Nginx: Difference between revisions
mNo edit summary |
|||
(37 intermediate revisions by the same user not shown) | |||
Line 4: | Line 4: | ||
*[http://nginx.org/ Homepage] | *[http://nginx.org/ Homepage] | ||
*[https://deliciousbrains.com/page-caching-varnish-vs-nginx-fastcgi-cache/ Varnish vs nginx] | *[https://deliciousbrains.com/page-caching-varnish-vs-nginx-fastcgi-cache/ Varnish vs nginx] | ||
==Documentation== | |||
*[https://www.nginx.com/resources/wiki/start/ Getting started] | |||
==Nginx and php-fpm== | |||
*[https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04 How To Host Multiple Websites Securely With Nginx And Php-fpm On Ubuntu 14.04] | |||
===Monitoring php-fpm under nginx=== | |||
Create /etc/nginx/site-enabled/fpmstatus | |||
server { | |||
listen 89; | |||
listen [::]:89; | |||
server_name localhost; | |||
location = /fpm-status { | |||
access_log off; | |||
allow 127.0.0.1; | |||
deny all; | |||
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; | |||
include fastcgi_params; | |||
fastcgi_pass unix:/run/php/php-fpm.sock; | |||
# fastcgi_pass 127.0.0.1:9001; | |||
} | |||
location = /fpm-ping { | |||
access_log off; | |||
allow 127.0.0.1; | |||
deny all; | |||
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; | |||
include fastcgi_params; | |||
fastcgi_pass unix:/run/php/php-fpm.sock; | |||
} | |||
} | |||
TODO find out why monitoring via tcp socket 127.0.0.1:9001 doesn't work | |||
=Notes= | =Notes= | ||
Line 25: | Line 60: | ||
} | } | ||
[[:Category: Proxy]] | =HOWTO= | ||
==Get configuration items== | |||
getconf PAGESIZE | |||
==Redirecting in nginx== | |||
https://www.liquidweb.com/kb/redirecting-urls-using-nginx/ | |||
==enable ipv6== | |||
In server section add | |||
listen [::]:443; | |||
==Configure buffer sizes== | |||
See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size | |||
==Rate limiting== | |||
*[https://www.nginx.com/blog/rate-limiting-nginx/ NGINX Rate limiting] | |||
==Limit access== | |||
https://docs.hypernode.com/hypernode-platform/nginx/how-to-block-allow-ip-addresses-in-nginx.html | |||
=FAQ= | |||
==Security settings== | |||
===X-Content-Type-Options=== | |||
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options | |||
add_header X-Content-Type-Options nosniff always; | |||
===Content-Security-Policy (CSP)=== | |||
==nginx serving wrong page== | |||
Forgot to tell it to listen on ipv6? | |||
Like | |||
listen [::]:443 ssl;l | |||
==Conflicting server name XXX on 0.0.0.0:80== | |||
==FastCGI sent in stderr: "Primary script unknown" == | |||
Usually means the php script just isn't there | |||
==Error messages== | |||
===nginx: [emerg] unknown log format=== | |||
Define log_format in '''http''' section before the includes. | |||
=== upstream prematurely closed connection while reading upstream === | |||
Maybe trying to fetch a large file, like jpg? | |||
=== client intended to send too large body === | |||
server { | |||
# default 1m | |||
client_max_body_size 4m; | |||
===no live upstreams while connecting to upstream=== | |||
can't connect to whatever backend? | |||
===upstream sent too big header while reading response header from upstream=== | |||
*[https://techglimpse.com/upstream-sent-too-big-header-while-reading-response-header-from-upstream-nginx/ Upstream sent too big header] | |||
*[https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx Tuning proxy_buffer_size in NGINX] | |||
===an upstream response is buffered to a temporary file=== | |||
===(SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking=== | |||
Usually just a bad client or a scan. | |||
===cannot load certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem=== | |||
Probably ubuntu? | |||
apt install ssl-cert | |||
===access forbidden by rule=== | |||
look for allow or deny lines | |||
===a client request body is buffered to a temporary file=== | |||
