Nginx
HTTP server, proxy, reverse proxy etc
Links
Documentation
Nginx and php-fpm
Monitoring php-fpm under nginx
Create /etc/nginx/site-enabled/fpmstatus
server {
listen 89;
listen [::]:89;
server_name localhost;
location = /fpm-status {
access_log off;
allow 127.0.0.1;
deny all;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
include fastcgi_params;
fastcgi_pass unix:/run/php/php-fpm.sock;
# fastcgi_pass 127.0.0.1:9001;
}
location = /fpm-ping {
access_log off;
allow 127.0.0.1;
deny all;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
include fastcgi_params;
fastcgi_pass unix:/run/php/php-fpm.sock;
}
}
TODO find out why monitoring via tcp socket 127.0.0.1:9001 doesn't work
Notes
SSL certificates
The host.crt goes first in the bundle
server {
listen 443;
ssl on;
ssl_certificate /etc/ssl/your_domain_name.pem; (or bundle.crt)
ssl_certificate_key /etc/ssl/your_domain_name.key;
server_name your.domain.com;
access_log /var/log/nginx/nginx.vhost.access.log;
error_log /var/log/nginx/nginx.vhost.error.log;
location / {
root /home/www/public_html/your.domain.com/public/;
index index.html;
}
}
HOWTO
SSL configuration
- onfiguring HTTPS servers
- Security/Server Side TLS Mozilla: Security/Server Side TLS]
- Mozilla SSL config generator outdated?
In case of letsencrypt check /etc/letsencrypt/options-ssl-nginx.conf
Cipher order
ssl_prefer_server_ciphers on;
Set server directives globally
Put them in /etc/nginx/conf.d/directives.conf
CSP
Content Security Policy
- [https://content-security-policy.com/examples/nginx/ Content Security Policy (CSP)
Examples ]
CSP config example
add_header Content-Security-Policy "
default-src 'self';
frame-src 'none';
script-src 'self';
frame-ancestors 'self';
img-src 'self' data:;
manifest-src 'self';
media-src 'self';
object-src 'self';
base-uri: 'self';
form-action: 'self';
worker-src 'self';" always;
Client certificates
Create client certificate
openssl pkcs12 -export -inkey ./sample.key -in ./sample.crt -out ./sample.p12
Add client certificate to chromium
Add the .p12 in Advanced->Manage certificates->Your certificates
Logging
Log level
Doesn't seem to be documented, defaults to log all?
Ignore IP addresses in logs
Create /etc/nginx/conf.d/logignore.conf or put in your vhost config:
map $remote_addr $loggable {
"1.2.3.4" 0;
# allow rest
default 1;
}
and then in your vhost configuration:
access_log /var/log/nginx/myhost.access.log combined if=$loggable;
Regular expression on $request
To filter out the nextcloud preview 404s:
map $request $loggable {
"~^GET \/index\.php\/core\/preview.*$" 0;
default 1;
}
Get configuration items
getconf PAGESIZE
Redirecting in nginx
https://www.liquidweb.com/kb/redirecting-urls-using-nginx/
enable ipv6
In server section add
listen [::]:443;
Configure buffer sizes
See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
Dump nginx configuration
nginx -T
Rate limiting
Limit access
https://docs.hypernode.com/hypernode-platform/nginx/how-to-block-allow-ip-addresses-in-nginx.html
nginx and OCSP (stapling)
To make sure everything works have *all* certificates in bundle.pem
ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/pki/tls/certs/bundle.pem
ssl_certificate /etc/pki/tls/certs/bundle.pem; ssl_certificate_key /etc/pki/tls/private/mydomain.key;
Letsencrypt and stapling
Will be discontinued: https://kbeezie.com/nginx-ssl_stapling-ignored-ocsp-letsencrypt/
Exclude not found from log
log_not_found off;
Allow zabbix to read nginx error log
setfacl -m g:zabbix:r /var/log/nginx/error.log
(perhaps put this in logrotate postrotate)
FAQ
php not executed but downloaded
In case of php-fpm see:
Security settings
X-Content-Type-Options
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options add_header X-Content-Type-Options nosniff always;
Content-Security-Policy (CSP)
security.txt
nginx serving wrong page
Forgot to tell it to listen on ipv6? Like
listen [::]:443 ssl;l
Conflicting server name XXX on 0.0.0.0:80
FastCGI sent in stderr: "Primary script unknown"
Usually means the php script just isn't there
Error messages
ERR_HTTP2_PROTOCOL_ERROR
Check with curl:
curl --http2 https://example.com
I got
curl: (92) : frame type: 1, stream: 1, Invalid HTTP header field was receivedname: [content-security-policy]
found out the hard way that add_header arguments have to be on single line
nginx: [emerg] unknown log format
Define log_format in http section before the includes.
upstream prematurely closed connection while reading upstream
Maybe trying to fetch a large file, like jpg?
client intended to send too large body
server {
# default 1m
client_max_body_size 4m;
no live upstreams while connecting to upstream
can't connect to whatever backend?
upstream sent too big header while reading response header from upstream
In case of fastcgi
https://gist.github.com/magnetikonline/11312172#determine-fastcgi-response-sizes
Try settings like
fastcgi_buffers 32 32k; fastcgi_buffer_size 32k;
an upstream response is buffered to a temporary file
(SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking
Usually just a bad client or a scan.
cannot load certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem
Probably ubuntu?
apt install ssl-cert
access forbidden by rule
look for allow or deny lines
a client request body is buffered to a temporary file
PLay some with
client_body_buffer_size 10M; client_max_body_size 10M;
TODO check, this doesn't seem to apply If all else fails just set:
proxy_max_temp_file_size 0;
and see if you get some feedback :)
upstream timed out
Look for proxy_pass
failed (104: Unknown error) while reading response header from upstream
[emerg] duplicate listen options for [::]:443
looks like "ipv6only=on" added by letsencrypt causes that, removing it might help
nginx: [emerg] a duplicate default server for 0.0.0.0:80
Multiple vhosts having "default_server" in their listen lines
nginx: [error] invalid PID number "" in "/run/nginx.pid"
Try
systemctl restart nginx
upstream sent no valid HTTP/1.0
Check for confusion between http and https
