Server config for Nginx

[clemenslermen]

Hi guys,
sorry if this is the wrong place. I already googled a lot but can't get userfrosting running on nginx. Also I read that a lot of you guys a using nginx. Is there some sort of default rule I need to copy into location?
Tried now several things - but screen stays blank during install also everything seems to be in correct place and served correctly.

[r3wt]

@clemenslermen please provide your nginx.conf or vhost file. i'll make modifications to it to get you up and running.

[clemenslermen]

The nginx.conf is nearly untouched, but i've got this for regular http/https in my available site. I added
try_files $uri/ /index.php?q=$uri&$args; as seen at another users config

server {
    listen 443;
    server_name servername.de;
    root /usr/share/nginx/html;
    index index.html index.htm index.php index.php5;
    autoindex on;
    add_header 'Access-Control-Allow-Origin' "*";


    access_log /var/log/nginx/brandpage/access.log;
    error_log /var/log/nginx/brandpage/error.log;

    ssl on;
    ssl_certificate ssl/ssl-bundle.crt;
    ssl_certificate_key ssl/myserver.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    location /userfrosting 
    {
    try_files $uri/ /index.php?q=$uri&$args;
    }



    location ~* \.php$ {
        autoindex on;
        include fastcgi_params;
        fastcgi_pass php;
        fastcgi_index index.php;
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'X_API_KEY'; # and all headers ', ' separated

    }
}

[alexweissman]

I found this on the Slim help forum (please note that UserFrosting is built on top of Slim, which might be helpful: http://help.slimframework.com/discussions/show-and-tell/209-sample-nginx-config

[r3wt]

fastcgi_pass php;

unless php has been defined as a proxy, or group of proxies, this is your problem. you must pass the request to php, so this is either a file descriptor socket ie, /var/run/php.sock or host port, ie 127.0.0.1:9000. This depends on how you are running php of course. unix socket will have slightly less latency

another possible problem is the location /userfrosting block. that looks suspect.

[clemenslermen]

Hi guys, thx for your help so far.
somehow I came across that the first show stopper were an typo error in my mysql conf. I also altered the cgi pass (but don't think this was the problem, as it was serving other PHP Contents without a problem)
So far so good, i've got one step closer, there is something happening on the database (stuff is inserted) but I get a "File not found" from PHP when the script redirects to /public/install/? - could this have something to do with the rewrite rule?

[turyn]

I am affected by the same issue i.e. upon installation I get 404 with "/public/install/?"

[alexweissman]

@klearvue Are you using nginx, apache, or iis?

[turyn]

@alexweissman , nginx with the following config:

server {
  listen 8081;
  root /home/klearvue/www/app4264;
  index index.php index.html index.htm; 
  server_name center-new.localhost;

  charset UTF-8;
  add_header  Cache-Control public;
  default_type image/png;
  client_body_buffer_size 1m;
  proxy_buffering on;
  proxy_buffer_size 4k;
  proxy_buffers 8 32k; 

  location / {
    try_files $uri $uri/ /index.php?$request_uri;
  }

  location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_read_timeout 300;
    include fastcgi_params;
  }

  location ~* \.(htc|jpg|jpeg|gif|css|png|js|ico|html|swf|flv)$ {
    expires 30d;
    access_log off;
    log_not_found off;
  }
}

[alexweissman]

Alright, I don't know too much about nginx, but hopefully someone will come along (perhaps @r3wt) who can help. You could try the sample config file here: http://help.slimframework.com/discussions/show-and-tell/209-sample-nginx-config and see if that works.

[clemenslermen]

Actually tried this... without success.

[alexweissman]

So, are you guys both still stuck? Are there any errors in the php error log, or Nginx's log?

[crabstance]

Having the same issue, after copying userfrosting to my web folder I got to:
http://localhost/userfrosting/public

Which resolves to:
http://localhost/userfrosting/public/install/?

This throws a 404 error:
404 Not Found
nginx/1.4.6 (Ubuntu)

No errors in nginx or php error logs. I suspect php-fpm isn't error reporting as you would expect some 404s but perhaps not, not sure. There is also a table in my database called "uf_configuration" so i believe the configuration of userfrosting is correct. Perplexed.

Anyone with insight on this? Thanks!

[alexweissman]

@crabstance you tried the suggested nginx config file?

[crabstance]

Yes, but now I can't connect at all. I'm not sure exactly what's happening in the example file, for one, what is cannon? Is that simply the folder name the user was using in his web project? What about api? what's supposed to be in that folder? At any rate still no luck. here's my config

server {
    # for my local dev since port 80 is taken
    listen 81; ## listen for ipv4; this line is default and implied
    #listen [::]:80 default_server ipv6only=on; ## listen for ipv6

    server_name cannon;
    root /usr/share/nginx/html;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm ;
    }

   location /api/ {
        root /usr/share/nginx/html/api;
        index index.php;
        try_files $uri /api/index.php;
    }

    location ~ \.php$ {
        root /usr/share/nginx/html/api;
        # NOTE: You should have "cgi.fix_pathinfo = 1;" in php.ini
        # With php5-fpm:
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
        fastcgi_param REMOTE_ADDR $remote_addr;
        fastcgi_param REMOTE_PORT $remote_port;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param SERVER_NAME $server_name;
        # see http://wiki.nginx.org/HttpFastcgiModule#.24fastcgi_script_name
        fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html$fastcgi_script_name;
    }
}

Thanks for the help!

