Nginx: Difference between revisions
mNo edit summary |
mNo edit summary |
||
(16 intermediate revisions by the same user not shown) | |||
Line 9: | Line 9: | ||
==Nginx and php-fpm== | ==Nginx and php-fpm== | ||
*[https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04 How To Host Multiple Websites Securely With Nginx And Php-fpm On Ubuntu 14.04] | *[https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04 How To Host Multiple Websites Securely With Nginx And Php-fpm On Ubuntu 14.04] | ||
===Monitoring php-fpm under nginx=== | |||
Create /etc/nginx/site-enabled/fpmstatus | |||
server { | |||
listen 89; | |||
listen [::]:89; | |||
server_name localhost; | |||
location = /fpm-status { | |||
access_log off; | |||
allow 127.0.0.1; | |||
deny all; | |||
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; | |||
include fastcgi_params; | |||
fastcgi_pass unix:/run/php/php-fpm.sock; | |||
# fastcgi_pass 127.0.0.1:9001; | |||
} | |||
location = /fpm-ping { | |||
access_log off; | |||
allow 127.0.0.1; | |||
deny all; | |||
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; | |||
include fastcgi_params; | |||
fastcgi_pass unix:/run/php/php-fpm.sock; | |||
} | |||
} | |||
TODO find out why monitoring via tcp socket 127.0.0.1:9001 doesn't work | |||
=Notes= | =Notes= | ||
Line 43: | Line 73: | ||
==Configure buffer sizes== | ==Configure buffer sizes== | ||
See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size | See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size | ||
==Rate limiting== | |||
*[https://www.nginx.com/blog/rate-limiting-nginx/ NGINX Rate limiting] | |||
==Limit access== | |||
https://docs.hypernode.com/hypernode-platform/nginx/how-to-block-allow-ip-addresses-in-nginx.html | |||
=FAQ= | =FAQ= | ||
==Security settings== | |||
===X-Content-Type-Options=== | |||
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options | |||
add_header X-Content-Type-Options nosniff always; | |||
===Content-Security-Policy (CSP)=== | |||
==nginx serving wrong page== | |||
Forgot to tell it to listen on ipv6? | |||
Like | |||
listen [::]:443 ssl;l | |||
==Conflicting server name XXX on 0.0.0.0:80== | |||
==FastCGI sent in stderr: "Primary script unknown" == | |||
Usually means the php script just isn't there | |||
==Error messages== | ==Error messages== | ||
===nginx: [emerg] unknown log format=== | |||
Define log_format in '''http''' section before the includes. | |||
=== upstream prematurely closed connection while reading upstream === | |||
Maybe trying to fetch a large file, like jpg? | |||
=== client intended to send too large body === | |||
server { | |||
# default 1m | |||
client_max_body_size 4m; | |||
===no live upstreams while connecting to upstream=== | ===no live upstreams while connecting to upstream=== | ||
can't connect to whatever backend? | can't connect to whatever backend? | ||
Line 64: | Line 134: | ||
Usually just a bad client or a scan. | Usually just a bad client or a scan. | ||
===cannot load certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem=== | |||
Probably ubuntu? | |||
apt install ssl-cert | |||
===access forbidden by rule=== | ===access forbidden by rule=== | ||
Line 77: | Line 150: | ||
proxy_max_temp_file_size 0; | proxy_max_temp_file_size 0; | ||
and see if you get some feedback :) | and see if you get some feedback :) | ||
===upstream timed out=== | |||
Look for proxy_pass | |||
===failed (104: Unknown error) while reading response header from upstream=== | |||
===[emerg] duplicate listen options for [::]:443 === | |||
looks like "ipv6only=on" added by letsencrypt causes that, removing it might help | |||
==Logging== | ==Logging== | ||
Line 84: | Line 167: | ||
[[Category: Proxy]] | [[Category: Proxy]] | ||
[[Category: Web Services]] |
Latest revision as of 08:49, 13 August 2024
HTTP server, proxy, reverse proxy etc
Links
Documentation
Nginx and php-fpm
Monitoring php-fpm under nginx
Create /etc/nginx/site-enabled/fpmstatus
server { listen 89; listen [::]:89; server_name localhost; location = /fpm-status { access_log off;
allow 127.0.0.1; deny all;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; include fastcgi_params; fastcgi_pass unix:/run/php/php-fpm.sock; # fastcgi_pass 127.0.0.1:9001; } location = /fpm-ping { access_log off;
allow 127.0.0.1; deny all;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; include fastcgi_params; fastcgi_pass unix:/run/php/php-fpm.sock; } }
TODO find out why monitoring via tcp socket 127.0.0.1:9001 doesn't work
Notes
SSL certificates
The host.crt goes first in the bundle
server { listen 443; ssl on; ssl_certificate /etc/ssl/your_domain_name.pem; (or bundle.crt) ssl_certificate_key /etc/ssl/your_domain_name.key; server_name your.domain.com; access_log /var/log/nginx/nginx.vhost.access.log; error_log /var/log/nginx/nginx.vhost.error.log; location / { root /home/www/public_html/your.domain.com/public/; index index.html; } }
HOWTO
Get configuration items
getconf PAGESIZE
Redirecting in nginx
https://www.liquidweb.com/kb/redirecting-urls-using-nginx/
enable ipv6
In server section add
listen [::]:443;
Configure buffer sizes
See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
Rate limiting
Limit access
https://docs.hypernode.com/hypernode-platform/nginx/how-to-block-allow-ip-addresses-in-nginx.html
FAQ
Security settings
X-Content-Type-Options
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options add_header X-Content-Type-Options nosniff always;
Content-Security-Policy (CSP)
nginx serving wrong page
Forgot to tell it to listen on ipv6? Like
listen [::]:443 ssl;l
Conflicting server name XXX on 0.0.0.0:80
FastCGI sent in stderr: "Primary script unknown"
Usually means the php script just isn't there
Error messages
nginx: [emerg] unknown log format
Define log_format in http section before the includes.
upstream prematurely closed connection while reading upstream
Maybe trying to fetch a large file, like jpg?
client intended to send too large body
server { # default 1m client_max_body_size 4m;
no live upstreams while connecting to upstream
can't connect to whatever backend?
upstream sent too big header while reading response header from upstream
an upstream response is buffered to a temporary file
Usually just a bad client or a scan.
cannot load certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem
Probably ubuntu?
apt install ssl-cert
access forbidden by rule
look for allow or deny lines
a client request body is buffered to a temporary file
PLay some with
client_body_buffer_size 10M; client_max_body_size 10M;
TODO check, this doesn't seem to apply If all else fails just set:
proxy_max_temp_file_size 0;
and see if you get some feedback :)
upstream timed out
Look for proxy_pass
failed (104: Unknown error) while reading response header from upstream
[emerg] duplicate listen options for [::]:443
looks like "ipv6only=on" added by letsencrypt causes that, removing it might help
Logging
Log level
Doesn't seem to be documented, defaults to log all?