
Wednesday, November 6, 2024

NGINX redirect for non whitelisted IPs

Fixing an infinite loop issue: the redirect to the maintenance page must not apply to the maintenance page itself.

map $remote_addr $notwhitelisted_ip {
  default   1;
  # VPN
  1.2.3.4   0;
}

server {
    ...

    set $maintenance_redirect 0;

    if ($notwhitelisted_ip = 1) {
      set $maintenance_redirect 1;
    }

    # never redirect the maintenance page itself, otherwise 301 -> 301 -> ... forever
    if ($request_uri = "/maintenance-vik.html") {
      set $maintenance_redirect 0;
    }

    if ($maintenance_redirect = 1) {
      return 301 /maintenance-vik.html;
    }

    ...
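To see why the $request_uri exception matters, here is an added Python model of the decision chain above (my example, not nginx code and not from the original post) that follows the 301s the way a browser would and flags the loop; the client address 5.6.7.8 is constructed, the whitelist address is the one from the map block.

```python
# Added example (not from the original post): models the map/set/if chain above.
MAINTENANCE_URI = "/maintenance-vik.html"
WHITELIST = {"1.2.3.4"}  # the "VPN" address from the map block


def decide(remote_addr, request_uri, exempt_maintenance_page):
    """Return the 301 target nginx would send, or None for a normal response."""
    notwhitelisted_ip = 0 if remote_addr in WHITELIST else 1  # the map block
    maintenance_redirect = 0                                  # set ... 0;
    if notwhitelisted_ip == 1:
        maintenance_redirect = 1
    if exempt_maintenance_page and request_uri == MAINTENANCE_URI:
        maintenance_redirect = 0                              # the fix
    if maintenance_redirect == 1:
        return MAINTENANCE_URI                                # return 301 ...
    return None


def follow(remote_addr, request_uri, exempt_maintenance_page, max_hops=5):
    """Follow redirects like a browser; return (final_uri, hops, looped)."""
    uri, hops, seen = request_uri, 0, {request_uri}
    while True:
        target = decide(remote_addr, uri, exempt_maintenance_page)
        if target is None:
            return uri, hops, False
        hops += 1
        # Revisiting a URI (or exhausting the hop budget) is the infinite loop
        # that browsers report as ERR_TOO_MANY_REDIRECTS.
        if target in seen or hops >= max_hops:
            return target, hops, True
        seen.add(target)
        uri = target
```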

Wednesday, May 20, 2020

Nginx map $request_uri example

If I need to add HTTP auth to one specific location, I can use map.

In the http block:

map $request_uri $auth {
    /2.3.5/  "Authorization Required";
    default  "off";
}

In the server block:

    auth_basic $auth;
    auth_basic_user_file /etc/nginx/.htpasswd;

Friday, January 10, 2020

Nginx security headers

Usually, I added only

X-Frame-Options SAMEORIGIN

There was a task about CWE-693: Protection Mechanism Failure, so I added security headers to strengthen the site.

Useful links
https://www.keycdn.com/blog/http-security-headers
https://devdocs.magento.com/guides/v2.3/config-guide/secy/secy-xframe.html
Magento 1 since version 1.9.2

Tested the site headers via https://securityheaders.com/.
Added to nginx.conf in the http block:

add_header x-xss-protection "1; mode=block" always;

and to vhost.conf in the server block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header x-content-type-options "nosniff" always;
add_header feature-policy "autoplay 'none'; camera 'none'" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Links related to Referrer-Policy
https://scotthelme.co.uk/a-new-security-header-referrer-policy/
http://okiseleva.blogspot.com/2018/07/referrer-policy.html

The most difficult security header is Content-Security-Policy:

add_header Content-Security-Policy "default-src 'self'; img-src * 'self' data:; style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; frame-src *; object-src *; connect-src *; media-src *; font-src *;";

Links related to Content-Security-Policy
https://benjaminhorn.io/code/content-security-policy-what-it-is-what-it-does-and-how-to-implement-it/
https://ole.michelsen.dk/blog/secure-your-website-with-content-security-policy.html

Error with img-src https://forum.framework7.io/t/content-security-policy-directive-img-src-self-data-https/5678

Short instructions for setting the Content-Security-Policy header parameters:

Start with default-src 'none';
Open the browser developer panel (F12), check the console log, and add rules for the directives that are needed.

Supported directives

default-src: defines the loading policy for all resource types when no resource-type-specific directive is defined (fallback)
script-src: defines which scripts the protected resource can execute
object-src: defines from where the protected resource can load plugins
style-src: defines which styles (CSS) the user agent applies to the protected resource
img-src: defines from where the protected resource can load images
media-src: defines from where the protected resource can load video and audio
frame-src: defines from where the protected resource can embed frames
font-src: defines from where the protected resource can load fonts
connect-src: defines which URIs the protected resource can load using script interfaces
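An added offline check (my example, not from the original post and not a substitute for securityheaders.com) that audits a header set like the one above. It flags the CSP shown above because script-src * together with 'unsafe-inline' and 'unsafe-eval' leaves script injection largely unmitigated; the sample header dict is constructed from the nginx directives in this post.

```python
# Added example (not from the original post): offline audit of the headers above.
import re
# Header name (lower-cased) -> pattern a sane value must match.
REQUIRED = {
    "strict-transport-security": r"max-age=\d+",
    "x-content-type-options": r"^nosniff$",
    "x-frame-options": r"^(SAMEORIGIN|DENY)$",
    "referrer-policy": r"strict-origin|no-referrer",
    "content-security-policy": r".+",
}

def parse_csp(value):
    """Split "default-src a b; img-src c" into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit(headers):
    """Return sorted findings (missing/weak headers, risky CSP sources)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, pattern in REQUIRED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif not re.search(pattern, h[name], re.IGNORECASE):
            findings.append(f"weak {name}: {h[name]}")
    csp = parse_csp(h.get("content-security-policy", ""))
    for directive in ("script-src", "object-src", "frame-src"):
        # A directive falls back to default-src when it is not set.
        sources = csp.get(directive, csp.get("default-src", []))
        if "*" in sources:
            findings.append(f"csp {directive} allows any origin (*)")
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in sources:
                findings.append(f"csp {directive} allows {weak}")
    return sorted(findings)

SAMPLE_HEADERS = {  # constructed: the header set from the nginx config above
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; img-src * 'self' data:; "
        "style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline' "
        "'unsafe-eval'; frame-src *; object-src *; connect-src *; font-src *;",
}
```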

Friday, December 13, 2019

Nginx 403 error directory index of is forbidden, client 1.2.3.4

In my case, index index.php; was missing from the config file.

https://www.ionos.com/community/server-cloud-infrastructure/nginx/solve-an-nginx-403-forbidden-error/

Nginx php in subdirectory

WordPress is in the nested sub-directory, and the blog address is domain.tld/nested

Useful links
https://serversforhackers.com/c/nginx-php-in-subdirectory
https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  root /var/www/top/public;
  index index.html index.htm index.php;
  server_name _;

  location / {
    try_files $uri $uri/ /index.php$is_args$args;
  }

  location /nested {
    alias /var/www/nested/public;
    try_files $uri $uri/ @nested;

    location ~ \.php$ {
      index index.php;
      include snippets/fastcgi-php.conf;
      fastcgi_param SCRIPT_FILENAME $request_filename;
      fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
  }
  location @nested {
    rewrite /nested/(.*)$ /nested/index.php?/$1 last;
  }
  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
  }
}

Short explanations.

1) The root of the blog is not the domain itself (domain.tld) but a location under it (domain.tld/nested), so there has to be a rewrite rule:

    rewrite /nested/(.*)$ /nested/index.php?/$1 last;

2) We use alias because of this explanation from one of the useful links:
Note that distinction: with that alias, Nginx does NOT look for files within /var/www/nested/public/nested/foo, like it would with the root directive.

3) We use $request_filename instead of $document_root$fastcgi_script_name because of the following explanation:
If you use the alias directive with $document_root$fastcgi_script_name, $document_root$fastcgi_script_name will return the wrong path.
Request /api/testing.php:
  • $document_root$fastcgi_script_name == /app/www//api/testing.php
  • $request_filename == /app/www/testing.php
Request /api/:
  • $document_root$fastcgi_script_name == /app/www//api/index.php
  • $request_filename == /app/www/index.php
4) If you use $request_filename, set the index with the index directive; fastcgi_index will not work.
That means index index.php; inside the location.

Friday, October 25, 2019

Nginx inclusive locations processing

https://habr.com/ru/company/oleg-bunin/blog/313666/

A shorter explanation here:

https://www.zagirov.name/post/nginx-config/

manual - http://nginx.org/ru/docs/http/ngx_http_core_module.html#location

Example: how to open phpinfo.php only for the address 1.2.3.4

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/dev/shm/php-user72.sock;
                deny all;
        }

        location ^~ /phpinfo {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/dev/shm/php-user72.sock;

                allow 1.2.3.4;
                deny all;
        }

A prefix location with ^~ stops the search once it is the longest matching prefix, so the regex location above is never checked for /phpinfo.php.
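As an added illustration (my example, not from the original post), a small Python model of nginx's location selection order for this case: exact match first, then the longest matching prefix (stopping there if it carries ^~), then regex locations in config order. The two config lists are constructed from the locations above, with and without the ^~ modifier.

```python
# Added example (not from the original post): nginx location selection, simplified
# (no nested locations, no named locations).
import re


def resolve(locations, uri):
    """Return the (modifier, pattern) nginx would pick for uri.
    locations is a list in config order; modifier is '=', '^~', '~', '~*'
    or '' for a plain prefix."""
    best_prefix = None
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)                      # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best_prefix is None or len(pat) > len(best_prefix[1]):
                best_prefix = (mod, pat)           # remember the longest prefix
    if best_prefix is not None and best_prefix[0] == "^~":
        return best_prefix                         # ^~ : regexes are not checked
    for mod, pat in locations:
        if mod == "~" and re.search(pat, uri):
            return (mod, pat)                      # first matching regex wins
        if mod == "~*" and re.search(pat, uri, re.IGNORECASE):
            return (mod, pat)
    return best_prefix


# Constructed from the phpinfo example above.
CONFIG = [
    ("~", r"\.php$"),      # generic PHP handler with deny all
    ("^~", "/phpinfo"),    # allow 1.2.3.4; deny all
    ("", "/"),
]
# The same config with a plain prefix instead of ^~: the regex wins again.
WITHOUT_MODIFIER = [
    ("~", r"\.php$"),
    ("", "/phpinfo"),
    ("", "/"),
]
```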

Thursday, October 24, 2019

PHP Nginx error "No input file specified." displayed on the page, and FastCGI sent in stderr: "Unable to open primary script: *.php (Operation not permitted)" in the nginx log

/var/log/nginx/error.log

FastCGI sent in stderr: "Unable to open primary script: /var/www/html/phpinfo.php (Operation not permitted)

Don't forget to check the open_basedir parameter; the script path must be inside it:

fastcgi_param PHP_ADMIN_VALUE   "open_basedir=/var/www/html/:/tmp/";

Wednesday, October 23, 2019

Nginx testing proxy_cache_valid parameter

First, I created a proxy_pass for the site. The /test location on the origin exists only to test the cache.

# the site
http {
    ...
    proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=60m use_temp_path=off;
}
server {
    listen 8080;
    ...
    access_log /var/log/nginx/access.log;
    location /test {
        return 200 "It’s now $time_local\n";
    }
}
# the proxy
server {
    listen 80 default_server;
    root /var/www/;
    index index.html index.htm;

    server_name example.com;

    charset utf-8;

    location / {
        include proxy_params;
        proxy_pass http://localhost:8080;
        proxy_cache my_cache;
        proxy_cache_revalidate on;
        proxy_cache_min_uses 3;
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        proxy_cache_background_update on;
        proxy_cache_lock on;
        proxy_cache_valid 200 15s;
    }
}
# proxy_params file
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

The cache server is configured to cache responses with status code 200 for 15 seconds. This typically results in cache updates every 15 or 16 seconds.
proxy_cache_valid 200 15s;
Once per second, we send an HTTP request to the address. The response does not change until the cache on the server expires, which happens every 15 or 16 seconds.

$ while sleep 1; do curl http://example.com/test; done
...
It’s now 23/Oct/2019:15:11:12 +0000
It’s now 23/Oct/2019:15:11:12 +0000
It’s now 23/Oct/2019:15:11:12 +0000
It’s now 23/Oct/2019:15:11:28 +0000
It’s now 23/Oct/2019:15:11:28 +0000
It’s now 23/Oct/2019:15:11:28 +0000
^C

We can also inspect the logs on the origin server to confirm that it is receiving a request only every 15 or 16 seconds.

/var/log/nginx/access.log
...
127.0.0.1 - - [23/Oct/2019:15:11:12 +0000] "GET /test HTTP/1.0" 200 38 "-" "curl/7.58.0"
127.0.0.1 - - [23/Oct/2019:15:11:28 +0000] "GET /test HTTP/1.0" 200 38 "-" "curl/7.58.0"
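An added Python check (my example, not from the original post) that parses origin access-log lines like those above and confirms that consecutive hits for /test are never closer than proxy_cache_valid; the log lines are constructed after the excerpt above, with a third /test hit and one unrelated request added.

```python
# Added example (not from the original post): verify cache TTL from origin logs.
import re
from datetime import datetime

# Combined log format: client - user [timestamp] "request" status ...
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def parse_line(line):
    """Return (timestamp, request_line, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group(2), int(m.group(3))


def origin_gaps(lines, path="/test"):
    """Seconds between consecutive origin hits for path (each hit is a cache miss)."""
    stamps = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1].split()[1] == path:
            stamps.append(parsed[0])
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


def cache_holds(lines, valid_seconds, path="/test"):
    """True if the origin never saw two hits for path closer than valid_seconds."""
    return all(gap >= valid_seconds for gap in origin_gaps(lines, path))


# Constructed sample modelled on the origin log excerpt in this post.
SAMPLE_LOG = [
    '127.0.0.1 - - [23/Oct/2019:15:11:12 +0000] "GET /test HTTP/1.0" 200 38 "-" "curl/7.58.0"',
    '127.0.0.1 - - [23/Oct/2019:15:11:28 +0000] "GET /test HTTP/1.0" 200 38 "-" "curl/7.58.0"',
    '127.0.0.1 - - [23/Oct/2019:15:11:44 +0000] "GET /test HTTP/1.0" 200 38 "-" "curl/7.58.0"',
    '127.0.0.1 - - [23/Oct/2019:15:11:50 +0000] "GET /other HTTP/1.0" 200 38 "-" "curl/7.58.0"',
]
```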

Friday, July 5, 2019

Nginx CORS

On one of our sites, site1.com, we added statistics pulled from two of our other sites, site2.com and site3.com. CORS has to be allowed on sites 2 and 3 for site 1, otherwise we see the error

Access to XMLHttpRequest at 'https://www.site2.com/api/get-registered-users-count' from origin 'http://www.site1.com' has been blocked by CORS policy.

I followed this article
and added

location / {
    add_header 'Access-Control-Allow-Origin' 'https://www.site1.com';
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Headers' 'Content-Type,Accept';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
}

Test

curl -H "Access-Control-Request-Method: GET" -H "Origin: https://www.site1.com" --head http://www.site2.com

After allowing it, these headers appeared

Access-Control-Allow-Origin: https://site1.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type,Accept
Access-Control-Allow-Methods: POST, OPTIONS

Wednesday, July 3, 2019

Linux Nginx maintenance page

When the file maintenance_on appears in the directory, show a 503 maintenance page.
Check for the file:

    location / {
        if (-f /home/www/site/maintenance_on) {
            return 503;
        }

        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

and handling of the 503 error

    error_page 503 /maintenance.html;

    location = /maintenance.html {
         root /home/www/site/public;
    }

    location ~ ^/maintenance-assets/(.+\.(jpg|png))$ {
         alias /home/www/site/public/maintenance-assets/$1;
    }

Tuesday, June 18, 2019

Linux nginx proxy_pass

Expose a port with basic HTTP authentication in front of a JSON backend

server {
    listen 3001;

    location /
    {
        access_log off;
        error_log /var/log/nginx/error_gateway.log;

        auth_basic "gateway";
        auth_basic_user_file /etc/nginx/gateway;

        default_type application/json;
        proxy_pass http://127.0.0.1:3000;
    }
}

Thursday, April 25, 2019

Linux upgrade nginx on fly

Nginx is compiled from source:

#!/bin/bash
set -x
VER=1.16.0
rm -rf nginx-$VER
tar zxvf nginx-$VER.tar.gz
cd nginx-$VER

echo OK
./configure \
--with-ld-opt="-ljemalloc" \
--with-cc-opt="-march=native -mtune=native" \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--with-http_stub_status_module \
--without-http_geo_module \
--without-http_memcached_module \
--without-http_scgi_module \
--with-http_geoip_module \
--without-http_autoindex_module \
--without-http_ssi_module \
--without-http_browser_module \
--with-pcre-jit \
--with-http_ssl_module \
--with-http_sub_module \
--with-http_addition_module \
--with-http_auth_request_module \
--with-threads \
--with-http_v2_module \
--with-http_gzip_static_module \
--with-http_realip_module

make -j23

Only make install remains.
First check that the new binary is compatible with the current config:
cd nginx-1.16.0
objs/nginx -t
If OK, then
cd nginx-1.16.0
make install

The following steps upgrade to the new version on the fly without a restart:
ps aux | grep nginx | grep master
(read the pid of the old master process)
kill -USR2 $pid    # start a new master with the new binary
kill -WINCH $pid   # gracefully shut down the old workers
kill -QUIT $pid    # gracefully shut down the old master


Tuesday, October 30, 2018

Linux Clear cache after site release

Symfony project, Nginx
opcache is used
How to clear the caches so the site displays correctly after a release.

Symfony
export APP_ENV=prod && php bin/console cache:clear
chown -R user:www-data user

opcache
php /usr/local/bin/cachetool.phar opcache:reset --fcgi=/dev/shm/php-user.sock --tmp-dir=/tmp

Nginx
To clear the cache on the client side, add to the server config:
server
{
...
expires 10m;
...
}

Friday, October 26, 2018

NGINX alias

I need to serve png files from the email folder and its subfolders folder1, folder2, etc. at domain.tld/email/folder/img.png
I use alias
    location ~ ^/email/(.+\.(?:gif|jpe?g|png))$ {
        alias /home/www/email/$1;
    }