
Nginx How to customize default Centmin Mod Nginx Vhost Generated Templates?

Discussion in 'Centmin Mod Insights' started by eva2000, Nov 9, 2018.

Thread Status:
Not open for further replies.
    eva2000 Administrator Staff Member

    37,261
    8,140
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,532
    Local Time:
    8:48 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    For Centmin Mod 123.09beta01 and newer versions this is a workaround guide for folks who want to customize the default Centmin Mod Nginx vhost templates for their sites. Currently there is no easy way to do this, but prep work is being done to lay the foundations for it.

    Adding new Nginx site domain vhost accounts on Centmin Mod has always been easy via the shell-based menu, centmin.sh menu option 2, and for Centmin Mod 123.08stable/123.09beta01 and higher via the /usr/bin/nv command. Once a new site's Nginx vhost configuration files are created:
    1. they will be located at either /usr/local/nginx/conf/conf.d/yourdomain.com.conf (for non-HTTPS) and/or /usr/local/nginx/conf/conf.d/yourdomain.com.ssl.conf (for HTTPS) as per official config page outline
    2. they will default to whatever default Nginx vhost template is in place at the time. The default Nginx vhost templates are currently inlined in the Nginx vhost generation routine's include files at inc/nginx_addvhost.inc (for centmin.sh menu option 2, 22) and tools/nv.sh (for /usr/bin/nv command line)

    Customizing centmin.sh menu option 2, 22

    The Nginx vhost templates used by the centmin.sh menu option 2, 22 routines are contained in your /usr/local/src/centminmod/inc/nginx_addvhost.inc include file.

    Using the October 1, 2018 snapshot of inc/nginx_addvhost.inc at centminmod/centminmod:
    1. If you choose to have an nginx HTTPS vhost site, the Nginx vhost templates are on lines 702 to 711 of the file for the non-HTTPS nginx vhost and on lines 775 to 866 of the file for the HTTPS nginx vhost.
    2. If you choose to have only a non-HTTPS nginx vhost site, then the Nginx vhost template is on lines 872 to 935.
    In all Nginx vhost template cases, native Nginx variables (those with a $ in front) need to be escaped with a backslash, e.g. the try_files line in the Nginx vhost template:
    Code (Text):
    # Wordpress Permalinks example
    #try_files \$uri \$uri/ /index.php?q=\$uri&\$args;
    

    When centmin.sh creates the Nginx vhost, the template is processed, the backslash is removed and the native Nginx variables come through intact:
    Code (Text):
    # Wordpress Permalinks example
    #try_files $uri $uri/ /index.php?q=$uri&$args;
    

    which is what you see in the resulting generated Nginx vhost when you go to edit the HTTPS vhost at /usr/local/nginx/conf/conf.d/yourdomain.ssl.conf. Without the backslash in the Nginx vhost template, centmin mod's bash routine will treat those as bash variables and try to evaluate them, so you end up wiping those native Nginx variables out and the generated Nginx vhost only shows
    Code (Text):
    try_files  / /index.php?q=&;
    

    as $uri and $args are treated as bash variables, which have an empty value, when the backslash is missing from the template.

    Note:

    When editing the Nginx vhost templates you also need to be careful not to remove the conditional variables contained in them, as they are populated (or not) depending on logic in the Centmin Mod Nginx vhost generation routines. I will use a HTTPS based Nginx vhost template below as an illustrative example; it contains the following conditional variables, which should NOT be removed.
    • ${DEDI_IP} - used by the SECOND_IP persistent config variable function. Centmin Mod 123.09beta01 and higher have native support to configure the Nginx vhost creation routines to use a separate second IP from the main server IP address via the persistent config file /etc/centminmod/custom_config.inc and a variable called SECOND_IP, discussed and added at https://community.centminmod.com/th...r-routines-support-second-ip.5292/#post-22203. So out of the box, newly generated nginx vhosts will use the defined SECOND_IP=111.222.333.444, where the IP is a secondary IP address added to the server.
    • ${vhostname} - this is the variable that holds your domain name, passed on from the centmin.sh menu prompt for the domain name to use for the new Nginx vhost site.
    • $LISTENOPT - variable is dynamically populated based on the server environment centmin mod detects, which includes checking whether your Linux Kernel supports SO_REUSEPORT. Possible combinations include ssl, spdy, http2, reuseport. So if only http/2 is detected and the Linux Kernel supports SO_REUSEPORT, $LISTENOPT is populated with just ssl http2 reuseport. As reuseport can only be used once per IP/PORT pairing globally, the Centmin Mod nginx routine also evaluates at Nginx vhost creation time whether any other existing HTTPS Nginx vhost already uses the reuseport directive; if none does, the currently generated Nginx vhost will populate and use reuseport. Thus, server wide, only one IP and port 443 pairing will use the reuseport directive while all other Nginx vhosts leave reuseport off.
    • $CFAUTHORIGINPULL_INCLUDES - populates the Cloudflare Authenticated Origin Pull certificate file include, which is commented out by default so you can just uncomment it to enable Cloudflare Authenticated Origin Pulls as outlined here.
    • $HTTPTWO_MAXFIELDSIZE - populates the directive setting for http2_max_field_size 16k;
    • $HTTPTWO_MAXHEADERSIZE - populates the directive setting for http2_max_header_size 32k;
    • ${TLSONETHREE_CIPHERS} - populates the TLS v1.3 ssl ciphers only if the crypto library Nginx detects supports TLS v1.3, i.e. BoringSSL or OpenSSL 1.1.1. If OpenSSL 1.1.x or 1.0.2 without TLS v1.3 support is detected, the variable's value is empty.
    • $SPDY_HEADER - legacy variable populating add_header Alternate-Protocol 443:npn-spdy/3; and probably can be deleted eventually unless some folks are still using SPDY patched Nginx HTTPS. The variable is empty if Nginx SPDY support is not detected.
    • $COMP_HEADER - legacy variable populating spdy_headers_comp 5;. The variable is empty if Nginx SPDY support is not detected.
    • $NGX_LOGFORMAT - conditionally determines the nginx log format used by default.
    • ${PRESTATIC_INCLUDES} - populates additional nginx include files which allow you to set commonly used nginx rules/settings in each Nginx vhost, as outlined at Beta Branch - add VHOST_PRESTATICINC='y' additional include files.
      Code (Text):
        include /usr/local/nginx/conf/pre-staticfiles-local-newdomain.com.conf;
        include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      
    • ${MULTIPHP_INCLUDES} - future support for multiple PHP-FPM version include files, which conditionally enable a specific include file when a specific PHP-FPM version is detected. Not currently used, but laying the foundation for its support while it undergoes private testing.
      Code (Text):
        #include /usr/local/nginx/conf/php73-remi.conf;
        #include /usr/local/nginx/conf/php72-remi.conf;
        #include /usr/local/nginx/conf/php71-remi.conf;
        #include /usr/local/nginx/conf/php70-remi.conf;
        #include /usr/local/nginx/conf/php56-remi.conf;
      
    Centmin Mod Nginx HTTPS vhost template from the October 1, 2018 snapshot of inc/nginx_addvhost.inc at centminmod/centminmod, containing the must-have variables mentioned above.
    Code (Text):
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    # redirect from www to non-www forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    # listen ${DEDI_IP}80;
    # server_name ${vhostname} www.${vhostname};
    # return 302 https://\$server_name\$request_uri;
    # }
    server {
    listen ${DEDI_IP}443 $LISTENOPT;
    server_name $vhostname www.$vhostname;
    ssl_dhparam /usr/local/nginx/conf/ssl/${vhostname}/dhparam.pem;
    ssl_certificate /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}.key;
    include /usr/local/nginx/conf/ssl_include.conf;
    $CFAUTHORIGINPULL_INCLUDES
    $HTTPTWO_MAXFIELDSIZE
    $HTTPTWO_MAXHEADERSIZE
    # mozilla recommended
    ssl_ciphers ${TLSONETHREE_CIPHERS}ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:${CHACHACIPHERS}DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    ssl_prefer_server_ciphers on;
    $SPDY_HEADER
    # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
    #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    #add_header X-Frame-Options SAMEORIGIN;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    #add_header Referrer-Policy "strict-origin-when-cross-origin";
    $COMP_HEADER;
    ssl_buffer_size 1369;
    ssl_session_tickets on;
    # enable ocsp stapling
    #resolver 8.8.8.8 8.8.4.4 valid=10m;
    #resolver_timeout 10s;
    #ssl_stapling on;
    #ssl_stapling_verify on;
    #ssl_trusted_certificate /usr/local/nginx/conf/ssl/${vhostname}/${vhostname}-trusted.crt;
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    # limit_conn limit_per_ip 16;
    # ssi on;
    access_log /home/nginx/domains/$vhostname/log/access.log $NGX_LOGFORMAT buffer=256k flush=5m;
    error_log /home/nginx/domains/$vhostname/log/error.log;
    include /usr/local/nginx/conf/autoprotect/$vhostname/autoprotect-$vhostname.conf;
    root /home/nginx/domains/$vhostname/public;
    # uncomment cloudflare.conf include if using cloudflare for
    # server and/or vhost site
    #include /usr/local/nginx/conf/cloudflare.conf;
    include /usr/local/nginx/conf/503include-main.conf;
    location / {
    include /usr/local/nginx/conf/503include-only.conf;
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    # Enables directory listings when index file not found
    #autoindex on;
    # Shows file listing times as local time
    #autoindex_localtime on;
    # Wordpress Permalinks example
    #try_files \$uri \$uri/ /index.php?q=\$uri&\$args;
    }
    ${PRESTATIC_INCLUDES}
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    ${MULTIPHP_INCLUDES}
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_server.conf;
    }
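
    As an added example (not Centmin Mod's own code), the shell script below mimics the bash heredoc expansion that turns \$uri into $uri and blanks an unescaped $uri, and adds a pre-flight check that a customised template still carries the conditional placeholders listed above. The functions render_template and check_template, the REQUIRED_VARS and NGINX_VARS lists, and the GOOD_TPL/BAD_TPL sample templates are all constructed here.

```shell
#!/bin/bash
# Added example, not Centmin Mod's own code: a renderer that mimics the bash
# heredoc expansion centmin.sh applies to its vhost template, and a pre-flight
# check for a customised template. The sample templates are constructed.

# Conditional placeholders the guide says an HTTPS template must keep.
REQUIRED_VARS="DEDI_IP vhostname LISTENOPT CFAUTHORIGINPULL_INCLUDES
HTTPTWO_MAXFIELDSIZE HTTPTWO_MAXHEADERSIZE TLSONETHREE_CIPHERS SPDY_HEADER
COMP_HEADER NGX_LOGFORMAT PRESTATIC_INCLUDES MULTIPHP_INCLUDES"
# Native nginx variables that must be written as \$name in the template.
NGINX_VARS='uri|args|request_uri|server_name|host|scheme|remote_addr'
# Expand a template string the way `cat <<EOF` does: shell variables are
# substituted, \$uri becomes $uri, and an unescaped $uri becomes "".
# The heredoc also runs $(...) found in the template, so treat it as code.
render_template() {
  eval "cat <<__RENDER__
$1
__RENDER__"
}

# Print one finding per line; return 0 only when the template is clean.
check_template() {
  tpl=$1 rc=0
  # a $ that is not preceded by a backslash, followed by an nginx variable name
  bad=$(printf '%s\n' "$tpl" |
    grep -En '(^|[^\\])\$('"$NGINX_VARS"')([^A-Za-z0-9_]|$)' || true)
  if [ -n "$bad" ]; then
    printf 'unescaped nginx variable (bash will blank it):\n%s\n' "$bad"; rc=1
  fi
  for name in $REQUIRED_VARS; do
    if ! printf '%s\n' "$tpl" | grep -Eq '\$[{]?'"$name"'[}]?'; then
      printf 'missing Centmin Mod placeholder: $%s\n' "$name"; rc=1
    fi
  done
  return $rc
}
# Constructed sample: a trimmed HTTPS template with every placeholder intact.
GOOD_TPL='server {
listen ${DEDI_IP}443 $LISTENOPT;
server_name $vhostname www.$vhostname;
$CFAUTHORIGINPULL_INCLUDES $HTTPTWO_MAXFIELDSIZE $HTTPTWO_MAXHEADERSIZE
ssl_ciphers ${TLSONETHREE_CIPHERS}ECDHE-ECDSA-AES128-GCM-SHA256;
$SPDY_HEADER $COMP_HEADER;
access_log /home/nginx/domains/$vhostname/log/access.log $NGX_LOGFORMAT;
location / { try_files \$uri \$uri/ /index.php?q=\$uri&\$args; }
${PRESTATIC_INCLUDES} ${MULTIPHP_INCLUDES}
}'
# Same template with the backslashes stripped and the listen line dropped.
BAD_TPL=$(printf '%s\n' "$GOOD_TPL" | sed 's/\\\$/$/g; /LISTENOPT/d')
```

    Run check_template against your edited template before saving it into inc/nginx_addvhost.inc; render_template with vhostname, DEDI_IP and LISTENOPT set shows what the generated vhost will look like.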
    

    Customizing tools/nv.sh

    Editing the default Nginx vhost template for the /usr/bin/nv command line method of Nginx site vhost creation is similar to the above; you just need to edit /usr/local/src/centminmod/tools/nv.sh instead for the Nginx vhost templates.

    There is prep work being done to make editing the default Nginx vhost templates easier, but for now it is the way it is because of the conditionally populated variables that depend on the server environment your server is operating in.
     
    Last edited: Nov 9, 2018