Setting up a secure Nginx+PHP-FPM installation for IPS4

[ASTRAPI]

You only need to use:

try_files    $uri $uri/ /index.php;

or

try_files $uri $uri/ /index.php?$args;

 

Don't forget to protect your uploads folder also with a rewrite rule

Edited November 26, 2016 by ASTRAPI

[Foolboy]

EDIT: Never mind, it is working now. Thanks!

Hello,

Thank you for sharing this information. I attempted to follow your instruction on my server environment with a little bit different approach. (as I have Directadmin installed on my CentOS server instead of pure CentOS) Everything works fine, including the IPS FURLs, except tiny issues with CKEditor. On some areas that are loaded CKEditor asynchronously, such as Contact Us form or Status Update Widget, it is refused to load. However, it works fine on the other areas like Forum posting.

Here is my nginx.conf

# Auto generated nginx config file by DirectAdmin version 1.50.1
# Modifying this file is not recommended as any changes you make will be
# overwritten when the user makes any changes to their website

# For global config changes that affect all Users, see this guide:
# http://help.directadmin.com/item.php?id=558
# For local config changes that only affect one User, see this guide:
# http://help.directadmin.com/item.php?id=3


server
{
    location / {
        try_files    $uri $uri/ /index.php$query_string;
    }
    location ~^(/page/).*(\.php)$ {
        try_files  $uri $uri/ /index.php$query_string;
    }
    location ~ \.php$ {
        try_files    $uri =404;
        fastcgi_pass    unix:/usr/local/php70/sockets/example.sock;
        fastcgi_index    index.php;
        fastcgi_buffers 16 8k;
        fastcgi_buffer_size 16k;
        fastcgi_param    SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include          fastcgi_params;
    }
    location ~ ^/applications/(birthdaygreeter|blog|calendar|chat|classifieds|cms|core|featuredcontent|forums|gallery|loginlogs|nexus|pokes|quizzes|spaciouswidgets)/interface/.*\.(?:php\d*|phtml)$ {
        allow all;
    }
    location ~ ^/(uploads|datastore|system|plugins)/.*\.(?:php\d*|phtml)$ {
        allow 127.0.0.1;
        deny all;
    }
    location ~ ^/applications/(birthdaygreeter|blog|calendar|chat|classifieds|cms|core|featuredcontent|forums|gallery|loginlogs|nexus|pokes|quizzes|spaciouswidgets)/.*\.(?:php\d*|phtml)$ {
        allow 127.0.0.1;
        deny all;
    }
	listen my.server.ip.address:80;
	server_name example.com www.example.com ;
	access_log /var/log/nginx/domains/example.com.log;
	access_log /var/log/nginx/domains/example.com.bytes bytes;
	error_log /var/log/nginx/domains/example.com.error.log;
	root /home/example/domains/example.com/public_html;
	index index.php index.html index.htm;
	include /usr/local/directadmin/data/users/example/nginx_php.conf;
	include /etc/nginx/webapps.conf;
}

server
{
    location / {
        try_files    $uri $uri/ /index.php$query_string;
    }
    location ~^(/page/).*(\.php)$ {
        try_files  $uri $uri/ /index.php$query_string;
    }
    location ~ \.php$ {
        try_files    $uri =404;
        fastcgi_pass    unix:/usr/local/php70/sockets/example.sock;
        fastcgi_index    index.php;
        fastcgi_buffers 16 8k;
        fastcgi_buffer_size 16k;
        fastcgi_param    SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include          fastcgi_params;
    }
    location ~ ^/applications/(birthdaygreeter|blog|calendar|chat|classifieds|cms|core|featuredcontent|forums|gallery|loginlogs|nexus|pokes|quizzes|spaciouswidgets)/interface/.*\.(?:php\d*|phtml)$ {
        allow all;
    }
    location ~ ^/(uploads|datastore|system|plugins)/.*\.(?:php\d*|phtml)$ {
        allow 127.0.0.1;
        deny all;
    }
    location ~ ^/applications/(birthdaygreeter|blog|calendar|chat|classifieds|cms|core|featuredcontent|forums|gallery|loginlogs|nexus|pokes|quizzes|spaciouswidgets)/.*\.(?:php\d*|phtml)$ {
        allow 127.0.0.1;
        deny all;
    }
	listen my.server.ip.address:443 ssl;
	server_name example.com www.example.com ;
	access_log /var/log/nginx/domains/example.com.log;
	access_log /var/log/nginx/domains/example.com.bytes bytes;
	error_log /var/log/nginx/domains/example.com.error.log;
	root /home/example/domains/example.com/private_html;
	index index.php index.html index.htm;
	ssl on;
	ssl_certificate /usr/local/directadmin/data/users/example/domains/example.com.cert.combined;
	ssl_certificate_key /usr/local/directadmin/data/users/example/domains/example.com.key;
	include /usr/local/directadmin/data/users/example/nginx_php.conf;
	include /etc/nginx/webapps.ssl.conf;
}

