Answer the question
In order to leave comments, you need to log in
B
B
Berkutman2019-09-14 19:13:51
Berkutman, 2019-09-14 19:13:51
How to configure nginx front end apache2 (Drupal 8, Moodle) correctly?
There is a web server on Debian 10 , PHP Version 7.3.4-2 , DBMS 5.5.5-10.3.17-MariaDB-0+deb10u1 , Apache/2.4.38 (Debian) , Nginx 1.14.2 and mod_rpaf 0.8.4 module for forwarding the client address to the server
At the moment, two web sites will be running on this server, one based on Drupal 8, the other based on moodle 3.7.2
D8 - example.com
Moodle 3.7.2 - moodle.example.com After reading
I decided to make nginx front end apache2 + mod_rpaf
The configuration is as follows
Apache2:
/etc/apache2/apache2.conf
замена
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
на
LogFormat "%v:%p %{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined/etc/apache2/ports.conf
Listen 127.0.0.1:81<VirtualHost 127.0.0.1:81>
ServerName example.com
ServerAlias www.example.com
ServerAdmin [email protected]
DocumentRoot /var/www/example_com/web
<Directory /var/www/example_com/web>
Options FollowSymLinks
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/example_com_error.log
CustomLog ${APACHE_LOG_DIR}/example_com_access.log vhost_combined
ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/var/run/php/php7.3-fpm.sock|fcgi://localhost/var/www/example_com/web"
</VirtualHost><VirtualHost 127.0.0.1:81>
ServerName moodle.example.com
ServerAdmin [email protected]
DocumentRoot /var/www/moodle_example_com/web
<Directory /var/www/moodle_example_com/web>
Options FollowSymLinks
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/moodle_example_com_error.log
CustomLog ${APACHE_LOG_DIR}/moodle_example_com_access.log vhost_combined
ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/var/run/php/php7.3-fpm.sock|fcgi://localhost/var/www/moodle_example_com/web"
</VirtualHost>/etc/apache2/mods-available/rpaf.conf
<IfModule rpaf_module>
RPAF_Enable On
RPAF_ProxyIPs 127.0.0.1 ::1
RPAF_SetHostName On
RPAF_SetHTTPS On
RPAF_SetPort On
RPAF_ForbidIfNotProxy Off
RPAF_Header X-Forwarded-For
</IfModule>Nginx:
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
root /var/www/example_com/web;
index index.php index.html index.htm;
server_name example.com www.example.com;
location / {
proxy_pass http://127.0.0.1:81;
proxy_redirect on;
set_real_ip_from 1.2.3.4;
real_ip_recursive on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
}
location ~ /\.ht {
deny all;
}
location ~* \.(ico|docx|doc|xls|xlsx|rar|zip|jpg|jpeg|txt|xml|pdf|gif|png|css|js|html)$ {
root /var/www/example_com/web;
}
ssl_certificate /etc/nginx/ssl/example_com.crt;
ssl_certificate_key /etc/nginx/ssl/example_com.key;
}server {
listen 80;
listen [::]:80;
server_name moodle.example.com;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
root /var/www/moodle_example_com/web;
index index.php;
server_name moodle.example.com;
location / {
proxy_pass http://127.0.0.1:81;
proxy_redirect on;
set_real_ip_from 1.2.3.4;
real_ip_recursive on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_header Set-Cookie;
}
ssl_certificate /etc/nginx/ssl/moodle_example_com.crt;
ssl_certificate_key /etc/nginx/ssl/moodle_example_com.key;
}No errors, web sites work.
But there is one problem that I did not understand how to solve.
The thought is as follows: D8
has the CAS Server plugin, Moodle has the CAS Auth plugin .
2019/09/14 20:33:28 [error] 10802#10802: *105 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 1.2.3.4, server: moodle.example.com, request: "GET /login/index.php?authCASattras=CAS&ticket=ST-qXn8UiwEbFsYpX0nobVmGMS-ZARMGrXcm3Hbo7_uj2s HTTP/2.0", upstream: "http://127.0.0.1:81/login/index.php?authCASattras=CAS&ticket=ST-qXn8UiwEbFsYpX0nobVmGMS-ZARMGrXcm3Hbo7_uj2s", host: "moodle.example.com", referrer: "https://example.com/cas/login?service=https%3A%2F%2Fmoodle.example.com%2Flogin%2Findex.php%3FauthCASattras%3DCAS"What I did, I created a site on a hosting (which is not my server) called it d8.example.com (Drupal 8) and md.example.com (Moodle 3.7.2)
It turns out:
On my server, the sites are example.com and moodle .example.com
Hosted - d8.example.com and md.example.com
Made d8.example.com CAS Server , md.example.com and example.com and moodle.example.com CAS client
I logged into all three sites under the user CAS Server which is on d8.example.com
Next, I did example.com CAS Server , md.exemple.com and d8.example.com and moodle.example.com
Authorization passed both on md.exemple.com and on d8. example.com , moodle.example.com got that error.
