Installation | Maintenance | Beyond Lino
Our nginx cheat sheet¶
- .conf¶
- nginx.conf¶
An nginx config file. All config files are in /etc/nginx/sites-available
and must be named with the suffix .conf.
To actually activate them, you must also create a symbolic link to each of them
in /etc/nginx/sites-enabled. This Debian-specific convention is okay for
us. It has the advantage that we can easily disable individual sites or do
temporary magics.
Our additional convention is to name them xxx.conf, where xxx matches the subdomain they serve.
Static websites¶
The main website serves at two subdomains www.example.com and example.com.
When somebody types just example.com (without www) in their browser, we
permanently redirect them to the canonical www.example.com. Here is a template
for a typical www.conf file:
server {
server_name www.example.com example.com;
if ($host = example.com) { return 301 https://www.$host$request_uri; }
root /path/to/www;
index index.html;
listen 80;
}
For additional subdomains the .conf file is even shorter:
server {
server_name foo.example.com;
root /path/to/foo;
index index.html;
listen 80;
}
How to add a new subdomain¶
You have already a website foo.example.com and now want to have another website bar.example.com:
$ sudo nano /etc/nginx/sites-available/bar.conf
Paste content from above templates and edit as needed:
$ sudo su
# cd /etc/nginx/sites-enabled
# ln -s /etc/nginx/sites-available/bar.conf .
# service nginx restart
# certbot --nginx -d bar.example.com
Note that the first filename given to ln -s should be the full path.
Invalid HTTP_HOST header¶
Problem: A new production server is sending lots of emails to ADMINS
saying [mysite] ERROR (EXTERNAL IP): Invalid HTTP_HOST header: ‘12.123.234.56’.
You may need to add ‘12.123.234.56’ to ALLOWED_HOSTS.
Explanation: there are robots called IP port scanners, both legitimate and suspicious, that try to get an answer from every IP address. The problem comes when nginx lets them pass though until Lino. Lino should not get bothered with such requests. But Lino is getting bothered because we haven’t defined any default server. These requests have no Host header.
The solution (found here) is to define a
default server in your prod.conf file. Something like this:
server {
listen 80 default_server;
listen 443 default_server ssl;
server_name "12.123.234.56";
ssl_certificate /etc/letsencrypt/live/bar.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/bar.example.com/privkey.pem; # managed by Certbot
return 444;
}