Re: Nginx segfault - `is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment`
| August 14, 2022 04:46AM |
Registered: 5 years ago Posts: 32 |
Sergey A. Osokin Wrote:
-------------------------------------------------------
Hello Sergey.
Thank you for your reply.
> On Sat, Aug 13, 2022 at 04:01:19AM -0400, petecooper wrote:
> > Hello.
> > I have a single-digit fleet of Ubuntu servers, all running a similar
> > configuration:
> >
> > * Ubuntu 20.04LTS, current kernel via `apt`
> > * Nginx 1.23.1 from source, with 3rd party modules
> > * PHP 8.0 or 8.1 from source
>
> Could you please provide an output of the following command:
>
> % nginx -T
I have included partially inline at the end of this email, but the body is too large to send.
The nginx.conf is available here:
https://github.com/textpattern/server-config/blob/main/live/servers/files/tarzan.textpattern.net/etc/nginx/nginx.conf
…and the `servers-available` blocks are here (they are not inline due to size):
https://github.com/textpattern/server-config/tree/main/live/servers/files/tarzan.textpattern.net/etc/nginx/servers-available
> Also, is there any specific reason to build nginx and php from
> source? Is there a chance to reproduce the issue without any of
> party modules?
The Nginx source compile is to be able to use the 3rd party modules, and the PHP source compile is to ensure compatibility of our open source project with current PHP.
There are currently 6 other servers with an identical Nginx & PHP build, and they are not affected. This server has been running as expected for some months, and I am the sole administrator.
Thank you for your time and attention, I appreciate it greatly.
Best wishes to you.
$ sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
#begin `nginx.conf` at `/etc/nginx/nginx.conf`
load_module /usr/lib/nginx/modules/ndk_http_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
load_module /usr/lib/nginx/modules/ngx_http_cache_purge_module.so;
load_module /usr/lib/nginx/modules/ngx_http_echo_module.so;
load_module /usr/lib/nginx/modules/ngx_http_geoip_module.so;
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_image_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_length_hiding_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_memc_module.so;
#load_module /usr/lib/nginx/modules/ngx_http_naxsi_module.so;
load_module /usr/lib/nginx/modules/ngx_http_redis2_module.so;
load_module /usr/lib/nginx/modules/ngx_http_set_misc_module.so;
#load_module /usr/lib/nginx/modules/ngx_http_srcache_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_vhost_traffic_status_module.so;
load_module /usr/lib/nginx/modules/ngx_http_xslt_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_ipscrub_module.so;
load_module /usr/lib/nginx/modules/ngx_nchan_module.so;
#load_module /usr/lib/nginx/modules/ngx_pagespeed.so;
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
pcre_jit on;
pid /var/run/nginx.pid;
user www-data www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
events {
accept_mutex on;
multi_accept on;
worker_connections 65535;
use epoll;
}
http {
#default `log_format` must be declared before `access_log`
log_format ipscrubbed
'$time_iso8601 '
'$msec '
'ips="$remote_addr_ipscrub" '
'rm="$request_method" '
'r="$request" '
'ru="$request_uri" '
'q="$query_string" '
'u="$uri" '
'url="$scheme://$host$request_uri" '
's="$status" '
'rl="$request_length" '
'rt="$request_time" '
'sn="$connection" '
'cr="$connection_requests" '
'ct="$connection_time" '
'bbs="$body_bytes_sent" '
'gzr="$gzip_ratio" '
'ups="$upstream_status" '
'upct="$upstream_connect_time" '
'uprt="$upstream_response_time" '
'uprl="$upstream_response_length" '
'upht="$upstream_header_time" '
'upbr="$upstream_bytes_received" '
'upbs="$upstream_bytes_sent" '
'upcs="$upstream_cache_status" '
'sa="$server_addr" '
'srvp="$server_protocol" '
'tlsp="$ssl_protocol" '
'tlsc="$ssl_cipher" '
'tlscs="$ssl_ciphers" '
'tlsr="$ssl_curves" '
'tlsed="$ssl_early_data" '
'tlssr="$ssl_session_reused" '
'ref="$http_referer" '
'hua="$http_user_agent" '
'hxf="$http_x_forwarded_for"'
;
access_log /mnt/tarzan_logs_01/log/nginx/live/nginx/nginx.access.log ipscrubbed;
autoindex off;
charset UTF-8;
charset_types
text/css
text/plain
text/vnd.wap.wml
text/javascript
text/markdown
text/calendar
text/x-component
text/vcard
text/cache-manifest
text/vtt
application/json
application/manifest+json
;
client_body_buffer_size 2M;
client_body_timeout 30s;
client_header_buffer_size 4k;
client_max_body_size 128M;
default_type application/octet-stream;
error_log /mnt/tarzan_logs_01/log/nginx/live/nginx/nginx.error.log warn;
fastcgi_cache_path /var/cache/nginx/fastcgi levels=1:1 keys_zone=fastcgi-cache:16m max_size=256m inactive=1d;
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 5;
gzip_http_version 1.0;
gzip_min_length 1024;
gzip_proxied any;
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.ms-fontobject
application/wasm
application/x-javascript
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/svg+xml
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy
text/xml
;
gzip_vary on;
include /etc/nginx/mime.types;
keepalive_timeout 30s;
large_client_header_buffers 8 16k;
length_hiding on;
length_hiding_max 1024;
limit_conn_zone $binary_remote_addr zone=conPerIp:5m;
limit_req_zone $binary_remote_addr zone=reqPerMin1:60m rate=1r/m;
limit_req_zone $binary_remote_addr zone=reqPerMin5:60m rate=5r/m;
limit_req_zone $binary_remote_addr zone=reqPerMin10:60m rate=10r/m;
limit_req_zone $binary_remote_addr zone=reqPerMin20:60m rate=20r/m;
limit_req_zone $binary_remote_addr zone=reqPerSec1:5m rate=1r/s;
limit_req_zone $binary_remote_addr zone=reqPerSec5:5m rate=5r/s;
limit_req_zone $binary_remote_addr zone=reqPerSec10:5m rate=10r/s;
limit_req_zone $binary_remote_addr zone=reqPerSec20:5m rate=20r/s;
log_format content-security-policy '';
log_format iplogged
'$time_iso8601 '
'$msec '
'ip="$remote_addr" '
'rm="$request_method" '
'r="$request" '
'ru="$request_uri" '
'q="$query_string" '
'u="$uri" '
'url="$scheme://$host$request_uri" '
's="$status" '
'rl="$request_length" '
'rt="$request_time" '
'sn="$connection" '
'cr="$connection_requests" '
'ct="$connection_time" '
'bbs="$body_bytes_sent" '
'gzr="$gzip_ratio" '
'ups="$upstream_status" '
'upct="$upstream_connect_time" '
'uprt="$upstream_response_time" '
'uprl="$upstream_response_length" '
'upht="$upstream_header_time" '
'upbr="$upstream_bytes_received" '
'upbs="$upstream_bytes_sent" '
'upcs="$upstream_cache_status" '
'sa="$server_addr" '
'srvp="$server_protocol" '
'tlsp="$ssl_protocol" '
'tlsc="$ssl_cipher" '
'tlscs="$ssl_ciphers" '
'tlsr="$ssl_curves" '
'tlsed="$ssl_early_data" '
'tlssr="$ssl_session_reused" '
'ref="$http_referer" '
'hua="$http_user_agent" '
'hxf="$http_x_forwarded_for"'
;
log_format netdata-web_log '';
log_format network-error '';
log_format permissions-policy '';
log_not_found off;
map_hash_bucket_size 128;
max_ranges 8;
more_clear_headers Server;
msie_padding off;
proxy_ssl_protocols TLSv1.3 TLSv1.2;
request_pool_size 8k;
reset_timedout_connection on;
resolver 1.1.1.1 9.9.9.9 [2606:4700:4700::1111] [2620:fe::fe] valid=30s;
resolver_timeout 5s;
sendfile on;
send_timeout 15s;
#server_names_hash_bucket_size 128;
#server_names_hash_max_size 1024;
server_tokens off;
ssl_buffer_size 4k;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_dhparam /etc/nginx/certs/dhparam4096-openssl.pem;
ssl_ecdh_curve 'prime256v1:secp384r1:secp521r1';
#ssl_ocsp on;
#ssl_ocsp_cache shared:OCSP:10m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_session_timeout 6h;
ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /opt/certs/mozilla-cacert.pem;
#ssl_verify_client on;
#ssl_verify_depth 2;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
variables_hash_max_size 2048;
variables_hash_bucket_size 512;
vhost_traffic_status_zone;
#last but not least
include /etc/nginx/includes/deny/10-global-deny.conf;
include /etc/nginx/includes/deny/20-undefined-server-deny.conf;
include /etc/nginx/includes/monitoring/*.conf;
include /etc/nginx/servers-enabled/*.conf;
include /etc/nginx/streams-enabled/*.conf;
}
#end `nginx.conf`
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/includes/deny/10-global-deny.conf:
#begin `10-global-deny.conf` server block at `/etc/nginx/includes/deny/10-global-deny.conf`
#deny all; #here be dragons
#deny 192.0.2.1; #example for a single IPv4 address
#deny 192.0.2.0/24; #example for an IPv4 CIDR block
#deny 2001:db8::1; #example for a single IPv6 address
#deny 2001:db8::/32; #example for an IPv6 CIDR block
#end `10-global-deny.conf` server block
# configuration file /etc/nginx/includes/deny/20-undefined-server-deny.conf:
#begin `20-undefined-server-deny.conf` server block at `/etc/nginx/includes/deny/20-undefined-server-deny.conf`
server {
access_log /mnt/tarzan_logs_01/log/nginx/live/undefined-server-deny/undefined-server-deny.access.log iplogged;
error_log /mnt/tarzan_logs_01/log/nginx/live/undefined-server-deny/undefined-server-deny.error.log warn;
limit_req zone=reqPerMin5;
