Nginx Archives - ServerOK

Nginx HTTP 414 request-URI too large

February 6, 2020

by ServerOk with No Comment Nginx

On a Nginx server, when accessing a long url, i get error

HTTP 414 Request-URI Too Large

1	HTTP 414 Request-URI Too Large

To fix the error, edit

vi /etc/nginx/nginx.conf

1	vi /etc/nginx/nginx.conf

inside “http” section, find

large_client_header_buffers

1	large_client_header_buffers

Replace the line with

large_client_header_buffers 4 32k;

1	large_client_header_buffers 4 32k;

If your URL is very large, you may need to increase the 32k to higher or reduce the url length.

Large url like this mostly happend due to bad application design, so if possible try to make URL smaller.

Restart nginx

systemctl restart nginx

1	systemctl restart nginx

On older servers (centos 6, ubuntu 14, etc..), run

service nginx restart

1	service nginx restart

Show Real IP Nginx Behind Reverse Proxy

November 22, 2019

by ServerOk with No Comment Nginx

When your Nginx web server is running behind a reverse proxy, you will see IP of the reverse proxy server as visitor IP in web servers access log.

To fix this, edit nginx.conf file

vi /etc/nginx/nginx.conf

1	vi /etc/nginx/nginx.conf

Find

http {

http {

Inside http section, add

set_real_ip_from IP_ADDRESS_OF_PROXY_SERVER_HERE;
real_ip_header X-Forwarded-For;

1 2	set_real_ip_from IP_ADDRESS_OF_PROXY_SERVER_HERE; real_ip_header X-Forwarded-For;

Example

set_real_ip_from 192.168.122.1;
real_ip_header X-Forwarded-For;

1 2	set_real_ip_from 192.168.122.1; real_ip_header X-Forwarded-For;

Restart Nginx

nginx -s reload

1	nginx -s reload

Nginx Location Directive

September 29, 2019

by ServerOk with No Comment Nginx

Nginx Location Directive is used to route request to correct files.

Match

Exact match is used to match an exact URL.

server {
    listen 80 default_server;
    root /var/www/html;
    index index.html;
    server_name _;

    location /ok/ {
        root /home/;
    }
}

server {

listen 80 default_server;

root /var/www/html;

index index.html;

server_name _;

location /ok/ {

root /home/;

}

When location is used with no modifiers, then beginning of the URL is matched. In this case, any url http://domain/ok/FILE_NAME will be served from /home/ok/FILE_NAME

Exact Match (=)

Exact match is used to match an exact URL.

server {
    listen 80 default_server;
    root /var/www/html;
    index index.html;
    server_name _;

    location = /ok/index.html {
        root /home/;
    }
}

server {

listen 80 default_server;

root /var/www/html;

index index.html;

server_name _;

location = /ok/index.html {

root /home/;

}

In this example http://domain/ok/index.html get served from /home/ok/index.html. Only this specific file will be matched.

Cause Insensitive Regular Expression Match (~*)

server {
    listen 80 default_server;
    root /var/www/html;
    index index.html;
    server_name _;

    location /ok/ {
        root /home/;
    }
}

server {

listen 80 default_server;

root /var/www/html;

index index.html;

server_name _;

location /ok/ {

root /home/;

}

Above code routes URL http://domain/ok/ to /home/ok/index.html. But won’t match http://domain/OK/.

If you need both /ok and /OK work, you need to use

    location ~* /ok/ {
        root /home/;
    }

location ~* /ok/ {

root /home/;

}

With this config, http://domain/OK/FILE will be served from /home/OK/FILE.

See Nginx

Nginx Password Protect a website

August 3, 2019

by ServerOk with No Comment Nginx

To password protect a web site, you need to install htpasswd utility. On Ubuntu/Debian, you can install it with command

apt install apache2-utils -y

1	apt install apache2-utils -y

Now create a password file with command

htpasswd -c /etc/nginx/.htpasswd  USER_NAME_HERE

1	htpasswd -c /etc/nginx/.htpasswd USER_NAME_HERE

It will ask for password.

