
Xenforo Nginx vhost configuration

Discussion in 'Forum software usage' started by pdinh97qng, Dec 29, 2016.

  1. pdinh97qng

    pdinh97qng New Member

    I have a problem with my nginx vhost configuration: I can't restart my nginx to apply the new "newdomain.com.conf" file. I'm trying to use IPv6 + SSL for my XenForo and force WWW.
    This is my file:
    Code:
    server {
        listen 45.63.95.227:80
        listen [2001:19f0:ac01:17:5400:00ff:fe4a:81ea]:80;
        server_name www.vietfriend.xyz vietfriend.xyz;
        return 302 https://www.vietfriend.xyz$request_uri;
    }
    
    server {
        listen 45.63.95.227:443 ssl http2;
        listen [2001:19f0:ac01:17:5400:00ff:fe4a:81ea]:443 ssl http2;
        server_name vietfriend.xyz;
        return 302 https://www.vietfriend.xyz$request_uri;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        #add_header Alternate-Protocol 443:npn-spdy/3;
        ssl_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/vietfriendxyz/vietfriend_xyz.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout  12h;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        ssl_prefer_server_ciphers on;
        #spdy_headers_comp 5;
        ssl_buffer_size 4000;
        ssl_session_tickets on;
        resolver [2001:4860:4860::8888] [2001:4860:4860::8844] valid=10m;
        resolver_timeout 10s;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-trusted.crt;
    }
    
    server {
        listen 45.63.95.227:443 ssl http2;
        listen [2001:19f0:ac01:17:5400:00ff:fe4a:81ea]:443 ssl http2;
        server_name www.vietfriend.xyz;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        #add_header Alternate-Protocol 443:npn-spdy/3;
        ssl_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/vietfriendxyz/vietfriend_xyz.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout  12h;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        ssl_prefer_server_ciphers on;
        #spdy_headers_comp 5;
        ssl_buffer_size 4000;
        ssl_session_tickets on;
        resolver [2001:4860:4860::8888] [2001:4860:4860::8844] valid=10m;
        resolver_timeout 10s;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-trusted.crt;
    
        #include /usr/local/nginx/conf/pagespeed.conf;
        #include /usr/local/nginx/conf/pagespeedhandler.conf;
        #include /usr/local/nginx/conf/pagespeedstatslog.conf;
        
        ssi  on;
    
        access_log /home/nginx/domains/vietfriend.xyz/log/access.log combined buffer=32k;
        error_log /home/nginx/domains/vietfriend.xyz/log/error.log;
    
        include /usr/local/nginx/conf/autoprotect/vietfriend.xyz/autoprotect-vietfriend.xyz.conf;
        root /home/nginx/domains/vietfriend.xyz/public;
    
        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }
        
        location /internal_data/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }
        
        location /library/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }
        
        location ~ ^/(admin.php) {
            include /usr/local/nginx/conf/php.conf;
            allow 127.0.0.1;
            allow myip;
            deny all;
        }
        
        location /install/ {
            index index.php index.html index.htm;
            allow 127.0.0.1;
            allow myip;
            deny all;
            include /usr/local/nginx/conf/php.conf;
        }
        
        #error_page 403 /403.html;
        #error_page 404 /404.html;
        error_page 504 /504.html;
        
        location = /504.html {
            access_log off;
            internal;
        }
        
        #location = /404.html {
        #    access_log off;
        #    internal;
        #}
        
        #location = /403.html {
        #    access_log off;
        #    internal;
        #}
        
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
        #include /usr/local/nginx/conf/errorpage.conf;
    }
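
The port-80 `server` block in the post above has a `listen` line with no terminating `;`, so nginx reads the next line's `listen` as an argument of the first. As an added example (not part of the original posts), this Python check flags that pattern before a restart; `find_unterminated` and its heuristic are this example's own, and `nginx -t` remains the authoritative test.

```python
import re

# Constructed sample: the port-80 server block from the first post, copied
# as posted, including the `listen` line that has no terminating semicolon.
SAMPLE = """\
server {
    listen 45.63.95.227:80
    listen [2001:19f0:ac01:17:5400:00ff:fe4a:81ea]:80;
    server_name www.vietfriend.xyz vietfriend.xyz;
    return 302 https://www.vietfriend.xyz$request_uri;
}
"""

DELIMS = {";", "{", "}"}
TOKEN = re.compile(r'''
    \#[^\n]*              # comment to end of line
  | "(?:\\.|[^"\\])*"     # double-quoted argument
  | '(?:\\.|[^'\\])*'     # single-quoted argument
  | [;{}]                 # statement and block delimiters
  | [^\s;{}"'\#]+         # bare word
''', re.VERBOSE)


def tokenize(text):
    """Yield (line_number, token) for each non-comment token."""
    for m in TOKEN.finditer(text):
        if not m.group(0).startswith("#"):
            yield text.count("\n", 0, m.start()) + 1, m.group(0)


def find_unterminated(text):
    """Return (line, directive, swallowed_name) for each suspected missing ';'.

    Heuristic: nginx arguments may span lines, but a continuation line that
    begins with a word used elsewhere as a directive name almost always means
    the previous line lost its semicolon.
    """
    tokens = list(tokenize(text))
    names, at_start = set(), True
    for _, tok in tokens:              # pass 1: collect directive names
        if tok in DELIMS:
            at_start = True
        elif at_start:
            names.add(tok)
            at_start = False
    findings, stmt = [], []
    for line, tok in tokens:           # pass 2: walk statements
        if tok in DELIMS:
            stmt = []
            continue
        if stmt and line > stmt[-1][0] and tok in names:
            findings.append((stmt[-1][0], stmt[0][1], tok))
        stmt.append((line, tok))
    return findings


if __name__ == "__main__":
    for line, directive, swallowed in find_unterminated(SAMPLE):
        print(f"line {line}: '{directive}' has no ';' before '{swallowed}'")
```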

     
  2. eva2000

    eva2000 Administrator Staff Member

    What's the output when testing the nginx config syntax?
    Code (Text):
    nginx -t
    

    Might want to use CODE tags for code: How to use forum BBCODE code tags :)

    also read
    You don't really need the 2nd http2 port 443 server{} context for server_name vietfriend.xyz; just add the value to server_name in the server{} context for the www version of vietfriend.xyz.

    don't need this
    Code (Text):
    server {
        listen 45.63.95.227:443 ssl http2;
        listen [2001:19f0:ac01:17:5400:00ff:fe4a:81ea]:443 ssl http2;
        server_name vietfriend.xyz;
        return 302 https://www.vietfriend.xyz$request_uri;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        #add_header Alternate-Protocol 443:npn-spdy/3;
        ssl_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/vietfriendxyz/vietfriend_xyz.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout  12h;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        ssl_prefer_server_ciphers on;
        #spdy_headers_comp 5;
        ssl_buffer_size 4000;
        ssl_session_tickets on;
        resolver [2001:4860:4860::8888] [2001:4860:4860::8844] valid=10m;
        resolver_timeout 10s;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-trusted.crt;
    }
    

    can be combined with
    Code (Text):
    server {
        listen 45.63.95.227:443 ssl http2;
        listen [2001:19f0:ac01:17:5400:00ff:fe4a:81ea]:443 ssl http2;
        server_name vietfriend.xyz www.vietfriend.xyz;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        #add_header Alternate-Protocol 443:npn-spdy/3;
        ssl_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/vietfriendxyz/vietfriend_xyz.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout  12h;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        ssl_prefer_server_ciphers on;
        #spdy_headers_comp 5;
        ssl_buffer_size 4000;
        ssl_session_tickets on;
        resolver [2001:4860:4860::8888] [2001:4860:4860::8844] valid=10m;
        resolver_timeout 10s;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-trusted.crt;
    
        #include /usr/local/nginx/conf/pagespeed.conf;
        #include /usr/local/nginx/conf/pagespeedhandler.conf;
        #include /usr/local/nginx/conf/pagespeedstatslog.conf;
       
        ssi  on;
    
        access_log /home/nginx/domains/vietfriend.xyz/log/access.log combined buffer=32k;
        error_log /home/nginx/domains/vietfriend.xyz/log/error.log;
    
        include /usr/local/nginx/conf/autoprotect/vietfriend.xyz/autoprotect-vietfriend.xyz.conf;
        root /home/nginx/domains/vietfriend.xyz/public;
    
        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }
       
        location /internal_data/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }
       
        location /library/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }
       
        location ~ ^/(admin.php) {
            include /usr/local/nginx/conf/php.conf;
            allow 127.0.0.1;
            allow myip;
            deny all;
        }
       
        location /install/ {
            index index.php index.html index.htm;
            allow 127.0.0.1;
            allow myip;
            deny all;
            include /usr/local/nginx/conf/php.conf;
        }
       
        #error_page 403 /403.html;
        #error_page 404 /404.html;
        error_page 504 /504.html;
       
        location = /504.html {
            access_log off;
            internal;
        }
       
        #location = /404.html {
        #    access_log off;
        #    internal;
        #}
       
        #location = /403.html {
        #    access_log off;
        #    internal;
        #}
       
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
        #include /usr/local/nginx/conf/errorpage.conf;
    }
    


    Resolver-wise, I'd just use IPv4 resolvers like 8.8.8.8.

    Also, IPv6 needs to be set up properly as per FAQ item 34, as it's missing the ipv6only=on directive, unless you have other IPv6 nginx vhosts and one already has the ipv6only=on directive, in which case only one IPv6 nginx vhost is required to specify ipv6only=on on its listen directive line.
     
  3. pdinh97qng

    pdinh97qng New Member

    Thanks for your help @eva2000, now everything works perfectly.
    Just to make sure, can you take a look at my .conf (no pagespeed)?
    Code (Text):
    server {
        listen 45.32.128.181:80;
        server_name vietfriend.xyz www.vietfriend.xyz;
        return 302 https://www.vietfriend.xyz$request_uri;
    }
    
    server {
        listen 45.32.128.181:443 ssl http2;
        server_name www.vietfriend.xyz;
        if ($host = 'vietfriend.xyz' ) {
            return 302 https://www.vietfriend.xyz$request_uri;
        }
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        #add_header Alternate-Protocol 443:npn-spdy/3;
        ssl_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/vietfriendxyz/vietfriend_xyz.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout  12h;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        ssl_prefer_server_ciphers on;
        #spdy_headers_comp 5;
        ssl_buffer_size 4000;
        ssl_session_tickets on;
        resolver 8.8.8.8 8.8.4.4 valid=10m;
        resolver_timeout 10s;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/vietfriendxyz/ssl-trusted.crt;
    
        #include /usr/local/nginx/conf/pagespeed.conf;
        #include /usr/local/nginx/conf/pagespeedhandler.conf;
        #include /usr/local/nginx/conf/pagespeedstatslog.conf;
      
        ssi  on;
    
        access_log /home/nginx/domains/vietfriend.xyz/log/access.log combined buffer=32k;
        error_log /home/nginx/domains/vietfriend.xyz/log/error.log;
    
        include /usr/local/nginx/conf/autoprotect/vietfriend.xyz/autoprotect-vietfriend.xyz.conf;
        root /home/nginx/domains/vietfriend.xyz/public;
    
        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }
      
        location /internal_data/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }
      
        location /library/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }
      
        location ~ ^/(admin.php) {
            include /usr/local/nginx/conf/php.conf;
            allow 127.0.0.1;
            allow myip;
            deny all;
        }
      
        location /install/ {
            index index.php index.html index.htm;
            allow 127.0.0.1;
            allow myip;
            deny all;
            include /usr/local/nginx/conf/php.conf;
        }
      
        #error_page 403 /403.html;
        #error_page 404 /404.html;
        error_page 504 /504.html;
      
        location = /504.html {
            access_log off;
            internal;
        }
      
        #location = /404.html {
        #    access_log off;
        #    internal;
        #}
      
        #location = /403.html {
        #    access_log off;
        #    internal;
        #}
      
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
        #include /usr/local/nginx/conf/errorpage.conf;
    }
     
  4. eva2000

    eva2000 Administrator Staff Member

    looks okay :)
     
  5. pdinh97qng

    pdinh97qng New Member

    @eva2000 can I have your nginx pagespeed configuration for the forum, since I'm using the same style + [bd]cache + redis + Zencache?
    I found this one: Nginx PageSpeed - This forum's pagespeed.conf, but I still see memcache config, which is not used as cache anymore.
    Also, I want to ask: can I create a new file myforum_pagespeed.conf to separate each website on my VPS?
    Thanks
     
  6. eva2000

    eva2000 Administrator Staff Member

    That config still applies, as I use memcached for ngx_pagespeed while using redis cache for XenForo.
    Not really needed, as pagespeed.conf is global to all nginx vhosts via include file
    Code (Text):
    include /usr/local/nginx/conf/pagespeed.conf;

    and it's set up that way for global usage. You can make a copy of /usr/local/nginx/conf/pagespeed.conf and name it /usr/local/nginx/conf/pagespeed_domain.com.conf
    Code (Text):
    include /usr/local/nginx/conf/pagespeed_domain.com.conf;

    but then pscontrol on/off won't work on the new file, as that controls the pagespeed off/on value in the main global pagespeed.conf, so you would have to manually set it on or off in /usr/local/nginx/conf/pagespeed_domain.com.conf
    Code (Text):
    pagespeed off;
    
     
  7. pdinh97qng

    pdinh97qng New Member

    I got this warning message. Is this OK, or is there any way to fix it? (I keep using pagespeed.conf)
    Code (Text):
    [root@oxygen ~]# nprestart
    nginx: [warn] [ngx_pagespeed 1.12.34.2-0] [0103/164233:WARNING:google_message_handler.cc(56)] 'MessageBufferSize' is global and is ignored at this scope
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Stopping nginx:                                            [  OK  ]
    Starting nginx: nginx: [warn] [ngx_pagespeed 1.12.34.2-0] [0103/164233:WARNING:google_message_handler.cc(56)] 'MessageBufferSize' is global and is ignored at this scope
                                                               [  OK  ]
    
     
  8. eva2000

    eva2000 Administrator Staff Member

    The message buffer is no longer enabled via /usr/local/nginx/conf/pagespeed.conf but via the pagespeed admin config file /usr/local/nginx/conf/pagespeedadmin.conf, included in /usr/local/nginx/conf/nginx.conf when you type
    Code (Text):
    pscontrol admin

    So you can't set it per vhost; comment it out in /usr/local/nginx/conf/pagespeed.conf and enable it in /usr/local/nginx/conf/pagespeedadmin.conf

    see Nginx PageSpeed - CentminMod.com LEMP Nginx web stack for CentOS
     