Altering Nginx default configuration, and site templates.

Hi,
I've been running ispconfig for a year or so now, and have managed to solve most of my problems through reading the forums and documentation so far. This is a general question about best practices of altering the default configuration of nginx and virtual hosts.
I have a few improvements over the default nginx configuration, which I want to apply to all sites. I was wondering what the best way of doing this was.
If this was a standalone server, I'd be happily modifying /etc/nginx.conf and /etc/nginx/sites-enabled. However I'm unclear about what files ispconfig controls, and therefore asking what the best way of modifying them is.

Snippets:
All the sites on my installation run Wordpress, and I have a bunch of nginx security directives that I want to include. I know about 'snippets'. However the problem with my rules is that they need to be higher up the configuration file, rather than appended to the end, so when I use snippets they don't work.

Master vhost config:
I located the master vhost config file at /usr/local/ispconfig/server/conf/nginx_vhost.conf.master
I was able to successfully alter that to include a file at /etc/nginx/wp-security.conf with all my changes in. However I've noticed that the changes don't stick. I'm pretty sure that that file is update whenever there is an upgrade of ispconfig. Are there any other circumstances under which this file might get overwritten?
For now I've written a script to alert me if this file reverts back to a version without my changes, which runs once a day. Obviously this is a bit of a kludge, so I'd like to do it properly. What is the best way of making a change to nginx_vhost.conf.master stick? Is there an override mechanism? (eg a file placed in a certain place would automatically be included in all vhosts, like my system now currently does) If not, perhaps one of these would be useful in the future?

nginx.conf
I recently used ispconfig_LetsEncrypt and noticed that this included a couple of lines in the /etc/nginx.conf. file (the 'well-known-hosts' mime type directive), as is required. This presumably is also at risk of being overwritten. Usually when upgrading nginx (on Debian etc) you are given the choice to upgrade this file or not. The default is NOT, and I obviously would pick that. Does Ispconfig make any changes to nginx.conf too, or is that safe to modify, so that changes to that file, would presumably affect all vhosts running on that server.
(Or am I wrong in that assumption?)

/etc/nginx/conf.d/*.conf
In theory any file placed in this directory with the conf extension will be included in the main nginx.conf, after its included all the /etc/nginx/sites-enabled/ files. In practice I haven't been able to get this to work. Would this be a better way of modifying server-wide configuration? Is there a trick to making it work?
The directive I tested with was server_tokens Off;, which is easy to test for. I'd also like to use some add_header directives. If anyone has sucessfully got those to work serverwide from a conf file in the conf-d directory, I'd love to hear how you did it.

So there we have the options. What are people using? What is safest? Hoping to promote some discussion here.

 

Thanks Till. This is exactly what I needed. I'm sure I'll figure it out from here.

 

Hi,
sorry for popping up old thread, but may I ask for some help with both, NGINX directives and default INDEX.HTML/.PHP page placeholder?
I placed image.jpeg and index.php in /usr/local/ispconfig/server/conf-custom/index/ folder, but those files do not get copied over or linked to new site uppon creation. Where am I missing the point?

Second problem, how should I add NGINX directive (for Wordpress permalinks) to survive ISPConfig updates? I need to add this:

Code:

location / {
try_files $uri $uri/ /index.php?$args;
}

 

You should create a new thread for a new question.

For your second problem, you should be able to add System -> Directive Snippets to make life a bit easier.

 

As per website / web domain:
Sites > Websites > Web Domain > Option > Nginx Directives

But I think @Richard Foley advise is the best approach so you can simply select it later at the same place.

 

The "Option > Nginx Directives" you mention here are additional, not replacements. Is there a way to have a tick-box saying "ignore server config file for this website" ?
There are two issues we currently encounter:

- We have some web-sites (entire domain names) that require their own NGINX vhost conf files. Managed entirely separate from ISPConfig. They use some nginx snippets that are also under /etc/nginx/ that should not change when we update ispconfig, or when we create or manage sites using ispconfig. Is this possible? Is there some kind of exclusion file we can create with a list of conf files that ISPConfig ignores, while updating its config for sites that are managed by ispconfig?

and, related to that:
- Our users are fine having their LetsEncrypt-certs connected, that is to say, they don't mind having other user's domain names on our server ALL in one certificate, which changes the way we prefer to handle SSL/TLS certs, for postfix, dovecot as well as nginx conf files. We also prefer using cloudflare and DNS for obtaining the cert. It's not hard for us to manage this cert renewal outside of ispconfig, so that's all fine, but...
-> We would still like to have ispconfig managing postfix, dovecot, some nginx websites, and access for users so they can have jails and ftp accounts and so on, outside of the TLS/SSL config.

Are there others using ispconfig for such scenario? If so, did you encounter issues?

We can change the LE-cert file locations globally for postfix and dovecot templates, but thus far we have not succeeded doing that for nginx server conf for sites also fully managed by ispconfig. Separate config gets overwritten or deleted when we update ispconfig. I could not find a way to ignore entire nginx server conf files.

 

No. Not server config. For that the best is, may be, to use conf-custom folder?

 

You mean a custom conf dir for nginx only ? That's indeed a good idea. That way I can run everything separately for the few domains that need special server blocks (without the .well-known stuff etc..) and need not be touched/altered by ispconfig. Thanks for the hint.

Guess I can just set that dir from an include somewhere in the bottom of the main nginx.conf.

 

The original discussion is about nginx directives which are useful on per site basis but without affecting the default nginx config template that is used by the all sites in an ISPConfig web server.

As such, ISPConfig also allow users to customize such config template by copying them to conf-custom folder and modify them there, thus their custom config will be used instead of the default config, for all sites.

For example, to customize nginx master config template in ISPConfig, one may want to (1) check conf/ folder inside /usr/local/ispconfig/server, (2) find nginx_vhost.conf.master, (3) copy it to conf-custom/ folder (create it first if it doesn't exist) and finally (4) start customizing it in that target folder.

Upon using resync in ISPConfig panel tool section, all sites will sync to use the customized nginx config template instead of default.

Do check the manual or search online more on how to do that based on what you need.

Exploring is best but also feel free to ask, most preferably by opening your own new thread, and not disturbing or opening old threads, like this.