Help with fixing my nginx config.file

Sallymelek

Hi,
How's your day going?

Firstly, Thanks for providing this platform.

I need help with my Nginx config file, where I'm learning these stuff now because my server was created by my friend. (currently, where he is inaccessible and that's I'm trying tackle this stuff myself)

After getting my site tested on securityheaders.com (the results are below) after I was like let me input these headers into the config file. So I inserted the headers into the config file, after testing it with sudo nginx -t , it showed there was a duplicate, so I removed the headers in inputted and test it again, it showed the same duplicate thing.

So yesterday research for a couple of hours, I had no luck, so that’s I requested help, Also when get my site scanned on migratetoflarum it shows the “multiple urls” I assume its a problem with config file.

i assume these are header codes for the security headers

add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy "no-referrer";
add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";

and my Nginx config file.

So i need help fixing the Nginx conf file error and add the security headers.

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}
}
http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        add_header X-Frame-Options SAMEORIGIN;


        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE, TLSv1 TLSv1.1
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        ##
        # Gzip Settings
        ##

        gzip on;

        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 9;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        gzip_types text/plain text/html text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
        gzip_disable  "MSIE [1-6]\.(?!.*SV1)";

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }

phenomlab

Sallymelek anything useful from the log file here /var/log/nginx/error.log ? Also, have to specified the headers in any of the included config files ?

Sallymelek

phenomlab Once again thank you very much.

Okay I get it but also confused at the same time

How do I add this snippet to Flarum conf file or nginx config.file ?
What do you mean with you’ll need to replace the listen 80 block you have with this I see that i need to replace <ip address> with the server's ip address how about the 80 value?

Is the following the access_log and error_log location?

Sallymelek
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

Sallymelek

phenomlab

Sallymelek Start by removing the extra "{" from the conf file

events {
        worker_connections 768;
        # multi_accept on;
}
}

Should be

events {
        worker_connections 768;
        # multi_accept on;
}

Save the config file, then restart NGINX

Sallymelek

thanks but i recieving this after sudo nginx -t

phenomlab

Sallymelek can you post the content of the above please rather than a screenshot ?

Sallymelek

phenomlab im sorry

nginx: [warn] duplicate MIME type "text/html" in /etc/nginx/nginx.conf:57
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/sites-enabled/flarum.conf:52
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

phenomlab

Sallymelek thanks. This isn't anything that is going to stop nginx from working, but nonetheless, it's referring to the SSL config in your Flarum nginx configuration.

You appear to have text/html specified twice in your config. The second entry will be ignored, but you should remove it. Are you using a text editor with the conf file that supports line numbers ? This will make it much easier to spot errors as the log file will show the line number where the error occurs.

Sallymelek

phenomlab

I normally copy and paste config file to HTML editor

Wondering what should i remove?

phenomlab

Sallymelek can you comment out this line
gzip_types text/plain text/html text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;

Let me know if the error concerning the duplicate goes away

Sallymelek

thanks, the duplicate goes away now, however now there's the "SSL" thing

phenomlab

root@forum:~# sudo nano /etc/nginx/nginx.conf
root@forum:~# sudo nginx -t
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/sites-enabled/flarum.conf:52
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

phenomlab

Sallymelek can you post your Flarum conf file ?

Sallymelek

phenomlab what do I need do to output the Flarum conf file

phenomlab

Sallymelek try sudo nano /etc/nginx/sites-enabled/flarum.conf

Sallymelek

phenomlab thanks

server {

  listen [::]:80;
  listen 80;

  server_name forum.blank.net;
  return 301 https://$host$request_uri;
  root /var/www/flarum/public;

  index index.php;

  location / {
    try_files $uri $uri/ /index.php?$query_string;
  }

  location ~* \.php$ {
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    include fastcgi_params;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }

        location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff2)$ {
        expires 365d;
        }


}

server {

        listen 443;

        server_name forum.blank.net;
        root /var/www/flarum/public;

        index index.php;

        location / {
                try_files $uri $uri/ /index.php?$query_string;
                }

        location ~* \.php$ {
                fastcgi_pass unix:/run/php/php7.4-fpm.sock;
                include fastcgi_params;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                }


        ssl on;
        ssl_certificate /etc/nginx/ssl/forum_acehsc_net.pem;
        ssl_certificate_key /etc/nginx/ssl/forum_blank_net.key;
        ssl_prefer_server_ciphers on;
        ssl_buffer_size 4k;
        ssl_ecdh_curve auto;

        ## OCSP Stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 1.1.1.1 valid=300s;
        resolver_timeout 5s;
        ssl_trusted_certificate /etc/nginx/ssl/forum_blank_net.pem;

        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;

        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
        add_header Content-Security-Policy "upgrade-insecure-requests" always;

        ssl_dhparam /etc/nginx/ssl/dhparam-2048.pem;


        location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff2)$ {
        expires 365d;
        }

}

phenomlab

Sallymelek Edit your listen statement as below. Change

listen 443; to listen 443 ssl;

delete ssl on;

check nginx -t again.

Let me know if this works ?

Sallymelek

phenomlab many thanks received the "test is successful"

root@forum:~# sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@forum:~#

also wondering, im getting the following problem when i run my forum on https://lab.migratetoflarum.com/

Multiple urls
This Flarum is accepting connections via multiple urls which will result in an invalid config.url value being used for some of them. This will also impact your search engine ranking by creating duplicate content. Setup redirects so only the url defined in your config.php (https://forum.blank.net) can be used to access the forum to fix it.

phenomlab

Sallymelek looks like it's responding on both www and non-www connections. Can you post the output of

curl -I https://yourdomainurl.com and curl -I https://www.yourdomainurl.com

Obviously, "yourdomainurl.com" is the actual URL of your forum.

Sallymelek

Thanks for being this annoying.

After inserting the code, ran a test on https://lab.migratetoflarum.com/

receiving the same issue Sallymelek

yes i also cleared the cache too

Sallymelek

root@forum:~# curl -I https://forum.blank.net

Command 'curl' not found, did you mean:

  command 'curl' from deb curl (7.68.0-1ubuntu2.4)

Try: apt install <deb name>

root@forum:~# curl -I https://www.forum.blank.net
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 28 Dec 2020 21:18:04 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-CSRF-Token: yIUQUaAfcu3mjzWEbE86bVLyTNxbA2Ko0yviHQuA
Set-Cookie: flarum_session=61rvjoOcBFJStmbtMA3Y02E4VvMwMW0dOJJKmPvf; Path=/; Exp                                                                                                                                                             ires=Mon, 28 Dec 2020 23:18:04 GMT; Max-Age=7200; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubdomains;
Content-Security-Policy: upgrade-insecure-requests

phenomlab

Sallymelek and the non-www ?

Sallymelek

phenomlab sorry about that i thought i attached it

root@forum:~# curl -I https://forum.blank.net
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 29 Dec 2020 00:08:40 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-CSRF-Token: pJwDodyakguHnZXJKyt7mouphF3Q2ikmVQmSVXgn
Set-Cookie: flarum_session=8KD9dMrGRUJfyKY82MaWne9xkom8KbbgH9kYvuMc; Path=/; Expires=Tue, 29 Dec 2020 02:08:40 GMT; Max-Age=7200; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubdomains;
Content-Security-Policy: upgrade-insecure-requests