I'm struggling creating proper Apache2 .conf file for my Funkwhale instance from the nginx.template. Could you help me?
Here is the template:
# This file was generated from Funkwhale's nginx.template
upstream funkwhale-api {
# depending on your setup, you may want to update this
server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
}
server {
listen 80;
listen [::]:80;
# update this to match your instance name
server_name ${FUNKWHALE_HOSTNAME};
# useful for Let's Encrypt
location /.well-known/acme-challenge/ {
allow all;
}
location / {
return 301 https://$host$request_uri;
}
}
# Required for websocket support.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
charset utf-8;
server_name ${FUNKWHALE_HOSTNAME};
# TLS
# Feel free to use your own configuration for SSL here or simply remove the
# lines and move the configuration to the previous server block if you
# don't want to run funkwhale behind https (this is not recommended)
# have a look here for let's encrypt configuration:
# https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_certificate /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/privkey.pem;
# HSTS
add_header Strict-Transport-Security "max-age=31536000";
add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Service-Worker-Allowed "/";
root ${FUNKWHALE_FRONTEND_PATH};
# compression settings
gzip on;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
application/javascript
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
# end of compression settings
location /api/ {
include /etc/nginx/funkwhale_proxy.conf;
# This is needed if you have file import via upload enabled.
client_max_body_size ${NGINX_MAX_BODY_SIZE};
proxy_pass http://funkwhale-api;
}
location / {
alias ${FUNKWHALE_FRONTEND_PATH}/;
expires 1d;
try_files $uri $uri/ /index.html;
}
location = /embed.html {
add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
expires 1d;
}
location /federation/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://funkwhale-api;
}
# You can comment this if you do not plan to use the Subsonic API.
location /rest/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://funkwhale-api/api/subsonic/rest/;
}
location /.well-known/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://funkwhale-api;
}
location /media/ {
alias ${MEDIA_ROOT}/;
add_header Access-Control-Allow-Origin '*';
}
# This is an internal location that is used to serve
# media (uploaded) files once correct permission / authentication
# has been checked on API side.
# Comment the "NON-S3" commented lines and uncomment "S3" commented lines
# if you're storing media files in a S3 bucket.
location ~ /_protected/media/(.+) {
internal;
alias ${MEDIA_ROOT}/$1; # NON-S3
# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
# proxy_set_header Authorization ""; # S3
# proxy_pass $1; # S3
add_header Access-Control-Allow-Origin '*';
}
location /_protected/music/ {
# This is an internal location that is used to serve
# local music files once correct permission / authentication
# has been checked on API side.
# Set this to the same value as your MUSIC_DIRECTORY_PATH setting.
internal;
alias ${MUSIC_DIRECTORY_SERVE_PATH};
add_header Access-Control-Allow-Origin '*';
}
location /manifest.json {
return 302 /api/v1/instance/spa-manifest.json;
}
}
And here is the apache2 conf I tried to create:
# Following variables MUST be modified according to your setup
Define funkwhale-sn funkwhale.example.net
# Following variables should be modified according to your setup and if you
# use different configuration than what is described in our installation guide.
Define funkwhale-api http://localhost:5000
Define funkwhale-api-ws ws://localhost:5000
Define FUNKWHALE_ROOT_PATH /var/www/datas/funkwhale
Define MUSIC_DIRECTORY_PATH ${FUNKWHALE_ROOT_PATH}/data/music
Define MEDIA_DIRECTORY_PATH ${FUNKWHALE_ROOT_PATH}/data/media
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName ${funkwhale-sn}
ServerAlias www.funkwhale.example.net music.example.net musique.example.net www.musique.example.net www.music.example.net
# Path to ErrorLog and access log
ErrorLog ${APACHE_LOG_DIR}/funkwhale_error.log
CustomLog ${APACHE_LOG_DIR}/funkwhale_access.log combined
# Default is to force https
# RewriteEngine on
# RewriteCond %{SERVER_NAME} =${funkwhale-sn}
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
<Location "/.well-known/acme-challenge/">
Options None
Require all granted
</Location>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLProxyEngine On
# Tell the api that the client is using https
RequestHeader set X-Forwarded-Proto "https"
