Глючит Nginx OcStore 2.3 (Странная проблема)

fduw · July 9, 2019

Поставил OcStore 2.3 на Nginx.

Конфиги:

Nginx.conf

Спойлер

user  nginx;
worker_processes 2;
# Number of file descriptors used for Nginx.
worker_rlimit_nofile 200000;
worker_priority -3;


# error_log /var/log/nginx/error.log crit;
error_log /var/log/nginx/error.log error;
pid        /var/run/nginx.pid;

events {
    worker_connections  2048;
     # The effective method, used on Linux 2.6+, optmized to serve many clients with each thread.
    use epoll;
         # Accept as many connections as possible, after nginx gets notification about a new connection.
    multi_accept on;
}


http {
    include       /etc/nginx/mime.types;

    default_type  application/octet-stream;


    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log off;
     # Only log critical errors.

    #  # Buffer log writes to speed up IO.
    # access_log /var/log/nginx/access.log main buffer=16k;


     # Caches information about open FDs, freqently accessed files.
    open_file_cache max=150000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

     # Don't buffer data-sends (disable Nagle algorithm).
    tcp_nodelay on;
    sendfile        on;
    tcp_nopush     on;

    server_tokens   off;
    types_hash_max_size 2048;

     # Timeout for keep-alive connections. Server will close connections after this time.
    keepalive_timeout 30;
     # Number of requests a client can make over the keep-alive connection.
    keepalive_requests 1000;


     # Send the client a "request timed out" if the body is not loaded by this time.
    client_body_timeout 10;
    client_header_timeout 15;


    client_body_buffer_size 10K;
    client_header_buffer_size 1k;
    client_max_body_size  8m;
    large_client_header_buffers 2 1k;
    client_body_temp_path client_body_temp;

     # Allow the server to close the connection after a client stops responding.
    reset_timedout_connection on;

     # If the client stops reading data, free up the stale client connection after this much time.
    send_timeout 2;

    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    fastcgi_connect_timeout 300;

    include /etc/nginx/conf.d/*.conf;


    # proxy_cache_path /dev/ngx_cache levels=1:2 keys_zone=all:32m max_size=1g;
    # fastcgi_cache_path /dev/ngx_cache/fpm levels=1:2 keys_zone=fcgi:32m max_size=1g;
    # fastcgi_cache_key "$scheme$request_method$host$request_uri";
}

Для сайта:

Спойлер

server {
    listen ip:80;

    server_name site.com www.site.com;

    # redirect http to https www
    return 301 https://site.com$request_uri;
}

server {
    listen ip:443 ssl http2;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_certificate /etc/letsencrypt/livesite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem;

    server_name www.site.comm;

    # root /var/www/site.com/public/;
    # index index.php;

    # redirect https non-www to https www
    return 301 https://site.com$request_uri;
}


server {
    listen 81.90.181.177:443 ssl http2 default_server;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    ssl_certificate /etc/letsencrypt/live/site.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem;

    ssl_certificate /usr/local/letsencrypt/live-ecdsa/site.comm/chain.pem;
    ssl_certificate_key /usr/local/letsencrypt/live-ecdsa/site.com/key-256r1.pem;

     # verify chain of trust of OCSP response using Root CA and Intermediate certs
    # ssl_stapling_file /etc/letsencrypt/live/site.com/ca-certs.pem;
    # ssl_trusted_certificate /etc/letsencrypt/live/site.com/chain.pem;
    ssl_trusted_certificate /usr/local/letsencrypt/live-ecdsa/site.com/letmp/0000_chain.pem;

    ssl_ciphers "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:+MEDIUM:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL";
    ssl_prefer_server_ciphers on;


     ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;


    # Diffi Helman
    ssl_dhparam /etc/letsencrypt/live/site.com/dhparam.pem;

    #Enable OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_stapling_responder http://ocsp.int-x3.letsencrypt.org;
    resolver 127.0.0.1;

