Altering Nginx default configuration, and site templates.

Discussion in 'Installation/Configuration' started by Plutocrat, Jan 27, 2016.

Thread Status:
Not open for further replies.
  1. Plutocrat

    Plutocrat New Member

    I've been running ispconfig for a year or so now, and have managed to solve most of my problems through reading the forums and documentation so far. This is a general question about best practices of altering the default configuration of nginx and virtual hosts.
    I have a few improvements over the default nginx configuration, which I want to apply to all sites. I was wondering what the best way of doing this was.
    If this was a standalone server, I'd be happily modifying /etc/nginx.conf and /etc/nginx/sites-enabled. However I'm unclear about what files ispconfig controls, and therefore asking what the best way of modifying them is.


    All the sites on my installation run Wordpress, and I have a bunch of nginx security directives that I want to include. I know about 'snippets'. However the problem with my rules is that they need to be higher up the configuration file, rather than appended to the end, so when I use snippets they don't work.

    Master vhost config:

    I located the master vhost config file at /usr/local/ispconfig/server/conf/nginx_vhost.conf.master
    I was able to successfully alter that to include a file at /etc/nginx/wp-security.conf with all my changes in. However I've noticed that the changes don't stick. I'm pretty sure that that file is update whenever there is an upgrade of ispconfig. Are there any other circumstances under which this file might get overwritten?
    For now I've written a script to alert me if this file reverts back to a version without my changes, which runs once a day. Obviously this is a bit of a kludge, so I'd like to do it properly. What is the best way of making a change to nginx_vhost.conf.master stick? Is there an override mechanism? (eg a file placed in a certain place would automatically be included in all vhosts, like my system now currently does) If not, perhaps one of these would be useful in the future?

    I recently used ispconfig_LetsEncrypt and noticed that this included a couple of lines in the /etc/nginx.conf. file (the 'well-known-hosts' mime type directive), as is required. This presumably is also at risk of being overwritten. Usually when upgrading nginx (on Debian etc) you are given the choice to upgrade this file or not. The default is NOT, and I obviously would pick that. Does Ispconfig make any changes to nginx.conf too, or is that safe to modify, so that changes to that file, would presumably affect all vhosts running on that server.
    (Or am I wrong in that assumption?)

    In theory any file placed in this directory with the conf extension will be included in the main nginx.conf, after its included all the /etc/nginx/sites-enabled/ files. In practice I haven't been able to get this to work. Would this be a better way of modifying server-wide configuration? Is there a trick to making it work?
    The directive I tested with was server_tokens Off;, which is easy to test for. I'd also like to use some add_header directives. If anyone has sucessfully got those to work serverwide from a conf file in the conf-d directory, I'd love to hear how you did it.

    So there we have the options. What are people using? What is safest? Hoping to promote some discussion here.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Snippets never need to be higher in the nginx config. You probably did not use the ##merge## and ##delete## statements in ISPConfig to add your code in the right sections of the configuration file or to replace default directives.

    Like with all ispconfig template files, manually altered versions have to be put into /usr/local/ispconfig/server/conf-custom/
  3. Plutocrat

    Plutocrat New Member

    Thanks Till. This is exactly what I needed. I'm sure I'll figure it out from here.
  4. labsy

    labsy Member

    sorry for popping up old thread, but may I ask for some help with both, NGINX directives and default INDEX.HTML/.PHP page placeholder?
    I placed image.jpeg and index.php in /usr/local/ispconfig/server/conf-custom/index/ folder, but those files do not get copied over or linked to new site uppon creation. Where am I missing the point?

    Second problem, how should I add NGINX directive (for Wordpress permalinks) to survive ISPConfig updates? I need to add this:
    location / {
    try_files $uri $uri/ /index.php?$args;
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    There is a misunderstanding on what this folder is for, you can only put files there with the same name of an ispconfig template file, files with other file endings or additional files as you did can not be put there.
    Richard Foley likes this.
  6. Richard Foley

    Richard Foley Member

    You should create a new thread for a new question.

