Nginx: Difference between revisions

From DWIKI
mNo edit summary
 
(35 intermediate revisions by the same user not shown)
Line 4: Line 4:
*[http://nginx.org/ Homepage]
*[http://nginx.org/ Homepage]
*[https://deliciousbrains.com/page-caching-varnish-vs-nginx-fastcgi-cache/ Varnish vs nginx]
*[https://deliciousbrains.com/page-caching-varnish-vs-nginx-fastcgi-cache/ Varnish vs nginx]
==Documentation==
*[https://www.nginx.com/resources/wiki/start/ Getting started]
==Nginx and php-fpm==
*[https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04 How To Host Multiple Websites Securely With Nginx And Php-fpm On Ubuntu 14.04]
===Monitoring php-fpm under nginx===
Create /etc/nginx/site-enabled/fpmstatus
server {
        listen 89;
        listen [::]:89;
        server_name localhost;
        location = /fpm-status {
                access_log off;
                allow 127.0.0.1;
                deny all;
                fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
                include fastcgi_params;
                fastcgi_pass unix:/run/php/php-fpm.sock;
                # fastcgi_pass 127.0.0.1:9001;
        }
        location = /fpm-ping {
                access_log off;
                allow 127.0.0.1;
                deny all;
                fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
                include fastcgi_params;
                fastcgi_pass unix:/run/php/php-fpm.sock;
        }
}
TODO find out why monitoring via tcp socket 127.0.0.1:9001 doesn't work


=Notes=
=Notes=
Line 24: Line 59:
   }
   }
  }
  }
=HOWTO=
==Get configuration items==
getconf PAGESIZE
==Redirecting in nginx==
https://www.liquidweb.com/kb/redirecting-urls-using-nginx/
==enable ipv6==
In server section add
listen [::]:443;
==Configure buffer sizes==
See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
==Rate limiting==
*[https://www.nginx.com/blog/rate-limiting-nginx/ NGINX Rate limiting]
==Limit access==
https://docs.hypernode.com/hypernode-platform/nginx/how-to-block-allow-ip-addresses-in-nginx.html


=FAQ=
=FAQ=
==no live upstreams while connecting to upstream==
==Security settings==
===X-Content-Type-Options===
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff always;
 
===Content-Security-Policy (CSP)===
 
 
 
 
==nginx serving wrong page==
Forgot to tell it to listen on ipv6?
Like
listen [::]:443 ssl;l
 
==Conflicting server name XXX on 0.0.0.0:80==
 
==FastCGI sent in stderr: "Primary script unknown" ==
Usually means the php script just isn't there
 
==Error messages==
 
===nginx: [emerg] unknown log format===
Define log_format in '''http''' section before the includes.
 
 
=== upstream prematurely closed connection while reading upstream ===
Maybe trying to fetch a large file, like jpg?
 
=== client intended to send too large body ===
server {
  # default 1m
  client_max_body_size 4m;
 
 
 
===no live upstreams while connecting to upstream===
can't connect to whatever backend?
can't connect to whatever backend?




==upstream sent too big header while reading response header from upstream==
===upstream sent too big header while reading response header from upstream===
https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx
*[https://techglimpse.com/upstream-sent-too-big-header-while-reading-response-header-from-upstream-nginx/ Upstream sent too big header]
[[:Category: Proxy]]
*[https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx Tuning proxy_buffer_size in NGINX]
 
 
===an upstream response is buffered to a temporary file===
 
 
===(SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking===
Usually just a bad client or a scan.
 
===cannot load certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem===
Probably ubuntu?
apt install ssl-cert
 
===access forbidden by rule===
look for allow or deny lines
 
===a client request body is buffered to a temporary file===
PLay some with
client_body_buffer_size 10M;
client_max_body_size 10M;
 
TODO check, this doesn't seem to apply
If all else fails just set:
    proxy_max_temp_file_size 0;
and see if you get some feedback :)
 
===upstream timed out===
Look for proxy_pass
 
 
===failed (104: Unknown error) while reading response header from upstream===
 
===[emerg] duplicate listen options for [::]:443 ===
looks like "ipv6only=on" added by letsencrypt causes that, removing it might help
 
 
==Logging==
 
===Log level===
Doesn't seem to be documented, defaults to log all?
 
[[Category: Proxy]]
[[Category: Web Services]]

Latest revision as of 08:49, 13 August 2024

HTTP server, proxy, reverse proxy etc

Links

Documentation

Nginx and php-fpm

Monitoring php-fpm under nginx

Create /etc/nginx/site-enabled/fpmstatus

server {
       listen 89;
       listen [::]:89;
       server_name localhost;
       location = /fpm-status {
               access_log off;
               allow 127.0.0.1;
               deny all;
               fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
               include fastcgi_params;
               fastcgi_pass unix:/run/php/php-fpm.sock;
               # fastcgi_pass 127.0.0.1:9001;
       }
       location = /fpm-ping {
               access_log off;
               allow 127.0.0.1;
               deny all;
               fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
               include fastcgi_params;
               fastcgi_pass unix:/run/php/php-fpm.sock;
       }
}

TODO find out why monitoring via tcp socket 127.0.0.1:9001 doesn't work

Notes

SSL certificates

The host.crt goes first in the bundle


server {
 listen   443;
 ssl    on;
 ssl_certificate    /etc/ssl/your_domain_name.pem; (or bundle.crt)
 ssl_certificate_key    /etc/ssl/your_domain_name.key;
 server_name your.domain.com;
 access_log /var/log/nginx/nginx.vhost.access.log;
 error_log /var/log/nginx/nginx.vhost.error.log;
 location / {
  root   /home/www/public_html/your.domain.com/public/;
  index  index.html;
 }
}

HOWTO

Get configuration items

getconf PAGESIZE

Redirecting in nginx

https://www.liquidweb.com/kb/redirecting-urls-using-nginx/

enable ipv6

In server section add

listen [::]:443;

Configure buffer sizes

See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size


Rate limiting


Limit access

https://docs.hypernode.com/hypernode-platform/nginx/how-to-block-allow-ip-addresses-in-nginx.html

FAQ

Security settings

X-Content-Type-Options

# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff always;

Content-Security-Policy (CSP)

nginx serving wrong page

Forgot to tell it to listen on ipv6? Like

listen [::]:443 ssl;l

Conflicting server name XXX on 0.0.0.0:80

FastCGI sent in stderr: "Primary script unknown"

Usually means the php script just isn't there

Error messages

nginx: [emerg] unknown log format

Define log_format in http section before the includes.


upstream prematurely closed connection while reading upstream

Maybe trying to fetch a large file, like jpg?

client intended to send too large body

server {
  # default 1m
  client_max_body_size 4m;


no live upstreams while connecting to upstream

can't connect to whatever backend?


upstream sent too big header while reading response header from upstream


an upstream response is buffered to a temporary file

(SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking

Usually just a bad client or a scan.

cannot load certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem

Probably ubuntu?

apt install ssl-cert

access forbidden by rule

look for allow or deny lines

a client request body is buffered to a temporary file

PLay some with

client_body_buffer_size 10M;
client_max_body_size 10M;

TODO check, this doesn't seem to apply If all else fails just set:

   proxy_max_temp_file_size 0;

and see if you get some feedback :)

upstream timed out

Look for proxy_pass


failed (104: Unknown error) while reading response header from upstream

[emerg] duplicate listen options for [::]:443

looks like "ipv6only=on" added by letsencrypt causes that, removing it might help


Logging

Log level

Doesn't seem to be documented, defaults to log all?