;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_param SCRIPT_NAME $fastcgi_script_name;
}
# location ~ /.ht {
# deny all;
# }
}
# configuration file /etc/nginx/fastcgi_params:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# configuration file /etc/nginx/conf.d/default_original.conf:
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# configuration file /etc/nginx/sites-enabled/default.conf:
server {
listen 80;
server_name A.B.C.D;
root /usr/share/nginx/html;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ .php$ {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
# location ~ /.ht {
# deny all;
# }
}

Following Richard Smith's question, nginx -T showed that I had another conf active that was interfering with my config, /etc/nginx/conf.d/default_original.conf. So I did mv /etc/nginx/conf.d/default_original.conf /etc/nginx/conf.d/default.conf.original to get it to no longer load and I changed the include /etc/nginx/fastcgi_params; to include fastcgi_params; in /etc/nginx/sites-available/default.conf. After doing this I restarted nginx (systemctl restart nginx) and curl http://localhost return an expected output of html tables.

Nginx Fast CGI cache ON error_page 404

I would like to cache (fast_cgi) 404 response.
error_page 404 = /url_rewriting.php;
In my url_rewriting.php I generate image with php:
if(strpos($_SERVER['REQUEST_URI'], 'render/framed/file') !== FALSE) {
$urlBlocks = ['VR', 'sizePixels', 'image', 'ver', 'frame', 'borderSize', 'mat', 'matSize', 'maxSize', 'frameGlass', 'minSize'];
foreach($urlBlocks as $oneBlock) {
if($pos = array_search($oneBlock, $urlParts)) {
if(isset($urlParts[($pos+1)]) && $urlParts[($pos+1)] != '') {
$_GET[$oneBlock] = urldecode($urlParts[($pos+1)]);
}
}
}
chdir('include/php/render/framed');
header('Status: 200 OK', false, 200);
require ('include/php/render/framed/render_img.php');
}
By this way, I can have image src URL in the HTML like this :
https://mywebsite.com/include/php/render/framed/file/VR/1/size/300/image/U3dpwK/the-cat.jpg
which jpg file does not exist but is generated by PHP.
But I didn't find any way with Nginx to cache theses php generated images.
I tried this:
set $no_cache 0;
location ~ /render/ {
include snippets/fastcgi-php.conf;
#fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_pass 127.0.0.1:9000;
fastcgi_buffers 8 16k; # increase the buffer size for PHP-FTP
fastcgi_buffer_size 32k; # increase the buffer size for PHP-FTP
fastcgi_cache_key $scheme$host$request_uri$request_method;
fastcgi_cache PROD;
fastcgi_cache_valid any 20d;
fastcgi_cache_valid 404 20d;
fastcgi_cache_use_stale updating error timeout invalid_header http_500 http_503;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_hide_header "Set-Cookie";
fastcgi_cache_bypass $no_cache;
fastcgi_no_cache $no_cache;
expires 10M;
access_log off;
add_header Cache-Control "public";
add_header X-Cache-Status $upstream_cache_status;
}
It's working for image URL
https://mywebsite.com/include/php/render/framed/img.php?VR=1&size=300&image=U3pmwKi
but not for image URL
https://mywebsite.com/include/php/render/framed/file/VR/1/size/300/image/U3dpwK/the-cat.jpg
Yet I have put fastcgi_cache_valid 404 20d;
So, how to cache scripts going on error_page 404 = /url_rewriting.php;?
EDIT
Here are 2 curl -I output:
Non working URL (For cache)
curl -I "https://mywebsite.com/include/php/render/framed/file/VR/1/sizePixels/300/image/SzDuehqyda%3D/ver//frame/black-e91-2/borderSize/1.70/mat/zkadhtcoz/matSize/10/maxSize/800/minSize/600/freedom.jpg"
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 04 May 2018 14:59:24 GMT
Content-Type: image/jpeg
Connection: keep-alive
Set-Cookie: Mywebsite=vmegg0qk7udtmkmcathd329kkp; expires=Sun, 03-Jun-2018 14:59:24 GMT; Max-Age=2592000; path=/
Cache-Control: private, max-age=31536000, pre-check=31536000
Pragma: private
Last-Modified: Sat, 01 Apr 2000 13:13:45 GMT
Content-transfer-encoding: binary
Expires: Sat, 08 Jun 19 15:59:24 +0100
Strict-Transport-Security: max-age=31536000
Working URL (For cache)
curl -I "https://mywebsite.com/include/php/render/framed/render_img.php?VR=1&sizePixels=360&image=SzDuehqyda%3D&ver=&frame=black-e91-2&borderSize=1.70&mat=zkadhtcoz&matSize=10&maxSize=800&minSize=600"
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 04 May 2018 14:59:59 GMT
Content-Type: image/jpeg
Connection: keep-alive
Cache-Control: max-age=25920000
Pragma: private
Last-Modified: Sat, 01 Apr 2000 13:13:45 GMT
Content-transfer-encoding: binary
Expires: Thu, 28 Feb 2019 14:59:59 GMT
Cache-Control: public