PLay some with | |||
client_body_buffer_size 10M; | |||
client_max_body_size 10M; | |||
TODO check, this doesn't seem to apply | |||
If all else fails just set: | |||
proxy_max_temp_file_size 0; | |||
and see if you get some feedback :) | |||
===upstream timed out=== | |||
Look for proxy_pass | |||
===failed (104: Unknown error) while reading response header from upstream=== | |||
===[emerg] duplicate listen options for [::]:443 === | |||
looks like "ipv6only=on" added by letsencrypt causes that, removing it might help | |||
==Logging== | |||
===Log level=== | |||
Doesn't seem to be documented, defaults to log all? | |||
[[Category: Proxy]] | |||
[[Category: Web Services]] |
Latest revision as of 08:49, 13 August 2024
HTTP server, proxy, reverse proxy etc
Links
Documentation
Nginx and php-fpm
Monitoring php-fpm under nginx
Create /etc/nginx/site-enabled/fpmstatus
server { listen 89; listen [::]:89; server_name localhost; location = /fpm-status { access_log off;
allow 127.0.0.1; deny all;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; include fastcgi_params; fastcgi_pass unix:/run/php/php-fpm.sock; # fastcgi_pass 127.0.0.1:9001; } location = /fpm-ping { access_log off;
allow 127.0.0.1; deny all;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; include fastcgi_params; fastcgi_pass unix:/run/php/php-fpm.sock; } }
TODO find out why monitoring via tcp socket 127.0.0.1:9001 doesn't work
Notes
SSL certificates
The host.crt goes first in the bundle
server { listen 443; ssl on; ssl_certificate /etc/ssl/your_domain_name.pem; (or bundle.crt) ssl_certificate_key /etc/ssl/your_domain_name.key; server_name your.domain.com; access_log /var/log/nginx/nginx.vhost.access.log; error_log /var/log/nginx/nginx.vhost.error.log; location / { root /home/www/public_html/your.domain.com/public/; index index.html; } }
HOWTO
Get configuration items
getconf PAGESIZE
Redirecting in nginx
https://www.liquidweb.com/kb/redirecting-urls-using-nginx/
enable ipv6
In server section add
listen [::]:443;
Configure buffer sizes
See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
Rate limiting
Limit access
https://docs.hypernode.com/hypernode-platform/nginx/how-to-block-allow-ip-addresses-in-nginx.html
FAQ
Security settings
X-Content-Type-Options
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options add_header X-Content-Type-Options nosniff always;
Content-Security-Policy (CSP)
nginx serving wrong page
Forgot to tell it to listen on ipv6? Like
listen [::]:443 ssl;l
Conflicting server name XXX on 0.0.0.0:80
FastCGI sent in stderr: "Primary script unknown"
Usually means the php script just isn't there
Error messages
nginx: [emerg] unknown log format
Define log_format in http section before the includes.
upstream prematurely closed connection while reading upstream
Maybe trying to fetch a large file, like jpg?
client intended to send too large body
server { # default 1m client_max_body_size 4m;
no live upstreams while connecting to upstream
can't connect to whatever backend?
upstream sent too big header while reading response header from upstream
an upstream response is buffered to a temporary file
Usually just a bad client or a scan.
cannot load certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem
Probably ubuntu?
apt install ssl-cert
access forbidden by rule
look for allow or deny lines
a client request body is buffered to a temporary file
PLay some with
client_body_buffer_size 10M; client_max_body_size 10M;
TODO check, this doesn't seem to apply If all else fails just set:
proxy_max_temp_file_size 0;
and see if you get some feedback :)
upstream timed out
Look for proxy_pass
failed (104: Unknown error) while reading response header from upstream
[emerg] duplicate listen options for [::]:443
looks like "ipv6only=on" added by letsencrypt causes that, removing it might help
Logging
Log level
Doesn't seem to be documented, defaults to log all?