i'm switching from apache to nginx and i am not yet ready to remove apache files such as .htaccess
therefore i want to deny access to them.
i know this is how:
location ~ /\.ht { deny all; }
BUT how to do it GLOBALLY? that is, for ALL server blocks (vhosts) at once.
i'm hoping to have it as a single directive under the main /etc/nginx/nginx.conf like so:
http {
# STUFF
server {
listen 80;
server_name _;
# STUFF
location ~ /\.ht {
deny all;
}
}
}
i tried the configuration above and reloaded nginx, but i am still able to download .htaccess file
after researching and experimenting...
yes... the only apparent way is to have an included conf file in each and every server block.
INCLUDED CONF FILE CONTENTS (potentially located at /etc/nginx/default.d/default.conf... up to you)
location ~ /\.ht {
deny all;
}
ENABLED SITE CONF FILE (potentially located at /etc/nginx/sites-enabled/domain.com.conf)
server {
# STUFF
include /path/to/included/file.conf
# (example) include /etc/nginx/default.d/default.conf
}
it's not as desirable to me, but it is efficient and logical
all the directives in "default.conf" should be coded just like any include (as if it is inline with the content)
in other words... you wouldn't use server {...} in the content of default.conf since it's being included inside a server block already
Related
I am currently running two webservers on the same machine, one using Django through Gunicorn, which is my original site, the other which acts as the online shop using the same domain, this one using Nestjs (Nodejs).
Both servers have an /admin path with the original being at example.com/admin and the other I am wanting to be at example.com/store/admin. However whenever I enter the second URL into my browser (i.e example.com/store/admin) it returns the other admin page, example.com/admin (without the /store prefix).
Here is the config snippet I believe needs reworking:
server {
server_name example.com www.example.com;
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
location /store {
proxy_pass http://127.0.0.1:3000/;
}
location = /store/admin {
proxy_pass http://127.0.0.1:3000/admin/;
}
...
}
I have tried a fair few combinations of the /store and /store/admin location blocks but just can't seem to get it to direct me to the store's server admin site. It works on my local development machine when testing using the nodejs server. Going to http://example.com/store returns what I expect to see from the Nestjs server.
The docs states that:
... To find location matching a given request, nginx first checks locations defined using the prefix strings (prefix locations). Among them, the location with the longest matching prefix is selected and remembered. ...
So you need only two location blocks:
The first :
location / {
include proxy_params;
proxy_pass http://unix:/run/gunicorn.sock;
}
And the other with the rewrite:
location /store {
rewrite ^/store(.*) $1 break;
proxy_pass http://127.0.0.1:3000;
}
This means it will rewrite every URL starts with /store and remove it from the URL before passing to the upstream. and this also includes the /admin, since it is the same.
Also note there is no suffix / at the end of the proxy_pass - which instruct NGINX to take the user supplied URI.
I've a mp4 download site. Some websites are using my site's feed, that's why I am loosing my limited Bandwidth.
I've used the following code to restrict access to my mp4 files from third-party referers.
location ~* .*\.mp4 {
valid_referers sitexxx.com *.sitexxx.com;
if ($invalid_referer) {
return 403;
}
mp4;
}
This works well for HTTP sites (e.g. http://www.example.com), but doesn't work at all with HTTPS sites (e.g. https://example.blogspot.com). Why is that and how can I block those?
1: I guess it doesn't specify server port. you can try it.
references:http://nginx.org/en/docs/http/ngx_http_referer_module.html#valid_referers
server {
# error_log /var/log/nginx/vhost-error_log warn;
listen 11.111.1:80;
server_name xxxx.com www.xxxx.com;
log_not_found off;
root /home/xxxx/public_html;
location / {
# enable MP4 streaming
location ~* .*\.mp4 {
valid_referers ~xxxx ~www.xxxx.com;
if ($invalid_referer) {
return 403;
}
mp4;
}
}
}
my code is this, I tried to put the ~ but also did not work, it seems that the problem is aimed at identifying the refer in the logs, the requests are not listed reference.
I have a small embedded Linux device running Nginx. I can connect to it over the network and access the endpoints on a PC in Chrome or Firefox. My default page contains an HTML tag that points to "loading.jpeg", which is on the device at /tmp/nginx/loading.jpeg. I can type in the browser: http://192.168.0.4/loading.jpeg and see my image. I can also visit the endpoint that renders html and see my image rendered properly.
Now I want to be able to visit the root page: http://192.168.0.4/ in a browser and redirect that to my default page that should render the html and show the image. The problem is that if I set a page for the default "/" location, my webserver root directive pointing to /tmp/nginx no longer works. So I get my page displayed, but the loading.jpeg image is not found. I've tried redirecting the root request to my default page, but that also breaks the webserver root.