# Configure Proxy settings
# ProxyPreserveHost pass the original Host header to the backend server
ProxyVia On
ProxyPreserveHost On
<IfModule mod_remoteip.c>
RemoteIPHeader X-Forwarded-For
</IfModule>
# Turning ProxyRequests on and allowing proxying from all may allow
# spammers to use your proxy to send e-mail.
ProxyRequests Off
<Proxy *>
AddDefaultCharset off
Order Allow,Deny
Allow from all
</Proxy>
<Location "/api/">
# similar to nginx 'client_max_body_size 100M;'
LimitRequestBody 104857600
ProxyPass ${funkwhale-api}/
ProxyPassReverse ${funkwhale-api}/
</Location>
<Location "/federation/">
ProxyPass ${funkwhale-api}
ProxyPassReverse ${funkwhale-api}
</Location>
# You can comment this if you don't plan to use the Subsonic API
<Location "/rest">
ProxyPass ${funkwhale-api}/api/subsonic/rest
ProxyPassReverse ${funkwhale-api}/api/subsonic/rest
</Location>
<Location "/.well-known/">
ProxyPass ${funkwhale-api}/
ProxyPassReverse ${funkwhale-api}/
</Location>
<Location "/">
ProxyPass "!"
</Location>
Alias / ${FUNKWHALE_ROOT_PATH}/front/dist
<Location "/embed.html">
ProxyPass "!"
</Location>
Alias /embed.html ${FUNKWHALE_ROOT_PATH}/front/dist/embed.html
<Location "/media">
ProxyPass "!"
</Location>
Alias /media ${FUNKWHALE_ROOT_PATH}/data/media
<Location "/manifest.json">
ProxyPass "!"
</Location>
Alias /manifest.json ${FUNKWHALE_ROOT_PATH}/api/v1/instance/spa-manifest.json
<Location "/staticfiles">
ProxyPass "!"
</Location>
Alias /staticfiles ${FUNKWHALE_ROOT_PATH}/data/static
<Location "/_protected/music/">
ProxyPass "!"
</Location>
Alias /_protected/music/ ${MUSIC_DIRECTORY_PATH}/
# Activating WebSockets
<Location "/api/v1/activity">
ProxyPass ${funkwhale-api-ws}/api/v1/activity
</Location>
# Setting appropriate access levels to serve frontend
<Directory "${FUNKWHALE_ROOT_PATH}/data/static">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory "${FUNKWHALE_ROOT_PATH}/front/dist">
Options FollowSymLinks
AllowOverride None
Require all granted
DirectoryIndex ${FUNKWHALE_ROOT_PATH}/front/dist/index.html
</Directory>
<Directory "${MEDIA_DIRECTORY_PATH}">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
# XSendFile is serving audio files
# WARNING : permissions on paths specified below overrides previous definition,
# everything under those paths is potentially exposed.
# Following directive may be needed to ensure xsendfile is loaded
LoadModule xsendfile_module modules/mod_xsendfile.so
<IfModule mod_xsendfile.c>
XSendFile On
XSendFilePath ${MEDIA_DIRECTORY_PATH}
XSendFilePath ${MUSIC_DIRECTORY_PATH}
SetEnv MOD_X_SENDFILE_ENABLED 1
</IfModule>
SSLCertificateFile /etc/letsencrypt/live/example.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.net/privkey.pem
</VirtualHost>
</IfModule>
Unfortunately, trying to access to various paths (embed.html or the root of the subdomain) leads to errors (403 for the root, 404 for embed.html or /subscriptions)
Could you help me fix this?
Thanks for your help.
Related
I'm trying to set-up this self-hosted service but the example web configuration they give is for Nginx and I only have experience with Apache. Could someone help me write the equivalent config of below into Apache?
server {
listen 80 default_server;
listen [::]:80 ipv6only=on default_server;
server_name pretix.mydomain.com;
}
server {
listen 443 default_server;
listen [::]:443 ipv6only=on default_server;
server_name pretix.mydomain.com;
ssl on;
ssl_certificate /path/to/cert.chain.pem;
ssl_certificate_key /path/to/key.pem;
add_header Referrer-Policy same-origin;
add_header X-Content-Type-Options nosniff;
location / {
proxy_pass http://localhost:8345/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
}
location /media/ {
alias /var/pretix/data/media/;
expires 7d;
access_log off;
}
location ^~ /media/cachedfiles {
deny all;
return 404;
}
location ^~ /media/invoices {
deny all;
return 404;
}
location /static/ {
alias /var/pretix/venv/lib/python3.5/site-packages/pretix/static.dist/;
access_log off;
expires 365d;
add_header Cache-Control "public";
}
}
Edit: This is what I tried as best as I could to try to translate between the two. I think I got caught up on the reverse proxy piece.
