IPS4 on CENTMIN MOD / vhost Creation

Bluto · November 11, 2015

CENTMIN MOD is incredible. Read about it: http://centminmod.com/

@Makoto created a great guide for installing LEMP Stack for use with IPS v3: https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/

LEMP = Linux, Nginx, MySQL, and PHP. LEMP Stack intro: https://lemp.io/

This thread isn't about installing the LEMP stack. If you use the CENTMIN MOD you can install an entire LEMP stack on your server with 1 line of code. You can check that out here: http://centminmod.com/download.html#method3

The CENTMIN MOD LEMP Stack isn't cPanel. It's not going to have fancy buttons for you to press when you want to do something. I personally want the smallest footprint on my server. I want to reduce my attack surface and run the server as fast a possible... so I'm switching to CENTMIN MOD. If it's not minimal, it's too much.

After you install CENTMIN MOD, besides tweaks to the various configuration files (my test site works fine without any conf file tweaks), the vhost file needs to be created / customized for the software running - in this case IPB. In most cases, creating a solid vhost is easy. A lot of vhost examples exist for most of the major pieces of software out there. Being that IPB v4 is so new, I haven't found a solid vhost file that I can use with my server. A thread anywhere online saying "this is exactly the basic vhost file you use with IPB v4".

Below is the vhost file I created for IPB v4 which I'm using on my testing server. I'm hoping to get something final so that people can use this vhost file when using IPB with CENTMIN MOD or a standard LEMP Stack.

Here is the thread I created on the CENTMIN MOD forum about this subject: https://community.centminmod.com/threads/ipb-v4-1-x-files.4922/

Let's just say, IPB is BLAZING fast on a LEMP Stack.

NGINX experts please let me know what changes / modifications I need to make to the vhost file. The file below is working perfect on my testing forum. I've yet to run into an issue.

The vhost file below is for a fully https setup. 10.0.0.121 is my testing server IP address, which would be replace by the website address. Spanky is the admin directory for this example.

# IPB4 Working NGINX site conf file

# redirect from non-www to www 
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301

# Redirect to HTTPS from port 80
server {
    listen  80;
    server_name 10.0.0.121;
    return 301 $scheme://10.0.0.121$request_uri;
    
    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via80.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via80.log;
}

server {
    listen       443 ssl spdy;
    server_name  10.0.0.121;

    #ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;

    # Limit Connections Per IP Address
    #limit_conn limit_per_ip 16;
    
    # ssi  on;

    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error.log;

    root /home/nginx/domains/10.0.0.121/public;

    # Prevent access to ./directories and files
    location ~ (?:^|/)\. {
        deny all;
    }

    location / {

        # block common exploits, sql injections etc
        include /usr/local/nginx/conf/block.conf;

        # Enables directory listings when index file not found
        # autoindex  on;

        # Shows file listing times as local time
        autoindex_localtime on;

        try_files    $uri $uri/ /index.php;

    }
    
    location ~^(/page/).*(\.php)$ {
        try_files  $uri $uri/ /index.php;
    }
    
    # Mask fake admin directory
    location ~^/admin/(.*)$ {
        deny all;
    }
    
    # Secure real admin directory
    location ~^(/spanky/).*(\.php) {
        allow           127.0.0.1;
        allow           10.0.0.245;
        deny            all;
        #auth_basic     "Restricted Area";
        #auth_basic_user_file $document_root/mynewadmin/.htpasswd;
        include /usr/local/nginx/conf/php.conf;
    }
    
    # IP.Board PHP/CGI Protection
    
    location ~^(/uploads/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/system/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/datastore/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/plugins/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/blog/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/calendar/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/chat/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/cms/).*(\.php)$ {
        deny     all;
    }  
    
    # Allow access to JS file
    location ~^/(applications/core/interface/js/js.php) {
        include /usr/local/nginx/conf/php.conf;
        allow     all;
    }

    location ~^(/applications/core/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/downloads/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/forums/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/gallery/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/nexus/).*(\.php)$ {
        deny     all;
    }   