I would appreciate for any help on this. Thank you in advance for your supoort.

My VPS server specification:
CPU: 6 vCore
RAM: 20 GB
OS: CentOS 6.0 x64
CP: Directadmin 1.50.1
PHP: 7.0.13

Edited November 29, 2016 by Foolboy

[yacenty]

Guys,

on ipb3 and nginx we had a huge discussion how to cache and tweak sites.
Now we are going to move from 3 to 4 and we have a crazy issues with site performance.
Imaginge that gallery main page is loading 16-20x longer that it was loading on ipb3. Forum main site is loading about 50-100% slower than on ipb3.
We have enabled memcached and php7 optimization and it looks really crazy becase sometimes gallery is generated in 100ms, sometimes is generated in 2s, what is interesting when I test on firebug I see such a  load times:

900ms, 80,900,900,900,80,80,900,80,900,80

memcached is set for 60s.

On other board - which is very small i have such times:

500,60,60,60,60,500,60,60,60,60,500.

Which definietly shows me that on first server something is wrong with caching. On second site it looks very good: first time - collect data from db, process and store to memecached, second, third, forth and others: collect data from memcached, next one - regenerate data: collect from db, process, store to cache.

How to handle this topic? Any hints?

[Morgin]

On 11/26/2016 at 0:58 PM, ASTRAPI said:

You only need to use:

try_files    $uri $uri/ /index.php;

or

try_files $uri $uri/ /index.php?$args;

 

Don't forget to protect your uploads folder also with a rewrite rule

Can you expand on this topic?

Part of the reason I am not using nginx is that I'm way more comfortable with apache - friendly URLS and replacing mod_rewrite is one of the areas I feel extremely deficient in understanding how nginx does it. does try_files work as a replacement for friendly URLS? How would you protect the uploads folder?

[ASTRAPI]

You can convert Apache rules to Nginx rules and done :-)

[Morgin]

47 minutes ago, ASTRAPI said:

You can convert Apache rules to Nginx rules and done :-)

Do you mean the ones in the .htaccess file generated by ips's security centre?

[ASTRAPI]

Any .htaccess from IPB/addon/app can be converted to Nginx rule and it will work much better than Apache's .htaccess :-)

[Morgin]

Just now, ASTRAPI said:

Any .htaccess from IPB/addon/app can be converted to Nginx rule and it will work much better than Apache's .htaccess :-)

I get that - I just wasn't sure if you meant the only thing you need to add to get friendly URL's to work is the 

try_files $uri $uri/ /index.php;

or

try_files $uri $uri/ /index.php?$arg

config option in your nginx virtual host config. 

[ASTRAPI]

For friendly urls yes you need only one line of the above

[bidorbuy tech]

Be aware that on various blogs and Gists suggest to implement IP.Board PHP protection and including commented out sections below (such as mentioned by @Foolboy) will break IP.Board:

    # -- Block Access to PHP / PHTML Files
    location ~ ^/(uploads|datastore|system|plugins)/.*\.(?:php\d*|phtml)$ {
      allow 127.0.0.1;
      deny all;
    }

    # -- Allow Access to Interface Files
#    location ~ ^/applications/(blog|calendar|chat|cms|core|downloads|forums|gallery|nexus|pastebin|companydirectory|rules|videos|notes|iawards|links|pmviewer|readthattopic|rules)/interface/.*\.(?:php\d*|phtml)$ {
#      allow all;
#    }

    # -- Block Access to Application PHP / PHTML Files
#    location ~ ^/applications/(blog|calendar|chat|cms|core|downloads|forums|gallery|nexus|pastebin|companydirectory|rules|videos|notes|iawards|links|pmviewer|readthattopic|rules)/.*\.(?:php\d*|phtml)$ {
#        allow 127.0.0.1;
#        deny all;
#    }

 

Edited March 29, 2017 by bidorbuy tech

[Foolboy]

Not sure about this but these configuration I mentioned earlier is working fine on my VPS.

