Nginx gateway host configuration

Hi, I have set up my Ubuntu server with nginx using a gateway host that terminates TLS and proxies to separate virtual hosts for several apps (Nextcloud, Wekan).

Now I'm struggling to set up the same nginx layout for Chevereto. My installation path is
Code:
/var/www/html/chevereto/
My gateway host configuration looks like this (simplified):

Code:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Everything under /nextcloud/ is handed to the Nextcloud virtual host,
    # which listens on loopback port 82 (see the next listing).
    location ^~ /nextcloud/ {
        proxy_pass http://127.0.0.1:82;
        proxy_redirect off;

        # Forward the original Host header and the real client address;
        # otherwise the backend only ever sees 127.0.0.1.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        # Large uploads: the body limit has to be raised on the proxy as well
        # as in the backend, and buffering is turned off so the body streams
        # through instead of being spooled to a temp file first.
        client_max_body_size 10G;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_max_temp_file_size 10240m;

        # Long transfers: these timeouts must be raised in step with the ones
        # in the Nextcloud vhost, or the proxy closes the connection first.
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        send_timeout 3600;
    }
}
Which means any request on my domain whose path starts with /nextcloud/ is proxied to a local host on a specific port (in this case 82). Please note that all requests to http (port 80) are automatically redirected to https (port 443).

My configuration for a virtual host looks like this (simplified):

Code:
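server {
    # Loopback only: this vhost is reachable solely through the gateway host.
    listen 127.0.0.1:82;
    server_name 127.0.0.1;

    # Path to the root of your installation. With root /var/www/ the
    # /nextcloud/... URIs below map onto /var/www/nextcloud/.
    root /var/www/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location ^~ /nextcloud {
        # set max upload size (keep in step with client_max_body_size on the gateway)
        client_max_body_size 10G;
        fastcgi_buffers 64 4K;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        # Uncomment if your server is build with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;

        # Front controller: every request under /nextcloud is rewritten to
        # index.php. The location that hands .php requests to PHP-FPM is not
        # part of this simplified listing.
        location /nextcloud {
            rewrite ^ /nextcloud/index.php$request_uri;
        }
    }
    # The original listing was missing this closing brace for the server block.
}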
So the Nextcloud virtual host listens on 127.0.0.1:82 and handles those proxied requests.

But I have tried several things and was not able to get the same setup working for Chevereto.

Does anybody use a similar approach and can share their nginx configuration for this? That would be really appreciated.
 

Below is my current configuration. If I open the URL my.domain/chevereto, my browser downloads index.php instead of running it. So the PHP handling (passing .php requests on to PHP-FPM) is probably wrong. Can anybody help?

Gateway Host:
Code:
# PHP-FPM socket used by the virtual hosts (fastcgi_pass php-handler).
# Declared in the gateway file but only referenced from the vhost files;
# the nginx worker user needs read/write permission on the socket.
upstream php-handler {
    server unix:/run/php/php7.2-fpm.sock;
}

# Standard WebSocket helper: when the client sends an Upgrade header,
# $connection_upgrade becomes "upgrade", otherwise "close".
# NOTE(review): no location in this listing references $connection_upgrade;
# presumably it serves a proxy block (e.g. Wekan) that is not shown here.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
        listen 80 default_server;
        server_name my.domain server.ip.adress;

        root /var/www;

        # ACME http-01 challenges are answered by a separate loopback service
        # on port 81. They have to stay reachable over plain HTTP, so this
        # location is exempt from the redirect below.
        location ^~ /.well-known/acme-challenge {
                proxy_redirect off;
                proxy_pass http://127.0.0.1:81;
        }

        # Everything else goes to HTTPS. $server_name is the first name of the
        # server_name directive (my.domain), so the redirect target is fixed by
        # this config rather than taken from the client's Host header.
        location / {
                return 301 https://$server_name$request_uri;
        }
}

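server {
        listen 443 ssl http2;
        server_name my.domain server.ip.adress;

        ssl_certificate /etc/letsencrypt/live/my.domain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/my.domain/privkey.pem;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ...;
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;
        ssl_ecdh_curve ...;
        ssl_prefer_server_ciphers on;

        # NOTE(review): OCSP stapling needs a "resolver" directive to look up
        # the responder; none is set in this version of the config, so the
        # staple is likely not fetched (the later version adds one).
        ssl_stapling on;
        ssl_stapling_verify on;

        ssl_trusted_certificate /etc/letsencrypt/live/my.domain/chain.pem;

        ssl_session_timeout 24h;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        # Security headers for every response from this gateway, proxied ones
        # included. add_header is NOT inherited into a location that declares
        # its own add_header; none of the locations below do, so these apply
        # everywhere. (X-XSS-Protection is legacy and ignored by current browsers.)
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "same-origin" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;

        # Catch-all: anything not routed to a backend below is refused.
        # The original used "location = /", which only covers the exact path "/";
        # every other unmatched path fell through to nginx's static file handler.
        # No root is set in this server, so that meant the compiled-in default
        # html directory -- but had a root such as /var/www been added later,
        # application files (PHP source included) would have been served from
        # disk. A prefix location closes that hole regardless of root.
        # Note: /chevereto and /nextcloud without a trailing slash are refused
        # too; link to the trailing-slash form.
        location / {
                deny all;
        }

        #
        # Nextcloud (virtual host on loopback port 82)
        #
        location ^~ /nextcloud/ {
                client_max_body_size 10G;
                proxy_connect_timeout 3600;
                proxy_send_timeout 3600;
                proxy_read_timeout 3600;
                send_timeout 3600;
                proxy_buffering off;
                proxy_request_buffering off;
                proxy_max_temp_file_size 10240m;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass http://127.0.0.1:82;
                proxy_redirect off;
        }

        # CalDAV/CardDAV autodiscovery. $server_name (the first name above) is
        # used instead of $host so the redirect target cannot be steered by a
        # client-supplied Host header -- the same choice the port-80 redirect makes.
        location = /.well-known/carddav {
                return 301 $scheme://$server_name/nextcloud/remote.php/dav;
        }

        location = /.well-known/caldav {
                return 301 $scheme://$server_name/nextcloud/remote.php/dav;
        }

        #
        # Chevereto (virtual host on loopback port 83)
        #
        location ^~ /chevereto/ {
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Host $host;
                # X-Real-IP is set from the TCP peer address and is the value the
                # backend can trust. $proxy_add_x_forwarded_for APPENDS to any
                # X-Forwarded-For the client already sent, so only the last entry
                # of that header is reliable; the first entry is client-controlled.
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass http://127.0.0.1:83;
                proxy_redirect off;
        }
}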
Code:
server {
        server_name 127.0.0.1;
        listen 127.0.0.1:83;
        # NOTE(review): the first post gives the install path as
        # /var/www/html/chevereto/, but this root makes /chevereto/ resolve to
        # /var/www/chevereto/ -- confirm which one is current.
        root /var/www/;

        # NOTE(review): nothing in this server passes .php requests to PHP-FPM
        # (there is no "location ~ \.php$ { fastcgi_pass ... }"), so index.php
        # is served as a plain static file -- which is exactly the download
        # described above.
        location ^~ /chevereto {
        #       index index.php;

        #Chevereto: Disable access to sensitive files
        # Nested regex locations are tried in order of appearance; keep this
        # block ahead of any PHP handler that gets added, or .php files under
        # app/, content/ and lib/ will be executed instead of refused.
        location ~* /(app|content|lib)/.*\.(po|php|lock|sql)$ {
           deny all;
        }

        #Chevereto: CORS headers
        # Unanchored: matches any URI that merely contains ".css", ".js", ...
        # somewhere in its path, not only URIs ending in those extensions.
        location ~* /.*\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js) {
           add_header Access-Control-Allow-Origin "*";
        }

        #Chevereto: Upload path for image content only and set 404 replacement
        # "^~" stops the regex search here, so nothing under images/ can reach
        # a PHP handler. Everything that is not matched by the inner regex gets 403.
        location ^~ /chevereto/images/ {
           # Unanchored: "png", "gif" or "jpe?g" anywhere in the name passes,
           # e.g. x.png.php (served as a static file, not executed).
           location ~* (jpe?g|png|gif) {
           log_not_found off;
           error_page 404 /chevereto/content/images/system/default/404.gif;
        }
        return 403;
        }

        #Chevereto: Pretty URLs
        # The fallback "/index.php" is resolved against root, i.e.
        # /var/www/index.php, not /var/www/chevereto/index.php.
        location /chevereto {
           index index.php;
           try_files $uri $uri/ /index.php?$query_string;
        }
    }
}
 

It's running now. Here is the configuration that works for me, in case someone is interested:

Gateway host:
Code:
# PHP-FPM socket that the Chevereto vhost hands .php requests to
# (fastcgi_pass php-handler). The nginx worker user needs read/write
# permission on this socket.
upstream php-handler {
    server unix:/run/php/php7.2-fpm.sock;
}

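server {
        listen 443 ssl http2;
        server_name domain IP;

        ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ...;
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;
        ssl_ecdh_curve ...;
        ssl_prefer_server_ciphers on;
        ssl_stapling on;
        ssl_stapling_verify on;

        ssl_trusted_certificate /etc/letsencrypt/live/domain/chain.pem;

        # Needed by ssl_stapling to resolve the OCSP responder hostname.
        # This is a LAN address (the router's DNS); the lookup is plain DNS.
        resolver 192.168.178.1;

        ssl_session_timeout 24h;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        # Security headers for every response from this gateway, proxied ones
        # included. add_header is NOT inherited into a location that declares
        # its own add_header; none of the locations below do, so these apply
        # everywhere. (X-XSS-Protection is legacy and ignored by current browsers.)
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "same-origin" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;

        # Catch-all: anything not routed to a backend below is refused.
        # The original used "location = /", which only covers the exact path "/";
        # every other unmatched path fell through to nginx's static file handler.
        # No root is set in this server, so that meant the compiled-in default
        # html directory -- but had a root such as /var/www been added later,
        # application files (PHP source included) would have been served from
        # disk. A prefix location closes that hole regardless of root.
        # Note: /chevereto without a trailing slash is refused too; link to /chevereto/.
        location / {
                deny all;
        }

        #
        # Chevereto (virtual host on loopback port 83)
        #
        location ^~ /chevereto/ {
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Host $host;
                # X-Real-IP is set from the TCP peer address and is the value the
                # backend can trust. $proxy_add_x_forwarded_for APPENDS to any
                # X-Forwarded-For the client already sent, so only the last entry
                # of that header is reliable; the first entry is client-controlled.
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass http://127.0.0.1:83;
                proxy_redirect off;
        }
}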
Virtual host:
Code:
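server {
        # Loopback only: reachable solely through the gateway host on :443.
        server_name 127.0.0.1;
        listen 127.0.0.1:83;
        # NOTE(review): the first post gives the install path as
        # /var/www/html/chevereto/; with this root the /chevereto/ URIs below
        # resolve to /var/www/chevereto/ -- confirm which one is current.
        root /var/www/;

        location ^~ /chevereto/ {

                #Chevereto: Disable access to sensitive files
                # This MUST come before the PHP handler below. Nested regex
                # locations are tried in order of appearance and the first match
                # wins; in the original order "location ~ \.php$" was declared
                # first, so /chevereto/app/foo.php was handed to PHP-FPM and
                # executed, and this deny never applied to .php files.
                location ~* /chevereto/(app|content|lib)/.*\.(po|php|lock|sql)$ {
                        deny all;
                }

                # PHP scripts that are not on the deny list go to PHP-FPM
                # (upstream php-handler is declared in the gateway host file).
                location ~ \.php$ {
                        # Refuse scripts that do not exist on disk instead of
                        # letting FPM interpret a guessed path.
                        try_files $uri =404;
                        fastcgi_split_path_info ^(.+\.php)(/.+)$;
                        include fastcgi_params;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        # Always empty with a "\.php$" match; kept for completeness.
                        fastcgi_param PATH_INFO $fastcgi_path_info;
                        fastcgi_pass php-handler;
                        fastcgi_connect_timeout 60;
                        fastcgi_index index.php;
                }

                #Chevereto: CORS headers on fonts and static assets.
                # Anchored with "$" so a path that merely contains ".css" or
                # ".js" somewhere in the middle is not caught.
                location ~* /chevereto/.*\.(ttf|ttc|otf|eot|woff|woff2|font\.css|css|js)$ {
                        add_header Access-Control-Allow-Origin "*";
                }

                #Chevereto: Upload path -- serve image files only, everything else 403.
                # "^~" on this prefix stops the regex search, so an uploaded
                # *.php under images/ never reaches the PHP handler above.
                location ^~ /chevereto/images/ {
                        # Anchored to the real extension. The original
                        # "(jpe?g|png|gif)" matched anywhere in the name, so a
                        # file called x.png.php was served (as a static file).
                        location ~* \.(jpe?g|png|gif)$ {
                                log_not_found off;
                                error_page 404 /chevereto/content/images/system/default/404.gif;
                        }
                        return 403;
                }

                #Chevereto: Pretty URLs -- unknown paths fall back to the front controller.
                location /chevereto/ {
                        index index.php;
                        try_files $uri $uri/ /chevereto/index.php?$query_string;
                }
        }
}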
 