    # 0-RTT
    ssl_early_data on;
    proxy_set_header Early-Data $ssl_early_data;

    # Optimize session cache
    keepalive_timeout 40;
    ssl_session_cache   shared:SSL:40m;
    ssl_session_timeout 24h;

     # Enable session tickets
    ssl_session_tickets on;

    # set_cookie_flag HttpOnly secure;

    server_name site.com;

    error_log /var/www/site.com/logs/error.log;

    root /var/www/site.com/public/;
    index index.php;

    location = /sitemap.xml {   rewrite ^(.*)$ /index.php?route=feed/google_sitemap last;}

    location = /googlebase.xml {    rewrite ^(.*)$ /index.php?route=feed/google_base last;}

	location ~* (\.tpl|.twig|\.ini|\.log|(?<!robots)\.txt) {    deny all;}

	location /system {  rewrite ^/system/storage/(.*) /index.php?route=error/not_found last;}

	location ~* \/\.git {   deny all;}

	location ~* \/image.+(\.php) {  deny all;}

	location ~* \.(js|css|png|jpg|jpeg|gif|ico|webp)$ {
		expires 181d;
		log_not_found off;
	}


    location = /favicon.ico {
		log_not_found off;
		access_log off;
	}


    location /admin { index index.php; }

    location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	}

    location ~ /\. {
        access_log off;
        log_not_found off;
        deny all;
    }

    location / {
        if (!-e $request_filename) {
            rewrite ^/(.*)$ /index.php?_route_=$1 last;
        }
    }


    # location / {    try_files $uri $uri/ @opencart;}

    # location @opencart {    rewrite ^/(.+)$ /index.php?_route_=$1 last;}

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass  unix:/var/opt/remi/php71/run/php-fpm/php71-fpm-www.sock;
        # fastcgi_pass php-fpm;
        fastcgi_index index.php;
        # include fastcgi_params;
        include /etc/nginx/fastcgi.conf;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 16k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
        fastcgi_keep_conn on;
        fastcgi_read_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_param REDIRECT_STATUS 200;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_intercept_errors on;
        fastcgi_ignore_client_abort off;
        fastcgi_connect_timeout 60;


        add_header Content-Security-Policy "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report img-src * 'self' data: blob: https:; default-src 'self' https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://s.ytimg.com https://www.youtube.com https://site.com https://*.googleapis.com https://*.gstatic.com https://*.gravatar.com https://*.w.org data: 'unsafe-inline' 'unsafe-eval';" always;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Access-Control-Allow-Origin "https://site.com";
        add_header Referrer-Policy "origin-when-cross-origin" always;

         # Включаем HTTP Public Key Pinning Extension
        add_header Public-Key-Pins 'pin-sha256="ab+RseLsjKtlCtTfY1Gguz2+z2o19q8xZ7Yb8jKpuLs="; max-age=1512000';

         # Enable HSTS
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
    }
         # gzip
        gzip on;
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 9;
        gzip_min_length 10240;
        gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
        gzip_disable "msie6";

        # brotli
        brotli on;
        brotli_comp_level 11;
        brotli_types text/xml image/svg+xml application/x-font-ttf image/vnd.microsoft.icon application/x-font-opentype application/json font/eot application/vnd.ms-fontobject application/javascript font/otf application/xml application/xhtml+xml text/javascript  application/x-javascript text/plain application/x-font-truetype application/xml+rss image/x-icon font/opentype text/css image/x-win-bitmap;
}
# fastcgi_cache phpcache; # The name of the cache key-zone to use
# fastcgi_cache_valid 200 30m; # What to cache: 'Code 200' responses, for half an hour
# fastcgi_cache_methods GET HEAD; # What to cache: only GET and HEAD requests (not POST)
# fastcgi_cache_path /dev/ngx_cache levels=1:2 keys_zone=phpcache:100m inactive=60m;
# fastcgi_cache_key "$scheme$request_method$host$request_uri";

Ставлю чистый OcStore 2.3

После установки появилась проблема.

Не могу зайти в админку!

Пишу правильные данные.

И на сайте не могу переключить язык.

Какая то хрень блокирует отправку или получение Post запроса. Либо что еще.

Firewall отключал.

OcStore 3 работает без проблем.

В php-fpm, nginx ошибок нет

Когда пытаюсь восстановить пароль от админки пишет

maillog

postfix/sendmail[3637]: fatal: parameter inet_interfaces: no local interface found for ::1

Куда копать?

Ос Oracle 7.6, NGINX 1.17.1(Не стабильная)

Edited July 9, 2019 by fduw

100napb · July 10, 2019

10 hours ago, fduw said:

client_body_buffer_size 10K; client_header_buffer_size 1k; client_max_body_size 8m; large_client_header_buffers 2 1k; client_body_temp_path client_body_temp;

10 hours ago, fduw said:

fastcgi_buffers 8 16k; fastcgi_buffer_size 32k;

Просто бросилось в глаза... попробуйте для начала закомментировать вот эти параметры - будут работать значения по умолчанию. Особенно напрягает large_client_header_buffers 2 1k; который почему-то такой же как и client_header_buffer_size. 1кб - это обычно маловато.

10 hours ago, fduw said:

#Enable OCSP stapling ssl_stapling on; ssl_stapling_verify on; ssl_stapling_responder http://ocsp.int-x3.letsencrypt.org; resolver 127.0.0.1;

почему ресолвер вдруг локальный стал? обычно ж внешний dns ставят, типа 8.8.8.8

fduw · July 10, 2019

2 часа назад, 100napb сказал:

Просто бросилось в глаза... попробуйте для начала закомментировать вот эти параметры - будут работать значения по умолчанию. Особенно напрягает large_client_header_buffers 2 1k; который почему-то такой же как и client_header_buffer_size. 1кб - это обычно маловато.

почему ресолвер вдруг локальный стал? обычно ж внешний dns ставят, типа 8.8.8.8

Спойлер

FastCGI sent in stderr: "PHP message: PHP Warning:  SessionHandler::read(): open(/var/opt/remi/php71/lib/php/session/sess_jnn0bn6dchkvl1i2ancedn2ijs, O_RDWR) failed: Permission denied (13) in /var/www/site.ru/public/system/library/session/native.php on line 17
PHP message: PHP Warning:  session_start(): Failed to read session data: user (path: /var/opt/remi/php71/lib/php/session) in /var/www/site.ru/public/system/library/session.php on line 30
PHP message: PHP Warning:  SessionHandler::create_sid(): Session is not active in /var/www/site.ru/public/system/library/session/native.php on line 5" while reading response header from upstream, client: 84.18.121.182, server: site.ru, request: "POST /install/index.php?route=common/column_left/language HTTP/1.1", upstream: "fastcgi://unix:/var/opt/remi/php71/run/php-fpm/php71-fpm-www.sock:", host: "site.ru", referrer: "http://site.ru/install/index.php?route=install/step_1"

Оказалось проблема в сессиях.

Дал права для nginx'а

chown -R nginx:nginx /var/opt/remi/php71/lib/php/session

Только не понял почему для OcStore 3 таких проблем не было

100napb · July 11, 2019

19 hours ago, fduw said:

Reveal hidden contents


FastCGI sent in stderr: "PHP message: PHP Warning:  SessionHandler::read(): open(/var/opt/remi/php71/lib/php/session/sess_jnn0bn6dchkvl1i2ancedn2ijs, O_RDWR) failed: Permission denied (13) in /var/www/site.ru/public/system/library/session/native.php on line 17
PHP message: PHP Warning:  session_start(): Failed to read session data: user (path: /var/opt/remi/php71/lib/php/session) in /var/www/site.ru/public/system/library/session.php on line 30
PHP message: PHP Warning:  SessionHandler::create_sid(): Session is not active in /var/www/site.ru/public/system/library/session/native.php on line 5" while reading response header from upstream, client: 84.18.121.182, server: site.ru, request: "POST /install/index.php?route=common/column_left/language HTTP/1.1", upstream: "fastcgi://unix:/var/opt/remi/php71/run/php-fpm/php71-fpm-www.sock:", host: "site.ru", referrer: "http://site.ru/install/index.php?route=install/step_1"

Оказалось проблема в сессиях.

Дал права для nginx'а

chown -R nginx:nginx /var/opt/remi/php71/lib/php/session

Только не понял почему для OcStore 3 таких проблем не было

хорошо то, что хорошо кончается

В ОС3 из-коробки сессии хранятся в БД, в то время как в прошлых версия были файловыми.

Глючит Nginx OcStore 2.3 (Странная проблема)

Recommended Posts

fduw 0

Share this post

Link to post

Share on other sites

100napb 96

Share this post

Link to post

Share on other sites

fduw 0

Share this post

Link to post

Share on other sites

100napb 96

Share this post

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Similar Content

Recently Browsing 0 members

Меню покупок

Important Information