NGINX Support #11

Closed
claviska opened this issue Jul 29, 2016 · 13 comments

@claviska
Contributor

This is already a common request, so let's work on getting Nginx supported officially through the installer.

@claviska claviska changed the title Nginx Support NGINX Support Jul 29, 2016
@webanvesh

Very Interesting Feature / upgrade.

@trentyarwood

trentyarwood commented Jul 31, 2016

EDIT:

...on second thoughts, it might not be working so well after all - the blog posts aren't displaying properly and there's a few login errors, but it does display and might help people to get started.

Thanks to Cory for this SO link which helped me get it working:

Config file (note that I'm completely terrible at this, so the file might be a bombsite; tips for improvement appreciated).

```nginx
server {
    listen 80;
    server_name myserver;
    return 301 https://$host$request_uri;
    #defaults to https because what is wrong with you?
}

server {
    listen 443 ssl;
    server_name myserver;

    #ssl
    ssl_certificate      /home/user/.ssh/server.crt;
    ssl_certificate_key  /home/user/.ssh/server.key;
    ssl_session_timeout  5m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    # the cipher list below is cut off in the original post
     ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-S$
    ssl_prefer_server_ciphers   on;
    ssl_dhparam /etc/nginx/conf.d/dhparams.pem;
    add_header Strict-Transport-Security max-age=31536000;

    #proxy config
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect     off;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 32 4k;
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
    #end ssl/proxy stuff

    access_log /var/log/nginx/postleaf.access.log;
    error_log /var/log/nginx/postleaf.error.log;

    root /var/www/postleaf/;

    location ~ \.php$ {
        fastcgi_pass        127.0.0.1:8005;
        include             fastcgi_params;
        fastcgi_param       PATH_INFO $fastcgi_script_name;
        fastcgi_param       SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
        fastcgi_buffers 8 16k;
        fastcgi_buffer_size 32k;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        # try_files takes no "="; a missing script falls through to @missing
        try_files $uri @missing;
        fastcgi_index index.php;
    }

    location / {
        index index.php index.html index.htm;
        # "?" is needed so $args is passed as the query string
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ /\.ht {
        deny all;
    }

    location @missing {
        rewrite ^ $scheme://$host/index.php permanent;
    }
}
```

@NinoSkopac
Contributor

@trentyarwood You have way too much code in your snippet. You should only focus on the essentials, and let others build on top of it, with, for example, SSL support.

@claviska Is this the only code that needs to be translated to nginx syntax?

```apache
# Rewrites
RewriteEngine On

# Forbid access to these folders
RewriteRule ^backups/ - [F]

# Route requests through index
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [QSA,L]
```

@claviska
Contributor Author

Yep, Postleaf uses Slim so everything that doesn't exist needs to be routed through index.php. We can probably use this config as a baseline to support Nginx.

@jclacherty

jclacherty commented Aug 1, 2016

I have it working with the following config and php5-fpm. Won't work with hhvm though :-(

updated: previous config wouldn't work with the installer
updated: previous config didn't pass query parameters

```nginx
server {
        listen  80;
        server_name postleaf.mydomain.com;

        access_log /var/log/nginx/postleaf.access.log;
        error_log /var/log/nginx/postleaf.error.log error;

        return 301 https://$host$request_uri;
}

server {
        # "listen 443; ssl on;" written in the current form
        listen  443 ssl;
        server_name postleaf.mydomain.com;

        access_log /var/log/nginx/postleaf.access.log;
        error_log /var/log/nginx/postleaf.error.log error;

        root /opt/postleaf/;
        client_max_body_size 100M;
        fastcgi_buffers 64 4K;

        gzip off;

        index index.php;

        # anything that is not an existing file goes to index.php with its query string
        try_files $uri /index.php?$query_string;

        location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
        }

        location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README) {
                deny all;
        }

        location ~ ^/backups/ {
                return 403;
        }

        location /source/installer {
        }

        location ~ ^(/index\.php|/source/installer/.*\.php)$ {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_param HTTPS on;
                # php-handler is an upstream that is not shown in this snippet
                fastcgi_pass php-handler;
        }
}
```

@jclacherty

I lie. It almost works. When you click on a post it goes to Postleaf's 404. Which seems to suggest it's a Postleaf issue rather than nginx.

```
192.168.0.1 - - [01/Aug/2016:15:15:34 +1000] "GET /welcome-to-postleaf HTTP/1.1" 404 4159 "https://postleaf.mydomain.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
```

So judging by the access log, nginx has correctly redirected to index.php and Postleaf is returning the 404.

@claviska claviska mentioned this issue Aug 1, 2016
@claviska
Contributor Author

claviska commented Aug 1, 2016

That path is routed through Slim, so it's more likely that this is an Nginx config issue than a Postleaf issue. I'll work on Nginx support soon. Still open to sample configs if someone has a working one.

@jclacherty

Ok, it just works now. Wonder if it's some sort of weird date/time thing... After installing I changed the timezone to Australia.

@claviska
Contributor Author

claviska commented Aug 3, 2016

I'm not an Nginx guru, so correct me if I'm wrong, but due to the way the config seems to work, I don't think this is something we'll be able to do through the installer. It's going to require some preconfig. We may just need to document a general config and have the user update it manually before installing.

The good news is you only have to configure a couple things:

  • All requests made to a file or directory that doesn't exist need to go to index.php
  • Everything inside the backups folder should be restricted

The bad news is we can't reliably detect the server software that's running, so this will have to be an option in the installer. 🤔

@joshas

joshas commented Aug 3, 2016

> due to the way the config seems to work, I don't think this is something we'll be able to do through the installer

You are correct, NGINX configuration files are stored separately, way out of web apps' reach.

@calmdev

calmdev commented Aug 4, 2016

I set up nginx and a postleaf.dev site to try running it locally on OSX using port 6500 (have other stuff bound to 80). This is what's working for me:

```nginx
server {
  listen                *:6500;
  server_name           postleaf.dev;
  access_log           /path/to/postleaf.dev.access.log;
  error_log            /path/to/postleaf.dev.error.log;

  location / {
    root  /path/to/postleaf/app;
    try_files  $uri  $uri/  /index.php?$args;
    index index.php;
  }

  location ~ /(backups) {
    deny all;
    return 404;
  }

  location ~ \.php$ {
    root  /path/to/postleaf/app;
    try_files  $uri  $uri/  /index.php?$args;
    index  index.html index.htm index.php;

    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_intercept_errors on;
    include fastcgi_params;
  }

}
```

[Five screenshots attached, taken 2016-08-04 between 10:05 and 10:07 am]

The last screenshot is 404 to demonstrate that the backup file is not directly accessible.
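
Added example, not code from any participant in this thread or from Postleaf: a small Python model of how nginx picks a `location`, run over the location blocks posted above, to check which configs restrict the backups folder and whether a deny regex also catches ordinary post slugs. The labels and all request paths except `/welcome-to-postleaf` are constructed; `try_files` and everything inside the blocks is not modelled.

```python
import re

def pick_location(locations, uri, default="file-or-index"):
    """Choose a location as nginx does: '=' exact match, then the longest
    prefix (final if marked '^~'), then regexes in file order, first hit wins."""
    best = None
    for mod, pat, action in locations:
        if mod == "=" and uri == pat:
            return action
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, action)
    if best and best[0] == "^~":
        return best[2]
    for mod, pat, action in locations:
        if mod in ("~", "~*") and re.search(pat, uri, re.I if mod == "~*" else 0):
            return action
    # No location at all means the server-level try_files applies (jclacherty's config).
    return best[2] if best else default

# (modifier, pattern, label) transcribed from the thread; labels are this example's own.
CONFIGS = {
    "trentyarwood": [("~", r"\.php$", "php"), ("", "/", "file-or-index"),
                     ("~", r"/\.ht", "deny")],
    "jclacherty": [("=", "/robots.txt", "static"),
                   ("~", r"^/(?:\.htaccess|data|config|db_structure\.xml|README)", "deny"),
                   ("~", r"^/backups/", "deny"),
                   ("", "/source/installer", "static"),
                   ("~", r"^(/index\.php|/source/installer/.*\.php)$", "php")],
    "calmdev": [("", "/", "file-or-index"), ("~", r"/(backups)", "deny"),
                ("~", r"\.php$", "php")],
}

# Constructed paths: a backup archive and two post slugs, plus the post from the log.
URIS = ["/backups/site.zip", "/backups-and-restores", "/data-recovery-tips",
        "/welcome-to-postleaf"]

def audit():
    """Map each config to the location label every sample path ends up in."""
    return {name: {u: pick_location(locs, u) for u in URIS}
            for name, locs in CONFIGS.items()}

if __name__ == "__main__":
    for name, row in audit().items():
        print(name, row)
```

A `file-or-index` result for `/backups/site.zip` means the archive is served from disk if it exists, and a `deny` result for a post slug means an unanchored or prefix-style regex is blocking more than the folder it was written for.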

@doughnet

doughnet commented Aug 5, 2016

If someone could also help out with Caddy rewrite code, that would be awesome. I tried to see if I could figure it out myself but unfortunately wasn't able to.

Reference: https://caddyserver.com/docs/rewrite

@claviska
Contributor Author

Looks like we have a good sample config. Closing since there's nothing we can preconfigure with the installer.

Tutorial here: https://www.postleaf.org/running-postleaf-on-nginx

Thanks @calmdev!