X-Cache-Status: HIT
EDIT2
Output of nginx -t
root#mywebsite-london-01:/var/www/mywebsite.com/prod# nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Adding GeoIP for Matomo
##
geoip_country /var/www/geoip/GeoIP.dat;
geoip_city /var/www/geoip/GeoLiteCity.dat;
# Max File upload
client_max_body_size 100m;
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
log_format compression '$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" "$gzip_ratio"';
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
# gzip on;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# CACHE (Images rendering)
fastcgi_cache_path /var/www/cache/l7 levels=1:2 keys_zone=L7:1m max_size=100m inactive=20d;
fastcgi_cache_path /var/www/cache/prod levels=1:2 keys_zone=PROD:100m max_size=10000m inactive=30d; # For PROD
add_header X-Cache $upstream_cache_status; #To check what is that for
# SSL
ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 180m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
ssl_dhparam /etc/nginx/cert/dhparam.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
server {
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
server_name mywebsite.com www.mywebsite.com l7.mywebsite.com cdn.mywebsite.com dev.mywebsite.com;
set $rootfolder "prod";
set $ask_auth "Restricted Area";
if ($host ~ "l7.mywebsite.com") {
set $rootfolder "l7";
set $ask_auth off;
}
root /var/www/mywebsite.com/$rootfolder;
access_log /var/log/nginx/mywebsite.com-access.log compression buffer=32k;
error_log /var/log/nginx/mywebsite.com-error.log;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm index.nginx-debian.html;
error_page 404 = /url_rewriting.php;
set $no_cache 1;
if ($request_uri ~* "render_img.php") {
set $no_cache 0;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
#auth_basic $ask_auth;
#auth_basic_user_file .htpasswd;
}
set $no_cache 0;
#location ~ render_img.php {
location ~ /render\/framed/ {
include snippets/fastcgi-php.conf;
#fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_pass 127.0.0.1:9000;
fastcgi_buffers 8 16k; # increase the buffer size for PHP-FTP
fastcgi_buffer_size 32k; # increase the buffer size for PHP-FTP
fastcgi_cache_key $scheme$host$request_uri$request_method;
fastcgi_cache PROD;
fastcgi_cache_valid any 20d;
fastcgi_cache_valid 404 1d;
#fastcgi_cache_valid any 20d;
#fastcgi_cache_use_stale updating error timeout invalid_header http_500 http_503 http_404;
fastcgi_cache_use_stale updating error timeout invalid_header http_500 http_503;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_hide_header "Set-Cookie";
fastcgi_cache_bypass $no_cache;
fastcgi_no_cache $no_cache;
expires 10M;
access_log off;
add_header Cache-Control "public";
add_header X-Cache-Status $upstream_cache_status;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
#fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_pass 127.0.0.1:9000;
fastcgi_buffers 8 16k; # increase the buffer size for PHP-FTP
fastcgi_buffer_size 32k; # increase the buffer size for PHP-FTP
fastcgi_param GEOIP_ADDR $remote_addr;
fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
fastcgi_param GEOIP_REGION $geoip_region;
fastcgi_param GEOIP_REGION_NAME $geoip_region_name;
fastcgi_param GEOIP_CITY $geoip_city;
fastcgi_param GEOIP_AREA_CODE $geoip_area_code;
fastcgi_param GEOIP_LATITUDE $geoip_latitude;
fastcgi_param GEOIP_LONGITUDE $geoip_longitude;
fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
if ($rootfolder = "l7") {
access_log /var/log/nginx/mywebsite_l7.com-access.log;
}
}
location ~ /\.ht {
deny all;
}
}
server {
if ($host = dev.mywebsite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = cdn.mywebsite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = l7.mywebsite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = www.mywebsite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = mywebsite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server;
server_name mywebsite.com www.mywebsite.com l7.mywebsite.com cdn.mywebsite.com dev.mywebsite.com;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
# configuration file /etc/nginx/fastcgi.conf:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
SOLUTION
As said by Tarun Lalwani, the block priority and order matters. But also, when you want to cache 404 response, you have to check it on the filename of error_page:
location ~ (render_img.php|^/url_rewriting.php$) {
fastcgi_cache...stuffs to cache...
}
We cannot check location ^~ /render/framed/ { as it's a 404 response which corresponds to /url_rewriting.php.

