Nginx
HTTP server, proxy, reverse proxy etc
Links
Documentation
Nginx and php-fpm
Monitoring php-fpm under nginx
Create /etc/nginx/sites-enabled/fpmstatus with a server block that is only reachable from the local host:
server {
    listen 89;
    listen [::]:89;
    server_name localhost;
    location = /fpm-status {
        access_log off;
        allow 127.0.0.1;
        allow ::1;      # needed for the [::]:89 listener, otherwise local IPv6 clients are denied
        deny all;
        fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        # fastcgi_pass 127.0.0.1:9001;
    }
    location = /fpm-ping {
        access_log off;
        allow 127.0.0.1;
        allow ::1;
        deny all;
        fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
The php-fpm pool must have pm.status_path = /fpm-status and ping.path = /fpm-ping set, otherwise both locations return 404.
TODO find out why monitoring via tcp socket 127.0.0.1:9001 doesn't work (first check that the pool's listen directive is really 127.0.0.1:9001 and that listen.allowed_clients, if set, includes 127.0.0.1).
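A small health-check script for the two endpoints above, added here as an example (it is not part of the original notes). It assumes the server block above is live on 127.0.0.1:89 and that the php-fpm pool has pm.status_path = /fpm-status and ping.path = /fpm-ping with the default ping response "pong"; the status page it ships with for the offline "demo" mode is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: poll the php-fpm status/ping endpoints exposed on port 89
# and turn the plain-text status page into a health verdict.
# Assumed pool settings: pm.status_path = /fpm-status, ping.path = /fpm-ping.
STATUS_URL="${STATUS_URL:-http://127.0.0.1:89/fpm-status}"
PING_URL="${PING_URL:-http://127.0.0.1:89/fpm-ping}"

# fpm_field <status-text> <key>: value of one "key: value" line of the status page.
fpm_field() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '$1 == key { print $2; exit }'
}

# fpm_verdict <status-text>: 0 when the pool has headroom, 1 when requests are
# queueing or every child is busy, 2 when the text is not a status page at all.
# "max children reached" is a cumulative counter since pool start, so it is
# only reported, not used for the verdict.
fpm_verdict() {
    active=$(fpm_field "$1" "active processes")
    total=$(fpm_field "$1" "total processes")
    queue=$(fpm_field "$1" "listen queue")
    reached=$(fpm_field "$1" "max children reached")
    if [ -z "$active" ] || [ -z "$total" ]; then
        echo "not a php-fpm status page" >&2
        return 2
    fi
    if [ "${queue:-0}" -gt 0 ] || [ "$active" -ge "$total" ]; then
        echo "SATURATED active=$active total=$total queue=${queue:-0} max_children_reached=${reached:-0}"
        return 1
    fi
    echo "OK active=$active total=$total max_children_reached=${reached:-0}"
}

# fpm_check: live check through nginx; fails on a bad ping or a saturated pool.
fpm_check() {
    ping=$(curl -sS --max-time 5 "$PING_URL") || return 1
    if [ "$ping" != "pong" ]; then
        echo "unexpected ping response: $ping" >&2
        return 1
    fi
    status=$(curl -sS --max-time 5 "$STATUS_URL") || return 1
    fpm_verdict "$status"
}

# Constructed sample status page (not captured from a real host), used by "demo".
SAMPLE_STATUS='pool:                 www
process manager:      dynamic
start time:           01/Jan/2024:00:00:00 +0000
accepted conn:        1234
listen queue:         0
max listen queue:     3
listen queue len:     128
idle processes:       2
active processes:     3
total processes:      5
max active processes: 5
max children reached: 0
slow requests:        0'

case "${1:-}" in
    demo)  fpm_verdict "$SAMPLE_STATUS" ;;   # offline run on the sample above
    check) fpm_check ;;                      # live run: ./fpm-check.sh check
esac
```

Run it as `./fpm-check.sh check` from a monitoring job; the exit code is 0 only when the ping answered and the pool still had idle children and an empty listen queue.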
Notes
SSL certificates
The host certificate (host.crt) goes first in the bundle, followed by the intermediates.
server {
    listen 443 ssl;     # "ssl on;" is deprecated, the ssl flag belongs on the listen line
    ssl_certificate /etc/ssl/your_domain_name.pem;      # or bundle.crt
    ssl_certificate_key /etc/ssl/your_domain_name.key;
    server_name your.domain.com;
    access_log /var/log/nginx/nginx.vhost.access.log;
    error_log /var/log/nginx/nginx.vhost.error.log;
    location / {
        root /home/www/public_html/your.domain.com/public/;
        index index.html;
    }
}
HOWTO
Client certificates
Create client certificate
openssl pkcs12 -export -inkey ./sample.key -in ./sample.crt -out ./sample.p12
Add client certificate to chromium
Add the .p12 in Advanced->Manage certificates->Your certificates
Get configuration items
getconf PAGESIZE    # memory page size; the default proxy_buffer_size is one page (4k or 8k)
Redirecting in nginx
https://www.liquidweb.com/kb/redirecting-urls-using-nginx/
Enable IPv6
In server section add
listen [::]:443;
Configure buffer sizes
See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
Rate limiting
Limit access
https://docs.hypernode.com/hypernode-platform/nginx/how-to-block-allow-ip-addresses-in-nginx.html
nginx and OCSP (stapling)
To make sure everything works have *all* certificates (host, intermediates, root) in bundle.pem; ssl_stapling_verify needs the full chain in ssl_trusted_certificate to validate the OCSP response.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/pki/tls/certs/bundle.pem;
ssl_certificate /etc/pki/tls/certs/bundle.pem;
ssl_certificate_key /etc/pki/tls/private/mydomain.key;
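Both the "host.crt goes first" rule from the SSL certificates section and the "all certificates in bundle.pem" rule for stapling come down to assembling the bundle in the right order and checking it. The script below is an added example, not from the original notes: it builds the bundle, verifies that the first block really is the host certificate, and checks a live server for a stapled OCSP response. The file layout ($HOST_CRT, a $CHAIN_DIR containing intermediate_*.crt and root.crt) is an assumption; adjust to your own paths.

```shell
#!/bin/sh
# Added example: assemble the PEM bundle in the order nginx expects (host
# certificate first, then intermediates, then root) and verify the result.
# Assumed layout (not from the original notes): $HOST_CRT is the host
# certificate, $CHAIN_DIR holds intermediate_*.crt and root.crt.
HOST_CRT="${HOST_CRT:-host.crt}"
CHAIN_DIR="${CHAIN_DIR:-./chain}"
BUNDLE="${BUNDLE:-bundle.pem}"

# pem_count <file>: number of certificates in a PEM bundle.
pem_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# pem_nth <file> <n>: the n-th certificate block (1-based), BEGIN to END lines.
pem_nth() {
    awk -v n="$2" '/BEGIN CERTIFICATE/ { i++ }
                   i == n { print }
                   /END CERTIFICATE/ && i == n { exit }' "$1"
}

# host_is_first <bundle> <host.crt>: nginx presents the first block as the
# leaf certificate, so it must be the host certificate, byte for byte.
host_is_first() {
    [ "$(pem_nth "$1" 1)" = "$(cat "$2")" ]
}

# make_bundle: host cert, then intermediates, then root, written to $BUNDLE.
make_bundle() {
    cat "$HOST_CRT" "$CHAIN_DIR"/intermediate_*.crt "$CHAIN_DIR"/root.crt > "$BUNDLE" || return 1
    host_is_first "$BUNDLE" "$HOST_CRT" || { echo "host cert is not first in $BUNDLE" >&2; return 1; }
    echo "$(pem_count "$BUNDLE") certificates in $BUNDLE"
}

# chain_subjects <bundle>: subject of each certificate, in bundle order (needs openssl).
chain_subjects() {
    n=$(pem_count "$1"); i=1
    while [ "$i" -le "$n" ]; do
        pem_nth "$1" "$i" | openssl x509 -noout -subject
        i=$((i + 1))
    done
}

# check_stapling <host> [port]: the handshake must carry a stapled OCSP response.
check_stapling() {
    printf 'QUIT\n' | openssl s_client -connect "$1:${2:-443}" -servername "$1" -status 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

case "${1:-}" in
    bundle) make_bundle && chain_subjects "$BUNDLE" ;;
    staple) check_stapling "$2" "${3:-443}" && echo "stapling OK for $2" ;;
esac
```

`./bundle.sh bundle` writes the bundle and prints the subjects in order so a swapped leaf/intermediate is obvious; `./bundle.sh staple your.domain.com` only succeeds once nginx has fetched and cached an OCSP response, so a failure right after a restart is expected and a failure a minute later is not.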
Letsencrypt and stapling
Will be discontinued: https://kbeezie.com/nginx-ssl_stapling-ignored-ocsp-letsencrypt/
FAQ
Security settings
X-Content-Type-Options
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff always;
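The "always" parameter matters: without it nginx only adds the header to successful and redirect responses, so error pages would be served without nosniff. The script below is an added example (not from the original notes) that checks the header on the front page and on a 404; $SITE and the not-found path are assumptions, and the header blocks used in its offline test are constructed.

```shell
#!/bin/sh
# Added example: verify a security header is present on every response,
# including error pages, which is what "always" on add_header guarantees.
# $SITE is an assumed site; the 404 path is a constructed, non-existent URL.
SITE="${SITE:-https://your.domain.com}"

# header_value <raw-response-headers> <name>: the header's value, matching the
# name case-insensitively (HTTP header names are case-insensitive).
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -F': *' -v name="$2" \
        'tolower($1) == tolower(name) { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# has_nosniff <raw-response-headers>: true when X-Content-Type-Options is nosniff.
has_nosniff() {
    [ "$(header_value "$1" "X-Content-Type-Options" | tr 'A-Z' 'a-z')" = "nosniff" ]
}

# check_site: fetch only the headers of "/" and of a 404 and require nosniff on both.
check_site() {
    rc=0
    for path in / /no-such-page-for-header-check; do
        hdrs=$(curl -sS -o /dev/null -D - --max-time 10 "$SITE$path") || return 1
        if has_nosniff "$hdrs"; then
            echo "ok      $path"
        else
            echo "MISSING nosniff on $path ($(printf '%s\n' "$hdrs" | head -n1))"
            rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "check" ]; then
    check_site
fi
```

If the front page passes and the 404 fails, the add_header line is missing "always" (or lives in a location that the error page does not pass through).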
Content-Security-Policy (CSP)
nginx serving wrong page
Forgot to tell it to listen on ipv6? Like
listen [::]:443 ssl;
Conflicting server name XXX on 0.0.0.0:80
Two server blocks on the same listen address declare the same server_name; nginx logs "conflicting server name ... ignored" and keeps the first one it parsed.
FastCGI sent in stderr: "Primary script unknown"
Usually means the php script just isn't there, i.e. php-fpm cannot open the path it got in SCRIPT_FILENAME (check root and the fastcgi_param SCRIPT_FILENAME line).
Error messages
nginx: [emerg] unknown log format
Define log_format in http section before the includes.
upstream prematurely closed connection while reading upstream
Maybe trying to fetch a large file, like jpg?
client intended to send too large body
server {
    # default 1m
    client_max_body_size 4m;
}
no live upstreams while connecting to upstream
nginx could not connect to any server of the upstream group (all are marked down); check that the backend is up and that proxy_pass / upstream point at the right address.
upstream sent too big header while reading response header from upstream
The response headers did not fit in one buffer; raise proxy_buffer_size (or fastcgi_buffer_size for php-fpm).
an upstream response is buffered to a temporary file
A warning, not an error: the response did not fit in proxy_buffers and was spooled to disk; tune proxy_buffers, or disable spooling with proxy_max_temp_file_size 0.
Usually just a bad client or a scan.
cannot load certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem"
Probably ubuntu?
apt install ssl-cert
access forbidden by rule
look for allow or deny lines
a client request body is buffered to a temporary file
Play with
client_body_buffer_size 10M;
client_max_body_size 10M;
TODO check, this doesn't seem to apply. If all else fails just set:
proxy_max_temp_file_size 0;
and see if you get some feedback :)
upstream timed out
Look at the proxy_pass target; proxy_read_timeout (default 60s) is how long nginx waits for the upstream to answer.
failed (104: Unknown error) while reading response header from upstream
errno 104 is ECONNRESET: the upstream reset the connection while nginx was waiting for the response headers; look at the backend's own logs and timeouts.
[emerg] duplicate listen options for [::]:443
looks like the "ipv6only=on" added by letsencrypt causes that: listen options for one address:port may only be given once, so removing it from the duplicate listen line might help
Logging
Log level
The second argument of error_log is the level (debug, info, notice, warn, error, crit, alert, emerg); the default is error, i.e. only error and more severe messages are logged.