Server configuration :
Centos 7 + PHP7 + PHP-FPM + MariaDB 10 +Nginx as reverse proxy for Apache + Virtualmin
I'm new to setting up a server. I'm not sure where did I mess up and I have tried searching online and editing according to suggestion on Digital Ocean and many other forum but still no success. I always restart nginx, httpd and php-fpm after changes have been made.
I have 2 virtual servers, all of them open Nginx test page instead of their respective homepage.
I have been trying to configure but with no success. Please help.
Below are the configuration files for my virtual servers.
1) etc/nginx/conf.d/default.conf
server {
listen 80;
root /home/~;
index index.php index.html index.htm;
server_name localhost;
location / {
try_files $uri $uri/ /index.php;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
try_files $uri $uri/ =404;
#fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass php-fpm;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
2) etc/nginx/conf.d/php-fpm.conf
# PHP-FPM FastCGI server
# network or unix domain socket configuration
upstream php-fpm {
server 127.0.0.1:9000;
#server unix:/run/php-fpm/www.sock;
}
3) etc/nginx/nginx.conf
user nginx;
worker_processes auto;
worker_rlimit_nofile 10000;
# only log critical errors
error_log /var/log/nginx/error.log crit;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
include mime.types;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$gzip_ratio"';
log_format download '$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$http_range" "$sent_http_content_range"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log;
# cache informations about FDs, frequently accessed files
# can boost performance, but you need to test those values
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 2m;
open_file_cache_min_uses 5;
open_file_cache_errors on;
# to boost I/O on HDD we can disable access logs
access_log off;
# copies data between one FD and other from within the kernel
# faster then read() + write()
sendfile on;
# send headers in one peace, its better then sending them one by one
tcp_nopush on;
# don't buffer data sent, good for small data bursts in real time
tcp_nodelay on;
types_hash_max_size 2048;
index index.php index.html index.htm;
include /etc/nginx/conf.d/*.conf;
index index.php index.html index.htm;
server_names_hash_bucket_size 128;
##
# Gzip Settings
##
# reduce the data that needs to be sent over network -- for testing environment
gzip on;
gzip_http_version 1.1;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_vary on;
gzip_comp_level 6;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
gzip_buffers 16 8k;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
# allow the server to close connection on non responding client, this will free up memory
reset_timedout_connection on;
# request timed out -- default 60
client_body_timeout 3m;
# if client stop responding, free up memory -- default 60
send_timeout 3m;
# server will close connection after this time -- default 75
keepalive_timeout 65;
# number of requests client can make over keep-alive -- for testing environment
keepalive_requests 100000;
ignore_invalid_headers on;
client_max_body_size 100m;
connection_pool_size 256;
request_pool_size 4k;
output_buffers 4 32k;
postpone_output 1460;
# limit the number of connections per single IP
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
# limit the number of requests for a given session
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;
# if the request body size is more than the buffer size, then the entire (or partial)
# request body is written into a temporary file
client_body_buffer_size 128k;
# headerbuffer size for the request header from client -- for testing environment
client_header_buffer_size 3m;
# maximum number and size of buffers for large headers to read from client request
large_client_header_buffers 4 256k;
# how long to wait for the client to send a request header -- for testing environment
client_header_timeout 3m;
server_tokens off;
#nginx compression
log_format compression '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" "$gzip_ratio"';
