I have a nginx server running with ssl enabled.
Currently I have https enabled for all directories.
How enable ssl only for www.example.com/shop/* directory and disable for other??
here is my conf file :
# Redirect everything to the main site.
server {
server_name *.example.com;
listen 80;
ssl on;
ssl_certificate /opt/nginx/conf/server.crt;
ssl_certificate_key /opt/nginx/conf/server.key;
keepalive_timeout 70;
access_log /home/example/nginx_logs/access.log ;
error_log /home/example/nginx_logs/error.log ;
root /home/example/public_html/example.com;
location ~ \.php$ {
try_files $uri $uri/ /index.php?q=$uri&$args;
root /home/example/public_html/example.com/;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /opt/nginx/conf/fastcgi_params;
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME /home/example/public_html/example.com$fastcgi_script_name;
index index.php index.html index.htm;
}
if ($http_host != "example.com") {
rewrite ^ http://example.com$request_uri permanent;
}
include global/restrictions.conf;
# Additional rules go here.
#Only include one of the files below.
include global/wordpress.conf;
# include global/wordpress-ms-subdir.conf;
# include global/wordpress-ms-subdomain.conf;
}
tnanks,
D
It is easy to achieve in Nginx. There are two steps involved in it.
Port 443 will be used only when yourdomain.com/shop is accessed. All other requests would be redirected to port 80 (HTTP)
Port 80 will check for yourdomain.com/shop. If found, it'd be redirected to port 443 (HTTPS).
Here is a quick overview of how it could be done...
server {
listen 443;
server_name yourdomain.com;
# directives for SSL certificates
# root, index, error_log, access_log directives
location /shop {
# directives to handle what's inside /shop, for example
# try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
# directives to handle PHP files
}
# leave everything else to port 80
location / {
rewrite ^ http://$host$request_uri permanent;
}
}
server {
listen 80;
server_name yourdomain.com;
# root, index, error_log, access_log directives
# redirect yourdomain.com/shop to port 443
# Please put this before location / block as
# nginx stops after seeing the first match
location /shop {
rewrite ^ https://$host$request_uri permanent;
}
location / {
# directives to handle what's inside /, for example
# try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
# directives to handle PHP files
}
}
Related
I've just configured this site to use a Let's Encrypt certificate: https://secureshop.dnd1.com But the browser bar show the site as not secure. What I'm I doing wrong here?
This is my NGINX config file:
server {
listen 80;
server_name secureshop.dnd1.com;
return 301 https://$host$request_uri;
}
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
#listen 80;
# SSL configuration
#
# listen 443 ssl default_server;
listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
#root /var/www/html;
root /usr/share/nginx/html/secureshop;
# Add index.php to the list if you are using PHP
index index.html index.php index.htm index.nginx-debian.html;
server_name secureshop.dnd1.com;
#SSL
ssl_certificate /etc/letsencrypt/live/secureshop.dnd1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/secureshop.dnd1.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Logs
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location ~ /.well-known {
allow all;
}
location = /robots.txt {
auth_basic off;
allow all;
log_not_found off;
access_log off;
}
# Gzip Settings
#gzip on;
#gzip_disable "msie6";
#gzip_vary on;
#gzip_proxied any;
#gzip_comp_level 1;
#gzip_buffers 16 8k;
#gzip_http_version 1.0;
#gzip_types application/json text/css application/javascript;
rewrite ^/api/?(.*)$ /webservice/dispatcher.php?url=$1 last;
rewrite ^/([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$1$2$3.jpg last;
rewrite ^/([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$1$2$3$4.jpg last;
rewrite ^/([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$1$2$3$4$5.jpg last;
rewrite ^/([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg last;
rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg last;
rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg last;
rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg last;
rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.jpg last;
rewrite ^/c/([0-9]+)(-[.*_a-zA-Z0-9-]*)(-[0-9]+)?/.+.jpg$ /img/c/$1$2$3.jpg last;
rewrite ^/c/([a-zA-Z_-]+)(-[0-9]+)?/.+.jpg$ /img/c/$1$2.jpg last;
rewrite ^/images_ie/?([^/]+).(jpe?g|png|gif)$ /js/jquery/plugins/fancybox/images/$1.$2 last;
rewrite ^/order$ /index.php?controller=order last;
# Admin URL
location /admin-dev/ { #Change this to your admin folder
if (!-e $request_filename) {
rewrite ^/.*$ /admin-dev/index.php last; #Change this to your admin folder
}
}
location / {
if (!-e $request_filename) {
rewrite ^/.*$ /index.php last;
}
}
# location / {
# # First attempt to serve request as file, then
# # as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
# }
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
client_max_body_size 10M;
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
I don't get why this certificate makes my site appear "Not Secure". Do I have to do something else?
