Nginx configuration on Centos Web Panel

Fantomen

Hello all Flarumites,

I´m running Flarum on Centos Web Panel but I am having some issues to get the nginx configuration correctly. I currently run the forum using nginx+apache but would like to move on to nginx only.

The nginx configuartion files appear to be a little bit different on CWP (perhaps I should change to Plesk..) and I was hoping I could get some help from any of you guys.

The force-https config looks as follows;

server {
	listen 136.244.101.88:443 ssl ;
	server_name hockeybulletin.se  www.hockeybulletin.se;
	root /home/hockeyb/hockeybulletin.se/public/;
	index index.php index.html index.htm;
	access_log /usr/local/apache/domlogs/hockeybulletin.se.bytes bytes;
	access_log /usr/local/apache/domlogs/hockeybulletin.se.log combined;
	error_log /usr/local/apache/domlogs/hockeybulletin.se.error.log error;

	ssl_certificate      /etc/pki/tls/certs/hockeybulletin.se.bundle;
	ssl_certificate_key  /etc/pki/tls/private/hockeybulletin.se.key;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
	ssl_prefer_server_ciphers   on;

	ssl_session_cache   shared:SSL:10m;
	ssl_session_timeout 60m;

	location / {
	
		add_header Strict-Transport-Security "max-age=31536000";
		add_header X-Content-Type-Options nosniff;

		location ~.*\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {			
			expires max;
		}
		
		location ~ [^/]\.php(/|$) {
			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
			if (!-f $document_root$fastcgi_script_name) {
				return  404;
			}

			fastcgi_pass    unix:/opt/alt/php-fpm74/usr/var/sockets/hockeyb.sock;
			fastcgi_index   index.php;
			include         /etc/nginx/fastcgi_params;
		}

	}

	location ~* "/\.(htaccess|htpasswd)$" {deny all;return 404;}

	disable_symlinks if_not_owner from=/home/hockeyb/hockeybulletin.se/public/;

	location /.well-known/acme-challenge {
		default_type "text/plain";
		alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
	}
}

server {
	listen 136.244.101.88:443 ssl ;	
	server_name webmail.hockeybulletin.se;

	access_log /usr/local/apache/domlogs/hockeybulletin.se.bytes bytes;
	access_log /usr/local/apache/domlogs/hockeybulletin.se.log combined;
	error_log /usr/local/apache/domlogs/hockeybulletin.se.error.log error;

	ssl_certificate      /etc/pki/tls/certs/hockeybulletin.se.bundle;
	ssl_certificate_key  /etc/pki/tls/private/hockeybulletin.se.key;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
	ssl_prefer_server_ciphers   on;

	ssl_session_cache   shared:SSL:10m;
	ssl_session_timeout 60m;

	location / {
		proxy_pass  http://127.0.0.1:2095;
		include proxy.inc;
	}

	location ~ /\.ht    {deny all;}
	location ~ /\.svn/  {deny all;}
	location ~ /\.git/  {deny all;}
	location ~ /\.hg/   {deny all;}
	location ~ /\.bzr/  {deny all;}

	disable_symlinks if_not_owner from=/home/hockeyb/hockeybulletin.se/public/;

	location /.well-known/acme-challenge {
		default_type "text/plain";
		alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
	}
}

server {
	listen 136.244.101.88:443 ssl ;	
	server_name mail.hockeybulletin.se;

	access_log /usr/local/apache/domlogs/hockeybulletin.se.bytes bytes;
	access_log /usr/local/apache/domlogs/hockeybulletin.se.log combined;
	error_log /usr/local/apache/domlogs/hockeybulletin.se.error.log error;

	ssl_certificate      /etc/pki/tls/certs/hockeybulletin.se.bundle;
	ssl_certificate_key  /etc/pki/tls/private/hockeybulletin.se.key;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
	ssl_prefer_server_ciphers   on;

	ssl_session_cache   shared:SSL:10m;
	ssl_session_timeout 60m;