    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_server.conf;
}

p4guru · November 11, 2015

FYI, your https vhost is missing a few things

First, is Centmin Mod has switched from SPDY to HTTP/2 based SSL http://centminmod.com/http2-nginx.html see notes at HTTP2 notes at http://centminmod.com/nginx_configure_https_ssl_spdy.html. By default Centmin Mod now sets up 2 vhosts one for htttp and one for HTTP/2 ssl if you answer yes to setting up self-signed SSL vhost support see http://centminmod.com/nginx_domain_dns_setup.html#vhost
For HTTP/2 ssl only see http://centminmod.com/nginx_domain_dns_setup.html#httpsredirect
If you skipped self-signed SSL vhost setup at vhost creation time, you can generate the basic HTTP/2 https vhost config via online vhost generator at http://centminmod.com/vhost.php - selecting the basic vhost format option and self-signed ssl = yes
Switching from the default self-signed SSL to paid trusted SSL certificate http://centminmod.com/nginx_domain_dns_setup.html#switchssl

HTH

Bluto · November 11, 2015

7 hours ago, p4guru said:

FYI, your https vhost is missing a few things

First, is Centmin Mod has switched from SPDY to HTTP/2 based SSL http://centminmod.com/http2-nginx.html see notes at HTTP2 notes at http://centminmod.com/nginx_configure_https_ssl_spdy.html. By default Centmin Mod now sets up 2 vhosts one for htttp and one for HTTP/2 ssl if you answer yes to setting up self-signed SSL vhost support see http://centminmod.com/nginx_domain_dns_setup.html#vhost

For HTTP/2 ssl only see http://centminmod.com/nginx_domain_dns_setup.html#httpsredirect

If you skipped self-signed SSL vhost setup at vhost creation time, you can generate the basic HTTP/2 https vhost config via online vhost generator at http://centminmod.com/vhost.php - selecting the basic vhost format option and self-signed ssl = yes

Switching from the default self-signed SSL to paid trusted SSL certificate http://centminmod.com/nginx_domain_dns_setup.html#switchssl

HTH

Thanks! I'll make the updates and post the new vhost file for review.

Bluto · November 17, 2015

Updated vhost file for Centmin Mod. I just tested this on an upgraded site 3.4.8 to 4.1.3.2. Everything appears to be working. If anyone has any modifications they feel I should make, please let me know.

The version below is an ALL SSL version. If someone needs a non-SSL version, let me know and I can modify the one below.

# IPB4 Working NGINX site conf file
# This file is for a FORCED SSL site.  Non-SSL requests will be directed to SSL.

# Information gathered from
# Centminmod.com / Information pulled from multiple guides.  Thx eva2000!
# Makoto on IPB Forum via https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/ version 3.4.8 guide.

# Redirect to HTTPS from port 80
# Redirect from www to non-www with forced SSL
server {
    listen  80;
    server_name 10.0.0.121;
    return 301 https://10.0.0.121$request_uri;
    
    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via80.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via80.log;
}

server {
    listen 443 ssl http2;
    server_name  10.0.0.121;
    root /home/nginx/domains/10.0.0.121/public;
    
    ssl_dhparam /usr/local/nginx/conf/ssl/10.0.0.121/dhparam.pem;
    ssl_certificate      /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.crt;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.key;
    include /usr/local/nginx/conf/ssl_include.conf;
    
    # Mozilla Recommended
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
    ssl_prefer_server_ciphers   on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header  X-Content-Type-Options "nosniff";
    add_header X-Frame-Options DENY;
    ssl_buffer_size 1400;
    ssl_session_tickets on;

    # ngx_pagespeed & ngx_pagespeed handler
    # include /usr/local/nginx/conf/pagespeed.conf;
    # include /usr/local/nginx/conf/pagespeedhandler.conf;
    # include /usr/local/nginx/conf/pagespeedstatslog.conf;

    # Limit Connections Per IP Address
    # limit_conn limit_per_ip 16;
    
    # ssi  on;

    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via443.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via443.log;

    # Prevent access to ./directories and files
    location ~ (?:^|/)\. {
        deny all;
    }

    location / {

        # block common exploits, sql injections etc
        include /usr/local/nginx/conf/block.conf;

        # Enables directory listings when index file not found
        # autoindex  on;

        # Shows file listing times as local time
        autoindex_localtime on;

        try_files    $uri $uri/ /index.php;

