We Keep Coding

Convert Nginx template to Apache2

I'm struggling creating proper Apache2 .conf file for my Funkwhale instance from the nginx.template. Could you help me?
Here is the template:
# This file was generated from Funkwhale's nginx.template
upstream funkwhale-api {
# depending on your setup, you may want to update this
server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
}
server {
listen 80;
listen [::]:80;
# update this to match your instance name
server_name ${FUNKWHALE_HOSTNAME};
# useful for Let's Encrypt
location /.well-known/acme-challenge/ {
allow all;
}
location / {
return 301 https://$host$request_uri;
}
}
# Required for websocket support.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
charset utf-8;
server_name ${FUNKWHALE_HOSTNAME};
# TLS
# Feel free to use your own configuration for SSL here or simply remove the
# lines and move the configuration to the previous server block if you
# don't want to run funkwhale behind https (this is not recommended)
# have a look here for let's encrypt configuration:
# https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_certificate /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/privkey.pem;
# HSTS
add_header Strict-Transport-Security "max-age=31536000";
add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Service-Worker-Allowed "/";
root ${FUNKWHALE_FRONTEND_PATH};
# compression settings
gzip on;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
application/javascript
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
# end of compression settings
location /api/ {
include /etc/nginx/funkwhale_proxy.conf;
# This is needed if you have file import via upload enabled.
client_max_body_size ${NGINX_MAX_BODY_SIZE};
proxy_pass http://funkwhale-api;
}
location / {
alias ${FUNKWHALE_FRONTEND_PATH}/;
expires 1d;
try_files $uri $uri/ /index.html;
}
location = /embed.html {
add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
expires 1d;
}
location /federation/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://funkwhale-api;
}
# You can comment this if you do not plan to use the Subsonic API.
location /rest/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://funkwhale-api/api/subsonic/rest/;
}
location /.well-known/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://funkwhale-api;
}
location /media/ {
alias ${MEDIA_ROOT}/;
add_header Access-Control-Allow-Origin '*';
}
# This is an internal location that is used to serve
# media (uploaded) files once correct permission / authentication
# has been checked on API side.
# Comment the "NON-S3" commented lines and uncomment "S3" commented lines
# if you're storing media files in a S3 bucket.
location ~ /_protected/media/(.+) {
internal;
alias ${MEDIA_ROOT}/$1; # NON-S3
# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
# proxy_set_header Authorization ""; # S3
# proxy_pass $1; # S3
add_header Access-Control-Allow-Origin '*';
}
location /_protected/music/ {
# This is an internal location that is used to serve
# local music files once correct permission / authentication
# has been checked on API side.
# Set this to the same value as your MUSIC_DIRECTORY_PATH setting.
internal;
alias ${MUSIC_DIRECTORY_SERVE_PATH};
add_header Access-Control-Allow-Origin '*';
}
location /manifest.json {
return 302 /api/v1/instance/spa-manifest.json;
}
}
And here is the apache2 conf I tried to create:
# Following variables MUST be modified according to your setup
Define funkwhale-sn funkwhale.example.net
# Following variables should be modified according to your setup and if you
# use different configuration than what is described in our installation guide.
Define funkwhale-api http://localhost:5000
Define funkwhale-api-ws ws://localhost:5000
Define FUNKWHALE_ROOT_PATH /var/www/datas/funkwhale
Define MUSIC_DIRECTORY_PATH ${FUNKWHALE_ROOT_PATH}/data/music
Define MEDIA_DIRECTORY_PATH ${FUNKWHALE_ROOT_PATH}/data/media
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName ${funkwhale-sn}
ServerAlias www.funkwhale.example.net music.example.net musique.example.net www.musique.example.net www.music.example.net
# Path to ErrorLog and access log
ErrorLog ${APACHE_LOG_DIR}/funkwhale_error.log
CustomLog ${APACHE_LOG_DIR}/funkwhale_access.log combined
# Default is to force https
# RewriteEngine on
# RewriteCond %{SERVER_NAME} =${funkwhale-sn}
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
<Location "/.well-known/acme-challenge/">
Options None
Require all granted
</Location>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLProxyEngine On
# Tell the api that the client is using https
RequestHeader set X-Forwarded-Proto "https"
# Configure Proxy settings
# ProxyPreserveHost pass the original Host header to the backend server
ProxyVia On
ProxyPreserveHost On
<IfModule mod_remoteip.c>
RemoteIPHeader X-Forwarded-For
</IfModule>
# Turning ProxyRequests on and allowing proxying from all may allow
# spammers to use your proxy to send e-mail.
ProxyRequests Off
<Proxy *>
AddDefaultCharset off
Order Allow,Deny
Allow from all
</Proxy>
<Location "/api/">
# similar to nginx 'client_max_body_size 100M;'
LimitRequestBody 104857600
ProxyPass ${funkwhale-api}/
ProxyPassReverse ${funkwhale-api}/
</Location>
<Location "/federation/">
ProxyPass ${funkwhale-api}
ProxyPassReverse ${funkwhale-api}
</Location>
# You can comment this if you don't plan to use the Subsonic API
<Location "/rest">
ProxyPass ${funkwhale-api}/api/subsonic/rest
ProxyPassReverse ${funkwhale-api}/api/subsonic/rest
</Location>
<Location "/.well-known/">
ProxyPass ${funkwhale-api}/
ProxyPassReverse ${funkwhale-api}/
</Location>
<Location "/">
ProxyPass "!"
</Location>
Alias / ${FUNKWHALE_ROOT_PATH}/front/dist
<Location "/embed.html">
ProxyPass "!"
</Location>
Alias /embed.html ${FUNKWHALE_ROOT_PATH}/front/dist/embed.html
<Location "/media">
ProxyPass "!"
</Location>
Alias /media ${FUNKWHALE_ROOT_PATH}/data/media
<Location "/manifest.json">
ProxyPass "!"
</Location>
Alias /manifest.json ${FUNKWHALE_ROOT_PATH}/api/v1/instance/spa-manifest.json
<Location "/staticfiles">
ProxyPass "!"
</Location>
Alias /staticfiles ${FUNKWHALE_ROOT_PATH}/data/static
<Location "/_protected/music/">
ProxyPass "!"
</Location>
Alias /_protected/music/ ${MUSIC_DIRECTORY_PATH}/
# Activating WebSockets
<Location "/api/v1/activity">
ProxyPass ${funkwhale-api-ws}/api/v1/activity
</Location>
# Setting appropriate access levels to serve frontend
<Directory "${FUNKWHALE_ROOT_PATH}/data/static">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory "${FUNKWHALE_ROOT_PATH}/front/dist">
Options FollowSymLinks
AllowOverride None
Require all granted
DirectoryIndex ${FUNKWHALE_ROOT_PATH}/front/dist/index.html
</Directory>
<Directory "${MEDIA_DIRECTORY_PATH}">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
# XSendFile is serving audio files
# WARNING : permissions on paths specified below overrides previous definition,
# everything under those paths is potentially exposed.
# Following directive may be needed to ensure xsendfile is loaded
LoadModule xsendfile_module modules/mod_xsendfile.so
<IfModule mod_xsendfile.c>
XSendFile On
XSendFilePath ${MEDIA_DIRECTORY_PATH}
XSendFilePath ${MUSIC_DIRECTORY_PATH}
SetEnv MOD_X_SENDFILE_ENABLED 1
</IfModule>
SSLCertificateFile /etc/letsencrypt/live/example.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.net/privkey.pem
</VirtualHost>
</IfModule>
Unfortunately, trying to access to various paths (embed.html or the root of the subdomain) leads to errors (403 for the root, 404 for embed.html or /subscriptions)
Could you help me fix this?
Thanks for your help.

