I've got two different domains and two nginx files in sites-available. I also added the symlinks.
First site config, which should handle a Silex based API:
server {
listen 443 ssl;
listen [::]:443 ipv6only=on ssl;
server_name bwr.mydomain1.com;
root /srv/www/bwr/src;
location / {
# try to serve file directly, fallback to front controller
try_files $uri /index.php$is_args$args;
}
# If you have 2 front controllers for dev|prod use the following line instead
# location ~ ^/(index|index_dev)\.php(/|$) {
location ~ ^/index\.php(/|$) {
# the ubuntu default
fastcgi_pass unix:/var/run/php5-fpm.sock;
# for running on centos
#fastcgi_pass unix:/var/run/php-fpm/www.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS off;
# Prevents URIs that include the front controller. This will 404:
# http://domain.tld/index.php/some-path
# Enable the internal directive to disable URIs like this
# internal;
}
#return 404 for all php files as we do have a front controller
location ~ \.php$ {
return 404;
}
# SSL configuration with letsencrypt
ssl_certificate "/etc/letsencrypt/live/bwr.mydomain1.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/bwr.mydomain1.com/privkey.pem";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
ssl_prefer_server_ciphers on;
error_log /var/log/nginx/bwr_error.log;
access_log /var/log/nginx/bwr_access.log;
}
server {
listen 80;
listen [::]:80 ipv6only=on;
server_name bwr.mydomain1.com;
return 301 https://$host$request_uri;
}
The second domain just serves a normal php website:
server {
listen 443 ssl default_server;
server_name domain2.ch www.domain2.ch;
root /srv/www/hgtconnect;
index index.html index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
error_log /var/log/nginx/domain2_error.log;
access_log /var/log/nginx/domain2_access.log;
# SSL configuration with letsencrypt
ssl_certificate "/etc/letsencrypt/live/domain2.ch/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/domain2.ch/privkey.pem";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
ssl_prefer_server_ciphers on;
}
server {
listen 80 default_server;
server_name domain2.ch www.domain2.ch;
return 301 https://$host$request_uri;
}
Whenever I open https://domain2.ch I get the content of bwr.domain1.com. Also the wrong ssl cerificate is used and the site is untrusted.
Thanks!
Found the soultion.
Ipv6 wasn't enabled on both server blocks. I always requested the page in an Ipv6 network, so nginx was always falling back on the wrong server because ipv6 was configured there.
Related
I am using nginx + php-fpm on my centos server and while I was trying to set up https, with nginx.conf revised, I find that only the 'index.php' cannot be properly accessed.
working:
https://ip/index.php
https://domain/*.php (* != index)
https://domain/*/*.php
http://ip/index.php
http://domain/index.php
not working:
https://domain/index.php
my nginx.conf looks like this:
server {
listen 443 default_server;
server_name localhost;
ssl on;
root /home/wwwroot/default;
index index.html index.htm;
ssl_certificate cert/*****.pem;
ssl_certificate_key cert/*****.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
root /home/wwwroot/default;
index index.html index.htm index.php;
}
location ~ [^/]\.php(/|$) {
root /home/wwwroot/default;
fastcgi_pass unix:/tmp/php-cgi.sock;
fastcgi_index index.php;
fastcgi_param HTTPS on;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
include fastcgi.conf;
}
}
I'm trying to configure a mediawiki instance with Nginx. I've done it before, on another server, and it worked fine there. However, when I copy the same nginx vhost file over to this server (changing relative bits like the server_name), nginx gives me the following error:
nginx: [emerg] "upstream" directive is not allowed here in /etc/nginx/sites-enabled/wiki.[site].com:48
On my other server, this gives me no errors at all and works exactly as intended. I'm using the same version of nginx (1.14) on either server, and the nginx.conf files are identical.
I'm completely stumped, any help would be massively appreciated.
The full vhost file is as follows:
server {
listen 80;
listen [::]:80;
server_name wiki.[site].work;
return 301 https://wiki.[site].work$request_uri;
}
server {
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
server_name wiki.[site].work;
root /var/www/wiki.[site].work;
index index.php;
autoindex off;
ssl_certificate /etc/letsencrypt/live/[site].work/cert.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/[site].work/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
client_max_body_size 5m;
client_body_timeout 60;
location / {
index index.php5;
rewrite ^/([^?]*)(?:\?(.*))? /index.php5?title=$1&$2 last;
}
location ~ \.php5?$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php5-fpm-sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_param HTTPS on;
}
location ~ \.php?$ {
try_files $uri =404;
fastcgi_param HTTPS on;
include fastcgi_params;
fastcgi_pass php5-fpm-sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
}
upstream php5-fpm-sock {
server unix:/var/run/php5-fpm.soc;
fastcgi_param HTTPS on;
}
}
Although, my use case is load balancing, the principle still applies , it's preferable to add the upstream clause configuration on a separate file located at the etc/nginx/sites-available/ folder . For reference , below is the nginx.conf file that I used :
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
And the file (called Default) that I created on the sites-available folder
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/cert-key.pem;
server_name my_dummy_server;
location / {
proxy_pass http://myapp1;
index index.html index.htm;
try_files $uri $uri/ /index.html =404;
}
}
upstream myapp1
{
server 192.168.1.154;
server 192.168.1.164;
server 192.168.1.174;
}
I am trying to add wordpress in subdirectory /blog with react application running in root. Wordpress have been installed successfully and working correctly with simple permalinks:
https://foo.com/blog/?p=8
https://foo.com/blog/?page_id=8
but returns 404 error when using pretty permalinks like:
https://foo.com/blog/postname/
nginx conf:
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name foo.com;
return 301 https://$server_name$request_uri;
}
# HTTPS server
server {
listen 443;
server_name foo.com;
root /data/www/foo;
index index.html index.htm;
ssl on;
ssl_certificate /etc/nginx/nginx.crt;
ssl_certificate_key /etc/nginx/nginx.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
location / {
proxy_pass https://127.0.0.1:8443;
}
location /learn {
root /data/www/foo;
index index.php index.html index.htm
try_files $uri $uri/ /learn/index.php?$args;
}
location ~ /blog/.+\.(jpg|jpeg|gif|css|png|js|ico|xml)$ {
root /data/www/foo;
}
location ~ /blog/.+\.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
How can I fix this?
Thanks!
`
EDITED!
I set up a mail server on Debian 7 with Nginx, Postfix, Postfixadmin, Dovecot and Roundcube.
I tried to create an alias to use the SSL certificate of my domain example.org (of course, the domain here is an example) for the webmail. When accessing the following URL https://example.org/support/webmail/ - Nginx doesn't redirect to the index.php file and I get the following message 403 Forbidden. It only works if I manually add a .php file at the end of the URL.
Here's my configuration:
server {
listen 80;
server_name example.org;
return 301 https://$server_name$request_uri;
}
server {
listen 80;
server_name www.example.org;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
ssl on;
server_name example.org;
root /var/www/soon;
server_tokens off;
ssl_certificate /etc/ssl/certs/example.org.certchain.crt;
ssl_certificate_key /etc/ssl/private/example.org.key;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
# HSTS
add_header Strict-Transport-Security max-age=15768000;
location /support/webmail/ {
alias /var/www/webmail/;
autoindex off;
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
# include fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
}
Thank you. :)
Solved.
Here's the configuration that works for me:
server {
listen 80;
server_name example.org;
return 301 https://$server_name$request_uri;
}
server {
listen 80;
server_name www.example.org;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
ssl on;
server_name example.org;
root /var/www/soon;
server_tokens off;
ssl_certificate /etc/ssl/certs/example.org.certchain.crt;
ssl_certificate_key /etc/ssl/private/example.org.key;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
# HSTS
add_header Strict-Transport-Security max-age=15768000;
location /support/webmail/ {
alias /var/www/webmail/;
autoindex off;
index index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
}
Add the
location / {
try_files $uri $uri/ index.php;
}
part in the config that isnt working, and turn off autoindex.