# Upstream to abstract backend connection(s) for PHP.
upstream php {
#this should match value of "listen" directive in php-fpm pool
#server unix:/tmp/php-fpm.sock;
server 127.0.0.1:9000;
}
server {
listen 80;
# listen [::]:80 default_server;
server_name _;
#root /home/~;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
# zone which we want to limit by upper values, we want limit whole server
limit_conn conn_limit_per_ip 10;
limit_req zone=req_limit_per_ip burst=10 nodelay;
location ~* .(woff|eot|ttf|svg|mp4|webm|jpg|jpeg|png|gif|ico|css|js)$ {
expires max;
}
gzip on;
access_log /var/log/nginx/access.log compression;
}
#1st virtual server
server {
listen 80;
server_name website1.co www.website1.co;
root /home/website1/public_html;
index index.html index.htm index.php;
access_log /var/log/virtualmin/website1_access_log;
error_log /var/log/virtualmin/website1_error_log;
# nginx configuration
location / {
#for web application
if (!-e $request_filename){
rewrite ^(/)?api/.*$ /api/index.php;
}
if (!-e $request_filename){
rewrite ^(/)?customer/.*$ /customer/index.php;
}
if (!-e $request_filename){
rewrite ^(/)?backend/.*$ /backend/index.php;
}
if (!-e $request_filename){
rewrite ^(.*)$ /index.php;
}
index index.html index.htm index.php;
#web application end
# [pre-existing configurations, if applicable]
autoindex on;
autoindex_exact_size off;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 30s;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
try_files $uri $uri/ /index.php?$args;
fastcgi_index index.php;
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_read_timeout 600s;
fastcgi_send_timeout 600s;
include fastcgi_params;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~ /\.ht {
access_log off;
log_not_found off;
deny all;
}
listen 443 ssl;
ssl_certificate /home/website1/ssl.cert;
ssl_certificate_key /home/website1/ssl.key;
}
#2nd virtual server
server {
server_name website2.co www.website2.co;
listen 80;
root /home/website2/public_html;
index index.html index.htm index.php;
access_log /var/log/virtualmin/website2_access_log;
error_log /var/log/virtualmin/website2_error_log;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME /home/website2/public_html$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT /home/website2/public_html;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
try_files $uri $uri/ =404;
fastcgi_pass 127.0.0.1:9000;
include fastcgi.conf;
}
location / {
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 30s;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
listen 443 ssl;
ssl_certificate /home/website2/ssl.cert;
ssl_certificate_key /home/website2/ssl.key;
}
Any help would be very helpful.
Thanks in advance.
Remove the below section from your nginx.conf
server {
listen 80;
# listen [::]:80 default_server;
server_name _;
#root /home/~;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
# zone which we want to limit by upper values, we want limit whole server
limit_conn conn_limit_per_ip 10;
limit_req zone=req_limit_per_ip burst=10 nodelay;
location ~* .(woff|eot|ttf|svg|mp4|webm|jpg|jpeg|png|gif|ico|css|js)$ {
expires max;
}
gzip on;
access_log /var/log/nginx/access.log compression;
}
The server_name _; means any virtual host and hence it is the first thing to respond in your config. Rest of the virtual hosts are not consulted only
Edit - Aug 17
You have lot of mess in your configs, including includes from different directory. I would suggest you remove nginx and reinstall and modify the base config again. Also you are using httpd also in your setup.
The proxy_pass http://127.0.0.1:8080; means that anything that is not php is getting proxied to your httpd server and your actually root is not being used only.
Your try_files $uri $uri/ =404; should not be inside the location ~ \.php$ { block, rather it should be inside the location \ { block. Also there should be no proxy_pass in your location \ { block
Related
I followed this tutorial: https://linuxize.com/post/secure-nginx-with-let-s-encrypt-on-centos-7/
My server is running CentOS7 of course with NGINX. After following the entire thing and debugging what is going on, I am stuck.
I am now getting a 403 Forbidden when visiting the subdomain we installed the Cert on. Below are my nginx.conf file and my sites conf file from /etc/nginx/conf.d
I can't access my site because we force redirection to HTTPS of course and getting the 403. /var/www/pterodactyl/public is the root of my website.
NGINX.CONF:
//
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /var/www/pterodactyl/public;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /var/www/pterodactyl/public;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}
//
and then my sites config
//
server {
listen 80;
server_name www.panel.example.com panel.example.com;
include snippets/letsencrypt.conf;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name www.panel.example.com;
ssl_certificate /etc/letsencrypt/live/panel.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/panel.example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/panel.example.com/fullchainchain.pem;
include snippets/ssl.conf;
include snippets/letsencrypt.conf;
return 301 https://panel.example.com$request_uri;
}
server {
listen 443 ssl http2;
server_name panel.example.com;
ssl_certificate /etc/letsencrypt/live/panel.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/panel.example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/panel.example.com/chain.pem;
include snippets/ssl.conf;
include snippets/letsencrypt.conf;
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/pterodactyl.app-error.log error;
# allow larger file uploads and longer script runtimes
client_max_body_size 100m;
client_body_timeout 120s;
sendfile off;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/pterodactyl.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
}
location ~ /\.ht {
deny all;
}
}
So I do have a letsencrypt.conf file where I have location laid out like this:
//
location ~ /\.well-known {
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";
try_files $uri =404;
}
Weird though when I run the nginx -t right now I get this:
nginx: [warn] conflicting server name "www.panel.example.com" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "panel.example.com" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
My letsencrypt file is above and ssl.conf file match that tutorial. Of course example.com is replaced with my domain.
