The try_files directive is evil without open_file_cache & static instead of PHP?

Projects NGINX
, , ,
1

Me again…

In order to have some possible solutions at hand I decided to install everything again from ground onto my Raspberry Pi. I made notes about every single step so just in case I can go back whenever something is not working the expected way. Until now I got my Raspberry Pi Nginx server secured quite well giving me “A+” at

https://securityheaders.com

and 95 points of 100 at

https://protocolguard.com.

Took me some time to get there but I am a little bit proud as I did not knew anything about Nginx before and I learned quite a lot by some contributions of members in here. Again: Thank You very much!

Right now I am facing two problems I do not know how to eliminate. The first one is a result of online configuration check at

When entering the results of sudo nginx -T over there it throws me this:

" Issue #1: The try_files directive is evil without open_file_cache

Severity: MEDIUM

The try_files directive introduces performance overhead without open_file_cache
The try_files directive introduces performance overhead.

I read the linked page about that and some others but I do not really understand what is going on here and why this is a medium risk. Any hint?

The second thing… I think it started after installing nginx-extras and / or PHP 8.4 and PHP-FPM but not sure of it. It looks like Nginx seems to serve just static html pages without any formatting or maybe even without using any PHP. To give You an impression: I Think everybody in here knows how index.nginx-debian.html looks like in anybody’s browser when Nginx is installed from scratch. Mine looked the same in the beginning but right now… Well, take a look:

https://liedtke.ddns.net

A bit like Berners Lee first versions. What might be going on? Again any helpful hint is very welcome! Thanks in advance

Jens

2

Hey again!

By parts:

I have never heard of this, but I suppose the “warning” makes a bit of sense. You could try to configure open_file_cache and see what happens, but I wouldn’t worry too much about it unless you start running into performance issues or are constantly querying files using try_files.

I am actually not familiar at all with how that file looks like! Seems like you are installing NGINX from the Debian repo instead of our repo which is why you are getting that file. Coincidentally, that might also be why you can install nginx-extras (as weird as it might sound, that is a Debian built package, not an NGINX built package). My debugging suggestion would be to restart again your setup and see what change causes this issue. And if you can, consider using our prebuilt packages :slight_smile:

3

Hey again, Alessandro, thanks for Your patience!

Regarding the different look: I guess You will have seen standard PHP info pages before, the ones giving info on any PHP related aspect. These pages look formatted, have colours (that blue-lilac thing), nice fonts and else. When I am placing a PHP info.php in a directory of my choice it is rendered like a very basic html page, no colours at all. Looks to me like Nginx does somewhat prefer standard html formatting instead of PHP… And I don’t know exactly why this does happen at all. To give You an impression how it should look like:

Thanks again, I will have a look into that nginx-extra thing. Maybe modules?

4

I might date myself but it’s actually been years since I dealt with PHP directly :sweat_smile:. Based on what you are saying the issue seems to be with your php fpm setup inside NGINX. Can you share that part of your config? There is a small chance this might also be due to a compatibility issue between the nginx and nginx-extras packages, which is why I suggested starting from scratch (again, I know…) to see where your config breaks.

5

You call Yourself “dated”? Man, I still need 3 oversized monitors to get along with all the windows I am dealing with on my Mac (I will never get used to some new technologies) while messing around with by now 4 Linux boxes! And I would call myself “at least a bit organized” :smiley: Just jokin… Alright.

What I am up to right now: I am still using the default configuration in /etc/nginx-sitesavailable/ as some sort of template for future websites I intend to host so please do not bash me too much, I am still learning (and I learned a lot the past few weeks). My basic nginx.conf file looks like this:

worker_processes auto;
worker_rlimit_nofile 8192;
worker_cpu_affinity auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 4096;
        multi_accept on;
}

http {

        ##
        # Fail2Ban Bot Logging
        ##

        log_format      fail2banlog     '{"ip": "$remote_addr",'
                                        '"host": "$host",'
                                        '"path": "$request_uri",'
                                        '"status": "$status",'
                                        '"referrer": "$http_referer",'
                                        '"user_agent": "$http_user_agent",'
                                        '"length": $bytes_sent,'
                                        '"generation_time_milli": $request_time,'
                                        '"date": "$time_iso8601"}';


