Глючит Nginx OcStore 2.3 (Странная проблема)

[fduw]

Поставил OcStore 2.3 на Nginx.

Конфиги:

Nginx.conf

Спойлер

user  nginx;
worker_processes 2;
# Number of file descriptors used for Nginx.
worker_rlimit_nofile 200000;
worker_priority -3;


# error_log /var/log/nginx/error.log crit;
error_log /var/log/nginx/error.log error;
pid        /var/run/nginx.pid;

events {
    worker_connections  2048;
     # The effective method, used on Linux 2.6+, optmized to serve many clients with each thread.
    use epoll;
         # Accept as many connections as possible, after nginx gets notification about a new connection.
    multi_accept on;
}


http {
    include       /etc/nginx/mime.types;

    default_type  application/octet-stream;


    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log off;
     # Only log critical errors.

    #  # Buffer log writes to speed up IO.
    # access_log /var/log/nginx/access.log main buffer=16k;


     # Caches information about open FDs, freqently accessed files.
    open_file_cache max=150000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

     # Don't buffer data-sends (disable Nagle algorithm).
    tcp_nodelay on;
    sendfile        on;
    tcp_nopush     on;

    server_tokens   off;
    types_hash_max_size 2048;

     # Timeout for keep-alive connections. Server will close connections after this time.
    keepalive_timeout 30;
     # Number of requests a client can make over the keep-alive connection.
    keepalive_requests 1000;


     # Send the client a "request timed out" if the body is not loaded by this time.
    client_body_timeout 10;
    client_header_timeout 15;


    client_body_buffer_size 10K;
    client_header_buffer_size 1k;
    client_max_body_size  8m;
    large_client_header_buffers 2 1k;
    client_body_temp_path client_body_temp;

     # Allow the server to close the connection after a client stops responding.
    reset_timedout_connection on;

     # If the client stops reading data, free up the stale client connection after this much time.
    send_timeout 2;

    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    fastcgi_connect_timeout 300;

    include /etc/nginx/conf.d/*.conf;


    # proxy_cache_path /dev/ngx_cache levels=1:2 keys_zone=all:32m max_size=1g;
    # fastcgi_cache_path /dev/ngx_cache/fpm levels=1:2 keys_zone=fcgi:32m max_size=1g;
    # fastcgi_cache_key "$scheme$request_method$host$request_uri";
}

 

 

Для сайта:

Спойлер

server {
    listen ip:80;

    server_name site.com www.site.com;

    # redirect http to https www
    return 301 https://site.com$request_uri;
}

server {
    listen ip:443 ssl http2;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_certificate /etc/letsencrypt/livesite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem;

    server_name www.site.comm;

    # root /var/www/site.com/public/;
    # index index.php;

    # redirect https non-www to https www
    return 301 https://site.com$request_uri;
}


server {
    listen 81.90.181.177:443 ssl http2 default_server;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    ssl_certificate /etc/letsencrypt/live/site.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem;

    ssl_certificate /usr/local/letsencrypt/live-ecdsa/site.comm/chain.pem;
    ssl_certificate_key /usr/local/letsencrypt/live-ecdsa/site.com/key-256r1.pem;

     # verify chain of trust of OCSP response using Root CA and Intermediate certs
    # ssl_stapling_file /etc/letsencrypt/live/site.com/ca-certs.pem;
    # ssl_trusted_certificate /etc/letsencrypt/live/site.com/chain.pem;
    ssl_trusted_certificate /usr/local/letsencrypt/live-ecdsa/site.com/letmp/0000_chain.pem;

    ssl_ciphers "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:+MEDIUM:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL";
    ssl_prefer_server_ciphers on;


     ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;


    # Diffi Helman
    ssl_dhparam /etc/letsencrypt/live/site.com/dhparam.pem;

    #Enable OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_stapling_responder http://ocsp.int-x3.letsencrypt.org;
    resolver 127.0.0.1;