<VirtualHost *:80>
ServerAdmin admin#mydomain.com
ServerName tickets.mydomain.com
ServerAlias www.tickets.mydomain.com
DocumentRoot /var/pretix/data/media/
ProxyPass / http://127.0.0.1:8345/
ProxyPassReverse / http://127.0.0.1:8345/
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Proto "https"
<Directory /var/pretix/data/media/>
AllowOverride All
Require all granted
</Directory>
<Directory /var/pretix/venv/lib/python3.6/site-packages/pretix/static.dist/>
AllowOverride All
Require all granted
</Directory>
Alias /media "/var/pretix/data/media/"
Alias /static "/var/pretix/venv/lib/python3.6/site-packages/pretix/static.dist/"
<Directory /var/pretix/data/media/cachedfiles>
order deny,allow
deny from all
</Directory>
<Directory /var/pretix/data/media/invoices>
order deny,allow
deny from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<IfModule mod_dir.c>
DirectoryIndex index.php index.pl index.cgi index.html index.xhtml index.htm
</IfModule>
RewriteEngine on
RewriteCond %{SERVER_NAME} =tickets.mydomain.com [OR]
RewriteCond %{SERVER_NAME} =www.tickets.mydomain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
I am trying to create a ticket via the WHMCS Api (latest version) using axios from my react app.
When I make the call, there are two calls from the client: one for the OPTIONS (CORS) and the second for the actual POST, with all the the necessary fields, however, I am getting two errors:
1. Request one:
Request URL: https://my-domain/includes/api.php?accesskey=<KEY>q&identifier=<ID>&secret<SECRET>&action=OpenTicket
Request Method: OPTIONS
Status Code: 200 OK
Remote Address: 62.*.*.*:443
Response:
result=error;message=An admin user is required
2. Request 2:
Request URL: https://my-domain/includes/api.php?accesskey=<KEY>q&identifier=<ID>&secret<SECRET>&action=OpenTicket
Request Method: POST
Status Code: 200 OK
Remote Address: 62.*.*.*:443
Payload:
{
admin: true
deptid: "1"
email: "something#mail.domain"
markdown: true
message: "test"
name: "text"
priority: "Medium"
responsetype: "json"
subject: "test"
}
Response:
result=error;message=Name and email address are required if not a client
JS code:
...
const ticketObject = {
admin: true
deptid: "1"
email: "something#mail.domain"
markdown: true
message: "test"
name: "text"
priority: "Medium"
responsetype: "json"
subject: "test"
};
const res = await axios.post(
"https://my-domain/includes/api.php?accesskey=<KEY>q&identifier=<ID>&secret<SECRET>&action=OpenTicket",
ticketObject
);
...
Server details:
OS: CentOS 7
Webserver: Nginx (latest version) proxy_pass to httpd
Nginx conf:
server {
server_name my-domain www.my-domain;
error_log /var/log/httpd/domains/my-domain.error.log error;
location / {
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf|webp|woff|txt|csv|rtf|doc|docx|xls|xlsx|ppt|pptx|odf|odp|ods|odt|pdf|psd|ai|eot|eps|ps|zip|tar|tgz|gz|rar|bz2|7z|aac|m4a|mp3|mp4|ogg|wav|wma|3gp|avi|flv|m4v|mkv|mov|mpeg|mpg|wmv|exe|iso|dmg|swf)$ {
root /home/admin/web/my-domain/public_html;
access_log /var/log/httpd/domains/my-domain.log combined;
access_log /var/log/httpd/domains/my-domain.bytes bytes;
expires max;
try_files $uri #fallback;
}
# Check if the origin of th request
set $cors '';
if ($http_origin ~* (https?://.*\.proudtech\.ro?(:[0-9]+)?$)) {
set $cors 'on';
}
if ($request_method = OPTIONS) {
set $cors "${cors}_options";
}
# Allow CORS on preflight request
if ($cors = 'on_options') {
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';
add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept';
return 204;
}
# Proxy pass to upstream
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
# Allow CORS on other requests after returning from the upstreams
if ($cors = 'on') {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';
add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept';
}
proxy_pass http://62.*.*.*:8080;
}
location /error/ {
alias /home/admin/web/my-domain/document_errors/;
}
location #fallback {
proxy_pass http://62.*.*.*:8080;
}
include /home/admin/conf/web/nginx.my-domain.conf*;
}
server {
if ($host = my-domain) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 62.*.*.*:80;
server_name my-domain www.my-domain;
return 404; # managed by Certbot
}
VirtualHost conf:
ServerName my-domain
ServerAlias www.my-domain
ServerAdmin info#my-domain
DocumentRoot /home/admin/web/my-domain/public_html
ScriptAlias /cgi-bin/ /home/admin/web/my-domain/cgi-bin/
Alias /vstats/ /home/admin/web/my-domain/stats/
Alias /error/ /home/admin/web/my-domain/document_errors/
#SuexecUserGroup admin admin
