Fix Problem Using Nginx and Apache Both for Magento 2

Apache2magento-2.1nginxserver-setup

I am trying to use nginx as static web server front and apache processing the back end for Magento. but magento is showing me this error: Your web server is set up incorrectly and allows unauthorized access to sensitive files. Please contact your hosting provider.

Here is my website.conf for Nginx

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

#   root /var/www/website.com/html;
#   index index.php index.html index.htm index.nginx-debian.html;

    server_name website.com www.website.com;

        set $MAGE_ROOT /var/www/website.com/html;
        set $MAGE_MODE developer;

root $MAGE_ROOT/pub;

    index index.php;
    autoindex off;
    charset off;

    location /setup {
        root $MAGE_ROOT;
        location ~ ^/setup/index.php {
            fastcgi_pass   fastcgi_backend;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }

        location ~ ^/setup/(?!pub/). {
            deny all;
        }

        location ~ ^/setup/pub/ {
            add_header X-Frame-Options "SAMEORIGIN";
        }
    }

    location /update {
        root $MAGE_ROOT;

        location ~ ^/update/index.php {
            fastcgi_split_path_info ^(/update/index.php)(/.+)$;
            fastcgi_pass   fastcgi_backend;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_param  PATH_INFO        $fastcgi_path_info;
            include        fastcgi_params;
        }

        # deny everything but index.php
        location ~ ^/update/(?!pub/). {
            deny all;
        }

        location ~ ^/update/pub/ {
            add_header X-Frame-Options "SAMEORIGIN";
        }
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location /pub {
        location ~ ^/pub/media/(downloadable|customer|import|theme_customization/.*\.xml) {
            deny all;
        }
        alias $MAGE_ROOT/pub;
        add_header X-Frame-Options "SAMEORIGIN";
    }

 location /static/ {
    if ($MAGE_MODE = "production") {
      expires max;
    }

    # Remove signature of the static files that is used to overcome the browser cache
    location ~ ^/static/version {
      rewrite ^/static/(version\d*/)?(.*)$ /static/$2 last;
    }

    location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
      add_header Cache-Control "public";
      add_header X-Frame-Options "SAMEORIGIN";
      expires +1y;

      if (!-f $request_filename) {
        rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
      }
    }

    location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
      add_header Cache-Control "no-store";
      add_header X-Frame-Options "SAMEORIGIN";
      expires off;

      if (!-f $request_filename) {
         rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
      }
    }

    if (!-f $request_filename) {
      rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
    }

    add_header X-Frame-Options "SAMEORIGIN";
  }

    location /media/ {
        try_files $uri $uri/ /get.php?$args;

        location ~ ^/media/theme_customization/.*\.xml {
            deny all;
        }

        location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
            add_header Cache-Control "public";
            add_header X-Frame-Options "SAMEORIGIN";
            expires +1y;
            try_files $uri $uri/ /get.php?$args;
        }
        location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
            add_header Cache-Control "no-store";
            add_header X-Frame-Options "SAMEORIGIN";
            expires    off;
            try_files $uri $uri/ /get.php?$args;
        }
        add_header X-Frame-Options "SAMEORIGIN";
    }

    location /media/customer/ {
        deny all;
    }

    location /media/downloadable/ {
        deny all;
    }

    location /media/import/ {
        deny all;
    }

    location ~ cron\.php {
        deny all;
    }

    location ~ (index|get|static|report|404|503|phpinfo)\.php$ {
        try_files $uri =404;
        fastcgi_pass   fastcgi_backend;

        fastcgi_param  PHP_FLAG  "session.auto_start=off \n suhosin.session.cryptua=off";
        fastcgi_param  PHP_VALUE "memory_limit=1024M \n max_execution_time=18000";
        fastcgi_read_timeout 600s;
        fastcgi_connect_timeout 600s;
        fastcgi_param  MAGE_MODE $MAGE_MODE;

        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

       location ~ /\.ht {
                deny all;
        }

                location ~ \.php$ {      
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
         }

}

upstream fastcgi_backend {
    # socket
    # server unix:/var/run/php5-fpm.sock;
   server   unix:/var/run/php/php7.0-fpm.sock;
    # use tcp connection
    #  server  127.0.0.1:9000;

}

Here is my website.conf for apache

<VirtualHost 127.0.0.1:8080>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/website.com/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost> 
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Now I am trying to open phpinfo.php so I create new php file in the pub folder. Now whenever I tried to open website.com/phpinfo.php in browser it starts to download it.

