Hi you all,
I'm trying to improve the reverse proxy's virtual hosts' configuration
files of my company,
but I'm facing an issue that I can't understand:
In the "location / " block I inserted these lines
location ~*
^.+\.(eot|otf|woff|woff2|ttf|rss|atom|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$
{
access_log off; log_not_found off; expires max;
}
and everythings fine,
==> /var/log/nginx/MYSITEcom.access.log <==
172.18.0.1 - - [26/Feb/2024:08:36:44 +0000] "GET
/wp-content/themes/MYSITE/images/back-numbers.png HTTP/1.1" 200 264666
"https://www.MYSITE.com/wp-content/themes/MYSITE/css/style.css?ver=5.6.1"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/122.0.0.0 Safari/537.36"
it doesn's log the gets to these extentions and so on but when I put the
following line,
location ~* \.(?:css|js)$ {
expires 1y;
access_log off;
add_header Cache-Control "public";
}
the site changes aspect and logs are filles with "no such file or directory"
==> /var/log/nginx/MYSITE.com.error.log <==
2024/02/26 08:34:46 [error] 107#107: *336 open()
"/etc/nginx/html/wp-content/themes/MYSITE/webfonts/Roboto-Regular.ttf"
failed (2: No such file or directory), client: 172.18.0.1, server:
www.MYSITE.com, request: "GET
/wp-content/themes/MYSITE/webfonts/Roboto-Regular.ttf HTTP/1.1", host:
"www.MYSITE.com", referrer:
"https://www.MYSITE.com/wp-content/themes/MYSITE/css/style.css?ver=5.6.1"
It looks like it changes, some way, the root directory, but being
reverse proxies I didn't set it up.
here below you can fine the virtual host conf file.
thanks in advance for every suggestion
Rob
##################
## plain http
##################
server {
listen80;
server_name MYSITE.com;
return301 https://www.$server_name$request_uri;
}
server {
listen80;
server_name www.MYSITE.com;
return301 https://$server_name$request_uri;
}
## cyphered https
##################
##################
server {
# SRV NAME
listen443 ssl;
server_name MYSITE.com;
return301 https://www.$server_name$request_uri;
# TLS
ssl_certificate /etc/ssl/websites/www.MYSITE.com/www.MYSITE.com.crt;
# --> ricordati di appendere il bundle nel crt <--
ssl_certificate_key /etc/ssl/websites/www.MYSITE.com/www.MYSITE.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
}
server {
# SRV NAME
listen443 ssl;
server_name www.MYSITE.com;
# TLS
ssl_certificate /etc/ssl/websites/www.MYSITE.com/www.MYSITE.com.crt;
# --> ricordati di appendere il bundle nel crt <--
ssl_certificate_key /etc/ssl/websites/www.MYSITE.com/www.MYSITE.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/MYSITE.com.access.log;
error_log /var/log/nginx/MYSITE.com.error.log;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# Security Headers
fastcgi_hide_header X-Powered-By;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Set-Cookie "Path=/; HttpOnly; Secure";
add_header Cache-Control 'no-store, no-cache';
# config to enable HSTS(HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=31536000;
includeSubDomains"always;
add_header Content-Security-Policy "script-src 'self' *.youtube.com
maps.gstatic.com *.googleapis.com *.google-analytics.com
cdnjs.cloudflare.com assets.zendesk.com connect.facebook.net; frame-src
'self' *.youtube.com assets.zendesk.com *.facebook.com
s-static.ak.facebook.com tautt.zendesk.com; object-src 'self';
default-src 'self'; frame-ancestors 'self'; form-action 'self'";
# header and cache expiration
expires epoch;
# security
#Autenticazioneauth_basic "Authentication required";
#Autenticazioneauth_basic_user_file /etc/nginx/.htpasswd;
location / {
proxy_pass https://MYSITE.portals:97/ ; # in caso di redirect su URI !=
# si disabilita il proxy_ssl_verify
# include proxy_params;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
proxy_ssl_verify off; # disabilitato perchè non in possesso della CA..pem
proxy_ssl_trusted_certificate
/etc/ssl/websites/MYSITE.com/MYSITE.com.ca-bundle;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
proxy_ssl_name $proxy_host;
##########################
#
# THESE BLOCKS WORK FINE
#
##########################
# Directives to send expires headers and turn off 404 error logging.
location ~*
^.+\.(eot|otf|woff|woff2|ttf|rss|atom|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$
{
access_log off; log_not_found off; expires max;
}
location ~* \.(?:cgi|shtml|phtml|php)$ {
add_header Cache-Control "public";
client_max_body_size 0;
chunked_transfer_encoding on;
}
##########################
#
# THESE BLOCKS BREAK ALL
#
##########################
# # Media: images, icons, video, audio send expires headers
# location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm)$ {
# expires 1M;
# access_log off;
# add_header Cache-Control "public";
# }
# Web fonts send expires headers
# location ~* \.(?:eot|otf|ttf|woff|woff2)$ {
# expires 3M;
# access_log off;
# add_header Cache-Control "public";
# }
# # HTML send expires headers.
# location ~* \.(html)$ {
# expires 7d;
# access_log off;
# add_header Cache-Control "public";
# }
# Browser caching of static assets.
# location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf)$ {
# expires 7d;
# add_header Cache-Control "public, no-transform";
# }
# CSS and Javascript send expires headers.
# location ~* \.(?:css|js)$ {
# expires 1y;
# access_log off;
# add_header Cache-Control "public";
# }
}
# Enable Gzip compression in NGNIX.
gzip on;
gzip_disable "msie6";
gzip_static on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 512;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript
application/x-javascript text/xml application/xml application/rss+xml
text/javascript image/svg+xml font/truetype application/x-font-ttf
text/x-component font/opentype application/vnd.ms-fontobject;
location ~ [^/]\.php(/|$){
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
# Mitigate https://httpoxy.org/vulnerabilities
fastcgi_param HTTP_PROXY "";
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
# include the fastcgi_param setting
include fastcgi_params;
# SCRIPT_FILENAME parameter is used for PHP FPM determining
# the script name. If it is not set in fastcgi_params file,
# i.e. /etc/nginx/fastcgi_params or in the parent contexts,
# please comment off following line:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
location ~ \wp-login.php$ {
allow 192.168.0.0/16;
deny all;
include fastcgi.conf;
fastcgi_intercept_errors on;
fastcgi_pass unix:/var/run/appname.sock;
}
include fastcgi.conf;
fastcgi_intercept_errors on;
#fastcgi_pass unix:/var/run/appname.sock;
}
location = /robots.txt {
add_header Content-Type text/plain;
return200 "User-agent: *\nDisallow: /\n";
}
}
_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