listen [::]:80 default_server;
listen 80 default_server;
return 444;
server_name _;
}
#end `20-undefined-server-deny.conf` server block
# configuration file /etc/nginx/includes/monitoring/heartbeat.conf:
#begin `heartbeat.conf` server block at `/etc/nginx/includes/monitoring/heartbeat.conf`
server {#hostname, http -> https redirect
access_log /mnt/tarzan_logs_01/log/nginx/live/heartbeat/tarzan.textpattern.net.access.log ipscrubbed;
add_header Content-Security-Policy 'default-src \'none\'' always;
add_header Permissions-Policy default-src=()' always;
add_header Referrer-Policy "strict-origin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
error_log /mnt/tarzan_logs_01/log/nginx/live/heartbeat/tarzan.textpattern.net.error.log warn;
index index.html;
limit_req zone=reqPerSec5;
listen [::]:80;
listen 80;
return 301 https://$host$request_uri;
root /var/www/heartbeat/live/;
server_name tarzan.textpattern.net;
location ^~ /.well-known/ {
allow all;
default_type "text/plain";
root /var/www/heartbeat/_well-known/;
try_files $uri/ $uri =404;
}
location ~ /\. {
deny all;
limit_req zone=reqPerSec1;
}
location /favicon.ico {
access_log off;
log_not_found off;
}
location /robots.txt {
access_log off;
limit_req zone=reqPerSec1;
log_not_found off;
}
location / {
index index.html;
limit_except GET HEAD POST {
deny all;
}
try_files $uri $uri/ =404;
}
location ~ ^.+\.php(?:/.*)?$ {
return 502;
}
}
server {#hostname, https
access_log /mnt/tarzan_logs_01/log/nginx/live/heartbeat/tarzan.textpattern.net.access.log ipscrubbed;
set $consecpol_heartbeat '';
set $consecpol_heartbeat '${consecpol_heartbeat}base-uri \'self\';';
set $consecpol_heartbeat '${consecpol_heartbeat}connect-src \'self\';';
set $consecpol_heartbeat '${consecpol_heartbeat}default-src \'none\';';
set $consecpol_heartbeat '${consecpol_heartbeat}font-src \'self\';';
set $consecpol_heartbeat '${consecpol_heartbeat}frame-ancestors \'none\';';
set $consecpol_heartbeat '${consecpol_heartbeat}frame-src \'none\';';
set $consecpol_heartbeat '${consecpol_heartbeat}img-src \'self\';';
set $consecpol_heartbeat '${consecpol_heartbeat}manifest-src \'self\';';
set $consecpol_heartbeat '${consecpol_heartbeat}media-src \'self\';';
set $consecpol_heartbeat '${consecpol_heartbeat}object-src \'none\';';
set $consecpol_heartbeat '${consecpol_heartbeat}script-src \'self\';';
set $consecpol_heartbeat '${consecpol_heartbeat}style-src \'self\';';
add_header Content-Security-Policy $consecpol_heartbeat always;
set $perpol_heartbeat '';
set $perpol_heartbeat '${perpol_heartbeat}camera=(),';
set $perpol_heartbeat '${perpol_heartbeat}fullscreen=(self),';
set $perpol_heartbeat '${perpol_heartbeat}geolocation=(),';
set $perpol_heartbeat '${perpol_heartbeat}gyroscope=(),';
set $perpol_heartbeat '${perpol_heartbeat}magnetometer=(),';
set $perpol_heartbeat '${perpol_heartbeat}microphone=(),';
set $perpol_heartbeat '${perpol_heartbeat}midi=(),';
set $perpol_heartbeat '${perpol_heartbeat}notifications=(self),';
set $perpol_heartbeat '${perpol_heartbeat}payment=(),';
set $perpol_heartbeat '${perpol_heartbeat}push=(self),';
set $perpol_heartbeat '${perpol_heartbeat}speaker=(),';
set $perpol_heartbeat '${perpol_heartbeat}sync-xhr=(self),';
set $perpol_heartbeat '${perpol_heartbeat}usb=(),';
set $perpol_heartbeat '${perpol_heartbeat}vibrate=()'; #no trailing comma
add_header Permissions-Policy $perpol_heartbeat always;
add_header Referrer-Policy "strict-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
error_log /mnt/tarzan_logs_01/log/nginx/live/heartbeat/tarzan.textpattern.net.error.log warn;
index index.html;
listen [::]:443 http2 ssl;
listen 443 http2 ssl;
root /var/www/heartbeat/live/;
server_name tarzan.textpattern.net;
ssl_certificate /etc/certbot/live/tarzan.textpattern.net/fullchain.pem;
ssl_certificate_key /etc/certbot/live/tarzan.textpattern.net/privkey.pem;
ssl_trusted_certificate /etc/certbot/live/tarzan.textpattern.net/fullchain.pem;
location ^~ /.well-known/ {
allow all;
default_type "text/plain";
root /var/www/heartbeat/_well-known/;
try_files $uri/ $uri =404;
}
location /favicon.ico {
access_log off;
log_not_found off;
}
location /robots.txt {
access_log off;
log_not_found off;
}
location ~ /\. {
deny all;
}
location / {
index index.html;
limit_except GET HEAD POST {
deny all;
}
try_files $uri $uri/ =404;
}
location ~ ^.+\.php(?:/.*)?$ {
return 502;
}
}
#end `heartbeat.conf` server block
# configuration file /etc/nginx/includes/monitoring/netdata.conf:
#begin `netdata` server block at `/etc/nginx/includes/monitoring/netdata.conf`
