Nginx: Difference between revisions
m (→Error messages) |
mNo edit summary |
||
(7 intermediate revisions by the same user not shown) | |||
Line 77: | Line 77: | ||
==Rate limiting== | ==Rate limiting== | ||
*[https://www.nginx.com/blog/rate-limiting-nginx/ NGINX Rate limiting] | *[https://www.nginx.com/blog/rate-limiting-nginx/ NGINX Rate limiting] | ||
==Limit access== | |||
https://docs.hypernode.com/hypernode-platform/nginx/how-to-block-allow-ip-addresses-in-nginx.html | |||
=FAQ= | =FAQ= | ||
==Security settings== | |||
===X-Content-Type-Options=== | |||
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options | |||
add_header X-Content-Type-Options nosniff always; | |||
===Content-Security-Policy (CSP)=== | |||
==nginx serving wrong page== | ==nginx serving wrong page== | ||
Forgot to tell it to listen on ipv6? | Forgot to tell it to listen on ipv6? | ||
Line 91: | Line 105: | ||
==Error messages== | ==Error messages== | ||
===client intended to send too large body=== | ===nginx: [emerg] unknown log format=== | ||
Define log_format in '''http''' section before the includes. | |||
=== upstream prematurely closed connection while reading upstream === | |||
Maybe trying to fetch a large file, like jpg? | |||
=== client intended to send too large body === | |||
server { | server { | ||
# default 1m | # default 1m | ||
Line 132: | Line 153: | ||
===upstream timed out=== | ===upstream timed out=== | ||
Look for proxy_pass | Look for proxy_pass | ||
===failed (104: Unknown error) while reading response header from upstream=== | |||
===[emerg] duplicate listen options for [::]:443 === | |||
looks like "ipv6only=on" added by letsencrypt causes that, removing it might help | |||
==Logging== | ==Logging== | ||
Line 139: | Line 167: | ||
[[Category: Proxy]] | [[Category: Proxy]] | ||
[[Category: Web Services]] |
Latest revision as of 08:49, 13 August 2024
HTTP server, proxy, reverse proxy etc
Links
Documentation
Nginx and php-fpm
Monitoring php-fpm under nginx
Create /etc/nginx/site-enabled/fpmstatus
server { listen 89; listen [::]:89; server_name localhost; location = /fpm-status { access_log off;
allow 127.0.0.1; deny all;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; include fastcgi_params; fastcgi_pass unix:/run/php/php-fpm.sock; # fastcgi_pass 127.0.0.1:9001; } location = /fpm-ping { access_log off;
allow 127.0.0.1; deny all;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; include fastcgi_params; fastcgi_pass unix:/run/php/php-fpm.sock; } }
TODO find out why monitoring via tcp socket 127.0.0.1:9001 doesn't work
Notes
SSL certificates
The host.crt goes first in the bundle
server { listen 443; ssl on; ssl_certificate /etc/ssl/your_domain_name.pem; (or bundle.crt) ssl_certificate_key /etc/ssl/your_domain_name.key; server_name your.domain.com; access_log /var/log/nginx/nginx.vhost.access.log; error_log /var/log/nginx/nginx.vhost.error.log; location / { root /home/www/public_html/your.domain.com/public/; index index.html; } }
HOWTO
Get configuration items
getconf PAGESIZE
Redirecting in nginx
https://www.liquidweb.com/kb/redirecting-urls-using-nginx/
enable ipv6
In server section add
listen [::]:443;
Configure buffer sizes
See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
Rate limiting
Limit access
https://docs.hypernode.com/hypernode-platform/nginx/how-to-block-allow-ip-addresses-in-nginx.html
FAQ
Security settings
X-Content-Type-Options
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options add_header X-Content-Type-Options nosniff always;
Content-Security-Policy (CSP)
nginx serving wrong page
Forgot to tell it to listen on ipv6? Like
listen [::]:443 ssl;l
Conflicting server name XXX on 0.0.0.0:80
FastCGI sent in stderr: "Primary script unknown"
Usually means the php script just isn't there
Error messages
nginx: [emerg] unknown log format
Define log_format in http section before the includes.
upstream prematurely closed connection while reading upstream
Maybe trying to fetch a large file, like jpg?
client intended to send too large body
server { # default 1m client_max_body_size 4m;
no live upstreams while connecting to upstream
can't connect to whatever backend?
upstream sent too big header while reading response header from upstream
an upstream response is buffered to a temporary file
Usually just a bad client or a scan.
cannot load certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem
Probably ubuntu?
apt install ssl-cert
access forbidden by rule
look for allow or deny lines
a client request body is buffered to a temporary file
PLay some with
client_body_buffer_size 10M; client_max_body_size 10M;
TODO check, this doesn't seem to apply If all else fails just set:
proxy_max_temp_file_size 0;
and see if you get some feedback :)
upstream timed out
Look for proxy_pass
failed (104: Unknown error) while reading response header from upstream
[emerg] duplicate listen options for [::]:443
looks like "ipv6only=on" added by letsencrypt causes that, removing it might help
Logging
Log level
Doesn't seem to be documented, defaults to log all?