CustomLog /var/log/httpd/domains/my-domain.bytes bytes
CustomLog /var/log/httpd/domains/my-domain.log combined
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
ErrorLog /var/log/httpd/domains/my-domain.error.log
<Directory /home/admin/web/my-domain/public_html>
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir /home/admin/web/my-domain/public_html:/home/admin/tmp
php_admin_value upload_tmp_dir /home/admin/tmp
php_admin_value session.save_path /home/admin/tmp
</Directory>
<Directory /home/admin/web/my-domain/stats>
AllowOverride All
</Directory>
<IfModule mod_ruid2.c>
RMode config
RUidGid admin admin
RGroups apache
</IfModule>
<IfModule itk.c>
AssignUserID admin admin
</IfModule>
IncludeOptional /home/admin/conf/web/httpd.my-domain.conf*
See this documentation about the OpenTicket API function: https://developers.whmcs.com/api-reference/openticket/
You shouldn't both use admin and email. Email should only be entered if it's a non-existing client that creates the ticket. You shouldn't use name either.
I have 2 ports running on my server right now.
that is the main application port 5455
socket port 8433
we are migrating this apache setup to Nginx.
In Apache, we had 2 conf files 1 for the application server and 1 for the socket
I have been able to move the application server correctly but not able to make the socket work
<VirtualHost _default_:8443>
ServerAdmin admin#abc.tech
ServerName api.abc.tech
DocumentRoot /var/www/api.abc.tech/socket
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
<Proxy *>
Require all granted
</Proxy>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/socket.io [NC]
RewriteCond %{QUERY_STRING} transport=websocket [NC]
RewriteRule /(.*) ws://localhost:8000/$1 [P,L]
ProxyPass /socket.io/ http://127.0.0.1:8000/socket.io/
ProxyPassReverse /socket.io/ http://127.0.0.1:8000/socket.io/
SSLCertificateFile /etc/apache2/sites-available/api.abc.tech.crt
SSLCertificateKeyFile /etc/apache2/sites-available/api.abc.tech.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
My current Nginx file is as below
server {
listen 8443;
server_name _;
location / {
proxy_pass http://localhost:8443;
}
}
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/api.abc.tech/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.abc.tech/privkey.pem;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name api.abc.tech;
location / {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:5455;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' '*';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 200;
}
}
location ^~ /.well-known/acme-challenge/ {
allow all;
}
}
so when the application hits the below route
https://api.abc.tech:8443/socket.io/?EIO=3&transport=polling&t=MvOh2
it is returning below error
Referrer Policy: no-referrer-when-downgrade
If you need any other information please feel free to ask
Any assistance on this will be highly appreciated.
I deplyed two web-server on my machine, one is Apache (port 80) which launches the PHP5.3, the other one is Nginx (port 8080) which launches the PHP 7.0.2.
I had made Apache to act as a proxy to Nginx.
I set a VirtualHost of Apache, below is the setting:
<VirtualHost *:80>
ServerAdmin 369273264#qq.com
ServerName wxforum.com
ServerAlias wxforum.com
Header set Access-Control-Allow-Origin "http://wxforum.com"
ErrorLog "/private/var/log/apache2/wxforum.com-error_log"
CustomLog "/private/var/log/apache2/wxforum-access_log" common
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
Below is the partial setting of Nginx:
server {
listen 8080;
server_name localhost;
set $root_path '/usr/local/var/www';
root $root_path;
#index index.php index.html index.htm
#charset koi8-r;
access_log /usr/local/var/log/nginx/localhost.access.log main;
error_log /usr/local/var/log/nginx/localhost.error.log;
location / {
index index.php index.html index.htm;
try_files $uri $uri/ /index.php$is_args$query_string;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root $root_path;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
#root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index /index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
Now When I access http://wxforum.com, the Nginx works, But when I issue an AJAX request, it fails, and shows me:
XMLHttpRequest cannot load http://127.0.0.1:8080/_debugbar/open?op=get&id=9932e2decca12d5f5109a1a61d4ce5dc. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://wxforum.com' is therefore not allowed access..
In this case, how could I enable CORS on pure web-server?