    # 0-RTT
    ssl_early_data on;
    proxy_set_header Early-Data $ssl_early_data;

    # Optimize session cache
    keepalive_timeout 40;
    ssl_session_cache   shared:SSL:40m;
    ssl_session_timeout 24h;

     # Enable session tickets
    ssl_session_tickets on;

    # set_cookie_flag HttpOnly secure;

    server_name site.com;

    error_log /var/www/site.com/logs/error.log;

    root /var/www/site.com/public/;
    index index.php;

    location = /sitemap.xml {   rewrite ^(.*)$ /index.php?route=feed/google_sitemap last;}

    location = /googlebase.xml {    rewrite ^(.*)$ /index.php?route=feed/google_base last;}

	location ~* (\.tpl|.twig|\.ini|\.log|(?<!robots)\.txt) {    deny all;}

	location /system {  rewrite ^/system/storage/(.*) /index.php?route=error/not_found last;}

	location ~* \/\.git {   deny all;}

	location ~* \/image.+(\.php) {  deny all;}

	location ~* \.(js|css|png|jpg|jpeg|gif|ico|webp)$ {
		expires 181d;
		log_not_found off;
	}


    location = /favicon.ico {
		log_not_found off;
		access_log off;
	}


    location /admin { index index.php; }

    location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	}

    location ~ /\. {
        access_log off;
        log_not_found off;
        deny all;
    }

    location / {
        if (!-e $request_filename) {
            rewrite ^/(.*)$ /index.php?_route_=$1 last;
        }
    }


    # location / {    try_files $uri $uri/ @opencart;}

    # location @opencart {    rewrite ^/(.+)$ /index.php?_route_=$1 last;}

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass  unix:/var/opt/remi/php71/run/php-fpm/php71-fpm-www.sock;
        # fastcgi_pass php-fpm;
        fastcgi_index index.php;
        # include fastcgi_params;
        include /etc/nginx/fastcgi.conf;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 16k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
        fastcgi_keep_conn on;
        fastcgi_read_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_param REDIRECT_STATUS 200;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_intercept_errors on;
        fastcgi_ignore_client_abort off;
        fastcgi_connect_timeout 60;


        add_header Content-Security-Policy "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report img-src * 'self' data: blob: https:; default-src 'self' https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://s.ytimg.com https://www.youtube.com https://site.com https://*.googleapis.com https://*.gstatic.com https://*.gravatar.com https://*.w.org data: 'unsafe-inline' 'unsafe-eval';" always;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Access-Control-Allow-Origin "https://site.com";
        add_header Referrer-Policy "origin-when-cross-origin" always;

         # Включаем HTTP Public Key Pinning Extension
        add_header Public-Key-Pins 'pin-sha256="ab+RseLsjKtlCtTfY1Gguz2+z2o19q8xZ7Yb8jKpuLs="; max-age=1512000';

         # Enable HSTS
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
    }
         # gzip
        gzip on;
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 9;
        gzip_min_length 10240;
        gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
        gzip_disable "msie6";

        # brotli
        brotli on;
        brotli_comp_level 11;
        brotli_types text/xml image/svg+xml application/x-font-ttf image/vnd.microsoft.icon application/x-font-opentype application/json font/eot application/vnd.ms-fontobject application/javascript font/otf application/xml application/xhtml+xml text/javascript  application/x-javascript text/plain application/x-font-truetype application/xml+rss image/x-icon font/opentype text/css image/x-win-bitmap;
}
# fastcgi_cache phpcache; # The name of the cache key-zone to use
# fastcgi_cache_valid 200 30m; # What to cache: 'Code 200' responses, for half an hour
# fastcgi_cache_methods GET HEAD; # What to cache: only GET and HEAD requests (not POST)
# fastcgi_cache_path /dev/ngx_cache levels=1:2 keys_zone=phpcache:100m inactive=60m;
# fastcgi_cache_key "$scheme$request_method$host$request_uri";

 

 

Ставлю чистый OcStore 2.3

 

После установки появилась проблема.

 

Не могу зайти в админку!

 

Пишу правильные данные.

И на сайте не могу переключить язык.

 

Какая то хрень блокирует отправку или получение Post запроса. Либо что еще.

Firewall отключал.

 

OcStore 3 работает без проблем.

 

В php-fpm, nginx ошибок нет

 

 

Когда пытаюсь восстановить пароль от админки пишет

maillog

postfix/sendmail[3637]: fatal: parameter inet_interfaces: no local interface found for ::1

Куда копать?