AFTER RUNNING NGINX -T
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /var/www/pterodactyl/public;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2 default_server;
# listen [::]:443 ssl http2 default_server;
# server_name _;
# root /var/www/pterodactyl/public;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}
# configuration file /usr/share/nginx/modules/mod-http-geoip.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_geoip_module.so";
# configuration file /usr/share/nginx/modules/mod-http-image-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_image_filter_module.so";
# configuration file /usr/share/nginx/modules/mod-http-perl.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_perl_module.so";
# configuration file /usr/share/nginx/modules/mod-http-xslt-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_xslt_filter_module.so";
# configuration file /usr/share/nginx/modules/mod-mail.conf:
load_module "/usr/lib64/nginx/modules/ngx_mail_module.so";
# configuration file /usr/share/nginx/modules/mod-stream.conf:
load_module "/usr/lib64/nginx/modules/ngx_stream_module.so";
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document d ocx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet x lsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation p ptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/pterodactyl.conf:
server {
listen 80;
server_name panel.example.com;
include snippets/letsencrypt.conf;
root /var/www/pterodactyl/public;
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/pterodactyl.app-error.log error;
# allow larger file uploads and longer script runtimes
client_max_body_size 100m;
client_body_timeout 120s;
sendfile off;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# the fastcgi_pass path needs to be changed accordingly when using CentO S
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100 M";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
}
location ~ /\.ht {
deny all;
}
}
server {
listen 443 ssl http2;
server_name www.panel.example.com;
ssl_certificate /etc/letsencrypt/live/panel.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/panel.example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/panel.example.com/fullchain.pem ;
include snippets/ssl.conf;
include snippets/letsencrypt.conf;
return 301 https://panel.example.com$request_uri;
}
server {
listen 443 ssl http2;
server_name panel.example.com;
ssl_certificate /etc/letsencrypt/live/panel.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/panel.example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/panel.example.com/chain.pem;
include snippets/ssl.conf;
include snippets/letsencrypt.conf;
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/pterodactyl.app-error.log error;
# allow larger file uploads and longer script runtimes
client_max_body_size 100m;
client_body_timeout 120s;
sendfile off;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/pterodactyl.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100 M";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
}
location ~ /\.ht {
deny all;
}
}
# configuration file /etc/nginx/snippets/letsencrypt.conf:
location ~ /\.well-known {
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";
try_files $uri =404;
}
# configuration file /etc/nginx/fastcgi_params:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# configuration file /etc/nginx/snippets/ssl.conf:
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECD SA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:E CDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:E CDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RS A-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES25 6-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES2 56-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH -RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA25 6:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; prelo ad";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
# configuration file /etc/nginx/conf.d/pterodactyl_old.conf:
server {
listen 80;
server_name www.panel.example.com panel.example.com;
include snippets/letsencrypt.conf;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name www.panel.example.com;
ssl_certificate /etc/letsencrypt/live/panel.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/panel.example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/panel.example.com/chain.pem;
include snippets/ssl.conf;
include snippets/letsencrypt.conf;
return 301 https://panel.example.com$request_uri;
}
server {
listen 443 ssl http2;
server_name panel.example.com;
ssl_certificate /etc/letsencrypt/live/panel.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/panel.example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/panel.example.com/chain.pem;
include snippets/ssl.conf;
include snippets/letsencrypt.conf;
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/pterodactyl.app-error.log error;
# allow larger file uploads and longer script runtimes
client_max_body_size 100m;
client_body_timeout 120s;
sendfile off;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/pterodactyl.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100 M";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
}
location ~ /\.ht {
deny all;
