vhost .conf template

Discussion in 'ISPConfig 3 Priority Support' started by shiroko, Nov 21, 2014.

  1. shiroko

    shiroko New Member HowtoForge Supporter

    Hi there,

    I use ISPConfig with nginx webserver with pagespeed compiled. Everything runs smooth when you want to use a simple http vhost without wordpress, magento, prestashop or subfolders / subdomains. Otherwise it requires additional "tuning" in order to get websites working.

    Recently I had to use a website with wordpress installed on a non-root folder, I added my custom nginx directives for SEO friendly URLS and PageSpeed tuning.

    Everything is nicely added at bottom of the vhost conf files and works perfectly.

    Lately I had to add a SSL cert to get a little boost in SEO ranking from google for using a HTTPS protocole on my website.

    What I found is that ISPConfig adds by default in same server {} block both HTTP && HTTPS configuration, which is not the best practice as stated oin nginx website. Even /etc/nginx/sites-available/default shows 2 separate server blocks, one for each protocole (HTTP && HTTPS).

    The problem I ran into is when I want to force SSL on that particular vhost, I get a "too many redirects error"

    Here is my vhost .conf file :

    Code:
    server {
    	listen *:80;
        	listen *:443 ssl;
    
    	ssl on;
    	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        	ssl_certificate /var/www/clients/client2/web1/ssl/domain.tld.crt;
        	ssl_certificate_key /var/www/clients/client2/web1/ssl/domain.tld.key;
    
    	# Disables all weak ciphers
    	ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    	ssl_prefer_server_ciphers on;
    		
    	# redirect to https if accessed with http
    	error_page 497 https://$host:8080$request_uri;
    
        	server_name domain.tld www.domain.tld;
    
            root   /var/www/domain.tld/web;
            index index.html index.htm index.php index.cgi index.pl index.xhtml;
    
    
            location ~ \.shtml$ {
                ssi on;
            }
    
    
            error_page 400 /error/400.html;
            error_page 401 /error/401.html;
            error_page 403 /error/403.html;
            error_page 404 /error/404.html;
            error_page 405 /error/405.html;
            error_page 500 /error/500.html;
            error_page 502 /error/502.html;
            error_page 503 /error/503.html;
            recursive_error_pages on;
            location = /error/400.html {
    
                internal;
            }
            location = /error/401.html {
    
                internal;
            }
            location = /error/403.html {
    
                internal;
            }
            location = /error/404.html {
    
                internal;
            }
            location = /error/405.html {
    
                internal;
            }
            location = /error/500.html {
    
                internal;
            }
            location = /error/502.html {
    
                internal;
            }
            location = /error/503.html {
    
                internal;
            }
    
            error_log /var/log/ispconfig/httpd/domain.tld/error.log;
            access_log /var/log/ispconfig/httpd/domain.tld/access.log combined;
    
            location ~ /\. {
                deny all;
                access_log off;
                log_not_found off;
            }
    
            location = /favicon.ico {
                log_not_found off;
                access_log off;
            }
    
            location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
            }
    
            location /stats/ {
    
                index index.html index.php;
                auth_basic "Members Only";
                auth_basic_user_file /var/www/clients/client2/web1/web/stats/.htpasswd_stats;
            }
    
            location ^~ /awstats-icon {
                alias /usr/share/awstats/icon;
            }
    
            location ~ \.php$ {
                try_files /8861c6a67e54f5712a3f7875c91adaf9.htm @php;
            }
    
            location @php {
                try_files $uri =404;
                include /etc/nginx/fastcgi_params;
                fastcgi_pass unix:/var/lib/php5-fpm/web1.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_intercept_errors on;
            }
    
            location /cgi-bin/ {
                try_files $uri =404;
                include /etc/nginx/fastcgi_params;
                root /var/www/clients/client2/web1;
                gzip off;
                fastcgi_pass  unix:/var/run/fcgiwrap.socket;
                fastcgi_index index.cgi;
                fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
                fastcgi_intercept_errors on;
            }
    
    
    
            	pagespeed on;
    
            	pagespeed RewriteLevel PassThrough;
            	pagespeed EnableFilters inline_css,inline_javascript,combine_css,extend_cache,rewrite_images;
            	pagespeed EnableFilters rewrite_css,rewrite_javascript;
            	pagespeed EnableFilters add_head,inline_import_to_link;
    	
    [B][COLOR="SandyBrown"]	#location / {
    	#	rewrite ^ https://$server_name$request_uri permanent;
    	#}
    
    	# rewrite     ^   https://$server_name$request_uri? permanent;
    	# return 301 https://domain.tld$request_uri;
    
    [/COLOR][/B]
    
            location /blog {
            		try_files $uri $uri/ /blog/index.php?$args;
            }
    	rewrite /wp-admin$ $scheme://$host$uri/ permanent;
            location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
                	add_header "" "";
            }
            location ~ "^/ngx_pagespeed_static/" {
            }
            location ~ "^/ngx_pagespeed_beacon$" {
            }
            location /ngx_pagespeed_statistics {
            		allow 127.0.0.1; deny all;
            }
            location /ngx_pagespeed_global_statistics {
            		allow 127.0.0.1; deny all;
            }
            location /ngx_pagespeed_message {
            		allow 127.0.0.1; deny all;
            }
            location ~* \.(jpg|jpeg|png|gif|ico|css|js|ttf|otf|svg|webp)$ {
            		expires 365d;
            }
    
    
    }
    Now I have no idea, how to setup a proper vhost template to match best nging practice and to have by default all possible rewrite rules and stuff for every scenario : prestashop on root or non-root folder, wp same thing, etc etc.

    Does anybody managed to get such a file ?

    Thanks in advance for help !

    Regards
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The ispconfig vhost template is absolutely fine and works flawlessly on thousands of nginx servers, also one of the biggest commercial nginx hosters from germany uses this template for all his sites, so you can rest assurred that it is fine the way it is. Forced https redirects work fine as well, I use these on my own servers for quite some time.

    So you can do a different kind of setup if you like, but its unlikely that this will fix your redirect loop as thats not caused by the kind of ssl vhost setup that we use. The vhost template contains <tmpl_if ....> statements to write different config for different conditions. So if you want to have two server {} statements, duplicate the existing one in the nginx_vhost.conf.master file and wrap the second instance into

    <tmpl_if name='ssl_enabled'>
    ...
    </tmpl_if>

    statement. and remove all sl related settings from the first instance.

    As you refer to best practices above, it is best practice to put a cms in the web directory of the site on a ispconfig server. So do not put it into a sub folder of the web dir.
     
    Last edited: Nov 21, 2014
  3. shiroko

    shiroko New Member HowtoForge Supporter

    I didn't say it doesn't work and I'm one of your supporters.

    I just say it requires lot of tuning and would be more easyer for unskilled ppl like me if the default template was a bit more "complete" to match major possible cases of use.

    Could you please tell me what is wrong with my vhost conf file ?

    Or even share your vhost conf file ? I believe you don't setup manually every vhost for every new customer you host in order to allow them use prestashop, wp, magento etc...

    btw, I can pay for such file as it would be much cost efficient than posting on forum.

    Regards
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You can get my vhost file easily.

    1) Login to ispconfig, go to the sites module.
    2) Create a new site there, enter the domain name and enable ssl, go to the ssl tab and create a new ssl cert and click save.
    3) wait 60 seconds, then take a look at the folder /etc/nginx/sites-available/, there you find the exct file that I use.

    This file works fine for all cms systems listed here https://timmehosting.de/cms-shop-kompatibilitaet-mit-nginx plus xenforo and invisopn power board (and many more but I do not have a complete list at hand). I never needed to adjust the base template on a server.

    For th optional nice url features of the different cms systems, you can find various snipptes in the URL I posted above.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    One thing I missed, here is a correct https reqwrite, your rewrite must make a loop as you missed to add the condition to rewrite only on http connects. Your code rewrites https to https as well, so this must loop.

    Code:
    if ($scheme != "https") {
      rewrite ^ https://www.yourdomain.tld$request_uri? permanent;
    }
     
  6. shiroko

    shiroko New Member HowtoForge Supporter

    THAT DID THE JOB ! omg I would never think of if statement !!!!

    Thank you till !
     

Share This Page