 

Ос Oracle 7.6, NGINX 1.17.1(Не стабильная)

Змінено 9 липня 2019 користувачем fduw

[100napb]

10 hours ago, fduw said:

client_body_buffer_size 10K; client_header_buffer_size 1k; client_max_body_size 8m; large_client_header_buffers 2 1k; client_body_temp_path client_body_temp;

 

10 hours ago, fduw said:

fastcgi_buffers 8 16k; fastcgi_buffer_size 32k;

 

Просто бросилось в глаза... попробуйте для начала закомментировать вот эти параметры - будут работать значения по умолчанию. Особенно напрягает large_client_header_buffers 2 1k; который почему-то такой же как и client_header_buffer_size. 1кб - это обычно маловато.

 

10 hours ago, fduw said:

#Enable OCSP stapling ssl_stapling on; ssl_stapling_verify on; ssl_stapling_responder http://ocsp.int-x3.letsencrypt.org; resolver 127.0.0.1;

 

почему ресолвер вдруг локальный стал? обычно ж внешний dns ставят, типа 8.8.8.8

 

 

[fduw]

2 часа назад, 100napb сказал:

 

 

Просто бросилось в глаза... попробуйте для начала закомментировать вот эти параметры - будут работать значения по умолчанию. Особенно напрягает large_client_header_buffers 2 1k; который почему-то такой же как и client_header_buffer_size. 1кб - это обычно маловато.

 

 

почему ресолвер вдруг локальный стал? обычно ж внешний dns ставят, типа 8.8.8.8

 

 

Спойлер

FastCGI sent in stderr: "PHP message: PHP Warning:  SessionHandler::read(): open(/var/opt/remi/php71/lib/php/session/sess_jnn0bn6dchkvl1i2ancedn2ijs, O_RDWR) failed: Permission denied (13) in /var/www/site.ru/public/system/library/session/native.php on line 17
PHP message: PHP Warning:  session_start(): Failed to read session data: user (path: /var/opt/remi/php71/lib/php/session) in /var/www/site.ru/public/system/library/session.php on line 30
PHP message: PHP Warning:  SessionHandler::create_sid(): Session is not active in /var/www/site.ru/public/system/library/session/native.php on line 5" while reading response header from upstream, client: 84.18.121.182, server: site.ru, request: "POST /install/index.php?route=common/column_left/language HTTP/1.1", upstream: "fastcgi://unix:/var/opt/remi/php71/run/php-fpm/php71-fpm-www.sock:", host: "site.ru", referrer: "http://site.ru/install/index.php?route=install/step_1"

 

Оказалось проблема в сессиях.

Дал права для nginx'а

chown -R nginx:nginx /var/opt/remi/php71/lib/php/session

Только не понял почему для OcStore 3 таких проблем не было

[100napb]

19 hours ago, fduw said:

  Reveal hidden contents

FastCGI sent in stderr: "PHP message: PHP Warning:  SessionHandler::read(): open(/var/opt/remi/php71/lib/php/session/sess_jnn0bn6dchkvl1i2ancedn2ijs, O_RDWR) failed: Permission denied (13) in /var/www/site.ru/public/system/library/session/native.php on line 17
PHP message: PHP Warning:  session_start(): Failed to read session data: user (path: /var/opt/remi/php71/lib/php/session) in /var/www/site.ru/public/system/library/session.php on line 30
PHP message: PHP Warning:  SessionHandler::create_sid(): Session is not active in /var/www/site.ru/public/system/library/session/native.php on line 5" while reading response header from upstream, client: 84.18.121.182, server: site.ru, request: "POST /install/index.php?route=common/column_left/language HTTP/1.1", upstream: "fastcgi://unix:/var/opt/remi/php71/run/php-fpm/php71-fpm-www.sock:", host: "site.ru", referrer: "http://site.ru/install/index.php?route=install/step_1"

 

Оказалось проблема в сессиях.

Дал права для nginx'а

chown -R nginx:nginx /var/opt/remi/php71/lib/php/session

Только не понял почему для OcStore 3 таких проблем не было

хорошо то, что хорошо кончается

 

В ОС3 из-коробки сессии хранятся в БД, в то время как в прошлых версия были файловыми.