
Nginx nginx won't restart, duplicate location error

Discussion in 'Install & Upgrades or Pre-Install Questions' started by RC Mike, Mar 19, 2019.

  1. RC Mike

    RC Mike New Member

    4
    3
    3
    Mar 19, 2019
    Ratings:
    +3
    Local Time:
    9:32 AM
    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.00 beta01
    • Nginx Version Installed: 1.15.8
    My server has been happily up and running for some time now, well, until this morning.

    I have my Xenforo /install/ directory access restricted using the autoprotect-MYDOMAIN.com.conf file.

    I commented out the line:
    Code:
    location ~* ^/forum/install/ { allow 127.0.0.1; deny all; }
    and then restarted NGINX, but the restart failed with the following error:

    Code:
    Mar 18 11:12:45 sageweb01 nginx[5249]: Starting nginx: nginx: [emerg] duplicate location "/forum/" in /usr/local/nginx/conf/conf.d/MYDOMAIN.com.conf:57
    I went back into the autoprotect-MYDOMAIN.com.conf and uncommented the same line and again tried to restart nginx, but it too failed with the same error above.

    Prior to me trying to unprotect the /install/ directory everything had been working fine.

    Here is my /usr/local/nginx/conf/conf.d/MYDOMAIN.com.conf file. I only see one instance of /forum/ listed.

    Code:
    server {
                listen   80;
                listen [::]:80;
                server_name MYDOMAIN.com;
                return 301 https://www.MYDOMAIN.com$request_uri;
           }
    
    server {
                listen   80;
                listen [::]:80;
                server_name www.MYDOMAIN.com;
                return 301 https://www.MYDOMAIN.com$request_uri;
           }
    
    server {
            listen 443 ssl;
            listen [::]:443 ssl;
            server_name MYDOMAIN.com;
    
            ssl_certificate      /usr/local/nginx/conf/ssl/MYDOMAIN.com.crt;
            ssl_certificate_key  /usr/local/nginx/conf/ssl/MYDOMAIN.com.key;
    
            ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare.crt;
            ssl_verify_client on;
    
            return 301 https://www.MYDOMAIN.com$request_uri;
    }
    
    server {
    
      listen 443 ssl;
      listen [::]:443 ssl;
     
      ssl_certificate      /usr/local/nginx/conf/ssl/MYDOMAIN.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/MYDOMAIN.com.key;
    
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare.crt;
      ssl_verify_client on;
    
      server_name www.MYDOMAIN.com;
    
      access_log /home/nginx/domains/MYDOMAIN.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/MYDOMAIN.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/MYDOMAIN.com/autoprotect-MYDOMAIN.com.conf;
      root /home/nginx/domains/MYDOMAIN.com/public;
    
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
      try_files $uri $uri/ /index.php?$uri&$args;
    
      }
    
      location /forum/ {
      include /usr/local/nginx/conf/503include-only.conf;
    
      try_files $uri $uri/ /forum/index.php?$uri&$args;
    
      }
    
     
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
    
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    

     
  2. eva2000

    eva2000 Administrator Staff Member

    40,190
    8,888
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,698
    Local Time:
    11:32 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Did you recently upgrade XenForo and upload new files that also uploaded a .htaccess file to the /forum/install directory? That could have been captured by the autoprotect routine, so it added a deny all rule for that location, which would be a duplicate of what you have in your nginx vhost config file at MYDOMAIN.com.conf.

    Best way is to bypass the autoprotect routine for /forum/install/ using a .autoprotect-bypass file.

    If on Centmin Mod 123.09beta01, you may have run into the new tools/autoprotect.sh cronjob feature outlined at "Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community". Your uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users feedback and troubleshooting.
    Check if your nginx vhost at either or both /usr/local/nginx/conf/conf.d/domain.com.conf and/or /usr/local/nginx/conf/conf.d/domain.com.ssl.conf has an include file for autoprotect, for example:
    Code (Text):
    include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
    

    See if your directory for the script which has issues is caught in an autoprotect include entry in /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf which has a deny all entry:
    Code (Text):
    cat /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    

    i.e.
    Code (Text):
    # /home/nginx/domains/domain.com/public/subdirectory/js
    location ~* ^/subdirectory/js/ { allow 127.0.0.1; deny all; }
    

    If caught, you can whitelist it with an autoprotect bypass .autoprotect-bypass file - details below here. So if the problem js file is at domain.com/subdirectory/js/file.js, then it is likely /subdirectory/js has a .htaccess with deny all in it. Make sure that directory is meant to be publicly accessible by contacting the author of the script and, if so, you can whitelist it and re-run the autoprotect script to regenerate your /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file:
    Code (Text):
    cd /home/nginx/domains/domain.com/public/subdirectory/js
    touch .autoprotect-bypass
    /usr/local/src/centminmod/tools/autoprotect.sh
    nprestart
    

    It may be you need to also whitelist /subdirectory. Then it would be as follows, creating bypass files at /home/nginx/domains/domain.com/public/subdirectory/.autoprotect-bypass and /home/nginx/domains/domain.com/public/subdirectory/js/.autoprotect-bypass:
    Code (Text):
    cd /home/nginx/domains/domain.com/public/subdirectory/
    touch .autoprotect-bypass
    cd /home/nginx/domains/domain.com/public/subdirectory/js
    touch .autoprotect-bypass
    /usr/local/src/centminmod/tools/autoprotect.sh
    nprestart
    

    Then double check to see if the updated /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file now doesn't show an entry for /subdirectory/js.
     
    • Like Like x 1
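An added example, not part of eva2000's post or of Centmin Mod's autoprotect.sh: a POSIX shell audit that lists every directory under a web root whose .htaccess has a `deny from all` line and reports whether it carries a `.autoprotect-bypass` file or already has an uncommented deny entry in the autoprotect include file. The function names, the `unlisted` label, the grep pattern used to spot `deny from all`, and the sample tree built by `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not Centmin Mod code. Approximates the checks described above.

# Print every directory under $1 whose .htaccess has a "deny from all" line.
# Assumption: a case-insensitive match on that phrase is close enough.
htaccess_deny_dirs() (
  find "$1" -type f -name .htaccess \
    -exec grep -liE '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' {} + |
    sed 's|/\.htaccess$||' | LC_ALL=C sort
)

# For each such directory print "<state> <uri>", where state is:
#   bypassed  - .autoprotect-bypass file present in the directory
#   protected - uncommented deny entry present in the include file ($2)
#   unlisted  - neither; worth reviewing before the include is regenerated
audit_autoprotect() (
  webroot=${1%/}; include=$2
  htaccess_deny_dirs "$webroot" | while IFS= read -r dir; do
    uri="${dir#"$webroot"}/"
    if [ -e "$dir/.autoprotect-bypass" ]; then
      state=bypassed
    elif grep -v '^[[:space:]]*#' "$include" 2>/dev/null |
         grep -qF "location ~* ^$uri {"; then
      state=protected
    else
      state=unlisted
    fi
    printf '%s %s\n' "$state" "$uri"
  done
)

# Constructed sample tree and include file, so the audit runs anywhere.
demo() (
  t=$(mktemp -d) || exit 1
  for d in install internal_data js; do
    mkdir -p "$t/public/forum/$d"
    echo 'Deny from all' > "$t/public/forum/$d/.htaccess"
  done
  : > "$t/public/forum/js/.autoprotect-bypass"
  printf '%s\n' '# /home/nginx/domains/domain.com/public/forum/internal_data' \
    'location ~* ^/forum/internal_data/ { allow 127.0.0.1; deny all; }' \
    '#location ~* ^/forum/install/ { allow 127.0.0.1; deny all; }' \
    > "$t/autoprotect.conf"
  audit_autoprotect "$t/public" "$t/autoprotect.conf"
  rm -rf "$t"
)
```

On a server laid out as in the thread, the call would be `audit_autoprotect /home/nginx/domains/domain.com/public /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf`; a commented-out entry, like the one in the first post, is reported as `unlisted` rather than `protected`.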
  3. eva2000

  4. RC Mike

    Actually I was going to attempt a XF 2.1.1. upgrade which is why I was going to un-protect my /install/ directory. That said there isn't an .htaccess file included in the upgrade ZIP from Xenforo.

    Actually I am running 123.09beta01 which was upgraded thanks to another admin (I believe he's a member here), however the server has been running fine for some time now, why would it suddenly stop now after I tried to restart nginx?
     
  5. eva2000

    hard to know exactly especially if there is no .htaccess in /forum/install as autoprotect wouldn't setup a deny all otherwise.
     
  6. RC Mike

    @eva2000 so I stand corrected. There was an .htaccess file already in the /install/ folder. When I looked I was only looking in the uploaded .ZIP file I extracted.

    It seems autoprotect is the one that bit me this time with the pre-existing .htaccess file that's been there for some time now and was brought over from the migration to Centmin Mod.

    I removed the file, followed your instructions above and all is good now. Thank you sir!
     
    • Like Like x 1
  7. eva2000

    Good to hear :)
     