Flarum .0.1.0 and Nginx 1.7.4 rewrite rules

andybond · Oct 26, 2019

Hi

I have the default install "working" on flarum.exiges.com/public

I cannot get to anywhere but the main page without 404 errors.

I followed the documentation listed here : Installation | Flarum Documentation and have the nginx rewrite in place

I appear to be devoid of knowledge on how to do code snippets to demonstrate my nginx configs so I have bunged them on pastebin.

Main config that declares the site :

Code:

# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html
 
# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#       listen   80;
#       server_name flarum.exiges.com www.flarum.exiges.com;
#       return 302 https://$server_name$request_uri;
# }
 
server {
  listen 443 ssl http2 reuseport;
  server_name flarum.exiges.com www.flarum.exiges.com;
 
  ssl_dhparam /usr/local/nginx/conf/ssl/flarum.exiges.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/flarum.exiges.com/flarum.exiges.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/flarum.exiges.com/flarum.exiges.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;
include /home2/nginx/domains/flarum.exiges.com/public/.nginx.conf;
 
 
 
  # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
  #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/flarum.exiges.com/origin.crt;
  #ssl_verify_client on;
  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # mozilla recommended
  ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;
 
  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  add_header X-Xss-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  #add_header Referrer-Policy "strict-origin-when-cross-origin";
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;
 
  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/flarum.exiges.com/flarum.exiges.com-trusted.crt;
 
# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;
 
  # limit_conn limit_per_ip 16;
  # ssi  on;
 
  access_log /home2/nginx/domains/flarum.exiges.com/log/access.log combined buffer=256k flush=5m;
  error_log /home2/nginx/domains/flarum.exiges.com/log/error.log;
 
  include /usr/local/nginx/conf/autoprotect/flarum.exiges.com/autoprotect-flarum.exiges.com.conf;
  root /home2/nginx/domains/flarum.exiges.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;
 
  #location / {
  #include /usr/local/nginx/conf/503include-only.conf;
 
# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;
 
  # Enables directory listings when index file not found
  #autoindex  on;
 
  # Shows file listing times as local time
  #autoindex_localtime on;
 
  # Wordpress Permalinks example
  #try_files $uri $uri/ /index.php?q=$uri&$args;
 
  #}
 
  include /usr/local/nginx/conf/pre-staticfiles-local-flarum.exiges.com.conf;
  include /usr/local/nginx/conf/pre-staticfiles-global.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
 
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

Standard rewrite as issued by site :

Code:

# Pass requests that don't refer directly to files in the filesystem to index.php
location / {
  try_files $uri $uri/ /index.php?$query_string;
}
 
# The following directives are based on best practices from H5BP Nginx Server Configs
# https://github.com/h5bp/server-configs-nginx
 
# Expire rules for static content
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
  add_header Cache-Control "max-age=0";
}
 
location ~* \.(?:rss|atom)$ {
  add_header Cache-Control "max-age=3600";
}
 
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
  add_header Cache-Control "max-age=2592000";
  access_log off;
}
 
location ~* \.(?:css|js)$ {
  add_header Cache-Control "max-age=31536000";
  access_log off;
}
 
location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
  add_header Cache-Control "max-age=2592000";
  access_log off;
}
 
# Gzip compression
gzip on;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rss+xml
    application/vnd.geo+json
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/bmp
    image/svg+xml
    image/x-icon
    text/cache-manifest
    text/css
    text/plain
    text/vcard
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;

Any help or pointers will be hugely appreciated.

I am getting 404 on everything but the homepage:

HTML:

<html>
<head><title>404 Not Found</title><script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/FD126C42-EBFA-4E12-B309-BB3FDD723AC1/main.js" charset="UTF-8"></script></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->

eva2000 · Oct 27, 2019

see my post at Centmin Mod .09 + Flarum

eva2000 said: ↑

you don't need php locations as php.conf include file takes care of it all so you can do just

don't need all gzip stuff too as that is done out of box server wide

don't need prevent ./ directories too as include file drop.conf has all security done

don't need html and image locations as staticfiles.conf include takes care of it all
Click to expand...

only thing you need is something like below for starters where first location / {} context is replacing your existing one
Code (Text):
   location / { try_files $uri $uri/ /index.php?$query_string; }
   location /api { try_files $uri $uri/ /api.php?$query_string; }
   location /admin { try_files $uri $uri/ /admin.php?$query_string; }

   location /flarum {
       deny all;
       return 404;
   }
but i've never used flarum myself so use the above as starters for your testing

andybond · Oct 27, 2019

eva2000 said: ↑
see my post at Centmin Mod .09 + Flarum

only thing you need is something like below for starters where first location / {} context is replacing your existing one
Code (Text):
   location / { try_files $uri $uri/ /index.php?$query_string; }
   location /api { try_files $uri $uri/ /api.php?$query_string; }
   location /admin { try_files $uri $uri/ /admin.php?$query_string; }

   location /flarum {
       deny all;
       return 404;
   }
but i've never used flarum myself so use the above as starters for your testing
Click to expand...
Thanks for the pointers. Since 0.8.0 you dont need to declare the api and admin apparently.

andybond · Oct 27, 2019

andybond said: ↑

Thanks for the pointers. Since 0.8.0 you dont need to declare the api and admin apparently.
Click to expand...

