[plug] Help with nginx configuration file
Chris Caston
chris at caston.id.au
Sun Aug 23 12:11:38 AWST 2020
I am starting to think that I should start again from scratch (wiser this
time) and use ldap-account manager.
https://www.ldap-account-manager.org/static/doc/manual/apbs08.html
Which should I do first?
* install openldap and ldap account manager configured for nginx
OR
* install gitlab
I could point the www A resource record to another server entirely.
The problem I had with phpldapadmin is that after installing it, gitlab
would not install.
I am thinking I'd be safest to install gitlab then install openldap and ldap
account manager and configure for nginx.
On Sun, Aug 23, 2020 at 11:41 AM Chris Caston <chris at caston.id.au> wrote:
> I have set up a basic wireframe for a place-holder site and css, js and
> images folder under /var/www/html so this comes up instead of the default
> nginx site.
>
> In case anyone wonders what this is for it's a combination of TAFE and my
> own projects. It isn't for a client. The gitlab is for Javascript apps.
>
> Yes I understand I should try to keep things in different servers or at
> least docker images and I will as the infrastructure grows.
>
> Part of the problem is that phpldapadmin uses apache2 by default and I
> had to look for extra instructions to get it working with nginx.
> Is there an alternative graphical interface for openldap that works nicely
> with nginx?
>
> best regards,
>
> Chris
>
>
>
>
> On Sun, Aug 23, 2020 at 10:43 AM Chris Caston <chris at caston.id.au> wrote:
>
>> I have run
>>
>> sudo apt install certbot python3-certbot-nginx
>>
>> then
>> certbot --nginx -d gitlab.themarketplace.space
>>
>> nginx: [error] invalid PID number "" in "/run/nginx.pid"
>>
>> the pid file was empty
>>
>> I rebooted the vps and now I have a healthy pid.
>>
>> I ran certbot --nginx -d gitlab.themarketplace.space again and selected option 1. (reinstall existing certificate)
>>
>> and then option 2 ( Redirect all requests to https)
>> " - Congratulations! Your certificate and chain have been saved"
>>
>> going to http://www.themarketplace.space takes me to https://gitlab.themarketplace.space which only shows the default nginx page.
>>
>> I have now done:
>>
>>
>> certbot --nginx -d gitlab.themarketplace.space -d www.themarketplace.space -d ldap.themarketplace.space
>>
>> then I did option E (expand and replace existing certificate)
>>
>> then option 2 (redirect to HTTPS)
>>
>> Now http://ldap.themarketplace.space/ seems to hold its own and go to https://ldap.themarketplace.space/
>>
>> but http://www.themarketplace.space/ goes to https://gitlab.themarketplace.space/
>>
>> Is there some way to fix this or should I just start again in a different order?
>> "This file will automatically load configuration files provided by other
>> # applications, such as Drupal or Wordpress. These applications will be made
>> # available underneath a path with that package name, such as /drupal8."
>>
>>
>> Is this salvageable or should I start again with a clean Ubuntu install?
>>
>>
>>
>> ```
>> cat /etc/nginx/sites-available/default
>> ##
>> # You should look at the following URL's in order to grasp a solid understanding
>> # of Nginx configuration files in order to fully unleash the power of Nginx.
>> # https://www.nginx.com/resources/wiki/start/
>> # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
>> # https://wiki.debian.org/Nginx/DirectoryStructure
>> #
>> # In most cases, administrators will remove this file from sites-enabled/ and
>> # leave it as reference inside of sites-available where it will continue to be
>> # updated by the nginx packaging team.
>> #
>> # This file will automatically load configuration files provided by other
>> # applications, such as Drupal or Wordpress. These applications will be made
>> # available underneath a path with that package name, such as /drupal8.
>> #
>> # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
>> ##
>>
>> # Default server configuration
>> #
>> server {
>> listen 80 default_server;
>> listen [::]:80 default_server;
>>
>> # SSL configuration
>> #
>> # listen 443 ssl default_server;
>> # listen [::]:443 ssl default_server;
>> #
>> # Note: You should disable gzip for SSL traffic.
>> # See: https://bugs.debian.org/773332
>> #
>> # Read up on ssl_ciphers to ensure a secure configuration.
>> # See: https://bugs.debian.org/765782
>> #
>> # Self signed certs generated by the ssl-cert package
>> # Don't use them in a production server!
>> #
>> # include snippets/snakeoil.conf;
>>
>> root /var/www/html;
>>
>> # Add index.php to the list if you are using PHP
>> index index.html index.htm index.nginx-debian.html;
>>
>> server_name _;
>>
>> location / {
>> # First attempt to serve request as file, then
>> # as directory, then fall back to displaying a 404.
>> try_files $uri $uri/ =404;
>> }
>>
>> # pass PHP scripts to FastCGI server
>> #
>> #location ~ \.php$ {
>> # include snippets/fastcgi-php.conf;
>> #
>> # # With php-fpm (or other unix sockets):
>> # fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
>> # # With php-cgi (or other tcp sockets):
>> # fastcgi_pass 127.0.0.1:9000;
>> #}
>>
>> # deny access to .htaccess files, if Apache's document root
>> # concurs with nginx's one
>> #
>> #location ~ /\.ht {
>> # deny all;
>> #}
>> }
>>
>>
>> # Virtual Host configuration for example.com
>> #
>> # You can move that to a different file under sites-available/ and symlink that
>> # to sites-enabled/ to enable it.
>> #
>> #server {
>> # listen 80;
>> # listen [::]:80;
>> #
>> # server_name example.com;
>> #
>> # root /var/www/example.com;
>> # index index.html;
>> #
>> # location / {
>> # try_files $uri $uri/ =404;
>> # }
>> #}
>>
>> server {
>>
>> # SSL configuration
>> #
>> # listen 443 ssl default_server;
>> # listen [::]:443 ssl default_server;
>> #
>> # Note: You should disable gzip for SSL traffic.
>> # See: https://bugs.debian.org/773332
>> #
>> # Read up on ssl_ciphers to ensure a secure configuration.
>> # See: https://bugs.debian.org/765782
>> #
>> # Self signed certs generated by the ssl-cert package
>> # Don't use them in a production server!
>> #
>> # include snippets/snakeoil.conf;
>>
>> root /var/www/html;
>>
>> # Add index.php to the list if you are using PHP
>> index index.html index.htm index.nginx-debian.html;
>> server_name gitlab.themarketplace.space; # managed by Certbot
>>
>>
>> location / {
>> # First attempt to serve request as file, then
>> # as directory, then fall back to displaying a 404.
>> try_files $uri $uri/ =404;
>> }
>>
>> # pass PHP scripts to FastCGI server
>> #
>> #location ~ \.php$ {
>> # include snippets/fastcgi-php.conf;
>> #
>> # # With php-fpm (or other unix sockets):
>> # fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
>> # # With php-cgi (or other tcp sockets):
>> # fastcgi_pass 127.0.0.1:9000;
>> #}
>>
>> # deny access to .htaccess files, if Apache's document root
>> # concurs with nginx's one
>> #
>> #location ~ /\.ht {
>> # deny all;
>> #}
>>
>>
>> listen [::]:443 ssl ipv6only=on; # managed by Certbot
>> listen 443 ssl; # managed by Certbot
>> ssl_certificate /etc/letsencrypt/live/www.themarketplace.space/fullchain.pem; # managed by Certbot
>> ssl_certificate_key /etc/letsencrypt/live/www.themarketplace.space/privkey.pem; # managed by Certbot
>> include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>> ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>>
>>
>> }
>> server {
>> if ($host = gitlab.themarketplace.space) {
>> return 301 https://$host$request_uri;
>> } # managed by Certbot
>>
>>
>> listen 80 ;
>> listen [::]:80 ;
>> server_name gitlab.themarketplace.space;
>> return 404; # managed by Certbot
>>
>>
>> }
>> server {
>>
>> # SSL configuration
>> #
>> # listen 443 ssl default_server;
>> # listen [::]:443 ssl default_server;
>> #
>> # Note: You should disable gzip for SSL traffic.
>> # See: https://bugs.debian.org/773332
>> #
>> # Read up on ssl_ciphers to ensure a secure configuration.
>> # See: https://bugs.debian.org/765782
>> #
>> # Self signed certs generated by the ssl-cert package
>> # Don't use them in a production server!
>> #
>> # include snippets/snakeoil.conf;
>>
>> root /var/www/html;
>>
>> # Add index.php to the list if you are using PHP
>> index index.html index.htm index.nginx-debian.html;
>> server_name ldap.themarketplace.space www.themarketplace.space; # managed by Certbot
>>
>>
>> location / {
>> # First attempt to serve request as file, then
>> # as directory, then fall back to displaying a 404.
>> try_files $uri $uri/ =404;
>> }
>>
>> # pass PHP scripts to FastCGI server
>> #
>> #location ~ \.php$ {
>> # include snippets/fastcgi-php.conf;
>> #
>> # # With php-fpm (or other unix sockets):
>> # fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
>> # # With php-cgi (or other tcp sockets):
>> # fastcgi_pass 127.0.0.1:9000;
>> #}
>>
>> # deny access to .htaccess files, if Apache's document root
>> # concurs with nginx's one
>> #
>> #location ~ /\.ht {
>> # deny all;
>> #}
>>
>>
>> listen [::]:443 ssl; # managed by Certbot
>> listen 443 ssl; # managed by Certbot
>> ssl_certificate /etc/letsencrypt/live/www.themarketplace.space/fullchain.pem; # managed by Certbot
>> ssl_certificate_key /etc/letsencrypt/live/www.themarketplace.space/privkey.pem; # managed by Certbot
>> include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>> ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>>
>>
>>
>> }
>> server {
>> if ($host = ldap.themarketplace.space) {
>> return 301 https://$host$request_uri;
>> } # managed by Certbot
>>
>>
>> if ($host = www.themarketplace.space) {
>> return 301 https://$host$request_uri;
>> } # managed by Certbot
>>
>>
>> listen 80 ;
>> listen [::]:80 ;
>> server_name ldap.themarketplace.space www.themarketplace.space;
>> return 404; # managed by Certbot
>> ```
>>
>>
>> On Sun, Aug 23, 2020 at 10:03 AM Chris Caston <chris at caston.id.au> wrote:
>>
>>>
>>> I made a backup of the nginx etc folder.
>>>
>>> After I did the following gitlab completed the install:
>>>
>>> sudo apt-get purge nginx nginx-common nginx-full
>>>
>>> and
>>> sudo apt-get install nginx
>>>
>>> going to http://www.themarketplace.space takes me to:
>>>
>>> https://gitlab.themarketplace.space/
>>>
>>> with a set password screen. The first time I did this it didn't work and I had to set the password through a command line console.
>>>
>>> also going to https://ldap.themarketplace.space/phpldapadmin/ takes me back to gitlab so as predicted my phpldapadmin setup is broken.
>>>
>>> I should mention I am getting the invalid (self-signed cert) warnings through all of this. I am looking at the sites-available default site and to
>>> be honest I don't even know it has been configured for gitlab. /var/www/html still contains: index.nginx-debian.html
>>>
>>> What am I missing?
>>>
>>>
>>> Here is the nginx configuration:
>>>
>>> ```
>>> cat /etc/nginx/sites-available/default
>>> ##
>>> # You should look at the following URL's in order to grasp a solid understanding
>>> # of Nginx configuration files in order to fully unleash the power of Nginx.
>>> # https://www.nginx.com/resources/wiki/start/
>>> # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
>>> # https://wiki.debian.org/Nginx/DirectoryStructure
>>> #
>>> # In most cases, administrators will remove this file from sites-enabled/ and
>>> # leave it as reference inside of sites-available where it will continue to be
>>> # updated by the nginx packaging team.
>>> #
>>> # This file will automatically load configuration files provided by other
>>> # applications, such as Drupal or Wordpress. These applications will be made
>>> # available underneath a path with that package name, such as /drupal8.
>>> #
>>> # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
>>> ##
>>>
>>> # Default server configuration
>>> #
>>> server {
>>> listen 80 default_server;
>>> listen [::]:80 default_server;
>>>
>>> # SSL configuration
>>> #
>>> # listen 443 ssl default_server;
>>> # listen [::]:443 ssl default_server;
>>> #
>>> # Note: You should disable gzip for SSL traffic.
>>> # See: https://bugs.debian.org/773332
>>> #
>>> # Read up on ssl_ciphers to ensure a secure configuration.
>>> # See: https://bugs.debian.org/765782
>>> #
>>> # Self signed certs generated by the ssl-cert package
>>> # Don't use them in a production server!
>>> #
>>> # include snippets/snakeoil.conf;
>>>
>>> root /var/www/html;
>>>
>>> # Add index.php to the list if you are using PHP
>>> index index.html index.htm index.nginx-debian.html;
>>>
>>> server_name _;
>>>
>>> location / {
>>> # First attempt to serve request as file, then
>>> # as directory, then fall back to displaying a 404.
>>> try_files $uri $uri/ =404;
>>> }
>>>
>>> # pass PHP scripts to FastCGI server
>>> #
>>> #location ~ \.php$ {
>>> # include snippets/fastcgi-php.conf;
>>> #
>>> # # With php-fpm (or other unix sockets):
>>> # fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
>>> # # With php-cgi (or other tcp sockets):
>>> # fastcgi_pass 127.0.0.1:9000;
>>> #}
>>>
>>> # deny access to .htaccess files, if Apache's document root
>>> # concurs with nginx's one
>>> #
>>> #location ~ /\.ht {
>>> # deny all;
>>> #}
>>> }
>>>
>>>
>>> # Virtual Host configuration for example.com
>>> #
>>> # You can move that to a different file under sites-available/ and symlink that
>>> # to sites-enabled/ to enable it.
>>> #
>>> #server {
>>> # listen 80;
>>> # listen [::]:80;
>>> #
>>> # server_name example.com;
>>> #
>>> # root /var/www/example.com;
>>> # index index.html;
>>> #
>>> # location / {
>>> # try_files $uri $uri/ =404;
>>> # }
>>> #}
>>> ```
>>>
>>>
>>>
>>>
>>> On Sun, Aug 23, 2020 at 9:16 AM Chris Caston <chris at caston.id.au> wrote:
>>>
>>>> I am making a snapshot of the place my VPS is at now with the broken
>>>> gitlab install.
>>>> I am considering going back to a default nginx configuration and
>>>> setting up gitlab again. I had it working on a previous build before I
>>>> decided to start again and openldap for auth. Even though it will break the
>>>> phpLDAPadmin setup I can compare the /etc/nginx/sites-available/default
>>>> files to work out how to make a hybrid.
>>>>
>>>> On Sat, Aug 22, 2020 at 4:06 PM Chris Caston <chris at caston.id.au>
>>>> wrote:
>>>>
>>>>> Hi everyone,
>>>>>
>>>>> I have installed Ubuntu 20.04 with openldap, nginx and phpLDAPadmin
>>>>> with SSL and basic http auth. This part is working fine but next I want to
>>>>> install gitlab.
>>>>>
>>>>> It errors out with:
>>>>>
>>>>> ```
>>>>> There was an error running gitlab-ctl reconfigure:
>>>>>
>>>>> letsencrypt_certificate[gitlab.themarketplace.space]
>>>>> ```
>>>>> *snipped*
>>>>>
>>>>> I'm a bit uncertain as to how my nginx configuration should be set.
>>>>>
>>>>> ```
>>>>> sudo nginx -t
>>>>> nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
>>>>> nginx: configuration file /etc/nginx/nginx.conf test is successful
>>>>> ```
>>>>> ```
>>>>> certbot --nginx -d gitlab.themarketplace.space
>>>>>
>>>>> IMPORTANT NOTES:
>>>>> - Unable to install the certificate
>>>>> - Congratulations! Your certificate and chain have been saved at:
>>>>> /etc/letsencrypt/live/gitlab.themarketplace.space/fullchain.pem
>>>>> Your key file has been saved at:
>>>>> /etc/letsencrypt/live/gitlab.themarketplace.space/privkey.pem
>>>>> Your cert will expire on 2020-11-20. To obtain a new or tweaked
>>>>> version of this certificate in the future, simply run certbot again
>>>>> with the "certonly" option. To non-interactively renew *all* of
>>>>> your certificates, run "certbot renew"
>>>>> ```
>>>>> I assume that I need to get that working for gitlab to install.
>>>>>
>>>>>
>>>>>
>>>>> ```
>>>>> cat /etc/nginx/sites-available/default
>>>>> server {
>>>>> server_name ldap.themarketplace.space;
>>>>>
>>>>> # document root
>>>>> root /var/www/html;
>>>>> index index.php index.html index.htm;
>>>>>
>>>>> # application: phpldapadmin
>>>>> location /phpldapadmin {
>>>>> auth_basic "Please authenticate:";
>>>>> auth_basic_user_file /etc/apache2/htpasswd;
>>>>> alias /usr/share/phpldapadmin/htdocs;
>>>>> index index.php index.html index.htm;
>>>>> }
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> location ~ ^/phpldapadmin/.*\.php$ {
>>>>> root /usr/share;
>>>>> if ($request_filename !~* htdocs) {
>>>>> rewrite ^/phpldapadmin(/.*)?$ /phpldapadmin/htdocs$1;
>>>>> }
>>>>> fastcgi_pass unix:/run/php/php7.4-fpm.sock;
>>>>> fastcgi_index index.php;
>>>>> fastcgi_param SCRIPT_FILENAME $request_filename;
>>>>> include fastcgi_params;
>>>>> }
>>>>>
>>>>> # logging
>>>>> error_log /var/log/nginx/phpldapadmin.error.log;
>>>>> access_log /var/log/nginx/phpldapadmin.access.log;
>>>>>
>>>>> listen 443 ssl; # managed by Certbot
>>>>> ssl_certificate /etc/letsencrypt/live/ldap.themarketplace.space/fullchain.pem; # managed by Certbot
>>>>> ssl_certificate_key /etc/letsencrypt/live/ldap.themarketplace.space/privkey.pem; # managed by Certbot
>>>>> include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>>>>> ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>>>>>
>>>>> }
>>>>> server {
>>>>> if ($host = ldap.themarketplace.space) {
>>>>> return 301 https://$host$request_uri;
>>>>> } # managed by Certbot
>>>>>
>>>>>
>>>>> server_name ldap.themarketplace.space;
>>>>> listen 80;
>>>>> return 404; # managed by Certbot
>>>>>
>>>>> }
>>>>> ```
>>>>> I have four A resource records:
>>>>> ```
>>>>> themarketplace.space A 139.180.171.63
>>>>> gitlab.themarketplace.space A 139.180.171.63
>>>>> ldap.themarketplace.space A 139.180.171.63
>>>>> www.themarketplace.space A 139.180.171.63
>>>>> ```
>>>>> So I'm not sure if my /etc/nginx/sites-available/default should have
>>>>> multiple server blocks each with its own server_name and exactly what
>>>>> format it needs to be in for gitlab to work.
>>>>>
>>>>> Any help would be much appreciated.
>>>>>
>>>>> Thank you.
>>>>>
>>>>> Chris Caston
>>>>>
>>>>
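
How nginx chooses a server block for the hostnames in this thread, as an added example that is not part of the original post or of any reply: the Python sketch below parses a constructed skeleton of the posted server blocks and applies nginx's selection order (port, then exact server_name, then default_server, then the first block on that port). Wildcard and regex names and per-address listen sockets are left out as a simplification; `parse_servers` and `select` are hypothetical helper names.

```python
import re

# Constructed sample: listen/server_name skeleton of the server blocks quoted
# in the thread (hostnames from the thread, all other directives trimmed).
SAMPLE = """
server { listen 80 default_server; listen [::]:80 default_server; server_name _; }
server { server_name gitlab.themarketplace.space; listen [::]:443 ssl ipv6only=on; listen 443 ssl; }
server { if ($host = gitlab.themarketplace.space) { return 301 https://$host$request_uri; }
         listen 80; server_name gitlab.themarketplace.space; return 404; }
server { server_name ldap.themarketplace.space www.themarketplace.space; listen 443 ssl; }
server { listen 80; server_name ldap.themarketplace.space www.themarketplace.space; return 404; }
"""

def parse_servers(text):
    """Hypothetical helper: collect names and (port, is_default) per server block."""
    text = re.sub(r"#[^\n]*", "", text)          # strip comments
    servers, depth, cur, last = [], 0, None, ""
    for tok in re.findall(r"[{};]|[^{};]+", text):
        if tok == "{":
            depth += 1
            if depth == 1 and last == "server":
                cur = {"names": [], "listens": []}
                servers.append(cur)
        elif tok == "}":
            depth -= 1
            cur = cur if depth else None
        elif tok == ";":
            words = last.split()
            # only directives directly inside server{}, not inside if{} or location{}
            if cur is not None and depth == 1 and words:
                if words[0] == "server_name":
                    cur["names"] += [w.lower() for w in words[1:]]
                elif words[0] == "listen":
                    port = int(words[1].rsplit(":", 1)[-1])
                    cur["listens"].append((port, "default_server" in words))
        else:
            last = tok.strip()
    return servers

def select(servers, port, host):
    """Hypothetical helper: index of the block that answers (port, Host), or None."""
    on_port = [i for i, s in enumerate(servers) if any(p == port for p, _ in s["listens"])]
    for i in on_port:                            # 1. exact server_name match
        if host.lower() in servers[i]["names"]:
            return i
    for i in on_port:                            # 2. explicit default_server
        if (port, True) in servers[i]["listens"]:
            return i
    return on_port[0] if on_port else None       # 3. first block on that port

if __name__ == "__main__":
    blocks = parse_servers(SAMPLE)
    for port in (80, 443):
        for host in ("www.themarketplace.space", "themarketplace.space"):
            i = select(blocks, port, host)
            print(port, host, "->", blocks[i]["names"])
```

In this skeleton no 443 block is marked `default_server`, so a Host with no matching `server_name` (the bare `themarketplace.space`) is answered by the first 443 block in the file.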