Failed authorization procedure. colony47.de


#1

Hi,

I ran this command:

letsencrypt certonly --webroot -w /var/www/letsencrypt -d colony47.de --rsa-key-size 4096

Like last time and I’m using nginx, as you can see from the output:

Failed authorization procedure. colony47.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://colony47.de/.well-known/acme-challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I: "

404 Not Found

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: colony47.de
Type: unauthorized
Detail: Invalid response from http://colony47.de/.well-known/acme-
challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I: "

404 Not Found

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

I don’t get where it hangs, last time it was working like a charm. It’s true, …/.well-known is empty, but I think I didn’t touch it since last time.

My letsencrypt.nginx.conf:

server {
listen 81;
server_name 127.0.0.1;

location ^~ /.well-known/acme-challenge {
default_type text/plain;
root /var/www/letsencrypt;
}
}

Rights on ./.well-known:

drwxr-xr-x 2 root root 4,0K Feb 9 23:22 .well-known

Keys are stored here:

ls /etc/letsencrypt/live/colony47.de/
cert.pem chain.pem fullchain.pem privkey.pem

Thanks for any help!


#2

I’m concerned that your location directive might be mapping http://colony47.de/.well-known/acme-challenge/ to /var/www/letsencrypt instead of to /var/www/letsencrypt/.well-known/acme-challenge. The latter is what Certbot will expect when given -w /var/www/letsencrypt.


#3

Sorry, I don’t get it. I changed location to /var/www/letsencrypt/.well-known/acme-challenge, but nothing changed (reloaded nginx afterwards).
What exactly should I change?

This

location ^~ /.well-known/acme-challenge {
default_type text/plain;
root /var/www/letsencrypt/;
}

should be good.


#4

That Nginx virtual host is listening on port 81. Let’s Encrypt will connect to port 80, the standard HTTP port.

Does whatever is listening on port 80 forward requests to the server on port 81, with an appropriate Host header? Or does it have an equivalent configuration?

Edit: What’s your architecture and setup? What’s the rest of Nginx’s configuration? What was in Nginx’s error.log?


#5

The complete server is set up from this tutorial:

Nginx itself is configured as a reverse proxy, getting everything on port 80 and redirecting it to whatever is being called, i.e. my blog, nextcloud and letsencrypt. Encryption works fine, so letsencrypt seems to work, and so do the other sites. Http gets redirected to https.

Error log:

tail -f /var/log/nginx/error.log
2017/02/10 00:41:11 [error] 18755#18755: *27867 open() "/usr/share/nginx/html/.well-known/acme-challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I" failed (2: No such file or directory), client: 17.133.9.229, server: colony47.de, request: "GET /.well-known/acme-challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I HTTP/1.1", host: "colony47.de"
2017/02/10 00:41:11 [error] 18755#18755: *27868 open() "/usr/share/nginx/html/.well-known/acme-" failed (2: No such file or directory), client: 17.133.9.229, server: colony47.de, request: "GET /.well-known/acme- HTTP/1.1", host: "colony47.de"
2017/02/10 00:45:33 [error] 18755#18755: *27883 open() "/usr/share/nginx/html/.well-known/acme-challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I" failed (2: No such file or directory), client: 52.200.43.245, server: colony47.de, request: "HEAD /.well-known/acme-challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I HTTP/2.0", host: "colony47.de"
2017/02/10 00:45:33 [error] 18755#18755: *27884 open() "/usr/share/nginx/html/.well-known/acme-" failed (2: No such file or directory), client: 52.200.43.245, server: colony47.de, request: "HEAD /.well-known/acme- HTTP/2.0", host: "colony47.de"
2017/02/10 00:49:19 [error] 18755#18755: *27918 open() "/usr/share/nginx/html/.well-known/acme-challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I" failed (2: No such file or directory), client: 17.133.7.185, server: colony47.de, request: "GET /.well-known/acme-challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I HTTP/1.1", host: "colony47.de"
2017/02/10 00:49:20 [error] 18755#18755: *27919 open() "/usr/share/nginx/html/.well-known/acme-" failed (2: No such file or directory), client: 17.133.7.185, server: colony47.de, request: "GET /.well-known/acme- HTTP/1.1", host: "colony47.de"
2017/02/10 00:56:44 [error] 18756#18756: *28220 open() "/usr/share/nginx/html/.well-known/acme-challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I" failed (2: No such file or directory), client: 17.133.9.239, server: colony47.de, request: "GET /.well-known/acme-challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I HTTP/1.1", host: "colony47.de"
2017/02/10 00:56:45 [error] 18756#18756: *28221 open() "/usr/share/nginx/html/.well-known/acme-" failed (2: No such file or directory), client: 17.133.9.239, server: colony47.de, request: "GET /.well-known/acme- HTTP/1.1", host: "colony47.de"
2017/02/10 00:58:17 [error] 18756#18756: *28316 open() "/usr/share/nginx/html/.well-known/acme-challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I" failed (2: No such file or directory), client: 17.133.9.229, server: colony47.de, request: "GET /.well-known/acme-challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I HTTP/1.1", host: "colony47.de"
2017/02/10 00:58:17 [error] 18756#18756: *28317 open() "/usr/share/nginx/html/.well-known/acme-" failed (2: No such file or directory), client: 17.133.9.229, server: colony47.de, request: "GET /.well-known/acme- HTTP/1.1", host: "colony47.de"


#6

A standard debugging suggestion in this case is to put a text file in /var/www/letsencrypt/.well-known/acme-challenge/hello.txt and see if you see its contents when visiting http://colony47.de/.well-known/acme-challenge/hello.txt in a web browser or with curl. If you don’t, then you have a mismatch between what you’re telling Certbot to do with -w and what the CA is validating, which is caused by an incorrect web server configuration or an inappropriate choice of -w value. (I suspect that’s the problem here.)


#7

“root /usr/share/nginx/html;” is commonly set in the default example configuration files to serve a “Welcome to nginx!” page. Check your vhosts, the request isn’t landing where you think.

“nginx -T” can dump your whole configuration, if you have a recent-ish version.
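A small script, added here as an illustration and not part of any post in the thread, that reads error.log lines of the shape quoted in #5 and reports, for each http-01 request, the document root nginx actually used against the directory certbot writes into with -w (the sample lines are copied from the thread, the webroot value is the one from the command in #1):

```python
"""Compare nginx "open() ... failed" errors for ACME http-01 requests with the
webroot given to certbot (-w). Added example, not code from the thread, Certbot
or nginx; it only knows the error.log format quoted in post #5."""
import re
from typing import Optional

ACME_PREFIX = "/.well-known/acme-challenge/"

# Sample input: three lines taken from the error.log quoted in the thread, including
# the "/.well-known/acme-" request that is not a challenge and must be ignored.
SAMPLE_LOG = """\
2017/02/10 00:41:11 [error] 18755#18755: *27867 open() "/usr/share/nginx/html/.well-known/acme-challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I" failed (2: No such file or directory), client: 17.133.9.229, server: colony47.de, request: "GET /.well-known/acme-challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I HTTP/1.1", host: "colony47.de"
2017/02/10 00:41:11 [error] 18755#18755: *27868 open() "/usr/share/nginx/html/.well-known/acme-" failed (2: No such file or directory), client: 17.133.9.229, server: colony47.de, request: "GET /.well-known/acme- HTTP/1.1", host: "colony47.de"
2017/02/10 00:45:33 [error] 18755#18755: *27883 open() "/usr/share/nginx/html/.well-known/acme-challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I" failed (2: No such file or directory), client: 52.200.43.245, server: colony47.de, request: "HEAD /.well-known/acme-challenge/-kgh-Y7tv2N7lrw5n1PHM3KuClb3WQLN0xhumJ68e1I HTTP/2.0", host: "colony47.de"
"""

# One nginx error.log line of the form quoted in post #5.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \S+: \*\d+ '
    r'open\(\) "(?P<path>[^"]+)" failed \((?P<errno>\d+): (?P<errmsg>[^)]+)\), '
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)", '
    r'host: "(?P<host>[^"]+)"$'
)


def parse_open_error(line: str) -> Optional[dict]:
    """Fields of one open() failure line, or None if the line has another shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def implied_root(path: str, uri: str) -> Optional[str]:
    """Document root nginx must have used: the opened path minus the request URI.

    nginx builds the file name as <root><uri>, so if the path does not end with
    the URI a rewrite or alias changed it and the root cannot be recovered.
    """
    if not path.endswith(uri):
        return None
    return path[: -len(uri)] or "/"


def expected_file(webroot: str, uri: str) -> str:
    """Where 'certbot certonly --webroot -w WEBROOT' writes the token for URI."""
    return webroot.rstrip("/") + uri


def audit(log_text: str, webroot: str) -> list:
    """One finding per challenge request nginx failed to serve from disk."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_open_error(line)
        if rec is None or not rec["uri"].startswith(ACME_PREFIX):
            continue
        root = implied_root(rec["path"], rec["uri"])
        findings.append({
            "time": rec["ts"],
            "client": rec["client"],
            "server": rec["server"],
            # HTTP/2.0 here means the request came in on a listen socket with
            # http2 enabled; in the config quoted in #8 that is only the 443 ssl one.
            "protocol": rec["proto"],
            "nginx_tried": rec["path"],
            "nginx_root": root,
            "certbot_wrote": expected_file(webroot, rec["uri"]),
            "root_mismatch": root is not None
            and root.rstrip("/") != webroot.rstrip("/"),
        })
    return findings


if __name__ == "__main__":
    # Webroot from the letsencrypt command in post #1.
    for f in audit(SAMPLE_LOG, "/var/www/letsencrypt"):
        state = "MISMATCH" if f["root_mismatch"] else "ok"
        print(f"{f['time']} {f['protocol']:<8} server={f['server']} "
              f"root={f['nginx_root']} [{state}]")
        print(f"    nginx tried:   {f['nginx_tried']}")
        print(f"    certbot wrote: {f['certbot_wrote']}")
```

Run it against a real error.log with `audit(open("/var/log/nginx/error.log").read(), "/var/www/letsencrypt")`; a root that is not the -w directory is the mismatch #6 describes, and the server name and protocol tell you which server block answered.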


#8

Hi,

ok, I see nginx is looking in the wrong place.

I used

nginx -T | grep root

to find all “document roots”:

nginx -T | grep root
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root /var/www;

# In order to be recognized by SSL test, there must be an index.html in the server’s root

# Path to the root of your installation
root /var/www/;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

fastcgi_param DOCUMENT_ROOT $document_root;
# Path to the root of your installation
root /var/www/;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $document_root;
root /var/www/office;
root /var/www/letsencrypt/;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $document_root;

I also tested by

nginx -T | grep "/usr/share/nginx/html"

and found nothing. I don’t get why nginx is still looking in the default place. I checked it by putting something in the default directory; I can’t reach it, as it should be.

I use Ubuntu’s version of nginx:

nginx -v
nginx version: nginx/1.10.0 (Ubuntu)

As http://nginx.org/en/security_advisories.html says, there is a security patch available. But I don’t think this is responsible for my problem.

My whole config:

[details=Summary]# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
worker_connections 768;
# multi_accept on;
}

http {

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;

server_names_hash_max_size 32;

 server_names_hash_bucket_size 64;
# server_name_in_redirect off;

# set after problems with image uploads in Wordpress:

client_max_body_size 10M;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# SSL Settings
##

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Gzip Settings
##

gzip off;
gzip_disable "msie6";

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
 gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

##
# Virtual Host Configs
##

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

server {
	charset         utf-8;
	location ~ \.php$ {
              fastcgi_pass   localhost:9000;
              include        fastcgi.conf;
	}
}

}

#mail {
# See sample authentication script at:
# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# auth_http localhost/auth.php;
# pop3_capabilities "TOP" "USER";
# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

# configuration file /etc/nginx/mime.types:

types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml                           mml;
text/plain                            txt;
text/vnd.sun.j2me.app-descriptor      jad;
text/vnd.wap.wml                      wml;
text/x-component                      htc;

image/png                             png;
image/tiff                            tif tiff;
image/vnd.wap.wbmp                    wbmp;
image/x-icon                          ico;
image/x-jng                           jng;
image/x-ms-bmp                        bmp;
image/svg+xml                         svg svgz;
image/webp                            webp;

application/font-woff                 woff;
application/java-archive              jar war ear;
application/json                      json;
application/mac-binhex40              hqx;
application/msword                    doc;
application/pdf                       pdf;
application/postscript                ps eps ai;
application/rtf                       rtf;
application/vnd.apple.mpegurl         m3u8;
application/vnd.ms-excel              xls;
application/vnd.ms-fontobject         eot;
application/vnd.ms-powerpoint         ppt;
application/vnd.wap.wmlc              wmlc;
application/vnd.google-earth.kml+xml  kml;
application/vnd.google-earth.kmz      kmz;
application/x-7z-compressed           7z;
application/x-cocoa                   cco;
application/x-java-archive-diff       jardiff;
application/x-java-jnlp-file          jnlp;
application/x-makeself                run;
application/x-perl                    pl pm;
application/x-pilot                   prc pdb;
application/x-rar-compressed          rar;
application/x-redhat-package-manager  rpm;
application/x-sea                     sea;
application/x-shockwave-flash         swf;
application/x-stuffit                 sit;
application/x-tcl                     tcl tk;
application/x-x509-ca-cert            der pem crt;
application/x-xpinstall               xpi;
application/xhtml+xml                 xhtml;
application/xspf+xml                  xspf;
application/zip                       zip;

application/octet-stream              bin exe dll;
application/octet-stream              deb;
application/octet-stream              dmg;
application/octet-stream              iso img;
application/octet-stream              msi msp msm;

application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

audio/midi                            mid midi kar;
audio/mpeg                            mp3;
audio/ogg                             ogg;
audio/x-m4a                           m4a;
audio/x-realaudio                     ra;

video/3gpp                            3gpp 3gp;
video/mp2t                            ts;
video/mp4                             mp4;
video/mpeg                            mpeg mpg;
video/quicktime                       mov;
video/webm                            webm;
video/x-flv                           flv;
video/x-m4v                           m4v;
video/x-mng                           mng;
video/x-ms-asf                        asx asf;
video/x-ms-wmv                        wmv;
video/x-msvideo                       avi;

}

# configuration file /etc/nginx/conf.d/colony47.de.conf:

server {
listen 80 default_server;
server_name colony47.de www.colony47.de;
rewrite ^ https://colony47.de$request_uri permanent;

root /var/www;

location ^~ /.well-known/acme-challenge {
proxy_pass http://127.0.0.1:81;
proxy_redirect off;
}

location / {
# Enforce HTTPS
#return 301 https://$server_addr$request_uri;
# Use this if you always want to redirect to the DynDNS address (no local access).
return 301 https://colony47.de$request_uri;
}
}

server {
listen 443 ssl http2;
server_name colony47.de www.colony47.de;

# Configure SSL
ssl on;

# Certificates used
ssl_certificate /etc/letsencrypt/live/colony47.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/colony47.de/privkey.pem;

# Not using TLSv1 will break:
# Android <= 4.4.40
# IE <= 10
# IE mobile <=10
# Removing TLSv1.1 breaks nothing else!
ssl_protocols TLSv1.2;

# 100 % Security

    # Low Compatibility 
    # No Android 2 
    # No Java 
    # No IE < 11 (XP) 
    # No Firefox
    # Robust Forward Secrecy 
    #ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';

    # These are the recommended cipher suites from: https://wiki.mozilla.org/Security/Server_Side_TLS
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

    # Nginx for Modern Browsers (uncomment this when the other ssl_ciphers won't work for you)
    # Grade A (A+ with HSTS at >= 6 Months) 
    # 90 % Security 
    # Medium Compatibility 
    # No Java 6 (No DH parameters > 1024 bits) 
    # No IE on XP 
    # Robust Forward Secrecy 
    #ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';  

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # Specifies a curve for ECDHE ciphers. 
    # Remarks: This won't work on Chrome 53 (ERR_SSL_OBSOLETE_CIPHER)
    #ssl_ecdh_curve secp521r1;

    # Slightly lower security, but will work on
    # - Chrome 53
    # - Windows phones before 8.1 Update 1 
    ssl_ecdh_curve secp384r1; 

    # Server should determine the ciphers, not the client

ssl_prefer_server_ciphers on;

# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/colony47.de/fullchain.pem;

# SSL session handling
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Add headers to serve security related headers
# HSTS (ngx_http_headers_module is required)
# In order to be recognized by SSL test, there must be an index.html in the server's root
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Content-Type-Options nosniff;
# Usually this should be "DENY", but when hosting sites using frames, it has to be "SAMEORIGIN"
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;

#################################################
# rock solid, do not change
#################################################

location ^~ /nextcloud {
# Set max. size of a request (important for uploads to nextcloud)
client_max_body_size 1G;
# Besides the timeout values have to be raised in nginx’ owncloud config, these values have to be raised for the proxy as well
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://127.0.0.1:82;
proxy_redirect off;
}

##################################################

#################################################
# Blog config
#################################################

location = / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
proxy_pass https://colony47.de/blog/;

deny all;

}

#################################################

location ^~ /blog {
#proxy_pass http://127.0.0.1:8080;
	proxy_pass http://127.0.0.1:84;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #optional
proxy_set_header X-Forwarded-Proto $scheme; #optional
	proxy_redirect off;
# values had to be adjusted, see nextcloud above
	proxy_connect_timeout 300;
            proxy_send_timeout 300;
            proxy_read_timeout 300;
            send_timeout 300;
}

###################################################################
# bee config
###################################################################
#location ^~ /bee {
#proxy_pass http://127.0.0.1:8080;
#proxy_pass http://127.0.0.1:85;
#proxy_set_header Host $host;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #optional
#proxy_set_header X-Forwarded-Proto $scheme; #optional
#proxy_redirect off;
# values had to be adjusted, see nextcloud above
#proxy_connect_timeout 300;
#proxy_send_timeout 300;
#proxy_read_timeout 300;
#send_timeout 300;
#}

}

# configuration file /etc/nginx/conf.d/colony47.de_blog.conf:

#upstream php-handler {
#server unix:/run/php/php7.0-fpm.sock;
#}

server {
listen 84;
server_name 127.0.0.1;

# Add headers to serve security related headers
# Use 'proxy_set_header' (not 'add_header') as the headers have to be passed through a proxy.
proxy_set_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
proxy_set_header X-Content-Type-Options nosniff;
proxy_set_header X-Frame-Options "SAMEORIGIN";
proxy_set_header X-XSS-Protection "1; mode=block";
proxy_set_header X-Robots-Tag none;
proxy_set_header X-Download-Options noopen;
proxy_set_header X-Permitted-Cross-Domain-Policies none;

# Path to the root of your installation
root /var/www/;

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /blog/public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /blog/public.php?service=host-meta-json last;

location = /.well-known/carddav { return 301 $scheme://$host/owncloud/remote.php/dav; }

location = /.well-known/caldav { return 301 $scheme://$host/owncloud/remote.php/dav; }

location /.well-known/acme-challenge { }

location ^~ /blog {

    # set max upload size
    client_max_body_size 1G;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    # Gzip was enabled for a faster website; according to the wiki it only matters when several servers deliver the site
#gzip off;
    gzip on;
    
# Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

error_page 403 /blog/core/templates/403.php;

error_page 404 /blog/core/templates/404.php;

    location /blog {
        rewrite ^ /blog/index.php$uri;
    }

location ~ ^/blog/(?:build|tests|config|lib|3rdparty|templates|data)/ {

deny all;

}

location ~ ^/blog/(?:\.|autotest|occ|issue|indie|db_|console) {

deny all;

}

    #location ~ ^/blog/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
location ~ \.php(?:$|/) {	


        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;

 # Important: disable HTTPS, otherwise no log in will be possible!
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
        fastcgi_param front_controller_active true;

###############################################################################

        fastcgi_pass unix:/run/php/php7.0-fpm.sock;

###############################################################################

        fastcgi_intercept_errors on;

        # Raise timeout values.
 # This is especially important when the ownCloud setup runs into timeouts (504 gateway errors)
 fastcgi_read_timeout 300;
 fastcgi_send_timeout 300;
 fastcgi_connect_timeout 300;
 
        # Pass PHP variables directly to PHP.
        # This is usually done in the php.ini. For more flexibility, these variables are configured in the nginx config.
 # All the PHP parameters have to be set in one fastcgi_param. When using more 'fastcgi_param PHP_VALUE' directives, the last one will override all the others.
        fastcgi_param PHP_VALUE "open_basedir=/var/www:/tmp/:/dev/urandom

upload_max_filesize = 1G
post_max_size = 1G
max_execution_time = 3600";

        # Make sure that the real IP of the remote host is passed to PHP.
        fastcgi_param REMOTE_ADDR $http_x_real_ip;
    }

location ~ ^/blog/(?:updater|ocs-provider)(?:$|/) {

try_files $uri/ =404;

index index.php;

}

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /blog/index.php$uri$is_args$args;
        #proxy_set_header Cache-Control "public, max-age=7200";
proxy_set_header Cache-Control "public, max-age=604800";
# new age defined, for more speed (seconds = 1 week)
        # Add headers to serve security related headers
        # Again use 'proxy_set_header' (not 'add_header') as the headers have to be passed through a proxy.
        proxy_set_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        proxy_set_header X-Content-Type-Options nosniff;
        proxy_set_header X-Frame-Options "SAMEORIGIN";
        proxy_set_header X-XSS-Protection "1; mode=block";
        proxy_set_header X-Robots-Tag none;
        proxy_set_header X-Download-Options noopen;
        proxy_set_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /blog/index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;

# these two options were introduced to speed up the site with longer cache times:
# http://technumero.com/internet/how-to-leverage-browser-caching-wordpress/3213
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 365d;
}

location ~* \.(pdf)$ {
expires 90d;
}

    }
}

}

# configuration file /etc/nginx/fastcgi_params:

fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect

fastcgi_param REDIRECT_STATUS 200;

# configuration file /etc/nginx/conf.d/colony47.de_nextcloud.conf:

upstream php-handler {
server unix:/run/php/php7.0-fpm.sock;
}

server {
listen 82;
server_name 127.0.0.1;

# Add headers to serve security related headers
# Use 'proxy_set_header' (not 'add_header') as the headers have to be passed through a proxy.
proxy_set_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
proxy_set_header X-Content-Type-Options nosniff;
proxy_set_header X-Frame-Options "SAMEORIGIN";
proxy_set_header X-XSS-Protection "1; mode=block";
proxy_set_header X-Robots-Tag none;
proxy_set_header X-Download-Options noopen;
proxy_set_header X-Permitted-Cross-Domain-Policies none;

# Path to the root of your installation
root /var/www/;

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /nextcloud/public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /nextcloud/public.php?service=host-meta-json last;

location = /.well-known/carddav { return 301 $scheme://$host/nextcloud/remote.php/dav; }
location = /.well-known/caldav { return 301 $scheme://$host/nextcloud/remote.php/dav; }

location /.well-known/acme-challenge { }

location ^~ /nextcloud {

    # set max upload size
    client_max_body_size 1G;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /nextcloud/core/templates/403.php;
    error_page 404 /nextcloud/core/templates/404.php;

    location /nextcloud {
        rewrite ^ /nextcloud/index.php$uri;
    }

    location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }

    location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;

 # Important: disable HTTPS, otherwise no log in will be possible!
        #fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;

        # Raise timeout values.
 # This is especially important when the ownCloud setup runs into timeouts (504 gateway errors)
 fastcgi_read_timeout 300;
 fastcgi_send_timeout 300;
 fastcgi_connect_timeout 300;
 
        # Pass PHP variables directly to PHP.
        # This is usually done in the php.ini. For more flexibility, these variables are configured in the nginx config.
    # All the PHP parameters have to be set in one fastcgi_param. When using more 'fastcgi_param PHP_VALUE' directives, the last one will override all the others.

fastcgi_param PHP_VALUE "open_basedir=/var/www:/tmp/:/var/nextcloud_data:/dev/urandom
upload_max_filesize = 1G
post_max_size = 1G
max_execution_time = 3600";

        # Make sure that the real IP of the remote host is passed to PHP.
        fastcgi_param REMOTE_ADDR $http_x_real_ip;
    }

    location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /nextcloud/index.php$uri$is_args$args;
        proxy_set_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers
        # Again use 'proxy_set_header' (not 'add_header') as the headers have to be passed through a proxy.
        proxy_set_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        proxy_set_header X-Content-Type-Options nosniff;
        proxy_set_header X-Frame-Options "SAMEORIGIN";
        proxy_set_header X-XSS-Protection "1; mode=block";
        proxy_set_header X-Robots-Tag none;
        proxy_set_header X-Download-Options noopen;
        proxy_set_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /nextcloud/index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

}

# configuration file /etc/nginx/fastcgi_params:

fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect

fastcgi_param REDIRECT_STATUS 200;

# configuration file /etc/nginx/conf.d/colony47.de_office.conf:

server {
listen 83;
server_name 127.0.0.1;

# Add headers to serve security related headers
# Use 'proxy_set_header' (not 'add_header') as the headers have to be passed through a proxy.
proxy_set_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
proxy_set_header X-Content-Type-Options nosniff;
proxy_set_header X-Frame-Options "SAMEORIGIN";
proxy_set_header X-XSS-Protection "1; mode=block";
proxy_set_header X-Robots-Tag none;
proxy_set_header X-Download-Options noopen;
proxy_set_header X-Permitted-Cross-Domain-Policies none;

root /var/www/office;

location = /.well-known/carddav { return 301 $scheme://$host/nextcloud/remote.php/dav; }

location = /.well-known/caldav { return 301 $scheme://$host/nextcloud/remote.php/dav; }

location /.well-known/acme-challenge { }

static files

location ^~ /loleaflet {
proxy_pass https://localhost:9980;
proxy_set_header Host $http_host;
}

WOPI discovery URL

location ^~ /hosting/discovery {
proxy_pass https://localhost:9980;
proxy_set_header Host $http_host;
}

websockets, download, presentation and image upload

location ^~ /lool {
proxy_pass https://localhost:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection “upgrade”;
proxy_set_header Host $http_host;
}

}

configuration file /etc/nginx/conf.d/nextcloud.colony47.de_letsencrypt.conf:

server {
listen 81;
server_name 127.0.0.1;

location ^~ /.well-known/acme-challenge {
default_type text/plain;
root /var/www/letsencrypt/;
}
}

configuration file /etc/nginx/fastcgi.conf:

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect

fastcgi_param REDIRECT_STATUS 200;

[/details]

Any tips where nginx still got the default path?

PS: Found out there was /var/www/letsencrypt/.well-known/.well-known

so a double well-known (he knows really well, as it seems). I deleted the second empty directory. Still doesn't work.

I placed something in the text file https://colony47.de/.well-known/acme-challenge/hello.txt but it's unreachable (404).


#9

Found out by using nginx -V, nginx still uses the default pathway when triggered by letsencrypt (important here is prefix):

nginx -V
nginx version: nginx/1.10.0 (Ubuntu)
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads

As far as I understood it, altering the route is only possible by some site conf.

Luckily registering in the nginx forum doesn’t work today. Fortuna is around me…


#10

Oh, it’s the compiled-in default. I’m surprised.

Still, the solution is to set the correct root directive in the correct server context.
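To make the "correct root in the correct server context" point concrete, here is an added Python model (not code from the thread or from nginx/certbot) of how nginx resolves a request under `root` versus `alias` for a prefix `location`, compared against the path `certbot --webroot -w WEBROOT` writes its token to. The token value is a constructed placeholder; it also covers the `alias` case the thread never tried.

```python
"""Model of nginx root/alias path mapping for the ACME http-01 webroot check."""
import posixpath

ACME_PREFIX = "/.well-known/acme-challenge"


def nginx_file_path(directive, value, location_prefix, request_uri):
    """Filesystem path nginx would serve for request_uri inside a prefix location.

    root:  value + full request URI          (location prefix is kept)
    alias: value + URI after location prefix (location prefix is replaced)
    Assumes a plain prefix location (the '^~' form used in the thread), no regex.
    """
    if not request_uri.startswith(location_prefix):
        raise ValueError("URI does not match this location block")
    if directive == "root":
        tail = request_uri
    elif directive == "alias":
        tail = request_uri[len(location_prefix):]
    else:
        raise ValueError("directive must be 'root' or 'alias'")
    # nginx simply concatenates; a trailing slash on root only yields '//'.
    return posixpath.normpath(value.rstrip("/") + "/" + tail.lstrip("/"))


def certbot_webroot_path(webroot, token):
    """Where 'certbot certonly --webroot -w WEBROOT' writes the challenge file."""
    return posixpath.join(webroot.rstrip("/"), ".well-known", "acme-challenge", token)


def challenge_reachable(directive, value, webroot, token):
    """True only if the file certbot writes is the file nginx will serve."""
    served = nginx_file_path(directive, value, ACME_PREFIX, ACME_PREFIX + "/" + token)
    return served == certbot_webroot_path(webroot, token)


if __name__ == "__main__":
    TOKEN = "EXAMPLE-TOKEN"  # constructed placeholder, not a real ACME token
    WEBROOT = "/var/www/letsencrypt"  # the -w value used in the thread
    for directive, value in [
        ("root", "/var/www/letsencrypt/"),                         # works
        ("root", "/var/www/letsencrypt/.well-known/acme-challenge"),  # prefix doubled
        ("alias", "/var/www/letsencrypt"),                          # prefix dropped
        ("alias", "/var/www/letsencrypt/.well-known/acme-challenge"),  # works
    ]:
        ok = challenge_reachable(directive, value, WEBROOT, TOKEN)
        print(f"{directive:5} {value:55} -> {'OK' if ok else 'MISMATCH'}")
```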


#11

Hey, you were absolutely correct!

My solution was setting the root directory a second time, as you can see here:

server {
    listen 80 default_server;
    server_name colony47.de www.colony47.de;
    rewrite ^ https://colony47.de$request_uri permanent;
    root /var/www;

    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_redirect off;
    }
    location / {
        # Enforce HTTPS
        #return 301 https://$server_addr$request_uri;
        # Use this if you always want to redirect to the DynDNS address (no local access).
        return 301 https://colony47.de$request_uri;
    }
}
server {
    listen 443 ssl http2;
    server_name colony47.de www.colony47.de;
    root /var/www;

    ssl on;

My setup was listening on port 80 and redirected everything to ports 443 for https. The second server part was missing the important root /var/www; feature. So redirecting works now.

Thanks for all your comments and your help! Have a great day!


#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.