
Nginx I'm missing the error in this nginx config. Help?

Discussion in 'Install & Upgrades or Pre-Install Questions' started by fly, Aug 8, 2023.

  1. fly

    fly Member

    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7
    • Centmin Mod Version Installed: 130
    • Nginx Version Installed: 1.23.3
    • When was last time updated Centmin Mod code base ? : Today
    Here is the config: #x# HTTPS-DEFAULT server { listen 80;#x# server_name mydomain.or - Pastebin.com


    I created a new Option 22 vhost about a month ago. Everything was fine. My client had to reboot the machine and nginx wouldn't start. nginx -t gives the following error

    Code:
    nginx: [emerg] duplicate location "/" in /usr/local/nginx/conf/conf.d/mydomain.org.ssl.conf:72
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
    
    If I disable the offending conf, nginx loads just fine. As far as I can tell, this file hasn't been updated since I created it a month ago. What's the error and what went wrong here?
     
  2. eva2000

    eva2000 Administrator Staff Member

    If you disable the autoprotect include file, does it work?
    Code (Text):
     include /usr/local/nginx/conf/autoprotect/mydomain.org/autoprotect-mydomain.org.conf;

    If on Centmin Mod 123.09beta01 or higher, you may have run into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community. Your uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users feedback and troubleshooting.
    Check if your nginx vhost at either or both /usr/local/nginx/conf/conf.d/domain.com.conf and/or /usr/local/nginx/conf/conf.d/domain.com.ssl.conf has an include file for autoprotect, for example:
    Code (Text):
    include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
    

    See if your directory for the script which has issues is caught in an autoprotect include entry in /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf which has a deny all entry:
    Code (Text):
    cat /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    

    i.e.
    Code (Text):
    # /home/nginx/domains/domain.com/public/subdirectory/js
    location ~* ^/subdirectory/js/ { allow 127.0.0.1; deny all; }
    

    If caught, you can whitelist it with an autoprotect bypass .autoprotect-bypass file - details below here. So if the problem js file is at domain.com/subdirectory/js/file.js then it is likely /subdirectory/js has a .htaccess with deny all in it - make sure that directory is meant to be publicly accessible by contacting the author of the script and, if so, you can whitelist it and re-run the autoprotect script to regenerate your /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file
    Code (Text):
    cd /home/nginx/domains/domain.com/public/subdirectory/js
    touch .autoprotect-bypass
    /usr/local/src/centminmod/tools/autoprotect.sh
    nprestart
    

    It may be that you need to also whitelist /subdirectory; then it would be as follows, creating bypass files at /home/nginx/domains/domain.com/public/subdirectory/.autoprotect-bypass and /home/nginx/domains/domain.com/public/subdirectory/js/.autoprotect-bypass
    Code (Text):
    cd /home/nginx/domains/domain.com/public/subdirectory/
    touch .autoprotect-bypass
    cd /home/nginx/domains/domain.com/public/subdirectory/js
    touch .autoprotect-bypass
    /usr/local/src/centminmod/tools/autoprotect.sh
    nprestart
    

    then double check to see if updated /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file now doesn't show an entry for /subdirectory/js
     
  3. fly

    fly Member

    Ahhh, that is indeed the cause. In that autoprotect file is:

    Code:
    location / {
      location ~ ^/(.+/)?(.+)\.(js)$ { allow all; expires 30d; }
      location ~ ^/(.+/)?(.+)\.(css)$ { allow all; expires 30d; }
      location ~ ^/(.+/)?(.+)\.(gif|jpe?g|png|webp|eot|svg|ttf|woff|woff)$ { allow all; expires 30d; }
      location ~ ^/(.+/)?(.+)\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$ { allow 127.0.0.1; deny all; }
    }
    
    Seemingly, that's not going to work. Could the script be changed to see if the locations already exist in the main .conf files?
     
  4. eva2000

    eva2000 Administrator Staff Member

    Probably could, but the point of autoprotect is to alert end users like yourself of Apache server only .htaccess supported files in your web site code base which won't work with Nginx so you can address it at Nginx config file level or via the above mentioned autoprotect bypass method :)

    So in your case you had an Apache .htaccess in public web root / which you should look into, to see if you need to manually set up an Nginx configuration to address it or just bypass and ignore it.
     
  5. fly

    fly Member

    This is a pretty default WordPress install. Odd. I will see what generated that.

    At any rate, are we alerted to these changes that autoprotect finds somehow that I missed?
     
  6. eva2000

    eva2000 Administrator Staff Member

    The nginx failing to load due to config error would be the alert usually for ones at web root. For others it would just be auto generated workarounds in /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file
     
  7. fly

    fly Member

    That makes for a bit of an insidious issue. nginx is broken, but you don't know until you reboot (for patching or any other issue where you might not run 'nginx -t' first). And now you have an outage troubleshooting what's wrong.
     
  8. eva2000

    eva2000 Administrator Staff Member

    FYI, autoprotect updates run on a cronjob, so you will know sooner than a server reboot, at least an nginx restart. So an nginx upgrade/recompile isn't the only time you'll know. You'd know within less than 24hrs from initial Nginx vhost creation where you have uploaded your site's code and the offending .htaccess files.
    Code (Text):
    crontab -l | grep autoprotect
    13 23 * * * /usr/local/src/centminmod/tools/autoprotect.sh >/dev/null 2>&1
    

    But yes, I understand what you mean, so a better way to inform folks would be ideal. Or to check for existing location paths.
     
  9. fly

    fly Member

    I'm sure you understand, but as another example, some WordPress plugins add .htaccess files. So if someone adds a new plugin six months down the road, they could suffer an outage whenever the next nginx restart happens.
     
  10. eva2000

    eva2000 Administrator Staff Member

    Yes, that is how to date autoprotect.sh alerted folks to the potential issue; downtime is arguably better than an Apache .htaccess intended private directory in a WordPress plugin being publicly revealed and accessible on an Nginx server due to Nginx not supporting the .htaccess file method of blocking directory access. Some WordPress plugins save debug logs to publicly accessible directories and rely on .htaccess in that directory to prevent public access, which only works on Apache servers and not Nginx servers.

    Guess my predicament is finding a better way without hand holding end users to educate them on Nginx and .htaccess files for every time an unknown script/plugin utilises Apache only supported .htaccess files on Centmin Mod Nginx.

    I created a test updated tools/autoprotect.sh at Updated Centmin Mod tools/autoprotect.sh August 9, 2023 which you can try to replace /usr/local/src/centminmod/tools/autoprotect.sh with via the command below
    Code (Text):
    wget -O /usr/local/src/centminmod/tools/autoprotect.sh https://gist.githubusercontent.com/centminmod/316da21874fa0dbe779c49f13cb1004f/raw/autoprotect.sh
    chmod +x /usr/local/src/centminmod/tools/autoprotect.sh
    

    then manually run
    /usr/local/src/centminmod/tools/autoprotect.sh to regenerate the autoprotect include files
    Code (Text):
    /usr/local/src/centminmod/tools/autoprotect.sh
    

    The updated version does skip generating autoprotect include file entries if it detects the location path context in existing Nginx vhost config files to lessen the number of duplicate location path errors. But it won't resolve when path directory has a deny all .htaccess detected by autoprotect.sh that isn't already covered in existing Nginx vhost config files.

    If folks don't like autoprotect method, they can just comment out with hash # in front of /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file in their Nginx vhosts. Then Nginx will act just like regular non-Centmin Mod Nginx setups that ignore .htaccess Apache deny all based files without any form of notice (errors) to users that they need to add specific Nginx location deny protections to cover paths with .htaccess.
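
An added example, not part of the thread and not Centmin Mod's autoprotect.sh: a read-only audit of the situation described above, listing directories whose Apache `.htaccess` denies access (which Nginx ignores) and whether each one is bypassed, already covered by an autoprotect include entry, or unprotected. The function names, status labels and the Apache 2.4 `Require all denied` match are assumptions of this example; the include entry formats it recognises are the two quoted in the thread.

```sh
#!/bin/sh
# Added example: audit .htaccess "deny all" rules that Nginx will not honour.
# Matches Apache 2.2 "Deny from all" and 2.4 "Require all denied" (assumption),
# skipping commented-out lines.
DENY_RE='^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)'

# is_covered INCLUDE URLPATH
# True if INCLUDE already holds an entry for URLPATH, in either of the two
# formats quoted in the thread ("location / {" or "location ~* ^/path/ {").
is_covered() {
  [ -n "$1" ] && [ -f "$1" ] || return 1
  if [ "$2" = "/" ]; then
    grep -Fq -- 'location / {' "$1"
  else
    grep -Fq -- "location ~* ^$2 " "$1"
  fi
}

# audit_htaccess_deny WEBROOT [INCLUDE]
# Prints "<STATUS> <url-path>" per directory with a deny-all .htaccess:
#   BYPASSED    .autoprotect-bypass present, operator chose to leave it public
#   COVERED     an entry for the path exists in the include file
#   UNPROTECTED nothing in Nginx stands in for the .htaccess rule
# Paths containing newlines are not supported.
audit_htaccess_deny() (
  webroot=${1%/}
  include=${2:-}
  find "$webroot" -type f -name .htaccess -exec grep -Eil -- "$DENY_RE" {} + |
  LC_ALL=C sort |
  while IFS= read -r htaccess; do
    dir=$(dirname "$htaccess")
    rel=${dir#"$webroot"}/
    if [ -e "$dir/.autoprotect-bypass" ]; then
      status=BYPASSED
    elif is_covered "$include" "$rel"; then
      status=COVERED
    else
      status=UNPROTECTED
    fi
    printf '%s %s\n' "$status" "$rel"
  done
)
```

Run it as `audit_htaccess_deny /home/nginx/domains/domain.com/public /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf`; any `UNPROTECTED` line is a directory that is public on Nginx despite its `.htaccess`.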
     
  11. fly

    fly Member

    I don't know if it's too hand holdy, but if a conflict were found, could it be added to the MOTD when you log in?

    ALERT: autoprotect can't resolve .htaccess issue

    or something like that. Also, how irritating it is that nginx runs the majority of the web and scripts don't check for it. :mad: