I have this vhost:
server {
    server_name admin.ex.com;
    listen 80;
    listen [::]:80;
    ##SSL
    #listen 443 ssl;
    listen *:443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384$
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate /etc/nginx/ssl/admin.crt;
    ssl_certificate_key /etc/nginx/ssl/admin.key;
    root /var/www/admin/public/;
    index index.php index.html index.htm;
    access_log /var/www/admin/admin.log;
    auth_basic "Top Secret";
    auth_basic_user_file /var/www/admin/.htpasswd;
    location / {
        try_files $uri $uri/ =404;
        allow 192.168.1.1;
        #deny all;
        location ~ \.php$ {
            fastcgi_pass unix:/var/run/php/php7.0-fpm.admin.sock;
            fastcgi_intercept_errors on;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        }
    }
}
It's SO SLOW over HTTPS. I tried to visit phpMyAdmin and my own PHP code: over HTTP it loads in 2 seconds, with HTTPS it takes 2-3 minutes. It loads the HTML code itself fast, but downloading the resources (CSS, images) takes so much time. I'm using Chrome with nginx 1.9 and a self-signed certificate.
I even tried curl -i on both HTTP and HTTPS; again there is so much latency between the two. I don't understand what's going on!
UPDATE:
Okay, after some research I figured out that if I take an image of exactly the same VPS and apply it to one on a server closer to me (Frankfurt instead of NY), it gets way faster. Is it a distance problem then?
What makes me think again is: why, when I use HTTP, is it so fast no matter what server it is on?
Any ideas?
It turned out to be a location-related problem. I changed the location of the server from New York to Amsterdam which seems to solve the problem.
I understand that a server can be far and thus reduce the connection speed but I don't understand why it reduces the speed under HTTPS only and not HTTP requests. Kind of weird!
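A way to confirm the distance explanation given in the answer above, as an added example that is not part of the original question or answer: curl exposes per-phase timers through -w, and the script below splits one request into DNS, TCP connect, TLS handshake and server time. A full TLS 1.2 handshake needs two extra round trips on top of TCP's single one, so against a far-away server the TLS phase alone costs roughly twice the TCP connect time, and every new connection pays it again unless the session is resumed (which is what the ssl_session_cache and ssl_session_timeout lines in the posted config control). The timing lines used as input are constructed, not measured; the hostname in the usage comment is the one from the question.

```shell
#!/bin/sh
# Added example, not code from the original question: split one request's latency
# into DNS, TCP connect, TLS handshake and server phases using curl's -w timers,
# so "HTTPS is slow, HTTP is not" can be attributed to handshake round trips
# (distance) rather than to the server itself. -k accepts the self-signed
# certificate the question mentions; drop it against a real certificate.

# Fetch a URL once and print "namelookup connect appconnect starttransfer total"
# in seconds. time_appconnect is 0 for plain HTTP (no TLS handshake happens).
measure() {
    curl -sS -k -o /dev/null \
        -w '%{time_namelookup} %{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total}\n' \
        "$1"
}

# Turn one timing line into per-phase durations in milliseconds.
phases() {
    echo "$1" | awk '
        function ms(x) { return int(x * 1000 + 0.5) }
        {
            dns = $1; tcp = $2 - $1
            tls = ($3 > 0) ? $3 - $2 : 0            # absent for http://
            server = ($3 > 0) ? $4 - $3 : $4 - $2   # request sent -> first byte
            printf "dns=%d tcp=%d tls=%d server=%d total=%d\n", ms(dns), ms(tcp), ms(tls), ms(server), ms($5)
        }'
}

# Ratio of TLS handshake time to TCP handshake time. A full TLS 1.2 handshake is
# two round trips against one for TCP, so a ratio near 2 means the extra HTTPS
# delay is pure distance; a much higher ratio points at the server (slow
# certificate/DH work, OCSP lookups) rather than at the network.
tls_rtt_ratio() {
    echo "$1" | awk '{
        tcp = $2 - $1; tls = $3 - $2
        if ($3 <= 0 || tcp <= 0) { print "0.0"; exit }
        printf "%.1f\n", tls / tcp
    }'
}

# Constructed sample lines (not real measurements): same host over HTTPS and HTTP.
SAMPLE_HTTPS="0.004 0.094 0.280 0.375 0.380"
SAMPLE_HTTP="0.004 0.094 0.000 0.185 0.190"

phases "$SAMPLE_HTTPS"          # dns=4 tcp=90 tls=186 server=95 total=380
phases "$SAMPLE_HTTP"           # dns=4 tcp=90 tls=0 server=91 total=190
tls_rtt_ratio "$SAMPLE_HTTPS"   # 2.1
# Live use against the question's host: phases "$(measure https://admin.ex.com/)"
```

Run phases on the HTTP and HTTPS variants of the same URL. If the tls phase is a small multiple of tcp, the delay is round-trip bound and the remedies are distance (the move the answer describes), session resumption and keeping connections open; a tls phase far larger than the ratio predicts points at the server side instead.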
Related
I've been given an NGINX server that previously only had Ubuntu 18.04 and NGINX installed and was used to render a static HTML site.
I've installed PHP, MySQLi etc. and configured the sites-available file to get the website up and running. After importing the database from the development site to the live site, the website is working perfectly fine as expected apart from one bug.
If I click on a draft page while in 'Split Mode' or 'Preview Mode' I get redirected to the 'Page Not Found' within the admin. If I switch to 'Edit Mode' everything works perfectly fine.
Once I publish the draft page I can then view it in 'Split Mode' or 'Preview Mode' perfectly fine.
I'm wondering if it's got something to do with my NGINX config. I configured my sites-available/default file using the link below:
https://www.nginx.com/resources/wiki/start/topics/recipes/silverstripe/#recipe
Here is my nginx sites-available config file:
server {
    include mime.types;
    default_type application/octet-stream;
    #listen 80 default_server;
    #listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl on;
    ssl_certificate /etc/ssl/certs/certificate.pem;
    ssl_certificate_key /etc/ssl/private/key.key;
    root ****************;
    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;
    server_name ****************;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri /index.php?query_string;
    }
    error_page 404 /assets/error-404.html;
    error_page 500 /assets/error-500.html;
    # see caveats
    error_page 502 /assets/error-500.html;
    error_page 503 /assets/error-500.html;
    location ^~ /assets/ {
        sendfile on;
        try_files $uri =404;
    }
    location /index.php {
        fastcgi_buffer_size 32k;
        fastcgi_busy_buffers_size 64k;
        fastcgi_buffers 4 32k;
        fastcgi_keep_conn on;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    # pass PHP scripts to FastCGI server
    #
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # With php-fpm (or other unix sockets):
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        # With php-cgi (or other tcp sockets):
        # fastcgi_pass 127.0.0.1:9000;
    }
    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }
}
When I navigate to /install.php I get no warnings or errors.
Any clues as to what might cause this? Let me know if you need any more information.
Some of my clients are experiencing a blank page when they try to reach my website using their 4G internet.
By accumulating cases, I found out that it's always a specific 4G provider: Bouygues Telecom (French provider). Could be other providers, but this one is the most recurrent.
I have an Ubuntu web server running nginx and PHP 5.
Sadly I can't find any nginx logs of those blank-screen connections.
When I am sharing a Bouygues 4G connection through my laptop, I also have an issue with a PR_CONNECT_RESET_ERROR in Mozilla, or an ERR_CONNECTION_RESET on a Xiaomi phone.
Last track: I can reach my preproduction website with this 4G connection, which has no SSL config.
Does somebody have an idea of what I am experiencing?
You will find below my nginx conf:
server {
    listen 80 default_server;
    allow all;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 default_server ssl;
    allow all;
    ssl on;
    ssl_certificate /etc/nginx/ssl/2020_easyrenter.crt;
    ssl_certificate_key /etc/nginx/ssl/easyrenter.fr.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;
    server_name www.easyrenter.fr easyrenter.fr 46.101.103.115;
    root /home/deploy/easyrenter/current/;
    location = /sitemap.xml {
        alias /home/deploy/easyrenter/current/sitemap.xml;
    }
    location = /sitemaps/en/sitemap.xml {
        alias /home/deploy/easyrenter/current/sitemaps/en/sitemap.xml;
    }
    location = /sitemaps/fr/sitemap.xml {
        alias /home/deploy/easyrenter/current/sitemaps/fr/sitemap.xml;
    }
    location / {
        index index.html index.php;
        try_files $uri/ @handler;
        expires 30d;
    }
    location ~ \.(js|css|png|jpg|gif|ico|pdf|tiff|swf) {
        try_files $uri $uri/;
        expires 356d;
    }
    location ^~ /app/ { deny all; }
    location ^~ /includes/ { deny all; }
    #location ^~ /lib/ { deny all; }
    location ^~ /media/downloadable/ { deny all; }
    location ^~ /pkginfo/ { deny all; }
    location ^~ /report/config.xml { deny all; }
    location ^~ /var/ { deny all; }
    location /var/export {
        auth_basic "restricted";
        auth_basic_user_file htpasswd;
        autoindex on;
    }
    location /. {
        return 404;
    }
    location @handler {
        rewrite / /index.php;
    }
    # location ~ .php {
    #     rewrite ^(.*.php)/ $1 last;
    # }
    location ~ \.php$ {
        if (!-e $request_filename) { rewrite / /index.php last; }
        expires off;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_param HTTPS $fastcgi_https;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        proxy_read_timeout 300;
    }
    # Maximum size of uploaded files
    client_max_body_size 32M;
    include /etc/nginx/nginx-redirection.conf;
}
I found the solution.
Bouygues 4G was forcing the IPv6 of my server.
At first the requested page was looping for the users on Bouygues 4G. Guessing that it was an IPv6 issue, I activated IPv6 on my server and added an AAAA entry to my DNS.
Then the Bouygues 4G users had a blank page, because IPv6 wasn't declared in my nginx conf. Here below are my additions:
server {
    listen 80;
    **listen [::]:80;**
    allow all;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 default_server ssl http2;
    **listen [::]:443 default_server ssl http2;**
Hope it will help others,
Axel
I'm having an issue since today when I uploaded updates to my production server from my local development environment on my laptop.
When I try to access a page, it's completely blank. I didn't touch anything - I did like I always do when uploading new files, which has always worked.
I can also access my assets, like images, js and css perfectly fine. And my auth middleware is working as I'm using Steam login and it redirects me to login through Steam.
What I remember doing before it broke:
Uploaded my files
ran composer dumpautoload
ran php artisan cache:clear
What I have done so far:
Checked my NGINX/PHP/MySQL error logs. Nothing.
Checked laravel logs, nothing there either.
Made sure PHP, NGINX and MySQL are running.
Made sure PHP, NGINX and MySQL are up to date.
Generated a new key
Double checked my .env so it's valid.
composer update
chmodded my directories (even though I had no problems with this prior to the blank page).
At this point I don't know how and why it suddenly does not work, when it's working perfectly fine on my local laptop.
nginx config:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com;
    proxy_set_header X-Forwarded-For $remote_addr;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    root /var/www/preview/example/public;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    charset utf-8;
    index index.html index.htm index.php;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
        #auth_basic "Restricted Content";
        #auth_basic_user_file /etc/nginx/.htpasswd;
    }
    location ~ /\.(?!well-known).* {
        deny all;
    }
    server_name hsbuilds.com;
    ssl on;
    ssl_certificate /home/hsbuilds/src/hsbuilds/example.com.chained.crt;
    ssl_certificate_key /home/hsbuilds/src/example.com/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    #location / {
    #    proxy_pass http://example.com:8000;
    #    proxy_set_header X-Forwarded-For $remote_addr;
    #}
}
Edit: When checking the network tab in chrome, the page returns code 200.
First, check the .env file, especially the vars APP_KEY (php artisan key:generate) and APP_URL.
Then, just to be sure, run php artisan cache:clear && php artisan config:clear && php artisan config:cache.
I would like to serve two php sites and one static site on my server. Eventually I'd like to be able to add a number of further static, php or proxied sites to this nginx configuration.
At the moment, I try to serve
domain1.com (php, WordPress)
sub.domain1.com (php, phpMyAdmin)
domain2.com (static, plain HTML)
However, all of the requests to any domain always end up serving domain1.com. I have since implemented SSL, hoping to eliminate the wrongly served sites; however, now they have turned into redirects to https://domain1.com.
I have also tried to implement a catch-all which drops the connection (return 444) on incorrect domains, but that does exactly what it says on the package: It'll just start sending empty responses for sub.domain1.com and domain2.com. Not sure what I expected to be honest.
Furthermore I have tried to move the root directive into location blocks as can be seen in domain1.com's configuration, however this also did not help.
Additionally, I tried to put the domain in the listen 80; directives, such as listen domain2.com:80 hoping to make nginx prefer this block over the general domain1.com block. I got that inspiration from Nginx Request Processing Documentation. However, also without luck.
I would not call myself the most proficient nginx user, but on a different server which hosts multiple domains which serve proxied content from gunicorn servers, this was never an issue. Hence, I suspect the php related configuration part is what creates this problem.
The guide I used to set up my vanilla server was this DigitalOcean guide. However, the server I am actually using is an Amazon EC2 t2.micro instance with all necessary ports opened in the security group. I am also using Ubuntu 14.04 LTS. Nginx is running as root, worker processes as www-data. The permissions are all set up like for domain1.com which is served without a problem. All the domains point to the IP address of the EC2 instance.
Thank you for helping!
This is my nginx configuration for each of the domains.
domain1.com
server {
    listen 80;
    server_name domain1.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name domain1.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    index index.php index.html index.htm;
    client_max_body_size 64M;
    location / {
        root /usr/share/nginx/html/domain1.com/public;
        try_files $uri $uri/ =404;
    }
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    location ~ \.php$ {
        root /usr/share/nginx/html/domain1.com/public;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
sub.domain1.com
server {
    listen 80;
    server_name sub.domain1.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name sub.domain1.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/sub.domain1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.domain1.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    index index.php index.html index.htm;
    server_name sub.domain1.com;
    client_max_body_size 64M;
    location / {
        try_files $uri $uri/ =404;
        root /var/www/sub.domain1.com;
    }
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
domain2.com
server {
    listen 80;
    server_name domain2.com www.domain2.com;
    root /var/www/domain2.com/html;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
}
I have a challenge that I can't figure out how to solve.
I have a DigitalOcean VPS running CentOS 7. Here I host a domain, e.g. www.example.com.
I'm running nginx on it right now. It used to be Apache, but I could not figure out how to make the websockets reverse proxy for Meteor work with Apache.
Now in nginx I created a vhost configuration to load the main domain, www.example.com and example.com, from a Meteor server that runs with pm2-meteor:
server_tokens off; # for security-by-obscurity: stop displaying nginx version
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    listen 443 ssl spdy; # we enable SPDY here
    server_name www.example.com; # this domain must match Common Name (CN) in the SSL certificate
    root /var/www/html/example/bundle; # irrelevant
    index index.html; # irrelevant
    ssl_certificate /etc/httpd/ssl/example/example.crt; # full path to SSL certificate and CA certificate concatenated together
    ssl_certificate_key /etc/httpd/ssl/example/example.key; # full path to SSL key
    # performance enhancement for SSL
    ssl_stapling off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # safety enhancement to SSL: make sure we actually use a safe cipher
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
    # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    add_header Strict-Transport-Security "max-age=31536000;";
    # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
    # This works because IE 11 does not present itself as MSIE anymore
    #if ($http_user_agent ~ "MSIE" ) {
    #    return 303 https://browser-update.org/update.html;
    #}
    # pass all requests to Meteor
    location / {
        proxy_pass http://127.0.0.1:4001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; # allow websockets
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP
        # this setting allows the browser to cache the application in a way compatible with Meteor
    }
}
I'm running the Meteor server on port 4001.
OK, this works perfectly for Meteor. My problem now is that I want to create a vhost for a subdomain, payment.example.com, which will load Laravel 5.
Normally I want this subdomain to load over HTTPS as well.
How on earth can I do this without loading the default nginx vhost settings or the domain vhost which loads Meteor?
I can't figure out a way to make it work. This is the payment subdomain virtual host I'm trying to make, and it's not working:
server {
    listen 431 ssl spdy; # we enable SPDY here
    listen [::]:431 ipv6only=on default_server;
    server_name payment.example.ro; # this domain must match Common Name (CN) in the SSL certificate
    root /var/www/html/example/payment/;
    access_log /var/log/nginx/nginx_access.log;
    error_log /var/log/nginx/nginx_error.log;
    ssl_certificate /etc/httpd/ssl/example/example.crt; # full path to SSL certificate and CA certificate concatenated together
    ssl_certificate_key /etc/httpd/ssl/example/example.key; # full path to SSL key
    # performance enhancement for SSL
    ssl_stapling off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # safety enhancement to SSL: make sure we actually use a safe cipher
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
    # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    add_header Strict-Transport-Security "max-age=31536000;";
    location / {
        root /var/www/html/example/payment/;
        index index.php index.html index.htm;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Now when I load payment.example.com, I get the Meteor reverse proxy.
Any suggestions or ideas on what to do to make this work? Is this even possible?
Do I have to put it in a subfolder rather than a subdomain? I prefer the subdomain...
Thank you guys!
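The three threads above (the Bouygues answer that had to add listen [::] lines, the domain1/sub.domain1/domain2 question, and this payment subdomain question) all come down to the same selection rule: for each address and port nginx has a set of server blocks, and a request whose Host matches no server_name on that address:port, or that arrives on a port the intended block does not listen on at all, goes to the explicit default_server for that address:port, or failing that to the first block defined for it. The script below is an added example, not code from any of the posts: a small awk audit that reads a config (or nginx -T output) and prints the effective default per address, IPv4 listens with no IPv6 twin, TLS enabled on a port other than 443, the deprecated ssl on; directive and the legacy TLSv1/TLSv1.1 versions that every config on this page still enables. The sample config is constructed to resemble the questions and is not any poster's real server; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not code from any post on this page: audit an nginx
# configuration for the traps the threads above fall into. Reads the files given
# as arguments, or stdin (e.g. `nginx -T | audit_nginx`). Assumes one directive
# per line and a `server {` opener on its own line, as the configs above are.
audit_nginx() {
    awk '
    function addr(a,   s) {            # normalise "80" / "[::]:80" / "*:80" to host:port
        s = a; sub(/;$/, "", s)
        if (s ~ /^[0-9]+$/) s = "*:" s
        return s
    }
    { sub(/#.*/, "") }                 # drop comments before parsing
    depth == 0 && /server[ \t]*[{]/ { depth = 1; ns++; names[ns] = "(no server_name)"; next }
    depth > 0 {                        # track nesting so only server-level directives count
        t = $0; depth += gsub(/[{]/, "{", t); depth -= gsub(/[}]/, "}", t)
        if (depth < 1) { depth = 0; next }
    }
    depth == 1 && $1 == "listen" {
        a = addr($2); port = a; sub(/^.*:/, "", port)
        if (!(a in first)) { first[a] = ns; order[++na] = a }   # first block wins by default
        if ($0 ~ /default_server/) explicit[a] = ns
        if (a ~ /^\[::\]:/) { v6port[ns, port] = 1 } else { v4port[ns, port] = a }
        if ($0 ~ /[ \t]ssl[ \t;]/ && port != "443")
            warn[++nw] = ns SUBSEP "TLS on non-standard port " port " (browsers default to 443)"
    }
    depth == 1 && $1 == "server_name" {
        t = $0; sub(/^[ \t]*server_name[ \t]+/, "", t); sub(/;.*$/, "", t); names[ns] = t
    }
    depth == 1 && $1 == "ssl" && $2 ~ /^on/ {
        warn[++nw] = ns SUBSEP "deprecated ssl on; use the ssl parameter of listen"
    }
    depth == 1 && $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) {
            v = $i; sub(/;$/, "", v)
            if (v == "TLSv1" || v == "TLSv1.1") warn[++nw] = ns SUBSEP "legacy protocol " v " enabled"
        }
    }
    END {
        for (i = 1; i <= na; i++) {
            a = order[i]
            if (a in explicit) print "default for " a ": server " explicit[a] " (" names[explicit[a]] ") [explicit]"
            else print "default for " a ": server " first[a] " (" names[first[a]] ") [first defined]"
        }
        for (k in v4port) {            # an IPv4-only listen leaves IPv6 clients to another block
            split(k, p, SUBSEP)
            if (!((p[1], p[2]) in v6port))
                warn[++nw] = p[1] SUBSEP v4port[k] " has no [::]:" p[2] " counterpart"
        }
        for (i = 1; i <= nw; i++) { split(warn[i], w, SUBSEP); print "server " w[1] " (" names[w[1]] "): " w[2] }
    }' "$@"
}

# Constructed sample config (not a real server) mirroring the questions above:
# an HTTPS site on 443 with legacy settings, a second HTTPS site on the wrong
# port, and a plain-HTTP site with no IPv6 listener.
sample_config() {
    cat <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass http://127.0.0.1:4001;
    }
}
server {
    listen 431 ssl;
    listen [::]:431 ssl;
    server_name payment.example.com;
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    }
}
server {
    listen 80;
    server_name domain2.com;
    root /var/www/domain2.com/html;
}
EOF
}

sample_config | audit_nginx
```

On the sample the report shows that *:443 belongs to the www.example.com block because nothing else listens there, so a browser asking for https://payment.example.com (port 443, not 431) lands on that block exactly as the last question describes, and that the domain2.com block answers only on IPv4 port 80, which is the shape of the Bouygues problem. Once nginx -T output is fed in, the same lines tell you which block a stray Host header or an IPv6-only client will reach before you find out from a user.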