Where I screwed up with the configuration, as I understood from the error, he is trying to send a request from 127.0.0.1:81 to the external address moodle.example.com.
How can this be cured? Redirect?
1 answer(s)
@Berkutman
Better yet, put a web face so that they are available
brainycp
vestacp
ispconfig3
bitrix-vm (muzzle console)
V
Viktor Taran, 2019-09-14 @Berkutman
Here you have a working config for port 80 stupidly hit too much.
At the same time, Apache can be almost any one, since the main thing is to prox and what is behind is no longer important.
Also, you do not need to use the domain in the back, and 127.0.0.1 is enough, since there will still be parsed by the headers and not by the domain in the proxy.
real nginx
server {
######################################################################
## Server configuration
######################################################################
listen *:443 ssl http2;
server_name 5job.ru www.5job.ru ;
root /var/www/5job.ru/web;
######################################################################
## Enable gzip for proxied requests and static files
######################################################################
# Enable gzip for proxied requests and static files
gzip on;
gzip_proxied any;
gzip_vary on;
gzip_http_version 1.1;
gzip_types application/javascript application/json text/css text/xml;
gzip_comp_level 4;
######################################################################
## SSL configuration
######################################################################
# recommended but not manditory directive
# leave commented out unless you know what it is doing
#more_set_headers 'Strict-Transport-Security: max-age=15768000';
ssl on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1h;
ssl_protocols TLSv1.2 TLSv1.1;
add_header Strict-Transport-Security "max-age=15768000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
ssl_certificate /var/www/clients/client26/web28/ssl/5job.ru-le.crt;
ssl_certificate_key /var/www/clients/client26/web28/ssl/5job.ru-le.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
######################################################################
## Log configuration
######################################################################
#Все логи отключены
error_log /dev/null crit;
access_log off;
######################################################################
## 555 Еrror requires password password
######################################################################
# Дев сайты закрыты htpass login:dev pass:dev (второй кусок ниже)
error_page 555 = @pass;
location @pass {
auth_basic "Unauthorized";
auth_basic_user_file /var/www/dev_htpasswd;
proxy_pass https://127.0.0.1:4443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header HTTPS YES;
}
######################################################################
## Errors send to apache2
######################################################################
# у апача своих алиасов куча, а так же некоторая статика отдается
# средствамси php, по этому все ошибки обрабатывать только apache2
error_page 401 403 404 405 500 502 503 = @fallback;
location @fallback {
proxy_pass https://127.0.0.1:4443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header HTTPS YES;
}
######################################################################
## Locations configuration
######################################################################
#Отключаем логирование ошибок No such file or directory
## Disable .htaccess files
location ~ /\.ht {
deny all;
access_log off;
log_not_found off;
}
##
location = /favicon.ico {
log_not_found off;
access_log off;
}
##
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
##
######################################################################
# сервисы на сайте phpmyadmin почта и letxencrypt
location /phpmyadmin/ {
deny all;
# поставить пароль на phpmyadmin
return 555;
root /usr/share/phpmyadmin/;
}
##
location /webmail/ {
rewrite ^/(.*)$ https://$http_host:8080/$1 permanent;
}
# letsencrypt
location /.well-known/acme-challenge/ {
alias /usr/local/ispconfig/interface/acme/;
default_type text/plain;
}
# static content
# Отдаем статику напрямую с nginx
location ~* ^.+\.(jpg|jpeg|svg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|swf|flv|mp3)$ {
root /var/www/5job.ru/web;
access_log off;
expires 30d;
gzip_static on;
}
# default location
location / {
index index.php index.html index.htm;
proxy_pass https://127.0.0.1:4443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header HTTPS YES;
######################################################################
## Dev site Protection Requests in location /
######################################################################
# Дабы дев сайты не индексировались поисковиками, принудительно
# Ставим пароли на них, все что начинается с dev,old. или домен ks03
if ($http_host ~* "^(dev|old|www.old|www.dev)\..*\..{2,8}$"){
return 555;
}
if ($http_host ~* "^.*\.ks03\.ru$"){
return 555;
}
proxy_set_header X-Forwarded-Proto https;
include /etc/nginx/locations.d/*.conf;
}
}Better yet, put a web face so that they are available
brainycp
vestacp
ispconfig3
bitrix-vm (muzzle console)
Similar questions
V
VicTHOR2020-08-28 09:53:05
What needs to be fixed so that php-fpm looks for the correct path?
2Reply
R
W
C
J
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question