Your issue is that you need to give priority to your block of .php and not /render/framed/ when a .php is called in that location. It is still caught by the .php block
So you need to use below for your location block. You need to use
location ^~ /render/framed/ {
...
}
For understanding the same in details refer to
Nginx location priority

Nginx error FastCGI sent in stderr: "Access to the script [folder] has been denied (see security.limit_extensions)"

I am trying to configure my webserver using Nginx and php-fpm
I have successfully configured before in my local computer and dev server, but not now in AWS.
The only difference is I installed Nginx from a source in production server
It gives an error like these in my /var/log/nginx/error.log
2014/03/11 11:09:19 [error] 11138#0: *1 FastCGI sent in stderr: "Access to the script '/home/ambassador-portal/ambassador-api/web' has been denied (see security.limit_extensions)" while reading response header from upstream, client: 202.62.16.225, server: brandapi.whatiwear.com, request: "GET /app_dev.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "brandapi.whatiwear.com", referrer: "http://brandapi.whatiwear.com/"
While the error log in php-fpm gives no error
Here is my nginx.conf
user root;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
gzip on;
server {
listen 80;
server_name localhost;
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
include /usr/local/nginx/conf/sites-enabled/*.conf;
}
Here is my nginx_host.conf
server {
server_name brandapi.whatiwear.com;
access_log /var/log/nginx/brandapi_access.log;
error_log /var/log/nginx/brandapi_error.log;
root /home/ambassador-portal/ambassador-api/web;
disable_symlinks off;
autoindex on;
location / {
try_files $uri $uri/ /app.php$uri?$args;
}
location ~ \.htaccess {
deny all;
}
location ~ \.php$ {
fastcgi_split_path_info ^((?U).+\.php)(.+)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
include /usr/local/nginx/conf/fastcgi_params;
}
}
Here is my /etc/php5/fpm/conf/www.conf
; Start a new pool named 'www'.
[www]
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
user = ec2-user
group = ec2-user
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
slowlog = /var/log/php-fpm/www-slow.log
security.limit_extensions = .php .php3 .php4 .php5 .html .htm
php_admin_value[error_log] = /var/log/php-fpm/5.5/www-error.log
php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 128M
; Set session path to a directory owned by process user
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/5.5/session
I've read from access denied on nginx and php and try to chmod and I've tried the solution from Nginx 403 forbidden for all files and here is my result
dr-xr-xr-x root root /
drwxr-xr-x root root home
drwxr-xr-x ec2-user ec2-user ambassador-portal
drwxr-xr-x ec2-user ec2-user ambassador-api
drwxr-xr-x ec2-user ec2-user web
I turned the autoindex on just for seeing if my root directory is right, the weird thing is I can open all files except PHP files
You can see a live example at http://brandapi.whatiwear.com/
What is wrong with my webserver..?

I removed these two configurations from the nginx.conf file.
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
It works.

The problem is in this line
(in your /etc/php5/fpm/conf/www.conf)
security.limit_extensions = .php .php3 .php4 .php5 .html .htm
Just add the extension .pl after .htm.
Cheers.