Nginx Debian 9

Discussion in 'Installation/Configuration' started by mmdollar, Jun 21, 2017.

  1. mmdollar

    mmdollar Member

    Hello everyone, so I tried the new tutorial to install ISPConfig3 on Debian Stretch (9). I used this guide; the only difference is that I installed Nginx rather than Apache2. When I try to deploy ISPConfig3 I am getting this error while the installation is running:
    Code:
    PHP Warning:  symlink(): No such file or directory in /tmp/ispconfig3-stable-3.1-e313d006f6b7ea0d26bc9c1c11643c6b79b36a3f/install/lib/installer_base.lib.php on line 2116
    This is on both stable and testing versions of ISPConfig3.

    Any idea what I am doing wrong? I cannot access the web interface of ISPConfig3; it gives me "Connection Refused" (UFW is installed but it's disabled so I can configure it from ISPConfig3). In the Nginx dir I can see the vhost of ISPConfig3 (and apps too) in sites-available, but there is no dir sites-enabled. If anyone has a solution or direction, please share :) .
     
    Last edited: Jun 21, 2017
  2. mmdollar

    mmdollar Member

    Below is the htf_report.txt:
    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.1dev
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 7.0.19-1
    
    ##### PORT CHECK #####
    
    [WARN] Port 8080 (ISPConfig) seems NOT to be listening
    [WARN] Port 8081 (ISPConfig Apps) seems NOT to be listening
    [WARN] Port 443 (Webserver SSL) seems NOT to be listening
    [WARN] Port 22 (SSH server) seems NOT to be listening
    
    ##### MAIL SERVER CHECK #####
    
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
            Unknown process (nginx:) (PID 23446)
    [INFO] I found the following mail server(s):
            Postfix (PID 30314)
    [INFO] I found the following pop3 server(s):
            Dovecot (PID 30363)
    [INFO] I found the following imap server(s):
            Dovecot (PID 30363)
    [INFO] I found the following ftp server(s):
            PureFTP (PID 30417)
    
    ##### LISTENING PORTS #####
    (only           ()
    Local           (Address)
    [localhost]:10026               (30344/amavisd-new)
    [anywhere]:3306         (30105/mysqld)
    [localhost]:10027               (30314/master)
    [anywhere]:587          (30314/master)
    [localhost]:11211               (11395/memcached)
    [anywhere]:110          (30363/dovecot)
    [anywhere]:143          (30363/dovecot)
    [anywhere]:111          (510/rpcbind)
    [anywhere]:80           (23446/nginx:)
    [anywhere]:465          (30314/master)
    ***.***.***.***:53              (30425/named)
    [localhost]:53          (30425/named)
    [anywhere]:21           (30417/pure-ftpd)
    [localhost]:953         (30425/named)
    [anywhere]:25           (30314/master)
    [anywhere]:993          (30363/dovecot)
    [anywhere]:995          (30363/dovecot)
    [anywhere]:1252         (537/sshd)
    [localhost]:10023               (945/postgrey)
    [localhost]:10024               (30344/amavisd-new)
    [localhost]:10025               (30314/master)
    *:*:*:*::*:10026                (30344/amavisd-new)
    *:*:*:*::*:587          (30314/master)
    [localhost]10           (30363/dovecot)
    [localhost]43           (30363/dovecot)
    [localhost]11           (510/rpcbind)
    *:*:*:*::*:465          (30314/master)
    *:*:*:*::*:53           (30425/named)
    *:*:*:*::*:21           (30417/pure-ftpd)
    *:*:*:*::*:953          (30425/named)
    *:*:*:*::*:25           (30314/master)
    *:*:*:*::*:993          (30363/dovecot)
    *:*:*:*::*:995          (30363/dovecot)
    [localhost]252          (537/sshd)
    *:*:*:*::*:10023                (945/postgrey)
    *:*:*:*::*:10024                (30344/amavisd-new)
    
    
    
    
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    f2b-postfix-sasl  tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 25
    f2b-dovecot  tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 110,995,143,993,587,465,4190
    f2b-pure-ftpd  tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 21
    f2b-sshd   tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 22
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain f2b-dovecot (1 references)
    target     prot opt source               destination
    RETURN     all  --  [anywhere]/0            [anywhere]/0
    
    Chain f2b-postfix-sasl (1 references)
    target     prot opt source               destination
    RETURN     all  --  [anywhere]/0            [anywhere]/0
    
    Chain f2b-pure-ftpd (1 references)
    target     prot opt source               destination
    RETURN     all  --  [anywhere]/0            [anywhere]/0
    
    Chain f2b-sshd (1 references)
    target     prot opt source               destination
    RETURN     all  --  [anywhere]/0            [anywhere]/0
    I installed Nginx directly from:
    Code:
    deb http://nginx.org/packages/debian/ stretch nginx
    deb-src http://nginx.org/packages/debian/ stretch nginx
    Default config file from nginx (/etc/nginx/conf.d/default.conf) after installing:
    Code:
    server {
        listen       80;
        server_name  localhost;
    
        #charset koi8-r;
        #access_log  /var/log/nginx/log/host.access.log  main;
    
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
    
        #error_page  404              /404.html;
    
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}
    
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}
    
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }
    I will understand if nginx is not supported atm and will wait for a fix and will just install apache2 as the guide says; I am asking if there is a simple fix or if I am doing something wrong in the process.
     
    Last edited: Jun 21, 2017
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Nginx has not been tested yet, otherwise there would be a tutorial for that. Besides that, you used the wrong nginx packages; use the ones from Debian and not nginx.org. The nginx.org packages run under a different user with different config files, so they won't work on Debian 8 as well.
     
  4. mmdollar

    mmdollar Member

    I was running Debian 8 with packages from Nginx not Debian and it was working fine. It seems I will wait for you guys.
     
  5. mmdollar

    mmdollar Member

    Well, it seems Nginx (1.10.3) is working with ISPConfig3 (3.1.4) when you use Debian 9 packages, just letting everyone know. The only difference I made is that I installed Nginx and configured PHP-FPM and then continued to follow the guide up until the roundcube install. I needed to install it without the dependencies (it needed apache2 to be installed in order to have roundcube). When I am done with roundcube I will post info on how to do it if anyone is interested. Well, for now I have a problem with Let's Encrypt creating certs but not using them: when I click on the button "Let's Encrypt" it checks SSL also and uses that. If I uncheck it, "Let's Encrypt" gets unchecked too.
     
    Last edited: Jun 24, 2017
  6. mmdollar

    mmdollar Member

    I checked ssl dir for the client and here it is I am having a "-le" at my keys folder? There is another thread over here, maybe we are having the same problem? Anyway here is a screenshot:
    [IMG]
    I tried to delete the client/website and do it again, but I am hitting the same problem.
     
    Last edited: Jun 25, 2017
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    This means that the Letsencrypt cert generation worked correctly. It has already been explained in the other thread you linked to that the certs must be named with -le in the filename when you use Letsencrypt and ISPConfig uses this filename in the nginx vhost file.

    If the ssl cert file paths in the vhost file do not have -le inside, then you might use a custom nginx vhost template which has not been adapted for recent ISPConfig versions yet.
     
  8. mmdollar

    mmdollar Member

    Ok..I am kinda ashamed but the problem was that I needed to first create the website and after that I need to edit it and click on "Let's Encrypt" to work. Not sure if this is correct, but before I was doing them at the same time and it was working. As always thank you @till for the help.

    Hahah, now I need to figure out why when I enter quota on a website it still says unlimited (I am using RAID10+LVM)
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    That's indeed a problem that we need to address. The website has to exist to get an LE cert as LE tries to reach the site and at the same time: to enable SSL in nginx, the ssl cert has to exist already. At the moment, the SSL cert creation step is always before we write the site. Either we have to write the vhost file twice and restart nginx in this process so that the vhost exists without SSL before LE is called or we will have to at least disable the LE checkbox during initial site creation so that the user can enable it only when the site exists already.
     
  10. mmdollar

    mmdollar Member

    When I enter "repquota -avug" in the terminal to see if there is a hard limit on the websites:
    Code:
    *** Report for user quotas on device /dev/mapper/data-root
    Block grace time: 7days; Inode grace time: 7days
                            Block limits                File limits
    User            used    soft    hard  grace    used  soft  hard  grace
    ----------------------------------------------------------------------
    root      -- 1747560       0       0          90224     0     0
    daemon    --      52       0       0              1     0     0
    dollar    --      36       0       0              9     0     0
    mysql     --       0       0       0              5     0     0
    clamav    --       4       0       0              1     0     0
    debian-spamd --      56       0       0             14     0     0
    bind      --       4       0       0              1     0     0
    getmail   --       8       0       0              2     0     0
    ispconfig --   33976       0       0           6889     0     0
    web1      --       0 819200000 819201024              0     0     0
    web2      --       0 15360000 15361024              0     0     0
    web3      --       0 1024000 1025024              0     0     0
    
    Statistics:
    Total blocks: 8
    Data blocks: 1
    Entries: 12
    Used average: 12.000000
    
    *** Report for group quotas on device /dev/mapper/data-root
    Block grace time: 7days; Inode grace time: 7days
                            Block limits                File limits
    Group           used    soft    hard  grace    used  soft  hard  grace
    ----------------------------------------------------------------------
    root      -- 1746340       0       0          90116     0     0
    daemon    --      56       0       0              2     0     0
    adm       --       4       0       0              1     0     0
    tty       --      44       0       0              2     0     0
    mail      --     160       0       0              5     0     0
    www-data  --       8       0       0              2     0     0
    shadow    --     140       0       0              5     0     0
    staff     --     124       0       0             35     0     0
    crontab   --      40       0       0              1     0     0
    Debian-exim --       4       0       0              1     0     0
    messagebus --      44       0       0              1     0     0
    mlocate   --      40       0       0              1     0     0
    ssh       --     352       0       0              1     0     0
    dollar    --      36       0       0              9     0     0
    mysql     --       0       0       0              5     0     0
    ssl-cert  --       8       0       0              2     0     0
    postfix   --     120       0       0             30     0     0
    postdrop  --      40       0       0              2     0     0
    dovecot   --      16       0       0              3     0     0
    debian-spamd --      56       0       0             14     0     0
    bind      --      68       0       0             14     0     0
    ispconfig --   33996       0       0           6894     0     0
    
    Statistics:
    Total blocks: 10
    Data blocks: 2
    Entries: 22
    Used average: 11.000000
    I am kinda confused why they are shown at mount point "/" when the website is located at /var/www (I have an LVM partition mounted at /var). Do I need to add errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 on /dev/mapper/data-var--data?

    The hard limits are there for web[1-3] and are correct. But when I enter in the ISPConfig3 interface (as admin and client) it shows unlimited and no used space:
    [IMG]
    This is my fstab file:
    Code:
    # <file system> <mount point>   <type>  <options>       <dump>  <pass>
    /dev/mapper/data-root /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1
    # /boot was on /dev/md0 during installation
    UUID=39e6390c-ed04-4514-b813-cb4f9d8c9a96 /boot           ext4    defaults        0       2
    /dev/mapper/data-var--data /var            ext4    defaults        0       2
    /dev/mapper/data-swap none            swap    sw              0       0
    /var/log/ispconfig/httpd/cloud.domain.eu /var/www/clients/client1/web1/log    none    bind,nobootwait    0 0
    /var/log/ispconfig/httpd/domain.eu /var/www/clients/client1/web2/log    none    bind,nobootwait    0 0
    /var/log/ispconfig/httpd/dev.domain.eu /var/www/clients/client2/web3/log    none    bind,nobootwait    0 0
     
    Last edited: Jun 25, 2017
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. Quota needs to be enabled for the partition that holds the websites. The quota view in ISPConfig is not real-time, it might be that it needs a bit more time to get updated.
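
The check behind this answer, as an added example that is not part of the thread: find the fstab entry that actually holds a website directory (longest matching mount point) and report whether it carries user and group quota options. The function name `quota_status` and the two sample helpers are hypothetical; the samples are abridged from the fstab files posted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): which fstab entry holds a directory,
# and does that entry carry both user and group quota options?

# quota_status FSTAB DIR  ->  "<mountpoint> <device> quota=on|off"
# FSTAB may be "-" to read the table from stdin.
quota_status() {
    awk -v dir="$2" '
        $1 ~ /^#/ || NF < 4 { next }              # comments, malformed lines
        $3 == "swap"        { next }              # swap has no mount point
        {
            opts = "," $4 ","
            if (index(opts, ",bind,")) next       # bind mounts sit on another fs
            prefix = ($2 == "/") ? "/" : $2 "/"
            # The longest mount point that is a path prefix of dir wins
            if (index(dir "/", prefix) == 1 && length($2) > best) {
                best = length($2); mp = $2; dev = $1
                usr = index(opts, ",usrjquota=") || index(opts, ",usrquota")
                grp = index(opts, ",grpjquota=") || index(opts, ",grpquota")
                q = (usr && grp) ? "on" : "off"
            }
        }
        END { if (best) print mp, dev, "quota=" q }
    ' "$1"
}

# Constructed samples, abridged from the two fstab files posted in the thread.
fstab_before() { cat <<'EOF'
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/data-root / ext4 errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1
UUID=39e6390c-ed04-4514-b813-cb4f9d8c9a96 /boot ext4 defaults 0 2
/dev/mapper/data-var--data /var ext4 defaults 0 2
/dev/mapper/data-swap none swap sw 0 0
/var/log/ispconfig/httpd/domain.eu /var/www/clients/client1/web2/log none bind,nobootwait 0 0
EOF
}

fstab_after() { cat <<'EOF'
/dev/mapper/data-root / ext4 errors=remount-ro 0 1
UUID=39e6390c-ed04-4514-b813-cb4f9d8c9a96 /boot ext4 defaults 0 2
/dev/mapper/data-var--data /var ext4 errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 2
/dev/mapper/data-swap none swap sw 0 0
EOF
}

# Demo: the web root lives on /var, so the options on / do not apply to it.
fstab_before | quota_status - /var/www/clients/client1/web1
fstab_after  | quota_status - /var/www/clients/client1/web1
```

On a live server the same function can be pointed at the real table with `quota_status /etc/fstab /var/www`.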
     
  12. mmdollar

    mmdollar Member

    Now it's working. My fstab looks like this (I removed usrquota options from / to /var):
    Code:
    # <file system> <mount point>   <type>  <options>       <dump>  <pass>
    /dev/mapper/data-root /               ext4    errors=remount-ro 0       1
    # /boot was on /dev/md0 during installation
    UUID=39e6390c-ed04-4514-b813-cb4f9d8c9a96 /boot           ext4    defaults        0       2
    /dev/mapper/data-var--data /var            ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0        0       2
    /dev/mapper/data-swap none            swap    sw              0       0
    /var/log/ispconfig/httpd/cloud.domain.eu /var/www/clients/client1/web1/log    none    bind,nobootwait    0 0
    /var/log/ispconfig/httpd/domain.eu /var/www/clients/client1/web2/log    none    bind,nobootwait    0 0
    /var/log/ispconfig/httpd/dev.domain.eu /var/www/clients/client2/web3/log    none    bind,nobootwait    0 0
    
    The only thing that bothers me is that when I enter "quotacheck -avugm" it gives me:
    Code:
    quotacheck: Scanning /dev/mapper/data-root [/] done
    quotacheck: Checked 8839 directories and 88324 files
    quotacheck: Quota for users is enabled on mountpoint /var so quotacheck might damage the file.
    Please turn quotas off or use -f to force checking.
    It tries to scan / even though I removed quota on / with this command:
    Code:
    quotaoff -v /
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Maybe you have to reboot the server?
     
  14. mmdollar

    mmdollar Member

    I just did, I ran the command again and now it only gives me:
    Code:
    quotacheck: Quota for users is enabled on mountpoint /var so quotacheck might damage the file.
    Please turn quotas off or use -f to force checking.
    Maybe now it is ok? Do I need to somehow delete the quota files which were left maybe on / because of my misconfiguration?
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    That should be fine now. Most likely you can delete the quota files in / now, but I haven't had that case yet.
     
  16. mmdollar

    mmdollar Member

    Well, I won't touch them since everything is fine now, so on the topic I can safely say that nginx works with the new version of ISPConfig3 with tested software:
    Roundcube (installed ispconfig plugin, the only problem I have is I cannot access settings in roundcube when I login. Maybe I misconfigured? Used guide from here.)
    NextCloud (works fine, except for some nginx header options, but that is not from ISPConfig I think.)
    phpMyAdmin (no problems here)
    bind (works like a charm)
    MariaDB (works)
    WordPress (again no problems)
    mdadm monitor (working)
    fail2ban & ufw (no problems)

    And the last thing...I wanted to change the certificates of ISPConfig3 interface, I manually edited 000-ispconfig.vhost and changed ssl_certificate & ssl_certificate_key to letsencrypt ones. After restarting nginx crashes with this error:
    Code:
    nginx: [emerg] duplicate listen options for [::]:443 in /etc/nginx/sites-enabled/000-ispconfig.vhost-1:3
    Line 3 is: listen [::]:443 ipv6only=on;
    When I comment it out so it won't load, the web server starts but with 1 error:
    Code:
     nginx: [warn] conflicting server name "_" on 0.0.0.0:443, ignored
    I tried to use the ISPConfig update script to reconfigure the webserver but nothing changed. ISPConfig interface is running on port 443. Everything is working regarding my websites, but I am curious what I did wrong again :D.
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    Do not edit that file; your changes will be removed automatically on the next update. Use symlinks instead. See e.g. here: https://www.howtoforge.com/communit...ntrol-panel-with-lets-encrypt-free-ssl.75554/

    You must have added the same vhost with server name '_' twice in the nginx config.
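
A way to locate the condition behind the `duplicate listen options` error, as an added example that is not part of the thread: nginx accepts socket-level `listen` parameters (such as `ipv6only`) only once per address:port, so this scans a vhost directory and lists every address where they are set in more than one directive. The function names and the file contents are constructed for illustration (only the two file names come from the error message above), and the parser assumes one directive per line.

```shell
#!/bin/sh
# Added example (not from the thread): find address:port pairs whose
# socket-level listen options are set in more than one listen directive.

# dup_listen_options DIR -> "<addr> <file:line> <file:line> ..." per conflict
dup_listen_options() {
    awk '
        BEGIN {
            # Parameters nginx allows only once per address:port pair
            n = split("setfib fastopen backlog rcvbuf sndbuf accept_filter " \
                      "deferred bind ipv6only reuseport so_keepalive", o, " ")
            for (i = 1; i <= n; i++) sockopt[o[i]] = 1
        }
        $1 == "listen" {
            addr = $2; sub(/;$/, "", addr)
            if (addr ~ /^[0-9]+$/) addr = "*:" addr    # bare port means *:port
            has = 0
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^#/) break                   # trailing comment
                opt = $i; sub(/;$/, "", opt); sub(/=.*/, "", opt)
                if (opt in sockopt) has = 1
            }
            if (has) {
                f = FILENAME; sub(/.*\//, "", f)
                where[addr] = where[addr] " " f ":" FNR
                count[addr]++
            }
        }
        END { for (a in count) if (count[a] > 1) print a where[a] }
    ' "$1"/* | sort
}

# Constructed sample: the same vhost present twice in one directory.
make_sample_vhosts() {
    d=$(mktemp -d) || return 1
    for name in 000-ispconfig.vhost 000-ispconfig.vhost-1; do
        cat > "$d/$name" <<'EOF'
server {
    listen 443 ssl;
    listen [::]:443 ipv6only=on;
    server_name _;
}
EOF
    done
    echo "$d"
}

# Demo on the constructed directory
dir=$(make_sample_vhosts)
dup_listen_options "$dir"
rm -rf "$dir"
```

On a server, `dup_listen_options /etc/nginx/sites-enabled` points at stray copies or backup files that nginx loads alongside the original vhost.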
     
  18. mmdollar

    mmdollar Member

    Thanks @till, I had no idea you can do it in this fancy way with symlinks. I did them for the ISPConfig interface, postfix & dovecot. I encountered a slight problem with a multiserver setup and slave DNS. I had a domain signed with DNSSEC but decided to add another slave dns. I deleted the keys and the domain and added the domain again, but after that the DNSSEC options are not there. I assume you guys are working on it from the thread here. I tried to play with it and generate and sign my domain and it works (I think the slave does not get the keys), but when I add a subdomain or in general tweak the dns, ISPConfig overwrites my changes (which is normal). I saw some workarounds to make a script that adds the .signed when there are DNS changes, but I prefer to wait.
     