[crabstance]

Okay, I understand now. I don't need those extra location declarations. I have duplicated the php block and replaced the paths to my own web folder but still getting a 404.

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.php index.html index.htm;

    server_name localhost;

    location / {
        try_files $uri $uri/ =404;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    location ~ \.php$ {
        root /usr/share/nginx/html;
        # NOTE: You should have "cgi.fix_pathinfo = 1;" in php.ini
        # With php5-fpm:
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
        fastcgi_param REMOTE_ADDR $remote_addr;
        fastcgi_param REMOTE_PORT $remote_port;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param SERVER_NAME $server_name;
        # see http://wiki.nginx.org/HttpFastcgiModule#.24fastcgi_script_name
        fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html$fastcgi_script_name;
    } 

}

[alexweissman]

Alright, I'll try to set up nginx at some point and see if I can't get this figured out myself.

[lilfade]

Maybe it's something with the .htaccess since nginx don't use apache
.htaccess so no rewrites are being done as with apache2.

On Fri, Aug 28, 2015, 8:46 PM Alex Weissman notifications@github.com
wrote:

Alright, I'll try to set up nginx at some point and see if I can't get
this figured out myself.

—
Reply to this email directly or view it on GitHub
#373 (comment)
.

[r3wt]

I can only help those who are willing to help their selves.

You must understand NGINX fully. it is not a webserver you can just copy and paste codes together in the config file and it will work hunky dorey. you must understand what you are doing.

Now the key part about any webserver is that it needs to have a location block for fastcgi requests, here's what mine looks like:

location ~ \.(php)$ {
    try_files $uri = 404;
    location ~ \..*/.*\.php$ {return 404;} #detect Local File Inclusion Exploit attempts, return 404
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_keep_conn on;
    fastcgi_pass unix:/var/run/hhvm/hhvm.sock; # in my case i'm running hhvm. you're running php though. yours will be like /var/run/php5/php5-cgi.sock or some shit.
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include        fastcgi_params;
}

now, we have defined a way to pass files ending in .php to our fastcgi php daemon. but with slim, our requests will technically have no .php, so how do we include the index.php filename in the request?

short answer:

location / {
    # in the root of my app, i want to transfer any request without a file name to `index.php`
    # this enables us to trigger this request being passed into the fast cgi server we setup in the above location ~(php) directive.
    index index.php;
    try_files $request_uri $request_uri/ /index.php?$query_string; 
}

Now to iterate, this is a bare minimum server block for nginx + slim applications, such as userfrosting.:

server {
    listen 80;

    server_name example.com;

    root /usr/share/nginx/html/;

    location ~ \.(php)$ {
        try_files $uri = 404;
        location ~ \..*/.*\.php$ {return 404;}
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_keep_conn on;
        fastcgi_pass unix:/var/run/hhvm/hhvm.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    location / {
        include /etc/nginx/mime.types;
        index index.php;
        try_files $request_uri $request_uri/ /index.php?$query_string;
    }

}

Note, my example uses HHVM: change the line fastcgi_pass unix:/var/run/hhvm/hhvm.sock; to whatever fastcgi program you are using, php5 or whatever.

[r3wt]

Here's an minimal example with SSL for good performance and reasonable 90/100 Qualsys score security.

server {
    listen 443 ssl spdy; # we listen ssl first with spdy second. if browser support spdy it will attempt to upgrade immediately on handshake
    server_name example.com;


    ssl_certificate /etc/nginx/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/server.key;

    # enable session resumption to enable low latency for repeat visitors.
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/dhparam.pem; # google will tell you how to make this

    # enables server-side protection from BEAST attacks
    ssl_prefer_server_ciphers on;

    # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # ciphers chosen for forward secrecy and compatibility
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
    resolver 8.8.8.8;
    ssl_stapling on;
    ssl_trusted_certificate /etc/nginx/ssl-bundle.crt; # same as your ssl-bundle.crt

    # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
    add_header X-XSS-Protection "1; mode=block"; #optional

    root /usr/share/nginx/html/;


    # handle php requests.
    location ~ \.(php)$ {
        location ~ \..*/.*\.php$ {return 404;}
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_keep_conn on;
        fastcgi_pass unix:/var/run/hhvm/hhvm.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    # we can cache some static files
    location ~* .(png|gif|jpg|jpeg|ico|css|js|woff|ttf|otf|woff2|eot)$ {
        include /etc/nginx/mime.types;
        expires max;
    }

    # serve UserFrosting from root directory
    location / {
        include /etc/nginx/mime.types;
        index index.php;
        try_files $request_uri $request_uri/ /index.php?$query_string;
    }

}

[alexweissman]

@r3wt thanks, but please be more polite and professional.

