
Xenforo Nginx vhost configuration

Discussion in 'Forum software usage' started by pdinh97qng, Dec 29, 2016.

  1. pdinh97qng

    pdinh97qng Member

    121
    15
    18
    Jan 24, 2016
    Ratings:
    +39
    Local Time:
    7:48 PM
    I have a problem with my nginx vhost configuration: I can't restart nginx to apply the new "newdomain.com.conf" file. I'm trying to use IPv6 + SSL for my XenForo and force WWW.
    This is my file:
    Code:
    server {
        listen 45.63.95.227:80
        listen [2001:19f0:ac01:17:5400:00ff:fe4a:81ea]:80;
        server_name www.vietfriend.xyz vietfriend.xyz;
        return 302 https://www.vietfriend.xyz$request_uri;
    }
    
    server {
        listen 45.63.95.227:443 ssl http2;
        listen [2001:19f0:ac01:17:5400:00ff:fe4a:81ea]:443 ssl http2;
        server_name vietfriend.xyz;
        return 302 https://www.vietfriend.xyz$request_uri;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        #add_header Alternate-Protocol 443:npn-spdy/3;
        ssl_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/vietfriendxyz/vietfriend_xyz.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout  12h;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        ssl_prefer_server_ciphers on;
        #spdy_headers_comp 5;
        ssl_buffer_size 4000;
        ssl_session_tickets on;
        resolver [2001:4860:4860::8888] [2001:4860:4860::8844] valid=10m;
        resolver_timeout 10s;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-trusted.crt;
    }
    
    server {
        listen 45.63.95.227:443 ssl http2;
        listen [2001:19f0:ac01:17:5400:00ff:fe4a:81ea]:443 ssl http2;
        server_name www.vietfriend.xyz;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        #add_header Alternate-Protocol 443:npn-spdy/3;
        ssl_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/vietfriendxyz/vietfriend_xyz.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout  12h;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        ssl_prefer_server_ciphers on;
        #spdy_headers_comp 5;
        ssl_buffer_size 4000;
        ssl_session_tickets on;
        resolver [2001:4860:4860::8888] [2001:4860:4860::8844] valid=10m;
        resolver_timeout 10s;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-trusted.crt;
    
        #include /usr/local/nginx/conf/pagespeed.conf;
        #include /usr/local/nginx/conf/pagespeedhandler.conf;
        #include /usr/local/nginx/conf/pagespeedstatslog.conf;
        
        ssi  on;
    
        access_log /home/nginx/domains/vietfriend.xyz/log/access.log combined buffer=32k;
        error_log /home/nginx/domains/vietfriend.xyz/log/error.log;
    
        include /usr/local/nginx/conf/autoprotect/vietfriend.xyz/autoprotect-vietfriend.xyz.conf;
        root /home/nginx/domains/vietfriend.xyz/public;
    
        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }
        
        location /internal_data/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }
        
        location /library/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }
        
        location ~ ^/(admin.php) {
            include /usr/local/nginx/conf/php.conf;
            allow 127.0.0.1;
            allow myip;
            deny all;
        }
        
        location /install/ {
            index index.php index.html index.htm;
            allow 127.0.0.1;
            allow myip;
            deny all;
            include /usr/local/nginx/conf/php.conf;
        }
        
        #error_page 403 /403.html;
        #error_page 404 /404.html;
        error_page 504 /504.html;
        
        location = /504.html {
            access_log off;
            internal;
        }
        
        #location = /404.html {
        #    access_log off;
        #    internal;
        #}
        
        #location = /403.html {
        #    access_log off;
        #    internal;
        #}
        
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
        #include /usr/local/nginx/conf/errorpage.conf;
    }


     
  2. eva2000

    eva2000 Administrator Staff Member

    54,858
    12,239
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,810
    Local Time:
    12:48 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    what's output for testing nginx config syntax
    Code (Text):
    nginx -t
    

    Might want to use CODE tags for code: How to use forum BBCODE code tags :)

    also read
    you don't really need the 2nd http2 port 443 server{} context for server_name vietfriend.xyz, just add the value to server_name in server{} context for server_name www version of vietfriend.xyz

    don't need this
    Code (Text):
    server {
        listen 45.63.95.227:443 ssl http2;
        listen [2001:19f0:ac01:17:5400:00ff:fe4a:81ea]:443 ssl http2;
        server_name vietfriend.xyz;
        return 302 https://www.vietfriend.xyz$request_uri;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        #add_header Alternate-Protocol 443:npn-spdy/3;
        ssl_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/vietfriendxyz/vietfriend_xyz.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout  12h;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        ssl_prefer_server_ciphers on;
        #spdy_headers_comp 5;
        ssl_buffer_size 4000;
        ssl_session_tickets on;
        resolver [2001:4860:4860::8888] [2001:4860:4860::8844] valid=10m;
        resolver_timeout 10s;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-trusted.crt;
    }
    

    can be combined with
    Code (Text):
    server {
        listen 45.63.95.227:443 ssl http2;
        listen [2001:19f0:ac01:17:5400:00ff:fe4a:81ea]:443 ssl http2;
        server_name vietfriend.xyz www.vietfriend.xyz;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        #add_header Alternate-Protocol 443:npn-spdy/3;
        ssl_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/vietfriendxyz/vietfriend_xyz.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout  12h;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        ssl_prefer_server_ciphers on;
        #spdy_headers_comp 5;
        ssl_buffer_size 4000;
        ssl_session_tickets on;
        resolver [2001:4860:4860::8888] [2001:4860:4860::8844] valid=10m;
        resolver_timeout 10s;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-trusted.crt;
    
        #include /usr/local/nginx/conf/pagespeed.conf;
        #include /usr/local/nginx/conf/pagespeedhandler.conf;
        #include /usr/local/nginx/conf/pagespeedstatslog.conf;
       
        ssi  on;
    
        access_log /home/nginx/domains/vietfriend.xyz/log/access.log combined buffer=32k;
        error_log /home/nginx/domains/vietfriend.xyz/log/error.log;
    
        include /usr/local/nginx/conf/autoprotect/vietfriend.xyz/autoprotect-vietfriend.xyz.conf;
        root /home/nginx/domains/vietfriend.xyz/public;
    
        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }
       
        location /internal_data/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }
       
        location /library/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }
       
        location ~ ^/(admin.php) {
            include /usr/local/nginx/conf/php.conf;
            allow 127.0.0.1;
            allow myip;
            deny all;
        }
       
        location /install/ {
            index index.php index.html index.htm;
            allow 127.0.0.1;
            allow myip;
            deny all;
            include /usr/local/nginx/conf/php.conf;
        }
       
        #error_page 403 /403.html;
        #error_page 404 /404.html;
        error_page 504 /504.html;
       
        location = /504.html {
            access_log off;
            internal;
        }
       
        #location = /404.html {
        #    access_log off;
        #    internal;
        #}
       
        #location = /403.html {
        #    access_log off;
        #    internal;
        #}
       
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
        #include /usr/local/nginx/conf/errorpage.conf;
    }
    


    resolver wise, i'd just use ipv4 resolvers like 8.8.8.8

    also ipv6 needs setup properly as per FAQ item 34 as it's missing ipv6only=on directive. Unless you have other ipv6 nginx vhosts and one already has ipv6only=on directive in which case only one nginx ipv6 nginx vhost is required to specify ipv6only=on on listen directive line.
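
Added example, not code from the thread or from Centmin Mod: a small pre-flight lint for a vhost file that reports the kind of problem `nginx -t` is being asked about above. The sample is constructed from the port-80 block in the first post (whose first `listen` line has no terminating `;`) plus its `ssl_protocols` line; `statements` and `lint` are hypothetical helper names.

```python
import re

# Constructed sample: port-80 block from the first post plus one TLS line.
SAMPLE = """\
server {
    listen 45.63.95.227:80
    listen [2001:19f0:ac01:17:5400:00ff:fe4a:81ea]:80;
    server_name www.vietfriend.xyz vietfriend.xyz;  # trailing comment
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[;{}]|[^\s;{}]+')
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996


def statements(conf):
    """Yield (first_line, last_line, tokens) per directive or block header."""
    toks, first, last = [], None, None
    for lineno, line in enumerate(conf.splitlines(), 1):
        # Simplification: assumes '#' never appears inside a quoted value.
        line = re.sub(r"(^|\s)#.*$", "", line)
        for tok in TOKEN.findall(line):
            if tok in (";", "{", "}"):
                if toks:
                    yield first, last, toks
                toks, first = [], None
            else:
                if first is None:
                    first = lineno
                toks.append(tok)
                last = lineno
    if toks:
        yield first, last, toks  # file ended without a terminator


def lint(conf):
    """Return sorted (line, message) findings for a vhost file."""
    findings = []
    for first, last, toks in statements(conf):
        # A directive whose arguments spill onto a later line usually means
        # the ';' was forgotten and the next directive was swallowed.
        if last > first:
            findings.append((first, "'%s' runs on to line %d; missing ';'?"
                             % (toks[0], last)))
        if toks[0] == "ssl_protocols":
            old = sorted(LEGACY_TLS.intersection(toks[1:]))
            if old:
                findings.append((first, "legacy protocols enabled: " + " ".join(old)))
    return sorted(findings)


if __name__ == "__main__":
    for line, msg in lint(SAMPLE):
        print("line %d: %s" % (line, msg))
```

The run-on check is a heuristic, since nginx allows a directive to wrap across lines; `nginx -t` remains the authoritative test.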
     
  3. pdinh97qng

    Thanks for your help @eva2000 , now everything works perfectly
    Just to make sure, can you take a look at my .conf (no pagespeed)
    Code (Text):
    server {
        listen 45.32.128.181:80;
        server_name vietfriend.xyz www.vietfriend.xyz;
        return 302 https://www.vietfriend.xyz$request_uri;
    }
    
    server {
        listen 45.32.128.181:443 ssl http2;
        server_name www.vietfriend.xyz;
        if ($host = 'vietfriend.xyz' ) {
            return 302 https://www.vietfriend.xyz$request_uri;
        }
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        #add_header Alternate-Protocol 443:npn-spdy/3;
        ssl_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/vietfriendxyz/vietfriend_xyz.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout  12h;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        ssl_prefer_server_ciphers on;
        #spdy_headers_comp 5;
        ssl_buffer_size 4000;
        ssl_session_tickets on;
        resolver 8.8.8.8 8.8.4.4 valid=10m;
        resolver_timeout 10s;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-trusted.crt;
    
        #include /usr/local/nginx/conf/pagespeed.conf;
        #include /usr/local/nginx/conf/pagespeedhandler.conf;
        #include /usr/local/nginx/conf/pagespeedstatslog.conf;
      
        ssi  on;
    
        access_log /home/nginx/domains/vietfriend.xyz/log/access.log combined buffer=32k;
        error_log /home/nginx/domains/vietfriend.xyz/log/error.log;
    
        include /usr/local/nginx/conf/autoprotect/vietfriend.xyz/autoprotect-vietfriend.xyz.conf;
        root /home/nginx/domains/vietfriend.xyz/public;
    
        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }
      
        location /internal_data/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }
      
        location /library/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }
      
        location ~ ^/(admin.php) {
            include /usr/local/nginx/conf/php.conf;
            allow 127.0.0.1;
            allow myip;
            deny all;
        }
      
        location /install/ {
            index index.php index.html index.htm;
            allow 127.0.0.1;
            allow myip;
            deny all;
            include /usr/local/nginx/conf/php.conf;
        }
      
        #error_page 403 /403.html;
        #error_page 404 /404.html;
        error_page 504 /504.html;
      
        location = /504.html {
            access_log off;
            internal;
        }
      
        #location = /404.html {
        #    access_log off;
        #    internal;
        #}
      
        #location = /403.html {
        #    access_log off;
        #    internal;
        #}
      
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
        #include /usr/local/nginx/conf/errorpage.conf;
    }
     
  4. eva2000

    looks okay :)
     
  5. pdinh97qng

    @eva2000 can i have your nginx pagespeed configuration for the forum since i'm using the same style + [bd]cache + redis + Zencache
    I found this one: Nginx PageSpeed - This forum's pagespeed.conf, but i still see memcache config which is not used as cache anymore
    Also, I want to ask: can I create a new file myforum_pagespeed.conf to separate each website on my VPS?
    Thanks
     
  6. eva2000

    that config still applies as i use memcached for ngx_pagespeed while using redis cache for xenforo
    not really needed as pagespeed.conf is global to all nginx vhosts via include file
    Code (Text):
    include /usr/local/nginx/conf/pagespeed.conf;

    and it's setup that way for global usage. You can make a copy of /usr/local/nginx/conf/pagespeed.conf and name it /usr/local/nginx/conf/pagespeed_domain.com.conf
    Code (Text):
    include /usr/local/nginx/conf/pagespeed_domain.com.conf;

    but then pscontrol on/off won't work on the new file as that controls pagespeed off/on value in pagespeed.conf main global so would have to manually set it on or off in /usr/local/nginx/conf/pagespeed_domain.com.conf
    Code (Text):
    pagespeed off;
    
     
  7. pdinh97qng

    I got this warning message. Is this OK, or is there any way to fix it? (I keep using pagespeed.conf)
    Code (Text):
    [root@oxygen ~]# nprestart
    nginx: [warn] [ngx_pagespeed 1.12.34.2-0] [0103/164233:WARNING:google_message_handler.cc(56)] 'MessageBufferSize' is global and is ignored at this scope
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Stopping nginx:                                            [  OK  ]
    Starting nginx: nginx: [warn] [ngx_pagespeed 1.12.34.2-0] [0103/164233:WARNING:google_message_handler.cc(56)] 'MessageBufferSize' is global and is ignored at this scope
                                                               [  OK  ]
    
     
  8. eva2000

    message buffer is no longer enabled via /usr/local/nginx/conf/pagespeed.conf but via the pagespeed admin config file /usr/local/nginx/conf/pagespeedadmin.conf included in /usr/local/nginx/conf/nginx.conf when you type
    Code (Text):
    pscontrol admin

    so you can't set it per vhost so comment out in /usr/local/nginx/conf/pagespeed.conf and enable it in /usr/local/nginx/conf/pagespeedadmin.conf

    see Nginx PageSpeed - CentminMod.com LEMP Nginx web stack for CentOS