Differences

This shows you the differences between two versions of the page.

playground:playground [2020/08/03 17:18] – new w/ ssl peter-stadler
playground:playground [2024/08/06 19:36] – testing mguima
Line 1: Line 1:
 ====== PlayGround ====== ====== PlayGround ======
-~~NOTOC~~ 
  
-<WRAP info> +====== Bootlogs ====== 
-The playground is for experimenting. Play around as you like!\\ +==== OEM bootlog ==== 
-This page is for playing around and experimenting only, and can be deleted any time, therefore don't put anything here that shall last long time.\\ +<WRAP bootlog
-Use the [[inbox:start|Inbox]] to create new pages that are WIP, but shall find a permanent place in the wiki once they are considered finished. +<nowiki
- +... TBD ... 
-Add your content below the line and **leave this note in place.** +</nowiki
-</WRAP> +</WRAP>\\
- +
----- +
- +
-====== Nginx webserver====== +
- +
- +
- +
-[[http://wiki.nginx.org/|Nginx]] +
-is a high-performance HTTP/S server with other functions as well. +
-It is a perfect candidate to run on OpenWrt due to the performance and memory +
-handling. +
-**NB:** At this time (2020-07-21), the configuration described below is contained in the master, but not in the current release (19.07). +
- +
- +
- +
- +
- +
-===== Install ===== +
- +
- +
- +
-We can install Nginx with SSL (using libopenssl) by: +
-<code> opkg update && opkg install nginx-ssl </code> +
- +
-Of course there will be port issues if we installed +
-[[docs:guide-user:luci:luci.essentials|LuCI]] +
-before or after Nginx, since the standard LuCI package installs +
-[[docs:guide-user:services:webserver:uhttpd|uHTTPd]], +
-which also wants to claim port 80 (and port 443 for HTTPS). +
-So configuring and/or portforwarding may be neccessary. +
-There are ways to run +
-[[docs:guide-user:luci:luci.essentials#configuration|LuCI with Nginx]] +
-but that is not coverd here. +
-For a quick fix, just change the uhttpd port to something else in +
-''/etc/config/uhttpd''+
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
-===== Configuration ===== +
-/* Created by the following bash script that includes the source of some files: +
- * https://github.com/openwrt/packages/net/nginx-util/files/README.sh +
- */ +
- +
- +
- +
-The official Documentation contains a +
-[[https://docs.nginx.com/nginx/admin-guide/|Admin Guide]]. +
-Here we will look at some often used configuration parts and how we handle them +
-at OpenWrt. +
-At different places there are references to the official +
-[[https://docs.nginx.com/nginx/technical-specs/|Technical Specs]] +
-for further reading. +
- +
-**tl;dr:** When starting Nginx by ''/etc/init.d/nginx'', it creates its main +
-configuration dynamically based on a minimal template and the +
-[[docs:guide-user:base-system:uci|🡒UCI]] configuration. +
- +
-The UCI ''/etc/config/nginx'' contains initially: +
-| ''config server '_lan''' | Default server for the LAN, which includes all ''/etc/nginx/conf.d/*.locations''. | +
-| ''config server '_redirect2ssl''' | Redirects inexistent URLs to HTTPS (installed only for Nginx with SSL). | +
- +
-It enables also the ''/etc/nginx/conf.d/'' directory for further configuration: +
-| ''/etc/nginx/conf.d/$NAME.conf'' | Is included in the main configuration. It is prioritized over a UCI ''config server '$NAME' ''. | +
-| ''/etc/nginx/conf.d/$NAME.locations'' | Is include in the ''_lan'' server and can be re-used for others, too. | +
-| ''/etc/nginx/restrict_locally'' | Is include in the ''_lan'' server and allows only accesses from LAN. | +
- +
-Setup configuration (for a server ''$NAME''): +
-| ''nginx-util [add_ssl|del_ssl] $NAME''  | Add/remove a self-signed certificate and corresponding directives. | +
-| ''uci set nginx.$NAME.access_log='logd openwrt''' | Writes accesses to Openwrt’s [[docs:guide-user:base-system:log.essentials|🡒logd]]. | +
-| ''uci set nginx.$NAME.error_log='logd' '' | Writes errors to Openwrt’s [[docs:guide-user:base-system:log.essentials|🡒logd]]. | +
-| ''uci [set|add_list] nginx.$NAME.key='value' '' | Becomes a ''key value;'' directive if the //key// does not start with //uci_//. | +
-| ''uci set nginx.$NAME=[disable|server]'' |Disable/enable inclusion in the dynamic conf.| +
-| ''uci set nginx.global.uci_enable=false'' | Use a custom ''/etc/nginx/nginx.conf'' rather than a dynamic conf. | +
- +
- +
- +
-==== Basic ==== +
-/* Created by the following bash script that includes the source of some files: +
- * https://github.com/openwrt/packages/net/nginx-util/files/README.sh +
- */ +
- +
- +
-We modify the configuration by changing servers saved in the UCI configuration +
-at ''/etc/config/nginx'' and/or by creating different configuration files in the +
-''/etc/nginx/conf.d/'' directory. +
-These files use the file extensions ''.locations'' and ''.conf'' (plus ''.crt'' +
-and ''.key'' for Nginx with SSL).(( +
-We can disable a single configuration file by giving it another extension, e.g., +
-by adding ''.disabled''.)) +
-For the new configuration to take effect, we must reload it by: +
- +
-<code bash>service nginx reload</code+
- +
-For OpenWrt we use a special initial configuration, which is explained in the +
-section [[#openwrt_s_defaults|🡓OpenWrt’s Defaults]]. +
-So, we can make a site available at a specific URL in the **LAN** by creating a +
-''.locations'' file in the directory ''/etc/nginx/conf.d/''. +
-Such a file consists just of some +
-[[https://nginx.org/en/docs/http/ngx_http_core_module.html#location| +
-location blocks]]. +
-Under the latter link, you can find also the official documentation for all +
-available directives of the HTTP core of Nginx. +
-Look for //location// in the Context list. +
- +
-The following example provides a simple template, see at the end for +
-different [[#locations_for_apps|🡓Locations for Apps]]((look for +
-[[https://github.com/search?utf8=%E2%9C%93&q=repo%3Aopenwrt%2Fpackages +
-+extension%3Alocations&type=Code&ref=advsearch&l=&l=| +
-other packages using a .locations file]], too.)): +
- +
-<code nginx /etc/nginx/conf.d/example.locations> +
-location /ex/am/ple { +
- access_log off; # default: not logging accesses. +
- # access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout). +
- # error_log stderr; # default: logging to logd (init forwards stderr). +
- error_log /dev/null; # disable error logging after config file is read. +
- # (state path of a file for access_log/error_log to the file instead.) +
- index index.html; +
-+
-# location /eg/static { … } +
-</code> +
- +
-All location blocks in all ''.locations'' files must use different URLs, +
-since they are all included in the ''_lan'' server that is part of the +
-[[#openwrt_s_defaults|🡓OpenWrt’s Defaults]].(( +
-We reserve the ''location /'' for making LuCI available under the root URL, +
-e.g. [[http://192.168.1.1/|192.168.1.1/]]. +
-All other sites shouldn’t use the root ''location /'' without suffix.)) +
-We should use the root URL for other sites than LuCI only on **other** domain +
-names, e.g. we could make a site available at //www.example.com///+
-In order to do that, we create [[#new_server_parts|🡓New Server Parts]] for all +
-domain names. +
-For Nginx with SSL we can also activate SSL thereby, see +
-[[#ssl_server_parts|🡓SSL Server Parts]]. +
-We use such server parts also for publishing sites to the internet (WAN) +
-instead of making them available just locally (in the LAN). +
- +
-Via ''/etc/nginx/conf.d/*.conf'' files we can add directives to the //http// part of +
-the configuration. +
-If you would change the configuration ''uci.conf.template'' +
-instead, it is not updated to new package's versions anymore. +
-Although it is not recommended, you can also disable the whole UCI config and +
-create your own ''/etc/nginx/nginx.conf''; then invoke: +
- +
-<code bash>uci set nginx.global.uci_enable=false</code> +
- +
- +
- +
-==== New Server Parts ==== +
-/* Created by the following bash script that includes the source of some files: +
- * https://github.com/openwrt/packages/net/nginx-util/files/README.sh +
- */ +
- +
- +
-For making the router reachable from the WAN at a registered domain name, +
-it is not enough to give the name server the internet IP address of the router +
-(maybe updated automatically by a +
-[[docs:guide-user:services:ddns:client|🡒DDNS Client]]). +
-We also need to set up virtual hosting for this domain name by creating an +
-appropriate server section in ''/etc/config/nginx'' +
-(or in a ''/etc/nginx/conf.d/*.conf'' file, which cannot be changed using UCI). +
-All such parts are included in the main configuration of OpenWrt +
-([[#openwrt_s_defaults|🡓OpenWrt’s Defaults]]). +
- +
-In the server part, we state the domain as +
-[[https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name| +
-server_name]]. +
-The link points to the same document as for the location blocks in the +
-[[#basic|🡑Basic Configuration]]: the official documentation for all available +
-directives of the HTTP core of Nginx. +
-This time look for //server// in the Context list, too. +
-The server part should also contain similar location blocks as +
-++before.| +
-We can re-include a ''.locations'' file that is included in the server part for +
-the LAN by default. +
-Then the site is reachable under the same path at both domains, e.g., by +
-http://192.168.1.1/ex/am/ple as well as by http://example.com/ex/am/ple. +
-++ +
- +
-The [[#openwrt_s_defaults|🡓OpenWrt’s Defaults]] has a +
-''config server '_lan' '' containing a server part that listens on all +
-addresses, acts as //default_server// and allows connections from LAN only +
-(by including the file ''restrict_locally'' with //allow/deny// directives, cf. +
-the official documentation on +
-[[https://nginx.org/en/docs/http/ngx_http_access_module.html|limiting access]]). +
-For making another domain name accessible to all addresses, the corresponding +
-server part should listen on port //80// and contain the FQDN as //server_name//, +
-cf. the official documentation on +
-[[https://nginx.org/en/docs/http/request_processing.html|request_processing]]. +
- +
-We can add directives to a server in the UCI configuration by invoking +
-''uci [set|add_list] nginx.example_com.key=value''+
-If the //key// is not starting with //uci_//, it becomes a ''key value;'' +
-++directive.| +
-Although the UCI config does not support nesting like Nginx, we can add a whole +
-block as //value//+
-++ +
- +
-We cannot use dots in a //key// name other than in the //value//+
-In the following example we replace the dot in //example.com// by an +
-underscore for the UCI name of the server, but not for Nginx's //server_name//: +
- +
-<code bash> +
-uci add nginx server && +
-uci rename nginx.@server[-1]=example_com && +
-uci add_list nginx.example_com.listen='80' && +
-uci add_list nginx.example_com.listen='[::]:80' && +
-uci set nginx.example_com.server_name='example.com' && +
-uci add_list nginx.example_com.include='conf.d/example.com.locations' +
-# uci add_list nginx.example_com.location='/ { … }' # root location for this server. +
-</code> +
- +
-We can disable respective re-enable this server again by: +
- +
-<code bash> +
-uci set nginx.example_com=disable # respective: uci set nginx.example_com=server +
-</code> +
- +
-These changes are made in the RAM (and can be used until a reboot), we can save +
-them permanently by: +
- +
-<code bash>uci commit nginx</code> +
- +
-For creating a similar ''/etc/nginx/conf.d/example.com.conf'', we can adopt the +
-following: +
- +
-<code nginx /etc/nginx/conf.d/example.com.conf> +
-server { +
- listen 80; +
- listen [::]:80; +
- server_name example.com; +
- include 'conf.d/example.com.locations'; +
- # location / { … } # root location for this server. +
-+
-</code> +
- +
- +
- +
-==== SSL Server Parts ==== +
-/* Created by the following bash script that includes the source of some files: +
- * https://github.com/openwrt/packages/net/nginx-util/files/README.sh +
- */ +
- +
- +
-We can enable HTTPS for a domain if Nginx is installed with SSL support. +
-We need a SSL certificate as well as its key and add them by the directives +
-//ssl_certificate// respective //ssl_certificate_key// to the server part of the +
-domain. +
-The rest of the configuration is similar as for general +
-[[#new_server_parts|🡑New Server Parts]]. +
-We only have to adjust the listen directives by adding the //ssl// parameter and +
-changing the port from //80// to //443//. +
-See the official documentation for +
-[[https://nginx.org/en/docs/http/configuring_https_servers.html| +
-configuring HTTPS servers]], too. +
- +
-The official documentation of the SSL module contains an +
-[[https://nginx.org/en/docs/http/ngx_http_ssl_module.html#example| +
-example]] with some optimizations. +
-We can extend an existing UCI server section similarly, e.g., for the above +
-''config server 'example_com' '' we invoke: +
- +
-<code bash> +
-# Instead of 'del_list' the listen* entries, we could use '443 ssl' beforehand. +
-uci del_list nginx.example_com.listen='80' && +
-uci del_list nginx.example_com.listen='[::]:80' && +
-uci add_list nginx.example_com.listen='443 ssl' && +
-uci add_list nginx.example_com.listen='[::]:443 ssl' && +
-uci set nginx.example_com.ssl_certificate='/etc/nginx/conf.d/example.com.crt' && +
-uci set nginx.example_com.ssl_certificate_key='/etc/nginx/conf.d/example.com.key' && +
-uci set nginx.example_com.ssl_session_cache='shared:SSL:32k' && +
-uci set nginx.example_com.ssl_session_timeout='64m' && +
-uci commit nginx +
-</code> +
- +
-For making the server in ''/etc/nginx/conf.d/example.com.conf'' available +
-via SSL, we can make similar changes there. +
- +
-The following command creates a **self-signed** SSL certificate and changes the +
-corresponding configuration: +
- +
-<code bash>nginx-util add_ssl example_com</code> +
- +
-  - If a ''conf.d/example_com.conf'' file exists, it    adds //ssl_*// directives and changes the listen directives for the server.    Else it does that for the UCI server like in the example above. +
-  - Then, it checks if there is a certificate with key for the given name    that is valid for at least 13 months or tries to create a self-signed one. +
-  - When cron is activated, it installs a cron job for renewing the self-signed    certificate every year if needed, too. We can activate cron by:     <code bash>service cron enable && service cron start</code> +
- +
-This can be undone by invoking: +
- +
-<code bash>nginx-util del_ssl example_com</code> +
- +
-For creating a certificate and its key signed by Let’s Encrypt we can use +
-[[https://github.com/ndilieto/uacme|uacme]] or +
-[[https://github.com/Neilpang/acme.sh|acme.sh]], which are installed by: +
- +
-<code bash> +
-opkg update && opkg install uacme #or: acme #and for LuCI: luci-app-acme +
-</code> +
- +
-[[#openwrt_s_defaults|🡓OpenWrt’s Defaults]] include a UCI server for the LAN: +
-''config server '_lan' ''. It has //ssl_*// directives prepared for a +
-self-signed SSL certificate((Let’s Encrypt (and other CAs) cannot sign +
-certificates of a **local** server.)) +
-that is created on the first start of Nginx. +
-Furthermore, there is also a UCI server named ''_redirect2ssl'' that redirects +
-all HTTP requests for inexistent URLs to HTTPS. +
- +
- +
- +
-==== OpenWrt’s Defaults ==== +
-/* Created by the following bash script that includes the source of some files: +
- * https://github.com/openwrt/packages/net/nginx-util/files/README.sh +
- */ +
- +
- +
-Since Nginx is compiled with these presets, we can pretend that the main +
-configuration will always contain the following directives +
-(though we can overwrite them): +
- +
-<code nginx> +
-pid "/var/run/nginx.pid"; +
-lock_file "/var/lock/nginx.lock"; +
-error_log "stderr"; +
-proxy_temp_path "/var/lib/nginx/proxy"; +
-client_body_temp_path "/var/lib/nginx/body"; +
-fastcgi_temp_path "/var/lib/nginx/fastcgi";</code> +
- +
-When starting or reloading the Nginx service, the ''/etc/init.d/nginx'' script +
-sets also the following directives +
-(so we cannot change them in the used configuration file): +
- +
-<code nginx> +
-daemon off; # procd expects services to run in the foreground +
-</code> +
- +
-Then, it creates the main configuration ''uci.conf'' +
-dynamically from the template: +
- +
-<file nginx /etc/nginx/uci.conf.template> +
-# Consider using UCI or creating files in /etc/nginx/conf.d/ for configuration. +
-# Parsing UCI configuration is skipped if uci set nginx.global.uci_enable=false +
-# For details see: https://openwrt.org/docs/guide-user/services/webserver/nginx +
- +
-worker_processes auto; +
- +
-user root; +
- +
-events {} +
- +
-http { +
- access_log off; +
- log_format openwrt +
- '$request_method $scheme://$host$request_uri => $status' +
- ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer'; +
- +
- include mime.types; +
- default_type application/octet-stream; +
- sendfile on; +
- +
- client_max_body_size 128M; +
- large_client_header_buffers 2 1k; +
- +
- gzip on; +
- gzip_vary on; +
- gzip_proxied any; +
- +
- root /www; +
- +
- #UCI_HTTP_CONFIG +
- include conf.d/*.conf; +
-}</file> +
- +
-So, the access log is turned off by default and we can look at the error log +
-by ''logread'', as Nginx’s init script forwards stderr and stdout to the +
-[[docs:guide-user:base-system:log.essentials|🡒runtime log]]. +
-We can set the //error_log// and //access_log// to files, where the log +
-messages are forwarded to instead (after the configuration is read). +
-And for redirecting the access log of a //server// or //location// to the logd, +
-too, we insert the following directive in the corresponding block: +
- +
-<code nginx> access_log /proc/self/fd/1 openwrt;</code> +
- +
-If we setup a server through UCI, we can use the options //error_log// and/or +
-//access_log// with the path +
-++'logd'.| +
-When initializing the Nginx service, this special path is replaced by //stderr// +
-respective ///proc/self/fd/1// (which are forwarded to the runtime log). +
-++ +
- +
-For creating the configuration from the template shown above, the init.d script +
-replaces the comment ''#UCI_HTTP_CONFIG'' by all UCI servers. +
-For each server section in the the UCI configuration, it basically copies all +
-options into a Nginx //server { … }// part, in detail: +
-  * Options starting with ''uci_'' are skipped. Currently there is only  the ''option uci_manage_ssl=…'' in ++usage.| It is set to  //'self-signed'// when invoking ''nginx-util add_ssl …'' Then the corresponding certificate is re-newed if it is about to expire.  All those certificates are checked on the initialization of the Nginx service  and if Cron is available, it is deployed for checking them annually, too.++ +
-  * All other lists or options of the form ''key='value' '' are written  one-to-one as ''key value;'' directives to the configuration file.  Just the path //logd// has a special meaning for the logging directives  (described in the previous paragraph). +
- +
-The init.d script of Nginx uses the //nginx-util// for creating +
-the configuration file +
-++in RAM.| +
-The main configuration ''/etc/nginx/uci.conf'' is a symbolic link to this place +
-(it is a dead link if the Nginx service is not running). +
-++ +
- +
-We could use a custom configuration created at ''/etc/nginx/nginx.conf'' instead of the +
-dynamic configuration, too.(( +
-For using a custom configuration at ''/etc/nginx/nginx.conf'', we execute +
-<code bash>uci set nginx.global.uci_enable='false' </code> +
-Then the rest of the UCI config is ignored and init.d will not create the main +
-configuration dynamically from the template anymore. +
-For Nginx with SSL invoking +
-''nginx-util [add_ssl|del_ssl] $FQDN'' +
-will still try to change a server in ''conf.d/$FQDN.conf'' +
-(this is less reliable than for a UCI config as it uses regular expressions, not +
-a complete parser for the Nginx configuration).)) +
-This is not encouraged since you cannot setup servers using UCI anymore. +
-Rather, we can put custom configuration parts to ''.conf'' files in the +
-''/etc/nginx/conf.d/'' directory. +
-The main configuration pulls in all ''conf.d/*.conf'' files +
-into the //http {…}// block behind the created UCI servers. +
- +
-The initial UCI config is enabled and contains a server section for the LAN: +
- +
-<file nginx /etc/config/nginx> +
- +
-config main global +
- option uci_enable 'true' +
- +
-config server '_lan' +
- list listen '443 ssl default_server' +
- list listen '[::]:443 ssl default_server' +
- option server_name '_lan' +
- list include 'restrict_locally' +
- list include 'conf.d/*.locations' +
- option uci_manage_ssl 'self-signed' +
- option ssl_certificate '/etc/nginx/conf.d/_lan.crt' +
- option ssl_certificate_key '/etc/nginx/conf.d/_lan.key' +
- option ssl_session_cache 'shared:SSL:32k' +
- option ssl_session_timeout '64m' +
- option access_log 'off; # logd openwrt' +
- +
-config server '_redirect2ssl' +
- list listen '80' +
- list listen '[::]:80' +
- option server_name '_redirect2ssl' +
- option return '302 https://$host$request_uri'</file> +
- +
-The LAN server pulls in all ''.locations'' files from the directory +
-''/etc/nginx/conf.d/''+
-We can install the location parts of different sites there (see +
-[[#basic|🡑Basic Configuration]]) and re-include them into other servers. +
-This is needed especially for making them available to the WAN +
-([[#new_server_parts|🡑New Server Parts]]). +
-The LAN server becomes the //default_server// for all addresses on port //80// +
-and restricts the access to local addresses by including: +
-<file nginx /etc/nginx/restrict_locally> +
- allow ::1; +
- allow fc00::/7; +
- allow fec0::/10; +
- allow fe80::/10; +
- allow 127.0.0.0/8; +
- allow 10.0.0.0/8; +
- allow 172.16.0.0/12; +
- allow 192.168.0.0/16; +
- allow 169.254.0.0/16; +
- deny all;</file> +
- +
- +
-=== Additional Defaults for OpenWrt if Nginx is installed with SSL support === +
- +
-When Nginx is installed with SSL support, the //default_server// for the LAN +
-listens on port //443// instead (but still on all addresses restricted locally). +
-Additionally there is a server section that redirects requests for an inexistent +
-''server_name'' from HTTP to HTTPS. It acts as //default_server// if there is +
-++no other|; it uses an invalid name for that, more in the official +
-documentation on +
-[[https://nginx.org/en/docs/http/request_processing.html|request_processing]] +
-++. +
- +
-When starting or reloading the Nginx service, the init.d looks which UCI servers +
-have set ''option uci_manage_ssl 'self-signed' '', e.g., the LAN server. +
-For all those servers it checks if there is a certificate that is still valid +
-for 13 months or (re-)creates a self-signed one. +
-If there is any such server, it installs also a cron job that checks the +
-corresponding certificates once a year. +
-The option ''uci_manage_ssl'' is set to //'self-signed'// respectively removed +
-from a UCI server named ''example_com'' by the following +
-(see [[#ssl_server_parts|🡑SSL Server Parts]], too): +
- +
-<code bash> +
-nginx-util add_ssl example_com # respectively: nginx-util del_ssl example_com +
-</code> +
- +
- +
- +
-==== PHP with FastCGI ==== +
- +
- +
-Install [[https://www.php.net/manual/en/install.unix.commandline.php|PHP]] +
-using FastCGI: +
-<code> opkg update && opkg install php7-fastcgi</code> +
- +
-In the Nginx configuration we can include the file +
-[[https://github.com/nginx/nginx/blob/master/conf/fastcgi_params| +
-fastcgi_params]], which is installed by default. +
-We create a ''.location'' file like the following, see  +
-[[https://github.com/search?q=repo%3Aopenwrt%2Fpackages+fastcgi_pass +
-+extension%3Alocations+extension%3Aconf&type=Code| +
-other packages using fastcgi_pass]] +
-and Nginx's Wiki has a  +
-[[https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/+
-PHP FastCGI Example]], too: +
-<code nginx /etc/nginx/conf.d/php.locations> +
-location ~ [^/]\.php$ { +
-    #error_log /dev/null; +
-    fastcgi_connect_timeout 300s; +
-    fastcgi_read_timeout 300s; +
-    fastcgi_send_timeout 300s; +
-    fastcgi_buffer_size 32k; +
-    fastcgi_buffers 4 32k; +
-    fastcgi_busy_buffers_size 32k; +
-    fastcgi_temp_file_write_size 32k; +
-    client_header_timeout 10s; +
-    client_body_timeout 10s; +
-    send_timeout 60s; # default, increase if experiencing a lot of timeouts. +
-    output_buffers 1 32k; +
-    fastcgi_index index.php; +
-    include fastcgi_params; +
-    fastcgi_param HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerability. +
-    if (-f ) { +
-            # Only throw it at PHP-FPM if file exists (prevents PHP exploits). +
-            fastcgi_pass    127.0.0.1:1026;  # or: unix:/var/run/php-fpm.sock; +
-    } +
-+
-</code> +
- +
-<code ini /etc/php.ini> +
-doc_root = "YOUR/DOCUMENT/ROOT" +
-cgi.force_redirect = 1 +
-cgi.redirect_status_env = "yes"; +
-</code> +
- +
- +
- +
-==== uWSGI ==== +
- +
- +
-Install [[https://uwsgi-docs.readthedocs.io/en/latest/|uWSGI]] and needed plugins: +
-<code>opkg update && opkg install uwsgi # and the plugin(s) used. </code> +
- +
-In the Nginx configuration we can include the file +
-[[https://github.com/nginx/nginx/blob/master/conf/uwsgi_params| +
-uwsgi_params]], which is installed by default. +
-We create a ''.location'' file like the following, see also +
-[[https://github.com/search?q=repo%3Aopenwrt%2Fpackages+uwsgi_pass +
-+extension%3Alocations+extension%3Aconf&type=Code| +
-other packages using uwsgi_pass]] +
-and the +
-[[https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html| +
-uWSGI documentation for Nginx]], too: +
-<code nginx /etc/nginx/conf.d/mysite.locations> +
-location /mysite { +
-    # error_log /dev/null; +
-    include  /etc/nginx/uwsgi_params; +
-    uwsgi_pass unix:///var/run/mysite.socket; +
-    # for CGI (like in LuCI): +
-    # uwsgi_param SERVER_ADDR $server_addr; +
-    # uwsgi_modifier1 9; +
-+
-</code> +
- +
-For uWSGI, we create a configuration handling the application like the following, see  +
-[[https://github.com/search?q=repo%3Aopenwrt%2Fpackages+[uwsgi] +
-+extension%3Aini&type=Code| +
-other packages using uWSGI]], too: +
-<code ini /etc/uwsgi/vassals/mysite.ini> +
-[uwsgi] +
-strict = true +
-; adjust the needed plugins, path, name, user and socket for the application: +
-plugin =  +
-chdir = /path/to/app +
-mount = /mysite=app +
-; or use cgi = /mysite=/path/or/executable +
-uid = user +
-gid = nogroup +
-chmod-socket = 660 +
-chown-socket = user:nogroup +
-; Nginx runs as nouser:nogroup +
-if-not-env = UWSGI_EMPEROR_FD +
-socket = /var/run/mysite.socket +
-vacuum = true +
-; cheap = true +
-end-if = +
-disable-logging = true +
-log-format=%(method) %(uri) => return %(status) (%(rsize) bytes in %(msecs) ms) +
-manage-script-name = true +
-thunder-lock = true +
-enable-threads = true +
-threads = 3 +
-master = true +
-; processes = 3 +
-; cheaper-algo = spare +
-; cheaper = 1 +
-; cheaper-initial = 1 +
-; cheaper-step = 1 +
-; lazy-apps = true +
-; harakiri = 60 +
-; idle = 360 +
-</code>+
  
 +====== Bootlogs ======
 +=== OpenWRT bootlog ===
 +== System bootlog ==
 +<WRAP bootlog>
 +<nowiki>
 +... TBD ...
 +</nowiki>
 +</WRAP>\\
  
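Review bot: The removed `<WRAP info>` notice at the top of this hunk says "Add your content below the line and **leave this note in place.**", yet the change deletes it together with `~~NOTOC~~` and the `----` separator. Restore the notice and the separator, and put the new sections below them. The added text also declares `====== Bootlogs ======` twice at the top level, with inconsistent sub-levels: the first copy jumps straight to `==== OEM bootlog ====`, the second to `=== OpenWRT bootlog ===` and then `== System bootlog ==`. Merge both under a single Bootlogs heading and step the sub-headings down one level at a time. Both `<WRAP bootlog>` bodies contain only `... TBD ...`, so the revision replaces the whole Nginx draft with placeholders; if that draft is still wanted, move it to its own page before overwriting it here.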
  • Last modified: 2024/11/11 21:03
  • by signoretnt