NGINX NGINX Trac 3rd Party Modules Security Advisories CHANGES OpenResty ngx_lua Tengine 在线学习资源 NGINX 开发从入门到精通 NGINX Modules ngx_echo
这是一个创建于 2069 天前的主题,其中的信息可能已经有所发展或是发生改变。
文件权限什么的该检查的我都检查了
https://s2.ax1x.com/2020/02/13/1LqrVA.png
tail -f /var/log/nginx/error.log 看上去没错误
nginx.conf
user nginx;
worker_processes 2;
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
use epoll;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
#gzip on;
charset utf-8;
include /etc/nginx/conf.d/*.conf;
}
nextcloud.conf
upstream php-handler {
server unix:/run/php-fpm/fpm.sock;
}
server {
listen 80;
server_name localhost;
# enforce https
# return 301 https://$server_name:443$request_uri;
# Use Mozilla's guidelines for SSL/TLS settings
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# NOTE: some settings below might be redundant
#ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
#ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /var/www;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /nextcloud/public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /nextcloud/public.php?service=host-meta-json last;
# The following rule is only needed for the Social app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/webfinger /nextcloud/public.php?service=webfinger last;
location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
}
location /.well-known/acme-challenge { }
location ^~ /nextcloud {
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/Javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location /nextcloud {
rewrite ^ /nextcloud/index.php;
}
location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_pass unix:/run/php-fpm/fpm.sock;
fastcgi_param PATH_INFO $path_info;
#fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js, css and map files
# Make sure it is BELOW the PHP block
try_files $uri /nextcloud/index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended
# to have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read
# into this topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
location ~ ^\/nextcloud\/.+[^\/]\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /nextcloud/index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
}
https://s2.ax1x.com/2020/02/13/1LqrVA.png
tail -f /var/log/nginx/error.log 看上去没错误
nginx.conf
user nginx;
worker_processes 2;
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
use epoll;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
#gzip on;
charset utf-8;
include /etc/nginx/conf.d/*.conf;
}
nextcloud.conf
upstream php-handler {
server unix:/run/php-fpm/fpm.sock;
}
server {
listen 80;
server_name localhost;
# enforce https
# return 301 https://$server_name:443$request_uri;
# Use Mozilla's guidelines for SSL/TLS settings
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# NOTE: some settings below might be redundant
#ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
#ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /var/www;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /nextcloud/public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /nextcloud/public.php?service=host-meta-json last;
# The following rule is only needed for the Social app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/webfinger /nextcloud/public.php?service=webfinger last;
location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
}
location /.well-known/acme-challenge { }
location ^~ /nextcloud {
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/Javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location /nextcloud {
rewrite ^ /nextcloud/index.php;
}
location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_pass unix:/run/php-fpm/fpm.sock;
