Nginx gateway host configuration

MelBourbon

Chevereto Noob
Hi, I have set my Ubuntu server with nginx using a configuration with a gateway host and then virtual hosts for the several apps (nextcloud, wekan).

Now I'm struggling with setting up this nginx configuration for chevereto. My installation path is
Code:
/var/www/html/chevereto/

My gateway host configuration looks like this (simplified):

Code:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    
    location ^~ /nextcloud/ {
        # Set max. size of a request (important for uploads to Nextcloud)
        client_max_body_size 10G;
        # Besides the timeout values have to be raised in nginx' Nextcloud config, these values have to be raised for the proxy as well
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        send_timeout 3600;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_max_temp_file_size 10240m;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:82;
        proxy_redirect off;
    }
}

Which means any requests on my domain with the path nextcloud will be redirected to a local host with a specific port (in this case 82). Please note, all requests to http (port 80) are automatically redirected to https (433).

My configuration for a virtual host looks like this (simplified):

Code:
server {
    listen 127.0.0.1:82;
    server_name 127.0.0.1;
 
    # Path to the root of your installation
    root /var/www/;
 
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
 
    location ^~ /nextcloud {
        # set max upload size
        client_max_body_size 10G;
        fastcgi_buffers 64 4K;
 
        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
        # Uncomment if your server is build with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;
 
        location /nextcloud {
            rewrite ^ /nextcloud/index.php$request_uri;
        }
    }
}

So the virtual host of nextcloud is now listening on port 82 and takes care of this.

But I tried several things and was not able to set this up for chevereto.

Does anybody use a similar approach and can share their nginx configuration for this? This would be really appreciated.
 
Below is my current configuration. If I open the URL my.domain/chevereto, my browser downloads index.php but does not open it. So maybe forwarding of PHP is wrong. Can anybody help?

Gateway Host:
Code:
upstream php-handler {
    server unix:/run/php/php7.2-fpm.sock;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
        listen 80 default_server;
        server_name my.domain server.ip.adress;

        root /var/www;

        location ^~ /.well-known/acme-challenge {
                proxy_pass http://127.0.0.1:81;
                proxy_redirect off;
        }

        location / {
                # Enforce HTTPS
                # Use this if you always want to redirect to the DynDNS address (no local access).
                return 301 https://$server_name$request_uri;
        }
}

server {
        listen 443 ssl http2;
        server_name my.domain server.ip.adress;

        ssl_certificate /etc/letsencrypt/live/my.domain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/my.domain/privkey.pem;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ...;
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;
        ssl_ecdh_curve ...;
        ssl_prefer_server_ciphers on;

        ssl_stapling on;
        ssl_stapling_verify on;

        ssl_trusted_certificate /etc/letsencrypt/live/my.domain/chain.pem;

        ssl_session_timeout 24h;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "same-origin" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;

        location = / {
                deny all;
        }

        #
        # Nextcloud
        #
        location ^~ /nextcloud/ {
                client_max_body_size 10G;
                proxy_connect_timeout 3600;
                proxy_send_timeout 3600;
                proxy_read_timeout 3600;
                send_timeout 3600;
                proxy_buffering off;
                proxy_request_buffering off;
                proxy_max_temp_file_size 10240m;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass http://127.0.0.1:82;
                proxy_redirect off;
        }

        location = /.well-known/carddav {
                return 301 $scheme://$host/nextcloud/remote.php/dav;
        }

        location = /.well-known/caldav {
                return 301 $scheme://$host/nextcloud/remote.php/dav;
        }

        #
        # Chevereto
        #
        location ^~ /chevereto/ {
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass http://127.0.0.1:83;
                proxy_redirect off;
        }
}

Code:
server {
        server_name 127.0.0.1;
        listen 127.0.0.1:83;
        root /var/www/;

        location ^~ /chevereto {
        #       index index.php;

        #Chevereto: Disable access to sensitive files
        location ~* /(app|content|lib)/.*\.(po|php|lock|sql)$ {
           deny all;
        }

        #Chevereto: CORS headers
        location ~* /.*\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js) {
           add_header Access-Control-Allow-Origin "*";
        }

        #Chevereto: Upload path for image content only and set 404 replacement
        location ^~ /chevereto/images/ {
           location ~* (jpe?g|png|gif) {
           log_not_found off;
           error_page 404 /chevereto/content/images/system/default/404.gif;
        }
        return 403;
        }

        #Chevereto: Pretty URLs
        location /chevereto {
           index index.php;
           try_files $uri $uri/ /index.php?$query_string;
        }
    }
}
 
It's running now. Here is the configuration which works for now, if someone is interested:

Gateway host:
Code:
upstream php-handler {
    server unix:/run/php/php7.2-fpm.sock;
}

server {
        listen 443 ssl http2;
        server_name domain IP;

        ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ...;
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;
        ssl_ecdh_curve ...;
        ssl_prefer_server_ciphers on;
        ssl_stapling on;
        ssl_stapling_verify on;
       
        ssl_trusted_certificate /etc/letsencrypt/live/domain/chain.pem;

        resolver 192.168.178.1;

        ssl_session_timeout 24h;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "same-origin" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;

        location = / {
                deny all;
        }
        #
        # Chevereto
        #
        location ^~ /chevereto/ {
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass http://127.0.0.1:83;
                proxy_redirect off;
        }
}

Virtual host:
Code:
server {
        server_name 127.0.0.1;
        listen 127.0.0.1:83;
        root /var/www/;

        location ^~ /chevereto/ {
#               index index.php;

                location ~ \.php$ {
                                try_files $uri =404;
                                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                                include fastcgi_params;
                                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                                fastcgi_param PATH_INFO $fastcgi_path_info;
                                fastcgi_pass php-handler;
                                fastcgi_connect_timeout 60;
                                fastcgi_index index.php;
                }

                #Chevereto: Disable access to sensitive files
                location ~* /chevereto/(app|content|lib)/.*\.(po|php|lock|sql)$ {
                deny all;
                }

                #Chevereto: CORS headers
                location ~* /chevereto/.*\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js) {
                add_header Access-Control-Allow-Origin "*";
                }

                #Chevereto: Upload path for image content only and set 404 replacement
                location ^~ /chevereto/images/ {
                        location ~* (jpe?g|png|gif) {
                        log_not_found off;
                        error_page 404 /chevereto/content/images/system/default/404.gif;
                        }
                        return 403;
                }

                #Chevereto: Pretty URLs
                location /chevereto/ {
                index index.php;
                try_files $uri $uri/ /chevereto/index.php?$query_string;
                }

#               location ~* /wordpress/\.(js|css|png|jpg|jpeg|gif|ico)$ {
#                               expires max;
#                               log_not_found off;
#               }
        }
}
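
A note on the working virtual host above: nginx tests regex locations in the order they appear in the file and uses the first match, so with `location ~ \.php$` listed first, the "Disable access to sensitive files" rule never sees a `.php` request under `app`, `content` or `lib`. The variant below is an added example, not the poster's or Chevereto's own configuration; it reorders the blocks and anchors the extension patterns, and assumes the same paths, port and `php-handler` upstream as the thread.

```nginx
# Added example, not the poster's or Chevereto's own configuration.
# Paths, port 83 and the "php-handler" upstream are the ones used in the thread;
# the upstream is assumed to stay defined in the gateway host file.
server {
    server_name 127.0.0.1;
    listen 127.0.0.1:83;
    root /var/www/;

    location ^~ /chevereto/ {
        # Upload directory: ^~ ends the regex search at this level, so the
        # \.php$ block below can never claim a request under images/.
        location ^~ /chevereto/images/ {
            # Anchored so only a real image extension matches.
            location ~* \.(jpe?g|png|gif)$ {
                log_not_found off;
                error_page 404 /chevereto/content/images/system/default/404.gif;
            }
            return 403;
        }

        # Must come before \.php$: regex locations are tested in file order
        # and the first match wins.
        location ~* ^/chevereto/(app|content|lib)/.*\.(po|php|lock|sql)$ {
            deny all;
        }

        # PATH_INFO lines omitted: a URI ending in .php carries no path info.
        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass php-handler;
            fastcgi_connect_timeout 60;
        }

        # CORS for static assets; "$" keeps e.g. ".json" from matching "js".
        location ~* \.(ttf|ttc|otf|eot|woff2?|css|js)$ {
            add_header Access-Control-Allow-Origin "*";
        }

        # Pretty URLs
        location /chevereto/ {
            index index.php;
            try_files $uri $uri/ /chevereto/index.php?$query_string;
        }
    }
}
```

Run `nginx -t` before reloading; afterwards a request for a `.php` file under `/chevereto/content/` should return 403 instead of reaching PHP-FPM.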
 