upstream netdata-socket {
keepalive 60;
server unix:/run/netdata/netdata.sock;
}
server {#netdata hostname, https
access_log off;
set $consecpol_netdata '';
set $consecpol_netdata '${consecpol_netdata}connect-src https://api.github.com https://registry.my-netdata.io \'self\';';
set $consecpol_netdata '${consecpol_netdata}default-src \'none\';';
set $consecpol_netdata '${consecpol_netdata}font-src \'self\';';
set $consecpol_netdata '${consecpol_netdata}frame-ancestors \'self\';';
set $consecpol_netdata '${consecpol_netdata}frame-src \'none\';';
set $consecpol_netdata '${consecpol_netdata}img-src data: \'self\';';
set $consecpol_netdata '${consecpol_netdata}manifest-src \'self\';';
set $consecpol_netdata '${consecpol_netdata}media-src \'self\';';
set $consecpol_netdata '${consecpol_netdata}object-src \'self\';';
set $consecpol_netdata '${consecpol_netdata}script-src \'self\' \'unsafe-inline\';';
set $consecpol_netdata '${consecpol_netdata}style-src \'self\' \'unsafe-inline\';';
add_header Content-Security-Policy $consecpol_netdata;
set $perpol_netdata '';
set $perpol_netdata '${perpol_netdata}camera=(),';
set $perpol_netdata '${perpol_netdata}fullscreen=(self),';
set $perpol_netdata '${perpol_netdata}geolocation=(),';
set $perpol_netdata '${perpol_netdata}gyroscope=(),';
set $perpol_netdata '${perpol_netdata}magnetometer=(),';
set $perpol_netdata '${perpol_netdata}microphone=(),';
set $perpol_netdata '${perpol_netdata}midi=(),';
set $perpol_netdata '${perpol_netdata}notifications=(self),';
set $perpol_netdata '${perpol_netdata}payment=(),';
set $perpol_netdata '${perpol_netdata}push=(self),';
set $perpol_netdata '${perpol_netdata}speaker=(),';
set $perpol_netdata '${perpol_netdata}sync-xhr=(self),';
set $perpol_netdata '${perpol_netdata}vibrate=()'; #no trailing comma
add_header Permissions-Policy $perpol_netdata;
add_header Referrer-Policy strict-origin;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
error_log /mnt/tarzan_logs_01/log/nginx/live/netdata/netdata@tarzan.textpattern.net.error.log warn;
listen [::]:909 http2 ssl;
listen 909 http2 ssl;
server_name tarzan.textpattern.net;
ssl_certificate /etc/certbot/live/tarzan.textpattern.net/fullchain.pem;
ssl_certificate_key /etc/certbot/live/tarzan.textpattern.net/privkey.pem;
ssl_trusted_certificate /etc/certbot/live/tarzan.textpattern.net/fullchain.pem;
location / {
limit_except GET HEAD POST {
deny all;
}
auth_basic "Authentication";
auth_basic_user_file /etc/nginx/auth/passwd-netdata;
proxy_http_version 1.1;
proxy_pass http://netdata-socket;
proxy_pass_request_headers on;
proxy_set_header Connection "keep-alive";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_store off;
}
location = /favicon.ico {
log_not_found off;
}
}
#end `netdata` server block
# configuration file /etc/nginx/includes/monitoring/nginx-stubstatus.conf:
#begin `nginx-stubstatus.conf` server block at `/etc/nginx/includes/monitoring/nginx-stubstatus.conf`
server {#Nginx `stub_status`, IPv4 and IPv6 localhost, http
allow 127.0.0.1;
allow ::1;
deny all;
listen 127.0.0.1:81;
listen [::1]:81;
location /stub_status {
access_log off;
stub_status on;
}
}
#end `nginx-stubstatus.conf` server block
# configuration file /etc/nginx/includes/monitoring/php-fpm80-socket.conf:
#begin `php-fpm80-socket.conf` at `/etc/nginx/includes/monitoring/php-fpm80-socket.conf`
server {#localhost, PHP FastCGI
access_log off;
allow 127.0.0.1;
allow ::1;
deny all;
index index.html;
length_hiding off;
listen [::]:880;
listen 880;
root /var/www/php-fpm/live/;
location / {
index index.html;
}
location ~ ^.+\.php(?:/.*)?$ {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php/php-fpm80.sock;
include fastcgi_params;
}
}
#end `php-fpm80-socket.conf`
# configuration file /etc/nginx/fastcgi_params:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# configuration file /etc/nginx/includes/monitoring/php-fpm80-status.conf:
#begin `php-fpm80-status.conf` at `/etc/nginx/includes/monitoring/php-fpm80-status.conf`
server {#PHP-FPM 8.0 status, IPv4 and IPv6 localhost, http
allow 127.0.0.1;
allow ::1;
deny all;
listen 127.0.0.1:980;
listen [::1]:980;
server_name _;
location /php-fpm80-status {
access_log off;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php/php-fpm80.sock;
include fastcgi_params;
}
}
#end `php-fpm80-status.conf`
-------------------------------------------------------
Hello Sergey.
Thank you for your reply.
> On Sat, Aug 13, 2022 at 04:01:19AM -0400, petecooper wrote:
> > Hello.
