Xenforo X-Accel-Redirect Nginx Configuration help for Xenforo

Sunka · Feb 2, 2016

@eva2000 could you help me with this:

X-Accel-Redirect Nginx Configuration
For correct eTag headers sent by XenForo nginx must be properly configured. add_header Etag must be added to theinternal_data location and fastcgi_pass_header Etag to the location for the php files.

Example config if forum located at the root of site:

location ^~ /internal_data/ {
if ($upstream_http_etag != "") {
add_header Etag $upstream_http_etag;
}
internal;
}

location ~ [^/]*\.php$ {
try_files $fastcgi_script_name =404;
include fastcgi.conf;
fastcgi_pass_header Etag;
}
Click to expand...

First part will going into my SSL conf domain
so this part:
Code:
location /internal_data/ {
        internal;
        allow 127.0.0.1;
        allow MY IP;
        deny all;
    }
will become this:
Code:
location /internal_data/ {
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        internal;
     }
But this part
Code:
location ~ [^/]*\.php$ {
try_files $fastcgi_script_name =404;
include fastcgi.conf;
fastcgi_pass_header Etag;
}
Should be added into (nginx) staticfiles.conf?

eva2000 · Feb 2, 2016

don't need add_header for
Code:
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
in /internal_data as it's an internal; set so general web public won't be accessing that

edit your /usr/local/nginx/conf/php.conf includes via cmd shortcut phpinc or if you copied /usr/local/nginx/conf/php.conf to a new file to include in your vhosts i.e. wordpress setups

eva2000 · Feb 2, 2016

You can find all your php.conf include copies via grep for open_basedir

Code:

grep -rl 'open_basedir' /usr/local/nginx/conf/*

Code:

grep -rl 'open_basedir' /usr/local/nginx/conf/*
/usr/local/nginx/conf/php-pool2.conf
/usr/local/nginx/conf/php-pool3.conf
/usr/local/nginx/conf/php-pool4.conf
/usr/local/nginx/conf/php-pool5.conf
/usr/local/nginx/conf/php.conf
/usr/local/nginx/conf/phpalt.conf
/usr/local/nginx/conf/phpssl.conf

Sunka · Feb 2, 2016

eva2000 said: ↑

edit your /usr/local/nginx/conf/php.conf includes via cmd shortcut phpinc or if you copied /usr/local/nginx/conf/php.conf to a new file to include in your vhosts i.e. wordpress setups
Click to expand...

so this ((nginx) php.conf) part:
Code:
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass   127.0.0.1:9000;
    #fastcgi_pass   unix:/tmp/php5-fpm.sock;
    fastcgi_index  index.php;
    #fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param  SCRIPT_FILENAME    $request_filename;
    #fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;
to this:
Code:
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass   127.0.0.1:9000;
    #fastcgi_pass   unix:/tmp/php5-fpm.sock;
    fastcgi_index  index.php;
    #fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param  SCRIPT_FILENAME    $request_filename;
    #fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;
    try_files $fastcgi_script_name =404;
    include fastcgi.conf;
    fastcgi_pass_header Etag;
}
eva2000 said: ↑
don't need add_header for
Code:
add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
in /internal_data as it's an internal; set so general web public won't be accessing that
Click to expand...
Don't needed at all, or not needed add_header part?

I am lost again

eva2000 · Feb 2, 2016

yup and yup

eva2000 · Feb 2, 2016

oh you don't need this part for centmin mod as it's all in php.conf already
Code:
include fastcgi.conf;

Sunka · Feb 2, 2016

And if I see right, "}" is extra

So it will be this (just two last rows):

Code:

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass   127.0.0.1:9000;
    #fastcgi_pass   unix:/tmp/php5-fpm.sock;
    fastcgi_index  index.php;
    #fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param  SCRIPT_FILENAME    $request_filename;
    #fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;
    try_files $fastcgi_script_name =404;
    fastcgi_pass_header Etag;

And another code for domain.conf I do not need? I need just two new rows in code above?

Code:

add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;

eva2000 · Feb 2, 2016

Sunka said: ↑

try_files $fastcgi_script_name =404;
Click to expand...

not sure if that is needed since this already exists
Code:
try_files $uri =404;

Sunka · Feb 2, 2016

Ok, then just one change (last row)

Code:

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass   127.0.0.1:9000;
    #fastcgi_pass   unix:/tmp/php5-fpm.sock;
    fastcgi_index  index.php;
    #fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param  SCRIPT_FILENAME    $request_filename;
    #fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;
    fastcgi_pass_header Etag;

What about second code change in internal data in domain.conf

Code:

location ^~ /internal_data/ {
        if ($upstream_http_etag != "") {
            add_header Etag $upstream_http_etag;
        }
        internal;
    }

Sunka · Feb 2, 2016

Sorry for wrong thread postings, have many tabs opened at the moment

eva2000 · Feb 2, 2016

should be good for both

Sunka · Feb 2, 2016

eva2000 said: ↑

should be good for both
Click to expand...