fastcgi_param PATH_INFO $path_info;
#fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js, css and map files
# Make sure it is BELOW the PHP block
try_files $uri /nextcloud/index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended
# to have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read
# into this topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
location ~ ^\/nextcloud\/.+[^\/]\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /nextcloud/index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
}
19 条回复 2020-02-14 20:29:10 +08:00
 | 1 V69EX 2020-02-13 20:04:46 +08:00 如果所有的可能都排除了,那么,最大的可能就是 SELinux 的策略配置了…… |
 | 3 MeteorCat 2020-02-13 20:16:13 +08:00 via Android 是不是 session 用户有问题,检查是不是 yum/apt 安装 php-fpm 的用户组是不是 apache,而你的 nginx 没有修改 session 权限 |
 | 4 station OP @MeteorCat user = nginx ; RPM: Keep a group allowed to write in log dir. group = nginx ; The address on which to accept FastCGI requests. ; Valid syntaxes are: ; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on ; a specific port; ; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on ; a specific port; ; 'port' - to listen on a TCP socket to all addresses ; (IPv6 and IPv4-mapped) on a specific port; ; '/path/to/unix/socket' - to listen on a unix socket. ; Note: This value is mandatory. listen = /run/php-fpm/fpm.sock ; Set listen(2) backlog. ; Default Value: 511 ;listen.backlog = 511 ; Set permissions for unix socket, if one is used. In Linux, read/write ; permissions must be set in order to allow connections from a web server. ; Default Values: user and group are set as the running user ; mode is set to 0660 listen.owner = nginx listen.group = nginx listen.mode = 0660 |
| 6 station OP |
| 7 MeteorCat 2020-02-13 20:48:05 +08:00 via Android @station 默认 session 目录看看权限组,在 /var/lib/php/session |
| 8 station OP |
 | 10 dilu 2020-02-14 09:15:42 +08:00 1. 确认关闭 SeLinux 2. 确认 nginx 的运行用户 3. 确认 php-fpm 的运行用户要跟 nginx 一直 4. 确认代码目录真是存在切存在 index.php 并且文件属于上面两条的用户或者用户组 5. 确认 sock 文件存在并且上面的用户能 read 6. server 换成 unix:///run/php-fpm/fpm.sock; 7. 还是不行请贴一下 debug 下面的 error_log 你这是在安装 nextcloud 我以前搞过 没遇到你这个问题 |
 | 11 encro 2020-02-14 09:35:58 +08:00 1,通过 ps 查看 php-fpm 进程的配置文件; 2,查看 php-fpm 配置文件,开启 fpm 的 access 和 error 日志; 3,重启 fpm,用 ps 看看是否运行成功; 4,查看 fpm 日志,是否有请求过来,没有的话,修改监听方式为端口试试; 一般就楼上的问题: 1,关闭 SeLinux ; 2,nginx,fpm,代码,sock 文件,log 目录所属用户一致; 3,server 换成 unix:///run/php-fpm/fpm.sock; |
| 12 station OP @dilu 1 .确认已关闭 selinux 2. nginx 和 php-fpm 的运行用户确认一致 3. nextcloud 的文件夹确实存在于 /var/www 目录下,且用户与用户组为 nginx 4. sock 文件存在,权限正确 5. server 换成 unix:///run/php-fpm/fpm.sock; 结果一样的 2020/02/14 04:51:01 [notice] 1632#1632: start worker processes 2020/02/14 04:51:01 [notice] 1632#1632: start worker process 1633 2020/02/14 04:51:01 [notice] 1632#1632: start worker process 1634 2020/02/14 04:51:05 [notice] 1633#1633: *1 "^" matches "/nextcloud", client: 192.168.1.238, server: localhost, request: "GET /nextcloud HTTP/1.1", host: "192.168.1.157" 2020/02/14 04:51:05 [notice] 1633#1633: *1 rewritten data: "/nextcloud/index.php", args: "", client: 192.168.1.238, server: localhost, request: "GET /nextcloud HTTP/1.1", host: "192.168.1.157" 2020/02/14 04:51:05 [notice] 1633#1633: *1 "^" matches "/nextcloud/", client: 192.168.1.238, server: localhost, request: "GET /nextcloud/ HTTP/1.1", host: "192.168.1.157" 2020/02/14 04:51:05 [notice] 1633#1633: *1 rewritten data: "/nextcloud/index.php", args: "", client: 192.168.1.238, server: localhost, request: "GET /nextcloud/ HTTP/1.1", host: "192.168.1.157" 2020/02/14 04:51:05 [notice] 1633#1633: *1 "^" matches "/nextcloud", client: 192.168.1.238, server: localhost, request: "GET /nextcloud HTTP/1.1", host: "192.168.1.157" 