        ##
        # Basic Settings
        ##

        keepalive_timeout 15;

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        server_tokens off;
        more_set_headers 'Server: Nice try! Try again...';

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##
        ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3 (POODLE), TLS 1.0, 1.1
        ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256';
        ssl_prefer_server_ciphers on; # Don't force server cipher order.
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 1h;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;";
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com";
        add_header Referrer-Policy "strict-origin";
        add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header Cross-Origin-Embedder-Policy "require-corp";
        add_header Cross-Origin-Resource-Policy "same-origin";
        add_header Cross-Origin-Opener-Policy "same-origin";
        add_header Feature-Policy "geolocation 'self'; midi 'self'; camera 'self';";
        add_header Timing-Allow-Origin "*";
        add_header Expect-CT "max-age=86400, enforce, report-uri='https://domain.com/report'";

        ##
        # Rate Limiting
        ##

        limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
        limit_req zone=one burst=5 nodelay;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        access_log /var/log/nginx/fail2ban.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip off;

        # gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 5;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
 ##
        # Brotli Settings
        ##

        brotli on;
        brotli_comp_level 5;
        brotli_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;



}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

I know, Fail2Ban still has some troubles with Bot blocking but this is not of interest right now (in fact I do understand Fail2Ban by now better than Nginx… :-/ ) The config file in /etc/nginx/sites-available/default looks like this right now:

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;


        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.php index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass PHP scripts to FastCGI server
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php-fpm (or other unix sockets):
        #       fastcgi_pass unix:/run/php/php8.4-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        #}
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}


}

# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}

server {

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.php index.html index.htm index.nginx-debian.html;
        server_name liedtke.ddns.net; # managed by Certbot

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass PHP scripts to FastCGI server
        #
        location ~ \.php$ {
               include snippets/fastcgi-php.conf;
        #
        #       # With php-fpm (or other unix sockets):
                fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ \.php$ {
                deny all;
        }


    listen 443 ssl; # managed by Certbot
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/liedtke.ddns.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/liedtke.ddns.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = liedtke.ddns.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80 ;
        listen [::]:80 ;
    server_name liedtke.ddns.net;
    return 404; # managed by Certbot

        index index.php index.html;

        location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }



}

I triple checked that the php-fpm connection is aiming to the right file and directory. In fact after installing nginx-extras I noticed that the fastcgi_pass directive was actually wrong in one line, had to change it from fastcgi_pass unix:/run/php/php8.4-fpm.sock; to fastcgi_pass unix:/var/run/php/php8.4-fpm.sock; Corrected that one, no change.

6

And just to be extra sure, this is the config with which your PHP files are not rendering correctly, right?

7

I guess so, yes.

1 Like
8

Okay so looking at NGINX Modules provided by GetPageSpeed - NGINX Extras Documentation, it does seem there are no PHP specific modules in nginx-extras, which probably means that that package is not the issue, which is good. However, like you deduced everything seems to point to this being an issue with PHP-FPM. It’s very hard to actually debug this without access to your system, so all I can really advise on my end is to keep on keeping on trying to see if everything is set up correctly and pointing to the right places.

9

I use php-fpm extensively and in the past have had several php versions running in parallel on several ports. Switching is just a matter of switching the port used in the vhost file and my go to check is phpinfo to confirm what is loading. Problems do arise when I need to access files like .css and often formatting is messed up if an old version is picked up in place of the right version for the selected php build. I use Firefox as my browser, and the F12 tools are VERY useful at spotting just what is going wrong and often it’s not finding a file I expect it to see. That and a (shift)(reload) of the page often clears the BROWSERS duff cached copy of a file :wink:

10

In fact I am setting up all this for the third time by now. I fiddled around a lot with PHP, PHP-FPM and especially with almost every php.ini file that resided on my Raspberry Pi with no effort. So I read my own notes I made at the second attempt. The only more or less obvious difference between the first and second attempt was to install a dedicated 8.4 PHP-FPM version while in the second attempt I chose - how should I call it - a “general” PHP-FPM install without version number. I might be wrong here but maybe this causes these errors. Nevertheless I will start the third attempt with the official versions of Nginx, PHP and PHP-FPM these days and compare the steps and differences by adapting the descriptions of these steps in my notes. So more questions will appear I think…

1 Like