Archive | Nginx

Disable Basic Auth For Virtual Path On Plesk

By admin on February 16, 2018 in Apache, Nginx, Plesk

In a recent case we needed to allow request to a particular virtual URL path on a site that was password protected with HTTP Basic Auth. The site was hosted on a Linux server with Plesk, nginx and Apache. Typically this problem is solved by adding a “Satisfy Any” to the .htaccess in the directory that you want to remove authentication. But this does not work if the path is virtual instead of a physical directory path. Additionally we needed to allow access for a list of IP addresses. We tried an number of different solutions and ended up with the following:

Step 1 – The HTTP Basic Auth and IP access controls are configured in the .htaccess file like this:

# basic auth
AuthName "Authorized Only"
AuthType Basic
# password file is maintained from Plesk
AuthUserFile /var/www/vhosts/system/stage.acme.com/pd/d..httpdocs@donotremove
require valid-user

# set an environment variable if there is an AUTH_OVERRIDE header
SetEnvIf AUTH_OVERRIDE ^true AUTH_REQUEST

# set IP controls
order deny,allow
deny from all
allow from 1.1.1.1
allow from 2.2.2.2
# allow request if the environment variable is set
allow from env=AUTH_REQUEST

# require either Basic Auth or IP controls
Satisfy Any

# basic auth

AuthName "Authorized Only"

AuthType Basic

# password file is maintained from Plesk

AuthUserFile /var/www/vhosts/system/stage.acme.com/pd/d..httpdocs@donotremove

require valid-user

# set an environment variable if there is an AUTH_OVERRIDE header

SetEnvIf AUTH_OVERRIDE ^true AUTH_REQUEST

# set IP controls

order deny,allow

deny from all

allow from 1.1.1.1

allow from 2.2.2.2

# allow request if the environment variable is set

allow from env=AUTH_REQUEST

# require either Basic Auth or IP controls

Satisfy Any

Step 2 – In Plesk under:

Subscriptions -> stage.acme.com -> Apache & nginx settings -> Additional nginx directives

1	Subscriptions -> stage.acme.com -> Apache & nginx settings -> Additional nginx directives

Add the following block:

location ~ /excluded/path {
  proxy_set_header AUTH_OVERRIDE true;
  proxy_pass http://x.x.x.x:7080;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Accel-Internal /internal-nginx-static-location;
  access_log on;
}

location ~ /excluded/path {

proxy_set_header AUTH_OVERRIDE true;

proxy_pass http://x.x.x.x:7080;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Accel-Internal /internal-nginx-static-location;

access_log on;

}

where “/excluded/path” is the virtual URL to be allowed access and “x.x.x.x” is the IP address assigned to the site.

When a request comes is received, nginx looks for the path and adds the AUTH_OVERRIDE header. Then the request is passed to Apache which processes the .htaccess file. The AUTH_OVERRIDE header is converted to an “AUTH_REQUEST” environment variable and allow without authentication by the “allow from env=” rule.

There may be better ways to accomplish this solution but this is one that we successfully implemented.

Mixing Basic Auth And IP Access Controls

By admin on February 10, 2016 in Apache, Nginx

In some cases you might want to require HTTP Basic authentication to a site but allow specific IP addresses to skip the username/password. For Apache this can be configured with:

Order deny,allow
Deny from all
AuthType Basic
AuthUserFile .htpass
AuthName "Protected Area"
require valid-user
allow from x.x.x.x
allow from y.y.y.y
Satisfy Any

Order deny,allow

Deny from all

AuthType Basic

AuthUserFile .htpass

AuthName "Protected Area"

require valid-user

allow from x.x.x.x

allow from y.y.y.y

Satisfy Any

For nginx the configuration is:

satisfy any;
allow x.x.x.x;
allow y.y.y.y;
deny all;
auth_basic "Protected Area";
auth_basic_user_file .htpass;

satisfy any;

allow x.x.x.x;

allow y.y.y.y;

deny all;

auth_basic "Protected Area";

auth_basic_user_file .htpass;

Plesk 12.5 Protected Directories Break Nginx/PHP-FPM

By admin on November 27, 2015 in Nginx, Plesk

On Plesk 12.5, when using PHP-FPM with Nginx there’s a problem with the way protected directories are implemented. Each protected directory creates a “location” block in the Nginx config that proxies to Apache. So protected directories are implemented in Apache only. Nginx just passes through to Apache. This is not a great design choice in our opinion. Instead protected directories should be implemented directly in Nginx.

One of the side effects of the 12.5 implementation is that inside protected directories Apache handles PHP even if you have the domain configured to use Nginx with PHP-FPM. This is especially problematic if you have the entire site password protected. The “location /” block takes precedence over the “location *.php” block so the entire sites ends up using Apache instead going directly to PHP-FPM.

To get around this problem I do the following in Plesk:

Create a protected directory for “/protected”. Add users as needed.
On the “Apache & nginx Settings” screen, add the following to the “Additional nginx directives” field:

auth_basic "Restricted"; auth_basic_user_file /var/www/vhosts/system/acme.com/pd/d..httpdocs@protected;

1
2

auth_basic "Restricted";
auth_basic_user_file /var/www/vhosts/system/acme.com/pd/d..httpdocs@protected;
In your .htaccess file add:

AuthType Basic AuthUserFile "/var/www/vhosts/system/acme.com/pd/d..httpdocs@protected" Require valid-user

1
2
3

AuthType Basic
AuthUserFile "/var/www/vhosts/system/acme.com/pd/d..httpdocs@protected"
Require valid-user

The last step is important because we need both Apache and Nginx to enforce the protected directory.

