Bluto Posted November 11, 2015

CENTMIN MOD is incredible. Read about it: http://centminmod.com/

@Makoto created a great guide for installing a LEMP stack for use with IPS v3: https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/

LEMP = Linux, Nginx, MySQL, and PHP. LEMP stack intro: https://lemp.io/

This thread isn't about installing the LEMP stack. If you use CENTMIN MOD you can install an entire LEMP stack on your server with 1 line of code. You can check that out here: http://centminmod.com/download.html#method3

The CENTMIN MOD LEMP stack isn't cPanel. It's not going to have fancy buttons for you to press when you want to do something. I personally want the smallest footprint on my server. I want to reduce my attack surface and run the server as fast as possible... so I'm switching to CENTMIN MOD. If it's not minimal, it's too much.

After you install CENTMIN MOD, besides tweaks to the various configuration files (my test site works fine without any conf file tweaks), the vhost file needs to be created / customized for the software running - in this case IPB. In most cases, creating a solid vhost is easy. A lot of vhost examples exist for most of the major pieces of software out there. Being that IPB v4 is so new, I haven't found a solid vhost file that I can use with my server, or a thread anywhere online saying "this is exactly the basic vhost file you use with IPB v4".

Below is the vhost file I created for IPB v4 which I'm using on my testing server. I'm hoping to get something final so that people can use this vhost file when using IPB with CENTMIN MOD or a standard LEMP stack. Here is the thread I created on the CENTMIN MOD forum about this subject: https://community.centminmod.com/threads/ipb-v4-1-x-files.4922/

Let's just say, IPB is BLAZING fast on a LEMP stack. NGINX experts, please let me know what changes / modifications I need to make to the vhost file.
The file below is working perfectly on my testing forum. I've yet to run into an issue. The vhost file below is for a fully https setup. 10.0.0.121 is my testing server IP address, which would be replaced by the website address. Spanky is the admin directory for this example.

# IPB4 Working NGINX site conf file
# redirect from non-www to www
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301

# Redirect to HTTPS from port 80
# (the scheme must be https here; redirecting to $scheme from the port 80 server would loop back to itself)
server {
    listen 80;
    server_name 10.0.0.121;
    return 301 https://10.0.0.121$request_uri;

    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via80.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via80.log;
}

server {
    listen 443 ssl spdy;
    server_name 10.0.0.121;

    #ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;

    # Limit Connections Per IP Address
    #limit_conn limit_per_ip 16;

    # ssi on;

    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error.log;

    root /home/nginx/domains/10.0.0.121/public;

    # Prevent access to ./directories and files
    location ~ (?:^|/)\. {
        deny all;
    }

    location / {
        # block common exploits, sql injections etc
        include /usr/local/nginx/conf/block.conf;
        # Enables directory listings when index file not found
        # autoindex on;
        # Shows file listing times as local time
        autoindex_localtime on;
        try_files $uri $uri/ /index.php;
    }

    location ~ ^(/page/).*(\.php)$ {
        try_files $uri $uri/ /index.php;
    }

    # Mask fake admin directory
    location ~ ^/admin/(.*)$ {
        deny all;
    }

    # Secure real admin directory
    location ~ ^(/spanky/).*(\.php) {
        allow 127.0.0.1;
        allow 10.0.0.245;
        deny all;
        #auth_basic "Restricted Area";
        #auth_basic_user_file $document_root/mynewadmin/.htpasswd;
        include /usr/local/nginx/conf/php.conf;
    }

    # IP.Board PHP/CGI Protection
    location ~ ^(/uploads/).*(\.php)$ { deny all; }
    location ~ ^(/system/).*(\.php)$ { deny all; }
    location ~ ^(/datastore/).*(\.php)$ { deny all; }
    location ~ ^(/plugins/).*(\.php)$ { deny all; }
    location ~ ^(/applications/blog/).*(\.php)$ { deny all; }
    location ~ ^(/applications/calendar/).*(\.php)$ { deny all; }
    location ~ ^(/applications/chat/).*(\.php)$ { deny all; }
    location ~ ^(/applications/cms/).*(\.php)$ { deny all; }

    # Allow access to JS file (must come before the /applications/core/ deny rule: regex locations are matched in order)
    location ~ ^/(applications/core/interface/js/js.php) {
        include /usr/local/nginx/conf/php.conf;
        allow all;
    }

    location ~ ^(/applications/core/).*(\.php)$ { deny all; }
    location ~ ^(/applications/downloads/).*(\.php)$ { deny all; }
    location ~ ^(/applications/forums/).*(\.php)$ { deny all; }
    location ~ ^(/applications/gallery/).*(\.php)$ { deny all; }
    location ~ ^(/applications/nexus/).*(\.php)$ { deny all; }

    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_server.conf;
}
p4guru Posted November 11, 2015

FYI, your https vhost is missing a few things.

First, Centmin Mod has switched from SPDY to HTTP/2 based SSL: http://centminmod.com/http2-nginx.html - see the HTTP/2 notes at http://centminmod.com/nginx_configure_https_ssl_spdy.html.

By default Centmin Mod now sets up 2 vhosts, one for http and one for HTTP/2 ssl, if you answer yes to setting up self-signed SSL vhost support, see http://centminmod.com/nginx_domain_dns_setup.html#vhost

For HTTP/2 ssl only, see http://centminmod.com/nginx_domain_dns_setup.html#httpsredirect

If you skipped self-signed SSL vhost setup at vhost creation time, you can generate the basic HTTP/2 https vhost config via the online vhost generator at http://centminmod.com/vhost.php - selecting the basic vhost format option and self-signed ssl = yes.

Switching from the default self-signed SSL to a paid trusted SSL certificate: http://centminmod.com/nginx_domain_dns_setup.html#switchssl

HTH
Bluto (Author) Posted November 11, 2015

7 hours ago, p4guru said:
    FYI, your https vhost is missing a few things. First, Centmin Mod has switched from SPDY to HTTP/2 based SSL: http://centminmod.com/http2-nginx.html - see the HTTP/2 notes at http://centminmod.com/nginx_configure_https_ssl_spdy.html. By default Centmin Mod now sets up 2 vhosts, one for http and one for HTTP/2 ssl, if you answer yes to setting up self-signed SSL vhost support, see http://centminmod.com/nginx_domain_dns_setup.html#vhost For HTTP/2 ssl only, see http://centminmod.com/nginx_domain_dns_setup.html#httpsredirect If you skipped self-signed SSL vhost setup at vhost creation time, you can generate the basic HTTP/2 https vhost config via the online vhost generator at http://centminmod.com/vhost.php - selecting the basic vhost format option and self-signed ssl = yes. Switching from the default self-signed SSL to a paid trusted SSL certificate: http://centminmod.com/nginx_domain_dns_setup.html#switchssl HTH

Thanks! I'll make the updates and post the new vhost file for review.
Bluto (Author) Posted November 17, 2015

Updated vhost file for Centmin Mod. I just tested this on an upgraded site, 3.4.8 to 4.1.3.2. Everything appears to be working. If anyone has any modifications they feel I should make, please let me know. The version below is an ALL SSL version. If someone needs a non-SSL version, let me know and I can modify the one below.

# IPB4 Working NGINX site conf file
# This file is for a FORCED SSL site. Non-SSL requests will be directed to SSL.
# Information gathered from
# Centminmod.com / Information pulled from multiple guides. Thx eva2000!
# Makoto on IPB Forum via https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/ version 3.4.8 guide.

# Redirect to HTTPS from port 80
# (every plain-HTTP request is sent to the same host name over HTTPS)
server {
    listen 80;
    server_name 10.0.0.121;
    return 301 https://10.0.0.121$request_uri;

    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via80.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via80.log;
}

server {
    listen 443 ssl http2;
    server_name 10.0.0.121;
    root /home/nginx/domains/10.0.0.121/public;

    ssl_dhparam /usr/local/nginx/conf/ssl/10.0.0.121/dhparam.pem;
    ssl_certificate /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.key;
    include /usr/local/nginx/conf/ssl_include.conf;

    # Mozilla Recommended
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options DENY;

    ssl_buffer_size 1400;
    ssl_session_tickets on;

    # ngx_pagespeed & ngx_pagespeed handler
    # include /usr/local/nginx/conf/pagespeed.conf;
    # include /usr/local/nginx/conf/pagespeedhandler.conf;
    # include /usr/local/nginx/conf/pagespeedstatslog.conf;

    # Limit Connections Per IP Address
    # limit_conn limit_per_ip 16;

    # ssi on;

    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via443.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via443.log;

    # Prevent access to ./directories and files
    location ~ (?:^|/)\. {
        deny all;
    }

    location / {
        # block common exploits, sql injections etc
        include /usr/local/nginx/conf/block.conf;
        # Enables directory listings when index file not found
        # autoindex on;
        # Shows file listing times as local time
        autoindex_localtime on;
        try_files $uri $uri/ /index.php;
    }

    location ~ ^(/page/).*(\.php)$ {
        try_files $uri $uri/ /index.php;
    }

    # Mask fake admin directory
    location ~ ^/admin/(.*)$ {
        deny all;
    }

    # Secure real admin directory
    location ~ ^(/spanky/).*(\.php) {
        include /usr/local/nginx/conf/php.conf;
        allow 10.0.0.245;
        deny all;
        #auth_basic "Restricted Area";
        #auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }

    # IP.Board PHP/CGI Protection
    location ~ ^(/uploads/).*(\.php)$ { deny all; }
    location ~ ^(/system/).*(\.php)$ { deny all; }
    location ~ ^(/datastore/).*(\.php)$ { deny all; }
    location ~ ^(/plugins/).*(\.php)$ { deny all; }
    location ~ ^(/applications/blog/).*(\.php)$ { deny all; }
    location ~ ^(/applications/calendar/).*(\.php)$ { deny all; }
    location ~ ^(/applications/chat/).*(\.php)$ { deny all; }
    location ~ ^(/applications/cms/).*(\.php)$ { deny all; }

    # Allow access to JS file (must come before the /applications/core/ deny rule: regex locations are matched in order)
    location ~ ^/(applications/core/interface/js/js.php) {
        include /usr/local/nginx/conf/php.conf;
        allow all;
    }

    location ~ ^(/applications/core/).*(\.php)$ { deny all; }
    location ~ ^(/applications/downloads/).*(\.php)$ { deny all; }
    location ~ ^(/applications/forums/).*(\.php)$ { deny all; }
    location ~ ^(/applications/gallery/).*(\.php)$ { deny all; }
    location ~ ^(/applications/nexus/).*(\.php)$ { deny all; }

    # Static assets: no access logging, one week client cache
    # (the dot before the extension group is escaped so it matches a literal ".")
    location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|xml|htm|txt|swf|cur)$ {
        access_log off;
        expires 1w;
    }

    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_server.conf;
}
p4guru Posted November 17, 2015

You can remove the SPDY related options:

add_header Alternate-Protocol 443:npn-spdy/3;
spdy_headers_comp 5;

and remove:

# GZIP static content not processed by IPB.
gzip on;
gzip_static on;
gzip_http_version 1.1;
gzip_vary on;
gzip_comp_level 3;
gzip_proxied any;
gzip_types text/plain text/css application/json application/x-javascript application/xml application/xml+rss text/javascript application/javascript text/x-js;
gzip_buffers 16 8k;
gzip_disable "MSIE [1-6].(?!.*SV1)";
Bluto (Author) Posted November 17, 2015

3 minutes ago, p4guru said:
    You can remove the SPDY related options:
    add_header Alternate-Protocol 443:npn-spdy/3;
    spdy_headers_comp 5;
    and remove:
    # GZIP static content not processed by IPB.
    gzip on;
    gzip_static on;
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_comp_level 3;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/x-javascript application/xml application/xml+rss text/javascript application/javascript text/x-js;
    gzip_buffers 16 8k;
    gzip_disable "MSIE [1-6].(?!.*SV1)";

Updated. Thanks!
Bluto (Author) Posted November 17, 2015

Update. Removed the last location because it's included in another file.

# IPB4 Working NGINX site conf file
# This file is for a FORCED SSL site. Non-SSL requests will be directed to SSL.
# Information gathered from
# Centminmod.com / Information pulled from multiple guides. Thx eva2000!
# Makoto on IPB Forum via https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/ version 3.4.8 guide.

# Redirect to HTTPS from port 80
# (every plain-HTTP request is sent to the same host name over HTTPS)
server {
    listen 80;
    server_name 10.0.0.121;
    return 301 https://10.0.0.121$request_uri;

    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via80.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via80.log;
}

server {
    listen 443 ssl http2;
    server_name 10.0.0.121;
    root /home/nginx/domains/10.0.0.121/public;

    ssl_dhparam /usr/local/nginx/conf/ssl/10.0.0.121/dhparam.pem;
    ssl_certificate /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.key;
    include /usr/local/nginx/conf/ssl_include.conf;

    # Mozilla Recommended
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options DENY;

    ssl_buffer_size 1400;
    ssl_session_tickets on;

    # ngx_pagespeed & ngx_pagespeed handler
    # include /usr/local/nginx/conf/pagespeed.conf;
    # include /usr/local/nginx/conf/pagespeedhandler.conf;
    # include /usr/local/nginx/conf/pagespeedstatslog.conf;

    # Limit Connections Per IP Address
    # limit_conn limit_per_ip 16;

    # ssi on;

    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via443.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via443.log;

    # Prevent access to ./directories and files
    location ~ (?:^|/)\. {
        deny all;
    }

    location / {
        # block common exploits, sql injections etc
        include /usr/local/nginx/conf/block.conf;
        # Enables directory listings when index file not found
        # autoindex on;
        # Shows file listing times as local time
        autoindex_localtime on;
        try_files $uri $uri/ /index.php;
    }

    location ~ ^(/page/).*(\.php)$ {
        try_files $uri $uri/ /index.php;
    }

    # Mask fake admin directory
    location ~ ^/admin/(.*)$ {
        deny all;
    }

    # Secure real admin directory
    location ~ ^(/spanky/).*(\.php) {
        include /usr/local/nginx/conf/php.conf;
        allow 10.0.0.245;
        deny all;
        #auth_basic "Restricted Area";
        #auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }

    # IP.Board PHP/CGI Protection
    location ~ ^(/uploads/).*(\.php)$ { deny all; }
    location ~ ^(/system/).*(\.php)$ { deny all; }
    location ~ ^(/datastore/).*(\.php)$ { deny all; }
    location ~ ^(/plugins/).*(\.php)$ { deny all; }
    location ~ ^(/applications/blog/).*(\.php)$ { deny all; }
    location ~ ^(/applications/calendar/).*(\.php)$ { deny all; }
    location ~ ^(/applications/chat/).*(\.php)$ { deny all; }
    location ~ ^(/applications/cms/).*(\.php)$ { deny all; }

    # Allow access to JS file (must come before the /applications/core/ deny rule: regex locations are matched in order)
    location ~ ^/(applications/core/interface/js/js.php) {
        include /usr/local/nginx/conf/php.conf;
        allow all;
    }

    location ~ ^(/applications/core/).*(\.php)$ { deny all; }
    location ~ ^(/applications/downloads/).*(\.php)$ { deny all; }
    location ~ ^(/applications/forums/).*(\.php)$ { deny all; }
    location ~ ^(/applications/gallery/).*(\.php)$ { deny all; }
    location ~ ^(/applications/nexus/).*(\.php)$ { deny all; }

    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_server.conf;
}
Bluto (Author) Posted November 17, 2015

Note: using

# Limit Connections Per IP Address
# limit_conn limit_per_ip 16;

will cause issues with the ACP. So, if you're going to use that, you need to exclude the ACP folder from it.
Bluto (Author) Posted November 19, 2015

One issue I found with embedding Twitter content was

add_header X-Frame-Options DENY;

If this is active, Twitter / Instagram iframes won't show up. You'll get a warning in the box that says "This content can't be shown in a frame" - Windows 10 Edge. There will be NO warning about this in any other browser - you'll just see a white / blank box. This probably has to be the first time a Windows browser product has actually helped me solve a problem instead of causing them.
icedream Posted November 22, 2015

On November 17, 2015 10:25:03, p4guru said:
    You can remove the SPDY related options:
    add_header Alternate-Protocol 443:npn-spdy/3;
    spdy_headers_comp 5;
    and remove:
    # GZIP static content not processed by IPB.
    gzip on;
    gzip_static on;
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_comp_level 3;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/x-javascript application/xml application/xml+rss text/javascript application/javascript text/x-js;
    gzip_buffers 16 8k;
    gzip_disable "MSIE [1-6].(?!.*SV1)";

Hi, why remove gzip? HTTP 2.0 supports gzip?
Bluto (Author) Posted November 22, 2015

Via the Centmin Mod developer eva2000:

Quote: yes, remove it as it's already enabled server wide in /usr/local/nginx/conf/nginx.conf in the http {} context
maddog107_merged Posted November 23, 2015

Thanks @Bluto. Can you provide the contents of the conf files you are referencing? I am having some issues with that /admin or /spanky to install a fresh copy. Thanks.

include /usr/local/nginx/conf/staticfiles.conf;
include /usr/local/nginx/conf/php.conf;
include /usr/local/nginx/conf/drop.conf;
#include /usr/local/nginx/conf/errorpage.conf;
include /usr/local/nginx/conf/vts_server.conf;
Bluto (Author) Posted November 23, 2015

Those are standard conf files that are part of CENTMIN MOD. Just open them up and look for yourself. I'm not going to paste all the contents of those files here.

What issues are you having? Did you install Centmin Mod? If you are having problems installing... just comment out those sections and do your install. Change the "spanky" to whatever you name your admin directory AFTER you install IPS4. Also remember that you're going to need to change the directory name in the admin; just don't rename the admin directory. Doing it in the admin will give you a constants.php file which you need to add to your root directory so that IPB knows that the admin directory name changed.
maddog107_merged Posted November 23, 2015

^ Thanks, I figured out my problem with the admin dir. But now I have a new issue (sorry, I'm an Apache guy so nginx config is a bit new). So if I install the new forum on the root and enable FURL it complains in the admin page but it works fine, the index.php? disappears and it looks good. If I install it on www.example.com/main/ it works fine but once I enable FURL it breaks and I get "File not found." errors when I click any topic.

2015/11/22 23:32:23 [error] 7150#7150: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 66.27.74.206, server: www.example.com, request: "GET /main/topic/1-welcome/ HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", host: "www.example.com", referrer: "https://www.example.com/main/"

Any ideas? Thanks
Bluto (Author) Posted November 23, 2015

You never answered my question of whether you installed CENTMIN MOD or not. If you're applying that vhost file to a straight Nginx install then things are going to be different. It's hard to know how to answer your question without the necessary information.

If you installed IPB in public/main/ versus public/ then you're going to have to adjust the vhost file above by adding /main. Everything in the vhost example above is set up to be in the public folder, not in a folder inside the public folder.
maddog107_merged Posted November 23, 2015

Yes I have been testing CENTMIN MOD. So I tried this in your config, replacing

location ~ ^(/page/).*(\.php)$ {

with

location ~ ^(/main/page/).*(\.php)$ {

as well as changing the following

location / {

to

location /main/ {

But that did not resolve the FURL issues unfortunately.
Bluto (Author) Posted November 23, 2015

I believe you don't have to modify all the locations. Just update the root.

root /home/nginx/domains/10.0.0.121/public;

Is there a specific reason why you're putting the forum in public/main/ and not in the public/ folder? Also, every time you modify the vhost conf file you need to restart nginx for the changes to take effect.
maddog107_merged Posted November 23, 2015

Just legacy from IPB1/2. It's always been under /main (as we were supposed to make a landing page on root but it has never happened). So the root is fine, it sees the files on the OS. The issue is with the http://www.bellazon.com/main/index.php/.... that's why I thought I had to change the locations.

I had to switch back to Apache as apparently nginx and IPB don't play nice for the "upgrade" from 3.x -> 4.x. Even an incredibly bare bones config like the following still doesn't work for the upgrade.

server {
    listen 80;
    server_name bellazon.com;

    #charset koi8-r;
    #access_log /var/log/nginx/log/host.access.log main;

    root /usr/share/nginx/html/bellazon.com;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root html;
    #    fastcgi_pass 127.0.0.1:9000;
    #    fastcgi_index index.php;
    #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    #    include fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}

Once I finish the upgrade I'll fire up nginx again and mess around with it one more time. Thanks
Bluto (Author) Posted November 24, 2015

I upgraded from 3.4.8 to 4.1.3.2 without a problem on a CENTMIN MOD system. Though, I didn't have the directory set up like you did with the main/. Anyway, if you want to try to get it working again, post here and we can try to figure it out! Up to this point, on my test system, with all the apps, I haven't had any issues.
Bluto (Author) Posted November 27, 2015

Updated vhost sample file. Added Image Proxy location. Updated Javascript location.

# IPB4 Working NGINX site conf file
# This file is for a FORCED SSL site. Non-SSL requests will be directed to SSL.
# Information gathered from
# Centminmod.com / Information pulled from multiple guides. Thx eva2000!
# Makoto on IPB Forum via https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/ version 3.4.8 guide.

# Redirect to HTTPS from port 80
# (every plain-HTTP request is sent to the same host name over HTTPS)
server {
    listen 80;
    server_name 10.0.0.121;
    return 301 https://10.0.0.121$request_uri;

    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via80.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via80.log;
}

server {
    listen 443 ssl http2;
    server_name 10.0.0.121;
    root /home/nginx/domains/10.0.0.121/public;

    ssl_dhparam /usr/local/nginx/conf/ssl/10.0.0.121/dhparam.pem;
    ssl_certificate /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.key;
    include /usr/local/nginx/conf/ssl_include.conf;

    # Mozilla Recommended
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header X-Content-Type-Options "nosniff";
    # X-Frame-Options DENY breaks embedded Twitter / Instagram iframes (see the November 19 post)
    #add_header X-Frame-Options DENY;

    ssl_buffer_size 1400;
    ssl_session_tickets on;

    # ngx_pagespeed & ngx_pagespeed handler
    # include /usr/local/nginx/conf/pagespeed.conf;
    # include /usr/local/nginx/conf/pagespeedhandler.conf;
    # include /usr/local/nginx/conf/pagespeedstatslog.conf;

    # Limit Connections Per IP Address
    # limit_conn limit_per_ip 16;

    # ssi on;

    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via443.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via443.log;

    # Prevent access to ./directories and files
    location ~ (?:^|/)\. {
        deny all;
    }

    location / {
        # block common exploits, sql injections etc
        include /usr/local/nginx/conf/block.conf;
        # Enables directory listings when index file not found
        # autoindex on;
        # Shows file listing times as local time
        autoindex_localtime on;
        try_files $uri $uri/ /index.php;
    }

    location ~ ^(/page/).*(\.php)$ {
        try_files $uri $uri/ /index.php;
    }

    # Mask fake admin directory
    location ~ ^/admin/(.*)$ {
        deny all;
    }

    # Secure real admin directory
    location ~ ^(/spanky/).*(\.php) {
        include /usr/local/nginx/conf/php.conf;
        allow 10.0.0.245;
        deny all;
        #auth_basic "Restricted Area";
        #auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }

    # IP.Board PHP/CGI Protection
    location ~ ^(/uploads/).*(\.php)$ { deny all; }
    location ~ ^(/system/).*(\.php)$ { deny all; }
    location ~ ^(/datastore/).*(\.php)$ { deny all; }
    location ~ ^(/plugins/).*(\.php)$ { deny all; }
    location ~ ^(/applications/blog/).*(\.php)$ { deny all; }
    location ~ ^(/applications/calendar/).*(\.php)$ { deny all; }
    location ~ ^(/applications/chat/).*(\.php)$ { deny all; }
    location ~ ^(/applications/cms/).*(\.php)$ { deny all; }

    # Allow access to imageproxy
    # (^~ is a prefix match that wins over every regex location, so the /applications/core/ deny rule below cannot override it)
    location ^~ /applications/core/interface/imageproxy/imageproxy.php {
        include /usr/local/nginx/conf/php.conf;
        allow all;
    }

    # Allow access to JS file
    location ^~ /applications/core/interface/js/js.php {
        include /usr/local/nginx/conf/php.conf;
        allow all;
    }

    location ~ ^(/applications/core/).*(\.php)$ { deny all; }
    location ~ ^(/applications/downloads/).*(\.php)$ { deny all; }
    location ~ ^(/applications/forums/).*(\.php)$ { deny all; }
    location ~ ^(/applications/gallery/).*(\.php)$ { deny all; }
    location ~ ^(/applications/nexus/).*(\.php)$ { deny all; }

    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_server.conf;
}
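The deny/allow rules in this vhost only work as intended because of how nginx picks a location: an exact `=` match first, then the longest prefix match (which wins outright when it carries `^~`), then the regex locations in the order they appear in the file, and only then the longest plain prefix. The following script is an added example, not code from this thread, Centmin Mod or IPS: it models that selection order plus the first-match allow/deny semantics of ngx_http_access_module, loads the location list of the November 27 vhost, and checks what a handful of constructed requests would get. The contents of the Centmin Mod includes (staticfiles.conf, php.conf) are not shown on this page, so the last two entries are assumptions: a case-insensitive static-extension regex and a plain `\.php$` PHP handler. The client addresses 203.0.113.5 (a visitor) and 10.0.0.245 (the admin address from the vhost) are sample values, and requested paths are assumed not to exist on disk, so `try_files` falls back to /index.php as it does for friendly URLs.

```python
"""Offline model of nginx location selection and allow/deny evaluation for the
IPB4 vhost in this thread (added example; not Centmin Mod, IPS or nginx code)."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Location:
    modifier: str            # "" (prefix), "=", "^~", "~" or "~*", as in nginx
    pattern: str             # prefix string or PCRE pattern
    action: str              # what the block does: "deny", "php", "try_files", "static"
    access: list = field(default_factory=list)   # ordered (rule, target) allow/deny pairs


def deny_php_under(*prefixes):
    """One 'deny all' regex location per directory, as the vhost does."""
    return [Location("~", rf"^({p}).*(\.php)$", "deny") for p in prefixes]


# Locations in the order they appear in the November 27 vhost.
VHOST = [
    Location("~", r"(?:^|/)\.", "deny"),                      # dot-files and dot-dirs
    Location("", "/", "try_files"),                           # try_files $uri $uri/ /index.php
    Location("~", r"^(/page/).*(\.php)$", "try_files"),
    Location("~", r"^/admin/(.*)$", "deny"),                  # fake admin directory
    Location("~", r"^(/spanky/).*(\.php)", "php",             # real admin directory
             access=[("allow", "10.0.0.245"), ("deny", "all")]),
    *deny_php_under("/uploads/", "/system/", "/datastore/", "/plugins/",
                    "/applications/blog/", "/applications/calendar/",
                    "/applications/chat/", "/applications/cms/"),
    Location("^~", "/applications/core/interface/imageproxy/imageproxy.php", "php"),
    Location("^~", "/applications/core/interface/js/js.php", "php"),
    *deny_php_under("/applications/core/", "/applications/downloads/",
                    "/applications/forums/", "/applications/gallery/",
                    "/applications/nexus/"),
    # ASSUMED contents of the Centmin Mod includes, which the thread does not show:
    Location("~*", r"\.(jpg|jpeg|gif|css|png|js|ico|xml|htm|txt|swf|cur)$", "static"),  # staticfiles.conf
    Location("~", r"\.php$", "php"),                                                   # php.conf
]


def select_location(uri, locations):
    """nginx's selection order: exact match, then longest prefix (a ^~ prefix
    wins outright), then regex locations in file order, else the longest prefix."""
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc
    best = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best
    for loc in locations:
        if loc.modifier == "~" and re.search(loc.pattern, uri):
            return loc
        if loc.modifier == "~*" and re.search(loc.pattern, uri, re.IGNORECASE):
            return loc
    return best


def access_permits(access, client_ip):
    """ngx_http_access_module semantics: the first allow/deny rule that matches
    the client address decides; with no matching rule the request is permitted."""
    ip = ipaddress.ip_address(client_ip)
    for rule, target in access:
        if target == "all" or ip in ipaddress.ip_network(target, strict=False):
            return rule == "allow"
    return True


def decide(uri, client_ip, locations=VHOST):
    """Return '403', 'static' or 'php:<script>' for a normalized request URI.
    The requested path is assumed not to exist on disk, so try_files falls back
    to /index.php (the friendly-URL case) and nginx re-runs location matching."""
    loc = select_location(uri, locations)
    if loc is None:
        return "404"
    if loc.action == "deny" or not access_permits(loc.access, client_ip):
        return "403"
    if loc.action == "try_files":
        if uri == "/index.php":
            return "php:/index.php"
        return decide("/index.php", client_ip, locations)
    if loc.action == "php":
        return f"php:{uri}"
    return "static"


if __name__ == "__main__":
    # Constructed sample requests; 203.0.113.5 is a documentation-range visitor address.
    for path, ip in [("/uploads/shell.php", "203.0.113.5"),
                     ("/applications/core/interface/js/js.php", "203.0.113.5"),
                     ("/applications/core/interface/js/other.php", "203.0.113.5"),
                     ("/spanky/index.php", "203.0.113.5"),
                     ("/spanky/index.php", "10.0.0.245"),
                     ("/topic/1-welcome/", "203.0.113.5")]:
        print(f"{ip:>12}  {path:<45} -> {decide(path, ip)}")
```

The js.php and imageproxy.php entries reach PHP even though a later regex denies everything under /applications/core/, because a `^~` prefix match short-circuits the regex pass; the earlier revision of this vhost, which used a regex for js.php instead, only worked because that regex was listed before the core deny regex. Running the check against the earlier revision's list is just a matter of editing VHOST.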
Gary_J_Wright Posted November 29, 2015

Now about to try this from scratch. Already converted my LAMP to LEMP via the unixmen guide - but so much original cr#p left over, and badly + blindly hacked it to run - it does all except rewrite URLs (due to needing to remove/convert .htaccess to nginx format rewrite) == thought I'd use my test board URL to start a new test board; once running will migrate to live board. Currently php 5.6.11 / nginx 1.9.5 / mysql 5.6.27 on Ubuntu 15.10.

Loaded Centmin Mod to a DO droplet (CentOS 7.1). So far upgraded NGINX to 1.9.7, installed custom curl 7.43? (well, higher than needed 7.36!) and rebuilt / upgraded PHP to 5.6.16. Now about to tackle the vhost file.....

Question?: on hostname, you use hostname.yourdomain.com. I'd prefer to use vps.mydomain.co.uk (I can't see a problem with this), can you?
Bluto (Author) Posted November 29, 2015

The vhost file doesn't have the hostname, it has the domain name. You can use anything you want for your hostname.
Bluto (Author) Posted November 29, 2015

For my local Centmin LEMP I use either localhost or a local IP address... just to make things easier for me.
Bluto (Author) Posted December 3, 2015

Sorry, wanted to correct my previous post. The hostname is included in the vhost file. The hostname is whatever you entered when you set up your server.

Find your hostname:

CentOS 7:
nano -w /etc/hostname

CentOS 6:
nano -w /etc/sysconfig/network
Gary_J_Wright Posted December 5, 2015

Currently running a copy of the live board (as a test board) on centminmod 123.09beta on php 7.0.0, nginx 1.9.7 and mariadb 10.1 - sort of following your other thread on centmin -- what's your latest vhost sample file, is it the 27th November version?
Archived: This topic is now archived and is closed to further replies.