I solved my problem after reading Using CORS, CORS on Nginx, it does not need to edit configuration file of Apache, thanks so much!
Finally, my nginx.conf is like below:
server {
listen 8080;
server_name localhost;
set $root_path '/usr/local/var/www';
root $root_path;
#charset koi8-r;
access_log /usr/local/var/log/nginx/localhost.access.log main;
error_log /usr/local/var/log/nginx/localhost.error.log;
index index.php index.html index.htm;
# enable CORS
# http://www.html5rocks.com/en/tutorials/cors/#toc-cors-server-flowchart
# http://enable-cors.org/server_nginx.html
# http://stackoverflow.com/questions/14499320/how-to-properly-setup-nginx-access-control-allow-origin-into-response-header-bas/29113949#29113949
set $allow_origin 'http://wxforum.com';
add_header 'Access-Control-Allow-Origin' $allow_origin;
add_header 'Access-Control-Allow-Methods' 'GET, POST';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
location / {
# add_header Access-Control-Allow-Origin $cors_header;
try_files $uri $uri/ /index.php$is_args$query_string;
}
...
}
I've installed RedMine on my cPanel Centos 6.7 Final with nGinx as reverse proxy on Apache 2.4 (with Passenger).
Sometimes, when I try to navigate my Redmine I get ERR_TOO_MANY_REDIRECTS error and I have to clean my browser cache to make it works.
So this is the question: which can be the problem to solve?
I don't know a lot about Ruby, Gem, Passenger, Bundler, and Rake.
Here is my Redmine configuration:
Environment:
Redmine version 3.2.1.stable
Ruby version 2.3.0-p0 (2015-12-25) [x86_64-linux]
Rails version 4.2.5.2
Environment production
Database adapter Mysql2
SCM:
Git 1.7.1
Filesystem
Redmine plugins:
redmine_checklists 3.1.3
redmine_mail_reminder 3.0.0.0001
Here is my Apache (httpd) conf (relevant parts):
<VirtualHost 92.222.180.93:8081>
ServerName xxxxxxxx.xx
ServerAlias xxxxxxxx.xx
DocumentRoot /home/xxxxxxxx/public_html/public
ServerAdmin webmaster#xxxxxxxx.xx
UseCanonicalName Off
Options -ExecCGI -Includes
RemoveHandler cgi-script .cgi .pl .plx .ppl .perl
CustomLog /usr/local/apache/domlogs/xxxxxxxx.xx combined
<IfModule log_config_module>
<IfModule logio_module>
CustomLog /usr/local/apache/domlogs/xxxxxxxx.xx-bytes_log "%{%s}t %I .\n%{%s}t %O ."
</IfModule>
</IfModule>
## User xxxxxxxx # Needed for Cpanel::ApacheConf
<IfModule userdir_module>
<IfModule !mpm_itk.c>
<IfModule !ruid2_module>
UserDir enabled xxxxxxxx
</IfModule>
</IfModule>
</IfModule>
# Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
# To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
# the user's .htaccess file. For more information, please read:
# http://httpd.apache.org/docs/2.4/mod/mod_include.html#ssilegacyexprparser
<IfModule include_module>
<Directory "/home/xxxxxxxx/public_html/public">
SSILegacyExprParser On
</Directory>
</IfModule>
<IfModule suphp_module>
suPHP_UserGroup xxxxxxxx xxxxxxxx
</IfModule>
<IfModule !mod_disable_suexec.c>
<IfModule !mod_ruid2.c>
SuexecUserGroup xxxxxxxx xxxxxxxx
</IfModule>
</IfModule>
<IfModule ruid2_module>
RMode config
RUidGid xxxxxxxx xxxxxxxx
</IfModule>
<IfModule mpm_itk.c>
# For more information on MPM ITK, please read:
# http://mpm-itk.sesse.net/
AssignUserID xxxxxxxx xxxxxxxx
</IfModule>
# To customize this VirtualHost use an include file at the following location
# Include "/usr/local/apache/conf/userdata/std/2_4/xxxxxxxx/xxxxxxxx.xx/*.conf"
</VirtualHost>
Here is my nGinx as Reverse Proxy conf:
user nobody;
# no need for more workers in the proxy mode
worker_processes auto;
error_log /var/log/nginx/error.log warn;
error_log /var/log/nginx/error.log debug;
worker_rlimit_nofile 20480;
events {
worker_connections 5120; # increase for busier servers
use epoll; # you should use epoll here for Linux kernels 2.6.x
}
http {
server_name_in_redirect off;
server_names_hash_max_size 10240;
server_names_hash_bucket_size 1024;
include mime.types;
default_type application/octet-stream;
server_tokens off;
