/etc/systemd/system/nginx.service.d/override.conf and /usr/lib/systemd/system/nginx.service don't exist
/etc/nginx/nginx.conf below
# Main nginx configuration as posted to the list, reflowed one directive per line.
# Directives and values are unchanged; the '#' comments are review annotations.

# "user" only takes effect when the master process is started as root. The error
# log quoted later in this post carries the matching warning, which points at an
# nginx invocation made by an unprivileged account rather than by the service.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 16384;

events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Keeps the nginx version out of the Server header and built-in error pages.
    server_tokens off;
    types_hash_max_size 2048;
    fastcgi_read_timeout 1800;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 128;
    index index.php index.html index.htm;

    # $http_x_forwarded_for is a request header: unless a trusted proxy sets it,
    # the logged value is client-controlled and must not be treated as the real
    # client address during incident review ($remote_addr is the peer address).
    log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for" '
                        '"$host" sn="$server_name" '
                        'rt=$request_time '
                        'ua="$upstream_addr" us="$upstream_status" '
                        'ut="$upstream_response_time" ul="$upstream_response_length" '
                        'cs=$upstream_cache_status' ;
    access_log /var/log/nginx/access.log main_ext;
    error_log /var/log/nginx/error.log warn;

    # Compression is enabled globally. Dynamic HTTPS responses that combine a
    # secret with reflected request data are the precondition for BREACH-style
    # compression side channels; consider turning gzip off for those locations.
    gzip on;
    gzip_disable "MSIE [1-6]\.";
    # NOTE(review): gzip_vary and gzip_comp_level each appear twice. nginx normally
    # rejects a repeated simple directive in one context as "is duplicate", so
    # confirm this paste matches the file on disk.
    gzip_vary on;
    gzip_comp_level 4;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 200;
    gzip_buffers 16 8k;
    gzip_http_version 1.0;
    # "private" and "auth" extend compression to proxied responses marked private
    # and to requests that carry an Authorization header.
    gzip_proxied expired no-cache no-store private auth;
    # NOTE(review): "application/atom_xml" looks like a typo for application/atom+xml - confirm.
    gzip_types text/css text/plain text/javascript application/javascript application/x-javascript application/json application/xml application/xml+rss application/xhtml+xml application/x-font-ttf application/x-font-opentype application/vnd.ms-fontobject image/svg+xml image/x-icon application/rss+xml application/atom_xml;

    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    fastcgi_cache_path /var/lib/nginx/fastcgi/keventajat-fi levels=1:2 keys_zone=keventajat-fi:10m inactive=24h max_size=372m use_temp_path=off;
    # The cache key has no cookie or session component, so every client requesting
    # the same URL shares one cache entry.
    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    fastcgi_cache_use_stale error timeout invalid_header http_500;
    fastcgi_cache_valid 200 301 302 24h;
    fastcgi_cache_valid 404 1m;
    # Ignoring Set-Cookie and Cache-Control removes the checks that normally keep
    # per-user or "private" backend responses out of the cache. Combined with the
    # key above, a logged-in user's page could be stored and served to others for
    # up to 24h. Presumably the included site files enable the cache and exclude
    # authenticated traffic with fastcgi_no_cache / fastcgi_cache_bypass - verify.
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie Vary;
    fastcgi_cache_background_update on;
    fastcgi_cache_revalidate on;

    # These only define per-client-address rate-limit zones; nothing is throttled
    # until a location references them with limit_req (not visible in this file).
    limit_req_zone $binary_remote_addr zone=wplogin:5m rate=1r/s;
    limit_req_zone $binary_remote_addr zone=magsearch:5m rate=15r/m;

    send_timeout 60s;
    client_max_body_size 64m;
    client_body_timeout 60s;
    client_body_buffer_size 128K;
    client_header_timeout 30s;
    client_header_buffer_size 1k;
    keepalive_timeout 15s;
    keepalive_requests 100000;
    proxy_connect_timeout 30;
    proxy_send_timeout 300;
    proxy_read_timeout 300;
    resolver 127.0.0.53 valid=30s;
    resolver_timeout 10s;

    # PHP 5.6 is past upstream end-of-life; unless the distribution backports
    # fixes, this pool no longer receives security updates.
    upstream php56 {
        server unix:/run/php/php5.6-fpm.sock max_fails=20 fail_timeout=60;
    }
    upstream php74 {
        server unix:/run/php/php7.4-fpm.sock max_fails=20 fail_timeout=60;
    }
    upstream graphql {
        server 127.0.0.1:3000;
    }

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 120m;
    # No ssl_session_ticket_key is set here, so nginx uses a ticket key it generates
    # itself. Forward secrecy for resumed sessions then lasts only as long as that
    # key lives; rotate it or disable tickets if that window matters.
    ssl_session_tickets on;
    ssl_dhparam /etc/nginx/dhparam.pem;
    # Applies to TLS 1.2 and below. What the "FIPS" alias expands to depends on the
    # OpenSSL build; check the resulting list with
    #   openssl ciphers -v '!aNULL:!eNULL:FIPS@STRENGTH'
    # and confirm it contains only the suites you intend to offer.
    ssl_ciphers !aNULL:!eNULL:FIPS@STRENGTH;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;

