
Upgrade Centmin Mod 123.09beta - Nginx + openssl 1.0.2g update issues

Discussion in 'Install & Upgrades or Pre-Install Questions' started by ModeltogTossen, Mar 2, 2016.

  1. ModeltogTossen

    No - I think that @pamamolf also has this maintenance site view instead of our main web sites..

    I will try to see if I can give some more info while I'm at work.. I got access to my *nginx_upgrade.log file - will look at that to see if I can find something.
     
  2. pamamolf

    yup
     
  3. ModeltogTossen

    In my nginx_upgrade.log file - I see a lot of lines like this snippet here shows:

    Code:
    *** Because of configuration changes, you MUST do the following before
    *** building:
    
        make depend
    making depend in crypto...
    make[1]: Entering directory `/svr-setup/openssl-1.0.2g/crypto'
    makedepend: warning:  cryptlib.c (reading /usr/include/stdlib.h, line 32): cannot find include file "stddef.h"
        not in ./stddef.h
        not in ../stddef.h
        not in ../include/stddef.h
        not in /usr/include/stddef.h
    makedepend: warning:  cryptlib.c (reading /usr/include/bits/byteswap-16.h), line 20: # error "Never use <bits/byteswap-16.h> directly; include <byteswap.h> instead."
    makedepend: warning:  /usr/include/time.h includes /usr/include/bits/types.h more than once!
    Already have
        /usr/include/bits/types.h
    makedepend: warning:  /usr/include/time.h includes /usr/include/bits/types.h more than once!
    Already have
        /usr/include/bits/types.h
    makedepend: warning:  /usr/include/time.h includes /usr/include/bits/types.h more than once!
    Already have
        /usr/include/bits/types.h
    makedepend: warning:  cryptlib.c (reading /usr/include/sys/types.h, line 146): cannot find include file "stddef.h"
        not in ./stddef.h
        not in ../stddef.h
        not in ../include/stddef.h
        not in /usr/include/stddef.h
    makedepend: warning:  cryptlib.c (reading /usr/include/alloca.h, line 24): cannot find include file "stddef.h"
        not in ./stddef.h
        not in ../stddef.h
        not in ../include/stddef.h
        not in /usr/include/stddef.h
    makedepend: warning:  cryptlib.c (reading /usr/include/string.h, line 32): cannot find include file "stddef.h"
        not in ./stddef.h
        not in ../stddef.h
        not in ../include/stddef.h
        not in /usr/include/stddef.h
    makedepend: warning:  cryptlib.c (reading /usr/include/unistd.h, line 226): cannot find include file "stddef.h"
        not in ./stddef.h
        not in ../stddef.h
        not in ../include/stddef.h
        not in /usr/include/stddef.h
    makedepend: warning:  cryptlib.c (reading /usr/include/stdio.h, line 33): cannot find include file "stddef.h"
        not in ./stddef.h
        not in ../stddef.h
        not in ../include/stddef.h
        not in /usr/include/stddef.h
    makedepend: warning:  cryptlib.c (reading /usr/include/_G_config.h, line 15): cannot find include file "stddef.h"
        not in ./stddef.h
        not in ../stddef.h
        not in ../include/stddef.h
        not in /usr/include/stddef.h
    makedepend: warning:  cryptlib.c (reading /usr/include/wchar.h, line 51): cannot find include file "stddef.h"
        not in ./stddef.h
        not in ../stddef.h
        not in ../include/stddef.h
        not in /usr/include/stddef.h
    makedepend: warning:  cryptlib.c (reading /usr/include/libio.h, line 50): cannot find include file "stdarg.h"
    
    But that only starts after entering directory `/svr-setup/openssl-1.0.2g/crypto' ..
     
  4. eva2000

    that's normal as source compiles are never 100% without such heh

    if nginx recompiles and restarts with nginx and openssl version it's meant to, then it's usually fine and what you see for 503 maintenance is down to your specific nginx vhost configuration setup.

    FYI, I've just updated 100+ Centmin Mod 123.09beta01 servers with nginx 1.9.12 and openssl 1.02g and all are working fine - including this forum and centminmod.com cluster :)

    Oh and double check the default value of 0 is in /usr/local/nginx/conf/sitestatus.conf
    Code (Text):
    default 0;
    
     
    Last edited: Mar 2, 2016
  5. ModeltogTossen

    Okay then - At the end of the log file I see these:

    Code:
    ccache gcc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DCHAPOLY_x86_64_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM   -c -o e_chacha20poly1305.o e_chacha20poly1305.c
    e_chacha20poly1305.c: In function 'EVP_chacha20_poly1305_cipher':
    e_chacha20poly1305.c:251:9: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
             ((uint64_t *)(aead_ctx->nonce))[4]--;
             ^
    e_chacha20poly1305.c:292:9: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
             cmp = (*(uint64_t *)(poly_mac)) ^ (*(uint64_t *)(in + inl));
             ^
    e_chacha20poly1305.c: In function 'EVP_chacha20_poly1305_ctrl':
    e_chacha20poly1305.c:333:17: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
                     *(uint64_t *)(aead_ctx->nonce + 40) ^= *(uint64_t *)(ptr);
                     ^
    ar  r ../../libcrypto.a encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o e_des.o e_bf.o e_idea.o e_des3.o e_camellia.o e_rc4.o e_aes.o names.o e_seed.o e_xcbc_d.o e_rc2.o e_cast.o e_rc5.o m_null.o m_md2.o m_md4.o m_md5.o m_sha.o m_sha1.o m_wp.o m_dss.o m_dss1.o m_mdc2.o m_ripemd.o m_ecdsa.o p_open.o p_seal.o p_sign.o p_verify.o p_lib.o p_enc.o p_dec.o bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o e_aes_cbc_hmac_sha1.o e_aes_cbc_hmac_sha256.o e_rc4_hmac_md5.o e_chacha20poly1305.o
    /bin/ranlib ../../libcrypto.a || echo Never mind.
    Code:
    make[4]: Entering directory `/svr-setup/openssl-1.0.2g'
    Doing certs/demo
    WARNING: can't open config file: /svr-setup/nginx-1.9.12/../openssl-1.0.2g/.openssl/ssl/openssl.cnf
    WARNING: can't open config file: /svr-setup/nginx-1.9.12/../openssl-1.0.2g/.openssl/ssl/openssl.cnf
    WARNING: can't open config file: /svr-setup/nginx-1.9.12/../openssl-1.0.2g/.openssl/ssl/openssl.cnf
    WARNING: can't open config file: /svr-setup/nginx-1.9.12/../openssl-1.0.2g/.openssl/ssl/openssl.cnf
    make[4]: Leaving directory `/svr-setup/openssl-1.0.2g'
    That log file is crazy long - more than 15k+ lines :eek: ..

    Would it matter at all if I try to compile against the 1.0.2f version again?
     
  6. ModeltogTossen

    @pamamolf - Do you have your site at Cloudflare? - I have mine there also - and it's only a wild guess..
     
  7. eva2000

  8. ModeltogTossen

    If this was addressed to me - then I'm with 7.2 64bit - PHP 7.0.3 - and always do options 23, 2 before I alter my system.
     
  9. eva2000

    Try and see but doubt your 503 maintenance issue is related. 100+ servers of mine and none have nginx 1.9.12 + openssl 1.02g issues
     
  10. ModeltogTossen

    Is it OK that I empty the svr-setup to force re-download, re-compile everything?

    Another thing - is it also OK to empty the /etc/centminmod/custom_config.inc file to be sure I only have active variables in one place?
     
  11. ModeltogTossen

    Oh no - the openssl-1.0.2f is gone from OpenSSL ..
     
  12. eva2000

    yup and yup

    though if you use ngx_pagespeed and lua you'd need these at least
    Code:
    NGXDYNAMIC_NGXPAGESPEED=y
    NGINX_PAGESPEED=y
    NGXPGSPEED_VER='1.10.33.5-beta'
    NGINX_PAGESPEEDPSOL_VER='1.10.33.5'
    ORESTY_LUANGINX='y'
    ORESTY_LUANGINXVER='0.10.1rc1'
     
  13. eva2000

    OpenSSL :)

    just set in /etc/centminmod/custom_config.inc
    Code:
    OPENSSL_VERSION='1.0.2f'
     
  14. ModeltogTossen

    Thanks for moving those posts, right thing to do - Okay, did empty the svr-setup directory.. Also altered the custom config as hinted by @eva2000 2 posts up .. And now I got this compile error:

    Code:
    adding module in ../nginx-module-vts
    + ngx_http_vhost_traffic_status_module was configured
    adding module in ../nginx-accesskey-2.0.3
    ./configure: error: no ../nginx-accesskey-2.0.3/config was found
    
     
  15. eva2000

    ah you need that from downloads/svr-setup.zip in /svr-setup as there's no download link anymore

    or setup in custom_config.inc
    Code:
    NGINX_ACCESSKEY='n'
     
  16. ModeltogTossen

    I disabled Lua .. Now - After emptying the svr-setup I first tried with the g version. Still the same thing - did sitestatus on, off, on - still the same.. Right now I'm on the f version of openssl-1.0.2f - but it did, as you expected, not change a thing - still same issues..

    Is it something with cache - redis, memcache etc?

    Will compile to 1.0.2g again..
     
  17. eva2000

    When you create a new nginx vhost domain via centmin.sh menu option 2 or /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. The output will show the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of the site with 503 maintenance page showing for /usr/local/nginx/conf/conf.d/yourdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/yourdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags | Centmin Mod Community)
     
  18. ModeltogTossen

    non-ssl conf:
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    server {
      listen 80;
      server_name modeltog-tossen.dk www.modeltog-tossen.dk;
        return 301 https://www.modeltog-tossen.dk$request_uri;
      }
    
    server {
      listen 80;
      server_name modeltogtossen.dk www.modeltogtossen.dk;
      return 301 https://www.modeltog-tossen.dk/;
      }
    
    server {
      listen 80;
      server_name modeltogforum.dk www.modeltogforum.dk modeltog-forum.dk www.modeltog-forum.dk;
      return 301 https://www.modeltog-tossen.dk/;
      }
    
    
    server {
      listen 80;
      server_name n-forum.dk www.n-forum.dk n-scale.dk www.n-scale.dk nforum.dk www.nforum.dk nscale.dk www.nscale.dk;
      return 301 https://www.modeltog-tossen.dk/forums/n-skala.31/;
      }
    
    server {
      listen 80;
      server_name z-forum.dk www.z-forum.dk z-scale.dk www.z-scale.dk zscale.dk www.zscale.dk zforum.dk www.zforum.dk;
      return 301 https://www.modeltog-tossen.dk/forums/z-skala.33/;
      }
    
    
    
    server {
     
    #  server_name modeltog-tossen.dk www.modeltog-tossen.dk;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/modeltog-tossen.dk/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/modeltog-tossen.dk/log/error.log;
    
      root /home/nginx/domains/modeltog-tossen.dk/public;
    
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      location ~ (?:^|/)\. {
      deny all;
      }
    
      location / {
        include /usr/local/nginx/conf/503include-only.conf;
      index index.php index.html index.htm;
      try_files $uri $uri/ /index.php?$uri&$args;   
      }
    
      location /internal_data/ {
      internal;
      allow 127.0.0.1;
       allow xx.xx.xx.232;
      deny all;
      }
    
      location /library/ {
      internal;
      allow 127.0.0.1;
       allow xx.xx.xx.232;
      deny all;
      }
    
      location /admin.php {
    #  auth_basic "Private";
    #  auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
      include /usr/local/nginx/conf/php_disabled_openbasedir.conf;
      allow 127.0.0.1;
      allow xx.xx.xx.232;
         allow xx.xx.xx.228;
      deny all;
      }
    
      location /install/ {
    #  auth_basic "Private";
    #  auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
      include /usr/local/nginx/conf/php_disabled_openbasedir.conf;
      allow 127.0.0.1;
      allow xx.xx.xx.232;
      deny all;
      }
    
    # block common exploits, sql injections etc
    include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      include /usr/local/nginx/conf/staticfiles.conf;
    #  include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/php_disabled_openbasedir.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
      #include /usr/local/nginx/conf/cloudflare.conf;
    }
    
    
    The ssl-part conf
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #       listen 443;
    #       server_name modeltog-tossen.dk;
    #       return 302 https://www.modeltog-tossen.dk$request_uri;
    #}
    
    server {
      listen 443 ssl http2;
      server_name www.modeltog-tossen.dk;
    #  return 302 https://www.modeltog-tossen.dk$request_uri;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/modeltog-tossen.dk/dhparam.pem;
    #  ssl_certificate      /usr/local/nginx/conf/ssl/modeltog-tossen.dk/modeltog-tossen.dk.crt;
      ssl_certificate      /usr/local/nginx/conf/ssl/modeltog-tossen.dk/ssl-unified.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/modeltog-tossen.dk/modeltog-tossen.dk.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
    #  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    #  ssl_protocols  TLSv1.2;
    
      # mozilla recommended
      #ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      ssl_prefer_server_ciphers   on;
      ##################add_header Alternate-Protocol  443:npn-spdy/3;
      # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
      # You'd want to include subdomains if you're using SSL wildcard certificates
      # include subdomain
      #add_header Public-Key-Pins 'pin-sha256="iAohr08REOhE8EBXYthVZyxrIE/yuZbTNz/8+c5JBeE="; pin-sha256="bgLN5U0V2ougSd/t2WghRaaU8Yx3xMTMxNOp0bHqHiI="; max-age=86400; includeSubDomains';
      # exclude subdomains
      #add_header Public-Key-Pins 'pin-sha256="iAohr08REOhE8EBXYthVZyxrIE/yuZbTNz/8+c5JBeE="; pin-sha256="bgLN5U0V2ougSd/t2WghRaaU8Yx3xMTMxNOp0bHqHiI="; max-age=86400';
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      ##################spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/modeltog-tossen.dk/ssl-trusted.crt; 
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/modeltog-tossen.dk/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/modeltog-tossen.dk/log/error.log;
    
      root /home/nginx/domains/modeltog-tossen.dk/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      location ~ (?:^|/)\. {
       deny all;
      } 
    
    
      location / {
              include /usr/local/nginx/conf/503include-only.conf;
                index index.php index.html index.htm;
                try_files $uri $uri/ /index.php?$uri&$args;   
            }
    
    
            location /internal_data/ {
            internal;
            allow 127.0.0.1;
        allow xx.xx.xx.232;
            deny all;
            }
    
            location /library/ {
            internal;
            allow 127.0.0.1;
        allow xx.xx.xx.232;
            deny all;
            }
    
            location /admin.php {
    #             auth_basic "Private";
    #             auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
                    include /usr/local/nginx/conf/php_disabled_openbasedir.conf;
                    allow 127.0.0.1;
                    allow xx.xx.xx.232;
            allow xx.xx.xx.228;
                    deny all;
            }
    
            location /install/ {
    #             auth_basic "Private";
    #             auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
                    include /usr/local/nginx/conf/php_disabled_openbasedir.conf;
                    allow 127.0.0.1;
                    allow xx.xx.xx.232;
                    deny all;
            }
    
          #Adminer Security
          location /xx/adminer.php {
               #auth_basic "Adminer";
               #auth_basic_user_file /home/nginx/adminer_login;
               #OPTIONAL - Uncomment to only allow the server, and your ip to access the page.
               allow 127.0.0.1;
               allow xx.xx.xx.232;
            allow xx.xx.xx.228;
               deny all;
          }
    
    # block common exploits, sql injections etc
    include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      include /usr/local/nginx/conf/staticfiles.conf;
    #  include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/php_disabled_openbasedir.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
      #include /usr/local/nginx/conf/cloudflare.conf;
    }
    
     
  19. eva2000

    post contents of /usr/local/nginx/conf/php_disabled_openbasedir.conf

    try disabling / comment out maintenance mode first to rule out cloudflare cache
    Code:
    #include /usr/local/nginx/conf/503include-main.conf;
    Code:
    #include /usr/local/nginx/conf/503include-only.conf;
    from vhosts and /usr/local/nginx/conf/php_disabled_openbasedir.conf if you added there
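
The two checks suggested in this thread (the `default` value in sitestatus.conf and whether the 503 includes are still active in the vhost files), as an added example that is not part of the original posts and is not Centmin Mod's own tooling. The function names and the sample files are constructed for illustration; the real sitestatus.conf layout may differ from the sample.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. File names come from the posts above;
# the sample tree below is constructed so the script runs offline.

# Print file:line:text for every uncommented include of 503include-main.conf
# or 503include-only.conf found below directory $1. "No match" is not an error.
active_503_includes() {
  grep -rnE '^[[:space:]]*include[[:space:]]+[^#;]*503include-(main|only)\.conf[[:space:]]*;' "$1" \
    || [ $? -eq 1 ]
}

# Print the value of the first uncommented "default <value>;" line in file $1.
# The thread says this value should be 0.
sitestatus_default() {
  sed -nE 's/^[[:space:]]*default[[:space:]]+([^;[:space:]]+)[[:space:]]*;.*$/\1/p' "$1" | head -n 1
}

# One-line summary for conf directory $1: "default=<value> active_includes=<count>"
maintenance_summary() (
  count=$(active_503_includes "$1" | wc -l | tr -d '[:space:]')
  printf 'default=%s active_includes=%s\n' "$(sitestatus_default "$1/sitestatus.conf")" "$count"
)

# Build a constructed conf tree: one vhost with both 503 includes active and
# one with both commented out. Prints the temporary directory path.
make_sample_tree() (
  root=$(mktemp -d)
  mkdir -p "$root/conf.d"
  cat > "$root/sitestatus.conf" <<'EOF'
map $http_host $maintenance {
  #default 1;
  default 0;
}
EOF
  cat > "$root/conf.d/example.com.conf" <<'EOF'
server {
  include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;
  location / {
    include /usr/local/nginx/conf/503include-only.conf;
  }
}
EOF
  cat > "$root/conf.d/example.com.ssl.conf" <<'EOF'
server {
  #include /usr/local/nginx/conf/503include-main.conf;
  location / {
    #include /usr/local/nginx/conf/503include-only.conf;
  }
}
EOF
  printf '%s\n' "$root"
)

# Demo on the constructed tree. On a server, pass /usr/local/nginx/conf instead.
demo_root=$(make_sample_tree)
maintenance_summary "$demo_root"
active_503_includes "$demo_root"
rm -rf "$demo_root"
```

If the summary shows `default=0` and no active includes but the 503 page is still served, the response is coming from somewhere other than this nginx configuration, which is why the post above suggests ruling out the Cloudflare cache.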
     
  20. ModeltogTossen

    php_disabled_openbasedir.conf you have here:

    Code:
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   127.0.0.1:9000;
        #fastcgi_pass   unix:/tmp/php5-fpm.sock;
        fastcgi_index  index.php;
        #fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_param  SCRIPT_FILENAME    $request_filename;
    #    fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;
    
    # might shave 200+ ms off PHP requests
    # which don't pass on a content length header
    # slightly faster page response time at the
    # expense of throughput / scalability
    #sendfile on;
    #tcp_nopush off;
    #keepalive_requests 0;
    
    fastcgi_connect_timeout 60;
    fastcgi_send_timeout 180;
    fastcgi_read_timeout 180;
    fastcgi_buffer_size 512k;
    fastcgi_buffers 512 16k;
    fastcgi_busy_buffers_size 1m;
    fastcgi_temp_file_write_size 4m;
    fastcgi_max_temp_file_size 4m;
    fastcgi_intercept_errors on;
    
    # next 3 lines when uncommented / enabled
    # allow Nginx to handle uploads which then
    # passes back the completed upload to PHP
    #fastcgi_pass_request_body off;
    #client_body_in_file_only clean;
    #fastcgi_param  REQUEST_BODY_FILE  $request_body_file;
    
    #new .04+ map method
    fastcgi_param HTTPS $server_https;
    
    # comment out PATH_TRANSLATED line if /usr/local/lib/php.ini sets following:
    # cgi.fix_pathinfo=0
    # as of centminmod v1.2.3-eva2000.01 default is set to cgi.fix_pathinfo=1
    
    fastcgi_param  PATH_INFO          $fastcgi_path_info;
    fastcgi_param  PATH_TRANSLATED    $document_root$fastcgi_path_info;
    
    fastcgi_param  QUERY_STRING       $query_string;
    fastcgi_param  REQUEST_METHOD     $request_method;
    fastcgi_param  CONTENT_TYPE       $content_type;
    fastcgi_param  CONTENT_LENGTH     $content_length;
    
    fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
    fastcgi_param  REQUEST_URI        $request_uri;
    fastcgi_param  DOCUMENT_URI       $document_uri;
    fastcgi_param  DOCUMENT_ROOT      $document_root;
    fastcgi_param  SERVER_PROTOCOL    $server_protocol;
    fastcgi_param  REQUEST_SCHEME     $scheme;
    fastcgi_param  HTTPS              $https if_not_empty;
    
    fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
    fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
    
    fastcgi_param  REMOTE_ADDR        $remote_addr;
    fastcgi_param  REMOTE_PORT        $remote_port;
    fastcgi_param  SERVER_ADDR        $server_addr;
    fastcgi_param  SERVER_PORT        $server_port;
    fastcgi_param  SERVER_NAME        $server_name;
    
    # Set php-fpm geoip variables
    fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
    fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
    fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
    fastcgi_param GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
    fastcgi_param GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
    fastcgi_param GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
    fastcgi_param GEOIP_REGION $geoip_region;
    fastcgi_param GEOIP_CITY $geoip_city;
    fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
    fastcgi_param GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
    fastcgi_param GEOIP_LATITUDE $geoip_latitude;
    fastcgi_param GEOIP_LONGITUDE $geoip_longitude;
    
    # PHP only, required if PHP was built with --enable-force-cgi-redirect
    fastcgi_param  REDIRECT_STATUS    200;
    
                       }
    
    And will try commenting out the 503 lines and update here..