I am using nginx + php-fpm on my CentOS server, and while I was trying to set up HTTPS with nginx.conf revised, I found that only 'index.php' cannot be properly accessed.
working:
https://ip/index.php
https://domain/*.php (* != index)
https://domain/*/*.php
http://ip/index.php
http://domain/index.php
not working:
https://domain/index.php
my nginx.conf looks like this:
server {
    listen 443 default_server;
    server_name localhost;
    ssl on;
    root /home/wwwroot/default;
    index index.html index.htm;
    ssl_certificate cert/*****.pem;
    ssl_certificate_key cert/*****.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        root /home/wwwroot/default;
        index index.html index.htm index.php;
    }
    location ~ [^/]\.php(/|$) {
        root /home/wwwroot/default;
        fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_index index.php;
        fastcgi_param HTTPS on;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        include fastcgi.conf;
    }
}
I used to use lnmp. Now I have decided to use an upgradable apt source. I have built MySQL and Nginx. After installing PHP and php-fpm, my nginx cannot execute PHP. It can resolve HTML. Here is my config for my virtual host:
server {
    listen 80;
    server_name himeki.net;
    return 301 https://$server_name$request_uri;
    root /home/wwwroot;
    index index.html index.php index.htm;
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
server {
    listen 443;
    server_name himeki.net;
    ssl on;
    ssl_certificate /etc/nginx/himeki.net.crt;
    ssl_certificate_key /etc/nginx/himeki.net.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    root /home/wwwroot;
    location ~ / {
        index index.html index.php index.html index.htm;
    }
    location ~ [^/]\.php(/|$) {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}
Finally I used 'Apache2' instead. It works.
I have trouble running the davical (PHP) web calendar. There is no error log in the nginx error logs. When the calendar is under the \ location everything works. But when I have the calendar under the /calendar location, it returns 404.
default server root is: /usr/share/nginx/html/default
calendar index.php path: /usr/share/nginx/html/calendar/davical/htdocs\index.php
os: Centos 7
server {
    listen 80 default_server;
    server_name my_domain_name;
    return 301 https://$server_name$request_uri;
}
Https
server {
    listen 443 ssl http2;
    server_name my_domain_name;
    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    ssl on;
    ssl_certificate "/etc/pki/tls/certs/nginx/certificate.pem";
    ssl_certificate_key "/etc/pki/tls/certs/nginx/privatekey.pem";
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    ssl_dhparam "/etc/pki/tls/certs/nginx/dhparam.pem";
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    resolver 8.8.8.8 8.8.4.4;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate "/etc/pki/tls/certs/nginx/certificate.pem";
    add_header Strict-Transport-Security "max-age=31536000;includeSubdomains; preload";
    root /usr/share/nginx/html/default;
    index index.php index.html index.htm;
    include /etc/nginx/default.d/php-fpm.conf;
    location /calendar {
        alias /usr/share/nginx/html/calendar/davical/htdocs;
    }
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
php-fpm.conf
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_param HTTPS on;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}
Your existing location ~ \.php$ block serves the /usr/share/nginx/html/default root. You need a nested location to process PHP files under the /calendar URI.
Assuming that your calendar app is designed to work within a subfolder, this may work for you:
location ^~ /calendar {
    alias /usr/share/nginx/html/calendar/davical/htdocs;
    index index.php;
    if (!-e $request_filename) {
        rewrite ^ /calendar/index.php last;
    }
    location ~ \.php$ {
        if (!-f $request_filename) { return 404; }
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $request_filename;
    }
}
Use the ^~ modifier to prevent the other location ~ \.php$ block from taking precedence (see this document for more). Use $request_filename, as it works with alias. Avoid using try_files with alias (see this issue).
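An added illustration of the answer above (not code from the original post): a small Python model of nginx's server-level location choice, showing why /calendar/index.php was handled by the server-wide \.php$ block under the default root, and what the ^~ modifier changes. Nested locations are not modelled, and the function and variable names are assumptions made for this sketch.

```python
import re

# Paths taken from the question; the location lists are a constructed
# model of the two configs (server level only, nested blocks omitted).
DEFAULT_ROOT = "/usr/share/nginx/html/default"
CALENDAR_ALIAS = "/usr/share/nginx/html/calendar/davical/htdocs"
ORIGINAL = [("", "/calendar"), ("~", r"\.php$"), ("=", "/50x.html")]
FIXED = [("^~", "/calendar"), ("~", r"\.php$"), ("=", "/50x.html")]


def select_location(locations, uri):
    """Return the (modifier, pattern) pair nginx would choose for uri."""
    # 1. An exact-match location wins outright.
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)
    # 2. Remember the longest matching prefix location.
    best = None
    for mod, pat in locations:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)
    # 3. ^~ on that prefix skips the regex pass entirely.
    if best is not None and best[0] == "^~":
        return best
    # 4. Otherwise the first matching regex, in config order, wins.
    for mod, pat in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return (mod, pat)
    return best


def request_filename(location, uri):
    """Filesystem path nginx resolves for uri in the chosen location."""
    _, pat = location
    if pat == "/calendar":
        # alias swaps the matched prefix for the alias path.
        return CALENDAR_ALIAS + uri[len(pat):]
    # root is prepended to the whole URI.
    return DEFAULT_ROOT + uri


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("fixed", FIXED)):
        loc = select_location(conf, "/calendar/index.php")
        print(name, loc, request_filename(loc, "/calendar/index.php"))
```

In the original layout the resolved path sits under the default root, where no calendar files exist, so the try_files $uri =404 line in php-fpm.conf answers with the 404 described in the question.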
I am trying to add WordPress in the subdirectory /blog with a React application running in root. WordPress has been installed successfully and is working correctly with simple permalinks:
https://foo.com/blog/?p=8
https://foo.com/blog/?page_id=8
but returns 404 error when using pretty permalinks like:
https://foo.com/blog/postname/
nginx conf:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name foo.com;
    return 301 https://$server_name$request_uri;
}
# HTTPS server
server {
    listen 443;
    server_name foo.com;
    root /data/www/foo;
    index index.html index.htm;
    ssl on;
    ssl_certificate /etc/nginx/nginx.crt;
    ssl_certificate_key /etc/nginx/nginx.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass https://127.0.0.1:8443;
    }
    location /learn {
        root /data/www/foo;
        index index.php index.html index.htm;
        try_files $uri $uri/ /learn/index.php?$args;
    }
    location ~ /blog/.+\.(jpg|jpeg|gif|css|png|js|ico|xml)$ {
        root /data/www/foo;
    }
    location ~ /blog/.+\.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
How can I fix this?
Thanks!
I've got two different domains and two nginx files in sites-available. I also added the symlinks.
First site config, which should handle a Silex based API:
server {
    listen 443 ssl;
    listen [::]:443 ipv6only=on ssl;
    server_name bwr.mydomain1.com;
    root /srv/www/bwr/src;
    location / {
        # try to serve file directly, fallback to front controller
        try_files $uri /index.php$is_args$args;
    }
    # If you have 2 front controllers for dev|prod use the following line instead
    # location ~ ^/(index|index_dev)\.php(/|$) {
    location ~ ^/index\.php(/|$) {
        # the ubuntu default
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        # for running on centos
        #fastcgi_pass unix:/var/run/php-fpm/www.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS off;
        # Prevents URIs that include the front controller. This will 404:
        # http://domain.tld/index.php/some-path
        # Enable the internal directive to disable URIs like this
        # internal;
    }
    #return 404 for all php files as we do have a front controller
    location ~ \.php$ {
        return 404;
    }
    # SSL configuration with letsencrypt
    ssl_certificate "/etc/letsencrypt/live/bwr.mydomain1.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/bwr.mydomain1.com/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
    ssl_prefer_server_ciphers on;
    error_log /var/log/nginx/bwr_error.log;
    access_log /var/log/nginx/bwr_access.log;
}
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name bwr.mydomain1.com;
    return 301 https://$host$request_uri;
}
The second domain just serves a normal php website:
server {
    listen 443 ssl default_server;
    server_name domain2.ch www.domain2.ch;
    root /srv/www/hgtconnect;
    index index.html index.php;
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
    error_log /var/log/nginx/domain2_error.log;
    access_log /var/log/nginx/domain2_access.log;
    # SSL configuration with letsencrypt
    ssl_certificate "/etc/letsencrypt/live/domain2.ch/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/domain2.ch/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
    ssl_prefer_server_ciphers on;
}
server {
    listen 80 default_server;
    server_name domain2.ch www.domain2.ch;
    return 301 https://$host$request_uri;
}
Whenever I open https://domain2.ch I get the content of bwr.domain1.com. Also the wrong SSL certificate is used and the site is untrusted.
Thanks!
Found the solution.
IPv6 wasn't enabled on both server blocks. I always requested the page in an IPv6 network, so nginx was always falling back on the wrong server because IPv6 was configured there.
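An added illustration of the finding above (not the poster's code): a Python model of nginx picking a server block first by the address:port the connection arrived on and only then by server_name, which is why an IPv6 client asking for domain2.ch was answered by the only block listening on [::]:443. The helper names are assumptions for this sketch, and FIXED assumes the remedy is an extra [::]:443 listen on the second site.

```python
# Constructed model; wildcard/regex names and per-IP listens are omitted.
V4, V6 = "0.0.0.0", "::"


def server(names, *listens):
    # Each listen entry is (address, port, is_default_server).
    return {"names": names, "listen": listens}


DOMAIN2 = ["domain2.ch", "www.domain2.ch"]
BROKEN = [
    server(["bwr.mydomain1.com"], (V4, 443, False), (V6, 443, False)),
    server(DOMAIN2, (V4, 443, True)),  # no IPv6 listen, as in the question
]
FIXED = [
    BROKEN[0],
    server(DOMAIN2, (V4, 443, True), (V6, 443, True)),
]


def select_server(servers, addr, port, host):
    """Return the server_name list of the block that answers the request."""
    # Only blocks listening on the receiving socket are candidates.
    on_socket = [(s, default) for s in servers
                 for (a, p, default) in s["listen"] if (a, p) == (addr, port)]
    if not on_socket:
        return None  # nothing is bound there
    # The requested name (Host header / SNI) is matched within that set.
    for s, _ in on_socket:
        if host in s["names"]:
            return s["names"]
    # No name matched: explicit default_server, else the first block.
    for s, default in on_socket:
        if default:
            return s["names"]
    return on_socket[0][0]["names"]


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        for addr in (V4, V6):
            print(label, addr, select_server(conf, addr, 443, "domain2.ch"))
```

Because the certificate comes from the selected block, the same lookup explains the untrusted-certificate warning in the question.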
EDITED!
I set up a mail server on Debian 7 with Nginx, Postfix, Postfixadmin, Dovecot and Roundcube.
I tried to create an alias to use the SSL certificate of my domain example.org (of course, the domain here is an example) for the webmail. When accessing the following URL https://example.org/support/webmail/ - Nginx doesn't redirect to the index.php file and I get the following message 403 Forbidden. It only works if I manually add a .php file at the end of the URL.
Here's my configuration:
server {
    listen 80;
    server_name example.org;
    return 301 https://$server_name$request_uri;
}
server {
    listen 80;
    server_name www.example.org;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    ssl on;
    server_name example.org;
    root /var/www/soon;
    server_tokens off;
    ssl_certificate /etc/ssl/certs/example.org.certchain.crt;
    ssl_certificate_key /etc/ssl/private/example.org.key;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;
    # HSTS
    add_header Strict-Transport-Security max-age=15768000;
    location /support/webmail/ {
        alias /var/www/webmail/;
        autoindex off;
        location ~ \.php$ {
            include /etc/nginx/fastcgi_params;
            # include fastcgi_params;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param SCRIPT_FILENAME $request_filename;
        }
    }
}
Thank you. :)
Solved.
Here's the configuration that works for me:
server {
    listen 80;
    server_name example.org;
    return 301 https://$server_name$request_uri;
}
server {
    listen 80;
    server_name www.example.org;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    ssl on;
    server_name example.org;
    root /var/www/soon;
    server_tokens off;
    ssl_certificate /etc/ssl/certs/example.org.certchain.crt;
    ssl_certificate_key /etc/ssl/private/example.org.key;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;
    # HSTS
    add_header Strict-Transport-Security max-age=15768000;
    location /support/webmail/ {
        alias /var/www/webmail/;
        autoindex off;
        index index.php;
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include /etc/nginx/fastcgi_params;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
        }
    }
}
Add the
location / {
    try_files $uri $uri/ index.php;
}
part in the config that isn't working, and turn off autoindex.