[fourg6x]

My REST API page is showing:  Your server does not support authentication headers. You can authenticate by passing the API key as a query string parameter named 'key' in the request.

Running nginx.  The webroot is a Wordpress install.  IPB lives at /forums

What is required to get auth headers to operate properly?

upstream php_backend {
        server  unix:/run/php/php7.0-fpm.sock;
}

# Default server configuration
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        root /var/www/html;
        index index.php;

        # Maximum allowed upload size
        client_max_body_size    100M;

		#Wordpress root
        location / {
                try_files $uri $uri/ /index.php?$args;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        location ~ \.php$ {
                include fastcgi_params;
                fastcgi_pass php_backend;
                fastcgi_index index.php;
                fastcgi_pass_header Authorization;
                fastcgi_param HTTP_PROXY "";
                fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        }

        location /doc/ {
                alias /usr/share/doc/;
                autoindex on;
                allow 127.0.0.1;
                deny all;
        }

        # deny access to .htaccess files, if Apache's document root
        location ~ /\. {
                deny all;
        }

        #Deny access to any files with a .php extension in the uploads directory
        location ~* /(?:uploads|files)/.*\.php$ {
                deny all;
        }

        # Assign cache headers to static files
        location ~* ^.+\.(?:jpg|jpeg|gif|css|png|js|ico|xml|htm|swf|cur)$ {
                # If the static resource doesn't exist, pass off to IPS' 404 handler
                try_files   $uri @ips404;
                access_log  off;
                expires     2w;
        }

        # IPB forums location
        location /forums {
                try_files   $uri $uri/ @ips;
        }

        # Lock down access to the AdminCP
        location ~ ^/forums/admin/.+\.php$ {
                try_files   $uri @ips404;
                include         /etc/nginx/fastcgi_params;
                fastcgi_pass    php_backend;
        }

        # Pass off not found errors to IPS' 404 handler
        location @ips404 {
                include             /etc/nginx/fastcgi_params;
                fastcgi_pass        php_backend;
                fastcgi_param       SCRIPT_FILENAME  $document_root/404error.php;
                fastcgi_param       SCRIPT_NAME      404error.php;
        }

        # Send rewritten requests directly to IPS
        location @ips {
                include             /etc/nginx/fastcgi_params;
                fastcgi_pass        php_backend;
                fastcgi_param       SCRIPT_FILENAME  $document_root/index.php;
                fastcgi_param       SCRIPT_NAME      /index.php;
                fastcgi_buffers     38 4k;
                fastcgi_buffer_size 16k;
        }

}

Wondering if there is anything obvious that jumps out from my own configuration that is either problematic, or the reason behind why the http authentication headers are not working.  Is this a module I have to enable?  I cannot see how to do this. 

Many thanks,

Edited June 20, 2017 by fourg6x

[Steph40]

On 6/20/2017 at 4:12 PM, fourg6x said:

Wondering if there is anything obvious that jumps out from my own configuration that is either problematic, or the reason behind why the http authentication headers are not working.  Is this a module I have to enable?  I cannot see how to do this. 

Maybe this could help. 

http://shairosenfeld.blogspot.ca/2011/03/authorization-header-in-nginx-for.html

[Makoto]

Hey guys!

Thanks for all the feedback and support. I'm glad this topic was able to help so many people. Sorry I haven't been around to reply much lately, but if anyone here is ever in need of services beyond the scope of what this thread can offer, I am now accepting clients again and am happy to help with anyone's server needs!

So if you need help getting your server set up and optimized for IPS, just shoot me a message here and I'll do my best to provide you an estimate within 24 to 48 hours!

[shyest]

So I followed the guide to a T exactly other than the security optional part. I have 2 sites I would like to use so I added a second virtual host and can serve any html files perfectly on it however when trying to serve a php file I get 

Quote

No input file specified.

 

Am I missing anything here?