What wrong I'm doing here?

Please help!

Best Answer

first your nginx is not configured as frontend cache/proxy server. you have 2 \.php$ blocks, one for php-fpm upstream and one for apache backend.

then probably apache is not configured to process php.

your best option is to use nginx as proxy cache + php-fpm servers loop. remove apache.

or

Listen 80

Instead you’ll need to tell apache to listen on a specific IP (you can have multiple Listen lines for multiple IPs)

Listen 192.170.2.1:80

When you change Apache to listen on specific interfaces some VirtualHost may fail to load if they are listening on specific IPs themselves. The address option in only applies when the main server is listening on all interfaces (or an alias of such). If you do not have an IP Listed in your tag, then you do not need to worry bout this. Otherwise make sure to remove the addr:port from the VirtualHost tag.

Make sure to update the NameVirtualHost directive in Apache for name-based virtual hosts.

Once you have apache configured to listen on a specific set of IPs you can do the same with nginx.

server { listen 192.170.2.2:80; ... }

Now that both servers are bound to specific IPs, both can then be started up on port 80. From there you would simply point the IP of the domain to the server you wish to use. In the case of WHM/Cpanel you can either manually configure the DNS entry for the domain going to nginx in WHM, or you can use your own DNS such as with your registrar to point the domain to the specific IP. Using the latter may break your mail/ftp etc configurations if the DNS entries are not duplicated correctly.

Though normally if you are setting up Nginx side-by-side with apache, you’ll have your domain configurations separate from the rest of the system. The above paragraph only applies if the domain you are using has already been added by cpanel/whm and you wish to have it served by nginx exclusively. [Scroll down for PHP considerations]

Apache behind Nginx

If you are using a control panel based hosting such as cpanel/whm, this method is not advised. Most of the servers configuration is handled automatically in those cases, and making manual changes will likely lead to problems (plus you won’t get support from the control panel makers or your hosting provider in most cases).

Using Nginx as the primary frontend webserver can increase performance regardless if you choose to keep Apache running on the system. One of Nginx’s greatest advantage is how well it serves static content. It does so much more efficiently than Apache, and with very little cost to memory or processing. So placing Nginx in front will remove that burdern off Apache, leaving it to concentrate on dynamic request or special scenarios.

This method is also popular for those who don’t want to use PHP via fastcgi, or install a separate php-fpm process.

First thing that needs to be done is to change the interface apache listens on:

Listen 127.0.0.1:8080

Above we bind Apache to the localhost on an alternate port, since only Nginx on the same machine will be communicating with Apache.

Note: Since Nginx needs to access the same files that Apache serves, you need to make sure that Nginx is setup to run as the same user as apache, or to make sure that the Nginx’s selected user:group has permission to read the web documents. Often times the webroot is owned by nobody or www-data and Nginx likewise can be setup to run as those users

Then in Nginx listening on port 80 (either on all interfaces such as 0.0.0.0 or to specific IPs, your choice) we would need to configure Nginx to serve the same content. Take for example this virtual host in an apache configuration:

DocumentRoot "/usr/local/www/mydomain.com" ServerName mydomain.com ServerAlias www.mydomain.com CustomLog /var/log/httpd/mydomain_access.log common ErrorLog /var/log/httpd/mydomain_error.log ... In Nginx the equivalent server configuration would be:

server { root /usr/local/www/mydomain.com; server_name mydomain.com www.mydomain.com;

  # by default logs are stored in nginx's log folder
  # it can be changed to a full path such as /var/log/...
  access_log logs/mydomain_access.log;
  error_log logs/mydomain_error.log;
  ...