	location / {
		proxy_pass  http://127.0.0.1:2095;
		include proxy.inc;
	}

	location ~ /\.ht    {deny all;}
	location ~ /\.svn/  {deny all;}
	location ~ /\.git/  {deny all;}
	location ~ /\.hg/   {deny all;}
	location ~ /\.bzr/  {deny all;}

	disable_symlinks if_not_owner from=/home/hockeyb/hockeybulletin.se/public/;

	location /.well-known/acme-challenge {
		default_type "text/plain";
		alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
	}
}

server {
	listen 136.244.101.88:443 ssl ;	
	server_name cpanel.hockeybulletin.se;

	access_log /usr/local/apache/domlogs/hockeybulletin.se.bytes bytes;
	access_log /usr/local/apache/domlogs/hockeybulletin.se.log combined;
	error_log /usr/local/apache/domlogs/hockeybulletin.se.error.log error;

	ssl_certificate      /etc/pki/tls/certs/hockeybulletin.se.bundle;
	ssl_certificate_key  /etc/pki/tls/private/hockeybulletin.se.key;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
	ssl_prefer_server_ciphers   on;

	ssl_session_cache   shared:SSL:10m;
	ssl_session_timeout 60m;

	location / {
		proxy_pass  https://127.0.0.1:2083;
		include proxy.inc;
	}

	location /pma {
		proxy_pass  https://127.0.0.1:2031;
		include proxy.inc;
	}

	location /roundcube {
		proxy_pass  https://127.0.0.1:2031;
		include proxy.inc;
	}

	location ~ /\.ht    {deny all;}
	location ~ /\.svn/  {deny all;}
	location ~ /\.git/  {deny all;}
	location ~ /\.hg/   {deny all;}
	location ~ /\.bzr/  {deny all;}

	disable_symlinks if_not_owner from=/home/hockeyb/hockeybulletin.se/public/;

	location /.well-known/acme-challenge {
		default_type "text/plain";
		alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
	}
}

Where would you paste include /home/hockeyb/hockeybulletin.se/.nginx.conf;?

I´ve tried in multiple places with no success - either nginx won´t restart or the forum gives a 403, forbidden.

For Wordpress I was able to get permalinx using code below;

	location / {

		add_header Strict-Transport-Security "max-age=31536000";
		add_header X-Content-Type-Options nosniff;

		location ~.*\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {			
			expires max;
		}
		
        location / {
	        # WordPress permalinks in Nginx
	        try_files $uri $uri/ /index.php?$args;
        }		
		
		
		location ~ [^/]\.php(/|$) {
			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
			if (!-f $document_root$fastcgi_script_name) {
				return  404;
			}

			fastcgi_pass    unix:/opt/alt/php-fpm74/usr/var/sockets/odobros.sock;
			fastcgi_index   index.php;
			include         /etc/nginx/fastcgi_params;
		}

	}

Any chances to use something similar?

[deleted]

You should be able to insert the include inside your server block, so

server { // Other configuration here etc include /home/hockeyb/hockeybulletin.se/.nginx.conf; }
Can you post your full config ?

Fantomen

[deleted]

Isn´t my full config included above? I´m pasting here the config used for another domain which works with nginx.

File is called /etc/nginx/conf.d/vhosts/odobros.com.ssl.conf (note that its another domain currently using nginx)

server {
	listen 136.244.101.88:443 ssl ;
	server_name odobros.com  www.odobros.com;
	root /home/odobros/public_html;
	index index.php index.html index.htm;
	access_log /usr/local/apache/domlogs/odobros.com.bytes bytes;
	access_log /usr/local/apache/domlogs/odobros.com.log combined;
	error_log /usr/local/apache/domlogs/odobros.com.error.log error;

	ssl_certificate      /etc/pki/tls/certs/odobros.com.bundle;
	ssl_certificate_key  /etc/pki/tls/private/odobros.com.key;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
	ssl_prefer_server_ciphers   on;