Edit configuration file for your web site and add following in the server entry for the web site.

auth_basic "Members Only";
auth_basic_user_file /etc/nginx/.htpasswd;

1 2	auth_basic "Members Only"; auth_basic_user_file /etc/nginx/.htpasswd;

Restart Nginx.

systemctl restart nginx

1	systemctl restart nginx

Now on visiting the web site, you will be asked to enter username and password.

See Nginx

Configure Nginx to listen on single IP Address

July 30, 2019

by ServerOk with 2 Comments Nginx

By default Nginx listens on all IP address on a server. To make nginx listen on specific IP address, edit nginx configuration file

vi /etc/nginx/nginx.conf

1	vi /etc/nginx/nginx.conf

And VirtualHost/server files for each domain located in folders

/etc/nginx/conf.d => on CentOS/RHEL
/etc/nginx/sites-available => on Debian/Ubuntu

1 2	/etc/nginx/conf.d => on CentOS/RHEL /etc/nginx/sites-available => on Debian/Ubuntu

Find

listen 80

listen 80

Replace with

listen IP_ADDR_HERE:80

1	listen IP_ADDR_HERE:80

IP_ADDR_HERE = your server IP address on which you need nginx listen on.

See Nginx

Nginx Config for Laravel Application in sub folder

May 21, 2019

by ServerOk with No Comment Nginx

To run Laravel Application on sub folder of a web site, use following configuration. If you run Laravel application as main site, see Nginx Config for Laravel Application

# subFolderApp1

location /subFolderApp1 {  
    alias /home/yorudomain.com/html/subFolderApp1/public;  
    try_files $uri $uri/ @nested1;
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/run/php/php7.2-fpm-torrentp.sock;
    }
}  

location @nested1 {
    rewrite /subFolderApp1/(.*)$ /subFolderApp1/index.php?/$1 last;
}

# end subFolderApp1

# subFolderApp1

location /subFolderApp1 {

alias /home/yorudomain.com/html/subFolderApp1/public;

try_files $uri $uri/ @nested1;

location ~ \.php$ {

include snippets/fastcgi-php.conf;

fastcgi_param SCRIPT_FILENAME $request_filename;

fastcgi_pass unix:/run/php/php7.2-fpm-torrentp.sock;

}

location @nested1 {

rewrite /subFolderApp1/(.*)$ /subFolderApp1/index.php?/$1 last;

}

# end subFolderApp1

Here you place Laravel application in a subdirectory “subFolderApp1”.

Example

server {
    server_name serverok.in www.serverok.in;
    root /home/serverok.in/html/;
    index index.php index.html index.htm;
    client_max_body_size 1000M;
    proxy_read_timeout 600s;
    fastcgi_read_timeout 600s;
    fastcgi_send_timeout 600s;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }


    # service

    location /service {  
        alias /home/serverok.in/html/service/public;  
        try_files $uri $uri/ @nested1;
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            fastcgi_pass unix:/run/php/php7.2-fpm-torrentp.sock;
        }
    }  

    location @nested1 {
        rewrite /service/(.*)$ /service/index.php?/$1 last;
    }

    # end service

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_intercept_errors on;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
        fastcgi_pass unix:/run/php/php7.2-fpm-torrentp.sock;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/serverok.in/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/serverok.in/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.serverok.in) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = serverok.in) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name serverok.in www.serverok.in;
    return 404; # managed by Certbot
}

server {

server_name serverok.in www.serverok.in;

root /home/serverok.in/html/;

index index.php index.html index.htm;

client_max_body_size 1000M;

proxy_read_timeout 600s;

fastcgi_read_timeout 600s;

fastcgi_send_timeout 600s;

location / {

try_files $uri $uri/ /index.php?$query_string;

}

# service

location /service {

alias /home/serverok.in/html/service/public;

try_files $uri $uri/ @nested1;

location ~ \.php$ {

include snippets/fastcgi-php.conf;

fastcgi_param SCRIPT_FILENAME $request_filename;

fastcgi_pass unix:/run/php/php7.2-fpm-torrentp.sock;

}

location @nested1 {

rewrite /service/(.*)$ /service/index.php?/$1 last;