    For your second problem, you should be able to add System -> Directive Snippets to make life a bit easier.

  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    As per website / web domain:
    Sites > Websites > Web Domain > Option > Nginx Directives

    But I think @Richard Foley advise is the best approach so you can simply select it later at the same place.
    Richard Foley likes this.
  8. slagroom

    slagroom Member

    The "Option > Nginx Directives" you mention here are additional, not replacements. Is there a way to have a tick-box saying "ignore server config file for this website" ?
    There are two issues we currently encounter:

    - We have some web-sites (entire domain names) that require their own NGINX vhost conf files. Managed entirely separate from ISPConfig. They use some nginx snippets that are also under /etc/nginx/ that should not change when we update ispconfig, or when we create or manage sites using ispconfig. Is this possible? Is there some kind of exclusion file we can create with a list of conf files that ISPConfig ignores, while updating its config for sites that are managed by ispconfig?

    and, related to that:
    - Our users are fine having their LetsEncrypt-certs connected, that is to say, they don't mind having other user's domain names on our server ALL in one certificate, which changes the way we prefer to handle SSL/TLS certs, for postfix, dovecot as well as nginx conf files. We also prefer using cloudflare and DNS for obtaining the cert. It's not hard for us to manage this cert renewal outside of ispconfig, so that's all fine, but...
    -> We would still like to have ispconfig managing postfix, dovecot, some nginx websites, and access for users so they can have jails and ftp accounts and so on, outside of the TLS/SSL config.

    Are there others using ispconfig for such scenario? If so, did you encounter issues?

    We can change the LE-cert file locations globally for postfix and dovecot templates, but thus far we have not succeeded doing that for nginx server conf for sites also fully managed by ispconfig. Separate config gets overwritten or deleted when we update ispconfig. I could not find a way to ignore entire nginx server conf files.
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    No. Not server config. For that the best is, may be, to use conf-custom folder?
  10. slagroom

    slagroom Member

    You mean a custom conf dir for nginx only ? That's indeed a good idea. That way I can run everything separately for the few domains that need special server blocks (without the .well-known stuff etc..) and need not be touched/altered by ispconfig. Thanks for the hint.

    Guess I can just set that dir from an include somewhere in the bottom of the main nginx.conf.
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    The original discussion is about nginx directives which are useful on per site basis but without affecting the default nginx config template that is used by the all sites in an ISPConfig web server.

    As such, ISPConfig also allow users to customize such config template by copying them to conf-custom folder and modify them there, thus their custom config will be used instead of the default config, for all sites.

    For example, to customize nginx master config template in ISPConfig, one may want to (1) check conf/ folder inside /usr/local/ispconfig/server, (2) find nginx_vhost.conf.master, (3) copy it to conf-custom/ folder (create it first if it doesn't exist) and finally (4) start customizing it in that target folder.

    Upon using resync in ISPConfig panel tool section, all sites will sync to use the customized nginx config template instead of default.

    Do check the manual or search online more on how to do that based on what you need.

    Exploring is best but also feel free to ask, most preferably by opening your own new thread, and not disturbing or opening old threads, like this.
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    @slagroom as @pyte and @ahrasis have mentioned, please do not revive old threads but start a new one instead of such posts.
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    You can also replace and extend the config with that. You can use the ##merge## and ##delete## statements in ISPConfig to add your code in the right sections of the configuration file or to replace default directives. You can find examples here in the forum and also a description on page 150 of the ISPConfig manual.

    If you want to generally alter the vhost template, use conf-custom folder as mentioned.

    As others mentioned, please make a new thread and do not revive such old threads. Posting to such old threads will cause notifications to the original authors to be sent and I guess someone who posted this question in 2016 and got his issue resolved does likely not want to receive emails in 2023 about posts to his already solved problem from many years ago.
    slagroom and Th0m like this.
Thread Status:
Not open for further replies.

Share This Page