Unable to disable TLSv1 on Nginx - ssl

I've spent the last 3 hours trying everything to disable TLSv1 on Nginx. I've scoured the web and tried everything mentioned but to no avail.
Things I've tried include:
reordering "default_server" to be before ssl in the server tab
removed preferred ciphers
commenting out vast amounts of "ssl_" configs to see if that helps
At all times, I tested the domain using "openssl s_client -connect example.com:443 -tlsv1" after restarting the nginx service
Here is my /etc/nginx/nginx.conf file:
user example www-data;
worker_processes auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;
events {
worker_connections 2048;
multi_accept on;
}
http {
# http-level defaults: inherited by every server block in this file unless a block overrides them.
index index.php;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# NOTE(review): no set_real_ip_from directive is visible in this file. Without one the realip module trusts no upstream, so this header is ignored and $remote_addr stays the address of the directly connected peer.
# If a proxy/CDN fronts the site, list only its address ranges in set_real_ip_from: X-Forwarded-For is client-supplied and must not be trusted from arbitrary peers.
real_ip_header X-Forwarded-For;
log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_id';
# Only TLS 1.2 and 1.3 are enabled; the same value is repeated in both TLS server blocks below.
# This governs only handshakes that terminate on this nginx. A reverse proxy or CDN in front negotiates TLS with clients using its own settings.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
keepalive_timeout 5;
autoindex off;
# Suppresses the nginx version in error pages and the Server header.
server_tokens off;
port_in_redirect off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_max_body_size 64m;
client_body_buffer_size 128k;
client_header_buffer_size 16k;
large_client_header_buffers 4 16k;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
# Rate-limit zone keyed on the client address as nginx sees it, 1 request/second per key.
# NOTE(review): behind a proxy the key is the proxy's address unless realip is configured (see real_ip_header above), so unrelated clients could share one bucket.
limit_req_zone $binary_remote_addr zone=goeasy:35m rate=1r/s;
open_file_cache max=35000 inactive=30s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_types application/javascript application/x-javascript application/rss+xml text/javascript text/css text/plain image/x-icon image/svg+xml;
gzip_buffers 4 16k;
gzip_comp_level 6;
map_hash_max_size 262144;
map_hash_bucket_size 262144;
map $status $writelog {
444 0;
default 1;
}
map $http_user_agent $bad_client {
default 0;
~*(360Spider) 1;
~*(aiHitBot|AhrefsBot) 1;
~*(betaBot|BlackWidow|Bolt|BLEXBot|BUbiNG) 1;
~*(CazoodleBot|CPython|CCBot|ChinaClaw|Curious|CRAZYWEBCRAWLER|Custo) 1;
~*(Default|DIIbot|DISCo|discobot) 1;
~*(Exabot|eCatch|ecxi|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|ExtractorPro|EyeNetIE) 1;
~*(FlashGet|Findxbot) 1;
~*(GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|Go.*package.*|GrabNet|Grafula|GT::WWW|GuzzleHttp) 1;
~*(heritrix|HaosouSpider|HMView|HTTP::Lite|HTTrack) 1;
~*(ia_archiver|IDBot|id-search|id-search.org|InterGET|InternetSeer.com|IRLbot) 1;
~*(JetCar) 1;
~*(larbin|LeechFTP|Lightspeedsystems|litemage_walker|Link|LinksManager.com_bot|Lipperhey|linkwalker|LinkpadBot|lwp-trivial|ltx71) 1;
~*(Maxthon$|Mail.RU_Bot|MegaIndex.ru|meanpathbot|MFC_Tear_Sample|microsoft.url|Microsoft-IIS|Mozilla.*Indy|Mozilla.*NEWT|MJ12bot|MSFrontPage) 1;
~*(Navroad|NearSite|NetAnts|NetLyzer.*FastProbe|NetSpider|NetZIP|Nutch) 1;
~*(Octopus) 1;
~*(PageGrabber|panscient.com|pavuk|PECL::HTTP|PeoplePal|pcBrowser|Pi-Monster|PHPCrawl|PleaseCrawl|psbot|prijsbest|python-requests) 1;
~*(Qwantify) 1;
~*(RealDownload|ReGet|RedesScrapy|Rippers|RocketCrawler) 1;
~*(SBIder|Scrapy|Screaming|ScreenerBot|SEOprofiler|SeaMonkey$|SeznamBot|SemrushBot|sitecheck.internetseer.com|SiteSnagger) 1;
~*(SmartDownload|Snoopy|SputnikBot|Steeler|SuperBot|SuperHTTP|Surfbot|sqlmap) 1;
~*(tAkeOut|Teleport|Toata|TwengaBot|Typhoeus) 1;
~*(URI::Fetch|User-Agent|UserAgent) 1;
~*(voltron|Vagabondo|VoidEYE|Visbot) 1;
~*(webalta|WebAuto|[Ww]eb[Bb]andit|WebCollage|WebCopier|WebFetch|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WhatsApp) 1;
~*(WebZIP|Wget|Widow|Wotbox|WWW-Mechanize|WWWOFFLE) 1;
~*(zermelo|Zeus|Zeus.*Webster|ZyBorg) 1;
}
map $uri $redirected_url {
default "none";
include /etc/nginx/redirects.conf;
}
server {
listen 80;
listen [::]:80;
server_name www.example.co.uk example.co.uk;
if ($redirected_url != "none") {
rewrite ^ $redirected_url permanent;
}
return 302 https://www.example.co.uk$request_uri;
}
# TLS vhost for the bare domain: every request ends in a redirect (map-driven or to the www host).
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.co.uk;
ssl_certificate /etc/letsencrypt/live/example.co.uk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.co.uk/privkey.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# NOTE(review): on many nginx/OpenSSL builds the protocol set is taken from the default server of the listen socket (the block marked default_server on :443), so keep this value identical in every server block sharing the socket, as it is in this file.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# AEAD suites first; the last two entries are CBC-mode suites. NOTE(review): this list presumably affects TLS 1.2 only, since TLS 1.3 suites are selected separately by OpenSSL.
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
# Strict-Transport-Security and X-Frame-Options lack the `always` flag used on the two headers after them, so they are added only on success and redirect status codes, not on error responses.
# includeSubDomains extends the HTTPS-only policy to every subdomain of this host.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff always;
add_header X-Xss-Protection "1; mode=block" always;
# OCSP stapling; the resolver below is what nginx uses to look up the OCSP responder's host name.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.co.uk/fullchain.pem;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
resolver_timeout 5s;
# $redirected_url comes from the http-level map on $uri; "none" is its default and means no redirect entry exists.
if ($redirected_url != "none") {
rewrite ^ $redirected_url permanent;
}
return 302 https://www.example.co.uk$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name www.example.co.uk;
ssl_certificate /etc/letsencrypt/live/example.co.uk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.co.uk/privkey.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff always;
add_header X-Xss-Protection "1; mode=block" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.co.uk/fullchain.pem;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
resolver_timeout 5s;
if ($redirected_url != "none") {
rewrite ^ $redirected_url permanent;
}
root /var/www/current;
access_log /var/log/nginx/access.log main if=$writelog;
error_log /var/log/nginx/error.log error;
if ($bad_client) {
return 444;
}
location = /js/index.php/x.js {
rewrite ^(.*\.php)/ $1 last;
}
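# Serve the requested file or directory when it exists; otherwise fall back to
# the named location @rewrite (the front controller).
# Named locations are written with a leading "@"; a "#" would start a comment
# and leave try_files without its fallback argument.
location / {
    try_files $uri $uri/ @rewrite;
}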
location ~ /(app|var|downloader|includes|pkginfo)/ {
deny all;
}
location ~ rss/(order|catalog) {
deny all;
}
location ~ ^/([^/])+\.(sh|pl|py|lua|inc|swp|phar|php_|log|ini|md|sql|conf|yml|zip|tar|.+gz)$ {
deny all;
}
location ~ /\.(svn|git|hg|htpasswd|bash|ssh) {
deny all;
}
location ~ /(dev/tests/|errors/local.xml|cron\.php) {
deny all;
}
location ~* /(tmp|lib|media|shell|skin)/.*\.php$ {
deny all;
}
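# Storefront endpoints that are expensive or abusable (account, search, checkout, ...).
# Requests are throttled through the "goeasy" zone with a burst of 5; requests
# over the limit receive 429.
location ~ ^/(wishlist|customer|catalogsearch|newsletter|tag/product/list|sales/guest/view|contacts/index/post|review/product/(view|list|post)|(fire|one.+)?checkout)/ {
    limit_req zone=goeasy burst=5;
    limit_req_status 429;
    # Keeps well-known crawlers off these URLs. The User-Agent is client-supplied,
    # so this is crawl hygiene, not an access control.
    if ($http_user_agent ~* "Baiduspider|AdsBot-Google|Googlebot|bingbot|Yahoo|Yandex") {
        return 410;
    }
    # Fallback is the named location @rewrite ("@", not "#", which would start a comment).
    try_files $uri $uri/ @rewrite;
}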
if ($request_uri !~ "/insights/") {
set $no_index_php A;
}
if ($request_uri ~* "^(.*/)index\.php(/?)(.*)") {
set $no_index_php "${no_index_php}B";
}
if ($no_index_php = AB) {
return 301 $1$3;
}
if ($args ~ ^(brand|cat|color|dir|from|limit|price|type|mode|size|manufacturer)=.+) {
set $filters A;
}
if ($http_user_agent ~* "Baiduspider|Googlebot|bingbot|Yahoo|Yandex") {
set $filters "${filters}B";
}
if ($filters = AB) {
return 410;
}
location ~ /jbwp/wp-config\.php {
deny all;
}
location ~ /jbwp/wp-includes/(.*)\.php {
deny all;
}
location ~ /jbwp/wp-admin/includes(.*)$ {
deny all;
}
location ~ /jbwp/xmlrpc\.php {
deny all;
}
location ~ /jbwp/wp-content/uploads/(.*)\.php(.?) {
deny all;
}
# Long-lived caching for static assets; misses and hits are not logged.
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
access_log off;
# NOTE(review): an add_header at this level replaces, rather than extends, the add_header set inherited from the server block, so Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options are not sent on these responses unless repeated here.
add_header ETag "";
}
# Long-lived caching for font and Flash assets, with a CORS header for cross-origin font loading.
location ~* \.(swf|eot|ttf|otf|woff|woff2)$ {
expires max;
log_not_found off;
access_log off;
# NOTE(review): add_header directives here replace the set inherited from the server block, so the HSTS / X-Frame-Options / X-Content-Type-Options headers are not sent on these responses unless repeated.
add_header ETag "";
# NOTE(review): Access-Control-Allow-Origin carries a single origin (scheme://host) or "*"; browsers do not match a comma-separated list of host names, so this value presumably never grants access.
add_header Access-Control-Allow-Origin "example.co.uk, www.example.co.uk";
add_header Cache-Control "public";
}
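# Named fallback targeted by try_files: route the request to the front controller.
# The location name needs the "@" sigil; with "#" the rest of the line is a comment.
location @rewrite {
    rewrite / /index.php;
}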
# Passes PHP scripts to PHP-FPM over a unix socket.
location ~ \.php$ {
# Only scripts that exist on disk are handed to FPM; anything else is a 404.
try_files $uri =404;
# NOTE(review): these add_header lines replace the set inherited from the server block, so Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options are not sent on PHP responses unless repeated here.
add_header X-Request-Time $request_time always;
add_header X-Request-ID $request_id always;
# NOTE(review): $http_host is the raw client-supplied Host header and is echoed into this response header; consider a server-controlled name instead.
add_header Link "<$scheme://$http_host$request_uri>; rel=\"canonical\"" always;
include fastcgi_params;
fastcgi_read_timeout 600;
# NOTE(review): the socket name suggests PHP 5.6, which no longer receives security fixes. Confirm the runtime version.
fastcgi_pass unix:/var/run/php/php5.6-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS 'on';
fastcgi_param DEBUG_MODE 'false';
fastcgi_param MAINTENANCE_MODE 'false';
fastcgi_keep_conn on;
}
}
}

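I managed to find out that the issue was not caused by the Nginx configuration file but was instead down to a Cloudflare setting (https://community.cloudflare.com/t/how-do-i-disable-tls-1-0/2670/10). With Cloudflare proxying the domain, a handshake against example.com:443 terminates at Cloudflare's edge, so the protocol versions it offers are governed by Cloudflare's setting rather than by ssl_protocols on the origin server.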
I used this repo to confirm that the server was not at fault, by testing the server's own ip_address:port directly rather than the domain name - https://github.com/drwetter/testssl.sh
The command I used was "/bin/bash testssl.sh 256.98.767.762:443" (not my server's real IP)

Related

NGINX Redirect All traffic www and non-www http TO https://example.com?

My problem is that I want to redirect all traffic, https and http, www and non-www, to https://example.com, but if I go to my website at https://example.com I get 'your connection is insecure'.
I followed the answer "NGINX: redirect non-www https to https://www", but it only redirects from http to https and from non-www to www!
How do I redirect all to https://?
# Plain-HTTP vhost: every request is answered with a permanent redirect to HTTPS.
server
{
listen :80;
server_name example.com www.example.com ;
access_log /var/log/nginx/domains/example.com.log;
access_log /var/log/nginx/domains/example.com.bytes bytes;
error_log /var/log/nginx/domains/example.com.error.log;
root /home/admin/domains/example.com/public_html;
index index.php index.html index.htm;
include /usr/local/directadmin/data/users/admin/nginx_php.conf;
include /etc/nginx/webapps.conf;
# The redirect keeps whichever host name the client asked for ($host): www stays www and the bare name stays bare. It does not canonicalise to a single host name.
# The certificate served on :443 therefore has to be valid for both names.
# NOTE(review): $host is derived from the request. If this block is also the default server for the port, an arbitrary Host header would be echoed into the Location header.
return 301 https://$host$request_uri;
}
server
{
listen :443 ssl http2;
server_name example.com www.example.com ;
access_log /var/log/nginx/domains/example.com.log;
access_log /var/log/nginx/domains/example.com.bytes bytes;
error_log /var/log/nginx/domains/example.com.error.log;
root /home/admin/domains/example.com/private_html;
index index.php index.html index.htm;
ssl_certificate
/usr/local/directadmin/data/users/admin/domains/example.com.cert.combined;
ssl_certificate_key
/usr/local/directadmin/data/users/admin/domains/example.com.key;
include /usr/local/directadmin/data/users/admin/nginx_php.conf;
include /etc/nginx/webapps.ssl.conf;
add_header Strict-Transport-Security "max-age=3411" always;
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
client_header_timeout 3m;
client_body_timeout 10;
send_timeout 2;
client_header_buffer_size 1k;
large_client_header_buffers 4 4k;
gzip on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-
javascript application/json application/xml;
gzip_disable msie6;
output_buffers 1 32k;
postpone_output 1460;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
send_lowat 12000;
keepalive_timeout 65;
keepalive_requests 100000;
reset_timedout_connection on;
server_tokens off;
client_body_buffer_size 128k;
client_max_body_size 10m;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
location ~* ^/.well-known/ {
allow all;
}
location ~ (^|/)\. {
return 403;
}
location / {
try_files $uri /index.php?$query_string; # For Drupal >= 7
if ($allowed_country = no) {
return 443;
}
}
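# Named fallback targeted by try_files: pass the original path to index.php as ?q=.
# The location name needs the "@" sigil; with "#" the rest of the line is a comment.
location @rewrite {
    rewrite ^/(.*)$ /index.php?q=$1;
}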
location ~ /vendor/.*\.php$ {
deny all;
return 404;
}
# Hands PHP scripts (and /update.php with trailing path info) to PHP-FPM over a unix socket.
location ~ '\.php$|^/update.php' {
# Splits the URI into the script name ($fastcgi_script_name) and the trailing path ($fastcgi_path_info).
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
include fastcgi_params;
# Blanks the client's "Proxy" request header before it reaches PHP as HTTP_PROXY (the "httpoxy" mitigation).
fastcgi_param HTTP_PROXY "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_intercept_errors on;
# NOTE(review): no try_files or file-existence check precedes fastcgi_pass in this block, so whether a non-existent script path is rejected depends on the PHP-FPM side (e.g. cgi.fix_pathinfo). Confirm.
#fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
}
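# Image-style derivatives: serve the generated file if present, otherwise let
# the application build it via the named location @rewrite.
# The fallback name needs the "@" sigil; with "#" the rest of the line is a comment.
location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
    try_files $uri @rewrite;
}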
location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
try_files $uri /index.php?$query_string;
}
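# Static assets: serve from disk with far-future expiry, falling back to the
# named location @rewrite when the file does not exist.
# The fallback name needs the "@" sigil; with "#" the rest of the line is a comment.
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
    try_files $uri @rewrite;
    expires max;
    log_not_found off;
}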
}
Your redirects look fine, but are you sure you have a valid SSL certificate for example.com and that it is installed properly on your host? The 'your connection is insecure' message usually has nothing to do with the redirects; it is caused by certificate problems, for example a certificate that does not list the exact host name being visited.
instead of using this:
return 301 https://$host$request_uri;
use:
return 301 https://$server_name$request_uri;

OpenResty : Response

I want to capture http response body and send it to another endpoint using resty.http . Here is my config , I am not able to get the body inside the content_by_lua_block (it is null). The response body is printed in access.log but is not present inside the content_by_lua_block. Any pointers appreciated . I am new to openresty and links appreciated.
--- nginx.conf --- start
worker_processes 1;
error_log /tmp/error.log debug;
events {
worker_connections 128;
}
http {
# http-level settings for the body-capturing test setup.
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
lua_package_path "/usr/local/Cellar/openresty/1.13.6.2/lualib/resty/?.lua;;";
# Forces nginx to read the client request body before Lua handlers run, so that $request_body is populated.
lua_need_request_body on;
# NOTE(review): this format writes the full request body and the captured response body into the access log. Bodies routinely carry credentials, session tokens and personal data, and the log used with this format is under /tmp.
# Keep this to a debugging setup, restrict the log file's permissions, and avoid enabling it on endpoints that handle secrets.
log_format bodylog '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $request_time '
'<"$request_body" >"$response_body"';
server {
listen 8081 ;
server_name 127.0.0.1;
set $response_body "";
location /posts/1 {
mirror /mirror;
mirror_request_body on;
proxy_pass http://localhost:3000/posts/1;
access_log /tmp/access.log bodylog;
}
# Target of the `mirror /mirror` directive in the /posts/1 location; `internal` keeps it unreachable by external requests.
# NOTE(review): "//" is not nginx comment syntax (comments start with "#"), so the trailing text on the next line is presumably a paste artefact.
location = /mirror { // mirror traffic for requests
internal;
# NOTE(review): proxy_pass and content_by_lua_block each install a content handler for this location and only one can take effect. Confirm which is intended.
proxy_pass http://127.0.0.1:8080/analyzeservlet-1.0.0/analyzeservlet;
content_by_lua_block {
-- NOTE(review): the variable declared with `set` in this server is $response_body; nothing visible defines $resp_body, so ngx.var.resp_body is presumably nil here.
-- In Lua, nil ~= "" is true, so the branch below would still run and send a nil body.
-- NOTE(review): a mirror subrequest is created from the original request, not from its response, so the upstream response body is presumably not available at this point. Confirm.
if ngx.var.resp_body ~= "" then
local http = require "resty.http"
local httpc = http.new()
-- "<uri" is a placeholder for the real endpoint; res and err are never inspected, so a failed POST goes unnoticed.
local res, err = httpc:request_uri("<uri", {
method = "POST",
body = ngx.var.resp_body,
headers = {
["Content-Type"] = "application/x-www-form-urlencoded",
} })
end
}
}
}
client_body_buffer_size 16k;
client_max_body_size 16k;
# Collects the response body chunk by chunk and publishes it as $response_body for the bodylog format.
body_filter_by_lua_block {
-- ngx.arg[1] is the current output chunk; keep at most its first 1000 bytes.
local response_body = string.sub(ngx.arg[1], 1, 1000)
-- The cap applies per chunk, so the accumulated buffer can exceed 1000 bytes on multi-chunk responses.
ngx.ctx.buffered = (ngx.ctx.buffered or "") .. response_body
-- ngx.arg[2] is true on the last chunk; only then is the buffer copied into the nginx variable.
if ngx.arg[2] then
ngx.var.response_body = ngx.ctx.buffered
end
}
include servers/*;
}
You can read body data using ngx.req.get_body_data; note that this returns the client's request body, not the upstream response body. More information is available here: https://github.com/openresty/lua-nginx-module/#ngxreqget_body_data

Nginx separate Access Log for each domain

I use Nginx in combination with Typo3. My Typo3 installation has about 8 domains. Everything works like a charm. Now I have the problem that I want to use AWStats working for each domain but I don't know how can I separate the Access Log for every domain. In the following you can see how my configuration is actually running:
Config file inside sites-available:
server {
listen 127.0.0.1:80;
server_name www.domain1.de
www.domain2.de
www.domain3.de
root "/var/www/oz/htdocs/";
disable_symlinks if_not_owner;
location ~ /\.ht {
deny all;
}
location ~ ^/cgi-bin/ {
deny all;
}
# PHP is enabled
index index.php index.html index.htm;
location ~ \.php(/|$) {
try_files $fastcgi_script_name =404;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include /etc/nginx/fastcgi_params;
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass unix:/var/www/oz/conf/sockets/nginx-php-fcgi.sock;
fastcgi_read_timeout 300;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
}
location = / {
error_page 403 /.errorFiles/coming-soon.html;
}
location /.errorFiles/ {
alias /usr/share/liveconfig/html/;
}
#### NGINX Typo3 Config - Start #####
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
client_max_body_size 200M;
location ~ /\.(js|css)$ {
expires 604800s;
}
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 365d;
}
if (!-e $request_filename){
rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last;
}
location ~* ^/fileadmin/(.*/)?_recycler_/ {
deny all;
}
location ~* ^/fileadmin/templates/.*(\.txt|\.ts)$ {
deny all;
}
location ~* ^/typo3conf/ext/[^/]+/Resources/Private/ {
deny all;
}
location ~* ^/(typo3/|fileadmin/|typo3conf/|typo3temp/|uploads/|favicon\.ico) {
}
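# Static-file-cache front door. A request is served from the pre-rendered cache
# only if it is a plain GET/HEAD with no query string, no session/backend cookie
# and no "no-cache" request header. Every other case raises an internal 405,
# which error_page maps to the named location @nocache (the PHP path).
# The name needs the "@" sigil; with "#" the rest of the line is a comment.
location / {
    if ($query_string ~ ".+") {
        return 405;
    }
    if ($http_cookie ~ 'nc_staticfilecache|be_typo_user|fe_typo_user' ) {
        return 405;
    }
    # pass POST requests to PHP
    if ($request_method !~ ^(GET|HEAD)$ ) {
        return 405;
    }
    if ($http_pragma = 'no-cache') {
        return 405;
    }
    if ($http_cache_control = 'no-cache') {
        return 405;
    }
    error_page 405 = @nocache;
    # The cache path is built from $host and $request_uri, both taken from the request.
    try_files /typo3temp/tx_ncstaticfilecache/$host${request_uri}index.html @nocache;
}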
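# Named fallback for requests that must bypass the static file cache: serve the
# file or directory if present, otherwise hand the request to index.php.
# The location name needs the "@" sigil; with "#" the rest of the line is a comment.
location @nocache {
    try_files $uri $uri/ /index.php$is_args$args;
}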
#### NGINX Typo3 Config - End #####
}
server {
listen 127.0.0.1:80;
server_name domain1.de;
rewrite ^/(.*)$ "http://www.domain1.de/$1" permanent;
}
server {
listen 127.0.0.1:80;
server_name domain2.de;
rewrite ^/(.*)$ "http://www.domain2.de/$1" permanent;
}
server {
listen 127.0.0.1:80;
server_name domain3.de;
rewrite ^/(.*)$ "http://www.domain3.de/$1" permanent;
}
nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 5000;
multi_accept on;
use epoll;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
# ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
I tried to separate it inside the server-blocks. But I don't get it working. Anybody here who can help me or have some hints?
Each server can override its own access log location (access_log and error_log are accepted inside any server block):
server {
listen 127.0.0.1:80;
server_name domain1.de;
access_log /var/log/nginx/domain1-access.log;
error_log /var/log/nginx/domain1-error.log;
rewrite ^/(.*)$ "http://www.domain1.de/$1" permanent;
}
server {
listen 127.0.0.1:80;
server_name domain2.de;
access_log /var/log/nginx/domain2-access.log;
error_log /var/log/nginx/domain2-error.log;
rewrite ^/(.*)$ "http://www.domain2.de/$1" permanent;
}
server {
listen 127.0.0.1:80;
server_name domain3.de;
access_log /var/log/nginx/domain3-access.log;
error_log /var/log/nginx/domain3-error.log;
rewrite ^/(.*)$ "http://www.domain3.de/$1" permanent;
}

nginx rewrite rule for strip numbers from final

Can someone help me with this issue on nginx or using .htaccess?
I want to redirect an url like:
[http][www]domainName.tld/folderName/a-name-with-dashes-15-and-numbers-and-a-number-of-at-least-5-digits
Becomes
[http][www]domainName.tld/newFolderName/a-name-with-dashes-15-and-numbers
or
[http][www]domainName.tld/a-name-with-dashes-15-and-numbers
with www or without www.
a more real example (without domain):
/folderName/test-1-test-again-123456789
becomes
/newFolder/test-1-test-again
# or
/test-1-test-again
Thanks a lot
#Later Edit: Add Nginx Config from server block
listen ip:80;
server_name domain.tld www.domain.tld;
root /var/www/domain.tld/web;
if ($http_host = "www.domain.tld") {
rewrite ^ $scheme://domain.tld$request_uri? permanent;
}
index index.html index.htm index.php index.cgi index.pl index.xhtml;
error_log /var/log/domain.tld/error.log;
access_log /var/log/domain.tld/access.log combined;
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location /stats {
index index.html index.php;
auth_basic "Members Only";
auth_basic_user_file /var/www/clients/client/web/web/stats/.htpasswd_stats;
}
location ^~ /awstats-icon {
alias /usr/share/awstats/icon;
}
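# All .php requests are funnelled into the named location @php.
# The first try_files argument is presumably a file that never exists, so the
# fallback is always taken. TODO confirm.
# The fallback name needs the "@" sigil; with "#" the rest of the line is a comment.
location ~ \.php$ {
    try_files /c91e3e9dc234ca8eec5e7e5309e2fcca.htm @php;
}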
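# Named location that executes PHP through PHP-FPM.
# The location name needs the "@" sigil; with "#" the rest of the line is a comment.
location @php {
    # Only scripts that exist on disk are passed to FPM; anything else is a 404.
    try_files $uri =404;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/lib/php5-fpm/web24.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_intercept_errors on;
}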
client_max_body_size 20M;
location ~* ^.+\.(css|png|ico|ttf|rss|atom|js|jpg|jpeg|gif|zip|tgz|gz|rar|bz2|doc|xls|ppt|tar|mid|midi|wav|bmp|rtf)$ {
access_log off;
log_not_found off;
expires max;
add_header Pragma public;
add_header Cache-Control: public;
}
location ~* ^/wp-admin/.*.(html|htm|shtml|php)$ {
client_max_body_size 30M;
}
# Intended to serve HTML and PHP files under the uploads directory as plain text instead of rendering or executing them.
# NOTE(review): regex locations are tried in the order they appear and the first match wins. `location ~ \.php$` is declared earlier in this server, so a .php path under /wp-content/uploads/ is handled there and passed to PHP, not here.
# Declare this block before the generic .php location (or use a `^~` prefix location for the directory) if uploaded files must never execute. The /static/ block that follows has the same shape.
# NOTE(review): the dot before the extension group is unescaped, so it matches any character.
location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php)$ {
# Empty types map plus text/plain default: every matched file is sent as text/plain.
types { }
default_type text/plain;
}
location ~* ^/static/.*.(html|htm|shtml|php)$ {
types { }
default_type text/plain;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
# Referer gate for the comment and login endpoints: requests whose Referer does not start with the site's URL get 405.
# NOTE(review): this block is declared after `location ~ \.php$`, and regex locations are first-match in file order, so it is presumably never selected for these .php URIs.
# NOTE(review): the block contains no FastCGI handler, so if it were selected, a request that passes the check would not be executed by PHP.
# NOTE(review): Referer is client-supplied and the dots in the pattern are unescaped. Treat this as spam reduction, not as access control.
location ~* (wp-comments-posts|wp-login)\.php$ {
if ($http_referer !~ ^(http://www.domain.tld) ) {
return 405;
}
}
Try something like this
# Matches any URI that ends in "-" followed by five or more digits and redirects to the same URI without that suffix.
location ~ '(.*)\-[0-9]{5,}$' {
# $1 is the part of the URI before the trailing "-digits"; the redirect target uses the configured server_name, not the client's Host header.
return 301 $scheme://$server_name$1;
}
This should strip the trailing number when the URL ends in a dash followed by five or more digits

Magento 1.7 REST API nginx rewrite rule. api.php no executed

all
If I open the link http://example.com/api/rest/products, it just downloaded api.php, and not the script is executed.
what can it be?
there is my nginx rules for magento site
# Maps /api/rest/... onto api.php?type=rest.
# NOTE(review): with `break`, processing of the rewritten /api.php stays inside this location, which has no FastCGI handler. The PHP file is then returned as a static download, so its source is exposed instead of being executed.
location /api {
rewrite ^/api/rest /api.php?type=rest break;
}
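# Serve the file or directory if it exists, otherwise fall back to the named
# location @handler (the Magento front controller).
# The fallback name needs the "@" sigil; with "#" the rest of the line is a comment.
location / {
    index index.html index.php;
    try_files $uri $uri/ @handler;
    expires 30d;
}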
location ~ (/(app/|includes/|lib/|/pkginfo/|var/|report/config.xml)|/\.svn/|/.hta.+) {
deny all;
}
# NOTE(review): `^~` marks a literal prefix match, not a regex, so the parenthesised alternation is compared as a literal string and presumably never matches a real URI.
# Of the paths listed, media/downloadable does not appear in the regex deny rule above, so it would be left unprotected. Confirm and convert to a regex location or to separate prefix locations.
location ^~ /(app|includes|lib|media/downloadable|pkginfo|report/config.xml|var)/ { internal; }
location /var/export/ { internal; }
location /. { return 404; }
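# Named fallback targeted by try_files: route the request to the front controller.
# The location name needs the "@" sigil; with "#" the rest of the line is a comment.
location @handler { rewrite / /index.php; }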
location ~* .php/ { rewrite ^(.*.php)/ $1 last; }
location ~* .php$ {
if (!-e $request_filename) { rewrite / /index.php last; }
expires off;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param MAGE_RUN_CODE default;
fastcgi_param MAGE_RUN_TYPE store;
include fastcgi_params;
}
I saw that post, too, and got the same thing.
I changed the rule from break to last and things seem to work now:
location /api {
rewrite ^/api/rest /api.php?type=rest last;
}
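I believe it works this way because last restarts location matching with the rewritten URI, so the request reaches your '.php' location and is executed, whereas break keeps processing inside the current location block (/api), which has no PHP handler, so api.php is sent back as a file. Source: http://wiki.nginx.org/HttpRewriteModule#rewrite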
you should write this in your nginx configuration:
# Maps each API entry point (REST, SOAP v2, SOAP) onto api.php with the matching type parameter.
# `last` restarts location matching with the rewritten URI, so the request is picked up by the server's .php location and executed rather than served as a file.
location /api
{
rewrite ^/api/rest /api.php?type=rest last;
rewrite ^/api/v2_soap /api.php?type=v2_soap last;
rewrite ^/api/soap /api.php?type=soap last;
}