Help in cleaning up default config

Hello again.

I am still fiddling around with NGinx on my Raspberry Pi; I just want to get this working. Right now a complete WordPress installation is up and running without any troubles. So far, so good. I remember someone in here mentioning some “faulty” stuff within my sites-available default config, to be more exact:

My default config is driving at least two servers at the same address - if I understood the principles of NGinx right by now.

So I again had a view at my default config and noticed that at least three virtual servers are configured, two at the same address (in the sense of storage location). I fiddled around a bit as I really want to understand NGinx a bit better and made some edits, but I am not sure how to clean up my default conf file. As far as I understand my own conf file by now, at least these two server definitions at the same address are somewhat dependent on each other. How can I clean up all this to define just that one server running my WordPress installation?

I would like to set up several other includes and servers later on, but right now it is just about this one definition. This is how my default config looks right now (smaller re-namings made for obvious reasons):

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /storage/Blog;

	# Add index.php to the list if you are using PHP
	index index.php index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
	}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}

	#Put our rewrite rules here, i.e.
	#
	rewrite wp-content/uploads/_pda(\/[A-Za-z0-9_@.\/&+-]+)+\.([A-Za-z0-9_@.\/&+-]+)$ "/index.php?pda_v3_pf=$1&is_direct_access=true&file_type=$2" last;
	rewrite private/([a-zA-Z0-9-_.]+)$ "/index.php?pda_v3_pf=$1" last;

}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}

server {

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /storage/Blog;

	# Add index.php to the list if you are using PHP
	index index.php index.html index.htm index.nginx-debian.html;
	server_name selfhosted.site.net; # managed by Certbot

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
	}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}

	listen [::]:443 ssl ipv6only=on; # managed by Certbot
	listen 443 ssl; # managed by Certbot
	ssl_certificate /etc/letsencrypt/live/selfhosted.site.net/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/selfhosted.site.net/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

	add_header Content-Security-Policy "default-src 'self' https://*.google-analytics.com https://*.googleapis.com https://*.gstatic.com https://*.gravatar.com https://*.w.org data: 'unsafe-inline' 'unsafe-eval';" always;
	add_header X-Xss-Protection "1; mode=block" always;
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header Referrer-Policy "origin-when-cross-origin" always;
	add_header Permissions-Policy "geolocation=*, camera=(self 'https://example.com'), microphone=()";
}

server {
	if ($host = selfhosted.site.net) {
		return 301 https://$host$request_uri;
	} # managed by Certbot

	listen 80;
	listen [::]:80;
	server_name selfhosted.site.net;
	return 404; # managed by Certbot

	##
	# Nginx Bad Bot Blocker Includes
	# REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
	##
	include /etc/nginx/bots.d/ddos.conf;
	include /etc/nginx/bots.d/blockbots.conf;
}

Any help again is highly appreciated! Thanks a lot in advance!

Jens

It looks like you have a single domain to serve. And you do that from two ports: 80 and 443. Additionally, there is certbot configuration at the end.

You can comment out the “_” server, add “listen 80;” to your second server and get the same result, probably.

Though personally I would recommend having “empty” default servers for port 80 and 443 and name based access to your main site.

Hello oxpa and thanks for your answer.

How obvious (still learning a lot)! I was sometimes wondering why some URLs kept dropping me back to http instead of https…

“name based access”…

I am still trying (…) to understand some NGinx principles. Right now I am very happy that I managed to set up all this in order to run my WordPress installation, securing PHP, MariaDB and else, changing login locations and so on to some degree.

What I still do not understand in deep:

Obviously I am running other applications like PHPMyAdmin and a cPanel-like derivative running on dedicated (and therefore opened) ports in order to manage my little server. Right now I can access them locally and from the internet by adding the dedicated port number.

Can this be changed to names? Should I “include” these applications into the already working server block (which, to my understanding, would grant SSL support as SSL is already working and running) or should I use dedicated server blocks for them (which, to my understanding, would mean additional implementation of SSL for these blocks)?

Thanks a lot for some advice (and some more confusion… I like my brain getting hot :D)

Jens

It’s not really nginx specific. But the nginx website has a useful text for you: How nginx processes a request. Beginner’s Guide can also be useful, I guess. Though, once again, it’s more of a general tech question, rather than about nginx.

What you want is, probably, name based virtual hosting. Get yourself a domain, it can be acquired for free sometimes. Set up nginx to serve subdomains of it. Say, cpanel.example.net can lead to cpanel while phpadmin.example.net will lead to phpmyadmin. And blog.example.net will be for wordpress.

You can then create separate server{} blocks for each domain and use ‘proxy_pass’ to feed requests into specific application.

Another approach is to have a single domain name and different paths inside it (for an application it is sometimes called “webroot” or “base url” or similar).

Say, you have example.net/blog, example.net/cpanel and example.net/phpadmin, each having its own location.

And you can, obviously, mix and match these. Have ‘admin.example.com’ for your cpanel and phpmyadmin under different prefixes, but blog.example.net for wordpress.
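The layout oxpa describes in both replies, as an added example written for this thread (not oxpa's or Jens's configuration): “empty” default servers on 80 and 443 that refuse anything not addressed to the site by name, the real site as a single named server, and one extra application reached by path through proxy_pass. The hostname and certificate paths are the ones from Jens's config; the /phpadmin/ prefix and the backend port 8081 are hypothetical, and ssl_reject_handshake needs nginx 1.19.4 or newer.

```nginx
# Catch-all for port 80: requests that do not name the site get the
# connection closed without a response (444 is an nginx-specific code).
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}
# Catch-all for port 443: ssl_reject_handshake (nginx 1.19.4+) refuses the
# TLS handshake for unknown names, so no certificate is needed here.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
# Plain HTTP for the real name only redirects to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name selfhosted.site.net;
    return 301 https://$host$request_uri;
}
# The single real site, reached by name over TLS only.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name selfhosted.site.net;
    ssl_certificate     /etc/letsencrypt/live/selfhosted.site.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/selfhosted.site.net/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    root /storage/Blog;
    index index.php index.html;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
    }
    # Path-based second application (oxpa's other approach): phpMyAdmin is
    # assumed to listen on 127.0.0.1:8081 (hypothetical port), so that
    # management port no longer has to be reachable from the internet.
    location /phpadmin/ {
        proxy_pass http://127.0.0.1:8081/;
        proxy_set_header Host $host;
    }
}
```

Because the default servers absorb every other Host value, Certbot's `if ($host = ...)` guard is no longer needed in the port-80 redirect. An application served under a prefix must be told its base URL (what oxpa calls “webroot”), otherwise its absolute links and redirects will point outside /phpadmin/.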

Now I am getting an idea of it… Thanks a lot oxpa!

Yes, I intend to use a single domain name (already running via DDNS service) and different paths inside that in order to address phpmyadmin, Webmin, NextCloud and others.

Right now I am glad I was able to remove NGinx Bad Bot Blocker completely from my box without killing NGinx totally. Will have to deal with that one later :-/

Thanks a lot again!