Apache2 config to Nginx config?

I have 2 ports running on my server right now.
that is the main application port 5455
socket port 8433
we are migrating this apache setup to Nginx.
In Apache, we had 2 conf files 1 for the application server and 1 for the socket
I have been able to move the application server correctly but not able to make the socket work
<VirtualHost _default_:8443>
ServerAdmin admin#abc.tech
ServerName api.abc.tech
DocumentRoot /var/www/api.abc.tech/socket
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
<Proxy *>
Require all granted
</Proxy>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/socket.io [NC]
RewriteCond %{QUERY_STRING} transport=websocket [NC]
RewriteRule /(.*) ws://localhost:8000/$1 [P,L]
ProxyPass /socket.io/ http://127.0.0.1:8000/socket.io/
ProxyPassReverse /socket.io/ http://127.0.0.1:8000/socket.io/
SSLCertificateFile /etc/apache2/sites-available/api.abc.tech.crt
SSLCertificateKeyFile /etc/apache2/sites-available/api.abc.tech.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
My current Nginx file is as below
server {
listen 8443;
server_name _;
location / {
proxy_pass http://localhost:8443;
}
}
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/api.abc.tech/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.abc.tech/privkey.pem;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name api.abc.tech;
location / {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:5455;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' '*';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 200;
}
}
location ^~ /.well-known/acme-challenge/ {
allow all;
}
}
so when the application hits the below route
https://api.abc.tech:8443/socket.io/?EIO=3&transport=polling&t=MvOh2
it is returning below error
Referrer Policy: no-referrer-when-downgrade
If you need any other information please feel free to ask
Any assistance on this will be highly appreciated.