}

# end service

location ~ \.php$ {

include snippets/fastcgi-php.conf;

fastcgi_intercept_errors on;

fastcgi_buffers 16 16k;

fastcgi_buffer_size 32k;

fastcgi_pass unix:/run/php/php7.2-fpm-torrentp.sock;

}

listen 443 ssl; # managed by Certbot

ssl_certificate /etc/letsencrypt/live/serverok.in/fullchain.pem; # managed by Certbot

ssl_certificate_key /etc/letsencrypt/live/serverok.in/privkey.pem; # managed by Certbot

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {

if ($host = www.serverok.in) {

return 301 https://$host$request_uri;

} # managed by Certbot

if ($host = serverok.in) {

return 301 https://$host$request_uri;

} # managed by Certbot

listen 80;

server_name serverok.in www.serverok.in;

return 404; # managed by Certbot

}

Nginx Config for Laravel Application

April 27, 2019

by ServerOk with No Comment Nginx

Here is Nginx configuration for a laravel application

server {
    listen 80;
    server_name www.domain.com;
    access_log  /var/log/nginx/domain.com.log;
    root /home/domain.com/html/public;
    index index.html index.php;
    access_log /var/log/nginx/domain.com.log;
    error_log /var/log/nginx/domain.com-error.log;
    client_max_body_size 1000M;
    proxy_read_timeout 600s;
    fastcgi_read_timeout 600s;
    fastcgi_send_timeout 600s;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.(js|css|png|jpg|gif|swf|ico|pdf|mov|fla|zip|rar)$ {
       try_files $uri =404;
       access_log off;
       expires max;
    }

    location = /robots.txt      { access_log off; log_not_found off; }
    location = /favicon.ico    { access_log off; log_not_found off; }  

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_intercept_errors on;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}

server {
    listen 80;
    server_name  domain.com;
    return       301 http://www.domain.com$request_uri;
}

server {

listen 80;

server_name www.domain.com;

access_log /var/log/nginx/domain.com.log;

root /home/domain.com/html/public;

index index.html index.php;

access_log /var/log/nginx/domain.com.log;

error_log /var/log/nginx/domain.com-error.log;

client_max_body_size 1000M;

proxy_read_timeout 600s;

fastcgi_read_timeout 600s;

fastcgi_send_timeout 600s;

location / {

try_files $uri $uri/ /index.php$is_args$args;

}

location ~ \.(js|css|png|jpg|gif|swf|ico|pdf|mov|fla|zip|rar)$ {

try_files $uri =404;

access_log off;

expires max;

}

location = /robots.txt { access_log off; log_not_found off; }

location = /favicon.ico { access_log off; log_not_found off; }

location ~ \.php$ {

include snippets/fastcgi-php.conf;

fastcgi_intercept_errors on;

fastcgi_buffers 16 16k;

fastcgi_buffer_size 32k;

fastcgi_pass unix:/run/php/php7.2-fpm.sock;

}

server {

listen 80;

server_name domain.com;

return 301 http://www.domain.com$request_uri;

}

Nginx Config for Laravel Application in sub folder

Disable TLSv1 in Nginx

February 6, 2019

by ServerOk with No Comment Nginx

To disable TLSv1 in nginx, add

ssl_protocols TLSv1.1 TLSv1.2;

1	ssl_protocols TLSv1.1 TLSv1.2;

in your server config.

if you are using letsencrypt SSL, edit file

vi /etc/letsencrypt/options-ssl-nginx.conf

1	vi /etc/letsencrypt/options-ssl-nginx.conf

Find

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

1	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Replace with

ssl_protocols TLSv1.1 TLSv1.2;

1	ssl_protocols TLSv1.1 TLSv1.2;

Restart Nginx

service nginx restart

1	service nginx restart

To verify, run

nmap --script ssl-enum-ciphers -p 443 DOMAIN.EXTN

1	nmap --script ssl-enum-ciphers -p 443 DOMAIN.EXTN

This will list all supported SSL protocols.

Nginx Rails Origin header didn’t match request.base_url

January 30, 2019

by ServerOk with No Comment Nginx

After installing SSL on Nginx server, rails application login page stopped working.

