[root@vps html]# cat /etc/nginx/sites-available/00-default-ssl.conf
#
# Note: This file must be loaded before other virtual host config files,
#
# HTTPS
#
# `server_name _` matches no real hostname; together with the load-order note
# above, this block acts as the default HTTPS server. Every application
# template included below is therefore reachable under any Host header that
# arrives on port 443 of this machine.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;

    root /var/www/html/;
    index index.php index.html;

    # Include order matters: once the templates are expanded, regex locations
    # (`location ~ ...`) are tested in the order they appear here.
    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    # include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/sogo.tmpl;
    include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    include /etc/nginx/templates/stub_status.tmpl;
    include /etc/nginx/templates/nextcloud.tmpl;
    # web.tmpl is not shown on this page; the failing request in the error log
    # (/web/index.php) is presumably handled by it or by php-catchall.tmpl.
    include /etc/nginx/templates/web.tmpl;
}
[root@vps html]# cat /etc/nginx/templates/misc.tmpl
# Allow access to '^/.well-known/'
# This regex is listed before the hidden-file rule below, so it wins for
# /.well-known/ paths (the first matching regex location is used). The dot is
# unescaped and therefore matches any character, not only a literal '.'.
location ~ ^/.well-known/ {
    allow all;
    access_log off;
    log_not_found off;
    autoindex off;
    #root /var/www/html;
}

# Deny all attempts to access hidden files such as .htaccess.
# Regex locations are not consulted for URIs captured by a `^~` prefix
# location (e.g. /SOGo and /nextcloud in the other templates), so this rule
# does not protect dotfiles underneath those prefixes.
location ~ /\. {
    deny all;
}

# Handling noisy messages
location = /favicon.ico {
    access_log off;
    log_not_found off;
}
location = /robots.txt {
    access_log off;
    log_not_found off;
}
[root@vps html]# cat /etc/nginx/templates/ssl.tmpl
# Only TLS 1.2 and 1.3 are offered; older protocol versions are refused.
ssl_protocols TLSv1.2 TLSv1.3;

# Fix 'The Logjam Attack'.
# ssl_ciphers governs TLS 1.2 and below; TLS 1.3 suites are not selected by
# this list.
# NOTE(review): `AES256+EECDH` also matches ECDHE CBC-mode suites; drop it if
# only AEAD suites are wanted.
ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH;
ssl_prefer_server_ciphers on;
# Custom group for the finite-field DHE (EDH) suites; the file name suggests
# a 2048-bit parameter.
ssl_dhparam /etc/pki/tls/dh2048_param.pem;

# Greatly improve the performance of keep-alive connections over SSL.
# With this enabled, client is not necessary to do a full SSL-handshake for
# every request, thus saving time and cpu-resources.
ssl_session_cache shared:SSL:10m;

# To use your own ssl cert (e.g. "Let's Encrypt"), please create symbol link to
# ssl cert/key used below, so that we can manage this config file with Ansible.
#
# For example:
#
# rm -f /etc/pki/tls/private/iRedMail.key
# rm -f /etc/pki/tls/certs/iRedMail.crt
# ln -s /etc/letsencrypt/live/domain/privkey.pem /etc/pki/tls/private/iRedMail.key
# ln -s /etc/letsencrypt/live/domain/fullchain.pem /etc/pki/tls/certs/iRedMail.crt
#
# To request free "Let's Encrypt" cert, please check our tutorial:
# https://docs.iredmail.org/letsencrypt.html
ssl_certificate /etc/pki/tls/certs/iRedMail.crt;
# Private key: keep the file (or the symlink target) readable by root only.
ssl_certificate_key /etc/pki/tls/private/iRedMail.key;
[root@vps html]# cat /etc/nginx/templates/iredadmin.tmpl
# Settings for iRedAdmin.

# static files under /iredadmin/static
location ~ ^/iredadmin/static/(.*) {
    alias /opt/www/iredadmin/static/$1;
}

# Python scripts
# Strips the /iredadmin prefix and hands the request to the uwsgi instance on
# 127.0.0.1:7791.
location ~ ^/iredadmin(.*) {
    rewrite ^/iredadmin(/.*)$ $1 break;

    include /etc/nginx/templates/hsts.tmpl;

    include uwsgi_params;
    uwsgi_pass 127.0.0.1:7791;
    uwsgi_param UWSGI_CHDIR /opt/www/iredadmin;
    uwsgi_param UWSGI_SCRIPT iredadmin;
    uwsgi_param SCRIPT_NAME /iredadmin;

    # Access control
    # All four lines below are commented out, so the admin panel is reachable
    # from every client that can reach port 443. Enable an allow-list ending
    # in `deny all;` to restrict it to administrative networks.
    #allow 127.0.0.1;
    #allow 192.168.1.10;
    #allow 192.168.1.0/24;
    #deny all;
}

# iRedAdmin: redirect /iredadmin to /iredadmin/
location = /iredadmin {
    rewrite ^ /iredadmin/;
}

# Handle newsletter-style subscription/unsubscription supported in iRedAdmin-Pro.
location ~ ^/newsletter/ {
    rewrite /newsletter/(.*) /iredadmin/newsletter/$1 last;
}
[root@vps html]# cat /etc/nginx/templates/sogo.tmpl
# Settings for SOGo Groupware

# SOGo
# The redirect target is built from $host, which follows the client's Host
# header when the request lands on a catch-all server; a fixed hostname avoids
# reflecting a client-chosen name in the Location header.
location ~ ^/sogo { rewrite ^ https://$host/SOGo; }
location ~ ^/SOGO { rewrite ^ https://$host/SOGo; }

# Redirect /mail to /SOGo
location ~ ^/mail { rewrite ^ https://$host/SOGo; }

# For Mac OS X and iOS devices.
# These rewrites are outside any location block, so they run before location
# matching. The exact-match /.well-known/carddav and /.well-known/caldav
# locations in nextcloud.tmpl therefore appear to be shadowed when both
# templates are included in the same server.
rewrite ^/.well-known/caldav /SOGo/dav permanent;
rewrite ^/.well-known/carddav /SOGo/dav permanent;
rewrite ^/principals /SOGo/dav permanent;

# `^~` stops the regex search for this prefix, so regex locations from other
# templates (hidden-file deny, PHP catch-all) do not apply under /SOGo.
location ^~ /SOGo {
    include /etc/nginx/templates/hsts.tmpl;

    proxy_pass http://127.0.0.1:20000;

    # forward user's IP address
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;

    # always use https
    proxy_set_header x-webobjects-server-port $server_port;
    proxy_set_header x-webobjects-server-name $host;
    proxy_set_header x-webobjects-server-url https://$host;

    proxy_set_header x-webobjects-server-protocol HTTP/1.0;

    proxy_busy_buffers_size 64k;
    proxy_buffers 8 64k;
    proxy_buffer_size 64k;
}

# ActiveSync endpoints: same backend, with connect/send/read timeouts of
# 3540 seconds.
location ^~ /Microsoft-Server-ActiveSync {
    proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;

    proxy_connect_timeout 3540;
    proxy_send_timeout 3540;
    proxy_read_timeout 3540;

    proxy_busy_buffers_size 64k;
    proxy_buffers 8 64k;
    proxy_buffer_size 64k;
}

location ^~ /SOGo/Microsoft-Server-ActiveSync {
    proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;

    proxy_connect_timeout 3540;
    proxy_send_timeout 3540;
    proxy_read_timeout 3540;

    proxy_busy_buffers_size 64k;
    proxy_buffers 8 64k;
    proxy_buffer_size 64k;
}

# Static SOGo resources are served straight from disk.
location /SOGo.woa/WebServerResources/ {
    alias /usr/lib64/GNUstep/SOGo/WebServerResources/;
    expires max;
}
location /SOGo/WebServerResources/ {
    alias /usr/lib64/GNUstep/SOGo/WebServerResources/;
    expires max;
}
# NOTE(review): there is no `~` modifier here, so this looks like it is parsed
# as a literal prefix rather than a regex, and $1/$2 would never be populated.
# Confirm against the upstream template.
location ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {
    alias /usr/lib64/GNUstep/SOGo/$1.SOGo/Resources/$2;
    expires max;
}
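[root@vps html]# cat /etc/nginx/templates/netdata.tmpl
# Running netdata as a subfolder to an existing virtual host
# FYI: https://github.com/firehol/netdata/wiki/Running-behind-nginx

location = /netdata {
    return 301 /netdata/;
}

# The named capture was mangled in the paste ("(? ndpath .*)"); it has to be
# (?<ndpath>...) because proxy_pass below reads $ndpath.
# The pattern is unanchored, so it matches "/netdata/" anywhere in the URI,
# not only at the start.
location ~ /netdata/(?<ndpath>.*) {
    proxy_redirect off;
    proxy_set_header Host $host;

    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_pass_request_headers on;
    proxy_set_header Connection "keep-alive";
    proxy_store off;
    # The netdata dashboard itself is proxied from loopback port 19999.
    proxy_pass http://127.0.0.1:19999/$ndpath$is_args$args;

    gzip on;
    gzip_proxied any;
    gzip_types *;

    # HTTP basic auth is the only gate in front of the dashboard in this
    # template; the credentials file lives outside the web root.
    auth_basic "Authentication Required";
    auth_basic_user_file /etc/nginx/netdata.users;
}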
[root@vps html]# cat /etc/nginx/templates/php-catchall.tmpl
# Normal PHP scripts
# fastcgi_php.tmpl is not shown on this page; presumably it carries the
# fastcgi_pass directive (the error log's upstream 127.0.0.1:9999 matches the
# php_workers upstream) - confirm.
# NOTE(review): no `try_files $uri =404;` (or equivalent existence check) is
# visible here. Unless the included template or PHP's cgi.fix_pathinfo=0
# covers it, any URI ending in .php is handed to PHP-FPM whether or not the
# file exists - verify before relying on this block.
location ~ \.php$ {
    include /etc/nginx/templates/fastcgi_php.tmpl;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
[root@vps html]# cat /etc/nginx/templates/stub_status.tmpl
# nginx connection counters. Access is limited to IPv4 loopback; a local
# client connecting over ::1 is denied as well, because only 127.0.0.1 is
# allowed.
location = /stub_status {
    stub_status on;
    access_log off;
    allow 127.0.0.1;
    deny all;
}

# Forwards /status to the php_workers upstream with the same loopback-only
# restriction. Presumably this is the PHP-FPM status page - confirm against
# the pool configuration.
location = /status {
    include fastcgi_params;
    fastcgi_pass php_workers;
    fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
    access_log off;
    allow 127.0.0.1;
    deny all;
}
[root@vps html]# cat /etc/nginx/templates/nextcloud.tmpl
# DAV service discovery. The redirect target uses $host, i.e. the name the
# client sent. When sogo.tmpl is included in the same server, its server-level
# rewrites for the same two paths run first, so these two locations appear to
# be shadowed.
location = /.well-known/carddav { return 301 $scheme://$host/nextcloud/remote.php/dav; }
location = /.well-known/caldav { return 301 $scheme://$host/nextcloud/remote.php/dav; }

location /.well-known/acme-challenge { }

# `^~` stops the regex search for this prefix at server level, so only the
# nested locations below apply under /nextcloud (the server-level hidden-file
# deny and PHP catch-all do not).
location ^~ /nextcloud {
    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    # Everything not matched by a regex below goes to the front controller.
    location /nextcloud {
        rewrite ^ /nextcloud/index.php$request_uri;
    }

    # Block direct web access to internal directories (config, data, ...).
    location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    # Block dotfiles and maintenance entry points (occ, console, db_*, ...).
    location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    # Only this fixed list of PHP entry points is passed to PHP-FPM. It uses
    # the php-handler upstream, not php_workers.
    location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        # NOTE(review): this flag is meant for setups where nginx adds the
        # security headers itself, but no add_header block for PHP responses
        # is visible in the templates shown here - confirm the headers are
        # actually sent.
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^\/nextcloud\/(?:updater|ocs-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js, css and map files
    # Make sure it is BELOW the PHP block
    location ~ ^\/nextcloud\/.+[^\/]\.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /nextcloud/index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended
        # to have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read
        # into this topic first.
        # HSTS stays disabled here, while iredadmin.tmpl and sogo.tmpl include
        # hsts.tmpl.
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;

        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ ^\/nextcloud\/.+[^\/]\.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /nextcloud/index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
[root@vps html]# cat /etc/nginx/conf-available/php_fpm.conf
# Two named FastCGI upstreams. php_workers points at 127.0.0.1:9999, while
# php-handler (used by nextcloud.tmpl) points at 127.0.0.1:9000.
upstream php_workers {
    server 127.0.0.1:9999;
}
upstream php-handler {
    server 127.0.0.1:9000;
    # server unix:/var/run/php/php7.4-fpm.sock;
}
2022/04/06 11:48:31 [error] 183326#0: *1 connect() failed (111: Connection refused) while connecting to upstream, client: xx.xx.xx.xx, server: _, request: "GET /web/index.php HTTP/2.0", upstream: "fastcgi://127.0.0.1:9999", host: "xxxxxxx.xx"
Řešení dotazu:
# The two upstreams use different ports: 9999 for php_workers, 9000 for
# php-handler. The error log entry names 127.0.0.1:9999.
upstream php_workers {
    server 127.0.0.1:9999;
}
upstream php-handler {
    server 127.0.0.1:9000;
    # server unix:/var/run/php/php7.4-fpm.sock;
}
Kdepak, ten běží.
[root@vps ~]# systemctl status php-fpm.service ● php-fpm.service - The PHP FastCGI Process Manager Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2022-04-06 10:35:33 CEST; 5h 36min ago Main PID: 179534 (php-fpm) Status: "Processes active: 0, idle: 6, Requests: 869, slow: 0, Traffic: 0req/sec" Tasks: 7 (limit: 24932) Memory: 115.6M CGroup: /system.slice/php-fpm.service ├─179534 php-fpm: master process (/etc/php-fpm.conf) ├─190997 php-fpm: pool inet ├─191040 php-fpm: pool inet ├─191044 php-fpm: pool inet ├─191083 php-fpm: pool inet ├─191087 php-fpm: pool inet └─191616 php-fpm: pool inet Apr 06 14:16:23 vps php-fpm[179534]: [NOTICE] [pool inet] child 179539 exited with code 0 after 13250.376719 seconds from start Apr 06 14:16:23 vps php-fpm[179534]: [NOTICE] [pool inet] child 191040 started Apr 06 14:16:53 vps php-fpm[179534]: [NOTICE] [pool inet] child 179538 exited with code 0 after 13280.381147 seconds from start Apr 06 14:16:53 vps php-fpm[179534]: [NOTICE] [pool inet] child 191044 started Apr 06 14:17:23 vps php-fpm[179534]: [NOTICE] [pool inet] child 179536 exited with code 0 after 13310.377432 seconds from start Apr 06 14:17:23 vps php-fpm[179534]: [NOTICE] [pool inet] child 191083 started Apr 06 14:17:53 vps php-fpm[179534]: [NOTICE] [pool inet] child 179537 exited with code 0 after 13340.382813 seconds from start Apr 06 14:17:53 vps php-fpm[179534]: [NOTICE] [pool inet] child 191087 started Apr 06 14:28:53 vps php-fpm[179534]: [NOTICE] [pool inet] child 179596 exited with code 0 after 13966.336811 seconds from start Apr 06 14:28:53 vps php-fpm[179534]: [NOTICE] [pool inet] child 191616 started
telnet 127.0.0.1 9999
curl 'http://127.0.0.1:9999/'
Ten port je divný, přijde mi, že log neodpovídá konfiguraci. Vidím ho jen u
php_workers
, které se použije jen u location = /status
. Funguje správně reloadování?
sudo nginx -t
Změní se port v logu, pokud ho změníš u
php_workers
?
[root@vps ~]# ss -lntp State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 5 127.0.0.1:20000 0.0.0.0:* users:(("sogod",pid=1469,fd=4),("sogod",pid=1468,fd=4),("sogod",pid=1467,fd=4),("sogod",pid=1466,fd=4),("sogod",pid=1465,fd=4),("sogod",pid=1464,fd=4),("sogod",pid=1463,fd=4),("sogod",pid=1462,fd=4),("sogod",pid=1461,fd=4),("sogod",pid=1460,fd=4),("sogod",pid=1433,fd=4)) LISTEN 0 5 127.0.0.1:7777 0.0.0.0:* users:(("python3",pid=1505,fd=6)) LISTEN 0 128 0.0.0.0:993 0.0.0.0:* users:(("dovecot",pid=1134,fd=50)) LISTEN 0 5 127.0.0.1:7778 0.0.0.0:* users:(("python3",pid=1505,fd=7)) LISTEN 0 5 127.0.0.1:7779 0.0.0.0:* users:(("python3",pid=1505,fd=8)) LISTEN 0 100 0.0.0.0:995 0.0.0.0:* users:(("dovecot",pid=1134,fd=30)) LISTEN 0 128 127.0.0.1:9000 0.0.0.0:* users:(("php-fpm",pid=270596,fd=12),("php-fpm",pid=269997,fd=12),("php-fpm",pid=269983,fd=12),("php-fpm",pid=269949,fd=12),("php-fpm",pid=269904,fd=12),("php-fpm",pid=269865,fd=12),("php-fpm",pid=269449,fd=12),("php-fpm",pid=179534,fd=9)) LISTEN 0 128 127.0.0.1:10024 0.0.0.0:* users:(("/usr/sbin/amavi",pid=1672,fd=7),("/usr/sbin/amavi",pid=1671,fd=7),("/usr/sbin/amavi",pid=1670,fd=7),("/usr/sbin/amavi",pid=1669,fd=7),("/usr/sbin/amavi",pid=1494,fd=7)) LISTEN 0 100 127.0.0.1:10025 0.0.0.0:* users:(("master",pid=1512,fd=121)) LISTEN 0 128 127.0.0.1:10026 0.0.0.0:* users:(("/usr/sbin/amavi",pid=1672,fd=8),("/usr/sbin/amavi",pid=1671,fd=8),("/usr/sbin/amavi",pid=1670,fd=8),("/usr/sbin/amavi",pid=1669,fd=8),("/usr/sbin/amavi",pid=1494,fd=8)) LISTEN 0 100 0.0.0.0:587 0.0.0.0:* users:(("master",pid=1512,fd=104)) LISTEN 0 128 127.0.0.1:10027 0.0.0.0:* users:(("/usr/sbin/amavi",pid=1672,fd=9),("/usr/sbin/amavi",pid=1671,fd=9),("/usr/sbin/amavi",pid=1670,fd=9),("/usr/sbin/amavi",pid=1669,fd=9),("/usr/sbin/amavi",pid=1494,fd=9)) LISTEN 0 128 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=637,fd=23)) LISTEN 0 100 127.0.0.1:10028 0.0.0.0:* users:(("master",pid=1512,fd=124)) LISTEN 0 128 127.0.0.1:9998 
0.0.0.0:* users:(("/usr/sbin/amavi",pid=1672,fd=10),("/usr/sbin/amavi",pid=1671,fd=10),("/usr/sbin/amavi",pid=1670,fd=10),("/usr/sbin/amavi",pid=1669,fd=10),("/usr/sbin/amavi",pid=1494,fd=10)) LISTEN 0 100 0.0.0.0:110 0.0.0.0:* users:(("dovecot",pid=1134,fd=28)) LISTEN 0 100 127.0.0.1:7790 0.0.0.0:* users:(("uwsgi",pid=1431,fd=10),("uwsgi",pid=1430,fd=10),("uwsgi",pid=1429,fd=10),("uwsgi",pid=1428,fd=10),("uwsgi",pid=1427,fd=10),("uwsgi",pid=1049,fd=10)) LISTEN 0 128 0.0.0.0:143 0.0.0.0:* users:(("dovecot",pid=1134,fd=48)) LISTEN 0 100 127.0.0.1:7791 0.0.0.0:* users:(("uwsgi",pid=1478,fd=10),("uwsgi",pid=1477,fd=10),("uwsgi",pid=1476,fd=10),("uwsgi",pid=1475,fd=10),("uwsgi",pid=1474,fd=10),("uwsgi",pid=1061,fd=10)) LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=183326,fd=10),("nginx",pid=183325,fd=10)) LISTEN 0 100 0.0.0.0:465 0.0.0.0:* users:(("master",pid=1512,fd=108)) LISTEN 0 128 127.0.0.1:24242 0.0.0.0:* users:(("stats",pid=1411,fd=10),("dovecot",pid=1134,fd=23)) LISTEN 0 100 127.0.0.1:12340 0.0.0.0:* users:(("dovecot",pid=1134,fd=71)) LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=644,fd=5)) LISTEN 0 100 127.0.0.1:24 0.0.0.0:* users:(("lmtp",pid=1407,fd=9),("lmtp",pid=1406,fd=9),("lmtp",pid=1405,fd=9),("lmtp",pid=1404,fd=9),("lmtp",pid=1397,fd=9),("dovecot",pid=1134,fd=38)) LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=1512,fd=16)) LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=183326,fd=8),("nginx",pid=183325,fd=8)) LISTEN 0 128 127.0.0.1:8125 0.0.0.0:* users:(("netdata",pid=251411,fd=75)) LISTEN 0 100 127.0.0.1:4190 0.0.0.0:* users:(("dovecot",pid=1134,fd=18)) LISTEN 0 128 127.0.0.1:19999 0.0.0.0:* users:(("netdata",pid=251411,fd=5)) LISTEN 0 128 [::]:993 [::]:* users:(("dovecot",pid=1134,fd=51)) LISTEN 0 100 [::]:995 [::]:* users:(("dovecot",pid=1134,fd=31)) LISTEN 0 128 *:3306 *:* users:(("mysqld",pid=832,fd=24)) LISTEN 0 100 [::]:587 [::]:* users:(("master",pid=1512,fd=105)) LISTEN 0 100 [::]:110 [::]:* 
users:(("dovecot",pid=1134,fd=29)) LISTEN 0 128 [::]:143 [::]:* users:(("dovecot",pid=1134,fd=49)) LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=183326,fd=11),("nginx",pid=183325,fd=11)) LISTEN 0 100 [::]:465 [::]:* users:(("master",pid=1512,fd=109)) LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=644,fd=7)) LISTEN 0 100 [::]:25 [::]:* users:(("master",pid=1512,fd=17)) LISTEN 0 128 [::]:443 [::]:* users:(("nginx",pid=183326,fd=9),("nginx",pid=183325,fd=9)) LISTEN 0 128 [::1]:8125 [::]:* users:(("netdata",pid=251411,fd=64))
[root@vps ~]# curl 'http://127.0.0.1:9999/' curl: (7) Failed to connect to 127.0.0.1 port 9999: Connection refused
Pardon, jsem totálně slepý.
V /etc/nginx/conf-enabled/php_fpm.conf změněn port na 9000 a všechno jede
# Both upstreams now point at the same loopback address and port,
# 127.0.0.1:9000.
upstream php_workers {
    server 127.0.0.1:9000;
}
upstream php-handler {
    server 127.0.0.1:9000;
    # server unix:/var/run/php/php7.4-fpm.sock;
}
Mockrát děkuji