> > I have a single-digit fleet of Ubuntu servers, all running a similar
> > configuration:
> >
> > * Ubuntu 20.04LTS, current kernel via `apt`
> > * Nginx 1.23.1 from source, with 3rd party modules
> > * PHP 8.0 or 8.1 from source
>
> Could you please provide an output of the following command:
>
> % nginx -T
I have included partially inline at the end of this email, but the body is too large to send.
The nginx.conf is available here:
https://github.com/textpattern/server-config/blob/main/live/servers/files/tarzan.textpattern.net/etc/nginx/nginx.conf
…and the `servers-available` blocks are here (they are not inline due to size):
https://github.com/textpattern/server-config/tree/main/live/servers/files/tarzan.textpattern.net/etc/nginx/servers-available
> Also, is there any specific reason to build nginx and php from
> source? Is there a chance to reproduce the issue without any of
> party modules?
The Nginx source compile is to be able to use the 3rd party modules, and the PHP source compile is to ensure compatibility of our open source project with current PHP.
There are currently 6 other servers with an identical Nginx & PHP build, and they are not affected. This server has been running as expected for some months, and I am the sole administrator.
Thank you for your time and attention, I appreciate it greatly.
Best wishes to you.
$ sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
#begin `nginx.conf` at `/etc/nginx/nginx.conf`
load_module /usr/lib/nginx/modules/ndk_http_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
load_module /usr/lib/nginx/modules/ngx_http_cache_purge_module.so;
load_module /usr/lib/nginx/modules/ngx_http_echo_module.so;
load_module /usr/lib/nginx/modules/ngx_http_geoip_module.so;
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_image_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_length_hiding_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_memc_module.so;
#load_module /usr/lib/nginx/modules/ngx_http_naxsi_module.so;
load_module /usr/lib/nginx/modules/ngx_http_redis2_module.so;
load_module /usr/lib/nginx/modules/ngx_http_set_misc_module.so;
#load_module /usr/lib/nginx/modules/ngx_http_srcache_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_vhost_traffic_status_module.so;
load_module /usr/lib/nginx/modules/ngx_http_xslt_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_ipscrub_module.so;
load_module /usr/lib/nginx/modules/ngx_nchan_module.so;
#load_module /usr/lib/nginx/modules/ngx_pagespeed.so;
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
pcre_jit on;
pid /var/run/nginx.pid;
user www-data www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
events {
accept_mutex on;
multi_accept on;
worker_connections 65535;
use epoll;
}
http {
#default `log_format` must be declared before `access_log`
log_format ipscrubbed
'$time_iso8601 '
'$msec '
'ips="$remote_addr_ipscrub" '
'rm="$request_method" '
'r="$request" '
'ru="$request_uri" '
'q="$query_string" '
'u="$uri" '
'url="$scheme://$host$request_uri" '
's="$status" '
'rl="$request_length" '
'rt="$request_time" '
'sn="$connection" '
'cr="$connection_requests" '
'ct="$connection_time" '
'bbs="$body_bytes_sent" '
'gzr="$gzip_ratio" '
'ups="$upstream_status" '
'upct="$upstream_connect_time" '
'uprt="$upstream_response_time" '
'uprl="$upstream_response_length" '
'upht="$upstream_header_time" '
'upbr="$upstream_bytes_received" '
'upbs="$upstream_bytes_sent" '
'upcs="$upstream_cache_status" '
'sa="$server_addr" '
'srvp="$server_protocol" '
'tlsp="$ssl_protocol" '
'tlsc="$ssl_cipher" '
'tlscs="$ssl_ciphers" '
'tlsr="$ssl_curves" '
'tlsed="$ssl_early_data" '
'tlssr="$ssl_session_reused" '
'ref="$http_referer" '
'hua="$http_user_agent" '
'hxf="$http_x_forwarded_for"'
;
access_log /mnt/tarzan_logs_01/log/nginx/live/nginx/nginx.access.log ipscrubbed;
autoindex off;
charset UTF-8;
charset_types
text/css
text/plain
text/vnd.wap.wml
text/javascript
text/markdown
text/calendar
text/x-component
text/vcard
text/cache-manifest
text/vtt
application/json
application/manifest+json
;
client_body_buffer_size 2M;
client_body_timeout 30s;
client_header_buffer_size 4k;
client_max_body_size 128M;
default_type application/octet-stream;
error_log /mnt/tarzan_logs_01/log/nginx/live/nginx/nginx.error.log warn;
fastcgi_cache_path /var/cache/nginx/fastcgi levels=1:1 keys_zone=fastcgi-cache:16m max_size=256m inactive=1d;
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 5;
gzip_http_version 1.0;
gzip_min_length 1024;
gzip_proxied any;