Yii2 + Nginx(proxy) + Apache(back)

I'm learning NGINX and I need to set a frontend webserver with NGINX and a backend webserver with Apache using .htaccess
This is the content of /etc/nginx/sites-available/my_test5.loc
server {
charset utf-8;
client_max_body_size 128M;
listen 80;
server_name my_test5.loc;
root /var/www/my_test5.loc/web;
#root /var/www/my_test5.loc;
index index.php;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
# deny accessing php files for the /assets directory
location ~ ^/assets/.*\.php$ {
deny all;
}
location ~ \.php$ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
location ~* /\. {
# deny all;
allow all;
}
}
This is the content of /etc/apache2/sites-available/my_test5.loc.conf
<VirtualHost *:8080>
<Directory /var/www/my_test5.loc/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ServerAdmin admin#my_test5.loc
ServerName my_test5.loc
ServerAlias www.my_test5.loc
DocumentRoot /var/www/my_test5.loc/web/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Now all I have working is the main page. If I try to navigate to site/about for example I can't. What have I done wrong and how to use these 2 web servers?

I think your setup is only pointing correctly into index.php because of your location / {} directive, try editing your to be more permissive about your Apache access changing this block to pass through it and adding specific block to other kind of files, like assets.
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
location ~* \.(jpg|jpeg|png|gif|ico|css|js|ttf|ttc|otf|eot|woff|woff2)$ {
try_files $uri $uri/
}
This way NGINX serves your static files and Apache serves everything else.

For Nginx work
use .htaccess for apache
siteName.conf apache must be
siteName conf must be in nginx sites-available and sites-enable
be sure that you send request from 80 port to 8080(as in my case) and Apache are listening it

Nginx as reverse proxy for Apache does not load CSS or javascript

I am trying to insert a new website in a digital ocean server. There are currently 4 websites being hosted there in Nginx. I've created a Nginx Virtual Host that works as a reverse proxy for Apache, which is listening in the port 8000. It is currently redirecting when I try to access the domain, but it is failing to load all the CSS and Javascript. It just loads the HTML. But if I access it through www.domain.com:8000 it loads perfectly.
The Nginx configuration file for the website:
server {
listen 80;
root /usr/share/nginx/html/;
index index.php index.html index.htm;
server_name example.com www.example.com;
location / {
try_files $uri $uri/ /index.html?$args;
# include /etc/nginx/mime.types;
}
# location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
# expires 1s;
# }
location ~ \.css {
add_header Content-Type text/css;
}
location ~ \.js {
add_header Content-Type application/x-javascript;
}
location ~ \.html$ {
include /etc/nginx/mime.types;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://example.com:8000;
}
location ~ /\.ht {
deny all;
}
}
The Apache .conf file:
Listen 8000
<VirtualHost *:8000>
ServerAdmin admin#gmail.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
I don't use PHP on the website, just HTML, CSS and JavaScript.

Nginx error log - invalid local address

I have a Amazon EC2 Server setup with Nginx 1.8.1 on port 80 and Apache 2.4 on port 8080.
My Nginx error log is filled with invalid local address "www.domain.com:80"
Can someone advise how to fix this error?
My domain.com under /etc/nginx/sites-enabled is as below
server {
listen 80;
server_name domain.com www.domain.com;
root /home/domain/public_html/;
index index.php index.htm index.html;
location / {
#try_files $uri $uri/ /index.php;
#try_files $uri $uri/ $uri.php;
try_files $uri $uri/ /index.php?/$request_uri;
}
location ~ \.php$ {
proxy_bind $host:80;
proxy_pass http://www.domain.com:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header X-Cache-Status $upstream_cache_status;
# Cache configuration
proxy_cache my-cache;
proxy_cache_valid 10s;
proxy_no_cache $cookie_PHPSESSID;
proxy_cache_bypass $cookie_PHPSESSID;
proxy_cache_key "$scheme$host$request_uri";
}
# Disable Cache for the file type html, json
location ~* .(?:manifest|appcache|html?|xml|json)$ {
expires -1;
}
# Enable Cache the file 30 days
location ~* .(jpg|png|gif|jpeg|css|mp3|wav|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx)$ {
proxy_cache_valid 200 120m;
expires 30d;
proxy_cache my-cache;
#access_log off;
add_header X-Cache-Status $upstream_cache_status;
}
location ~ /\. {
access_log off;
log_not_found off;
deny all;
}
}
My domain.com under Apache Virtual Host is as below
<VirtualHost 172.31.xx.xxx:8080>
DocumentRoot /home/domain/public_html/
ServerName domaine.com
ServerAlias www.domain.com n1.domain.com
ErrorLog /home/domain/logs/error_log
CustomLog /home/domain/logs/access_log combined
<Directory /home/domain/public_html>
Options -Includes -ExecCGI
AllowOverride All
</Directory>

Is there any particular reason as to why you have the proxy_bind $host:80; directive? If not, remove it and it should stop the error (note that the address that you're binding to must be local, if you chose to go that route).