 

Update: The one main common theme is the error logs are stating that the:

Quote

FastCGI sent in stderr: "Unable to open primary script: /srv/http/littlelundgrenladies.com/root/html/index.php (Operation not permitted)" while reading response header from upstream, client: 97.43.196.135, server: littlelundgrenladies.com, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm_webapp.sock:", host: "littlelundgrenladies.com"

 

I am totally at a loss now. Any help would be awesome!

 

Update 2: Now I am really frustrated I got the main site to show php files, however, the 2nd site still no go.

Edited September 26, 2017 by shyest

[IPv6Freely]

I'm having difficulty with my rewrites. I want to lose the 'index.php?' from my URLs.

This is my conf file:

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        root /mnt/mshvol-01/www;
        index index.php index.html;
        server_name modsquadhockey.com;
        client_max_body_size 10M;

        location / {
                try_files $uri $uri/ @ips;
        }

        location @ips {
                rewrite ^ /index.php?$args last;
        }

        error_page 404 /404.php;
        error_page 500 502 503 504 /50x.php;

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }

        location ~ /.well-known {
                allow all;
        }

}

Am I doing something wrong? Is there something in AdminCP or a config file I have to modify to make this happen?

[ASTRAPI]

Go to the admin panel at System->Search Engine Optimization-> and enable rewrite Urls ?

[IPv6Freely]

1 hour ago, ASTRAPI said:

Go to the admin panel at System->Search Engine Optimization-> and enable rewrite Urls ?

I knew I had to be missing a step. So, I did that and got the "doesn't seem to be working" message. On the forum the links all had the correct URL (no more 'index.php?' in them), but clicking them just gave me 404s. So I must be missing something else as well. 

[Nathan Explosion]

Did you put the provided htaccess file in place as described?

Your config might be conflicting with something that is native to the software, so it would be a good idea to revert your own config and use the IPS functionality 'as is'

[IPv6Freely]

1 minute ago, Nathan Explosion said:

Did you put the provided htaccess file in place as described?

Your config might be conflicting with something that is native to the software, so it would be a good idea to revert your own config and use the IPS functionality 'as is'

I didn't think nginx used htaccess files? 

[IPv6Freely]

That said, I just downloaded the htaccess file from the link with the description To see the .htaccess used for Apache servers for comparison, download this file. It had this:

<IfModule mod_rewrite.c>
Options -MultiViews
RewriteEngine On
RewriteBase /forums/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule \.(js|css|jpeg|jpg|gif|png|ico|map)(\?|$) /forums/404error.php [L,NC]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /forums/index.php [L]
</IfModule>

Realized for this to work my line in my config file has to have the /forums/ in the rewrite rule because that's where the forum is installed.

        location @ips {
                rewrite ^ /forums/index.php?$args last;
        }

Now, to move the forum into the root dir instead of having URLs like domain.com/forums/forum/87-msh-front-page ? 

[FabioPaz]

@Makoto, thank you for your time doing this guide. It helped me a lot understanding the nginx conf structure.

But how do you manage the fastCGI with IPB4? Might I ask you if you have a example conf for caching?

I'm asking because I got nginx working fine, but when I try the cache there's a lot of problems regarding content not being refreshed after a user changed the content.

 

[CoffeeCake]

1 hour ago, FabioPaz said:

I'm asking because I got nginx working fine, but when I try the cache there's a lot of problems regarding content not being refreshed after a user changed the content.

Like I shared in your other thread, this doesn't work the way you think it works. You can use nginx to cache content, yet nginx has no way to know that someone has changed the content on your installation to work the way you're thinking it will.

You can cache static content, and Makoto provides examples here of how you'd do that, however you can't cache dynamic content and expect nginx to magically know that someone has modified a field in your database. That must be parsed by the php, and php is only getting parsed when the caching you setup expires. You can instruct nginx to cache things for a set period of time, yet when you do that, expect to see that content served exactly as you configured it, absent of any changes made by your users.

[6ichem]

Anybody knows how I can solve this on nginx? I want to have my forum displayed at example.com/forums instead of example.com

 

Edited January 12, 2021 by 6ichem

[Makoto]

Just now, 6ichem said:

Anybody knows how I can solve this?

 

Can you post your Nginx configuration for your IPS installation, and can you verify that rewrite rules are indeed not working when this is enabled (ignoring the warning)?