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.ms-fontobject
application/wasm
application/x-javascript
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/svg+xml
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy
text/xml
;
gzip_vary on;
include /etc/nginx/mime.types;
keepalive_timeout 30s;
large_client_header_buffers 8 16k;
length_hiding on;
length_hiding_max 1024;
limit_conn_zone $binary_remote_addr zone=conPerIp:5m;
limit_req_zone $binary_remote_addr zone=reqPerMin1:60m rate=1r/m;
limit_req_zone $binary_remote_addr zone=reqPerMin5:60m rate=5r/m;
limit_req_zone $binary_remote_addr zone=reqPerMin10:60m rate=10r/m;
limit_req_zone $binary_remote_addr zone=reqPerMin20:60m rate=20r/m;
limit_req_zone $binary_remote_addr zone=reqPerSec1:5m rate=1r/s;
limit_req_zone $binary_remote_addr zone=reqPerSec5:5m rate=5r/s;
limit_req_zone $binary_remote_addr zone=reqPerSec10:5m rate=10r/s;
limit_req_zone $binary_remote_addr zone=reqPerSec20:5m rate=20r/s;
log_format content-security-policy '';
log_format iplogged
'$time_iso8601 '
'$msec '
'ip="$remote_addr" '
'rm="$request_method" '
'r="$request" '
'ru="$request_uri" '
'q="$query_string" '
'u="$uri" '
'url="$scheme://$host$request_uri" '
's="$status" '
'rl="$request_length" '
'rt="$request_time" '
'sn="$connection" '
'cr="$connection_requests" '
'ct="$connection_time" '
'bbs="$body_bytes_sent" '
'gzr="$gzip_ratio" '
'ups="$upstream_status" '
'upct="$upstream_connect_time" '
'uprt="$upstream_response_time" '
'uprl="$upstream_response_length" '
'upht="$upstream_header_time" '
'upbr="$upstream_bytes_received" '
'upbs="$upstream_bytes_sent" '
'upcs="$upstream_cache_status" '
'sa="$server_addr" '
'srvp="$server_protocol" '
'tlsp="$ssl_protocol" '
'tlsc="$ssl_cipher" '
'tlscs="$ssl_ciphers" '
'tlsr="$ssl_curves" '
'tlsed="$ssl_early_data" '
'tlssr="$ssl_session_reused" '
'ref="$http_referer" '
'hua="$http_user_agent" '
'hxf="$http_x_forwarded_for"'
;
log_format netdata-web_log '';
log_format network-error '';
log_format permissions-policy '';
log_not_found off;
map_hash_bucket_size 128;
max_ranges 8;
more_clear_headers Server;
msie_padding off;
proxy_ssl_protocols TLSv1.3 TLSv1.2;
request_pool_size 8k;
reset_timedout_connection on;
resolver 1.1.1.1 9.9.9.9 [2606:4700:4700::1111] [2620:fe::fe] valid=30s;
resolver_timeout 5s;
sendfile on;
send_timeout 15s;
#server_names_hash_bucket_size 128;
#server_names_hash_max_size 1024;
server_tokens off;
ssl_buffer_size 4k;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_dhparam /etc/nginx/certs/dhparam4096-openssl.pem;
ssl_ecdh_curve 'prime256v1:secp384r1:secp521r1';
#ssl_ocsp on;
#ssl_ocsp_cache shared:OCSP:10m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_session_timeout 6h;
ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /opt/certs/mozilla-cacert.pem;
#ssl_verify_client on;
#ssl_verify_depth 2;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
variables_hash_max_size 2048;
variables_hash_bucket_size 512;
vhost_traffic_status_zone;
#last but not least
include /etc/nginx/includes/deny/10-global-deny.conf;
include /etc/nginx/includes/deny/20-undefined-server-deny.conf;
include /etc/nginx/includes/monitoring/*.conf;
include /etc/nginx/servers-enabled/*.conf;
include /etc/nginx/streams-enabled/*.conf;
}
#end `nginx.conf`
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/includes/deny/10-global-deny.conf:
#begin `10-global-deny.conf` server block at `/etc/nginx/includes/deny/10-global-deny.conf`
#deny all; #here be dragons
#deny 192.0.2.1; #example for a single IPv4 address
#deny 192.0.2.0/24; #example for an IPv4 CIDR block
#deny 2001:db8::1; #example for a single IPv6 address
#deny 2001:db8::/32; #example for an IPv6 CIDR block
#end `10-global-deny.conf` server block
# configuration file /etc/nginx/includes/deny/20-undefined-server-deny.conf:
#begin `20-undefined-server-deny.conf` server block at `/etc/nginx/includes/deny/20-undefined-server-deny.conf`
server {
access_log /mnt/tarzan_logs_01/log/nginx/live/undefined-server-deny/undefined-server-deny.access.log iplogged;
error_log /mnt/tarzan_logs_01/log/nginx/live/undefined-server-deny/undefined-server-deny.error.log warn;
limit_req zone=reqPerMin5;
listen [::]:80 default_server;
listen 80 default_server;
return 444;
server_name _;
}
#end `20-undefined-server-deny.conf` server block
# configuration file /etc/nginx/includes/monitoring/heartbeat.conf:
#begin `heartbeat.conf` server block at `/etc/nginx/includes/monitoring/heartbeat.conf`
server {#hostname, http -> https redirect
