zcluff
By:
zcluff

Nginx + php + Wordpress trying to download .DMS file on http, browsing to site on https is fine.

June 27, 2017 1.1k views
Nginx WordPress PHP Ubuntu

nginx config:

# You may add here your
# server {
#       ...
# }
# statements for each of your virtual hosts to this file

##
# You should look at the following URLs in order to gain a solid understanding
# of Nginx configuration files and fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

server {

        root /var/www/beautifuldisaster.group;
        # index.php first, so a request for "/" is handed to WordPress rather
        # than to a directory listing (which is refused with 403 by default).
        index index.php index.html index.htm;
        listen 443 ssl http2;
        listen   [::]:443 ssl http2;
        ssl_certificate /etc/letsencrypt/live/beautifuldisaster.group/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/beautifuldisaster.group/privkey.pem;
        # TLS 1.2 only. A server-level ssl_protocols replaces, not extends,
        # whatever the http{} block in nginx.conf sets.
        ssl_protocols  TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/dhparams.pem;
        # Review note: the exclusions at the end (!aNULL !eNULL !EXPORT !DES
        # !RC4 !MD5 !PSK ...) are sound, but the positive list still admits
        # non-forward-secret RSA key exchange (AES128-SHA, AES256-SHA, ...),
        # CAMELLIA and DES-CBC3-SHA (3DES) as fallbacks. With TLSv1.2 only,
        # the ECDHE/DHE AEAD suites at the front are all modern clients need.
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        # OCSP stapling with response verification. No ssl_trusted_certificate
        # or resolver directive appears in this block; unless one is set at
        # http level, check the error log for stapling/OCSP verification
        # warnings - verification may silently be ineffective.
        ssl_stapling on;
        ssl_stapling_verify on;
        # HSTS for 15768000 s (about six months). No includeSubDomains flag, so
        # subdomain hosts are not covered by this header.
        add_header Strict-Transport-Security max-age=15768000;
        # Names this vhost answers to on :443; a request whose Host header
        # matches neither goes to nginx's default server for the port.
        server_name beautifuldisaster.group www.beautifuldisaster.group;

        location / {
                # First attempt to serve the request as a file, then as a
                # directory, then hand it to the WordPress front controller.
                # (The stock "=404" form is kept below for reference.)
#                try_files $uri $uri/ =404;
                # Uncomment to enable naxsi on this location
                # include /etc/nginx/naxsi.rules
        # Anything that is not an existing file or directory is rewritten to
        # /index.php with the original query string preserved.
        try_files $uri $uri/ /index.php?$args;
        }

        # Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
        #location /RequestDenied {
        #       proxy_pass http://127.0.0.1:8080;    
        #}

        # Presumably here for Let's Encrypt's /.well-known/ challenges (the
        # certificate paths above are letsencrypt ones). Note the regex dot is
        # unescaped, so "/.well-known" also matches e.g. "/xwell-known"; the
        # intended pattern is "~ /\.well-known". "allow all" only has an
        # effect if a deny is added at server level - there is none here.
        location ~ /.well-known {
                allow all;
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        #error_page 500 502 503 504 /50x.html;
        #location = /50x.html {
        #       root /usr/share/nginx/html;
        #}

        # Hand every URI ending in .php to PHP-FPM over the unix socket below
        # (the stock "127.0.0.1:9000" wording no longer applies). Review note:
        # this matches .php files anywhere under root, including an uploads
        # directory if this is a WordPress tree; a deny for "/uploads/.*\.php$"
        # placed before this location is the usual guard. snippets/fastcgi-php.conf
        # is not shown here - confirm it contains the "try_files
        # $fastcgi_script_name =404" check so non-existent scripts are refused
        # before reaching FPM.
           location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    # Blocks .htaccess/.htpasswd left over from Apache. Other dotfiles that
    # may exist under root (.git, .env, ...) are NOT covered by this pattern;
    # "~ /\." would cover them and, placed after the .well-known location
    # above, would not interfere with it.
    location ~ /\.ht {
        deny all;
    }

        # Stock, commented copy of the .ht rule; the active one is the
        # location block directly above.
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}


# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
#       listen 8000;
#       listen somename:8080;
#       server_name somename alias another.alias;
#       root html;
#       index index.html index.htm;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}


# HTTPS server
#
#server {
#       listen 443;
#       server_name localhost;
#
#       root html;
#       index index.html index.htm;
#
#       ssl on;
#       ssl_certificate cert.pem;
#       ssl_certificate_key cert.key;
#
#       ssl_session_timeout 5m;
#
#       ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#       ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
#       ssl_prefer_server_ciphers on;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}


server {
        # Plain-HTTP listener: nothing is served here, every request is
        # bounced to HTTPS. Only IPv4 port 80 is bound; the HTTPS block
        # listens on [::]:443 as well, so an IPv6 client arriving on port 80
        # reaches whatever nginx's default server for [::]:80 is, not this
        # redirect.
        listen 80;
        server_name beautifuldisaster.group www.beautifuldisaster.group;
        # $host is taken from the request line / client Host header, falling
        # back to the matched server_name. Because server_name is explicit the
        # target is one of the two names above - unless this block is also the
        # default server for :80, in which case an arbitrary Host header is
        # echoed into the Location. Using $server_name instead pins the
        # target to the first name.
        return 301 https://$host$request_uri;
}

Browsing to the site using https loads the site fine in any browser; using http downloads a DMS file instead of loading the site. I just read that HTTP/2 only works on port 443, and I accidentally enabled it for port 80 for over 24 hours. Is this just a matter of telling people to browse to the site using https for some amount of time until the browser cache expires, or to clear their browsing data?

4 Answers

Hi @zcluff

Let's clean up the config so it's easier to read, by removing the comments.
This should work. Replace your config with this, then run the following commands:

sudo service nginx configtest

sudo service nginx restart
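server {
  server_name beautifuldisaster.group www.beautifuldisaster.group;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  root /var/www/beautifuldisaster.group;
  # Without an index directive nginx only looks for index.html; for "/" the
  # try_files below then matches the root directory, which nginx cannot list,
  # giving "directory index of ... is forbidden" (403). index.php first so the
  # front page goes to WordPress.
  index index.php index.html index.htm;

  ssl_certificate /etc/letsencrypt/live/beautifuldisaster.group/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/beautifuldisaster.group/privkey.pem;
  # TLS 1.2 only; overrides the http-level ssl_protocols in nginx.conf.
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/ssl/dhparams.pem;
  # Review note: the trailing exclusions are fine, but the positive list still
  # allows non-forward-secret RSA key exchange, CAMELLIA and DES-CBC3-SHA (3DES)
  # as fallbacks; with TLSv1.2 only, the ECDHE/DHE AEAD suites up front suffice.
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  # Stapling is on, but no ssl_trusted_certificate/resolver is set in this
  # block; check the error log for OCSP verification warnings.
  ssl_stapling on;
  ssl_stapling_verify on;
  # HSTS, about six months; no includeSubDomains, so subdomains are not covered.
  add_header Strict-Transport-Security max-age=15768000;

  location / {
    # Existing file, then directory, then the WordPress front controller with
    # the query string preserved.
    try_files $uri $uri/ /index.php?$args;
  }

  # Let's Encrypt challenge path. The dot is escaped so only the literal
  # "/.well-known" prefix matches.
  location ~ /\.well-known {
    allow all;
  }

  # Every URI ending in .php goes to PHP-FPM over the unix socket. Confirm that
  # snippets/fastcgi-php.conf (not shown here) carries the
  # "try_files $fastcgi_script_name =404" guard, and consider denying .php under
  # the uploads directory before this location.
  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
  }

  # Apache leftovers (.htaccess/.htpasswd). Other dotfiles are not covered by
  # this pattern.
  location ~ /\.ht {
    deny all;
  }
}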

server {
  server_name beautifuldisaster.group www.beautifuldisaster.group;
  # Plain HTTP on both IPv4 and IPv6; nothing is served, everything is
  # redirected to HTTPS.
  listen 80;
  listen [::]:80;
  # $server_name is the first name in the server_name directive, so a request
  # for www.beautifuldisaster.group is redirected to the bare apex host. Unlike
  # $host it is a fixed value, not something taken from the client's Host
  # header.
  return 301 https://$server_name$request_uri;
}
  • Replaced the config file, tested OK and restarted. Now it's giving me a 403. I replaced the file with the original, because this site is somewhat important to keep running.

    edit: Copied the original back and it's working as intended (redirecting to https. waiting to talk to someone with the problem to confirm it's fixed)

    • @zcluff
      Can you post the last 30 lines from the error log?

      tail -30 /var/log/nginx/error.log
      
      • @hanzen The log is mostly just "conflicting server name "beautifuldisaster.group"", but there's also:

        2017/06/27 02:17:21 [error] 16630#16630: *4 directory index of "/var/www/beautifuldisaster.group/" is forbidden, client: myLocalIP, server: beautifuldisaster.group, request: "GET / HTTP/2.0", host: "beautifuldisaster.group"
        2017/06/27 02:17:31 [error] 16630#16630: *4 directory index of "/var/www/beautifuldisaster.group/" is forbidden, client: myLocalIP server: beautifuldisaster.group, request: "GET / HTTP/2.0", host: "beautifuldisaster.group"

        • @zcluff

          There you go. You have multiple configurations that contain the same server_name on the same port.
          Run this to list the config files:

          ls -ls /etc/nginx/sites-enabled/
          

          And make sure you have no server-blocks in the file /etc/nginx/nginx.conf that mentions beautifuldisaster.group - if you do, please post your entire nginx.conf and I'll clean it up.

          • here's the output of ls -ls:

            8 -rw-r--r-- 1 root root 4517 Jun  3 04:12 alice
            8 -rw-r--r-- 1 root root 4389 Jun 27 02:18 beautifuldisaster.group
            0 lrwxrwxrwx 1 root root   34 May 28 22:38 default -> /etc/nginx/sites-available/default
            8 -rw-r--r-- 1 root root 4437 Jun  3 04:12 figment
            8 -rw-r--r-- 1 root root 4355 Jun  3 04:11 figuringout.life
            4 -rw-r--r-- 1 root root  869 Jun  2 18:03 netdata
            8 -rw-r--r-- 1 root root 4450 Jun  3 04:12 processing
            8 -rw-r--r-- 1 root root 4429 Jun 24 18:51 rutabaga2020.us
            8 -rw-r--r-- 1 root root 4450 Jun  3 04:23 zoesworld
            8 -rw-r--r-- 1 root root 4306 Jun  3 04:13 zoeyrae.me
            

            Here's nginx.conf (It should be default minus me adding servernameshashbucketsize)

            root@www:~# cat /etc/nginx/nginx.conf 
            user www-data;
            worker_processes auto;
            pid /run/nginx.pid;
            include /etc/nginx/modules-enabled/*.conf;
            
            events {
                    worker_connections 768;
                    # multi_accept on;
            }
            
            http {
            
                    ##
                    # Basic Settings
                    ##
                    # Raised from the commented-out default of 64 below, presumably
                    # because of the long *.beautifuldisaster.group server names.
                    server_names_hash_bucket_size 128;
                    sendfile on;
                    tcp_nopush on;
                    tcp_nodelay on;
                    keepalive_timeout 65;
                    types_hash_max_size 2048;
                    # Left at the default, so responses carry the full version
                    # ("Server: nginx/1.10.3 (Ubuntu)" in the wget output further
                    # down the thread). Uncommenting this hides the version.
                    # server_tokens off;
            
                    # server_names_hash_bucket_size 64;
                    # server_name_in_redirect off;
            
                    include /etc/nginx/mime.types;
                    # Anything without a mime.types entry is sent as
                    # application/octet-stream, which browsers save to disk instead
                    # of rendering.
                    default_type application/octet-stream;
            
                    ##
                    # SSL Settings
                    ##
            
                    # http-level default inherited by every vhost that does not set
                    # its own ssl_protocols: TLS 1.0 and 1.1 stay enabled here. The
                    # beautifuldisaster.group vhost narrows this to TLSv1.2 for
                    # itself only; the other sites-enabled files are not shown.
                    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
                    ssl_prefer_server_ciphers on;
            
                    ##
                    # Logging Settings
                    ##
            
                    access_log /var/log/nginx/access.log;
                    error_log /var/log/nginx/error.log;
            
                    ##
                    # Gzip Settings
                    ##
            
                    gzip on;
                    gzip_disable "msie6";
            
                    # gzip_vary on;
                    # gzip_proxied any;
                    # gzip_comp_level 6;
                    # gzip_buffers 16 8k;
                    # gzip_http_version 1.1;
                    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
            
                    ##
                    # Virtual Host Configs
                    ##
            
                    include /etc/nginx/conf.d/*.conf;
                    # Every file in sites-enabled is loaded, with no extension
                    # filter. Two files declaring the same server_name on the same
                    # listen socket produce the "conflicting server name ... ignored"
                    # warning, and only the first one loaded is used.
                    include /etc/nginx/sites-enabled/*;
            }
            
            
            #mail {
            #       # See sample authentication script at:
            #       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
            #
            #       # auth_http localhost/auth.php;
            #       # pop3_capabilities "TOP" "USER";
            #       # imap_capabilities "IMAP4rev1" "UIDPLUS";
            #
            #       server {
            #               listen     localhost:110;
            #               protocol   pop3;
            #               proxy      on;
            #       }
            #
            #       server {
            #               listen     localhost:143;
            #               protocol   imap;
            #               proxy      on;
            #       }
            #}
            

@zcluff Starting a new thread, since it was getting a little narrow.
Can you make sure there is nothing in any of other configuration files (specially default) that has anything to do with beautifuldisaster.group.
You can run this command to find files+line that contains beautifuldisaster.group:

grep -rn "beautifuldisaster.group" /etc/nginx/

every file in /etc/nginx/sites-enabled/ that doesn't have a suffix (.group, .life, .us) is a subdomain of beautifuldisaster.group, and a bunch of them use the same SSL certificate as beautifuldisaster.group (probably not the best idea, and may be the problem.)

/etc/nginx/sites-enabled/zoesworld:26:         ssl_certificate /etc/letsencrypt/live/zoesworld.beautifuldisaster.group/fullchain.pem;
/etc/nginx/sites-enabled/zoesworld:27:         ssl_certificate_key /etc/letsencrypt/live/zoesworld.beautifuldisaster.group/privkey.pem;
/etc/nginx/sites-enabled/zoesworld:38:        server_name zoesworld.beautifuldisaster.group www.zoesworld.beautifuldisaster.group;
/etc/nginx/sites-enabled/zoesworld:128:       server_name zoesworld.beautifuldisaster.group www.zoesworld.beautifuldisaster.group;
/etc/nginx/sites-enabled/figment:26:        ssl_certificate /etc/letsencrypt/live/www.figment.beautifuldisaster.group/fullchain.pem;
/etc/nginx/sites-enabled/figment:27:        ssl_certificate_key /etc/letsencrypt/live/www.figment.beautifuldisaster.group/privkey.pem;
/etc/nginx/sites-enabled/figment:38:        server_name www.figment.beautifuldisaster.group figment.beautifuldisaster.group;
/etc/nginx/sites-enabled/figment:128:        server_name figment.beautifuldisaster.group www.figment.beautifuldisaster.group;
/etc/nginx/sites-enabled/netdata:10:         ssl_certificate /etc/letsencrypt/live/netdata.beautifuldisaster.group/fullchain.pem;
/etc/nginx/sites-enabled/netdata:11:    ssl_certificate_key /etc/letsencrypt/live/netdata.beautifuldisaster.group/privkey.pem;
/etc/nginx/sites-enabled/netdata:13:    server_name netdata.beautifuldisaster.group;
/etc/nginx/sites-enabled/beautifuldisaster.group:22:        root /var/www/beautifuldisaster.group;
/etc/nginx/sites-enabled/beautifuldisaster.group:26:        ssl_certificate /etc/letsencrypt/live/beautifuldisaster.group/fullchain.pem;
/etc/nginx/sites-enabled/beautifuldisaster.group:27:        ssl_certificate_key /etc/letsencrypt/live/beautifuldisaster.group/privkey.pem;
/etc/nginx/sites-enabled/beautifuldisaster.group:38:        server_name beautifuldisaster.group www.beautifuldisaster.group;
/etc/nginx/sites-enabled/beautifuldisaster.group:128:        server_name beautifuldisaster.group www.beautifuldisaster.group;
/etc/nginx/sites-enabled/alice:26:        ssl_certificate /etc/letsencrypt/live/goingdowntherabbithole.beautifuldisaster.group/fullchain.pem;
/etc/nginx/sites-enabled/alice:27:        ssl_certificate_key /etc/letsencrypt/live/goingdowntherabbithole.beautifuldisaster.group/privkey.pem;
/etc/nginx/sites-enabled/alice:38:        server_name goingdowntherabbithole.beautifuldisaster.group www.goingdowntherabbithole.beautifuldisaster.group;
/etc/nginx/sites-enabled/alice:128:        server_name goingdowntherabbithole.beautifuldisaster.group www.goingdowntherabbithole.beautifuldisaster.group;
/etc/nginx/sites-enabled/processing:26:        ssl_certificate /etc/letsencrypt/live/processing.beautifuldisaster.group/fullchain.pem;
/etc/nginx/sites-enabled/processing:27:        ssl_certificate_key /etc/letsencrypt/live/processing.beautifuldisaster.group/privkey.pem;
/etc/nginx/sites-enabled/processing:38:        server_name processing.beautifuldisaster.group www.processing.beautifuldisaster.group;
/etc/nginx/sites-enabled/processing:128:        server_name processing.beautifuldisaster.group www.processing.beautifuldisaster.group;
  • @zcluff Okay, this makes no sense then.

    If you run this command, you should get a warning about the conflicting names

    sudo service nginx configtest
    

    And please post the last 30 lines from the error log, since something must be hidden there. It would be so much easier if you could play around with this when people are not using the sites (late at night or on the weekend):

    tail -30 /var/log/nginx/error.log
    

    The configuration I posted will work for WordPress unless there's something wrong with the access rights of the files or some plugin in WordPress is misbehaving.

    • I keep trying to post the log but it's being rejected as spam.

      the only other information is repeating

      2017/06/27 02:16:07 [warn] 16595#16595: conflicting server name "beautifuldisaster.group" on [::]:443, ignored
      2017/06/27 02:16:07 [warn] 16595#16595: conflicting server name "www.beautifuldisaster.group" on [::]:443, ignored
      2017/06/27 02:16:07 [warn] 16595#16595: conflicting server name "beautifuldisaster.group" on 0.0.0.0:80, ignored
      2017/06/27 02:16:07 [warn] 16595#16595: conflicting server name "www.beautifuldisaster.group" on 0.0.0.0:80, ignored

@zcluff
Okay, I'm not sure where your site is actually located. Can you please confirm that the directory is /var/www/beautifuldisaster.group ?
When there's time to play around, then get back to me (or post a new question to find other people willing to help), because it's almost impossible working with configuration files that we cannot play around with. And I have no idea why it's saying conflicting server name, so my only guess would be that you have a lingering configuration file somewhere, so we might need to cleanup/redo the configuration for each site.

  • here's the ls from /var/www:

    root@www:~# ls /var/www
    alice  beautifuldisaster.group  figment  figuringout.life  html  processing  rutabaga2020.us  zoesworld  zoeyrae.me
    

    There are currently 20 users online who aren't having problems getting to the site. If you're available tomorrow afternoon / evening, I'm going to schedule some downtime to dig into this.

    • @zcluff You can try to ping me by using the @ to notify me - I think I'll be online tomorrow evening, but I can't guarantee.

      But it looks like it's working now. When I run this command I'm being redirected to the https site correctly:

      wget -vS -O /dev/null --no-hsts http://beautifuldisaster.group
      
      --2017-06-26 21:41:53--  http://beautifuldisaster.group/
      Resolving beautifuldisaster.group (beautifuldisaster.group)... 45.76.26.71
      Connecting to beautifuldisaster.group (beautifuldisaster.group)|45.76.26.71|:80... connected.
      HTTP request sent, awaiting response... 
        HTTP/1.1 301 Moved Permanently
        Server: nginx/1.10.3 (Ubuntu)
        Date: Tue, 27 Jun 2017 03:41:54 GMT
        Content-Type: text/html
        Content-Length: 194
        Connection: keep-alive
        Location: https://beautifuldisaster.group/
      Location: https://beautifuldisaster.group/ [following]
      --2017-06-26 21:41:53--  https://beautifuldisaster.group/
      Connecting to beautifuldisaster.group (beautifuldisaster.group)|45.76.26.71|:443... connected.
      HTTP request sent, awaiting response... 
        HTTP/1.1 200 OK
        Server: nginx/1.10.3 (Ubuntu)
        Date: Tue, 27 Jun 2017 03:41:55 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Set-Cookie: PHPSESSID=32cfb9mrctls57talm53r668t5; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        Set-Cookie: wfvt_2655324868=5951d40323948; expires=Tue, 27-Jun-2017 04:11:55 GMT; Max-Age=1800; path=/; HttpOnly
        Link: <https://beautifuldisaster.group/wp-json/>; rel="https://api.w.org/"
        Link: <https://wp.me/P8GMW7-43>; rel=shortlink
        Strict-Transport-Security: max-age=15768000
      Length: unspecified [text/html]
      