In response to Axigen Forum question :-)
Hi,
Without knowing the problem involved, or if there is an Axigen configuration involved, I have shown below a basic nginx.conf configuration I use on any site. (Some modifications likely needed for your situation such as domain name and root directory.)
This indicates I have a web directory and content for the domain name as well as an Axigen installation. If installing a paid SSL it means you do not have to go through another process of installing Let's Encrypt with the certbot command. But, I have shown Let's Encrypt in the example. I don't know if this helps, but happy to show the basic nginx.conf that I use. I add more features of course. The main thing is to see if there is an error on the Nginx side of things. I have nginx version 1.27. You probably know, you test the config with the command nginx -t
If using Let's Encrypt, you have to install with certbot by first removing the stanza for port 443 and the line under port 80 for ```
return 301 ........
```
After the installation works, you put those back. (Just mentioning in case)
-------------------------------------------------------
# Should be the same directories on Debian but you can check, e.g. nginx -t or find the directories is any errors
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
server_names_hash_bucket_size 64;
client_max_body_size 50M;
include /etc/nginx/conf.d/*.conf;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_session_timeout 10m;
add_header Content-Security-Policy "object-src 'none'; base-uri 'none'; frame-ancestors 'self'; form-action 'self';";
# I used the following with WordPress but have not tested with Axigen:
# add_header X-Xss-Protection "1; mode=block" always;
# add_header X-Frame-Options "SAMEORIGIN" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header Permissions-Policy "autoplay=(), encrypted-media=(), fullscreen=(), geolocation=(), microphone=(), midi=()";
# add_header Clear-Site-Data "*";
server {
listen 80;
listen [::]:80;
# USER YOUR OWN DOMAIN NAME of course
server_name mydomain.com www.mydomain.com;
return 301 https://mydomain.com$request_uri;
# WE ASSUME THE ROOT WEBSITE DIRECTORY is /var/www/html but it can be anything (however Linux soft links tend not to work)
root /var/www/html;
index index.php index.html index.htm;
# Stop anyone trying to access the site via the IP address
set $test 0;
if ( $host != "mydomain.com" ){
set $test 1;
}
if ( $host != "www.mydomain.com" ){
set $test 1$test;
}
if ( $test = 11 ){
return 444; #CONNECTION CLOSED WITHOUT RESPONSE
}
location / {
index index.php index.html index.htm;
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
# SECURITY : Zero day Exploit Protection
try_files $uri =404;
# ENABLE : Enable PHP, listen fpm sock
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# CHECK YOUR php-fpm.d or php8.3-fpm.d directory (or whatever version) for the actual sock name used in www.conf
# and that nginx is used and not apache in the same file
fastcgi_pass unix:/run/php-fpm/www.sock;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
include fastcgi_params;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
# if you have a robots.txt file
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Assuming you have error .html files - you should have error files with some sort of content anyway
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
# end port 80
}
# start 443
server {
listen 443 ssl;
listen [::]:443 ssl;
# In current nginx version we have http2 on this separate line:
http2 on;
server_name mydomain.com;
root /var/www/html;
# server_tokens off;
# IN THIS EXAMPLE WE HAVE /etc/letsencrypt FOR THE SSL CERTIFICATE
# It can be a purchased SSL like /etc/ssl/certs and /etc/ssl/private/...
# We assume the SSL certificates are correctly added to Axigen and configured
ssl_certificate "/etc/letsencrypt/live/mydomain.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/mydomain.com/live/privkey.pem";
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
# Again, reduce hacker traffic
if ( $host != "mydomain.com" ){
return 444; #CONNECTION CLOSED WITHOUT RESPONSE
}
# Add expires headers for better performance tool ratings
location ~* .(?:ico|css|js|gif|jpe?g|png|jpg|woff2|eot|ttf|svg|woff)$ {
expires 30d;
add_header Pragma "public";
add_header Cache-Control "public";
}
# no use of memcached in this basic configuration:
location / {
index index.php index.html index.htm;
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
# SECURITY : Zero day Exploit Protection
try_files $uri =404;
# ENABLE : Enable PHP, listen fpm sock
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Again, use the correct sock as shown in www.conf file
fastcgi_pass unix:/run/php-fpm/www.sock;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
include fastcgi_params;
}
# Again, assuming you have a robots.txt file - not necessary though but typically used with WordPress installations
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
try_files $uri /index.php?$args;
}
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
# end port 443
}
# end nginx.conf
}
