Nginx

From DWIKI
Latest revision as of 08:49, 13 August 2024

HTTP server, proxy, reverse proxy, etc.

Links

Documentation

Nginx and php-fpm

How To Host Multiple Websites Securely With Nginx And Php-fpm On Ubuntu 14.04: https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04

Monitoring php-fpm under nginx

Create /etc/nginx/sites-enabled/fpmstatus (the directory is sites-enabled, not site-enabled). The php-fpm pool has to expose the endpoints as well: set pm.status_path = /fpm-status and ping.path = /fpm-ping in the pool configuration (e.g. /etc/php/*/fpm/pool.d/www.conf), otherwise php-fpm treats the request as an ordinary script and fails with "Primary script unknown".

server {
       # bind to loopback only instead of every interface; the allow/deny
       # rules below then act as defence in depth rather than the only guard
       listen 127.0.0.1:89;
       listen [::1]:89;
       server_name localhost;
       location = /fpm-status {
               access_log off;
               allow 127.0.0.1;
               allow ::1;   # "localhost" may resolve to ::1, which 127.0.0.1 alone would deny
               deny all;
               fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
               include fastcgi_params;
               fastcgi_pass unix:/run/php/php-fpm.sock;
               # fastcgi_pass 127.0.0.1:9001;
       }
       location = /fpm-ping {
               access_log off;
               allow 127.0.0.1;
               allow ::1;
               deny all;
               fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
               include fastcgi_params;
               fastcgi_pass unix:/run/php/php-fpm.sock;
       }
}

Check it from the host itself: curl http://127.0.0.1:89/fpm-ping should answer "pong", and http://127.0.0.1:89/fpm-status prints the pool counters (append ?full for per-process detail or ?json for machine-readable output).

TODO find out why monitoring via tcp socket 127.0.0.1:9001 doesn't work. Note that php-fpm only listens on TCP when the pool's listen directive is set to 127.0.0.1:9001; the Debian/Ubuntu default is the unix socket, and the fastcgi_pass target must match whatever the pool listens on.

Notes

SSL certificates

The host.crt goes first in the bundle, followed by the intermediate certificate(s): nginx sends the file in order and clients expect the leaf certificate first. openssl x509 -in bundle.pem -noout -subject prints only the first certificate in the file, which is a quick check of the order.


server {
 # "ssl on;" is deprecated since 1.15.0 and rejected by recent releases;
 # put the ssl parameter on the listen line instead
 listen   443 ssl;
 listen   [::]:443 ssl;
 ssl_certificate    /etc/ssl/your_domain_name.pem;   # or the bundle: host.crt followed by the chain
 ssl_certificate_key    /etc/ssl/your_domain_name.key;
 server_name your.domain.com;
 access_log /var/log/nginx/nginx.vhost.access.log;
 error_log /var/log/nginx/nginx.vhost.error.log;
 location / {
  root   /home/www/public_html/your.domain.com/public/;
  index  index.html;
 }
}

HOWTO

Get the system page size (nginx buffer defaults such as proxy_buffer_size and fastcgi_buffer_size are one memory page)

getconf PAGESIZE

Redirecting in nginx

https://www.liquidweb.com/kb/redirecting-urls-using-nginx/

enable ipv6

In the server section add, next to the existing IPv4 listen line:

listen [::]:443 ssl;

Keep the plain listen 443 ssl; as well: since nginx 1.3.4 the [::] socket is bound with ipv6only=on by default, so it does not accept IPv4 connections.

Configure buffer sizes

See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size


Rate limiting

NGINX Rate limiting: https://www.nginx.com/blog/rate-limiting-nginx/

limit_req_zone (http context) declares the shared-memory zone, the key and the rate; limit_req (server or location) applies it, with burst= setting how many excess requests are queued and nodelay serving the burst at once instead of pacing it.


Limit access

https://docs.hypernode.com/hypernode-platform/nginx/how-to-block-allow-ip-addresses-in-nginx.html
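Worked example for the two sections above, rate limiting and limiting access by IP, added here as an illustration; it is not from the wiki page or from the linked articles. The zone name, server name, backend address, admin path and address ranges are assumptions.

```nginx
# Added example (not from the wiki page): per-client rate limiting plus an IP
# allowlist on an admin path. Names, paths and addresses are assumptions.

http {
    # Key on the client address; a 10m zone holds roughly 160k addresses.
    # 10r/s is the steady-state rate; requests above it are delayed or rejected.
    limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;
    # Answer 429 instead of the default 503 so throttling is distinguishable
    # from a backend outage in logs and dashboards.
    limit_req_status 429;

    server {
        listen 80;
        listen [::]:80;
        server_name example.com;   # assumed name

        location / {
            # Allow short bursts of 20 extra requests; nodelay serves them
            # immediately instead of queuing them at the 10r/s pace.
            limit_req zone=perip burst=20 nodelay;
            proxy_pass http://127.0.0.1:8080;   # assumed backend
        }

        location /admin/ {
            # Tighter limit on a login / brute-force surface: a burst of 5,
            # paced at 10r/s, anything beyond that gets 429.
            limit_req zone=perip burst=5;
            # allow/deny are evaluated top to bottom; the first match wins.
            allow 127.0.0.1;
            allow ::1;
            allow 10.0.0.0/8;      # assumed office range
            deny  all;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Behind a load balancer or CDN both mechanisms see the proxy's address in $remote_addr / $binary_remote_addr, so every client shares one rate bucket and allow/deny matches the proxy rather than the user. In that case configure the realip module (set_real_ip_from for the proxy's addresses only, real_ip_header X-Forwarded-For) before relying on either directive; trusting X-Forwarded-For from arbitrary sources lets a client pick its own address.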

FAQ

Security settings

X-Content-Type-Options

# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff always;

Content-Security-Policy (CSP)

Sent the same way with add_header ... always. Roll a new policy out as Content-Security-Policy-Report-Only first, so violations are reported without breaking the site. Be aware that add_header directives are inherited from the enclosing block only if the location defines no add_header of its own; one extra header in a location silently drops all the inherited ones.
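Worked example for the Security settings section, added here as an illustration and not taken from the wiki page: the headers above in a complete server block, together with the add_header inheritance trap. Server name, certificate paths, document root, backend address and the policy values are assumptions to be adapted to the site.

```nginx
# Added example (not from the wiki page): security headers on a TLS vhost.
# Names, paths and policy values are assumptions; tune them to the site.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;                        # assumed
    ssl_certificate     /etc/ssl/example.com.pem;   # assumed paths
    ssl_certificate_key /etc/ssl/example.com.key;

    # "always" attaches the headers to error responses (4xx/5xx) as well.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    # Start strict and widen per directive as the site needs; avoid
    # 'unsafe-inline' for scripts, it disables most of the XSS protection.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;

    location / {
        root  /var/www/example.com;   # assumed
        index index.html;
    }

    location /api/ {
        # add_header is NOT inherited once a location defines any add_header
        # of its own: the parent's set is dropped. So either repeat every
        # header here, or leave this location without add_header entirely.
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options DENY always;
        add_header Referrer-Policy strict-origin-when-cross-origin always;
        # JSON responses need no script or frame permissions at all.
        add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'" always;
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }
}
```

Verify with curl -sI https://example.com/ and curl -sI https://example.com/api/ that both paths return the full header set; a missing header on one path is the usual symptom of the inheritance rule.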

nginx serving wrong page

Forgot to tell it to listen on ipv6? server_name is only matched among the server blocks attached to the socket the connection arrived on. If this vhost has no listen [::]:443 but another vhost does, IPv6 clients land on that other socket and get its default server, so a dual-stack client sees the wrong site. Add to the server block:

listen [::]:443 ssl;
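Added example for the wrong-page problem above, not taken from the wiki page: an explicit catch-all default server on every address:port, so a request that matches no server_name gets a closed connection instead of whichever vhost happens to be defined first. The vhost name is an assumption; the certificate paths are the Debian/Ubuntu snakeoil ones mentioned further down the page.

```nginx
# Added example (not from the wiki page): explicit catch-all default server
# for IPv4 and IPv6. The vhost name is an assumption.

server {
    # default_server is chosen per socket; set it on every address:port
    # you listen on, or the IPv6 socket picks its own (first-defined) default.
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    # A certificate is still needed to complete the TLS handshake; the
    # self-signed snakeoil pair is fine since no real site is served here.
    ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    return 444;   # nginx-specific: close the connection without a response
}

server {
    listen 80;
    listen [::]:80;   # without this line IPv6 clients fall through to the catch-all above
    server_name www.example.com;   # assumed
    return 301 https://$host$request_uri;
}
```

On nginx 1.19.4 or newer the TLS catch-all can use ssl_reject_handshake on; instead of a certificate, which aborts the handshake for unknown names before any response is sent.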

Conflicting server name XXX on 0.0.0.0:80

Two server blocks listening on the same address:port declare the same server_name. nginx logs the warning and ignores the later definition, so the first one in include order wins; find the duplicate with grep -rn server_name /etc/nginx/ and remove it.

FastCGI sent in stderr: "Primary script unknown"

Usually means the php script just isn't there: php-fpm could not open the path nginx passed in SCRIPT_FILENAME. Check that root is set in (or inherited by) the php location so that $document_root$fastcgi_script_name is the real file, and that the php-fpm pool user can read it.

Error messages

nginx: [emerg] unknown log format

Define log_format in http section before the includes.


upstream prematurely closed connection while reading upstream

The backend closed the connection before nginx had read the whole response. Maybe trying to fetch a large file, like a jpg? Check the backend's own log for a crash, timeout or size limit at the same timestamp.

client intended to send too large body

The request body exceeds client_max_body_size (default 1m) and nginx answers 413. Raise it in the http, server or location block that handles the uploads:

server {
  # default 1m
  client_max_body_size 4m;
}


no live upstreams while connecting to upstream

Every server in the upstream group is currently marked unavailable (after max_fails failures, default 1, a server is skipped for fail_timeout, default 10s), so there is nothing left to try. Can't connect to whatever backend? Check that it is listening and reachable from the nginx host.


upstream sent too big header while reading response header from upstream

The response headers (often large Set-Cookie headers) do not fit in the header buffer: raise proxy_buffer_size for proxy_pass backends or fastcgi_buffer_size for php-fpm.

an upstream response is buffered to a temporary file

A warning, not an error: the response did not fit in proxy_buffers and was spooled to disk under proxy_temp_path. Raise proxy_buffers, or set proxy_max_temp_file_size 0 to stop nginx writing to disk (it then reads from the upstream only as fast as the client accepts data).

(SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking

Usually just a bad client or a scan.

cannot load certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem

Probably Debian/Ubuntu: the default site references the self-signed "snakeoil" certificate generated by the ssl-cert package, and that package is not installed. Install it, or point ssl_certificate at a real certificate.

apt install ssl-cert

access forbidden by rule

look for allow or deny lines: they are evaluated in order and the first match wins. Behind a reverse proxy $remote_addr is the proxy's address, so a rule set that allows only the real client blocks everything unless the realip module (set_real_ip_from / real_ip_header) is configured.

a client request body is buffered to a temporary file

A warning: the request body was larger than client_body_buffer_size (default 8k on x86/x86-64, 16k on most other 64-bit platforms) and was written to client_body_temp_path. Play with

client_body_buffer_size 10M;
client_max_body_size 10M;

keeping client_body_buffer_size at or below client_max_body_size. The similar-looking setting

   proxy_max_temp_file_size 0;

concerns upstream responses ("an upstream response is buffered to a temporary file" above), not request bodies; TODO check whether it has any effect here.

upstream timed out

Look for proxy_pass (or fastcgi_pass) in the location that was hit: the backend did not answer within proxy_connect_timeout / proxy_read_timeout (both default 60s; fastcgi_read_timeout for php-fpm). Raise the timeout only after finding out why the backend is slow.


failed (104: Unknown error) while reading response header from upstream

errno 104 is ECONNRESET: the upstream reset the TCP connection while nginx was waiting for the response headers, e.g. a backend worker that crashed or was restarted. Check the backend's log.

[emerg] duplicate listen options for [::]:443

looks like "ipv6only=on" added by letsencrypt causes that: socket options such as ipv6only may be given only once per address:port, so when several server blocks listen on [::]:443 keep the option on one of them (or drop it entirely, since ipv6only=on is the default) and remove it from the others.


Logging

Log level

The level belongs to error_log and is documented there: the second argument is one of debug, info, notice, warn, error, crit, alert, emerg (default error), and everything at that level or more severe is written. access_log has no level; it records every request unless the if= condition or access_log off excludes it.