Edit: I tried to use bbcode here to make my post more readable, but it seems not to work...
Hey,
The Owncloud Guys suggested to post about my problem here, because i experience some error when working with nginx and fastcgi.
On my owncloud installation, nginx's error log is spammed by the following error:
[code]
"FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: MY IP, server: MY DOMAIN, request: "GET /core/img/actions/history.svg HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "MY HOSTNAME/DOMAIN", referrer: "MY DOMAIN"
[/code]
The path after "GET" varies between the above and: "GET /core/img/actions/settings.svg", "GET /settings/img/users.svg" and multiple other .svg files. Sometimes, there is even a .php file in it, but most of the time it is an .svg.
Everything works fine, and the error does only occur when accessing OC with my browser, not when i try to sync it with FolderSync on my Android phone. I even could not observe the error when syncing with the Windows client...so it seems to be a problem with web access. I can browse the web interface, but certrain buttons are missing. And of course, the error quickly fills up my log.
My config looks as following: (Note, Owncloud is installed in a subdirectory, /srv/www/owncloud)
[code]
upstream php-handler {
server unix:/var/run/php5-fpm.sock;
}
server {
listen MY IP:4433 ssl;
server_name MY DOMAIN;
ssl_certificate /etc/ssl/owncloud/owncloud_full.crt;
ssl_certificate_key /etc/ssl/owncloud/owncloud.key;
ssl_dhparam /etc/ssl/owncloud/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/owncloud/comodo_full_chain.pem;
resolver DNS SERVERS valid=300s;
resolver_timeout 10s;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_trusted_certificate /etc/ssl/owncloud/comodo_full_chain.pem;
resolver 95.129.51.51 80.244.244.244 valid=300s;
resolver_timeout 10s;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers *LIST OF SECURE CIPHERS*;
ssl_session_timeout 10m;
ssl_session_cache off;
ssl_session_tickets on;
ssl_session_ticket_key /etc/nginx/ticketkey;
# Add headers to serve security related headers
add_header Strict-Transport-Security 'max-age=15768000; includeSubDomains; preload' always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
# Path to the root of your installation
root /srv/www;
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
index index.php;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
index index.php;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location / {
#include /etc/nginx/naxsi.rules;
rewrite ^/remote/(.*) /remote.php last;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ =404;
}
## This is for naxsi ##
# location /RequestDenied {
# return 418;
# }
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the location ~ \.php(?:$|/) { block
location ~* \.(?:css|js)$ {
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
# Optional: Don't log access to assets
access_log off;
}
location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
access_log off;
}
}
[/code]
So as you can see, this is the nginx config taken from the 8.2 documentation with SSL modifications. It is rated A+ on Qualys and everything works fine...but my error log is filled quickly by the "primary script unknown" error.
I've searched until page 4 on google (which means that i am truly desparate ;)), but i could not find a solution to my problem. Most of the times, some people suggested to move the "root" directive out of the location folder etc, but this is the case in my config...
Nginx seems to pass the wrong location to php5-fpm, becauxe php always looks into /srv/www/FILE and not into /srv/www/owncloud/FILE...
I would be glad if anybody had an idea to solve my problem...thank you in advance!
Hey,
The Owncloud Guys suggested to post about my problem here, because i experience some error when working with nginx and fastcgi.
On my owncloud installation, nginx's error log is spammed by the following error:
[code]
"FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: MY IP, server: MY DOMAIN, request: "GET /core/img/actions/history.svg HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "MY HOSTNAME/DOMAIN", referrer: "MY DOMAIN"
[/code]
The path after "GET" varies between the above and: "GET /core/img/actions/settings.svg", "GET /settings/img/users.svg" and multiple other .svg files. Sometimes, there is even a .php file in it, but most of the time it is an .svg.
Everything works fine, and the error does only occur when accessing OC with my browser, not when i try to sync it with FolderSync on my Android phone. I even could not observe the error when syncing with the Windows client...so it seems to be a problem with web access. I can browse the web interface, but certrain buttons are missing. And of course, the error quickly fills up my log.
My config looks as following: (Note, Owncloud is installed in a subdirectory, /srv/www/owncloud)
[code]
upstream php-handler {
server unix:/var/run/php5-fpm.sock;
}
server {
listen MY IP:4433 ssl;
server_name MY DOMAIN;
ssl_certificate /etc/ssl/owncloud/owncloud_full.crt;
ssl_certificate_key /etc/ssl/owncloud/owncloud.key;
ssl_dhparam /etc/ssl/owncloud/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/owncloud/comodo_full_chain.pem;
resolver DNS SERVERS valid=300s;
resolver_timeout 10s;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_trusted_certificate /etc/ssl/owncloud/comodo_full_chain.pem;
resolver 95.129.51.51 80.244.244.244 valid=300s;
resolver_timeout 10s;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers *LIST OF SECURE CIPHERS*;
ssl_session_timeout 10m;
ssl_session_cache off;
ssl_session_tickets on;
ssl_session_ticket_key /etc/nginx/ticketkey;
# Add headers to serve security related headers
add_header Strict-Transport-Security 'max-age=15768000; includeSubDomains; preload' always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
# Path to the root of your installation
root /srv/www;
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
index index.php;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
index index.php;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location / {
#include /etc/nginx/naxsi.rules;
rewrite ^/remote/(.*) /remote.php last;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ =404;
}
## This is for naxsi ##
# location /RequestDenied {
# return 418;
# }
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the location ~ \.php(?:$|/) { block
location ~* \.(?:css|js)$ {
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
# Optional: Don't log access to assets
access_log off;
}
location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
access_log off;
}
}
[/code]
So as you can see, this is the nginx config taken from the 8.2 documentation with SSL modifications. It is rated A+ on Qualys and everything works fine...but my error log is filled quickly by the "primary script unknown" error.
I've searched until page 4 on google (which means that i am truly desparate ;)), but i could not find a solution to my problem. Most of the times, some people suggested to move the "root" directive out of the location folder etc, but this is the case in my config...
Nginx seems to pass the wrong location to php5-fpm, becauxe php always looks into /srv/www/FILE and not into /srv/www/owncloud/FILE...
I would be glad if anybody had an idea to solve my problem...thank you in advance!