    I've been running ispconfig for a year or so now, and have managed to solve most of my problems through reading the forums and documentation so far. This is a general question about best practices of altering the default configuration of nginx and virtual hosts.
    I have a few improvements over the default nginx configuration, which I want to apply to all sites. I was wondering what the best way of doing this was.
    If this was a standalone server, I'd be happily modifying /etc/nginx.conf and /etc/nginx/sites-enabled. However I'm unclear about what files ispconfig controls, and therefore asking what the best way of modifying them is.


    All the sites on my installation run WordPress, and I have a bunch of nginx security directives that I want to include. I know about 'snippets'. However, the problem with my rules is that they need to be higher up the configuration file, rather than appended to the end, so when I use snippets they don't work.

    Master vhost config:

    I located the master vhost config file at /usr/local/ispconfig/server/conf/nginx_vhost.conf.master
    I was able to successfully alter that to include a file at /etc/nginx/wp-security.conf with all my changes in. However, I've noticed that the changes don't stick. I'm pretty sure that that file is updated whenever there is an upgrade of ispconfig. Are there any other circumstances under which this file might get overwritten?
    For now I've written a script to alert me if this file reverts back to a version without my changes, which runs once a day. Obviously this is a bit of a kludge, so I'd like to do it properly. What is the best way of making a change to nginx_vhost.conf.master stick? Is there an override mechanism? (e.g. a file placed in a certain place would automatically be included in all vhosts, like my system now currently does) If not, perhaps one of these would be useful in the future?

    I recently used ispconfig_LetsEncrypt and noticed that this included a couple of lines in the /etc/nginx.conf file (the 'well-known-hosts' mime type directive), as is required. This presumably is also at risk of being overwritten. Usually when upgrading nginx (on Debian etc.) you are given the choice to upgrade this file or not. The default is NOT, and I obviously would pick that. Does Ispconfig make any changes to nginx.conf too, or is that safe to modify, so that changes to that file would presumably affect all vhosts running on that server?
    (Or am I wrong in that assumption?)

    In theory any file placed in this directory with the conf extension will be included in the main nginx.conf, after it's included all the /etc/nginx/sites-enabled/ files. In practice I haven't been able to get this to work. Would this be a better way of modifying server-wide configuration? Is there a trick to making it work?
    The directive I tested with was server_tokens Off;, which is easy to test for. I'd also like to use some add_header directives. If anyone has successfully got those to work server-wide from a conf file in the conf-d directory, I'd love to hear how you did it.

    So there we have the options. What are people using? What is safest? Hoping to promote some discussion here.

    Snippets never need to be higher in the nginx config. You probably did not use the ###merge### and ###delete### statements in ISPConfig to add your code in the right sections of the configuration file or to replace default directives.

    Like with all ispconfig template files, manually altered versions have to be put into /usr/local/ispconfig/server/conf-custom/

    Thanks Till. This is exactly what I needed. I'm sure I'll figure it out from here.
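
The conf-custom answer above, as an added sketch that is not part of the thread and not ISPConfig's own code: an override kept in conf-custom is a copy of the stock template, so it does not pick up changes a later update makes to the stock file, and this check reports that drift along with a missing include line or loose file permissions. The two directories are the ones named in the thread; the include line, the `.base-sha256` sidecar file and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Directories are the ones named in the thread; the include
# line, the .base-sha256 file and the function names are assumptions.
ISPC_CONF="${ISPC_CONF:-/usr/local/ispconfig/server/conf}"
ISPC_CUSTOM="${ISPC_CUSTOM:-/usr/local/ispconfig/server/conf-custom}"
TPL="nginx_vhost.conf.master"
INCLUDE_LINE="include /etc/nginx/wp-security.conf;"

sha() { sha256sum "$1" | cut -d' ' -f1; }

# Create the override from the stock template if none exists yet, and record
# the hash of the stock version it was derived from.
seed_custom_template() {
    [ -f "$ISPC_CONF/$TPL" ] || return 2
    mkdir -p "$ISPC_CUSTOM" || return 2
    [ -f "$ISPC_CUSTOM/$TPL" ] && return 0
    cp "$ISPC_CONF/$TPL" "$ISPC_CUSTOM/$TPL" || return 2
    chmod 644 "$ISPC_CUSTOM/$TPL"
    sha "$ISPC_CONF/$TPL" > "$ISPC_CUSTOM/$TPL.base-sha256"
}

# 0 = override in place and current
# 1 = override lacks the include line (edit not made, or lost)
# 2 = override or its recorded base hash is missing
# 3 = stock template changed since the override was made: re-merge needed
# 4 = override is group- or world-writable
check_custom_template() {
    custom="$ISPC_CUSTOM/$TPL"
    [ -f "$custom" ] && [ -f "$custom.base-sha256" ] || return 2
    grep -qF -- "$INCLUDE_LINE" "$custom" || return 1
    [ -z "$(find "$custom" \( -perm -020 -o -perm -002 \))" ] || return 4
    [ "$(sha "$ISPC_CONF/$TPL")" = "$(cat "$custom.base-sha256")" ] || return 3
    return 0
}

# After re-merging upstream changes into the override, record the new base.
accept_stock_template() {
    sha "$ISPC_CONF/$TPL" > "$ISPC_CUSTOM/$TPL.base-sha256"
}
```

Run `seed_custom_template` once, add the include line to the copy in conf-custom, then call `check_custom_template` from cron or after each update and alert on any non-zero status.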

