Nginx

From DWIKI
Revision as of 08:49, 13 August 2024 by Tony (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

HTTP server, proxy, reverse proxy etc

Links

Documentation

Nginx and php-fpm

Monitoring php-fpm under nginx

Create /etc/nginx/site-enabled/fpmstatus

server {
       listen 89;
       listen [::]:89;
       server_name localhost;
       location = /fpm-status {
               access_log off;
               allow 127.0.0.1;
               deny all;
               fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
               include fastcgi_params;
               fastcgi_pass unix:/run/php/php-fpm.sock;
               # fastcgi_pass 127.0.0.1:9001;
       }
       location = /fpm-ping {
               access_log off;
               allow 127.0.0.1;
               deny all;
               fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
               include fastcgi_params;
               fastcgi_pass unix:/run/php/php-fpm.sock;
       }
}

TODO find out why monitoring via tcp socket 127.0.0.1:9001 doesn't work

Notes

SSL certificates

The host.crt goes first in the bundle


server {
 listen   443;
 ssl    on;
 ssl_certificate    /etc/ssl/your_domain_name.pem; (or bundle.crt)
 ssl_certificate_key    /etc/ssl/your_domain_name.key;
 server_name your.domain.com;
 access_log /var/log/nginx/nginx.vhost.access.log;
 error_log /var/log/nginx/nginx.vhost.error.log;
 location / {
  root   /home/www/public_html/your.domain.com/public/;
  index  index.html;
 }
}

HOWTO

Get configuration items

getconf PAGESIZE

Redirecting in nginx

https://www.liquidweb.com/kb/redirecting-urls-using-nginx/

enable ipv6

In server section add

listen [::]:443;

Configure buffer sizes

See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size


Rate limiting


Limit access

https://docs.hypernode.com/hypernode-platform/nginx/how-to-block-allow-ip-addresses-in-nginx.html

FAQ

Security settings

X-Content-Type-Options

# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff always;

Content-Security-Policy (CSP)

nginx serving wrong page

Forgot to tell it to listen on ipv6? Like

listen [::]:443 ssl;l

Conflicting server name XXX on 0.0.0.0:80

FastCGI sent in stderr: "Primary script unknown"

Usually means the php script just isn't there

Error messages

nginx: [emerg] unknown log format

Define log_format in http section before the includes.


upstream prematurely closed connection while reading upstream

Maybe trying to fetch a large file, like jpg?

client intended to send too large body

server {
  # default 1m
  client_max_body_size 4m;


no live upstreams while connecting to upstream

can't connect to whatever backend?


upstream sent too big header while reading response header from upstream


an upstream response is buffered to a temporary file

(SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking

Usually just a bad client or a scan.

cannot load certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem

Probably ubuntu?

apt install ssl-cert

access forbidden by rule

look for allow or deny lines

a client request body is buffered to a temporary file

PLay some with

client_body_buffer_size 10M;
client_max_body_size 10M;

TODO check, this doesn't seem to apply If all else fails just set:

   proxy_max_temp_file_size 0;

and see if you get some feedback :)

upstream timed out

Look for proxy_pass


failed (104: Unknown error) while reading response header from upstream

[emerg] duplicate listen options for [::]:443

looks like "ipv6only=on" added by letsencrypt causes that, removing it might help


Logging

Log level

Doesn't seem to be documented, defaults to log all?