    # Exposes $uri without its leading slash as $no_slash_uri.
    map $uri $no_slash_uri {
        ~^/(?<no_slash>.*)$ $no_slash;
    }
}
Sergey A. Osokin Wrote: ------------------------------------------------------- > Looks good to me. > > I'd like to request more files: > - /etc/systemd/system/nginx.service.d/override.conf > - /usr/lib/systemd/system/nginx.service > - /etc/nginx/nginx.conf > > Thanks. > > On Tue, Jun 08, 2021 at 06:02:29PM -0400, hgv wrote: > > Yes, certainly. > > > > drwxr-xr-x root root /etc > > drwxr-xr-x root root /etc/ssl > > drwxr-x--- root ssl-cert /etc/ssl/private > > > > > > Sergey A. Osokin Wrote: > > ------------------------------------------------------- > > > Hi, > > > > > > Could you check and show permissions on /etc/ssl/private, > /etc/ssl, > > > and /etc directories. > > > > > > Thanks. > > > > > > -- > > > Sergey > > > > > > On Tue, Jun 08, 2021 at 03:57:59PM -0400, hgv wrote: > > > > Hi Sergey, > > > > > > > > Adding www-data user to ssl-cert group doesn't help. 
> > > > > > > > root@k2# usermod -a -G ssl-cert www-data > > > > > > > > root@k2# getent group ssl-cert > > > > ssl-cert:x:112:postgres,www-data > > > > > > > > > > > > Sergey A. Osokin Wrote: > > > > ------------------------------------------------------- > > > > > Hi there, > > > > > > > > > > hope you're doing well. > > > > > > > > > > On Tue, Jun 08, 2021 at 11:46:32AM -0700, Palvelin Postmaster > > > wrote: > > > > > > I wonder what can cause these weird error log entries? The > log > > > > > entries indicate a PID which doesn’t exist. Does nginx launch > some > > > > > temporary process when it starts? > > > > > > > > > > > > Nginx 1.21.0 on Ubuntu 20.04. > > > > > > > > > > > > root@k2:~# systemctl restart nginx > > > > > > > > > > > > root@k2:~# tail /var/log/nginx/error.log > > > > > > 2021/06/08 21:25:32 [warn] 1287733#1287733: the "user" > directive > > > > > makes sense only if the master process runs with super-user > > > > > privileges, ignored in /etc/nginx/nginx.conf:21 > > > > > > 2021/06/08 21:25:32 [emerg] 1287733#1287733: cannot load > > > certificate > > > > > key "/etc/ssl/private/nginx-selfsigned.key": BIO_new_file() > failed > > > > > (SSL: error:0200100D:system library:fopen:Permission > > > > > denied:fopen('/etc/ssl/private/nginx-selfsigned.key','r') > > > > > error:2006D002:BIO routines:BIO_new_file:system lib) > > > > > > > > > > Seems like an attempt to start nginx without root privileges. > > > > > > > > > > > root@k2:~# ls -lh /etc/ssl/private/ |grep selfsigned > > > > > > -rw-r----- 1 root ssl-cert 1.7K Jul 8 17:12 > > > nginx-selfsigned.key > > > > > > > > > > > > root@k2:~# cat /etc/nginx/nginx.conf |grep ^user > > > > > > user www-data; > > > > > > > > > > > > root@k2:~# ps -auxw |grep nginx > > > > > > root 1287600 0.0 0.0 56148 6504 ? Ss 21:25 > > > > 0:00 > > > > > nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf > > > > > > www-data 1287601 0.7 0.1 58544 15652 ? 
S 21:25 > > > > 0:05 > > > > > nginx: worker process > > > > > > www-data 1287602 0.0 0.1 57556 13696 ? S 21:25 > > > > 0:00 > > > > > nginx: worker process > > > > > > www-data 1287603 0.0 0.1 56392 9184 ? S 21:25 > > > > 0:00 > > > > > nginx: cache manager process > > > > > > > > > > Could you check `www-data' user permission, and add, if > necessary, > > > to > > > > > the `ssl-cert' group. > > > > > > > > > > -- > > > > > Sergey Osokin > > > > > _______________________________________________ > > > > > nginx mailing list > > > > > nginx@nginx.org > > > > > http://mailman.nginx.org/mailman/listinfo/nginx > > > > > > > > Posted at Nginx Forum: > > > https://forum.nginx.org/read.php?2,291799,291801#msg-291801 > > > > > > > > _______________________________________________ > > > > nginx mailing list > > > > nginx@nginx.org > > > > http://mailman.nginx.org/mailman/listinfo/nginx > > > _______________________________________________ > > > nginx mailing list > > > nginx@nginx.org > > > http://mailman.nginx.org/mailman/listinfo/nginx > > > > Posted at Nginx Forum: > https://forum.nginx.org/read.php?2,291799,291803#msg-291803 > > > > _______________________________________________ > > nginx mailing list > > nginx@nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx > _______________________________________________ > nginx mailing list > nginx@nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291812#msg-291812 _______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx