Index.php being downloaded: Wordpress, Nginx


#1

When I try to go to my website and go to “murphygames.com” my index.php file is being downloaded instead of activated.
When I go to “www.murphygames.com” I get a “Welcome to Nginx”.
My website is using Wordpress.

This is my /etc/nginx/conf.d/default.conf

server {
listen 80;
server_name localhost;

#charset koi8-r;
#access_log  /var/log/nginx/log/host.access.log  main;

location / {
    autoindex on;
    autoindex_exact_size off;
    root   /var/www/html;
    index  index.php index.html index.htm;
}

#error_page  404              /404.html;

# redirect server error pages to the static page /50x.html
#
error_page   500 502 503 504  /50x.html;
location = /50x.html {
    root   /usr/share/nginx/html;
}

# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
#    proxy_pass   http://127.0.0.1;
#}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
    root           html;
    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    include        fastcgi_params;
}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
#    deny  all;
#}

}

This is my /etc/nginx/conf.d/ssl.conf

server {
listen 443 http2 ssl;

    server_name murphygames.com www.murphygames.com;

    ssl_certificate /etc/letsencrypt/live/murphygames.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/murphygames.com/privkey.pem;

    ########################################################################
    # from https://cipherli.st/                                            #
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
    ########################################################################

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    ##################################
    # END https://cipherli.st/ BLOCK #
    ##################################

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location ~ /.well-known {
            allow all;
    }

    # The rest of your server block
    root /var/www/html;
    index index.php index.html index.htm;

    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
    }

}

Anyone know why this is happening? :slight_smile:


#2

The location ~ \.php$ block isn’t present in your SSL configuration.


#3

I edited my ssl.conf, it now looks like this:

server {
listen 443 http2 ssl;

    server_name murphygames.com www.murphygames.com;

    ssl_certificate /etc/letsencrypt/live/murphygames.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/murphygames.com/privkey.pem;

    ########################################################################
    # from https://cipherli.st/                                            #
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
    ########################################################################

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    ##################################
    # END https://cipherli.st/ BLOCK #
    ##################################

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location ~ /.well-known {
            allow all;
    }

    # The rest of your server block
    root /var/www/html;
    index index.php index.html index.htm;

    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
    include         /etc/nginx/fastcgi_params;
    if (-f $request_filename) {
    fastcgi_pass   127.0.0.1:9000;
    }
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    }

}

Now I get an error establishing database connection


#4

Yeah, you got that for non-HTTPS too, before you corrected things with HTTPS. But that’s probably a WordPress thing. :slight_smile:

HTTPS seems to work nicely tho: https://dev.ssllabs.com/ssltest/analyze.html?d=murphygames.com&hideResults=on&latest


#5

My www.murphygames.com still gets a “Welcome to nginx” though.


#6

Ideally, your ssl.conf is exactly the same as your default.conf, but with the SSL directives added.

Personally, I don’t know much about nginx, so I can’t help you with that I’m afraid. Perhaps some other people from the forum might :slight_smile:


#7

Ok thank you :slight_smile:


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.