How can I render a default webpage for Nginx, while also having my webserver root honored? Thank you.
This does not work ( webserver root is broken - though expected default webpage is shown ):
location / {
default_type text/html;
content_by_lua_file /sbin/http/serve_stream.lua;
## The streaming endpoint
location /streaming {
default_type text/html;
content_by_lua_file /sbin/http/serve_stream.lua;
}
Here is my current nginx.conf without a redirect:
## Setup server to handle URI requests
server {
# Setup the root
root /tmp/nginx;
## Port
listen 80; ## Default HTTP
## Android phones from Ice Cream Sandwich will try and get a response from
server_name
clients3.google.com
clients.l.google.com
connectivitycheck.android.com
apple.com
captive.apple.com;
## We want to allow POSTing URI's with filenames with extensions in them
## and nginx does not have a "NOT MATCH" location rule - so we catch all
## and then selectively disable ones we don't want and proxy pass the rest
location / {
# For Android - Captive Portal
location /generate_204 {
return 204;
}
# For iOS - CaptivePortal
if ($http_user_agent ~* (CaptiveNetworkSupport) ) {
return 200;
}
## Raw WebSocket
location /ws {
lua_socket_log_errors off;
lua_check_client_abort on;
default_type text/html;
content_by_lua_file /sbin/http/websocket.lua;
}
## The streaming endpoint
location /streaming {
default_type text/html;
content_by_lua_file /sbin/http/serve_stream.lua;
}
## We can have file extensions in POSTing of /blahendpoints for filesystem
## control HTTP commands
location ~ "\.(txt|bin)$" {
...
}
}
}
There are a number of solutions. An exact match location block with a rewrite ... last is quite efficient:
location = / {
rewrite ^ /some.html last;
}
See this document for more.
I'm converting this htaccess file htaccess file
to nginx using
http://winginx.com/ru/htaccess
but don't understand where i should paste result. I have created
include file
include /etc/nginx/myfile
and pasted file there but when i'm reloading (restarting) Nginx it Fails.
Could you help me?
I suspect these apache .htaccess converters do not fully utilize the unique features of nginx. I would recommend trying something like this:
server {
listen 80 default_server;
server_name _;
root /var/www/example.com;
index index.php;
# if the file or directory doesn't exist, serve /index.php
try_files $uri $uri/ /index.php;
# if the request is exactly /sitemax.xml, serve sitemap_xml.php
location = /sitemax.xml {
try_files /modules/sitemap/sitemap_xml.php =404;
}
# hide regex location in a prefix location to avoid confusion
# introduced by multiple regex locations
location /pages-print {
location ~ ^/pages-print(\d+) {
try_files /modules/pages/print.php?page=$1 =404;
}
}
}
I have found solution. I tried paste result from the convertor to nginx.conf and it was mistake. I, instead created file in /etc/nginx/ and named it htac.rules (i think it doesn't matter of how you'll name it).
Then i opened file etc/nginx/sites-enabled/default and in location / inserted include /etc/nginx/htac.rules
so.
in htac.rules i inserted converting result without location / {...}
and, yeah. It solved my problem.
Thanks everyone for helping me.
I inherited a node.js project and I am very new to the platform/language.
The application I inherited is in development so it is a work in progress. In its current state it runs off port 7576 so you access it this way: server_ip:7576
I've been tasked with putting this "prototype" on a live server so my boss can show it to investors etc. But I have to password protect it.
So what I did is I got it running on the live server. And then I made it use a nginx vhost like this:
server {
listen 80;
auth_basic "Restricted";
auth_basic_user_file /usr/ssl/htpasswd;
access_log /etc/nginx/logs/access/wip.mydomain.com.access.log;
error_log /etc/nginx/logs/error/wip.mydomain.com.error.log;
server_name wip.mydomain.com;
location / {
proxy_pass http://127.0.0.1:7576;
root /var/app;
expires 30d;
#uncomment this is you want to name an index file:
#index index.php index.html;
access_log off;
}
location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|pdf|txt|tar|wav|bmp|rtf|js|flv|swf|html|htm)$ {
root /var/app/public;
}
}
`
This got the job done, I can now access my app by going to wip.mydomain.com
And I can easily password protect it via nginx.
My problem is the app is still accessible via the ip:port and I don't know how to prevent that.
Any help is appreciated.
Thanks
In your node javascript code, you need to explicitly bind to the loopback IP:
server.listen(7576, '127.0.0.1');
(You are looking for a call to .listen(<port>) to fix. The variable may be called app or something else though).
Any IP address starting with 127. is a loopback address that can only be accessed within a single machine (doesn't actually use the network).