2020/02/14 04:51:05 [notice] 1633#1633: *1 rewritten data: "/nextcloud/index.php", args: "", client: 192.168.1.238, server: localhost, request: "GET /nextcloud HTTP/1.1", host: "192.168.1.157" 2020/02/14 04:51:05 [notice] 1633#1633: *1 "^" matches "/nextcloud/", client: 192.168.1.238, server: localhost, request: "GET /nextcloud/ HTTP/1.1", host: "192.168.1.157" 2020/02/14 04:51:05 [notice] 1633#1633: *1 rewritten data: "/nextcloud/index.php", args: "", client: 192.168.1.238, server: localhost, request: "GET /nextcloud/ HTTP/1.1", host: "192.168.1.157" 2020/02/14 04:51:06 [notice] 1633#1633: *1 "^" matches "/nextcloud", client: 192.168.1.238, server: localhost, request: "GET /nextcloud HTTP/1.1", host: "192.168.1.157" 2020/02/14 04:51:06 [notice] 1633#1633: *1 rewritten data: "/nextcloud/index.php", args: "", client: 192.168.1.238, server: localhost, request: "GET /nextcloud HTTP/1.1", host: "192.168.1.157" 2020/02/14 04:51:06 [notice] 1633#1633: *1 "^" matches "/nextcloud/", client: 192.168.1.238, server: localhost, request: "GET /nextcloud/ HTTP/1.1", host: "192.168.1.157" 2020/02/14 04:51:06 [notice] 1633#1633: *1 rewritten data: "/nextcloud/index.php", args: "", client: 192.168.1.238, server: localhost, request: "GET /nextcloud/ HTTP/1.1", host: "192.168.1.157" |
| 13 station OP @encro - - 14/Feb/2020:04:45:19 -0500 "GET /nextcloud/index.php" 500 /var/www/nextcloud/index.php 61.445 4096 81.37% - - 14/Feb/2020:04:45:47 -0500 "GET /nextcloud/index.php" 500 /var/www/nextcloud/index.php 5.365 2048 0.00% - - 14/Feb/2020:04:45:47 -0500 "GET /nextcloud/index.php" 500 /var/www/nextcloud/index.php 4.944 2048 0.00% - - 14/Feb/2020:04:45:47 -0500 "GET /nextcloud/index.php" 500 /var/www/nextcloud/index.php 4.700 2048 0.00% - - 14/Feb/2020:04:51:05 -0500 "GET /nextcloud/index.php" 302 /var/www/nextcloud/index.php 1.014 2048 0.00% - - 14/Feb/2020:04:51:05 -0500 "GET /nextcloud/index.php" 500 /var/www/nextcloud/index.php 3.086 2048 324.04% - - 14/Feb/2020:04:51:05 -0500 "GET /nextcloud/index.php" 302 /var/www/nextcloud/index.php 0.341 2048 0.00% - - 14/Feb/2020:04:51:05 -0500 "GET /nextcloud/index.php" 500 /var/www/nextcloud/index.php 2.090 2048 0.00% - - 14/Feb/2020:04:51:06 -0500 "GET /nextcloud/index.php" 302 /var/www/nextcloud/index.php 0.343 2048 0.00% - - 14/Feb/2020:04:51:06 -0500 "GET /nextcloud/index.php" 500 /var/www/nextcloud/index.php 4.010 2048 0.00% |
| 14 station OP @encro [14-Feb-2020 04:32:54] NOTICE: fpm is running, pid 919 [14-Feb-2020 04:32:54] NOTICE: ready to handle connections [14-Feb-2020 04:32:54] NOTICE: systemd monitor interval set to 10000ms [14-Feb-2020 04:43:39] NOTICE: Terminating ... [14-Feb-2020 04:43:39] NOTICE: exiting, bye-bye! [14-Feb-2020 04:43:39] NOTICE: fpm is running, pid 1607 [14-Feb-2020 04:43:39] NOTICE: ready to handle connections [14-Feb-2020 04:43:39] NOTICE: systemd monitor interval set to 10000ms |
 | 16 msg7086 2020-02-14 18:05:40 +08:00 500 错误不就是连上了么…… |
| 17 encro 2020-02-14 18:26:40 +08:00 500 应用程序错误, 你开启 fpm 的 access log 看下。 开启 php.ini 的 display_error=ON,error_reporting=E_ALL 将 index.php 改为 <?php echo 'hello';exit; 测试 如果不是很会环境配置的话,建议用宝塔吧。 |
| 18 station OP |
| 19 encro 2020-02-14 20:29:10 +08:00 @station php-fpm.conf 还有一个 access log 默认是不开启的 php_flag[display_errors] = on php_admin_value[error_log] = /var/log/php-fpm/www-error.log php_admin_flag[log_errors] = on access.log string Access log 文件。 默认值:不设置 access.format string access log 的格式。 默认值: "%R - %u %t \"%m %r\" %s" access.log = log/$pool.access.log #每一个请求的访问日志,默认是关闭的。 access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" #设定访问日志的格式。 [php-fpm 配置详解]( https://juejin.im/entry/5870bc8961ff4b005c3c47ec) |
Select Language