}
}
i'm trying to use lets encrypt to generate ssl certificate for my website but getting the error below :
[emerg] "ssl_certificate" directive is not allowed here in /etc/nginx/sites-enabled/example.com.conf:33 nginx: configuration file /etc/nginx/nginx.conf
I'm using Virtualmin , Nginx
Any help would be highly appreciated
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
site.com.conf
server {
server_name example.com www.example.com;
listen 10.0.1.4;
root /home/example/public_html/public;
index index.html index.php;
access_log /var/log/virtualmin/example.com_access_log;
error_log /var/log/virtualmin/example.com_error_log;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME /home/example/public_html/public$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT /home/example/public_html/public;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https;
location /
{
try_files $uri $uri/ /index.php?$query_string;
gzip on;
}
location ~* \.(?:css|js|woff|eot|svg|ttf|otf|png|gif|jpe?g)
{
expires max;
}
location ~ \.php$
{
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location ~ /\.ht
{
deny all;
}
location ^~ /.well-known/acme-challenge/ {
alias /home/example/public_html/;
}
listen 10.0.1.4:443 default_server ssl;
ssl_certificate /home/example/ssl.cert;
ssl_certificate_key /home/example/ssl.key;
}
Nginx Conf :
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain application/x-font-ttf text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
server_names_hash_bucket_size 128;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
Result of grep -rHn "ssl_certificate" /etc/nginx
/etc/nginx/snippets/snakeoil.conf:4:ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
/etc/nginx/snippets/snakeoil.conf:5:ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
/etc/nginx/sites-available/example.com.conf.save:31: ssl_certificate /home/example/ssl.cert;
/etc/nginx/sites-available/example.com.conf.save:32: ssl_certificate_key /hom/example/ssl.key;
/etc/nginx/sites-available/example.com.conf:57: ssl_certificate /home/example/ssl.cert;
/etc/nginx/sites-available/example.com.conf:58: ssl_certificate_key /home/example/ssl.key;
Your issue is that you edited a file in a editor which created a backup .save file
So delete the file
rm /etc/nginx/sites-available/example.com.conf.save
Also change
include /etc/nginx/sites-enabled/*;
to
include /etc/nginx/sites-enabled/*.conf;
So that next time such problem doesn't happen
In case this can help someone else...
The error I was getting is similar:
"ssl_certificate" directive is not allowed here in /etc/nginx/sites-enabled/website:22
It turns out I had incorrectly inserted the ssl_certificate and ssl_certificate_key entries inside of the curly braces like so:
server {
listen 443 ssl;
listen [::]:443 ssl;
root /var/www/website/public;
index index.php index.html index.htm;
server_name pamsnetwork.com www.pamsnetwork.com;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
try_files $uri $uri/ /index.php?$query_string;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
ssl_certificate /etc/ssl/certificate.crt;
ssl_certificate_key /etc/ssl/private/private.key;
}
}
When it should be like this:
server {
listen 443 ssl;
listen [::]:443 ssl;
root /var/www/website/public;
index index.php index.html index.htm;
server_name pamsnetwork.com www.pamsnetwork.com;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
try_files $uri $uri/ /index.php?$query_string;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
ssl_certificate /etc/ssl/certificate.crt;
ssl_certificate_key /etc/ssl/private/private.key;
}
I'm running a node js application rest api service and wordpress on same nginx server. There is android application which call my node js service to get data from the server. Many times I'm getting ssl handsake failed or refused error on my android application. While surfing my server configuration file and log file I'm getting this in my logs
SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback) while SSL handshaking, client:::::
My nginx.conf file :
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 8096;
multi_accept on;
}
worker_rlimit_nofile 40000;
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 45;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# buffer optimizations
client_body_buffer_size 10K;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 2 1k;
access_log off;
error_log /var/log/nginx/error.log;
}
server {
listen 443 ssl;
root /var/www/html;
index index.php index.html index.htm;
ssl_certificate /etc/nginx/ssl/crtfile.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
try_files $uri $uri/ /index.php?q=$uri&$args;
#try_files $uri $uri/index.html;
}
location = /index.html {return 301 https://appyappy.com/;}
# Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
#location /RequestDenied {
# proxy_pass http://127.0.0.1:8080;
#}
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
Also when no of users are too large around 2k-5k I'm also getting time out and connection refused error in adroid application.
I want traffic to go to https://example.com. No www prefix is allowed and SSL is required.
The problem we are experiencing is that many (though not all) first time visitors are not being redirected to HTTPS until they hit refresh.