	ssl_session_cache   shared:SSL:10m;
	ssl_session_timeout 60m;

	location / {

		add_header Strict-Transport-Security "max-age=31536000";
		add_header X-Content-Type-Options nosniff;

		location ~.*\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {			
			expires max;
		}
		
        location / {
	        # WordPress permalinks in Nginx
	        try_files $uri $uri/ /index.php?$args;
        }		
		
		
		location ~ [^/]\.php(/|$) {
			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
			if (!-f $document_root$fastcgi_script_name) {
				return  404;
			}

			fastcgi_pass    unix:/opt/alt/php-fpm74/usr/var/sockets/odobros.sock;
			fastcgi_index   index.php;
			include         /etc/nginx/fastcgi_params;
		}

	}

	location ~* "/\.(htaccess|htpasswd)$" {deny all;return 404;}

	disable_symlinks if_not_owner from=/home/odobros/public_html;

	location /.well-known/acme-challenge {
		default_type "text/plain";
		alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
	}
}

The nginx config looks like this (/etc/nginx/nginx.conf)

user nobody;
worker_processes auto;
#worker_rlimit_nofile    65535;
error_log               /var/log/nginx/error.log crit;
pid                     /var/run/nginx.pid;

events {
	worker_connections  1024;
	use                 epoll;
	multi_accept        on;

}
http {
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	client_header_timeout 3m;
	client_body_timeout 3m;
	client_max_body_size 256m;
	client_header_buffer_size 4k;
	client_body_buffer_size 256k;
	large_client_header_buffers 4 32k;
	send_timeout 3m;
	keepalive_timeout 60 60;
	reset_timedout_connection       on;
	server_names_hash_max_size 1024;
	server_names_hash_bucket_size 1024;
	ignore_invalid_headers on;
	connection_pool_size 256;
	request_pool_size 4k;
	output_buffers 4 32k;
	postpone_output 1460;

	include mime.types;
	default_type application/octet-stream;

	# Compression gzip
	gzip on;
	gzip_vary on;
	gzip_disable "MSIE [1-6]\.";
	gzip_proxied any;
	gzip_min_length 512;
	gzip_comp_level 6;
	gzip_buffers 8 64k;
	gzip_types text/plain text/xml text/css text/js application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg image/svg+xml application/xml+rss text/javascript application/atom+xml application/javascript application/json application/x-font-ttf font/opentype;

	# Proxy settings
	proxy_redirect      off;
	proxy_set_header    Host            $host;
	proxy_set_header    X-Real-IP       $remote_addr;
	proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_pass_header   Set-Cookie;
	proxy_connect_timeout   300;
	proxy_send_timeout  300;
	proxy_read_timeout  300;
	proxy_buffers       32 4k;
	proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=512m;
	proxy_cache_key "$host$request_uri $cookie_user";
	proxy_temp_path  /var/cache/nginx/temp;
	proxy_ignore_headers Expires Cache-Control;
	proxy_cache_use_stale error timeout invalid_header http_502;
	proxy_cache_valid any 1d;

	open_file_cache_valid 120s;
	open_file_cache_min_uses 2;
	open_file_cache_errors off;
	open_file_cache max=5000 inactive=30s;
	open_log_file_cache max=1024 inactive=30s min_uses=2;

	# SSL Settings
	ssl_session_cache   shared:SSL:10m;
	ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";

	# Logs
	log_format  main    '$remote_addr - $remote_user [$time_local] $request '
		                '"$status" $body_bytes_sent "$http_referer" '
		                '"$http_user_agent" "$http_x_forwarded_for"';
	log_format  bytes   '$body_bytes_sent';
	#access_log          /var/log/nginx/access.log main;
	access_log off;

	# Cache bypass
	map $http_cookie $no_cache {
		default 0;
		~SESS 1;
		~wordpress_logged_in 1;
	}

	# Include additional configuration
	include /etc/nginx/cloudflare.inc;
	include /etc/nginx/conf.d/*.conf;
        
}