The red bar indicates that the certificate is self signed.
Probably you have non installed the let's encrypt certificate correctly.
Depending of your system configuration, you can find a lot of tutorials on how to install a Ssl manually on nginx.
Have a nice day,
Vlad
After installing Owncloud on my server, on a subdomain (let's say) cloud.motherboard.fr, I have the issue that all my https requests (like https://hey.motherboard.fr) redirect to the following Owncloud page :
while going to https://hey.motherboard.fr
So I guess that my Nginx configuration redirect all https connections to Owncloud. Here is my configuration file :
upstream php-handler {
server 127.0.0.1:9000;
# server unix:/var/run/php5-fpm.sock;
}
server {
listen 80;
server_name cloud.motherboard.fr; #YourIP or domain
return 301 https://$server_name$request_uri; # redirect all to use ssl
}
server {
listen 443 ssl;
server_name cloud.motherboard.fr; #YourIP or domain
#SSL Certificate you created
ssl_certificate /etc/nginx/cert/owncloud.crt;
ssl_certificate_key /etc/nginx/cert/owncloud.key;
# owncloud path
root /var/www/cloud/owncloud/;
client_max_body_size 10G; # set max upload size
fastcgi_buffers 64 4K;
rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
index index.php;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
deny all;
}
location / {
# The following 2 rules are only needed with webfinger
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ index.php;
}
location ~ ^(.+?\.php)(/.*)?$ {
try_files $1 = 404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$1;
fastcgi_param PATH_INFO $2;
fastcgi_param HTTPS on;
fastcgi_pass php-handler;
}
# Optional: set long EXPIRES header on static assets
location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
expires 30d;
# Optional: Don't log access to assets
access_log off;
}
}
It looks like it comes from the two first server block, but I didn't managed to change it. Can it have a link with php-pfm ?
My hey.motherboard.fr configuration is pretty simple :
server {
server_name hey.motherboard.fr;
location / {
root /var/www/hey;
index index.html index.htm;
}
}
I have working SSL enabled domain , server and it's up and running HTTP as default. explicitly when I request https://domain.tld it works fine but How to make it as default instead of HTTP
right now I have the following directives of my nginx vhost
server {
listen 80 ;
listen 443 ssl default_server;
ssl on ;
ssl_certificate /etc/nginx/ssl/XX.crt;
ssl_certificate_key /etc/nginx/ssl/XX.key;
server_name x.me www.x.me;
root /usr/share/nginx/www/x/site;
index index.html index.php;
location / {
try_files $uri $uri/ /index.php?q=$request_uri;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
redirect http requests to https. This can be done with scripting, but also with nginx using 'return'.
Tutorial: https://christiaanconover.com/blog/how-to-redirect-http-to-https-in-nginx
Add a separate server, that will redirect to https:
server {
listen 80;
server_name x.me www.x.me;
return 301 https://$host$request_uri;
}
and remove listen 80 from your existing code block
I have nginx web server installed and https domain. I want to make a sub-directory /dap in root folder to use http and exclude from ssl. Please guide me through this.
My /etc/nginx/sites-available virtual host file for this domain is as below,
# WPSINGLE FAST CGI NGINX CONFIGURATION
server {
listen 198.27.70.206:80;
server_name howtofightnow.com;
return 301 https://howtofightnow.com$request_uri;
}
server {
listen 443 ssl;
server_name howtofightnow.com;
ssl on;
ssl_certificate /etc/nginx/ssl/howtofightnow_com.pem;
ssl_certificate_key /etc/nginx/ssl/server.key;
#listen 198.27.70.206:80;
#server_name howtofightnow.com;
access_log /var/log/nginx/howtofightnow.com.access.log rt_cache;
error_log /var/log/nginx/howtofightnow.com.error.log;
root /var/www/howtofightnow.com/htdocs;
index index.php index.htm index.html;
location /zabbix {
if ($scheme ~ ^http:){
rewrite ^(.*)$ https://$host$1 permanent;
}
alias /usr/share/zabbix;
index index.php;
error_page 403 404 502 503 504 /zabbix/index.php;
location ~ \.php$ {
if (!-f $request_filename) { return 404; }
expires epoch;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_pass php;
}
location ~ \.(jpg|jpeg|gif|png|ico)$ {
access_log off;
expires 33d;
}
}
# Use Cached Or Actual File If They Exists, Otherwise Pass Request To WordPress
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ .php$ {
try_files $uri /index.php?args;
include fastcgi_params;
fastcgi_pass php;
}
location /vma {
root /usr/local/vimbadmin/public ;
try_files $uri $uri/ /index.php?$args;
location ~ .php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php;
}
}
rewrite ^/index.php/register/thanks(.*) /register/thanks$1 permanent;
include /etc/nginx/common/locations.conf;
}
Simply add this location (/dap) to your http server section, plus add a separate root location, as following:
server {
listen 198.27.70.206:80;
server_name howtofightnow.com;
location / {
return 301 https://howtofightnow.com$request_uri;
}
location /dap/ {
# specific rules for this location go here
}
}
I have a server that runs both development and staging instances of a site and each version has to answer on ports 80 & 443. The staging instance -- there's only one -- works exactly as I'd expect, but the development instances -- configured for each user -- loads a given page on either protocol directly just fine, but if I'm on a page on one port and try to link to the other it fails.