MariaDB on CentOS 7 – “Error in accept: Too many open files”

By admin on August 28, 2015 in CentOS, MariaDB, Nginx

By default is seems the soft and hard open files limits on MariaDB in CentOS 7 are 1024 and 4096 respectfully. You can see these limits by first getting the process ID:

cat /var/run/mariadb/mariadb.pid

1	cat /var/run/mariadb/mariadb.pid

And then looking at the limits in the proc filesystem:

cat /proc/XXXXX/limits

1	cat /proc/XXXXX/limits

You’ll see something like this:

[root@web1 ~]# cat /proc/7688/limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        0                    unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             31209                31209                processes
Max open files            1024                 4096                 files
Max locked memory         65536                65536                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       31209                31209                signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us

[root@web1 ~]# cat /proc/7688/limits

Limit Soft Limit Hard Limit Units

Max cpu time unlimited unlimited seconds

Max file size unlimited unlimited bytes

Max data size unlimited unlimited bytes

Max stack size 8388608 unlimited bytes

Max core file size 0 unlimited bytes

Max resident set unlimited unlimited bytes

Max processes 31209 31209 processes

Max open files 1024 4096 files

Max locked memory 65536 65536 bytes

Max address space unlimited unlimited bytes

Max file locks unlimited unlimited locks

Max pending signals 31209 31209 signals

Max msgqueue size 819200 819200 bytes

Max nice priority 0 0

Max realtime priority 0 0

Max realtime timeout unlimited unlimited us

Notice the numbers for “Max open files”.

If you run into problems with MariaDB failing and you see errors like this in the log:

[ERROR] Error in accept: Too many open files

1	[ERROR] Error in accept: Too many open files

Then you need to increase the open files limits by editing:

/usr/lib/systemd/system/mariadb.service

1	/usr/lib/systemd/system/mariadb.service

and adding this line:

LimitNOFILE=infinity

1	LimitNOFILE=infinity

to the “[Service]” section. Then reload the systemctl daemon:

systemctl daemon-reload

1	systemctl daemon-reload

and restart the MariaDB service:

/sbin/service mariadb restart

1	/sbin/service mariadb restart

Now the limit will be increased. For example:

[root@web1 ~]# cat /proc/9910/limits
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        0                    unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             31209                31209                processes
Max open files            65536                65536                files
Max locked memory         65536                65536                bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       31209                31209                signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us

[root@web1 ~]# cat /proc/9910/limits

Limit Soft Limit Hard Limit Units

Max cpu time unlimited unlimited seconds

Max file size unlimited unlimited bytes

Max data size unlimited unlimited bytes

Max stack size 8388608 unlimited bytes

Max core file size 0 unlimited bytes

Max resident set unlimited unlimited bytes

Max processes 31209 31209 processes

Max open files 65536 65536 files

Max locked memory 65536 65536 bytes

Max address space unlimited unlimited bytes

Max file locks unlimited unlimited locks

Max pending signals 31209 31209 signals

Max msgqueue size 819200 819200 bytes

Max nice priority 0 0

Max realtime priority 0 0

Max realtime timeout unlimited unlimited us

UPDATE: We’ve seen similar problems with nginx. The solution is similar … increase the limits for the nginx service.

UPDATE: As noted by Bastiaan Welmers in the comments, it better to copy the service control file then to edit:

cp /usr/lib/systemd/system/mariadb.service /etc/systemd/system/

1	cp /usr/lib/systemd/system/mariadb.service /etc/systemd/system/

UPDATE:

As describe here:

https://docs.fedoraproject.org/en-US/quick-docs/systemd-understanding-and-administering/#_modifying_existing_systemd_services

Create an override file with:

systemctl edit mariadb.service

1	systemctl edit mariadb.service

or:

/etc/systemd/system/mariadb.service.d/override.conf

1	/etc/systemd/system/mariadb.service.d/override.conf

Put the modified settings in the override file:

[Service]
LimitNOFILE=infinity

1 2	[Service] LimitNOFILE=infinity

Reload systemd config:

systemctl --system daemon-reload

1	systemctl --system daemon-reload

And restart mariadb:

systemctl restart mariadb.service

1	systemctl restart mariadb.service

UPDATE:

On server with Plesk, view the current open files limit with:

egrep "open files" /proc/$(cat `plesk db -Ne "show variables like 'pid_file'" | awk '{print $2}'`)/limits

1	egrep "open files" /proc/$(cat `plesk db -Ne "show variables like 'pid_file'" \| awk '{print $2}'`)/limits

Force HTTP On Nginx

By admin on August 20, 2015 in Nginx

Simple configuration line to redirect HTTPS requests to HTTP:

if ($https = "on") {
    return 301 http://acme.com$request_uri;
}

if ($https = "on") {

return 301 http://acme.com$request_uri;

}

← Previous 1 2 3 … 5 Next →

Need help immediately?

$100/hour
Satisfaction Guaranteed

Top Nav

Navigation