# remove/commentout disable_symlinks if_not_owner;if you get Permission denied error
# disable_symlinks if_not_owner;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 5;
gzip on;
gzip_vary on;
gzip_disable "MSIE [1-6]\.";
gzip_proxied any;
gzip_http_version 1.0;
gzip_min_length 1000;
gzip_comp_level 6;
gzip_buffers 16 8k;
# You can remove image/png image/x-icon image/gif image/jpeg if you have slow CPU
gzip_types text/plain text/xml text/css application/x-javascript application/xml application/javascript application/xml+rss text/javascript application/atom+xml;
ignore_invalid_headers on;
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 3m;
reset_timedout_connection on;
connection_pool_size 256;
client_header_buffer_size 256k;
large_client_header_buffers 4 256k;
client_max_body_size 200M;
client_body_buffer_size 128k;
request_pool_size 32k;
output_buffers 4 32k;
postpone_output 1460;
###
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
###
#proxy_set_header X-Forwarded-Proto $scheme;
proxy_temp_path /tmp/nginx_proxy/;
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=microcache:15m inactive=24h max_size=500m;
client_body_in_file_only on;
log_format bytes_log "$msec $bytes_sent .";
log_format custom_microcache '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" nocache:$no_cache';
include "/etc/nginx/vhosts/*";
}
Here is the nGinx vhost:
server
{
error_log /var/log/nginx/vhost-error_log warn;
listen x.x.x.x:80;
listen [::]:80;
server_name xxxxxx.xx www.xxxxxx.xx;
access_log /usr/local/apache/domlogs/xxxxxx.xx-bytes_log bytes_log;
access_log /usr/local/apache/domlogs/xxxxxx.xx combined;
root /home/xxxxxx/public_html/public;
location ~*.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso)$
{
expires 1M;
try_files $uri #backend;
}
location /
{
error_page 405 = #backend;
add_header X-Cache "HIT from Backend";
proxy_pass http://x.x.x.x:8081;
include proxy.inc;
include microcache.inc;
}
location #backend
{
internal;
proxy_pass http://x.x.x.x:8081;
include proxy.inc;
include microcache.inc;
}
location ~ .*\.(php|jsp|cgi|pl|py)?$
{
proxy_pass http://x.x.x.x:8081;
include proxy.inc;
include microcache.inc;
}
location ~ /\.ht
{
deny all;
}
}
Edit: production.log
I cleared my logs before the error happened.
Started GET "/" for my.ip.my.ip at 2016-04-01 15:02:26 +0200
Processing by WelcomeController#index as HTML
Current user: anonymous
Redirected to http://my.site.ext/login?back_url=http%3A%2F%2Fmy.site.ext%2F
Filter chain halted as :check_if_login_required rendered or redirected
Completed 302 Found in 123ms (ActiveRecord: 9.5ms)
Started GET "/login?back_url=http%3A%2F%2Fmy.site.ext%2F" for my.ip.my.ip at 2016-04-01 15:02:26 +0200
Processing by AccountController#login as HTML
Parameters: {"back_url"=>"http://my.site.ext/"}
Current user: anonymous
Rendered account/login.html.erb within layouts/base (45.5ms)
Completed 200 OK in 359ms (Views: 342.8ms | ActiveRecord: 9.3ms)
Started POST "/login" for my.ip.my.ip at 2016-04-01 15:02:34 +0200
Processing by AccountController#login as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"CnO9780juQpbGCuASRL2gy7qYRG8noWBHwgx8BtgpqErMcTNhY9pJRctIqztVVKwVuwVrKeT3HkyjFfzX/c1pg==", "back_url"=>"http://my.site.ext/", "username"=>"my-username", "password"=>"[FILTERED]", "login"=>"Entra »"}
Current user: anonymous
Successful authentication for 'my-username' from my.ip.my.ip at 2016-04-01 13:02:34 UTC
My solution was incorrect. Same problem again.
Finally I found out the solution.
Inside the http block in nginx.conf I changed this line #proxy_set_header X-Forwarded-Proto $scheme; into proxy_set_header X-Forwarded-Proto http; and the error has never shown again (from one week).
This is why my nGinx works as reverse proxy, and I was missing to set the header X-Forwarded-Proto. At the first time I only uncommented the line, but at the end I noticed that inside and http block the $scheme var can only be http.