}

The above would serve all static content from the same location, however PHP will simply come back as PHP source. For this we need to send any PHP requests back to Apache.

server { root /usr/local/www/mydomain.com; server_name mydomain.com www.mydomain.com;

  access_log logs/mydomain_access.log;
  error_log logs/mydomain_error.log;

  location / { 
        # this is the location block for the document root of this vhost
  } 

  location ~ \.php {
        # this block will catch any requests with a .php extension
        # normally in this block data would be passed to a FastCGI process

        # these two lines tell Apache the actual IP of the client being forwarded
        # Apache requires mod_proxy (http://bit.ly/mod_proxy) for these to work
        # Most Apache 2.0+ servers have mod_proxy configured already

        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;

        # this next line adds the Host header so that apache knows which vHost to serve
        # the $host variable is automatically set to the hostname Nginx is responding to

        proxy_set_header Host $host;

        # And now we pass back to apache
        # if you're using a side-by-side configuration the IP can be changed to
        # apache's bound IP at port 80 such as http://192.170.2.1:80

        proxy_pass http://127.0.0.1:8080;
  }

   # if you don't like seeing all the errors for missing favicon.ico in root
   location = /favicon.ico { access_log off; log_not_found off; }

   # if you don't like seeing errors for a missing robots.txt in root
   location = /robots.txt { access_log off; log_not_found off; }

   # this will prevent files like .htaccess .htpassword .secret etc from being served
   # You can remove the log directives if you wish to
   # log any attempts at a client trying to access a hidden file
   location ~ /\. { deny all; access_log off; log_not_found off; }

} In the case of rewriting (mod_rewrite) with apache behind nginx you can use an incredibly simple directive called try_files. Here’s the same code as above, but when changes made so that any files or folder not found by nginx gets passed to apache for processing (useful for situations like WordPress, or .htaccess based rewrites when the file or folder is not caught by Nginx)

server { root /usr/local/www/mydomain.com; server_name mydomain.com www.mydomain.com;

  access_log logs/mydomain_access.log;
  error_log logs/mydomain_error.log;

  location / { 
        # try_files attempts to serve a file or folder, until it reaches the fallback at the end
        try_files $uri $uri/ @backend;
  } 

  location @backend {
        # essentially the same as passing php requests back to apache

        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
  }
  # ... The rest is the same as the configuration above ...

} With the above configuration, any file or folder that exists will be served by Nginx (the php block will catch files ending in .php), otherwise it will be passed back to apache on the backend.

In some cases you may wish for everything to be passed to Apache unless otherwise specified, in which case you would have a configuration such as this:

server { root /usr/local/www/mydomain.com; server_name mydomain.com www.mydomain.com;

  access_log logs/mydomain_access.log;
  error_log logs/mydomain_error.log;

  location / {
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;

        proxy_set_header Host $host;

        proxy_pass http://127.0.0.1:8080;
  }

  # Example 1 - Specify a folder and it's content
  # To serve everything under /css from Nginx-only
  location /css { }

  # Example 2 - Specify a RegEx pattern such as file extensions
  # Serve certain files directly from Nginx
  location ~* ^.+\.(jpg|jpeg|gif|png|css|zip|pdf|txt|js|flv|swf|html|htm)$
  {
        # this will basically match any file of the above extensions
        # course if the file does not exist you'll see an Nginx error page as opposed
        # to apache's own error page. 
  }

} Personally I prefer to leave Nginx to handle everything, and specify exactly what needs to be passed back to Apache. But the last configuration above would more accurately allow .htaccess to function during almost-every request since almost everything gets passed back to apache. The css folder or any files found by the other location block would be served directly by nginx regardless if there’s an .htaccess file there, since only Apache processes .ht* files.

PHP Considerations If you are not familiar with Nginx, then it should be noted that Nginx does not have a PHP module like apache’s mod_php, instead you either need to build PHP with FPM (ie: php-fpm/fastcgi), or you need to pass the request to something that can handle PHP.

In the case of using Nginx with Apache you essentially have two choices:

1) Compile and Install PHP-FPM, thus running a seperate PHP process to be used by Nginx. This option is usually good if you want to keep the two webserver configurations separated from each other, that way any changes to one won’t affect the other. But of course it adds additional memory usage to the system.

2) Utilize Apache’s mod_php. This option is ideal when you will be passing data to apache as a backend. Even in a side-by-side scenario, you can utilize mod_php by proxying any php request to Apache’s IP. But in the side-by-side scenario you have to make sure that Apache is also configured to serve the same virtualhost that Nginx is requesting.

Speed-wise both methods are about the same when PHP is configured with the same set of options on both. Which option you choose depends solely on your needs. Another article that may be of interest in relations to this one would be Nginx as a Proxy to your Blog, which can be just as easily utilized on a single server (especially if you get multiple IP ranges like I do).

Best Answer

Related Solutions

Magento – Magento Admin Nginx 404

Magento – Apache 2.4 + Ngnix ? For Magento CE 1.9

or

Related Topic