Closed schel4ok closed 3 years ago
It is included. It's not actually possible to build nginx without that module.
then why this conf gives me 500 Internal Server Error when I try to access from LAN2 ?
allow 192.168.1.0/24; # allow anyone in LAN1
allow 192.168.2.0/24; # allow anyone in LAN2
deny all; # drop rest of the world
and when I check what is included I cannot find ngx_http_access_module in the list
# nginx -V
nginx version: nginx/1.19.5
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.19.5/debian/debuild-base/nginx-1.19.5=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
The module is always built, so it's not something that can be disabled or enabled via configure line while building nginx.
Please show the full configuration and error logs from your installation after such a request results in 500.
Here is extract from docker-compose
nginx: # frontend
container_name: nginx
build:
context: ./nginx
depends_on:
- php
environment:
TZ: ${WORKSPACE_TIMEZONE}
working_dir: /var/www
volumes:
- ./nginx/nginx.conf:/etc/nginx/nginx.conf # основной конфиг
- ./nginx/conf.d:/etc/nginx/conf.d # папка с конфигами сайтов
- ./nginx/logs:/var/log/nginx/ # папка с логами
- ${PROJECTS}:/var/www # папка с сайтами
- ${SSL_CERT_PROJECT1}:/etc/ssl/private/project1.ru
- ${SSL_CERT_PROJECT2}:/etc/ssl/private/project2.ru
ports:
- 85:80
- 450:443
restart: always
networks:
- internal
nginx Dockerfile
FROM nginx:alpine
RUN addgroup -g 1014 -S http && adduser -u 1014 -D -S -G http http
# 1014 is id of my http user on host machine
RUN mkdir -p /etc/ssl/private/project1.ru \
&& mkdir -p /etc/ssl/private/project2.ru \
&& chown -R http:http /etc/ssl/private
WORKDIR /var/www
Output file nginx -T
is quite long, so I better put extracts here.
In main nginx.conf
file I changed only 2 things:
1) change user from nginx to http
2) uncomment gzip on;
in http context.
#user nginx;
user http;
...
http {
...
gzip on;
...
}
In conf.d directory I have few conf files for each webservice. Here is the one host, which I have problems with access
# configuration file /etc/nginx/conf.d/server.conf:
server {
listen 80 default;
server_name server.lan mydns.ext www.mydns.ext;
root /var/www/mydns.ext;
# redirect http://www.domain.ru -> http://domain.ru
if ($host ~* "^www\.(.*)$") {
return 301 $scheme://$1$request_uri;
}
error_log /var/log/nginx/mydns.error.log;
access_log /var/log/nginx/mydns.access.log combined if=$loggable;
location ~ ^/adminer(/.*$|$) {
allow 192.168.1.0/24; # allow anyone in LAN1
allow 192.168.2.0/24; # allow anyone in LAN2
deny all; # drop rest of the world
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/html/index.php; # this is the important part
fastcgi_pass adminer:9000; # host and port goes here
}
}
Here is the error after try to access adminer if allow and deny rules uncommented.
192.168.142.1 - - [21/Dec/2020:20:49:42 +0300] "GET /adminer HTTP/1.1" 500 579 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
192.168.142.1 - - [21/Dec/2020:20:49:43 +0300] "GET /favicon.ico HTTP/1.1" 500 579 "http://server.lan/adminer" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
Nginx has local IP address in docker 192.168.142.3 and gateway 192.168.142.1 (this info I got from portainer) Host machine where docker installed has IP address in 192.168.1.0/24 (LAN1) and PC from where I try to access adminer has IP address in 192.168.2.0/24 (LAN2). LAN1 and LAN2 connected using VPN.
What's in /var/log/nginx/mydns.error.log for those requests?
mydns.access.log
192.168.142.1 - - [22/Dec/2020:19:09:44 +0300] "GET /adminer HTTP/1.1" 500 579 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
192.168.142.1 - - [22/Dec/2020:19:09:44 +0300] "GET /favicon.ico HTTP/1.1" 500 579 "http://server.lan/adminer" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
mydns.error.log
2020/12/22 19:09:44 [error] 199#199: *15046 access forbidden by rule, client: 192.168.142.1, server: server.lan, request: "GET /adminer HTTP/1.1", host: "server.lan"
2020/12/22 19:09:44 [error] 199#199: *15046 could not find named location "@error_page", client: 192.168.142.1, server: server.lan, request: "GET /adminer HTTP/1.1", host: "server.lan"
2020/12/22 19:09:44 [error] 199#199: *15047 open() "/var/www/mydns.ext/favicon.ico" failed (2: No such file or directory), client: 192.168.142.1, server: server.lan, request: "GET /favicon.ico HTTP/1.1", host: "server.lan", referrer: "http://server.lan/adminer"
2020/12/22 19:09:44 [error] 199#199: *15047 could not find named location "@error_page", client: 192.168.142.1, server: server.lan, request: "GET /favicon.ico HTTP/1.1", host: "server.lan", referrer: "http://server.lan/adminer"
As you can see, error_page is triggered for 403 (access forbidden) and 404 (file not found).
As you don't have a proper location defined for it (although specified in error_page which must be somewhere in your configuration that you didnt post), nginx issues a 500s. Fix that and you'll get proper responses.
I have this in http context, which I believe should be applied to all hosts
error_page 400 401 402 403 404 405 406 407 408 500 501 502 503 504 505 @error_page;
You don't have a @error_page location.
If I delete that string, then I see 403 Forbidden on web page and access forbidden in the log
2020/12/22 21:40:05 [error] 229#229: *15194 access forbidden by rule, client: 192.168.142.1, server: server.lan, request: "GET /adminer HTTP/1.1", host: "server.lan"
I checked that it happens only when deny all
is uncommented in my configuration.
But I cannot understand why this rule blocks access to me, because I am in LAN and I have allow rule before deny.
also if I do docker-compose exec "nginx" ls /etc/nginx/modules
then I see this list
ngx_http_geoip_module-debug.so ngx_http_xslt_filter_module-debug.so
ngx_http_geoip_module.so ngx_http_xslt_filter_module.so
ngx_http_image_filter_module-debug.so ngx_stream_geoip_module-debug.so
ngx_http_image_filter_module.so ngx_stream_geoip_module.so
ngx_http_js_module-debug.so ngx_stream_js_module-debug.so
ngx_http_js_module.so ngx_stream_js_module.so
500 is not "blocking access", it's a misconfiguration of a server. With error_page 400... @error_page;
, you're telling nginx to internally redirect to @error_page location when deny event happens. Since this location is not available in your configuration, nginx errors out. See http://nginx.org/en/docs/http/ngx_http_core_module.html#error_page for more details.
Regarding as to why this rule blocks you, your logs suggest that you're coming from 192.168.142.1, and not 192.168.1.0 or 192.168.2.0. You need to check your network settings & NATs to figure out why this happens.
I need ngx_http_access_module, but it is not included in docker nginx:latest. How I can install it? No instruction about it on docker hub. And here I found few issues about external modules, but no clear solution.