On log file (log/production.log), found following error

HTTP Origin header (https://domain.com) didn't match request.base_url (http://domain.com)

The Nginx config used was

upstream app {
   server unix:/var/www/public/shared/sockets/unicorn.sock fail_timeout=0;
}

server {
   listen 443 ssl;
   root /var/www/public;
   ssl_certificate /etc/ssl/ssl.crt;
   ssl_certificate_key /etc/ssl/ssl.key;
   server_name domain.com;
   try_files $uri/index.html $uri @app;
   location @app {
       proxy_pass http://app;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header Host $http_host;
       proxy_redirect off;
   }
   error_page 500 502 503 504 /500.html;
   client_max_body_size 4G;
   keepalive_timeout 10;
}

upstream app {

server unix:/var/www/public/shared/sockets/unicorn.sock fail_timeout=0;

}

server {

listen 443 ssl;

root /var/www/public;

ssl_certificate /etc/ssl/ssl.crt;

ssl_certificate_key /etc/ssl/ssl.key;

server_name domain.com;

try_files $uri/index.html $uri @app;

location @app {

proxy_pass http://app;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header Host $http_host;

proxy_redirect off;

}

error_page 500 502 503 504 /500.html;

client_max_body_size 4G;

keepalive_timeout 10;

}

The problem is solved by adding following to nginx config.

proxy_set_header  X-Forwarded-Proto $scheme;
proxy_set_header  X-Forwarded-Ssl on;
proxy_set_header  X-Forwarded-Port $server_port;
proxy_set_header  X-Forwarded-Host $host;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_set_header X-Forwarded-Ssl on;

proxy_set_header X-Forwarded-Port $server_port;

proxy_set_header X-Forwarded-Host $host;

The new config is

server {
   listen 443 ssl;
   root /var/www/public;
   ssl_certificate /etc/ssl/ssl.crt;
   ssl_certificate_key /etc/ssl/ssl.key;
   server_name domain.com;
   try_files $uri/index.html $uri @app;
   location @app {
       proxy_pass http://app;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header Host $http_host;
       proxy_set_header  X-Forwarded-Proto $scheme;
       proxy_set_header  X-Forwarded-Ssl on;
       proxy_set_header  X-Forwarded-Port $server_port;
       proxy_set_header  X-Forwarded-Host $host;
       proxy_redirect off;
   }
   error_page 500 502 503 504 /500.html;
   client_max_body_size 4G;
   keepalive_timeout 10;
}

server {

listen 443 ssl;

root /var/www/public;

ssl_certificate /etc/ssl/ssl.crt;

ssl_certificate_key /etc/ssl/ssl.key;

server_name domain.com;

try_files $uri/index.html $uri @app;

location @app {

proxy_pass http://app;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header Host $http_host;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_set_header X-Forwarded-Ssl on;

proxy_set_header X-Forwarded-Port $server_port;

proxy_set_header X-Forwarded-Host $host;

proxy_redirect off;

}

error_page 500 502 503 504 /500.html;

client_max_body_size 4G;

keepalive_timeout 10;

}

See Nginx

Nginx Disable Access log

December 4, 2018

by ServerOk with No Comment Nginx

On a high traffic web site, i want to disable access log as we are hitting I/O Limit. Since we don’t use this access log for anything now, there is no point keep writing it to a file. To disable, you need to add following to server entry for your web site.

access_log off;

1	access_log off;

Here is an example nginx config with access logs disabled.

server {
    server_name server3.serverok.in www.server3.serverok.in;
    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/ssl/ssl.cert;
    ssl_certificate_key /etc/ssl/ssl.key;
    root /home/server3/public_html;
    index index.html;
    limit_rate_after 10m;
    limit_rate 512k;
    access_log off;
    location / {
        valid_referers none serverok.in www.serverok.in;
        if ($invalid_referer) {
            return 403;
        }
    }
}

server {

server_name server3.serverok.in www.server3.serverok.in;

listen 80;

listen 443 ssl;

ssl_certificate /etc/ssl/ssl.cert;

ssl_certificate_key /etc/ssl/ssl.key;

root /home/server3/public_html;

index index.html;

limit_rate_after 10m;

limit_rate 512k;

access_log off;

location / {

valid_referers none serverok.in www.serverok.in;

if ($invalid_referer) {

return 403;

}