error running shared postrotate script
Ever since upgrading to 1.8.0 I get the following report from Cron:

    /etc/cron.daily/logrotate:
    error: error running shared postrotate script for '/var/log/nginx/*.log '
    error: error running shared postrotate script for '/var/ www.example.com/logs/*.log '
    run-parts: /etc/cron.daily/logrotate exited with return code 1

Contents of /etc/logrotate.d/nginx:

    /var/log/nginx/*.log {
        weekly
        missingok
        rotate 52
        compress
        delaycompress
        notifempty
        create 0640 www-data adm
        sharedscripts
        prerotate
            if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
                run-parts /etc/logrotate.d/httpd-prerotate; \
            fi; \
        endscript
        postrotate
            invoke-rc.d nginx rotate >/dev/null 2>&1
        endscript
    }

    /var/www/example.com/logs/*.log {
        daily
        missingok
        rotate 36500
        compress
        delaycompress
        notifempty
        create 0640 www-data adm
        sharedscripts
        prerotate
            if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
                run-parts /etc/logrotate.d/httpd-prerotate; \
            fi; \
        endscript
        postrotate
            invoke-rc.d nginx rotate >/dev/null 2>&1
        endscript
    }

There are numerous .../example.com/... directories in the config file, but I have had this configuration for ages, and the update to 1.8.0 did not attempt to make any changes to this file.

There is a bug report (dated 2015-05-01) at Launchpad that appears identical to my issue: https://bugs.launchpad.net/nginx/+bug/1450770

Are there any workarounds or configuration changes to correct this issue?

Thanks!
Paul

System configuration:
Ubuntu 12.0.4.5 LTS (GNU/Linux 3.2.0-82-virtual x86_64)
Nginx installed from PPA https://launchpad.net/~nginx/+archive/ubuntu/stable

    # nginx -V
    built with OpenSSL 1.0.1 14 Mar 2012
    TLS SNI support enabled
    configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.8.0/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.8.0/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.8.0/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.8.0/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.8.0/debian/modules/ngx_http_substitutions_filter_module

___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Just looking for guide to understand query strings
My logs have been inundated with hits at example.com/?anything, though in the actual logs 'anything' is a very long string of characters.

Log entry:

    GET /?anything HTTP/1.1 200 581 - Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

(note there is no location for 'anything')

I didn't even know this was possible. I'm still not sure what nginx is doing when it processes this request. If someone could help me out, even just point me to a good explanation of what is happening, that would be great.
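Added example, not part of the original post: nginx selects a location from the request path only, so "/?anything" is handled as "/" and the text after "?" is exposed as $args. The fragment below writes requests with very long query strings to a separate log for review; the 200-character threshold, the log file name, server_name and root are assumptions.

```nginx
# Goes inside the http { } block. Added example; names and the threshold
# are assumptions, not values from the post.

# $args holds everything after "?" in the request line. Flag requests whose
# query string is 200 characters or longer (quoted because of the braces).
map $args $long_query {
    default        0;
    "~^.{200,}$"   1;
}

# $uri is the normalized path without the query string, so the two parts
# show up separately in this format.
log_format qs '$remote_addr [$time_local] "$request_method $uri" '
              '$status $body_bytes_sent "$http_user_agent" args="$args"';

server {
    listen 80;
    server_name example.com;               # placeholder
    root /var/www/example.com/public;      # placeholder

    # Normal access log, plus a second log that only receives entries when
    # $long_query is 1 (the if= parameter needs nginx 1.7.0 or later).
    access_log /var/log/nginx/access.log;
    access_log /var/log/nginx/long_query.log qs if=$long_query;

    location / {
        # "GET /?anything" is matched here as path "/". Static file handling
        # does not look at $args, so the index page is returned with 200
        # whatever follows the "?".
        try_files $uri $uri/ =404;
    }
}
```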
Service restart testing nginx.conf
It seems like way back in the olden days, when I restarted nginx ('sudo service nginx restart'), if there was a configuration issue in nginx.conf, I would get a warning telling me such and, IIRC, nginx would boot using the last known valid configuration.

It doesn't seem to happen that way any more. Did I unknowingly change a configuration setting, or was there a change to nginx?

Thanks!
Paul
Re: Maintenance mode for all but my ip
Did you try putting 'allow your ip address;' above 'return...' line in if block?
Re: Passing / denying PHP requests
Hi Francis, and again thanks for your help in this matter. I would have responded sooner but the day I was planning to resolve this issue I had an unseasonably long power outage.

On Wed, Oct 23, 2013 at 11:41 AM, Francis Daly fran...@daoine.org wrote:

On Wed, Oct 23, 2013 at 11:32:33AM -0700, Paul N. Pace wrote:

On Wed, Oct 23, 2013 at 9:49 AM, Francis Daly fran...@daoine.org wrote:

Hi there,

location ~ php$ { deny all; } does not deny access to any php files, even when nested in location ^~ /installdirectory/ {}. The previous configuration location ~* installdirectory/.*\.php$ { deny all; } did block access to all php files. The .*\. - is that why one works and the other doesn't?

I suspect not. What location lines do you have in the appropriate server{} block in your config file?

These are the location directives that would apply to the /forums/ directory, the /installdirectory/ of the server block that I'm currently working on. This is an installation of Vanilla, but I'm trying to come up with a general template that I can apply to other packages (not a template as in one single file, but a way to apply directives to each package I use):

    server {
        location = /forums/index.php {
            include global-configs/php.conf;
            fastcgi_split_path_info ^(.+\.php)(.*)$;
        }
        location ^~ forums/ {
            location ~ php$ { deny all;}
        }
        #location ~* forums/.*\.php$ {
        #deny all;
        #}
        location ~* ^/forums/uploads/.*.(html|htm|shtml|php)$ {
            types { }
            default_type text/plain;
        }
        location /forums/ {
            try_files $uri $uri/ @forum;
            location ~* /categories/([0-9]|[1-9][0-9]|[1-9][0-9][0-9])$ {
                return 404;
            }
        }
        location @forum {
            rewrite ^/forums/(.+)$ /forums/index.php?p=$1 last;
        }
    }

What one request do you make? From that, which one location{} block is used to handle this one request? http://nginx.org/r/location for how the one location{} is chosen to handle a request.

I read through the nginx.org explanation of the location directive, but it isn't helping me with understanding how to build the deny statement.

Do whatever it takes to have these requests handled in a known location{} block. Put the config you want inside that block.

Do you mean that I should single out each php file and create a location block to deny access the file?

If you enable the debug log, you will see lots of output, but it will tell you exactly which block is used, if it isn't clear from the location documentation.

I navigated to /forums/login.php. Here seems to be the pertinent part of error.log:

    2013/10/25 21:39:19 [debug] 2771#0: *1 test location: forums/
    2013/10/25 21:39:19 [debug] 2771#0: *1 test location: /
    2013/10/25 21:39:19 [debug] 2771#0: *1 test location: phpmyadmin/
    2013/10/25 21:39:19 [debug] 2771#0: *1 test location: forums
    2013/10/25 21:39:19 [debug] 2771#0: *1 test location: /
    2013/10/25 21:39:19 [debug] 2771#0: *1 test location: index.php
    2013/10/25 21:39:19 [debug] 2771#0: *1 test location: ~ /categories/([0-9]|[1-9][0-9]|[1-9][0-9][0-9])$
    2013/10/25 21:39:19 [debug] 2771#0: *1 test location: ~ /\.
    2013/10/25 21:39:19 [debug] 2771#0: *1 test location: ~ ~$
    2013/10/25 21:39:19 [debug] 2771#0: *1 test location: ~ piwik/config/
    2013/10/25 21:39:19 [debug] 2771#0: *1 test location: ~ piwik/core/
    2013/10/25 21:39:19 [debug] 2771#0: *1 test location: ~ (piwik/index|piwik/piwik|piwik/js/index)\.php$
    2013/10/25 21:39:19 [debug] 2771#0: *1 test location: ~ ^/forums/uploads/.*.(html|htm|shtml|php)$
    2013/10/25 21:39:19 [debug] 2771#0: *1 using configuration /forums/

I'm not sure which location block is /forums/. The login.php file is served as a downloadable file.

Thanks!
Paul
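Added example, not part of the thread and not any poster's configuration: one way to arrange the /forums/ locations so that only index.php reaches PHP and every other .php request under the prefix is refused instead of being served as a download. The server_name and root values are placeholders, and global-configs/php.conf is assumed to hold the FastCGI settings.

```nginx
# Added example; /forums/ and global-configs/php.conf come from the thread,
# server_name and root are placeholders.
server {
    listen 80;
    server_name forum.example.com;         # placeholder
    root /var/www/example.com/public;      # placeholder

    # Exact-match locations are checked first and end the search, so this
    # is the only PHP file under /forums/ that is handed to FastCGI.
    location = /forums/index.php {
        include global-configs/php.conf;   # assumed: fastcgi_pass and params
    }

    # Prefix strings are compared with the request path, which always starts
    # with "/". A prefix written as "forums/" can therefore never match.
    # "^~" means that when this prefix is the longest match, the regex
    # locations declared at server level are not tested; the regex locations
    # nested inside this block still are.
    location ^~ /forums/ {
        try_files $uri $uri/ @forum;

        # Nested regex locations are tried in the order written and the
        # first match wins. Uploaded markup and scripts are sent back as
        # plain text and are never executed.
        location ~* ^/forums/uploads/.*\.(html|htm|shtml|php)$ {
            types { }
            default_type text/plain;
        }

        # Any other request under /forums/ ending in .php gets 403 instead
        # of falling through to the static file handler.
        location ~* \.php$ {
            deny all;
        }
    }

    # Pretty URLs are rewritten to the single permitted entry point, which
    # is then matched by the exact location above.
    location @forum {
        rewrite ^/forums/(.+)$ /forums/index.php?p=$1 last;
    }
}
```

With this layout a request for /forums/login.php selects the nested "\.php$" location, which is what the "using configuration" line in the debug log should then report.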
Passing / denying PHP requests
Hello-

I am trying to allow only the PHP files required for a given PHP package to function correctly, then deny access to all other PHP files to prevent people from snooping on the site's configuration. I have created the location block, but I'm not so good with regular expressions and the block is assembled mostly through copy paste.

    location /installdirectory/ {
        # from nginx pitfalls page
        location ~* (installdirectory/file_a|installdirectory/file_b|installdirectory/file_c)\.php$ {
            include global-configs/php.conf;
        }
        location ~* installdirectory/.*\.php$ {
            deny all;
        }
    }

If someone can let me know if I am at least on the right track, I would appreciate it.

Thanks!
Paul
Re: [DOC] Guide to Nginx + SSL + SPDY
Dear Mr. or Ms. mex,

Could you please contact me paulnp...@gmail.com regarding this very useful guide you have created? I have some specific questions and I would also like to help out, if I can.

Thanks!
Paul

On Thu, Sep 12, 2013 at 11:36 AM, mex nginx-fo...@nginx.us wrote:

Hi Valentin,

In your section about BREACH requirements:

correct(ed)

thanx
mex

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,242672,242818#msg-242818
Re: [DOC] Guide to Nginx + SSL + SPDY
We had a discussion on this list recently about using gzip in the SSL block.

On Aug 17 Igor Sysoev wrote:

You have to split the dual mode server section into two server sections and set gzip off SSL-enabled on. There is no way to disable gzip in dual mode server section, but if you really worry about security in general the server sections should be different.

On Sun, Sep 8, 2013 at 10:50 AM, mex nginx-fo...@nginx.us wrote:

hi list,

i recently had to dig deeper into nginx + ssl-setup and came up with a short documentation on how to set up and run nginx as SSL-Gateway/Offload, including SPDY. beside basic configuration this guide covers HSTS-Headers, Perfect Forward Secrecy (PFS) and the latest and greatest ssl-based attacks like CRIME, BEAST, and Lucky Thirteen.

Link: http://www.mare-system.de/blog/page/1378546400/

the reason for this 321th guide to nginx+ssl: i did not find any valid source that covers all aspects, including spdy and hsts, so i made this collection and will keep it updated.

comments and critics appreciated

regards,
mex

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,242672,242672#msg-242672
Re: How to turn off gzip compression for SSL traffic
Igor said:

You have to split the dual mode server section into two server sections and set gzip off SSL-enabled on. There is no way to disable gzip in dual mode server section, but if you really worry about security in general the server sections should be different.

Adie said:

This is why Igor recommends you to split the server config for SSL and non-SSL, and put 'gzip on' only at the non-SSL one.

So I can be clear, I have 'gzip_vary on' in my http block and in subsequent HTTPS blocks (I separate HTTP from HTTPS) I have 'gzip_vary' off. Am I doing it right?
Re: How to turn off gzip compression for SSL traffic
On Sun, Aug 18, 2013 at 12:31 PM, Paul N. Pace paulnp...@gmail.com wrote:

Igor said:

You have to split the dual mode server section into two server sections and set gzip off SSL-enabled on. There is no way to disable gzip in dual mode server section, but if you really worry about security in general the server sections should be different.

Adie said:

This is why Igor recommends you to split the server config for SSL and non-SSL, and put 'gzip on' only at the non-SSL one.

So I can be clear, I have 'gzip_vary on' in my http block and in subsequent HTTPS blocks (I separate HTTP from HTTPS) I have 'gzip_vary' off. Am I doing it right?

'gzip_vary' was supposed to be 'gzip'
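Added example, not part of the thread: the split that the quoted advice describes, with a dual-mode server block shown commented out next to the two separate blocks that replace it. Host name, document root and certificate paths are placeholders.

```nginx
# Goes inside the http { } block. Added example; host name, root and
# certificate paths are placeholders.

# Before: one dual-mode block. The gzip setting applies to both listeners,
# so responses sent over TLS are compressed as well.
#
# server {
#     listen 80;
#     listen 443 ssl;
#     server_name www.example.com;
#     gzip on;
# }

# After: plain HTTP keeps compression.
server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;
    root /var/www/example.com/public;

    gzip on;
    # gzip_vary only adds "Vary: Accept-Encoding" while gzip, gzip_static
    # or gunzip is active. It does not switch compression on or off.
    gzip_vary on;
}

# After: the TLS block sets gzip off explicitly, so an inherited
# "gzip on" from the http level cannot re-enable it here.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;
    root /var/www/example.com/public;

    ssl_certificate     /etc/ssl/certs/example.com.crt;      # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key;    # placeholder

    gzip off;
}
```

A response fetched over HTTPS with an "Accept-Encoding: gzip" request header should then come back without a "Content-Encoding: gzip" header.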
Re: Update nginx with Ubuntu PPA
On Thu, Jul 25, 2013 at 10:29 AM, Valentin V. Bartenev vb...@nginx.com wrote:

On Tuesday 23 July 2013 12:24:38 JackB wrote:

openletter Wrote:
---
If you are using the apt-get upgrade or aptitude upgrade commands, the service will be restarted for you.

This might be a little off topic, but how can one upgrade nginx on ubuntu with the official ppa via apt without having a restart of nginx but an upgrade instead? (/etc/init.d/nginx upgrade)

Please note, there is no official ppa. Official nginx repositories for Ubuntu (and other Linux distros) are here: http://nginx.org/en/linux_packages.html

wbr, Valentin V. Bartenev

Yes, there is no official PPA. The PPA I and many others use is unofficial, but seems to be well maintained (thanks for that, whoever you are).

Someone wanting to use the same unofficial repository may execute the following:

    add-apt-repository ppa:nginx/stable
    apt-get update
    apt-get install nginx

If you want to use the devel version, then replace ppa:nginx/stable with ppa:nginx/development

If you don't have add-apt-repository, then apt-get install python-software-properties.
Re: Update nginx with Ubuntu PPA
On Mon, Jul 22, 2013 at 10:13 AM, howard chen howac...@gmail.com wrote:

I am upgrading nginx to latest 1.4.1 using PPA repository.

1. After install, do I need to restart it manually, or it is restarted automatically?
2. Is reload enough for the nginx upgrade? Or do I need to restart or stop/start?

If you are using the apt-get upgrade or aptitude upgrade commands, the service will be restarted for you. You may want to run sudo nginx -t to check for errors.

Thanks.
Re: Hosting multiple domains
Thank you Steve for nginx -t, and Sajan was correct, I had a syntax error in a server block.

However, while I was troubleshooting I noticed my log files getting rather huge. I keep the access_log and error_log files in the directories for each site. How can I keep these log files to a reasonable size without losing the data? (I use Piwik to analyze access logs, so I don't want to lose any data).

Thanks!

On Sat, Jun 15, 2013 at 8:04 PM, Steve Holdoway st...@greengecko.co.nz wrote:

Hello!

On Sat, 2013-06-15 at 19:39 -0700, Paul N. Pace wrote:

I have a server that I set up to run several domains from and it has worked great and without issue for about 6 months. I have another server that I had set up and was only running one domain from it and I just added a second domain.

For some reason, this second server does not want to serve two domains, and I can find no substantial differences in the configuration files (nginx.conf and sites-available files). On both servers I put a symlink in the sites-enabled folder to the corresponding sites-available file.

On the second, problematic server, when creating a symlink to the second site and restarting nginx, testing the second domain only brings up the first domain. Rebooting the server disables both domains and the server appears unresponsive, except that I can SSH into it. Then removing the symlink to the second domain and restarting nginx returns the server to serving the one domain as it has been doing.

The first server is running nginx 1.5.0 and the second server is running nginx 1.4.1.

What should I be looking at to resolve this issue?

Without seeing the config files/error logs, it's difficult to find the problem. However, I can confirm that both name and IP address based hosting works perfectly. nginx -t may well help identify incorrect config files.

Note there is some precedence in the listen 80 / listen ip:80 statements which might be causing the problem.

Steve

--
Steve Holdoway BSc(Hons) MNZCS
http://www.greengecko.co.nz
Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa
Hosting multiple domains
I have a server that I set up to run several domains from and it has worked great and without issue for about 6 months. I have another server that I had set up and was only running one domain from it and I just added a second domain.

For some reason, this second server does not want to serve two domains, and I can find no substantial differences in the configuration files (nginx.conf and sites-available files). On both servers I put a symlink in the sites-enabled folder to the corresponding sites-available file.

On the second, problematic server, when creating a symlink to the second site and restarting nginx, testing the second domain only brings up the first domain. Rebooting the server disables both domains and the server appears unresponsive, except that I can SSH into it. Then removing the symlink to the second domain and restarting nginx returns the server to serving the one domain as it has been doing.

The first server is running nginx 1.5.0 and the second server is running nginx 1.4.1.

What should I be looking at to resolve this issue?
Re: your mail
On Thu, May 2, 2013 at 1:21 PM, Francis Daly fran...@daoine.org wrote:

On Thu, May 02, 2013 at 01:05:29PM -0700, Paul N. Pace wrote:

Hi there,

Other than that, I tried to follow both guides to the letter. When I go to http://lists.example.com I get redirected to http://lists.example.com/mailman/listinfo (on Chrome and FF, but not IE) and I get a 400 Bad Request Request Header Or Cookie Too Large.

Different redirection per client is unexpected. I'm guessing that the browser cache wasn't cleared? It's frequently simplest to test using curl to see exactly what response is sent.

I did try clearing cache and cookies as well as opening the site on a device that had never opened it (my BlackBerry) and received the same error. Curl just states moved permanently as per the changes put in the sites-available file (see below).

Any ideas on where to start looking?

Your nginx.conf almost certainly does a proxy_pass to the web server that actually runs mailman. I suggest you confirm that mailman is installed and working correctly on that web server -- if it isn't, nginx won't help.

How to do this other than viewing the mailman page?

If the 400 error comes from nginx, there should be something in the logs to indicate the nature of the problem.

Strangely, the logs do not state any errors.

This is the server block I added to sites-available file (mostly) as per the nginx wiki. Was I supposed to add this to the nginx.conf file?

    server {
        listen [::]:80;
        server_name lists.example.com;
        root /usr/lib;
        access_log /var/www/example.com/logs/access.log;
        error_log /var/www/example.com/logs/error.log;

        location = / {
            rewrite ^ /mailman/listinfo permanent;
        }
        location / {
            rewrite ^ /mailman$uri?$args;
        }
        location = /mailman/ {
            rewrite ^ /mailman/listinfo permanent;
        }
        location /mailman/ {
            include proxy_params;
            proxy_pass http://127.0.0.1/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
        location /cgi-bin {
            rewrite ^/cgi-bin(.*)$ $1 permanent;
        }
        location /images/mailman {
            alias /var/lib/mailman/icons;
        }
        location /pipermail {
            alias /var/lib/mailman/archives/public;
            autoindex on;
        }
    }

f
--
Francis Daly fran...@daoine.org
Re: Nginx 1.4 problem
On Wed, May 1, 2013 at 2:07 PM, Maxim Dounin mdou...@mdounin.ru wrote:

Hello!

On Wed, May 01, 2013 at 11:17:10AM -0700, Alder Network wrote:

Just for clarity, I want to be listening on both IPv4 and IPv6 on the same port.

You have to write

    listen 80;
    listen [::]:80;

to listen on both IPv4 and IPv6.

Doesn't that require ipv6only=on?

    listen 80;
    listen [::]:80 ipv6only=on;

On Wed, May 1, 2013 at 11:00 AM, Alder Network aldernetw...@gmail.com wrote:

netstat -pln shows the server is waiting on that port. Yes, I have been using in server section listen [::]:80; What is supposed to be for IPV4 now? I'll go over the changelist later,

Thanks,
- Alder

On Wed, May 1, 2013 at 10:40 AM, Maxim Dounin mdou...@mdounin.ru wrote:

Hello!

On Wed, May 01, 2013 at 10:13:34AM -0700, Alder Network wrote:

Tried to upgrade to just-released Nginx1.4. TCP 3-way hand-shake aborted by server's ACK+RST packet, but netstat shows server is listening on that port. Any config has been changed since Nginx 1.2 to 1.4 in this regard?

There are lots of changes in 1.4.0 compared to 1.2.x, see http://nginx.org/en/CHANGES-1.4. In this particular case I would recommend checking if nginx is listening on the port, the address, and the protocol in question. Note that since 1.3.4 ipv6only listen option is on by default, and if you have listen [::]:80; in your config, it no longer implies IPv4 addresses regardless of your OS settings.

--
Maxim Dounin
http://nginx.org/en/donation.html

--
Maxim Dounin
http://nginx.org/en/donation.html
Re: Online Jobs and Entertainment
Speaking of which, what do you guys use for a spam filter? I've been thinking about setting up mailman. I'm surprised at how little spam I've seen here given how popular nginx is. (I realize this gem came from a forum post).

--Original Message--
From: Rickey
Sender: nginx-boun...@nginx.org
To: nginx@nginx.org
ReplyTo: nginx@nginx.org
Subject: Online Jobs and Entertainment
Sent: Apr 29, 2013 9:44 AM

http://kholyar.blogspot.com/ Open It And Enjoy :)

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,238720,238720#msg-238720
Why does nginx work at the server IP address only with default root location?
I have set up a server on Rackspace using Ubuntu 12.04 and the nginx stable PPA. Using the default root location of /usr/share/nginx/html the index.html file is displayed when I call the public IP address of the server. If I change the root location to my own /var/www/example.com/public the index.html file is not displayed.

Output of ll on /var/www/example.com/public:

    drwxrwsr-x 2 www-data www-data 4096 Apr 21 04:13 ./
    drwxrwsr-x 7 www-data www-data 4096 Apr 21 03:55 ../
    -rw-rw-r-- 1 www-data www-data  624 Apr 21 04:17 index.html

This is the only change I make and I get the failure, but I don't expect it. What am I doing wrong?
Re: Why does nginx work at the server IP address only with default root location?
Steve, you are a Linux genius, and I am but a humble plebe, forever in your debt.

On Sun, Apr 21, 2013 at 1:09 PM, Steve Holdoway st...@greengecko.co.nz wrote:

At a guess, /var or /var/www isn't readable by www-data

Steve

On 22/04/2013, at 7:50 AM, Paul N. Pace paulnp...@gmail.com wrote:

I have set up a server on Rackspace using Ubuntu 12.04 and the nginx stable PPA. Using the default root location of /usr/share/nginx/html the index.html file is displayed when I call the public IP address of the server. If I change the root location to my own /var/www/example.com/public the index.html file is not displayed.

Output of ll on /var/www/example.com/public:

    drwxrwsr-x 2 www-data www-data 4096 Apr 21 04:13 ./
    drwxrwsr-x 7 www-data www-data 4096 Apr 21 03:55 ../
    -rw-rw-r-- 1 www-data www-data  624 Apr 21 04:17 index.html

This is the only change I make and I get the failure, but I don't expect it. What am I doing wrong?