Sorry, I do not understand

eva2000 · Feb 2, 2016

Sunka said: ↑

Sorry, I do not understand
Click to expand...

What you posted at https://community.centminmod.com/posts/25342/ should be good

Sunka · Feb 2, 2016

But second part was a question.
Should I change also domain.conf and somehow add/merge below code, or not?
Code:
location ^~ /internal_data/ {
        if ($upstream_http_etag != "") {
            add_header Etag $upstream_http_etag;
        }
        internal;
    }
Btw, this is link to github

eva2000 · Feb 2, 2016

just saying that syntax looks correct, whether you use it, merge it or alter your existing version is up to you as I no idea what that/your trying to do with that code heh

eva2000 · Feb 2, 2016

oh if it's XAR - Attachment | XenForo Community then just follow that instructed outline
Code:
location ^~ /internal_data/ {
  add_header Etag $upstream_http_etag;
  add_header X-Frame-Options SAMEORIGIN;
  add_header X-Content-Type-Options nosniff;
  internal;
}

eva2000 · Feb 2, 2016

ah reading up on XAR Attachment addon seems won't benefit me at all as I use bd Attachment addon already XAR - Attachment | Page 2 | XenForo Community

@Xon quote

If you have [bd] Attachment Store, then this addon doesn't do anything.

If you configure [bd] Attachment Store to store in the public /data you lose the permission checks this addon permits but have equivalent performance (php isn't involved in downloading the file.
Click to expand...

Sunka · Feb 2, 2016

I do not know too..
I asked Yoskaldyr, Xon and you Eva2000, and with help from all of you I can not do that correct way.

It is not XAR - attahment mode, because Yoskaldyr addon (beside rest) also has this part integrated, and I have to have installed that addon because another two addons from Yoskaldyr. So, his addon (beside rest) do same thing like Xon's addon, but it will be unlogical to have installed two addons with same purpose.
I just can not understand how to integrate that 2 codes.

cmf_core/toc.md at master · Yoskaldyr/cmf_core · GitHub

OK, for first part it is just 1 line into nginx php, but another part is going inot domain.conf, but all I can do from my level of knowledge is to integrate this
Code:
location ^~ /internal_data/ {
        if ($upstream_http_etag != "") {
            add_header Etag $upstream_http_etag;
        }
        internal;
    }
into this:
Code:
location /internal_data/ {
        internal;
        allow 127.0.0.1;
        allow 46.101.130.248;
        deny all;
    }
and will become this on the end
Code:
location ^~ /internal_data/ {
        if ($upstream_http_etag != "") {
            add_header Etag $upstream_http_etag;
        }
        internal;
    }
Deleted stuff is this:
Code:
location /internal_data/ {
allow 127.0.0.1;
allow 46.101.130.248;
deny all;

eva2000 · Feb 2, 2016

just

Code:

location ^~ /internal_data/ {
        if ($upstream_http_etag != "") {
            add_header Etag $upstream_http_etag;
        }
        internal;
    }

Sunka · Feb 2, 2016

Conclusion...

from this suggested part of code I will use only one row:

Code:

location ~ [^/]*\.php$ {
try_files $fastcgi_script_name =404;
include fastcgi.conf;
fastcgi_pass_header Etag;
}

In (nginx) php.conf add just that one row (last in code)

Code:

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass   127.0.0.1:9000;
    #fastcgi_pass   unix:/tmp/php5-fpm.sock;
    fastcgi_index  index.php;
    #fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param  SCRIPT_FILENAME    $request_filename;
    #fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;
    fastcgi_pass_header Etag;

-------------------------------------------------------------------

And regarding second suggested code:

Code:

location ^~ /internal_data/ {
        if ($upstream_http_etag != "") {
            add_header Etag $upstream_http_etag;
        }
        internal;

I just put it into SSL domain.conf

Replacing this code:

Code:

location /internal_data/ {
        internal;
        allow 127.0.0.1;
        allow MY IP;
        deny all;
    }

Log in / Register

Forums

Join the community today

Xenforo X-Accel-Redirect Nginx Configuration help for Xenforo

Sunka Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

.

Log in / Register

Useful Searches

Join the community today

Xenforo X-Accel-Redirect Nginx Configuration help for Xenforo

Sunka Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

.