    }
    
    location ~^(/page/).*(\.php)$ {
        try_files  $uri $uri/ /index.php;
    }
    
    # Mask fake admin directory
    location ~^/admin/(.*)$ {
        deny all;
    }
    
    # Secure real admin directory
    location ~^(/spanky/).*(\.php) {
        include /usr/local/nginx/conf/php.conf;
        allow           10.0.0.245;
        deny            all;
        #auth_basic     "Restricted Area";
        #auth_basic_user_file /usr/local/nginx/conf/htpasswd;       
    }
    
    # IP.Board PHP/CGI Protection
    
    location ~^(/uploads/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/system/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/datastore/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/plugins/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/blog/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/calendar/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/chat/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/cms/).*(\.php)$ {
        deny     all;
    }  
    
    # Allow access to JS file
    location ~^/(applications/core/interface/js/js.php) {
        include /usr/local/nginx/conf/php.conf;
        allow     all;
    }

    location ~^(/applications/core/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/downloads/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/forums/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/gallery/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/nexus/).*(\.php)$ {
        deny     all;
    }   
    
    location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|xml|htm|txt|swf|cur)$ {
        access_log off;
        expires    1w;
    }

    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_server.conf;
}

p4guru · November 17, 2015

you can remove spdy related options

add_header Alternate-Protocol  443:npn-spdy/3;
spdy_headers_comp 5;

and remove

    # GZIP static content not processed by IPB.
    gzip  on;
    gzip_static on;
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_comp_level 3;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/x-javascript application/xml application/xml+rss text/javascript application/javascript text/x-js;
    gzip_buffers 16 8k;
    gzip_disable "MSIE [1-6].(?!.*SV1)";

Bluto · November 17, 2015

3 minutes ago, p4guru said:

you can remove spdy related options


add_header Alternate-Protocol  443:npn-spdy/3;
spdy_headers_comp 5;

and remove


    # GZIP static content not processed by IPB.
    gzip  on;
    gzip_static on;
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_comp_level 3;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/x-javascript application/xml application/xml+rss text/javascript application/javascript text/x-js;
    gzip_buffers 16 8k;
    gzip_disable "MSIE [1-6].(?!.*SV1)";

Updated. Thanks!

Bluto · November 17, 2015

Update. Removed the last location because it's included in another file.

# IPB4 Working NGINX site conf file
# This file is for a FORCED SSL site.  Non-SSL requests will be directed to SSL.

# Information gathered from
# Centminmod.com / Information pulled from multiple guides.  Thx eva2000!
# Makoto on IPB Forum via https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/ version 3.4.8 guide.

# Redirect to HTTPS from port 80
# Redirect from www to non-www with forced SSL
server {
    listen  80;
    server_name 10.0.0.121;
    return 301 https://10.0.0.121$request_uri;
    
    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via80.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via80.log;
}

server {
    listen 443 ssl http2;
    server_name  10.0.0.121;
    root /home/nginx/domains/10.0.0.121/public;
    
    ssl_dhparam /usr/local/nginx/conf/ssl/10.0.0.121/dhparam.pem;
    ssl_certificate      /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.crt;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.key;
    include /usr/local/nginx/conf/ssl_include.conf;
    
    # Mozilla Recommended
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
    ssl_prefer_server_ciphers   on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header  X-Content-Type-Options "nosniff";
    add_header X-Frame-Options DENY;
    ssl_buffer_size 1400;
    ssl_session_tickets on;

    # ngx_pagespeed & ngx_pagespeed handler
    # include /usr/local/nginx/conf/pagespeed.conf;
    # include /usr/local/nginx/conf/pagespeedhandler.conf;
    # include /usr/local/nginx/conf/pagespeedstatslog.conf;

    # Limit Connections Per IP Address
    # limit_conn limit_per_ip 16;
    
    # ssi  on;

    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via443.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via443.log;

