Nginx: Difference between revisions
imported>Nathan-gs NGINX: PAM auth, no longer needed to disable hardening features |
imported>Dmo84 added troubleshooting for locations (double escape). fixed the wrong not-double escaped example. |
||
Line 38: | Line 38: | ||
This will set up nginx to serve files for <code>myhost.org</code>, automatically request an ACME SSL Certificate and will configure systemd timers to renew the certificate if required. | This will set up nginx to serve files for <code>myhost.org</code>, automatically request an ACME SSL Certificate and will configure systemd timers to renew the certificate if required. | ||
== Troubleshooting == | |||
=== Read-only Filesystem for nginx upgrade to 20.09 ==== | |||
With the upgrade to nixos-20.09 the nginx comes with extra hardening parameters, most prominently the restriction of write access to the Operating System Disk. | With the upgrade to nixos-20.09 the nginx comes with extra hardening parameters, most prominently the restriction of write access to the Operating System Disk. | ||
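Review bot: The heading "=== Read-only Filesystem for nginx upgrade to 20.09 ====" in this hunk opens with three equals signs and closes with four, so it will not render as a clean level-3 heading like its sibling "=== SIGTERM received from 1 ===". Close it with "===" so the Troubleshooting subsections are all at the same level.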
Line 49: | Line 49: | ||
</syntaxHighlight> | </syntaxHighlight> | ||
=== SIGTERM received from 1 === | |||
If you turn debug logging on: | If you turn debug logging on: | ||
Line 68: | Line 68: | ||
And it should fix nginx so systemd won't go killing your nginx anymore. | And it should fix nginx so systemd won't go killing your nginx anymore. | ||
==== General | === Escape special chars in Regular Expressions === | ||
Some nginx configuration options like <code>locations</code> allows using Regular Expressions provided in a string. | |||
Be ware that you [https://nixos.org/manual/nix/stable/language/values.html#type-string need to escape some special chars] like <code>\</code>. | |||
A common example found in the internet is: | |||
<syntaxHighlight> | |||
locations."~ ^(.+\.php)(.*)$" = { | |||
... | |||
}; | |||
</syntaxHighlight> | |||
But in this case the <code>\.php</code> part will be parsed by Nix to <code>.php</code>. In RegEx the dot represents any character instead of the dot character itself. | |||
Thus the path /gly'''php'''ro.css will be matched, too. Additionaly to the intended match of <code>/somephpfile.php?param=value</code>. | |||
To circumvent this error <code>\.php</code> has to be double escaped as <code>\\.php</code> | |||
<syntaxHighlight> | |||
locations."~ ^(.+\\.php)(.*)$" = { | |||
... | |||
}; | |||
</syntaxHighlight> | |||
=== General === | |||
Nginx is run as the systemd service nginx, so <code>systemctl status nginx</code> may say something useful. If you have a problem with configuration, you can find the configuration location in the <code>systemctl status</code>, it should be at <code>/nix/store/*-nginx.conf</code>. | Nginx is run as the systemd service nginx, so <code>systemctl status nginx</code> may say something useful. If you have a problem with configuration, you can find the configuration location in the <code>systemctl status</code>, it should be at <code>/nix/store/*-nginx.conf</code>. | ||
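Review bot: In the new "Escape special chars in Regular Expressions" section, the first syntaxHighlight block (locations."~ ^(.+\.php)(.*)$") is the broken form, but nothing in or directly above the block marks it as such, so a reader skimming for a snippet can copy the wrong one. Label it explicitly as the incorrect version, for example with a Nix comment inside the block, and label the second block as the corrected one. The surrounding prose also needs a copy-edit: "Be ware" should be "Beware", "Additionaly" should be "Additionally", "options like locations allows" should be "allow", the fragment "Additionaly to the intended match of ..." should be merged into the preceding sentence, and the sentence ending in "\\.php" is missing its full stop. It would also help to say in one sentence what the over-broad match means in practice for the /glyphpro.css example, namely that a request for a non-PHP file is handled by the PHP location block.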
Line 104: | Line 124: | ||
forceSSL = true; | forceSSL = true; | ||
root = "/var/www/blog"; | root = "/var/www/blog"; | ||
locations."~ \.php$".extraConfig = '' | locations."~ \\.php$".extraConfig = '' | ||
fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket}; | fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket}; | ||
fastcgi_index index.php; | fastcgi_index index.php; |
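Review bot: The corrected key locations."~ \\.php$" gives no hint at this line why the backslash is doubled, so a later editor may "simplify" it back to \.php$ and reintroduce the any-character match. Add a short Nix comment above the line or a pointer to the "Escape special chars in Regular Expressions" troubleshooting section. It is also worth stating that the doubling applies to the double-quoted attribute name only: the extraConfig body here is a '' indented string, where a lone backslash is not an escape character, so a regex written inside extraConfig should keep a single backslash.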