
NGINX: How to configure an SSL server + etherpad within a subdirectory


 

You will find below a working NGINX configuration to run Spip, and also etherpad-lite with restricted access in a subdirectory.

 

Pre-requisite :

OS = Debian > Install NGINX obviously :)

+

installation of Etherpad-lite \o/

Create a new virtual host (server block) in NGINX

nano or vim  /etc/nginx/sites-available/myNGO.org

Then adapt the config below according to your own domain and settings \m/

Note that the etherpad subdirectory location is also password-restricted through htpasswd, and you will need to follow this howto to set that up.

server {
        # Bare domain over plain HTTP: send everything to the canonical https://www host.
        listen 80;
        server_name myNGO.org;
	# A 301 turns a POST into a GET on most clients; 307 keeps the method and body.
	if ($request_method = POST) {
		return 307 https://www.myNGO.org$request_uri;
	}
        return 301 https://www.myNGO.org$request_uri;
}

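server {
	# www host over plain HTTP: redirect to HTTPS on the same host.
	listen 80;
	server_name www.myNGO.org;
	# 307 preserves the request method and body for form submissions.
	if ($request_method = POST) {
		return 307 https://$host$request_uri;
	}
	# "return 301" is the idiomatic form of the former
	# "rewrite ^ https://$host$request_uri? permanent;": $request_uri already
	# carries the query string, which the trailing "?" was only there to avoid duplicating.
	return 301 https://$host$request_uri;
}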

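# log_format is only allowed in the http context, so it must sit outside the
# server block (this file is included from the http block, see the map below).
log_format cache '***$time_local '
                 '$upstream_cache_status '
                 'Cache-Control: $upstream_http_cache_control '
                 'Expires: $upstream_http_expires '
                 '"$request" ($status) '
                 '"$http_user_agent" ';

server {
	# HTTPS vhost: serves Spip from /var/www/spip and proxies Etherpad-lite under /pad.
	# "listen ... ssl" replaces the deprecated "ssl on;" directive.
	listen 443 ssl;
	# The original had "wwww" (four w's), so this block never matched the host
	# that the HTTP vhosts redirect to.
	server_name www.myNGO.org;

	# Two access logs: the default format, plus the cache-diagnostics format above.
	access_log /var/log/nginx/myNGO.org.access.log;
	access_log /var/log/nginx/cache.log cache;
	client_max_body_size 15m;

	root /var/www/spip;
	index index.php index.html index.htm;

	ssl_certificate /etc/ssl/certs/www.myNGO.org.crt;
	ssl_certificate_key /etc/ssl/private/myNGO.org.key;
	# TLS 1.0/1.1 are deprecated (RFC 8996) and RC4 is prohibited (RFC 7465);
	# both were removed from the original list. The cipher string is kept on one
	# line because nginx does not treat a trailing backslash as a line continuation.
	ssl_protocols TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
	# HSTS. nginx's add_header is NOT inherited into a location that has its own
	# add_header, so the static-assets location below repeats it.
	add_header Strict-Transport-Security max-age=15552000;

	# Spip private directories must never be served directly.
	location ~ ^/(tmp|config)/ {
		return 403;
	}

	# Static assets: long browser cache lifetime, pre-compressed files if present.
	location ~* \.(jpg|jpeg|gif|css|png|js|ico|swf|mp3|pdf)(/?)$ {
		expires        1w;
		add_header  Cache-Control public;
		# Repeated here because add_header at this level hides the server-level one.
		add_header Strict-Transport-Security max-age=15552000;
		rewrite ^/(.*)/$ /$1 last;
		gzip_static on;
		log_not_found off;
	}

	error_page 404 /404.html;

	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
		root /usr/share/nginx/html;
	}

	location / {
		# standard files
		rewrite ^/([^/]*)robots\.txt$    /spip.php?page=robots.txt    last;
		rewrite ^/([^/]*)favicon\.ico$   /spip.php?page=favicon.ico   last;
		rewrite ^/([^/]*)sitemap\.xml$   /spip.php?page=sitemap.xml   last;
		rewrite ^/([^/]*)mobile\.html$    /spip.php?page=mobile_uk   last;

		# Anything that is not a real file or directory is handed to Spip's front controller.
		try_files $uri $uri/ /spip.php?q=$uri&$args;
		gzip_static on;
	}

	location ~ \.php$ {
		# Only pass scripts that exist on disk. Without this, a URI such as
		# /some/upload.jpg/x.php reaches PHP-FPM and, with cgi.fix_pathinfo=1,
		# the uploaded file would be executed as PHP.
		try_files $uri =404;

		include fastcgi_params;

		# Where to send the php data
		fastcgi_pass unix:/var/run/php5-fpm.sock;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

		# $ecrire = 1 for the Spip back-office (/ecrire), which must never be cached.
		set $ecrire 0;
		if ($uri ~ ^/ecrire.*) {
			set $ecrire 1;
		}

		# I want to activate cache
		# The "myNGOdotorg" zone has to be declared with fastcgi_cache_path in the
		# http context (not shown on this page).
		fastcgi_cache myNGOdotorg;
		fastcgi_cache_valid 302 5m;
		fastcgi_cache_valid 404 0;
		# fastcgi_cache_bypass only decides whether the cache is READ. Without
		# fastcgi_no_cache the response generated for a logged-in user
		# (spip_session cookie) or for the back-office would still be STORED and
		# could later be served to anonymous visitors.
		fastcgi_cache_bypass $cookie_spip_session $ecrire;
		fastcgi_no_cache $cookie_spip_session $ecrire;

		# Since we're caching for 30 minutes, keep the browser away for that time
		expires 30m;
	}

	# Root URL: send GET requests to the language-specific home page.
	location ~ ^/$ {
		# We will play with lang. Mapping is done in /etc/nginx/conf.d/lang.conf
		# We do not want to redirect POST because we would lose data and it sucks.
		if ($request_method = GET) {
			return 307 $scheme://$host/$lang/;
		}
	}

	# etherpadlite section on port 9001 with nginx proxy
	# "^~" makes this prefix win over the regex locations above, so /pad/*.js
	# and /pad/*.css are proxied instead of being looked up under /var/www/spip.
	location ^~ /pad {
		auth_basic            "Restricted";
		auth_basic_user_file  /var/www/etherpad-lite/.htpasswd;
		# Strip the /pad prefix before proxying; a bare /pad gets a trailing slash first.
		rewrite /pad/(.*) /$1 break;
		rewrite ^/pad$ /pad/ permanent;
		proxy_pass http://localhost:9001/;
		proxy_redirect / /pad/;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;  # http://wiki.nginx.org/HttpProxyModule
		proxy_buffering off;
		# WebSocket upgrade requires HTTP/1.1 towards the backend; without this
		# line the Upgrade/Connection headers below have no effect.
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
	}
}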

		# we're in the http context here (sites-enabled/* is included from the
		# http block), which is the only context where "map" is allowed.
		# Derives the Connection header sent to the Etherpad backend from the
		# client's Upgrade header: "upgrade" for WebSocket handshakes, "close"
		# for ordinary requests (empty Upgrade header).
		map $http_upgrade $connection_upgrade {
		  default upgrade;
		  ''      close;
		}

Then activate it by creating a symlink in /etc/nginx/sites-enabled/

ln -s /etc/nginx/sites-available/myNGO.org /etc/nginx/sites-enabled/
service nginx reload

 