My Config
server {
listen 80;
server_name ~^dev\.(?<username>[^.]+)\.client\.tld\.net$
~^(?<username>[^.]+)\.client\.dev\.tld\.net$
~^(?<username>[^.]+)\.dev\.client\.tld\.net$;
location / {
rewrite ^(.*) http://$username.client.tld.net$1 permanent;
}
}
# This is the primary host that will ultimately answer requests.
server {
listen 80;
server_name ~^(?<username>[^.]+)\.client\.tld\.net$;
root /home/$username/client/www/app/webroot;
index index.php;
access_log /var/log/nginx/client.sandbox.access.log;
error_log /var/log/nginx/client.sandbox.error.log;
location / {
try_files $uri $uri/ /index.php?url=$uri;
}
location ~ \.php$ {
include /etc/nginx/conf/php;
}
include /etc/nginx/conf/expire_content;
include /etc/nginx/conf/ignore;
}
server {
listen 443 ssl;
server_name ~^dev\.(?<username>[^.]+)\.client\.tld\.net$
~^(?<username>[^.]+)\.client\.dev\.tld\.net$
~^(?<username>[^.]+)\.dev\.client\.tld\.net$;
location / {
rewrite ^(.*) https://$username.client.tld.net$1 permanent;
}
}
# This is the primary host that will ultimately answer requests.
server {
listen 443 ssl;
server_name ~^(?<username>[^.]+)\.client\.tld\.net$;
root /home/$username/client/www/app/webroot;
index index.php;
include /etc/nginx/conf/ssl;
access_log /var/log/nginx/client.sandbox.access.log;
error_log /var/log/nginx/client.sandbox.error.log;
location / {
try_files $uri $uri/ /index.php?url=$uri;
}
location ~ \.php$ {
include /etc/nginx/conf/php;
}
include /etc/nginx/conf/expire_content;
include /etc/nginx/conf/ignore;
}
Any idea where I've borked up my config?
First of all, there is no need to create four separate configurations, as both your servers (HTTP and HTTPS) have exactly the same body. You can use the $scheme variable which contains either http or https according to the context your're just working in (for the redirects). Secondly I don't see any root declaration in your dev configuration, also no certificates which might cause problems with browsers.
Other then that the configuration looks okay to me (well, you could move the index declaration to your http configuration; so you don't have to repeat it all the time).
Please check out the following (commented) example configuration I made up for you. Maybe it helps.
# Put this in http context!
index index.php;
server {
# One server configuration to rule them all!
listen 80;
listen 443 ssl;
# Seems legit.
server_name ~^dev\.(?<username>[^.]+)\.client\.tld\.net$
~^(?<username>[^.]+)\.client\.dev\.tld\.net$
~^(?<username>[^.]+)\.dev\.client\.tld\.net$;
# Where am I?
#root /home/$username/client/www/app/webroot;
# No wildcard certificate? No need to specify /etc/nginx as all paths
# in the configuration are relative to the installation path.
#include conf/ssl;
location / {
# May work as well, can't test.
#rewrite ^(.*) $scheme://$server_name$1 permanent;
rewrite ^(.*) $scheme://$username.client.tld.net$1 permanent;
}
}
server {
listen 80;
listen 443 ssl;
server_name ~^(?<username>[^.]+)\.client\.tld\.net$;
root /home/$username/client/www/app/webroot;
include conf/ssl;
access_log /var/log/nginx/client.sandbox.access.log;
error_log /var/log/nginx/client.sandbox.error.log;
location / {
try_files $uri $uri/ /index.php?url=$uri;
}
location ~ \.php$ {
include conf/php;
}
include conf/expire_content;
include conf/ignore;
}