Just tested with the above and exactly the same error.

andybond · Oct 27, 2019

I had a domain free ( as you do ) and started again on a clean domain , no subdomain

Same issue.

I must have something wrong somewhere. The weird thing is on the silly WAMP stack I have on my dev machine it works first time.

eva2000 · Oct 27, 2019

andybond said: ↑
I am getting 404 on everything but the homepage:
Code (Text):
<html>
<head><title>404 Not Found</title><script type="text/javascript" src="https://gc.kis.v2.scr.kaspersky-labs.com/FD126C42-EBFA-4E12-B309-BB3FDD723AC1/main.js" charset="UTF-8"></script></head>
<body>
Click to expand...
clue might be in 404 page, it mentions https://gc.kis.v2.scr.kaspersky-labs.com/FD126C42-EBFA-4E12-B309-BB3FDD723AC1/main.js - you might be using Kaspersky anti-virus software on your local computer ? and it's doing man in the middle interception of your HTTPS requests as there might be an option in the software and their client/software might not support the same level of HTTPS ssl ciphers or protocols as your Centmin Mod Nginx web server. You can verify by turning off the MITM interception of HTTPS requests which isn't advisable anyway.

see HTTPS scanning in Kaspersky antivirus exposed users to MITM attacks and Kaspersky in the Middle - what could possibly go wrong?

Roughly a decade ago I read an article that asked antivirus vendors to stop intercepting encrypted HTTPS connections, this practice actively hurting security and privacy. As you can certainly imagine, antivirus vendors agreed with the sensible argument and today no reasonable antivirus product would even consider intercepting HTTPS traffic. Just kidding… Of course they kept going, and so two years ago a study was published detailing the security issues introduced by interception of HTTPS connections. Google and Mozilla once again urged antivirus vendors to stop. Surely this time it worked?

Of course not. So when I decided to look into Kaspersky Internet Security in December last year, I found it breaking up HTTPS connections so that it would get between the server and your browser in order to “protect” you.
Click to expand...

andybond · Oct 27, 2019

eva2000 said: ↑

clue might be in 404 page, it mentions https://gc.kis.v2.scr.kaspersky-labs.com/FD126C42-EBFA-4E12-B309-BB3FDD723AC1/main.js - you might be using Kaspersky anti-virus software on your local computer ? and it's doing man in the middle interception of your HTTPS requests as there might be an option in the software and their client/software might not support the same level of HTTPS ssl ciphers or protocols as your Centmin Mod Nginx web server. You can verify by turning off the MITM interception of HTTPS requests which isn't advisable anyway.

see HTTPS scanning in Kaspersky antivirus exposed users to MITM attacks and Kaspersky in the Middle - what could possibly go wrong?
Click to expand...

Good shout.

Ill check that out.

In the meantime I tried it on yet another domain and got it working. Ill do a little guide if its any use?

eva2000 · Oct 27, 2019

andybond said: ↑

In the meantime I tried it on yet another domain and got it working. Ill do a little guide if its any use?
Click to expand...

you can download both non-working and working domain.com.ssl.conf or domain.com.conf nginx vhosts and then use a diff comparison tool to compare them side by side to see what differences there are or use online diff comapre tools Diff Checker

andybond · Oct 27, 2019

eva2000 said: ↑

you can download both non-working and working domain.com.ssl.conf or domain.com.conf nginx vhosts and then use a diff comparison tool to compare them side by side to see what differences there are or use online diff comapre tools Diff Checker
Click to expand...

There are two key differences between the working and none.

In the non working version : Root has been specified as /home2/nginx/domains/nonworkingdomain.com/public
In the working version : Root has been specified as /hone2/nginx/domains/workingdomain.com/public/public

The duplicated public isnt really a duplicate. Its just it dumps the non secured stuff in there. I could not for the life of me get it to work when I moved the /public/public to /public and changed every variable known to man in the config files.

The addition of these little lines in the workingdomain.conf file

location / {
include /usr/local/nginx/conf/503include-only.conf;

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

# Enables directory listings when index file not found
#autoindex on;

# Shows file listing times as local time
#autoindex_localtime on;

# Wordpress Permalinks example
try_files $uri $uri/ /index.php?q=$uri&$args;

}

Log in / Register

Forums

Join the community today

Flarum .0.1.0 and Nginx 1.7.4 rewrite rules

andybond Member

eva2000 Administrator Staff Member

andybond Member

andybond Member

andybond Member

eva2000 Administrator Staff Member

andybond Member

eva2000 Administrator Staff Member

andybond Member

.

Log in / Register

Useful Searches

Join the community today

Flarum .0.1.0 and Nginx 1.7.4 rewrite rules

andybond Member

eva2000 Administrator Staff Member

andybond Member

andybond Member

andybond Member

eva2000 Administrator Staff Member

andybond Member

eva2000 Administrator Staff Member

andybond Member

.