#StackBounty: #nginx #percona #pmm Nginx: location with proxy_pass, including uri (Percona PMM)

Bounty: 100

I’m trying to set up a proxy with Nginx for Percona Monitoring and Management (PMM). I’m using their public demo site for testing purposes.

The goal is to expose PMM interface via URL like https://localhost.local/pmm.

server {
    listen 443 default_server ssl http2;
    server_name localhost;

    ssl_certificate /etc/pki/tls/certs/localhost.crt;
    ssl_certificate_key /etc/pki/tls/private/localhost.key;

    location ^~ /pmm/ {
        proxy_pass https://pmmdemo.percona.com/;
        rewrite ^/pmm/(.*) /$1 break;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Authorization "";
    }

}

There are a few different URLs on the backend software.

This is currently NOT working properly and I can see 404 requests in the browser console for URLs like https://localhost/graph/public/build/grafana.dark.css?v5.0.4

I tried to add a rewrite rule: rewrite ^/pmm/(.*) /$1 break; but this still didn’t help.


Get this bounty!!!

#StackBounty: #nginx #proxy #tomcat #rewrite Nginx rewrite .jsp extension and proxy to tomcat

Bounty: 100

Outgoing

How can I create an Nginx rewrite rule in the appropriate server block that takes any URL ending in .jsp and removes the .jsp extension after retrieving the correct .jsp page from the Tomcat server, but before sending the response to the client?

Incoming

How can I create an Nginx rewrite rule in the appropriate server block that takes any URL that does not end in .do and adds a .jsp extension, after receiving an HTTP request but before fetching the .jsp file from the Tomcat server, and then follows the outgoing rewrite rule to remove the extension again before sending the response?

Test

I tried to play around with the following

server {
        listen 443 ssl;
        server_name www.test.local test.local;

        location / {
                if ($request_uri ~ ^/(.*)\.jsp$) {
                        return 302 /$1;
                }
                try_files $uri.jsp @proxy;
        }

        location @proxy {
                proxy_pass http://websites/;
                include proxy_params;
        }
}

Nginx removes the .jsp extension, but it also sends the request to Tomcat without the .jsp extension, so tomcat does not know what to look for and returns a 404.

As far as I can tell, Nginx is not asking Tomcat whether it has a $uri.jsp page but is instead asking whether Tomcat has a $uri page (without the .jsp extension).

As far as I can read and understand, the try_files syntax is

try_files [Location[file, folder]] [fallback[file, folder, HTTP code]]

But the official documentation does not say (as far as I can find) how to instruct Nginx to (in this case) ask the proxy for the different files and folders to try; instead it is querying its own local root location for $uri.jsp and then using @proxy as fallback.



#StackBounty: #nginx #reverse-proxy #cache Debugging Nginx Cache Misses: Hitting high number of MISS despite high proxy valid

Bounty: 100

My proxy cache path is set to a very high size

proxy_cache_path  /var/lib/nginx/cache  levels=1:2   keys_zone=staticfilecache:180m  max_size=700m;

and the size used is only

sudo du -sh *
14M cache
4.0K    proxy

Proxy cache valid is set to

proxy_cache_valid 200 120d;

I track HIT and MISS via

add_header X-Cache-Status $upstream_cache_status;

Despite these settings I am seeing a lot of MISSes. And this is for pages on which I intentionally ran a cache warmer an hour ago.

How do I debug why these MISSes are happening? How do I find out if the miss was due to eviction, expiration, some rogue header etc? Does Nginx provide commands for this?


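Added example, not part of the original question: nginx has no command that explains a single MISS, but the access log can record the cache status next to the upstream headers that override `proxy_cache_valid`. The sketch also sets `inactive=`, which defaults to 10 minutes when omitted. The upstream address, log path and the `$upstream_sets_cookie` name are assumptions.

```nginx
# http {} context.

# Without inactive=, entries that are not requested for 10 minutes are
# removed by the cache manager, whatever proxy_cache_valid says.
# Such an entry shows up later as MISS, not as EXPIRED.
proxy_cache_path /var/lib/nginx/cache levels=1:2
                 keys_zone=staticfilecache:180m
                 max_size=700m inactive=120d;

# Record only whether the upstream set a cookie, never the cookie value,
# so session identifiers do not end up in the log file.
map $upstream_http_set_cookie $upstream_sets_cookie {
    ""      0;
    default 1;
}

# One line per request: cache status plus the upstream response headers
# that make nginx skip or shorten caching (Cache-Control, Expires, Vary,
# Set-Cookie).
log_format cache_debug '$remote_addr [$time_local] "$request" $status '
                       'cache=$upstream_cache_status '
                       'cc="$upstream_http_cache_control" '
                       'expires="$upstream_http_expires" '
                       'vary="$upstream_http_vary" '
                       'set_cookie=$upstream_sets_cookie';

server {
    listen 80;

    location / {
        proxy_cache       staticfilecache;
        proxy_cache_valid 200 120d;

        access_log /var/log/nginx/cache_debug.log cache_debug;
        add_header X-Cache-Status $upstream_cache_status;

        # Assumption: the origin listens on this address.
        proxy_pass http://127.0.0.1:8080;
    }
}
```

In the resulting log, `cache=EXPIRED` points at validity time, while a `cache=MISS` line with `set_cookie=1`, `vary="*"` or `cc="private"`, `"no-cache"` or `"no-store"` points at a response nginx declined to store.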

#StackBounty: #linux #ubuntu #permissions #php #nginx Nextcloud: Can’t create or write into the data directory /var/nc_data

Bounty: 50

I’m getting the above error. What I tried so far:

  • checked the permissions. I even did chmod 777 /var/nc_data -R
  • first included all used party in open_basedir in my php.ini. When that didn’t work, I commented it out completely (in fpm and cli php.ini)
  • checked if SELinux is active. It isn’t.

I don’t have any more ideas to start with. I run an ubuntu server 18.04 inside a Hyper-V virtual machine. I use nginx 1.14.0, mariadb 10.1.29, php 7.2 and nextcloud 13.0.2.

Does someone have an idea?

Or could tell me where more error details could be logged so I have something to start with. nginx and php logs just have notices in them.

Thank you guys in advance 🙂

Marin

PS: Nextcloud vHost configuration: https://pastebin.com/wZJLp0rx

PPS: Nextcloud config.php:

<?php
$CONFIG = array (
  'instanceid' => 'oc2xpzs4xkog',
);

(it’s not much written in because it’s not set up yet)



#StackBounty: #nginx #log-files NGINX Access Log by Location

Bounty: 50

Hello so I have two platforms where one operates as a subdirectory. I would like to be able to have an access and error log for each application; however it is not working as I intended 🙁

Here is what I have:

server {
    listen 80 default;
    listen [::]:80;

    root /var/www/html/app1;
    index index.php;

    server_name localhost;

    access_log /var/log/nginx/app1.access.log;
    error_log /var/log/nginx/app1.error.log;    

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    location ~ /\.(?!well-known).* {
            deny all;
            access_log off;
            log_not_found off;
    }
    location ~* \.(woff|jpg|jpeg|png|gif|ico|css|js)$ {
        access_log off;
        log_not_found off;
        expires 365d;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }   


    location /app2 {

        try_files $uri $uri/ /app2/index.php$is_args$args;

        access_log /var/log/nginx/app2.access.log;
        error_log  /var/log/nginx/app2.error.log;
    }

    # SECURITY : Deny all attempts to access PHP Files in the uploads directory
    location ~* /(?:uploads|files)/.*\.php$ {
            deny all;
    }

    # PHP : pass the PHP scripts to the FastCGI server (PHP-FPM unix socket)
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;    
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Yoast SEO Sitemaps
    location ~ ([^/]*)sitemap-rewrite-disabled(.*)\.x(m|s)l$ {
        ## this redirects sitemap.xml to /sitemap_index.xml
        rewrite ^/sitemap\.xml$ /sitemap_index.xml permanent;
        ## this makes the XML sitemaps work
        rewrite ^/([a-z]+)?-?sitemap\.xsl$ /index.php?xsl=$1 last;
        rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
        rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
        ## The following lines are optional for the premium extensions
        ## News SEO
        rewrite ^/news-sitemap\.xml$ /index.php?sitemap=wpseo_news last;
        ## Local SEO
        rewrite ^/locations\.kml$ /index.php?sitemap=wpseo_local_kml last;
        rewrite ^/geo-sitemap\.xml$ /index.php?sitemap=wpseo_local last;
        ## Video SEO
        rewrite ^/video-sitemap\.xsl$ /index.php?xsl=video last;
    }
}

Only visits to the app2 homepage get logged in the app2 logs while further into the site like /app2/help will appear in the app1 logs.

Examples:

/help == app1.access.log && app1.error.log OK

/app2 == app2.access.log && app2.error.log OK

/app2/help == app1.access.log && app1.error.log (want to be in app2 logs) NOT OK


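Added example, not part of the original question: nginx logs a request in the context of the location where processing ends, and the `try_files` fallback in `location /app2` is an internal redirect to `/app2/index.php`, which the server-level PHP regex location then handles under the app1 logs. One way to keep those requests in the app2 logs is a `^~` prefix location with its own nested PHP handler; paths and the socket are taken from the question, the rest is a sketch.

```nginx
server {
    listen 80 default_server;
    root /var/www/html/app1;
    index index.php;

    # Server-level logs: used by every location that does not set its own.
    access_log /var/log/nginx/app1.access.log;
    error_log  /var/log/nginx/app1.error.log;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location = /app2 {
        access_log /var/log/nginx/app2.access.log;
        return 301 /app2/;
    }

    # "^~" keeps /app2/... out of the server-level regex locations, so the
    # internal redirect to /app2/index.php is finished inside this block.
    location ^~ /app2/ {
        access_log /var/log/nginx/app2.access.log;
        error_log  /var/log/nginx/app2.error.log;

        try_files $uri $uri/ /app2/index.php$is_args$args;

        # Server-level regex rules no longer apply under /app2/, so the
        # deny rules are repeated here. Nested regexes are tried in order.
        location ~ /\.(?!well-known) { deny all; }
        location ~* /(?:uploads|files)/.*\.php$ { deny all; }

        # Nested PHP handler: inherits the app2 log directives above.
        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        }
    }

    # PHP for app1 (everything outside /app2/).
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }
}
```

The static-asset location with `access_log off` is also bypassed under `/app2/` by `^~`, so app2 asset requests appear in the app2 access log unless that rule is nested as well.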

#StackBounty: #nginx #http-status-code-404 #denial-of-service #attacks Mitigating 404 bomb with Nginx

Bounty: 50

I am hit with 404 queries and this is bringing down my machine. Close to all of my pages are cached via Varnish and I have some basic DoS protection with

limit_conn_zone $http_x_forwarded_for zone=addr:10m;
limit_conn addr 8;

limit_req_zone $http_x_forwarded_for zone=one:10m rate=2r/s;
limit_req zone=one burst=50;

client_body_timeout 5s;
client_header_timeout 5s;
send_timeout 10s;

What can I do to prevent these 404 attacks besides the above?


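Added example, not part of the original question: both zones above are keyed on `$http_x_forwarded_for`, a request header, so a client that varies the header gets a fresh counter each time, and nginx does not account requests whose key is empty. The sketch below keys the limits on the connection address after the realip module has restored it from the trusted proxy. It assumes Varnish is the only client connecting to nginx, that it runs on 127.0.0.1, that nginx listens on port 8080 and that nginx was built with `ngx_http_realip_module`.

```nginx
# http {} context.

# Trust X-Forwarded-For only on connections that come from Varnish
# (assumed address). With real_ip_recursive on, $remote_addr becomes the
# right-most address in the header that is not itself a trusted proxy,
# i.e. the address Varnish saw, not whatever the client typed in.
set_real_ip_from  127.0.0.1;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

# Weak form from the question: the key is fully client-controlled.
#   limit_conn_zone $http_x_forwarded_for zone=addr:10m;
#   limit_req_zone  $http_x_forwarded_for zone=one:10m rate=2r/s;

# Corrected form: key on the restored client address.
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_req_zone  $binary_remote_addr zone=one:10m rate=2r/s;

# Answer throttled clients with 429 instead of the default 503, so they
# are easy to tell apart from real backend failures in the logs.
limit_req_status  429;
limit_conn_status 429;

# Keep the header in the log for review; it is evidence, not identity.
log_format limited '$remote_addr [$time_local] "$request" $status '
                   'xff="$http_x_forwarded_for"';

server {
    listen 8080;    # assumption: Varnish forwards cache misses here

    access_log /var/log/nginx/access.log limited;

    limit_conn addr 8;
    limit_req  zone=one burst=50;

    client_body_timeout   5s;
    client_header_timeout 5s;
    send_timeout          10s;
}
```

If nginx is instead the edge and Varnish sits behind it, the `set_real_ip_from` lines should be dropped, because `$remote_addr` is already the client address and the header carries nothing trustworthy.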

#StackBounty: #ubuntu #nginx #docker Update fastcgi_pass in nginx conf with docker container IP on startup

Bounty: 50

We have the following setup:

We host multiple websites on an Ubuntu server, most of them running PHP 5.6. One of them runs inside a Docker container with PHP 7.1.

The nginx conf for this website has the following line:

fastcgi_pass 172.17.0.4:9000;

which points to the IP of the docker container, which we get from

docker inspect <container>|grep IP

The problem is whenever the system restarts, the container gets a new IP assigned and we have to copy it into the nginx conf again and restart nginx. How could we do this automatically?

Thank you!

BR,
Peter



#StackBounty: #apt #upgrade #mysql #php #nginx Is it safe to apt-get upgrade an all default LEMP?

Bounty: 100

I have backups for my current MySQL database and related data but I ask generally, is it safe to do the following?

apt-get update nginx mysql-server php-fpm php-mysql
apt-get upgrade nginx mysql-server php-fpm php-mysql

I do use unattended-upgrades by default, only for security upgrades, but I do feel I should upgrade LEMP entirely due to performance needs.

BTW, I know CMs like Ansible do just that (if indeed, it’s a basically-all-default LEMP).



#StackBounty: #apache-2.2 #nginx #virtualhost #.htaccess Rewrite Performance, and rules that work in .htaccess but not vhost

Bounty: 50

I’m working on moving my .htaccess rules over to our vhost_ssl.conf file. I’m hitting some snags with rules that worked fine in .htaccess but aren’t working in vhost. For example, in .htaccess this works fine:

RewriteRule ^example$ /example/ [L,R=301]
RewriteRule ^example/$ somewhere/something.php [QSA,L]

With the idea being that if someone visits example.com/example – they get redirected to example.com/example/ (just adding the trailing slash). Then the trailing slash version of the URL gets rewritten behind the scenes.

When I move this over to vhost:

RewriteRule ^/example/$ somewhere/something.php [QSA,L]

I hit a couple of snags:

  1. it turns into an infinite loop of redirects (my server stops it at 10), because the first rule is always triggered
  2. after I comment out the first rule, I get a “Bad Request” 400 error:

Bad Request
Your browser sent a request that this server could not
understand.
Client sent malformed Host header

Any ideas why this might be happening? We’re running apache/nginx if that means anything. I read another thread on SF for a similar issue, and the response was that it’s a context issue and to add a leading slash to the final destination on the rewrite. But in my case when I do that:

RewriteRule ^/example/$ /somewhere/something.php [QSA,L]

The error changes to:

Unable to execute 'example/': No such file or directory

Also on the performance side of this in vhost, is there any difference between, for example:

RewriteRule ^/example/$ somewhere/something.php [QSA,L]

vs

RewriteCond %{REQUEST_URI} ^/example/$
RewriteRule .* somewhere/something.php [QSA,L]

Seems to me that the first version would be superior, it should accomplish the same goal but in fewer lines. But maybe having the RewriteCond separately makes it more efficient overall?



#StackBounty: #16.04 #server #php #nginx #cache Failed to implement Nginx caching – connection refused

Bounty: 50

I’m having trouble getting my site to work after trying to implement Nginx caching.

I use Ubuntu 16.04 (xenial), Nginx (1.10.3), PHP-FPM (7.0) and WordPress.

Port 9000 (for php-fpm) is unfiltered by UFW.

Reproducing my environment

1 – setting confs:

2 – Creating a cache dir:

mkdir -p /var/cache/nginx/fastcgi_temp/cache/
chmod 755 /var/cache/nginx/fastcgi_temp/cache/
chown www-data:www-data /var/cache/nginx/fastcgi_temp/cache/

3 – Server restart:

systemctl restart nginx.service
/etc/init.d/php*-fpm restart

4 – Error and debug tries:

/etc/init.d/php*-fpm status

● php7.0-fpm.service - The PHP 7.0 FastCGI Process Manager

Loaded: loaded (/lib/systemd/system/php7.0-fpm.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2018-04-13 07:07:02 UTC; 2h 34min ago
Process: 15060 ExecStart=/usr/sbin/php-fpm7.0 --nodaemonize --fpm-config /etc/php/7.0/fpm/php-fpm.conf (code=exited, status=78)
Process: 15051 ExecStartPre=/usr/lib/php/php7.0-fpm-checkconf (code=exited, status=0/SUCCESS)
Main PID: 15060 (code=exited, status=78)

My question

Why is the connection refused and my site is down?

