HTTPS config with nginx for php cms Kirby - php

I'm having an issue with my nginx config on our website. When I run my configuration with port 80 I have no issue, but when I move everything to port 443 with my SSL config the site doesn't respond anymore. I have tried a lot and don't see what I'm doing wrong here.
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites-enabled/*;

    server {
        listen 80;
        server_name landing.kayzr.com;
        # $request_uri keeps the path and query string; a bare target sends every
        # http:// request to the front page.
        return 301 https://landing.kayzr.com$request_uri;
    }

    server {
        # `listen ... ssl` replaces the separate `ssl on;` directive, which is deprecated since nginx 1.15.0
        listen 443 ssl;
        server_name landing.kayzr.com;

        ssl_certificate /etc/ssl/ssl-bundle.crt;
        ssl_certificate_key /etc/ssl/server.key;
        ssl_session_cache shared:SSL:10m;   # was declared twice in the original
        ssl_session_timeout 10m;
        # Kept as posted. DES-CBC3-SHA (3DES) and TLSv1/TLSv1.1 are deprecated; drop them
        # unless a legacy client genuinely needs them.
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DES-CBC3-SHA:!ADH:!AECDH:!MD5;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        add_header Strict-Transport-Security "max-age=63072000";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4;

        root /var/www/html;
        index index.php index.html index.htm;

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }

        # Kirby: never expose the content/site/kirby trees. The dot before the
        # extension is escaped; an unescaped `.` matches any character.
        rewrite ^/(content|site|kirby)$ /error last;
        rewrite ^/content/(.*)\.(txt|md|mdown)$ /error last;
        rewrite ^/(site|kirby)/(.*)$ /error last;

        if (!-d $request_filename) {
            rewrite ^/(.+)/$ /$1 permanent;
        }

        location ~ /panel {
            try_files $uri $uri/ /panel/index.php?$uri&$args;
        }

        # Prefix location, not `location ~ /`. Regex locations are tried in file order
        # and the first match wins, so a catch-all regex here would have been chosen
        # before the two deny blocks below and /.git/config or /backup.sql would have
        # been served. A prefix location is only used when no regex matches.
        location / {
            try_files $uri $uri/ /index.php?$uri&$args;
        }

        location ~ (?:^|/)\. {
            deny all;
        }

        location ~ (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
            deny all;
        }
    }
}
The strange thing is that when I copy everything from 'root /var/www/html' to my port 80 server, everything works on non-HTTPS.
Any help appreciated

OK, I should post more on Stack Overflow: every time I post (and I only do this after a few hours) the solution suddenly is there.
The file was completely correct. Only port 443 wasn't opened in my security group on Azure.
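The cause found above (nginx correct, port 443 closed at the cloud security group) is one of three failures that all look like "the site doesn't respond" in a browser, and they are easy to tell apart from outside the host: a SYN that a security group or firewall drops times out, a host with nothing bound to the port refuses the connection, and a port that is open but not speaking TLS (for instance `listen 443;` without the `ssl` flag and without `ssl on`) fails the handshake. The script below is an added example, not code from the original post; the `ss -ltn` sample is constructed, and `probe_https`, `classify_exception` and the advice strings are mine.

```python
"""Added example (not from the original post): distinguish 'nothing listens',
'firewall drops the packet' and 'port open but not TLS' from outside the host."""
import socket
import ssl
import sys

# Constructed sample of `ss -ltn` output on a host whose nginx binds 80 and 443.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=812,fd=7))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=640,fd=3))
"""

ADVICE = {
    "ok":        "TLS handshake completed; look above the transport layer (vhost, PHP-FPM).",
    "refused":   "Host reachable but nothing bound to the port: check `ss -ltn` and `nginx -t`.",
    "filtered":  "No reply at all: a cloud security group or firewall drops the port; nginx is not involved.",
    "tls_error": "Port open but handshake failed: `listen 443` without `ssl`, bad cert path or protocol mismatch.",
    "dns_error": "Name does not resolve; fix DNS first.",
    "other":     "Unexpected socket error; inspect the exception text.",
}


def listener_present(ss_output: str, port: int) -> bool:
    """Run on the server: does `ss -ltn` output show a TCP listener on `port`?"""
    for line in ss_output.splitlines()[1:]:            # skip the header row
        cols = line.split()                            # State Recv-Q Send-Q Local:Port Peer:Port ...
        if len(cols) >= 4 and cols[3].rsplit(":", 1)[-1] == str(port):
            return True
    return False


def classify_exception(exc: BaseException) -> str:
    """Map the exception raised by connect()+handshake to one of the ADVICE keys."""
    if isinstance(exc, ConnectionRefusedError):
        return "refused"           # a RST came back: host up, port closed
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"          # the SYN (or, rarely, the handshake) got no answer at all
    if isinstance(exc, ssl.SSLError):
        return "tls_error"         # e.g. "wrong version number" when nginx answers plain HTTP on 443
    if isinstance(exc, socket.gaierror):
        return "dns_error"
    return "other"


def probe_https(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Run from outside the network: TCP connect, then a real TLS handshake with
    certificate verification; returns the diagnosis key."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()              # the handshake has completed by now
                return "ok"
    except OSError as exc:                     # ssl.SSLError, socket.timeout and gaierror are OSError subclasses
        return classify_exception(exc)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} HOSTNAME")
    verdict = probe_https(sys.argv[1])
    print(f"{sys.argv[1]}:443 -> {verdict}: {ADVICE[verdict]}")
```

Run `listener_present` against the real `ss -ltn` output on the box and `probe_https` from a machine outside the cloud network: "listener present" plus "filtered" from outside is exactly the security-group case above, while "refused" means nginx itself is not bound to 443.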

Related

nginx: [emerg] "upstream" directive is not allowed here in /etc/nginx/sites-enabled/wiki.[site].com:48

I'm trying to configure a MediaWiki instance with nginx. I've done it before, on another server, and it worked fine there. However, when I copy the same nginx vhost file over to this server (changing relevant bits like the server_name), nginx gives me the following error:
nginx: [emerg] "upstream" directive is not allowed here in /etc/nginx/sites-enabled/wiki.[site].com:48
On my other server, this gives me no errors at all and works exactly as intended. I'm using the same version of nginx (1.14) on either server, and the nginx.conf files are identical.
I'm completely stumped, any help would be massively appreciated.
The full vhost file is as follows:
server {
    listen 80;
    listen [::]:80;
    server_name wiki.[site].work;
    return 301 https://wiki.[site].work$request_uri;
}

server {
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    server_name wiki.[site].work;
    root /var/www/wiki.[site].work;
    index index.php;
    autoindex off;

    ssl_certificate /etc/letsencrypt/live/[site].work/cert.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/[site].work/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    client_max_body_size 5m;
    client_body_timeout 60;

    location / {
        index index.php5;
        rewrite ^/([^?]*)(?:\?(.*))? /index.php5?title=$1&$2 last;
    }

    location ~ \.php5?$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass php5-fpm-sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
        fastcgi_param HTTPS on;
    }

    location ~ \.php?$ {
        try_files $uri =404;
        fastcgi_param HTTPS on;
        include fastcgi_params;
        fastcgi_pass php5-fpm-sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }

    # This is the block nginx rejects: upstream {} is only valid directly inside
    # http {}, never inside a server {} block.
    upstream php5-fpm-sock {
        server unix:/var/run/php5-fpm.soc;
        fastcgi_param HTTPS on;
    }
}
Although my use case is load balancing, the principle still applies: it's preferable to put the upstream configuration in a separate file located in the /etc/nginx/sites-available/ folder. For reference, below is the nginx.conf file that I used:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
And the file (called Default) that I created in the sites-available folder:
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cert-key.pem;
    server_name my_dummy_server;

    location / {
        proxy_pass http://myapp1;
        index index.html index.htm;
        try_files $uri $uri/ /index.html =404;
    }
}

# This file is included from http {}, so the upstream sits at http level,
# outside any server {} block.
upstream myapp1 {
    server 192.168.1.154;
    server 192.168.1.164;
    server 192.168.1.174;
}

Nginx keeps redirecting on a base install of laravel forge

Although I do not have Laravel set up on the server, I am just trying to display some PHP files.
In my root directory I have /public/dashboard, which is executed by domain.com/dashboard.
It shows up fine, but as soon as I try to append something to "dashboard" it redirects back to /dashboard.
For example, typing domain.com/dashboard/test goes back to domain.com/dashboard.
I have nothing in my htaccess file. Here is my nginx config:
# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/domain.com/before/*;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name jackco.biz;
    root /home/forge/domain.com/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/domain.com/292197/server.crt;
    ssl_certificate_key /etc/nginx/ssl/domain.com/292197/server.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers '';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    #add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;
    charset utf-8;

    # FORGE CONFIG (DOT NOT REMOVE!)
    include forge-conf/domain.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log /var/log/nginx/domain.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php5.6-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_read_timeout 600;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/domain.com/after/*;
Any thoughts on how to disable the constant redirect/rewrite?

nginx two sites one directory

I have a project where I want to have one domain per language. So my sites are pointing at the same directory, but for some reason one of my domains is being redirected to the other.
To clarify.
example.com
example.org
example.org is pointed to the same directory as example.com.
When I visit example.org, I get redirected to example.com
I don't know if the problem is that I use Let's Encrypt SSL on both domains.
Any clues?
Here are my nginx files:
example.com
# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/example.com/before/*;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    root /home/forge/example.com;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/example.com/xxx/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com/xxx/server.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'XXXXXX-$'
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;
    charset utf-8;

    # FORGE CONFIG (DOT NOT REMOVE!)
    include forge-conf/example.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ /(public/mail-signature/.*)$ {
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log /var/log/nginx/example.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/example.com/after/*;
example.org
# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/example.org/before/*;

server {
    listen 80;
    listen [::]:80;
    server_name example.org;
    root /home/forge/example.com;

    # FORGE SSL (DO NOT REMOVE!)
    # ssl_certificate;
    # ssl_certificate_key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'xxxxxxx-$'
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;
    charset utf-8;

    # FORGE CONFIG (DOT NOT REMOVE!)
    include forge-conf/example.org/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log /var/log/nginx/example.org-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/example.org/after/*;
I would suggest using a more agnostic name for your document root, otherwise it is very easy to get confused; you could use something like:
/home/forge/site-example
Later, try using curl to diagnose your flow, for example:
curl -I -L https://google.com
The option -I will fetch only headers, and the option -L will follow redirects.
For example, for the site http://immortal.run:
$ curl -I -L http://immortal.run
HTTP/1.1 301 Moved Permanently
Date: Fri, 15 Sep 2017 14:58:43 GMT
...
HTTP/1.1 200 OK
Date: Fri, 15 Sep 2017 14:58:43 GMT
Content-Type: text/html; charset=utf-8
...
Notice the:
HTTP/1.1 301 Moved Permanently
That is probably what is happening with your setup.
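One thing worth checking in the two vhosts posted above: example.org has a server {} on port 80 only, so an https://example.org request is answered by whichever server {} nginx treats as the default for port 443 (the explicit `default_server`, otherwise the first server {} defined for that address:port). The audit below is an added example, not code from the thread or from Forge: it parses an nginx configuration dump (what `nginx -T` prints) and reports names that have no 443 vhost, the default server for 443, and, generalising to the `listen 443;` + `ssl on;` form from the first post on this page, 443 listeners that would answer in plain HTTP. The sample configuration is constructed from the vhosts in this thread plus one hypothetical host, plain.example.net; the function names are mine, and the default-server rule is approximated per port rather than per address:port.

```python
"""Added example (not part of the thread): inventory the server {} blocks of an
nginx configuration dump and flag the mismatches that produce surprise redirects."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def tokenize(conf: str) -> List[str]:
    """Split config text into nginx tokens. A '#' starts a comment that runs to end
    of line (assumption: no '#' inside quoted arguments or location regexes)."""
    tokens: List[str] = []
    for line in conf.splitlines():
        tokens.extend(_TOKEN.findall(line.split("#", 1)[0]))
    return tokens


@dataclass
class Listen:
    port: int
    ssl: bool
    default: bool


@dataclass
class Server:
    listens: List[Listen] = field(default_factory=list)
    names: List[str] = field(default_factory=list)
    legacy_ssl_on: bool = False   # `ssl on;`, deprecated since nginx 1.15.0 in favour of `listen ... ssl`


def parse_listen(args: List[str]) -> Listen:
    """Handles `listen 443`, `0.0.0.0:443`, `[::]:443 ssl http2 default_server`, ..."""
    tail = args[0].rsplit(":", 1)[-1]
    port = int(tail) if tail.isdigit() else 80   # an address without a port means port 80
    flags = set(args[1:])
    return Listen(port=port, ssl="ssl" in flags, default=bool(flags & {"default_server", "default"}))


def parse_servers(conf: str) -> List[Server]:
    """Walk the token stream and collect listen/server_name/ssl from every server {} block."""
    servers: List[Server] = []
    stack: List[str] = []     # names of the enclosing blocks (http, server, location, upstream, ...)
    cur: List[str] = []       # tokens of the directive currently being read
    for tok in tokenize(conf):
        if tok == "{":
            stack.append(cur[0] if cur else "")
            if stack[-1] == "server":        # `server` inside upstream {} ends with ';', so it never gets here
                servers.append(Server())
            cur = []
        elif tok == "}":
            stack.pop()
            cur = []
        elif tok == ";":
            if cur and stack and stack[-1] == "server":
                name, args = cur[0], [a.strip("\"'") for a in cur[1:]]
                srv = servers[-1]
                if name == "listen" and args:
                    srv.listens.append(parse_listen(args))
                elif name == "server_name":
                    srv.names.extend(args)
                elif name == "ssl" and args == ["on"]:
                    srv.legacy_ssl_on = True
            cur = []
        else:
            cur.append(tok)
    return servers


def audit(servers: List[Server]) -> Dict[str, object]:
    """Findings: hosts served on 80 but without a 443 vhost, the server {} nginx picks
    for an unmatched name on 443, and 443 listeners that would speak plain HTTP."""
    default_for: Dict[int, Server] = {}
    plain_443: List[str] = []
    ports_by_host: Dict[str, Set[int]] = {}
    for srv in servers:
        for ls in srv.listens:
            # explicit default_server wins; otherwise the first server {} for that port
            if ls.default or ls.port not in default_for:
                default_for[ls.port] = srv
            for host in srv.names:
                ports_by_host.setdefault(host, set()).add(ls.port)
        if any(ls.port == 443 and not ls.ssl for ls in srv.listens) and not srv.legacy_ssl_on:
            plain_443.extend(srv.names or ["<unnamed>"])
    d443 = default_for.get(443)
    return {
        "missing_tls": sorted(h for h, p in ports_by_host.items() if 80 in p and 443 not in p),
        "default_443": d443.names[0] if d443 and d443.names else None,
        "plain_http_on_443": plain_443,
    }


# Constructed sample modelled on the vhosts in this thread (paths shortened).
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    root /home/forge/example.com;
}
server {
    listen 80;
    listen [::]:80;
    server_name example.org;     # no 443 vhost: https://example.org lands on the 443 default
    root /home/forge/example.com;
}
server {
    listen 443;                  # legacy form from the first post: still TLS because of `ssl on`
    ssl on;
    server_name landing.kayzr.com;
}
server {
    listen 443;                  # hypothetical: neither `ssl` flag nor `ssl on`, plain HTTP on 443
    server_name plain.example.net;
}
"""

if __name__ == "__main__":
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for key, value in audit(parse_servers(conf)).items():
        print(f"{key}: {value}")
```

Feed it a real dump with `nginx -T > /tmp/dump.conf && python3 vhost_audit.py /tmp/dump.conf`; `nginx -T` inlines every `include`, so the Forge before/server/after fragments are covered too.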

Nginx downloads PHP instead of executing it

I want to make certain PHP files accessible via HTTP only.
So I added location = /example.php {} as shown in the code below.
server {
    listen 80;
    ssl off;
    server_name example.com www.example.com;
    root /var/www/example;

    # Neither of the next two locations has a fastcgi_pass, so a request that lands
    # in one of them is handled as a static file and the .php source is sent as-is.
    location ~* \.(php)$ {
        # dostufdd
    }

    location = /example.php {
        #do stuff
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    root /var/www/example;
    index index.php;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    ssl_dhparam /etc/letsencrypt/live/example.com/example.com.dhparam;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;

    # Set caches, protocols, and accepted ciphers. This config will
    # merit an A+ SSL Labs score.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kED$

    error_log /var/log/nginx/example.error.log warn;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Allow Lets Encrypt Domain Validation Program
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    # Block dot file (.htaccess .htpasswd .svn .git .env and so on.)
    location ~ /\. {
        deny all;
    }

    # Block (log file, binary, certificate, shell script, sql dump file) access.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key)$ {
        deny all;
    }

    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location ~* \.(css|js|ico|gif|jpe?g|png|svg|eot|otf|woff|woff2|ttf|ogg)$ {
        expires max;
    }

    location ~ /.well-known {
        allow all;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_read_timeout 180;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
However, if I try to access http://example.com/example.php, the PHP file is downloaded instead of being executed.
But if I access https://example.com/example.php, it is served normally.
I have no idea what to do.
Please help me.
Thank you.

Wordpress multisite install on ubuntu (nginx) add SSL certificate to checkout only

I have just moved my WordPress multisite to a DigitalOcean cloud server running Ubuntu (nginx).
One of the pages on my primary blog (i.e. the main site) is a checkout page (your-account) and the payment gateway requires an SSL certificate. When you go to http://example.com/your-account it forces https; however, if you then return to the homepage, https is still being used. Is there a way to force http on all pages except for checkout?
Here is my nginx conf file:
server {
    listen 80;
    listen 443 ssl;
    server_name skizzar.com *.skizzar.com;

    ssl_certificate /etc/ssl/skizzar/www.skizzar.com.chained.crt;
    ssl_certificate_key /etc/ssl/skizzar/www.skizzar.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

    root /usr/share/nginx/skizzar;
    index index.php index.html index.htm;
    add_header Access-Control-Allow-Origin *;

    location / {
        try_files $uri $uri/ /index.php?$args;
        rewrite files/(.+) /wp-includes/ms-files.php?file=$1 last;
    }

    location /nothingtosee {
        auth_basic "Admin Login";
        auth_basic_user_file /etc/nginx/pma_pass;
    }

    location ~ /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location ~ \.php$ {
        try_files $uri /index.php;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }

    access_log /var/log/nginx/$host-access.log;
    error_log /var/log/nginx/wpms-error.log;
}