    # Prevent access to ./directories and files
    location ~ (?:^|/)\. {
        deny all;
    }

    location / {

        # block common exploits, sql injections etc
        include /usr/local/nginx/conf/block.conf;

        # Enables directory listings when index file not found
        # autoindex  on;

        # Shows file listing times as local time
        autoindex_localtime on;

        try_files    $uri $uri/ /index.php;

    }
    
    location ~^(/page/).*(\.php)$ {
        try_files  $uri $uri/ /index.php;
    }
    
    # Mask fake admin directory
    location ~^/admin/(.*)$ {
        deny all;
    }
    
    # Secure real admin directory
    location ~^(/spanky/).*(\.php) {
        include /usr/local/nginx/conf/php.conf;
        allow           10.0.0.245;
        deny            all;
        #auth_basic     "Restricted Area";
        #auth_basic_user_file /usr/local/nginx/conf/htpasswd;       
    }
    
    # IP.Board PHP/CGI Protection
    
    location ~^(/uploads/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/system/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/datastore/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/plugins/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/blog/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/calendar/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/chat/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/cms/).*(\.php)$ {
        deny     all;
    }  
    
    # Allow access to JS file
    location ~^/(applications/core/interface/js/js.php) {
        include /usr/local/nginx/conf/php.conf;
        allow     all;
    }

    location ~^(/applications/core/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/downloads/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/forums/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/gallery/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/nexus/).*(\.php)$ {
        deny     all;
    }   

    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_server.conf;
}

Bluto · November 17, 2015

Note: using

# Limit Connections Per IP Address
    # limit_conn limit_per_ip 16;

will cause issues with the ACP. So, if you're going to use that, you need to exclude that from the ACP folder.

Bluto · November 19, 2015

One issue I found with embedding Twitter content was

add_header X-Frame-Options DENY;

If this is active, Twitter / Instagram Iframes won't show up. You'll get a warning in the box that says

"This content can't be shown in a frame" - Windows 10 Edge.

There will be NO warning about this in any other browser - you'll just see white / blank box.

This probably has to be the first time a Windows browser product has actually helped me solve a problem instead of causing them.

icedream · November 22, 2015

On ‎2015‎年‎11‎月‎17‎日‎ ‎10‎:‎25‎:‎03, p4guru said:

you can remove spdy related options


add_header Alternate-Protocol  443:npn-spdy/3;
spdy_headers_comp 5;

and remove


    # GZIP static content not processed by IPB.
    gzip  on;
    gzip_static on;
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_comp_level 3;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/x-javascript application/xml application/xml+rss text/javascript application/javascript text/x-js;
    gzip_buffers 16 8k;
    gzip_disable "MSIE [1-6].(?!.*SV1)";

Hi, why remove gzip? Http 2.0 supports gzip?

Bluto · November 22, 2015

via the Centmin Mod developer eva2000:

Quote

yes remove it as it's already enabled server wide in /usr/local/nginx/conf/nginx.conf in http {} context

maddog107_merged · November 23, 2015

Thanks @Bluto

Can you provide the contents of the conf files you are referencing? I am having some issues with that /admin or /spanky to install a fresh copy. Thanks

    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_server.conf;

Bluto · November 23, 2015

Those are standard conf file part of CENTMIN MOD. Just open them up and look for yourself. I'm not going to paste all the contents of those files here.

What issues are you having? Did you install Centmin Mod?

If you are having problems installing... just comment out those sections and do your install. Change the "spanky" to whatever you name your admin directory AFTER you install IPS4.

Also remember that you're going to need change the directory name in the admin, just don't rename the admin directory. Doing it in the admin will give you a constants.php file which you need to add to your root directory so that IPB knows that the admin directory name changed.

maddog107_merged · November 23, 2015

^ Thanks, I figured out my problem with the admin dir. But now I have a new issue (sorry im an apache guy so nginx config is a bit new).

So if I install the new forum on the root and enable FURL it complains in the admin page but it works fine, the index.php? disapears and it looks good

If I install it on www.example.com/main/

it works fine but once i enable FURL it breaks and I get "File not found." errors when I click any topic.

2015/11/22 23:32:23 [error] 7150#7150: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 66.27.74.206, server: www.example.com, request: "GET /main/topic/1-welcome/ HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", host: "www.example.com", referrer: "https://www.example.com/main/"

Any ideas? Thanks

Bluto · November 23, 2015

You never answered my question if you installed CENTMIN MOD or not. If you're applying that vhost file to a straight Nginx install then things are going to be different. It's hard to know how to answer your question, without the necessary information.

If you installed IPB in public/main/ versus public/ then you're going to have to adjust the vhost file above by adding /main. Everything in the vhost example above is setup to be in the public folder, not in a folders inside the public folder.

maddog107_merged · November 23, 2015

Yes I have been testing CENTMIN MOD.

So I tried this in your config

Replacing the

 location ~^(/page/).*(\.php)$ {

With

location ~^(/main/page/).*(\.php)$ {

As well as changing the following to

location / {

location /main/ {

But that did not resolve the FURL issues unfortunately.

Bluto · November 23, 2015

I believe you don't have to modify all the locations. Just update the root.

root /home/nginx/domains/10.0.0.121/public;

Is there a specific reason why you're putting the forum in public/main/ and not in the public/ folder?

Also, every time you modify the vhost conf file you need to restart nginx for the changes to take effect.

maddog107_merged · November 23, 2015

Just legacy from IPB1/2. Its always been under /main (as we are suppose to make a landing page on root but has never happened)

So the root is fine, it sees the files on the OS. The issue is with the

http://www.bellazon.com/main/index.php/....

thats why I thought I had to change the locations. I had to switch back to Apache as apparently nginx and ipb dont play nice for the "upgrade" from 3.x -> 4.x. Even a incredibly bare bone config of the following still doesnt work for the upgrade.

server {
    listen       80;
    server_name  bellazon.com;


    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    root   /usr/share/nginx/html/bellazon.com;
    index  index.php index.html index.htm;
        
    location / {
        try_files $uri $uri/ =404;
    }

    error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    
    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

Once I finish the upgrade ill fire up nginx again and mess around with it one more time.

Thanks

Bluto · November 24, 2015

I upgraded from 3.4.8 to 4.1.3.2 without a problem on a CENTMIN MOD system. Though, I didn't have the directory setup like you did with the main/. Anyway, if you want to try to get it working again, post here and we can try to figure it out! Up to this point, on my test system, with all the apps, I haven't had any issues.

Bluto · November 27, 2015

Updated vhost sample file.

Added Image Proxy location. Updated Javascript location.

# IPB4 Working NGINX site conf file
# This file is for a FORCED SSL site.  Non-SSL requests will be directed to SSL.

# Information gathered from
# Centminmod.com / Information pulled from multiple guides.  Thx eva2000!
# Makoto on IPB Forum via https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/ version 3.4.8 guide.

# Redirect to HTTPS from port 80
# Redirect from www to non-www with forced SSL
server {
    listen  80;
    server_name 10.0.0.121;
    return 301 https://10.0.0.121$request_uri;
 
    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via80.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via80.log;
}

server {
    listen 443 ssl http2;
    server_name  10.0.0.121;
    root /home/nginx/domains/10.0.0.121/public;
 
    ssl_dhparam /usr/local/nginx/conf/ssl/10.0.0.121/dhparam.pem;
    ssl_certificate      /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.crt;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.key;
    include /usr/local/nginx/conf/ssl_include.conf;
 
    # Mozilla Recommended
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
    ssl_prefer_server_ciphers   on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header  X-Content-Type-Options "nosniff";
    #add_header X-Frame-Options DENY;
    ssl_buffer_size 1400;
    ssl_session_tickets on;

    # ngx_pagespeed & ngx_pagespeed handler
    # include /usr/local/nginx/conf/pagespeed.conf;
    # include /usr/local/nginx/conf/pagespeedhandler.conf;
    # include /usr/local/nginx/conf/pagespeedstatslog.conf;

    # Limit Connections Per IP Address
    # limit_conn limit_per_ip 16;
 
    # ssi  on;

    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via443.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via443.log;

