
How are we supposed to manage files in CMM-created Nginx vhost directory?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by deltahf, Oct 25, 2020.

  1. deltahf

    deltahf Premium Member Premium Member

    381
    176
    43
    Jun 8, 2014
    Ratings:
    +294
    Local Time:
    1:51 AM
    I've added a second site to my server using Centminmod's "Option 2" to create a second Nginx vhost, and I'm getting incredibly frustrated figuring out how I'm actually supposed to use it. I only want to use SFTP/SSH to access the server, not FTP.

    Am I supposed to add a new user to the server and give it permissions in /home/nginx/domains/mydomain.com? I tried that and it didn't work. I also tried changing the root directory in mydomain.conf file to point to a directory in the new user's home directory (as it's set up with my other main site on my server, like I've always used), and that doesn't work either.

    I feel like I'm missing something here.
     
  2. eva2000

    eva2000 Administrator Staff Member

    45,654
    10,358
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,076
    Local Time:
    4:51 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
  3. deltahf

    Hmm... OK, I think the real source of my confusion is the two Nginx vhost conf files that were created, mysite.com.conf and mysite.com.ssl.conf.

    I only want to use SSL, so I just disabled mysite.com.conf by renaming it to mysite.com.conf-disabled and assumed that I would do all of my necessary configuration in mysite.com.ssl.conf but it doesn't seem to work that way.

    Even if I rename mysite.com.ssl.conf to mysite.com.conf it still doesn't work!

    I only have one single conf file for my first/main site on this server and it works fine, so I'm really confused. I don't see this discussed in the documentation anywhere.

    Which .conf file should I be editing? Why do both files need to exist?
     
  4. Jon Snow

    Jon Snow Active Member

    589
    88
    28
    Jun 30, 2017
    Ratings:
    +141
    Local Time:
    2:51 AM
    Nginx 1.13.9
    MariaDB 10.1.31
    You don't need the two if you only want HTTPS. I only keep one to make sure the server pulls from it instead of renaming it. If I must keep it for some reason, I'd make an entirely new directory and dump it in there.

    But if you're only using the ssl config, you'll need to make sure the other domain config's server context is in it:

    Code (Text):
    server {
      listen   IP-Address:80;
      server_name domain.com www.domain.com;
    }


    So in the ssl config, you'll see something like:
    Code (Text):
    server {
      listen   IP-Address:80;
      server_name domain.com www.domain.com;
      return 301 https://$server_name$request_uri;
    }
    
    server {
      listen IP-Address:443 ssl http2;
      server_name domain.com www.domain.com;
    
    ...and so on with the remaining contents

    That's an example for https non-www.

    Then you can delete, rename or move domain.com.conf then restart nginx. Make sure you keep backups.
     
  5. deltahf

    That's exactly how I thought it should be configured, but it doesn't work.

    I get infinite redirects by uncommenting the first server block. I don't understand why this is so difficult.
     
  6. Jon Snow

    What's the final contents of your ssl config file and the steps you're taking to disable domain.conf?
     
  7. deltahf

    I've got it set up per the instructions at:

    Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS

    I want SSL only, non-www redirect, so I now have three server blocks. The only difference I can see is the "reuseport" option included in the main listen directive, but I don't think that matters and taking it out doesn't fix anything.

    Code (Text):
    server {
      listen 80;
      server_name mysite.com www.mysite.com;
      return 302 https://$server_name$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name www.mysite.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/mysite.com/dhparam.pem;
      ssl_certificate /usr/local/nginx/conf/ssl/mysite.com/mysite.com.crt;
      ssl_certificate_key /usr/local/nginx/conf/ssl/mysite.com/mysite.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      return 302 https://mysite.com$request_uri;
    }
    
    server {
      listen 443 ssl http2 reuseport;
      server_name mysite.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/mysite.com/dhparam.pem;
      ssl_certificate /usr/local/nginx/conf/ssl/mysite.com/mysite.com.crt;
      ssl_certificate_key /usr/local/nginx/conf/ssl/mysite.com/mysite.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # everything else default CMM vhost code below
    }
    


    The non-SSL redirects work as expected:

    Code (Text):
     ~ % curl -I http://mysite.com
    HTTP/1.1 302 Found
    Date: Sun, 25 Oct 2020 21:34:39 GMT
    Content-Type: text/html
    Connection: keep-alive
    Set-Cookie: __cfduid=dc1660d0b6507e7755a75a288bfacd1591603661679; expires=Tue, 24-Nov-20 21:34:39 GMT; path=/; domain=.mysite.com; HttpOnly; SameSite=Lax
    location: https://mysite.com/
    x-powered-by: centminmod
    CF-Cache-Status: DYNAMIC
    cf-request-id: 060348636900003043d9a47000000001
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=jk8PEBD8LOUnCOGspEapbk1bgyj6FpsKKn%2FOtisfx4nYKaywNZKjNrxfDSY5%2FYIe6URqGeofWSl1LsGNeDvMU2mfTDdYRQP0gvtXsfJbzNk%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 5e7f1018a81a3043-ORD
    


    Code (Text):
     ~ % curl -I http://www.mysite.com
    HTTP/1.1 302 Moved Temporarily
    Date: Sun, 25 Oct 2020 21:34:48 GMT
    Content-Type: text/html
    Connection: keep-alive
    Set-Cookie: __cfduid=d172ba3f630016dd888f6d0e3b79796a41603661688; expires=Tue, 24-Nov-20 21:34:48 GMT; path=/; domain=.mysite.com; HttpOnly; SameSite=Lax
    Location: https://mysite.com/
    X-Powered-By: centminmod
    CF-Cache-Status: DYNAMIC
    cf-request-id: 060348874a0000f21e46aac000000001
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?lkg-colo=14&lkg-time=1603661689"}],"group":"cf-nel","max_age":604800}
    NEL: {"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 5e7f10520b4af21e-ORD
    


    But the SSL domains keep redirecting:

    Code (Text):
    curl -I https://www.mysite.com
    HTTP/2 302
    date: Sun, 25 Oct 2020 21:34:59 GMT
    content-type: text/html
    set-cookie: __cfduid=dd729527d883763b73a263022a9f1edc51603661699; expires=Tue, 24-Nov-20 21:34:59 GMT; path=/; domain=.mysite.com; HttpOnly; SameSite=Lax
    location: https://mysite.com/
    x-powered-by: centminmod
    cf-cache-status: DYNAMIC
    cf-request-id: 060348b1af0000309216260000000001
    expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=D6rSjdmRnASFS0IFhucSBuvkRmalgvBa9%2BIns%2FROi7aF9r7dMc9nA8%2Bh5WkWP3Z4T2VoviqlfRWkDckUzSlBTdtZdSC3ulqQImyIVS7mqsjo0pBY"}],"group":"cf-nel","max_age":604800}
    nel: {"report_to":"cf-nel","max_age":604800}
    server: cloudflare
    cf-ray: 5e7f1095ec573092-ORD
    


    Code (Text):
    curl -I https://mysite.com
    HTTP/2 302
    date: Sun, 25 Oct 2020 21:45:40 GMT
    content-type: text/html
    set-cookie: __cfduid=d475942030f3d76be796d6e2f7154161e1603662340; expires=Tue, 24-Nov-20 21:45:40 GMT; path=/; domain=.mysite.com; HttpOnly; SameSite=Lax
    location: https://mysite.com/
    x-powered-by: centminmod
    cf-cache-status: DYNAMIC
    cf-request-id: 0603527b1a000003acf5261000000001
    expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=8Io0izbFtxKOCdrZn4ajMEGu5WnVtx7Q0YSS3S5HiORW5aXJ6hJkKgzEpyE7O%2FpB1uvMtsj3bpA2ePCmqsbS1E3Cp7OTUVkplTYjpCZv7po%3D"}],"group":"cf-nel","max_age":604800}
    nel: {"report_to":"cf-nel","max_age":604800}
    server: cloudflare
    cf-ray: 5e7f203e98c903ac-ORD
    


    The unused non-SSL conf file is named mysite.com.conf-disabled.

    And yes, the domain is behind Cloudflare already, but I currently have Development Mode enabled and have everything else turned off (including the Cloudflare-provided SSL redirects).
     
    Last edited: Oct 26, 2020
  8. eva2000

    If you have Cloudflare always HTTPS and auto redirect non-https to https, then you do not need the nginx https vhost doing a 302 redirect for non-https to https. If you had both, then you'll get infinite https redirects if you use Cloudflare flexible SSL.
     
  9. deltahf

    Hmm.

    I had both Cloudflare SSL/TLS encryption "off" (it was originally "flexible") and non-https to https redirects disabled already, because I wanted to make sure that Nginx was configured to work correctly independently of Cloudflare.

    I just set Cloudflare SSL/TLS encryption to "full" and now it's working... I guess I don't really understand that option.
     
  10. eva2000

    Cloudflare SSL off = https to non-https forced redirect - it literally removes https support when you turn it off.

    Cloudflare Full SSL is needed if you have Centmin Mod Nginx using HTTPS too.
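
Why the redirects in this thread loop under Cloudflare SSL "off" or "flexible" and stop under "full", as an added example that is not part of any poster's message: an offline model of the three server blocks from post 7 behind a proxy. The function names and the simplified proxy behaviour are assumptions; `mysite.com` is the thread's placeholder domain.

```python
from urllib.parse import urlsplit

def origin(scheme, host, path):
    """(status, Location) per the three server blocks posted in post 7."""
    if scheme == "http":                  # listen 80 block
        return 302, f"https://mysite.com{path}"  # $server_name is the first name
    if host == "www.mysite.com":          # listen 443, www block
        return 302, f"https://mysite.com{path}"
    return 200, None                      # main 443 vhost serves the site

def edge(mode, url):
    """Simplified model (assumption) of how the proxy reaches the origin."""
    u = urlsplit(url)
    path = u.path or "/"
    if mode == "off" and u.scheme == "https":
        # Post 10: with SSL off, HTTPS is force-redirected to HTTP.
        return 301, f"http://{u.hostname}{path}"
    # off/flexible: origin is always contacted over plain HTTP.
    # full: the visitor's scheme is kept, so HTTPS reaches the 443 blocks.
    to_origin = u.scheme if mode == "full" else "http"
    return origin(to_origin, u.hostname, path)

def follow(mode, url, limit=10):
    """Follow redirects like a client and flag a revisited URL as a loop."""
    chain, seen = [url], {url}
    for _ in range(limit):
        status, location = edge(mode, chain[-1])
        if location is None:
            return {"chain": chain, "status": status, "loop": False}
        chain.append(location)
        if location in seen:
            return {"chain": chain, "status": status, "loop": True}
        seen.add(location)
    return {"chain": chain, "status": None, "loop": True}

if __name__ == "__main__":
    for mode in ("off", "flexible", "full"):
        for url in ("http://www.mysite.com", "https://mysite.com"):
            r = follow(mode, url)
            print(f"{mode:8} {url:24} loop={r['loop']} hops={len(r['chain']) - 1}")
```

Under "flexible" the origin only ever sees port 80 traffic, so its HTTP-to-HTTPS redirect is returned for every request, including ones the visitor already made over HTTPS.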