I have cakephp set up with nginx, and before I had nginx set up and url rewriting was working perfectly, such that urls of form: mywebsite.com/cake_project/controller/action worked perfectly. Then I changed the name of the folder cake_project to web, and updated the nginx config file and now when I go to mywebsite.com/web the cakephp works, but If I go to mywebsite.com/web/controller or mywebsite.com/web/controller/action it gives 404.
(My Operating system is Ubuntu, and my CakePHP version is 2.3.9)
Here is what my current nginx config is, sorry I didn't backup my old nginx config :( (that probably would have helped me).
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
server {
listen 80;
listen [::]:80;
server_name mywebsite.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 default_server;
listen [::]:443 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.php index.html index.htm;
ssl on;
ssl_certificate path_to_ssl_certificate;
ssl_certificate_key path_to_ssl_key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
# Make site accessible from http://localhost/
server_name localhost;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
location /web {
alias /usr/share/nginx/html/web/app/webroot;
try_files $uri $uri/ /web/webroot/index.php;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
# Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
#location /RequestDenied {
# proxy_pass http://127.0.0.1:8080;
#}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
#error_page 500 502 503 504 /50x.html;
#location = /50x.html {
# root /usr/share/nginx/html;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# root html;
# index index.html index.htm;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
Can Anyone see, what I am doing wrong?
I have similar Nginx configs to this on everything from Nginx 1.4 - 1.8 seems to work well with CakePHP overall especially for the rewriting. Do you have things that are using the IPv6? I would think that stuff could go, if you are sure nothing is using IPv6.
Here is a working example I have working with several CakePHP 2.x project:
server {
listen 80 default_server;
server_name www.example.com;
rewrite ^(.*) https://www.example.com$1 permanent;
}
server {
listen 443 ssl;
access_log /var/log/nginx/www.example.com.access.log;
error_log /var/log/nginx/www.example.com.error.log;
root /var/www/production/app/webroot;
index index.php;
server_name www.example.com;
ssl_certificate /etc/nginx/ssl.crt/www.example.com.intermediate.combined.crt;
ssl_certificate_key /etc/nginx/ssl.key/www.example.com.key;
# For Larger File Uploads
client_max_body_size 28M;
# This is for CakePHP
if (!-e $request_filename) {
rewrite ^/(.+)$ /index.php?url=$1 last;
break;
}
proxy_buffers 4 256k;
proxy_buffer_size 128k;
proxy_busy_buffers_size 256k;
# Cache Headers for Static Files
location ~* \.(?:ico|css|js|gif|jpe?g|png|swf)$ {
expires 30d;
add_header Pragma public;
add_header Cache-Control "public";
}
# Pass the PHP scripts to FastCGI server
# listening on 127.0.0.1:9000
location ~ \.php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_pass_header Set-Cookie;
fastcgi_ignore_headers Cache-Control Expires;
fastcgi_intercept_errors on; # to support 404s for PHP files no$
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_buffers 4 256k;
fastcgi_buffer_size 128k;
fastcgi_busy_buffers_size 256k;
include fastcgi_params;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}
# Deny access to .htaccess files,
# git & svn repositories, etc
location ~ /\.(ht|git|svn) {
deny all;
}
}
Here is another option that might work for you:
server {
listen 80;
listen [::]:80;
server_name mywebsite.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 default_server;
listen [::]:443 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.php index.html index.htm;
ssl on;
ssl_certificate path_to_ssl_certificate;
ssl_certificate_key path_to_ssl_key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
# Make site accessible from http://localhost/
server_name localhost;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
location /web {
rewrite ^/web$ /web/ permanent;
rewrite ^/web/(.+)$ /$1 break;
root /usr/share/nginx/html/web/app/webroot;
try_files $uri /$uri/ #cakephp;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# Other PHP Files - Non-CakePHP
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
# For CakePHP
location #cakephp {
set $q $request_uri;
if ($request_uri ~ "^/web(.+)$") {
set $q $1;
}
fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html/web/app/webroot/index.php;
fastcgi_param QUERY_STRING url=$q;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_intercept_errors on; # to support 404s for PHP files no$
include fastcgi_params;
}
}