From Nginx (cache-enabler) to Varnish

Discussion in 'Other Centmin Mod Installed software' started by ahmed, May 5, 2017.

  1. ahmed

    ahmed Member

    201
    15
    18
    Feb 21, 2017
    Ratings:
    +21
    Local Time:
    2:07 AM
    Hello

    After setting up Varnish, I think the Nginx rules that are optimized for WordPress will not be useful, as in my setup Nginx acts in front of Nginx.

    I have 2 questions please:

    1- Will Centmin Mod override virtual.conf during Centmin Mod updates?
    2- Do the following rules and more need to be replaced? Or are they only to be inserted inside the .VCL, and of no use inside Nginx (* see below)?
    3- Will object cache (Zend/apcu) be of any use while on Varnish?

    some of the rules are

    *
    Code:
     # include /usr/local/nginx/conf/wpincludes/domain.com/wpsecure_domain.com.conf;
      #include /usr/local/nginx/conf/php-wpsc.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    
    thanks in advance
     
    Last edited: May 5, 2017
  2. eva2000

    eva2000 Administrator Staff Member

    30,156
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    10:07 AM
    Nginx 1.13.x
    MariaDB 5.5
    Centmin Mod generally doesn't touch nginx vhosts or virtual.conf once initial install is done.

    Varnish cache only speeds up page performance but does nothing for security as such.

    The include /usr/local/nginx/conf/wpincludes/domain.com/wpsecure_domain.com.conf file is needed for security.

    The php.conf include file or the include /usr/local/nginx/conf/php-wpsc.conf file is needed as it processes PHP; otherwise PHP files prompt for download in users' browsers.

    include /usr/local/nginx/conf/staticfiles.conf is for static browser caching configuration.

    include /usr/local/nginx/conf/drop.conf doesn't need to be enabled; it should be optional security.

    include /usr/local/nginx/conf/vts_server.conf is required for Nginx vhost stats.

    Yes, Zend Opcache for PHP is still needed, as any cache miss by Varnish hits PHP itself.
     
  3. ahmed

    Thanks so much, I will debug the rules. However, one of the rules was limiting my access to wp-admin, wp-login.

    I think it is here

    Code:
    #location ~* /(wp-login\.php) {
     #   limit_req zone=xwplogin burst=1 nodelay;
     #   limit_conn xwpconlimit 30;
      # auth_basic "Private";
    
    but will try enabling the rules one by one and see
     
  4. eva2000

    Centmin Mod values security and puts additional measures in place so that end users are also mindful of security. So in your case, you might need to whitelist or unblock the WP plugins related to your 403 permission denied messages.

    If you used centmin.sh menu option 22 auto installer Wordpress Nginx Auto Installer, the default wpsecure conf file at /usr/local/nginx/conf/wpsecure_${vhostname}.conf where vhostname is your domain name, blocks php scripts from executing in wp-content for security

    Below links you can see examples of setting up specific wordpress location matches to punch a hole in the wpsecure blocking to whitelist specific php files that need to be able to run.
    If on Centmin Mod 123.09beta01, you may have run into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community. Your uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks' web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users' feedback and troubleshooting.
     
  5. ahmed

    very informative as usual, I just need to celebrate the install and will study them

    But I noticed I don't need to open port 8080 as it is mainly between local host just like the PHP port, am I right?
     
  6. eva2000

    yes no need
     
  7. ahmed

    I reinstalled the domain from menu 22, commented out the cache enabler on the vhost, and uninstalled the cache enabler plugin.

    I'm getting these errors:

    Code:
    2017/05/04 20:17:30 [error] 7640#7640: *7 FastCGI sent in stderr: "Access to the script '/home/nginx/domains/domain.com/public' has been denied (see security.limit_extensions)"
     while reading response header from upstream, client: 'my'vps'IP', server: domain.com, request:
    "POST /wp-cron.php?doing_wp_cron=1493929050.7103888988494873046875 HTTP/1.1",
    upstream: "fastcgi://127.0.0.1:9000", host: "domain.com", referrer: "https://domain.com/wp-cron.php?doing_wp_cron=1493929050.7103888988494873046875"
    2017/05/04 20:18:04 [error] 7643#7643: *9 FastCGI sent in stderr:
    "Access to the script '/home/nginx/domains/domain.com/public
    ' has been denied (see security.limit_extensions)" while reading response header from upstream,
     client: MY_LOCAL_IP, server: domain.com, request: "GET /wp-login.php?redirect_to=https%3A%2F%2Fdomain.com%2Fwp-admin%2F&reauth=1
     HTTP/2.0", upstream: "fastcgi://127.0.0.1:9000", host: "domain.com"'my'vps'IP'
    

    The first error comes from my server's external IP. I guess it is from Varnish? But why does Varnish come from the external IP?

    The second one comes from my ISP public IP, "a browser session".


    - I think I need to remove the cache enabler rules altogether. I know it has some in crons, but is that all?
     
  8. ahmed

    after disabling this

    ######cgi.fix_pathinfo=0
    in nano /etc/centminmod/php.d/b_customphp.ini

    -However it was advised in some guides to enable it

    here is a quote:
    uncomment and set it to 0. If this parameter is set to 1, the PHP interpreter will try to process the file whose path is closest to the requested path; if it’s set to 0, the interpreter will only process the file with the exact path, which is a safer option.

    Shall I ignore that without having issues in the future?
     
  9. ahmed

    this is my 8080 server block

    Code:
    server {
        listen 127.0.0.1:8080;
        server_name domain www.domain;
        root /home/nginx/domains/domain/public;
        index index.php;
        port_in_redirect off;

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include fastcgi_params;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param HTTPS on;
            fastcgi_pass 127.0.0.1:9000;
        }
    }
    
     
    Last edited by a moderator: Jun 24, 2017
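
Added example, not part of the thread and not Centmin Mod code: a small Python check that finds every Nginx location handing requests to fastcgi_pass and reports whether it carries a file-existence guard, either the `try_files $uri =404;` form used in the 8080 server block above or the `if (!-f $document_root$fastcgi_script_name)` form. The function names and the second sample are constructed for illustration.

```python
import re

# File-existence guards that stop Nginx passing a non-existent script path to PHP-FPM.
GUARDS = (
    re.compile(r"try_files\s+\$uri\s+=404\s*;"),
    re.compile(r"if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)"),
)

def location_blocks(conf):
    """Yield (header, body) for each location block, following nested braces."""
    for m in re.finditer(r"\blocation\s+([^{;]+?)\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def audit(conf):
    """Return [(location header, guarded?)] for locations that use fastcgi_pass."""
    conf = re.sub(r"#.*", "", conf)  # commented-out rules are not active
    return [(header, any(g.search(body) for g in GUARDS))
            for header, body in location_blocks(conf)
            if "fastcgi_pass" in body]

# PHP-relevant lines of the 8080 server block posted above.
POSTED_BLOCK = r"""
location / { try_files $uri $uri/ /index.php?$args; }
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass 127.0.0.1:9000;
}
"""

# Constructed sample: one location with no guard, one with the if-based guard.
CONSTRUCTED = r"""
location ~ \.php$ {
    fastcgi_pass 127.0.0.1:9000;
}
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f $document_root$fastcgi_script_name) { return 404; }
    fastcgi_pass 127.0.0.1:9000;
}
"""

if __name__ == "__main__":
    for header, ok in audit(POSTED_BLOCK) + audit(CONSTRUCTED):
        print(f"location {header}: {'guarded' if ok else 'NO file-existence guard'}")
```

Guards that live in files pulled in with `include` are not followed, so run the check over the expanded configuration, for example the output of `nginx -T`.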
  10. eva2000

    No, you will break PHP for a lot of web apps if you set it to 0.

    see Is the PHP option 'cgi.fix_pathinfo' really dangerous with Nginx + PHP-FPM?

    Centmin Mod PHP-FPM is properly secured as per official Nginx wiki documentation PHP FastCGI Example | NGINX and doesn't require cgi.fix_pathinfo disabled

    each vhost include file for /usr/local/nginx/conf/php.conf top portion
    Code (Text):
    location ~ [^/]\.php(/|$) {
      include /usr/local/nginx/conf/503include-only.conf;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_pass   127.0.0.1:9000;