[crabstance]

So I'm fairly sure the url rewrite rules are the issue. I've tried using htaccess conversion tools online but all 3 available render different results so I'm not exactly confident about them. After reading a bunch I think using conditionals in the nginx conf file should at least work so i tried that and I can load nginx successfully with most of the rewrite declarations from the original user frosting htaccess. Now when I attempt to navigate to /userfrosting/public I don't get even a 404 but simply my default document which i think is the reault of the uri not resolving to 404 but that isn't a big deal and I can figure that out later. Right now I am still at the point of trying to figure out if UF will even run on nginx.

my configuration file (note I commented out the calls that prevent nginx from loading):

server {

listen 80;

    server_name localhost;

    root /usr/share/nginx/html/;

    location ~ \.(php)$ {
        try_files $uri = 404;
        location ~ \..*/.*\.php$ {return 404;}
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_keep_conn on;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    location / {
    if ($http_host ~* "^www.(.*)$"){
        set $rule_0 1$rule_0;
        set $bref_1 $1;
    }
    if ($rule_0 = "1"){
        rewrite ^/(.*)$ http://$bref_1/$1 permanent;
    }
    if (!-d $request_filename){
        set $rule_1 1$rule_1;
    }
    if ($uri ~ "(.+)/$"){
        set $rule_1 2$rule_1;
        set $bref_1 $1;
    }
    if ($rule_1 = "21"){
        rewrite ^/ /$bref_1 permanent;
    }

    #if ($0#$uri ~ "^([^#]*)#(.*)1$"){
    #   set $rule_2 1$rule_2;
    #   set $bref_2 $2;
    #}

    #if ($rule_2 = "1"){
    #   setenv BASE:$bref_2;
    #ignored: "-" thing used or unknown variable in regex/rew 
    #}
    #ignored: condition 0
    #if ($rule_3 = "1"){
    #ignored: "-" thing used or unknown variable in regex/rew 
    #}
    if (!-f $request_filename){
        set $rule_4 1$rule_4;
    }
    if ($rule_4 = "1"){
        rewrite ^/ /index.php last;
    }


        include /etc/nginx/mime.types;
        index index.php;

    try_files $request_uri $request_uri/ /index.php?$query_string;
    }

}

So basically as I understand it, the nginx configuration is incorrect meaning the requests are never properly processed or passed to any scripts. However when I attempt to use the rewrite rules, some of them keep nginx from loading and I am also getting different results when attempting to convert the re-write rules using online tools so if anyone has a tool they know and trust that would be helpful as well.

I'm doing this for educational purposes so sorry if I seem a bit lost. I would really love to get this resolved so that there is at least a working example of UF running on nginx I know I will find it useful.

[alexweissman]

Well, I'll start with your config file and see what I can do from there. The question you should be asking isn't whether UF can run on nginx, but whether Slim can run on nginx. A lot of people seem to forget or ignore the fact that UF is built on top of Slim, and it is Slim that handles all of the routing.

I don't see any reason why it shouldn't be possible, though. Have you tried the Slim help forums?

[crabstance]

Good point actually, i will take a deeper look at the docs on slim, thanks!

On Mon, Aug 31, 2015 at 12:21 PM, Alex Weissman notifications@github.com
wrote:

Well, I'll start with your config file and see what I can do from there.
The question you should be asking isn't whether UF can run on nginx,
but whether Slim http://www.slimframework.com can run on nginx. A lot
of people seem to forget or ignore the fact that UF is built on top of
Slim, and it is Slim that handles all of the routing.

I don't see any reason why it shouldn't be possible, though. Have you
tried the Slim help forums http://help.slimframework.com?

—
Reply to this email directly or view it on GitHub
#373 (comment)
.

[r3wt]

@crabstance could you list out each rewrite rule, and explain what it is supposed to accomplish?

also, have you tried:

listen 80 default_server;
server_name _;

[rez]

Hey, @alexweissman thanks for creating the project. There should be more simple user system starters out there.

I have been trying to deploy my project to my nginx server today and saw this post still open. The following, I can confirm, has got your project working with a lemp stack for me...Obviously it will probably need tweaking for anyone else and I probably won't be able to relate very well to others as my server has a lot going on and I am no nginx expert. But hopefully it can kickstart others if this is still an issue. You will need to replace the listen,allow and host variables if you need them, obviously.

server {
    listen address:80;

        access_log /var/log/nginx/access.log haproxy_log;

        allow xxx;
        deny all;

        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
    root /usr/share/nginx/yourdirectory;

    index index.php index.html index.htm;

    # Make site accessible from http://localhost/
    server_name your.hostname;

    location / {
        location ~ \.[^css|js|jpg|jpeg|png|gif]$ {
              fastcgi_pass 127.0.0.1:9000;
                  include fastcgi_params;
         }  
            try_files $uri $uri/ /index.php$is_args$args;
     }

         location ~ \.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }
}

[alexweissman]

@rez I've successfully managed to use a version of your configuration (modified for PHP 7) on our new demo server, and it's working great! Thanks so much - I will add this to the repo on the next hotfix.

[alexweissman]

At long last, I've finally added a working nginx config file in c16825d. It's powering our demo server on Ubuntu with UF4!

It should work with UF3 as well.