access_log /mnt/tarzan_logs_01/log/nginx/live/heartbeat/tarzan.textpattern.net.access.log ipscrubbed;
add_header Content-Security-Policy 'default-src \'none\'' always;
add_header Permissions-Policy default-src=()' always;
add_header Referrer-Policy "strict-origin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
error_log /mnt/tarzan_logs_01/log/nginx/live/heartbeat/tarzan.textpattern.net.error.log warn;
index index.html;
limit_req zone=reqPerSec5;
listen [::]:80;
listen 80;
return 301 https://$host$request_uri;
root /var/www/heartbeat/live/;
server_name tarzan.textpattern.net;
location ^~ /.well-known/ {
allow all;
default_type "text/plain";
root /var/www/heartbeat/_well-known/;
try_files $uri/ $uri =404;
}
location ~ /\. {
deny all;
limit_req zone=reqPerSec1;
}
location /favicon.ico {
access_log off;
log_not_found off;
}
location /robots.txt {
access_log off;
limit_req zone=reqPerSec1;
log_not_found off;
}
location / {
index index.html;
limit_except GET HEAD POST {
deny all;
}
try_files $uri $uri/ =404;
}
location ~ ^.+\.php(?:/.*)?$ {
return 502;
}
}
server {#hostname, https
access_log /mnt/tarzan_logs_01/log/nginx/live/heartbeat/tarzan.textpattern.net.access.log ipscrubbed;
set $consecpol_heartbeat '';
set $consecpol_heartbeat '${consecpol_heartbeat}base-uri \'self\';';
set $consecpol_heartbeat '${consecpol_heartbeat}connect-src \'self\';';
set $consecpol_heartbeat '${consecpol_heartbeat}default-src \'none\';';
set $consecpol_heartbeat '${consecpol_heartbeat}font-src \'self\';';
set $consecpol_heartbeat '${consecpol_heartbeat}frame-ancestors \'none\';';
set $consecpol_heartbeat '${consecpol_heartbeat}frame-src \'none\';';
set $consecpol_heartbeat '${consecpol_heartbeat}img-src \'self\';';
set $consecpol_heartbeat '${consecpol_heartbeat}manifest-src \'self\';';
set $consecpol_heartbeat '${consecpol_heartbeat}media-src \'self\';';
set $consecpol_heartbeat '${consecpol_heartbeat}object-src \'none\';';
set $consecpol_heartbeat '${consecpol_heartbeat}script-src \'self\';';
set $consecpol_heartbeat '${consecpol_heartbeat}style-src \'self\';';
add_header Content-Security-Policy $consecpol_heartbeat always;
set $perpol_heartbeat '';
set $perpol_heartbeat '${perpol_heartbeat}camera=(),';
set $perpol_heartbeat '${perpol_heartbeat}fullscreen=(self),';
set $perpol_heartbeat '${perpol_heartbeat}geolocation=(),';
set $perpol_heartbeat '${perpol_heartbeat}gyroscope=(),';
set $perpol_heartbeat '${perpol_heartbeat}magnetometer=(),';
set $perpol_heartbeat '${perpol_heartbeat}microphone=(),';
set $perpol_heartbeat '${perpol_heartbeat}midi=(),';
set $perpol_heartbeat '${perpol_heartbeat}notifications=(self),';
set $perpol_heartbeat '${perpol_heartbeat}payment=(),';
set $perpol_heartbeat '${perpol_heartbeat}push=(self),';
set $perpol_heartbeat '${perpol_heartbeat}speaker=(),';
set $perpol_heartbeat '${perpol_heartbeat}sync-xhr=(self),';
set $perpol_heartbeat '${perpol_heartbeat}usb=(),';
set $perpol_heartbeat '${perpol_heartbeat}vibrate=()'; #no trailing comma
add_header Permissions-Policy $perpol_heartbeat always;
add_header Referrer-Policy "strict-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
error_log /mnt/tarzan_logs_01/log/nginx/live/heartbeat/tarzan.textpattern.net.error.log warn;
index index.html;
listen [::]:443 http2 ssl;
listen 443 http2 ssl;
root /var/www/heartbeat/live/;
server_name tarzan.textpattern.net;
ssl_certificate /etc/certbot/live/tarzan.textpattern.net/fullchain.pem;
ssl_certificate_key /etc/certbot/live/tarzan.textpattern.net/privkey.pem;
ssl_trusted_certificate /etc/certbot/live/tarzan.textpattern.net/fullchain.pem;
location ^~ /.well-known/ {
allow all;
default_type "text/plain";
root /var/www/heartbeat/_well-known/;
try_files $uri/ $uri =404;
}
location /favicon.ico {
access_log off;
log_not_found off;
}
location /robots.txt {
access_log off;
log_not_found off;
}
location ~ /\. {
deny all;
}
location / {
index index.html;
limit_except GET HEAD POST {
deny all;
}
try_files $uri $uri/ =404;
}
location ~ ^.+\.php(?:/.*)?$ {
return 502;
}
}
#end `heartbeat.conf` server block
# configuration file /etc/nginx/includes/monitoring/netdata.conf:
#begin `netdata` server block at `/etc/nginx/includes/monitoring/netdata.conf`
upstream netdata-socket {
keepalive 60;
server unix:/run/netdata/netdata.sock;
}
server {#netdata hostname, https
access_log off;
set $consecpol_netdata '';
set $consecpol_netdata '${consecpol_netdata}connect-src https://api.github.com https://registry.my-netdata.io \'self\';';