    # Prevent access to ./directories and files
    location ~ (?:^|/)\. {
        deny all;
    }

    location / {

        # block common exploits, sql injections etc
        include /usr/local/nginx/conf/block.conf;

        # Enables directory listings when index file not found
        # autoindex  on;

        # Shows file listing times as local time
        autoindex_localtime on;

        try_files    $uri $uri/ /index.php;

    }
 
    location ~^(/page/).*(\.php)$ {
        try_files  $uri $uri/ /index.php;
    }
 
    # Mask fake admin directory
    location ~^/admin/(.*)$ {
        deny all;
    }
 
    # Secure real admin directory
    location ~^(/spanky/).*(\.php) {
        include /usr/local/nginx/conf/php.conf;
        allow           10.0.0.245;
        deny            all;
        #auth_basic     "Restricted Area";
        #auth_basic_user_file /usr/local/nginx/conf/htpasswd;    
    }
 
    # IP.Board PHP/CGI Protection
 
    location ~^(/uploads/).*(\.php)$ {
        deny     all;
    }
 
    location ~^(/system/).*(\.php)$ {
        deny     all;
    }
 
    location ~^(/datastore/).*(\.php)$ {
        deny     all;
    }
 
    location ~^(/plugins/).*(\.php)$ {
        deny     all;
    }
 
    location ~^(/applications/blog/).*(\.php)$ {
        deny     all;
    }
 
    location ~^(/applications/calendar/).*(\.php)$ {
        deny     all;
    }
 
    location ~^(/applications/chat/).*(\.php)$ {
        deny     all;
    }
 
    location ~^(/applications/cms/).*(\.php)$ {
        deny     all;
    }

    # Allow access to imageproxy
    location ^~ /applications/core/interface/imageproxy/imageproxy.php {
        include /usr/local/nginx/conf/php.conf;
        allow  all;
    }

    # Allow access to JS file
    location ^~ /applications/core/interface/js/js.php {
        include /usr/local/nginx/conf/php.conf;
        allow  all;
    }

    location ~^(/applications/core/).*(\.php)$ {
        deny     all;
    }
 
    location ~^(/applications/downloads/).*(\.php)$ {
        deny     all;
    }
 
    location ~^(/applications/forums/).*(\.php)$ {
        deny     all;
    }
 
    location ~^(/applications/gallery/).*(\.php)$ {
        deny     all;
    }
 
    location ~^(/applications/nexus/).*(\.php)$ {
        deny     all;
    }

    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_server.conf;
}

Gary_J_Wright · November 29, 2015

Now about to try this from scratch already converted my LAMP to LEMP via unixmen guide - but so much original cr#p left over and badly + blindly hacked it to run - it does all except rewrite url (due to needing to remove/convert .htaccess to nginx format rewrite) == thought I'd use my test board URL to start a new test board, once running will migrate to live board. currently php5.6.11 / nginx 1.9.5 / mysql 5.6.27 on ubuntu 15.10

loaded centmin mod to a DO droplet (centos7.1) so far upgraded NGINX to 1.9.7, installed customcurl 7.43? (well higher than needed 7.36!) and rebuild / upgraded php to 5.6.16 now about to tackle the vhost file.....

Question?: on hostname, you use hostname.yourdomain.com. I'd prefere to use vps.mydomain.co.uk ( I can't see a problem with this) can you?

Bluto · November 29, 2015

The vhost file doesn't have the hostname, it's has the domain name.

You can use anything you want for your hostname.

Bluto · November 29, 2015

For my local Centmin LEMP I use either localhost or a local IP address... just to make things easier for me.

Bluto · December 3, 2015

Sorry, wanted to correct my previous post. The hostname is included in the vhost file. The hostname is whatever you entered when you setup your server.

Find your hostname:

Centos7

nano -w /etc/hostname

Centos6

nano -w /etc/sysconfig/network

Gary_J_Wright · December 5, 2015

currently running a copy of live board (as a test board) on centminmod123.09beta on php7.0.0 nginx 1.9.7 and mariadb10.1 - sorter following your other thread on centmin -- whats your latest vhost sample file is it the 27th november version?

IPS4 on CENTMIN MOD / vhost Creation

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Archived

Recently Browsing 0 members

Upcoming Events