Do you see anything in my config that would allow this behavior?
server {
listen 80;
listen 443 ssl;
server_name www.example.com;
return 301 https://example.com$request_uri;
}
server {
listen 80;
listen 443 ssl;
server_name example.com;
root /var/www/html/mm;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $http_host;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
client_max_body_size 200m;
location / {
try_files $uri $uri/ /index.php?$query_string;
index index.php index.html index.htm install.php;
client_max_body_size 200m;
}
location ~ \.php$ {
try_files $uri /index.php =404;
#fastcgi_pass unix:/var/run/php-fpm/www.sock;
fastcgi_pass php-fpm;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_param PHP_VALUE "upload_max_filesize = 150M \n upload_max_filesize=151M";
fastcgi_param PHP_VALUE "post_max_size = 150M \n post_max_size=151M";
include fastcgi_params;
}
As #PeeHaa mentioned, you are missing a redirect from http to https for www.example.com. Try this where I've rearranged the server blocks a bit to add an HSTS header to the www server and to address a potential security misconfig where http://www is directly redirected to https://(notwww) (per https://wiki.mozilla.org/Security/Guidelines/Web_Security#HTTP_Redirections):
# HTTP server (non-www) -- redirect to https://example.com
server {
listen 80;
server_name example.com;
return 301 https://example.com$request_uri;
}
# HTTP server (www) -- redirect to https://www.example.com
server {
listen 80;
server_name www.example.com;
return 301 https://www.example.com$request_uri;
}
# HTTPS server (www) -- redirect to https://example.com -- Add HSTS header
server {
listen 443 ssl;
server_name www.example.com;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
return 301 https://example.com$request_uri;
}
# HTTPS server (non-www)
server {
listen 80;
listen 443 ssl;
server_name example.com;
root /var/www/html/mm;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $http_host;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
client_max_body_size 200m;
location / {
try_files $uri $uri/ /index.php?$query_string;
index index.php index.html index.htm install.php;
client_max_body_size 200m;
}
location ~ \.php$ {
try_files $uri /index.php =404;
#fastcgi_pass unix:/var/run/php-fpm/www.sock;
fastcgi_pass php-fpm;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_param PHP_VALUE "upload_max_filesize = 150M \n upload_max_filesize=151M";
fastcgi_param PHP_VALUE "post_max_size = 150M \n post_max_size=151M";
include fastcgi_params;
}
I'm very new to nginx. I've used apache2 but when I decided to try hosting my site on a raspberry pi 2, it was recommended to use nginx. I have my set setup with https and a commercial ssl. I installed guacamole on my FreeNAS in a jail (Still trying to get RDP to Windows 10 working...) and even forwarded the 8080 port in my firewall for external access. When I attempt to go to http://website.com:8080/guacamole it automatically changes to https and shows the following:
Secure Connection Failed
An error occurred during a connection to website.com:8080. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
But, when I access it via http://IPaddress:8080/guacamole it works just fine.
Here is my enabled-site file:
server {
listen 80;
server_name website.com www.website.com;
location /guacamole/ {
proxy_pass http://website.com:8080/guacamole/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
access_log off;
}
###### phpMyAdmin ############################################################
location /phpmyadmin {
root /usr/share/;
index index.php index.html index.htm;
location ~ ^/phpmyadmin/(.+\.php)$ {
root /usr/share/;
#include fastcgi-gen.conf;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_read_timeout 240;
}
location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
root /usr/share/;
}
}
location /phpMyAdmin {
rewrite ^/* /phpmyadmin last;
}
}
server {
listen 443 ssl;
server_name website.com www.website.com;
ssl_certificate /etc/nginx/ssl/website.com_bundle.crt;
ssl_certificate_key /etc/nginx/ssl/website.com.key;
root /data/website.com/www;
index index.php index.html index.htm;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /data/website.com/www;
}
# Error & Access logs
error_log /data/website.com/logs/error.log error;
access_log /data/website.com/logs/access.log;
location / {
index index.html index.php;
}
###### phpMyAdmin ############################################################
location /phpmyadmin {
root /usr/share/;
index index.php index.html index.htm;
location ~ ^/phpmyadmin/(.+\.php)$ {
root /usr/share/;
#include fastcgi-gen.conf;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_read_timeout 240;
}
location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
root /usr/share/;
}
}
location /phpMyAdmin {
rewrite ^/* /phpmyadmin last;
}
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
#server unix:/var/run/php5-fpm.sock;
}
}
Any help would be appreciated!