set $consecpol_netdata '${consecpol_netdata}default-src \'none\';';
set $consecpol_netdata '${consecpol_netdata}font-src \'self\';';
set $consecpol_netdata '${consecpol_netdata}frame-ancestors \'self\';';
set $consecpol_netdata '${consecpol_netdata}frame-src \'none\';';
set $consecpol_netdata '${consecpol_netdata}img-src data: \'self\';';
set $consecpol_netdata '${consecpol_netdata}manifest-src \'self\';';
set $consecpol_netdata '${consecpol_netdata}media-src \'self\';';
set $consecpol_netdata '${consecpol_netdata}object-src \'self\';';
set $consecpol_netdata '${consecpol_netdata}script-src \'self\' \'unsafe-inline\';';
set $consecpol_netdata '${consecpol_netdata}style-src \'self\' \'unsafe-inline\';';
add_header Content-Security-Policy $consecpol_netdata;
set $perpol_netdata '';
set $perpol_netdata '${perpol_netdata}camera=(),';
set $perpol_netdata '${perpol_netdata}fullscreen=(self),';
set $perpol_netdata '${perpol_netdata}geolocation=(),';
set $perpol_netdata '${perpol_netdata}gyroscope=(),';
set $perpol_netdata '${perpol_netdata}magnetometer=(),';
set $perpol_netdata '${perpol_netdata}microphone=(),';
set $perpol_netdata '${perpol_netdata}midi=(),';
set $perpol_netdata '${perpol_netdata}notifications=(self),';
set $perpol_netdata '${perpol_netdata}payment=(),';
set $perpol_netdata '${perpol_netdata}push=(self),';
set $perpol_netdata '${perpol_netdata}speaker=(),';
set $perpol_netdata '${perpol_netdata}sync-xhr=(self),';
set $perpol_netdata '${perpol_netdata}vibrate=()'; #no trailing comma
add_header Permissions-Policy $perpol_netdata;
add_header Referrer-Policy strict-origin;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
error_log /mnt/tarzan_logs_01/log/nginx/live/netdata/netdata@tarzan.textpattern.net.error.log warn;
listen [::]:909 http2 ssl;
listen 909 http2 ssl;
server_name tarzan.textpattern.net;
ssl_certificate /etc/certbot/live/tarzan.textpattern.net/fullchain.pem;
ssl_certificate_key /etc/certbot/live/tarzan.textpattern.net/privkey.pem;
ssl_trusted_certificate /etc/certbot/live/tarzan.textpattern.net/fullchain.pem;
location / {
limit_except GET HEAD POST {
deny all;
}
auth_basic "Authentication";
auth_basic_user_file /etc/nginx/auth/passwd-netdata;
proxy_http_version 1.1;
proxy_pass http://netdata-socket;
proxy_pass_request_headers on;
proxy_set_header Connection "keep-alive";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_store off;
}
location = /favicon.ico {
log_not_found off;
}
}
#end `netdata` server block
# configuration file /etc/nginx/includes/monitoring/nginx-stubstatus.conf:
#begin `nginx-stubstatus.conf` server block at `/etc/nginx/includes/monitoring/nginx-stubstatus.conf`
server {#Nginx `stub_status`, IPv4 and IPv6 localhost, http
allow 127.0.0.1;
allow ::1;
deny all;
listen 127.0.0.1:81;
listen [::1]:81;
location /stub_status {
access_log off;
stub_status on;
}
}
#end `nginx-stubstatus.conf` server block
# configuration file /etc/nginx/includes/monitoring/php-fpm80-socket.conf:
#begin `php-fpm80-socket.conf` at `/etc/nginx/includes/monitoring/php-fpm80-socket.conf`
server {#localhost, PHP FastCGI
access_log off;
allow 127.0.0.1;
allow ::1;
deny all;
index index.html;
length_hiding off;
listen [::]:880;
listen 880;
root /var/www/php-fpm/live/;
location / {
index index.html;
}
location ~ ^.+\.php(?:/.*)?$ {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php/php-fpm80.sock;
include fastcgi_params;
}
}
#end `php-fpm80-socket.conf`
# configuration file /etc/nginx/fastcgi_params:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# configuration file /etc/nginx/includes/monitoring/php-fpm80-status.conf:
#begin `php-fpm80-status.conf` at `/etc/nginx/includes/monitoring/php-fpm80-status.conf`
server {#PHP-FPM 8.0 status, IPv4 and IPv6 localhost, http
allow 127.0.0.1;
allow ::1;
deny all;
listen 127.0.0.1:980;
listen [::1]:980;
server_name _;
location /php-fpm80-status {
access_log off;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php/php-fpm80.sock;
include fastcgi_params;
}
}
#end `php-fpm80-status.conf`
| Subject | Author | Posted |
|---|---|---|
|
petecooper | August 13, 2022 04:01AM |
|
Sergey A. Osokin | August 13, 2022 09:24AM |
|
petecooper | August 14, 2022 04:46AM |
|
petecooper | August 14, 2022 06:37AM |
|
petecooper | August 16, 2022 05:49AM |
|
Sergey A. Osokin | August 16, 2022 11:12AM |
Sorry, only registered users may post in this forum.
Online Users
Guests:
219
Record Number of Users:
8
on April 13, 2023
Record Number of Guests:
421
on December 02, 2018
This forum is powered by Phorum.
 |
 |
 |
 |
|