What causes the error in this http/https WordPress configuration file?

I cannot open any link except http://example.com/readme.txt with the following server block.

Any tips?

server {
    listen 80 default_server;                    ## listen for ipv4; this line is default and implied
    listen [::]:80 default_server ipv6only=on;   ## listen for ipv6
    server_name example.com www.example.com *.example.com;

    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    keepalive_timeout 70;

    #ssl on;
    ssl_certificate /etc/nginx/cert/example.com-unified.crt;
    ssl_certificate_key /etc/nginx/cert/example.com.key;

    server_name example.com www.example.com *.example.com;
    server_name_in_redirect off;

    charset utf-8;
    root /usr/share/nginx/html/example.com;

    access_log /home/wwwlogs/example.com.access.log;
    error_log /home/wwwlogs/example.com.error.log;

    if ($http_host != "www.example.com") {
        rewrite ^ https://www.example.com$request_uri permanent;
    }

    index index.php index.html index.htm;

    #fastcgi_cache start
    set $skip_cache 0;

    # POST requests and urls with a query string should always go to PHP
    if ($request_method = POST) {
        set $skip_cache 1;
    }
    if ($query_string != "") {
        set $skip_cache 1;
    }

    # Don't cache uris containing the following segments
    if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(index)?.xml|[a-z0-9-]+-sitemap([0-9]+)?.xml)") {
        set $skip_cache 1;
    }

    # Don't use the cache for logged in users or recent commenters
    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
        set $skip_cache 1;
    }

    location / {
        # try files in the specified order
        try_files $uri $uri/ /index.php?$args /index.html;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.(php|php5)?$ {
        # include snippets/fastcgi-php.conf;
        #
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;  #DEBUG
        include /etc/nginx/fastcgi_params;
        # use upstream hhvm/php
        fastcgi_pass php;
        fastcgi_cache_methods GET HEAD;      # Only GET and HEAD methods apply
        fastcgi_cache_bypass $skip_cache;    # apply the "$skip_cache" variable
        fastcgi_no_cache $skip_cache;

        fastcgi_cache WORDPRESS;
        fastcgi_cache_valid 200 301 302 60m;

        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # send bad requests to 404
        fastcgi_intercept_errors on;
    }

    location ~ /purge(/.*) {
        fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }

    location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|flv|ico)$ {
        access_log off; log_not_found off; expires max;
    }

    location ~ .*\.(js|css)?$ {
        expires 7d;
    }

    location = /robots.txt {
        access_log off; log_not_found off;
    }

    # Make sure files with the following extensions do not get loaded by
    # nginx because nginx would display the source code, and these files can
    # contain PASSWORDS!
    #
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
        deny all;
    }

    location ~ /\. { deny all; access_log off; log_not_found off; }

    error_page 404 /404.html;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    sysguard on;
    sysguard_load load=1.8 action=/loadlimit;
    sysguard_mem swapratio=90% action=/swaplimit;

    location /loadlimit {
        return 503;
    }

    location /swaplimit {
        return 503;
    }

    if ( $query_string ~* ".*[\;'\<\>].*" ) {
        return 404;
    }
}

Posted at Nginx Forum:

I can not open any link except http://example.com/readme.txt with following server block.
Any tips?

How did you come up with such a configuration in the first place?

Second, what exact response do you get when opening something else (besides the readme.txt), and what does the access/error log contain for that particular request? It should indicate the reason you can't open the particular URL. Depending on the response/HTTP status it might be a different thing (you have quite a few location/deny blocks and also 3rd-party modules which could block the requests, the PHP backend might not be correctly configured (or just down), etc.).

If you are unsure what the resulting config actually does, I would start with a simpler version (a bare server{} with just a PHP backend definition).

I mean, a lot of your current configuration doesn't make sense or is redundant.

Just for example, you have:

    if ($request_method = POST) {
        set $skip_cache 1;
    }

and then:

    fastcgi_cache_bypass $skip_cache;
    fastcgi_cache_methods GET HEAD;

The default value of fastcgi_cache_methods is already only GET and HEAD, therefore that particular if() is not necessary, nor is the cache_methods setting itself.

rr

Reinis,

Great, thanks for your tips. Here is the update.

This is for a WordPress blog, with http and https access. We don't need to redirect http traffic to https. In addition, I want to access it either by http://example.com, http://www.example.com, https://example.com, or https://www.example.com.

There are several problems caused by the following configuration.

  1. http://www.example.com/fold1/readme.php will be redirected to https://fold1/readme.php

  2. https://example.com/fold1/readme.php will be redirected to https://fold1/readme.php

  3. https://www.example.com/fold1/readme.php was loaded over HTTPS, but requested an insecure script 'http://www.example.com/fold1/js/user-profile.min.js?ver=4.3'. This request has been blocked; the content must be served over HTTPS.
     readme.php:1 Mixed Content: The page at 'https://www.example.com/fold1/readme.php' was loaded over HTTPS, but requested an insecure script 'http://www.example.com/fold1/js/language-chooser.min.js?ver=4.3'. This request has been blocked; the content must be served over HTTPS.

server {
    listen 80 default_server;                    ## listen for ipv4; this line is default and implied
    listen [::]:80 default_server ipv6only=on;   ## listen for ipv6
    server_name example.com www.example.com *.example.com;
    # return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    keepalive_timeout 70;

    #ssl on;
    ssl_certificate /etc/nginx/cert/example.com-unified.crt;
    ssl_certificate_key /etc/nginx/cert/example.com.key;

    server_name example.com www.example.com *.example.com;
    server_name_in_redirect off;

    charset utf-8;
    root /usr/share/nginx/html/example.com;

    access_log /home/wwwlogs/example.com.access.log;
    error_log /home/wwwlogs/example.com.error.log;

    #if ($http_host != "www.example.com") {
    #    rewrite ^ https://www.example.com$request_uri permanent;
    #}

    index index.php index.html index.htm;

    #fastcgi_cache start
    set $skip_cache 0;

    # POST requests and urls with a query string should always go to PHP
    # fastcgi_cache_methods default value already is only GET and HEAD
    #if ($request_method = POST) {
    #    set $skip_cache 1;
    #}
    if ($query_string != "") {
        set $skip_cache 1;
    }

    # Don't cache uris containing the following segments
    if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(index)?.xml|[a-z0-9-]+-sitemap([0-9]+)?.xml)") {
        set $skip_cache 1;
    }

    # Don't use the cache for logged in users or recent commenters
    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
        set $skip_cache 1;
    }

    location / {
        # try files in the specified order
        try_files $uri $uri/ /index.php?$args /index.html;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.(php|php5)?$ {
        # include snippets/fastcgi-php.conf;
        #
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;  #DEBUG
        include /etc/nginx/fastcgi_params;
        # use upstream hhvm/php
        fastcgi_pass php;
        # fastcgi_cache_methods GET HEAD;    # Only GET and HEAD methods apply
        fastcgi_cache_bypass $skip_cache;    # apply the "$skip_cache" variable
        fastcgi_no_cache $skip_cache;

        fastcgi_cache WORDPRESS;
        fastcgi_cache_valid 200 301 302 60m;

        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # send bad requests to 404
        fastcgi_intercept_errors on;
    }

    location ~ /purge(/.*) {
        fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }

    location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|flv|ico)$ {
        access_log off; log_not_found off; expires max;
    }

    location ~ .*\.(js|css)?$ {
        expires 7d;
    }

    location = /robots.txt {
        access_log off; log_not_found off;
    }

    # Make sure files with the following extensions do not get loaded by
    # nginx because nginx would display the source code, and these files
    # can contain PASSWORDS!
    #
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
        deny all;
    }

    location ~ /\. { deny all; access_log off; log_not_found off; }

    error_page 404 /404.html;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    sysguard on;
    sysguard_load load=1.8 action=/loadlimit;
    sysguard_mem swapratio=90% action=/swaplimit;

    location /loadlimit {
        return 503;
    }

    location /swaplimit {
        return 503;
    }

    if ( $query_string ~* ".*[\;'\<\>].*" ) {
        return 404;
    }
}

####### Following are the logs ########
example.com server access log:
101.102.224.162 - - [27/Aug/2015:22:30:20 +0000] "GET //cgi-bin/webcm?getpage=…/html/menus/menu2.html&var:lang=%26%20allcfgconv%20-C%20voip%20-c%20-o%20-%20…/…/…/…/…/var/tmp/voip.cfg%20%2 HTTP/1.1" 500 796 "-" "curl/7.29.0"
101.102.210.246 - - [27/Aug/2015:23:27:27 +0000] "GET /fold1/readme.php HTTP/1.1" 200 3065 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2403.107 Safari/537.36"
101.102.210.246 - - [27/Aug/2015:23:27:28 +0000] "GET /fold1/readme.php HTTP/1.1" 200 3065 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2403.107 Safari/537.36"

nginx main error log:
#lots of "ignore long locked inactive cache entry" errors like the following:
2015/08/27 22:01:04 [alert] 22603#0: ignore long locked inactive cache entry 1054513b79bde8beb8798358f09d0:

There is no example.com server error log generated.

Posted at Nginx Forum:

We dont need to redirect http traffic to https. In addition, I want to access it either by http://example.com, http://www.example.com, https://example.com, or https://www.example.com

  1. https://www.example.com/fold1/readme.php was loaded over HTTPS, but requested an insecure script 'http://www.example.com/fold1/js/user-profile.min.js?ver=4.3'. This request has been blocked; the content must be served over HTTPS.
     readme.php:1

Since the access log doesn't show any denied requests, this seems to be a WordPress configuration issue (though I'm no WP expert). I imagine you have configured WordPress with a global URL (in General settings) like http://www.example.com, but that way, when you open the https:// version, all the assets (js/css) in the HTML source will have an absolute path/URL (you can check the source for src="http://…"), which by default are blocked by browsers (the request doesn't even get to nginx) as non-secure content, and the page without any CSS styles or scripts can look empty/broken.

If you don't want to force the http->https redirect, you should either configure WP with a relative URL or skip the protocol altogether (e.g. use just //example.com).

A more lengthy article can be read here

rr
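The check rr describes (absolute http:// asset URLs in the HTML of a page served over https, which the browser blocks before any request reaches nginx), as an added example that is not part of the thread: a small scanner that lists the sub-resources a browser would treat as mixed content, plus a helper that applies the protocol-relative fix rr suggests. The sample page is constructed to resemble the OP's readme.php, and the function and attribute-table names are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes through which a browser fetches a sub-resource; a plain http:// value
# in any of them on an https page is mixed content and gets blocked or downgraded.
ASSET_ATTRS = {
    "script": ("src",), "link": ("href",), "iframe": ("src",),
    "img": ("src", "srcset"), "source": ("src", "srcset"), "form": ("action",),
}

class MixedContentScanner(HTMLParser):
    """Collect sub-resource URLs that use plain http:// on an https page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_scheme = urlsplit(page_url).scheme
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if not value or attr not in ASSET_ATTRS.get(tag, ()):
                continue
            # srcset carries comma-separated "url descriptor" pairs; keep the URLs only.
            urls = [c.split()[0] for c in value.split(",") if c.strip()] if attr == "srcset" else [value]
            for url in urls:
                if self.page_scheme == "https" and urlsplit(url).scheme == "http":
                    self.findings.append((tag, attr, url))

def find_mixed_content(page_url, html):
    """Return the (tag, attribute, url) triples a browser would block on page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

def make_protocol_relative(html, site_url):
    """The fix suggested in the thread: drop the scheme from absolute asset URLs that
    point at the site's own host, so the browser reuses the scheme of the page."""
    host = urlsplit(site_url).netloc
    return re.sub(r"http://" + re.escape(host) + r"/", "//" + host + "/", html)

# Constructed sample in the shape of the OP's readme.php output: WordPress built the
# asset URLs from an http://www.example.com site URL set in General settings.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.com/fold1/css/install.min.css?ver=4.3">
<script src="http://www.example.com/fold1/js/user-profile.min.js?ver=4.3"></script>
<script src="http://www.example.com/fold1/js/language-chooser.min.js?ver=4.3"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body><img src="/fold1/logo.png"></body></html>"""
```

Running find_mixed_content against the real page source (fetched over https) lists exactly the assets the browser console reports as blocked; an empty result after changing the WordPress site URL confirms the fix without guessing from a blank-looking page.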