B-cock #1

Help With Nginx, Domain, and Reverse DNS

So I figured this would be a better place to post what exactly I'm doing.



 

First of all, despite the terrible name, I'm trying to set up an image/file host for my dedi server. It is named loli-safe. It is well-written code that supports mobile, .gif, .png, .txt, etc. file storage and sharing, and a lot more, and works similarly to imgur/gyazo in how it generates file names: https://github.com/WeebDev/lolisafe

 

Besides that, I have my server set up for www.homepage.com and www.homepage.com/rutorrent over HTTP and HTTPS using Nginx in /etc/nginx/sites-available/default, listening on ports 80 and 443 respectively, and that's about it for my pages setup.

 

My goal is to leave www.homepage.com as the default nginx page (or nothing at all) and have it so that when I go to i.hostname.com or www.hostname.com/i/ it goes to the port occupied by lolisafe.js. The pages it uses are something like auth.html, dashboard.html, etc. I'm not sure how it appends them after what I want or how it handles it, but that's just how I can explain it.

 

I thought all I would have to do is edit the server_name to something like i.hostname.com and then attach the following for the Reverse DNS so I don't have to have a port in the web address.

location / {
    proxy_pass http://www.hostname.com:9999;
    proxy_http_version 1.1;
    # WebSocket upgrade pass-through
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}

But I'm obviously missing something, because that doesn't work, and if I put that under my current listen 80; port it takes over my www.hostname.com, so I may have to set up a new server { line?

 

I tried to explain this the best I can, let me know if you have any other questions.

 

Thanks

 

Resolved now, thanks ctark!

So personally, I would put each subdomain in a new file instead of under the location block of the default file.

 

I have something like this (assuming you are on Linux; if not, it's pretty much the same structure but a different start folder):

/etc/nginx/sites-available

- This is where all your sites are.

/etc/nginx/sites-enabled

- This is where the active sites are, symlink or shortcut from modules-available

 

/etc/nginx/sites-available/lolisafe

-  This is the file for the lolisafe.hostname.com domain

Here is an example of my config for the site abc.hostname.com (don't just copy it, but use it as an example; it's probably not the best, but it shows you a good starting point):

# One upstream per sub site; several upstreams may point at the same PHP-FPM socket
upstream php_backend_abc {
    server  unix:/var/run/php-fpm_webapp.sock;
}

server {

    # Basic server configuration
    listen       80;
    server_name  abc.hostname.com;
    root         /srv/http/hostname.com/abc/html/;
    index        doku.php index.php index.html;

    # Maximum allowed upload size
    client_max_body_size 100M;

    include /etc/nginx/conf.d/mime.types;
    # Logging
    #access_log  /srv/http/yourdomain.com/root/logs/access.log.gz combined gzip flush=5m;
    error_log   /srv/http/hostname.com/abc/logs/error.log error;

    # Friendly URL "rewrite" rules
    location / {
        try_files   $uri $uri/ @webapp;
    }

    # Allow access to the letsencrypt ACME Challenge
    location ~ /\.well-known\/acme-challenge {
        allow all;
    }

    # Configuration includes
    include /etc/nginx/includes/ips/protect_upload_directories;
    include /etc/nginx/includes/deny_dotfiles;
    include /etc/nginx/includes/stub_status;
    include /etc/nginx/includes/php_fpm_status;

    # Never serve the wiki's data, config, bin or inc trees directly
    location ~ /(data|conf|bin|inc)/ {
      deny all;
    }

    # PHP entry points DokuWiki actually exposes under /wiki/
    location ~ ^/wiki/(|lib/(exe|plugins/[^/]+)/)[^/]+\.php {
        include             /etc/nginx/includes/php_fastcgi_params;
        fastcgi_pass        php_backend_abc;

#        fastcgi_param       SCRIPT_FILENAME  $document_root/index.php;
#        fastcgi_param       SCRIPT_NAME      /index.php;

#        fastcgi_buffers     38 4k;
#        fastcgi_buffer_size 16k;
    }

    # Assign cache headers to static files
    location ~* ^.+\.(?:jpg|jpeg|gif|css|png|js|ico|xml|htm|swf|cur)$ {
        # If the static resource doesn't exist, pass off to webapp's 404 handler
        try_files   $uri @webapp404;

        access_log  off;
        expires     2w;
    }

    # Execute the requested PHP script if it exists, otherwise pass off to webapp
    location ~ \.php$ {
        try_files   $uri @webapp;

        include             /etc/nginx/includes/php_fastcgi_params;
        fastcgi_pass        php_backend_abc;

        fastcgi_buffers     38 4k;
        fastcgi_buffer_size 16k;
    }

    # Pass off not found errors to webapp's 404 handler
    location @webapp404 {
        include             /etc/nginx/includes/php_fastcgi_params;
        fastcgi_pass        php_backend_abc;

        fastcgi_param       SCRIPT_FILENAME  $document_root/404error.php;
        fastcgi_param       SCRIPT_NAME      404error.php;
    }

    # Send rewritten requests directly to webapp
    location @webapp {
        include             /etc/nginx/includes/php_fastcgi_params;
        fastcgi_pass        php_backend_abc;

        fastcgi_param       SCRIPT_FILENAME  $document_root/index.php;
        fastcgi_param       SCRIPT_NAME      /index.php;

        fastcgi_buffers     38 4k;
        fastcgi_buffer_size 16k;
    }

}

 

So, a few things: I use a websock for PHP; each sub site should be on its own upstream, but they can share the same socket.

Maybe you can guess, this config is for DokuWiki.

Although this site doesn't have SSL, all of my others do, hence the letsencrypt location (hint: just copy the "server {" block a second time and change the port to 443 to serve both SSL and non-SSL on the same subdomain).

My files are saved under: "/srv/http/hostname.com/abc/html/"


This is my php socket config, located under "/etc/php/7.0/fpm/pool.d/webapp.conf"

 


[webapp]

;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;

; Basic settings
prefix = /var/run
user = www-data
group = www-data
listen = php-fpm_webapp.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; Process manager configuration
pm = dynamic
pm.max_children = 40
pm.start_servers = 12
pm.min_spare_servers = 2
pm.max_spare_servers = 20
pm.max_requests = 500
pm.status_path = /php_fpm_status

; Log slow requests (used for performance tuning, 0 = Off)
request_slowlog_timeout = 0
slowlog = /srv/http/hostname.com/www/logs/php_slow.log

; Terminate unresponsive requests, this should match PHP's max_execution_timeout at a minimum
request_terminate_timeout = 60s

; Don't allow executing arbitrary files as PHP scripts. YOU SHOULD NEVER DISABLE THIS.
security.limit_extensions = .php


;;;;;;;;;;;;;;;;;;;;;
; PHP Configuration ;
;;;;;;;;;;;;;;;;;;;;;

; Make sure errors are not displayed publicly, error logging can be enabled as needed
php_flag[display_errors] = off
php_admin_flag[log_errors] = off
php_admin_value[error_log] = /srv/http/hostname.com/www/logs/php_error.log

; Set the maximum upload size, memory limit and execution timeout
php_admin_value[upload_max_filesize] = 100M
php_admin_value[post_max_size] = 100M
php_admin_value[memory_limit] = 128M
php_admin_value[max_execution_time] = 60

; PHP security directives, adjust open_basedir appropriately
php_admin_value[cgi.fix_pathinfo] = 0
php_admin_value[disable_functions] = system,popen,proc_open,shell_exec
php_admin_value[open_basedir] = /tmp/:/usr/bin/:/srv/http/hostname.com/www/html:/srv/http/hostname.com/ghi/html:/srv/http/hostname.com/def/html:/srv/http/hostname.com/abc/html

 

The last line is important; update it with the location of the files you want to be executable. Try to limit this as much as possible, as allowing everything is a huge security risk.

Things to note: I was lazy and didn't want to make lots of these files, so my "abc" subdomain PHP logs will go into the same file as all the other sites that use this socket. If you want separate PHP logs, you should have a separate socket for each subdomain.


Final thoughts: binding different sites to different ports gets messy if they are all listening on the same IP / hostname (or wildcard IP if you haven't specified one).

If nothing else, have different server blocks inside your default file, one for each subdomain.

 

Hopefully this helps and driz doesn't shit on me.
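Putting the advice in this thread together for the OP's actual case (a Node process on port 9999 behind nginx, one file per subdomain, the port 80 block copied for 443), here is an added example of a stand-alone /etc/nginx/sites-available/lolisafe file. It is written for this thread; it is not ctark's config and not something shipped with lolisafe. It assumes lolisafe is bound to 127.0.0.1:9999, that the subdomain is i.hostname.com, that certbot's webroot is /var/www/letsencrypt and that certificates already exist under /etc/letsencrypt/live/i.hostname.com/; the log paths and the upstream name are assumptions as well.

```nginx
# /etc/nginx/sites-available/lolisafe
# Added example for this thread (not ctark's config, not part of lolisafe).
# Assumed: lolisafe bound to 127.0.0.1:9999, subdomain i.hostname.com,
# certbot webroot /var/www/letsencrypt, certs under /etc/letsencrypt/live/.

# Name the backend once; every proxy_pass below refers to it.
upstream lolisafe_backend {
    server 127.0.0.1:9999;
}

# Turn the client's Upgrade header into the matching Connection header, so one
# location serves both ordinary requests and WebSocket upgrades.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80: answer ACME challenges, send everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name i.hostname.com;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS termination plus reverse proxy to the Node process.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name i.hostname.com;

    ssl_certificate     /etc/letsencrypt/live/i.hostname.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/i.hostname.com/privkey.pem;

    # Largest upload nginx will accept; keep it no bigger than lolisafe's own limit.
    client_max_body_size 100M;

    access_log /var/log/nginx/lolisafe.access.log;
    error_log  /var/log/nginx/lolisafe.error.log;

    location / {
        proxy_pass         http://lolisafe_backend;
        proxy_http_version 1.1;
        # Tell the app who really connected and over which scheme.
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        # WebSocket pass-through.
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        $connection_upgrade;
    }
}

# Variant for www.hostname.com/i/ instead of a subdomain: paste this location
# into the existing www.hostname.com server block in sites-available/default.
# The trailing slash on proxy_pass strips the /i/ prefix before the request
# reaches lolisafe; this only works if the app emits relative links.
#
#    location /i/ {
#        proxy_pass         http://lolisafe_backend/;
#        proxy_http_version 1.1;
#        proxy_set_header   Host              $host;
#        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
#        proxy_set_header   X-Forwarded-Proto $scheme;
#        proxy_set_header   Upgrade           $http_upgrade;
#        proxy_set_header   Connection        $connection_upgrade;
#    }
```

Enable it by symlinking the file into /etc/nginx/sites-enabled and run nginx -t before reloading. Two things worth checking against the OP's original snippet: it proxied to http://www.hostname.com:9999, which routes the hop over the public name and leaves port 9999 reachable from the internet. Binding lolisafe to 127.0.0.1 (or firewalling 9999) means every request passes through nginx, its TLS termination and its upload-size limit. The Connection header is derived from the map rather than hard-coded to "upgrade", so plain HTTP requests are not mislabelled as WebSocket upgrades on their way to the backend.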
Just now, ctark said:

So, a few things: I use a websock for PHP; each sub site should be on its own upstream, but they can share the same socket.

Maybe you can guess, this config is for DokuWiki.

Although this site doesn't have SSL, all of my others do, hence the letsencrypt location (hint: just copy the "server {" block a second time and change the port to 443 to serve both SSL and non-SSL on the same subdomain).

My files are saved under: "/srv/http/hostname.com/abc/html/"

 

So for root /path/to/files would be to where the html pages of the lolisafe script are? Or would this be my /var/www/(iirc) location? Then I would just list all my .html pages in the index if I understand correctly?

 

I'm also not sure what to include in the well...include option.

 

Thanks for the help so far <3

You want to PM me your default file, and I'll try to explain without using generic examples?

also, damn it, I thought I edited out all the "ctark.com" references... fml

 

Taken from the safe.moe website:

 

server {
        listen 80;
        listen [::]:80;
        server_name safe.moe;

        # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
        return 301 https://$server_name$request_uri;
}

server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;

        server_name safe.moe;

        ssl_certificate /etc/letsencrypt/live/safe.moe/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/safe.moe/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/safe.moe/fullchain.pem;

        #Security
        include /etc/nginx/ssl/ssl-params.conf;

        # Everything not matched by a more specific location below goes to the
        # lolisafe Node process on port 9999
        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://127.0.0.1:9999/;
                proxy_redirect off;
                # WebSocket pass-through
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header   X-Forwarded-Proto $scheme;
        }

        location /transparency {
                root /srv/cuntflaps.me/html;
                autoindex on;
                default_type text/plain;
        }

        location ~ /mail {
                root /srv/cuntflaps.me/html;
                index index.php index.html;
                try_files $uri $uri/ =404;
                # the dot must be escaped: an unescaped "~ .php$" would also match names like "xphp"
                location ~ \.php$ {
                        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
                        fastcgi_index  index.php;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        include        fastcgi_params;
                }
        }

        location ~ /grill {
                root /srv/cuntflaps.me/html;
                index index.php index.html;
                try_files $uri $uri/ =404;
                location ~ \.php$ {
                        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
                        fastcgi_index  index.php;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        include        fastcgi_params;
                }
        }
}

 

Obviously those last 3 "location" tags aren't needed, as they are specific to that site, but it's a cool, real-life example of how they set up sub-locations on the site.

For example, going to "https://safe.moe/transparency/" would bring you to the "location ~ /transparency {" block and follow that stuff.

The first server block listens to all non-SSL traffic on port 80 and redirects it to use HTTPS. If you don't want this, then just remove it and change the second server block to listen on port 80 instead.

Comment / remove the lets encrypt info if you don't have ssl setup...

On 9/14/2017 at 8:19 PM, ctark said:

So personally, I would put each subdomain in a new file instead of under the location block of the default file.

---redacted----

 

 

Final thoughts: binding different sites to different ports gets messy if they are all listening on the same IP / hostname (or wildcard IP if you haven't specified one).

If nothing else, have different server blocks inside your default file, one for each subdomain.

 

Hopefully this helps and driz doesn't shit on me.

 

I mean, that is pretty much how I set up sg :P Looks great to me.

 

@staff, yah i necro posts, what of it!

20 hours ago, driz said:

I mean, that is pretty much how I set up sg :P Looks great to me.

 

@staff, yah i necro posts, what of it!

If you are gonna necro posts, you should at least bribe us 'staff' with rep.... :P
