nginx throws many errors

TMaddox asked:

I have a fresh installation of an nginx server running nextcloud with letsencrypt. I thought I configured everything correctly, but now I thought I could check my logs and voila I got a bunch of errors, which I can't figure out how to fix 🙁

I already tried to modify my XYZ.com.conf, but it didn't work.

Any help is appreciated.

2018/05/04 19:22:09 [error] 4243#4243: ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, certificate: "/etc/letsencrypt/live/XYZ.com/fullchain.pem"
2018/05/04 19:22:40 [error] 4244#4244: *87 open() "/etc/nginx/html/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:22:41 [error] 4244#4244: *87 open() "/etc/nginx/html/owncloud/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /owncloud/status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:23:05 [error] 4243#4243: *94 open() "/etc/nginx/html/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:23:05 [error] 4243#4243: *94 open() "/etc/nginx/html/owncloud/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /owncloud/status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:23:36 [error] 4243#4243: *101 open() "/etc/nginx/html/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:23:36 [error] 4243#4243: *101 open() "/etc/nginx/html/owncloud/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /owncloud/status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:24:08 [error] 4243#4243: *108 open() "/etc/nginx/html/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:24:08 [error] 4243#4243: *108 open() "/etc/nginx/html/owncloud/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /owncloud/status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:24:40 [error] 4244#4244: *119 open() "/etc/nginx/html/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:24:40 [error] 4244#4244: *119 open() "/etc/nginx/html/owncloud/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /owncloud/status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:25:12 [error] 4244#4244: *126 open() "/etc/nginx/html/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:25:12 [error] 4244#4244: *126 open() "/etc/nginx/html/owncloud/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /owncloud/status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:25:44 [error] 4243#4243: *136 open() "/etc/nginx/html/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:25:45 [error] 4243#4243: *136 open() "/etc/nginx/html/owncloud/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /owncloud/status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:26:16 [error] 4243#4243: *143 open() "/etc/nginx/html/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:26:16 [error] 4243#4243: *143 open() "/etc/nginx/html/owncloud/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /owncloud/status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:26:48 [error] 4243#4243: *150 open() "/etc/nginx/html/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:26:48 [error] 4243#4243: *150 open() "/etc/nginx/html/owncloud/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /owncloud/status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:27:20 [error] 4243#4243: *154 open() "/etc/nginx/html/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:27:20 [error] 4243#4243: *154 open() "/etc/nginx/html/owncloud/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /owncloud/status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:27:52 [error] 4243#4243: *158 open() "/etc/nginx/html/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:27:52 [error] 4243#4243: *158 open() "/etc/nginx/html/owncloud/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /owncloud/status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:28:24 [error] 4243#4243: *162 open() "/etc/nginx/html/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /status.php HTTP/1.1", host: "XYZ.com"
2018/05/04 19:28:24 [error] 4243#4243: *162 open() "/etc/nginx/html/owncloud/status.php" failed (2: No such file or directory), client: XXX.XXX.XXX.XXX, server: XYZ.com, request: "GET /owncloud/status.php HTTP/1.1", host: "XYZ.com"

EDIT:

XYZ.com.conf

server {
    listen 80 default_server;
    server_name XYZ.com www.XYZ.com;

    root /var/www;

    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_redirect off;
    }       
    location / {
        # Enforce HTTPS
        # Use this if you always want to redirect to the DynDNS address (no local access).
        return 301 https://$server_name$request_uri;

        # Use this if you also want to access the server by local IP:
        #return 301 https://$server_addr$request_uri;
    }       
}

server {
    listen 443 ssl http2;
    server_name XYZ.com www.XYZ.com;

    #
    # Configure SSL
    #
    ssl on;

    # Certificates used
    ssl_certificate /etc/letsencrypt/live/XYZ.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/XYZ.com/privkey.pem;

    # Not using TLSv1 will break:
    #   Android <= 4.4.40
    #   IE <= 10
    #   IE mobile <=10
    # Removing TLSv1.1 breaks nothing else!
    ssl_protocols TLSv1.2;

    # Using the recommended cipher suite from: https://wiki.mozilla.org/Security/Server_Side_TLS
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # Specifies a curve for ECDHE ciphers.
    # High security, but will not work with Chrome:
    #ssl_ecdh_curve secp521r1;  
    # Works with Windows (Mobile), but not with Android (DavDroid):
    #ssl_ecdh_curve secp384r1;
    # Works with Android (DavDroid):
    ssl_ecdh_curve prime256v1; 

    # Server should determine the ciphers, not the client
    ssl_prefer_server_ciphers on;

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/XYZ.com/fullchain.pem;
    resolver XYZ.com;

    # SSL session handling
    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    #
    # Add headers to serve security related headers
    #  
    # HSTS (ngx_http_headers_module is required)
    # In order to be recognized by SSL test, there must be an index.html in the server's root
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Usually this should be "DENY", but when hosting sites using frames, it has to be "SAMEORIGIN"
    add_header Referrer-Policy "same-origin" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    location = / {
        # Disable access to the web root, the Nextcloud subdir should be used instead.
        #deny all;

        # If you want to be able to access the cloud using the webroot only, use the following command instead:
        rewrite ^ /nextcloud;
    }   

    #
    # Nextcloud
    #
    location = /favicon.ico {
        log_not_found off;
    }

    location ^~ /nextcloud {
        # Set max. size of a request (important for uploads to Nextcloud)
        client_max_body_size 10G;
        # Besides the timeout values have to be raised in nginx' Nextcloud config, these values have to be raised for the proxy as well
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        send_timeout 3600;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_max_temp_file_size 1024m;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:82;
        proxy_redirect off;
    }   
}

XYZ.com_letsencrypt.conf

server {
    listen 127.0.0.1:81;
    server_name 127.0.0.1;  

    location ^~ /.well-known/acme-challenge {
        default_type text/plain;
        root /var/www/letsencrypt;
    }
}

XYZ.com_nextcloud.conf

upstream php-handler {
    server unix:/run/php/php7.0-fpm.sock;
}

server {
    listen 82;
    server_name 127.0.0.1;

    # Add headers to serve security related headers
    # Use 'proxy_set_header' (not 'add_header') as the headers have to be passed through a proxy.
    proxy_set_header Strict-Transport-Security "max-age=15768000; includeSubDomains; always;";
    proxy_set_header X-Content-Type-Options "nosniff; always;";
    proxy_set_header X-XSS-Protection "1; mode=block; always;";
    proxy_set_header X-Robots-Tag none;
    proxy_set_header X-Download-Options noopen;
    proxy_set_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /var/www/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /nextcloud/public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /nextcloud/public.php?service=host-meta-json last;

    location = /.well-known/carddav { 
        return 301 $scheme://$host/nextcloud/remote.php/dav; 
    }

    location = /.well-known/caldav { 
        return 301 $scheme://$host/nextcloud/remote.php/dav; 
    }

    location /.well-known/acme-challenge { }

    location ^~ /nextcloud {
        # set max upload size
        client_max_body_size 10G;
        fastcgi_buffers 64 4K;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        # Uncomment if your server is build with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;

        location /nextcloud {
            rewrite ^ /nextcloud/index.php$uri;
        }

        location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
        }

        location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }

        location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
            include fastcgi_params;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            #Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;

            # Raise timeout values.
            # This is especially important when the Nextcloud setup runs into timeouts (504 gateway errors)
            fastcgi_read_timeout 600;
            fastcgi_send_timeout 600;
            fastcgi_connect_timeout 600;
            fastcgi_request_buffering off;

            # Pass PHP variables directly to PHP.
            # This is usually done in the php.ini. For more flexibility, these variables are configured in the nginx config.
            # All the PHP parameters have to be set in one fastcgi_param. When using more 'fastcgi_param PHP_VALUE' directives, the last one will override all the others.
            fastcgi_param PHP_VALUE "open_basedir=/var/www:/tmp/:/mnt/raid/data:/dev/urandom:/proc/meminfo
                upload_max_filesize = 10G
                post_max_size = 10G
                max_execution_time = 3600
                output_buffering = off";

            # Make sure that the real IP of the remote host is passed to PHP.
            fastcgi_param REMOTE_ADDR $http_x_real_ip;
        }

        location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
        }

        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~* \.(?:css|js)$ {
            try_files $uri /nextcloud/index.php$uri$is_args$args;
            proxy_set_header Cache-Control "public, max-age=7200";
            # Add headers to serve security related headers
            # Again use 'proxy_set_header' (not 'add_header') as the headers have to be passed through a proxy.
            proxy_set_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
            proxy_set_header X-Content-Type-Options nosniff;
            #proxy_set_header X-Frame-Options "SAMEORIGIN";
            proxy_set_header X-XSS-Protection "1; mode=block";
            proxy_set_header X-Robots-Tag none;
            proxy_set_header X-Download-Options noopen;
            proxy_set_header X-Permitted-Cross-Domain-Policies none;
            # Optional: Don't log access to assets
            access_log off;
        }

        location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
            try_files $uri /nextcloud/index.php$uri$is_args$args;
            # Optional: Don't log access to other assets
            access_log off;
        }
    }
}

My answer:


Your server block is missing a root directive. Thus the bizarre default /etc/nginx/html is used. Add the missing root directive.
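
A log triage sketch for the diagnosis in the answer above, added here as an example and not part of the original question or answer: it counts open() failures whose resolved path falls under the default root /etc/nginx/html, which indicates requests landing in a server block with no root in effect. The function name, the sample log lines, the host name and the client address are constructed for illustration.

```python
import re
from collections import Counter

# Default document root seen in the log on this page; it depends on the nginx build prefix.
DEFAULT_ROOT = "/etc/nginx/html"

# Matches "open() ... failed (2: No such file or directory)" error-log entries.
OPEN_FAIL = re.compile(
    r'\[error\] \d+#\d+: \*\d+ open\(\) "(?P<path>[^"]+)" failed '
    r'\(2: No such file or directory\), client: (?P<client>[^,]+), '
    r'server: (?P<server>[^,]*), request: "(?P<method>\S+) (?P<uri>[^\s"]+)'
)

def default_root_misses(log_text, default_root=DEFAULT_ROOT):
    """Count open() failures that resolved under nginx's built-in default root.

    Returns a Counter keyed by (server, uri). Any hit means the request was
    served from a server block or location with no root directive in effect.
    """
    prefix = default_root.rstrip("/") + "/"  # trailing slash avoids matching /etc/nginx/html2
    hits = Counter()
    for line in log_text.splitlines():
        m = OPEN_FAIL.search(line)
        if m and m.group("path").startswith(prefix):
            hits[(m.group("server"), m.group("uri"))] += 1
    return hits

# Constructed sample in the same format as the log above (host and IP are placeholders).
SAMPLE_LOG = """\
2018/05/04 19:22:09 [error] 4243#4243: ocsp.example.test could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.example.test, certificate: "/etc/letsencrypt/live/cloud.example.test/fullchain.pem"
2018/05/04 19:22:40 [error] 4244#4244: *87 open() "/etc/nginx/html/status.php" failed (2: No such file or directory), client: 203.0.113.7, server: cloud.example.test, request: "GET /status.php HTTP/1.1", host: "cloud.example.test"
2018/05/04 19:22:41 [error] 4244#4244: *87 open() "/etc/nginx/html/owncloud/status.php" failed (2: No such file or directory), client: 203.0.113.7, server: cloud.example.test, request: "GET /owncloud/status.php HTTP/1.1", host: "cloud.example.test"
2018/05/04 19:23:05 [error] 4243#4243: *94 open() "/etc/nginx/html/status.php" failed (2: No such file or directory), client: 203.0.113.7, server: cloud.example.test, request: "GET /status.php HTTP/1.1", host: "cloud.example.test"
2018/05/04 19:23:09 [error] 4243#4243: *95 open() "/var/www/nextcloud/missing.css" failed (2: No such file or directory), client: 203.0.113.7, server: 127.0.0.1, request: "GET /nextcloud/missing.css HTTP/1.0", host: "cloud.example.test"
"""

if __name__ == "__main__":
    for (server, uri), n in default_root_misses(SAMPLE_LOG).most_common():
        print(f"{n:3d}  server={server}  uri={uri}  -> no root directive in effect")
```

The default root is relative to the prefix nginx was built with, so pass the value that appears in your own log as `default_root` if it differs.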


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.