How to Host Multiple Sites Using NGINX
Using domain name: yourdomain.com
yourdomain.com
$ sudo letsencrypt certonly -a webroot --webroot-path=/var/www/yourdomain.com/html -d yourdomain.com -d www.yourdomain.com$ sudo nano /etc/nginx/snippets/ssl-yourdomain.com.confssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;subdomain1.yourdomain.com
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/subdomain1.yourdomain.com/html -d subdomain1.yourdomain.comsudo nano /etc/nginx/snippets/ssl-subdomain1.yourdomain.com.confssl_certificate /etc/letsencrypt/live/subdomain1.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/subdomain1.yourdomain.com/privkey.pem;subdomain2.yourdomain.com
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/subdomain2.yourdomain.com/html -d subdomain2.yourdomain.comsudo nano /etc/nginx/snippets/ssl-subdomain2.yourdomain.com.confssl_certificate /etc/letsencrypt/live/subdomain2.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/subdomain2.yourdomain.com/privkey.pem;nginx server block (includes wordpress config which can be deleted or modified for subdomain1 and subdomain2 [Nextcloud] block)
server {
listen 80;
listen [::]:80;
root /var/www/yourdomain.com/html;
index index.php index.html;
server_name yourdomain.com www.yourdomain.com;
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
listen 443 ssl http2;
listen [::]:443 ssl http2;
include snippets/ssl-yourdomain.com.conf;
include snippets/ssl-params.conf;
set $skip_cache 0;
if ($request_method = POST) {
set $skip_cache 1;
}
if ($query_string != "") {
set $skip_cache 1;
}
if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
set $skip_cache 1;
}
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
set $skip_cache 1;
}
autoindex off;
location ~ /purge(/.*) {
fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
}
location ~* ^.+\.(flv|pdf|avi|mov|mp3|wmv|m4v|webm|aac|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
expires max;
log_not_found off;
access_log off;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
fastcgi_cache WORDPRESS;
fastcgi_cache_valid 60m;
include fastcgi_params;
}
location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
internal;
}
location = /robots.txt {
access_log off;
log_not_found off;
}
location = /wp-config.php {
deny all;
}
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|php|pot|po|mo|log|sql)$ {
deny all;
}
location ~ /.well-known {
allow all;
}
location ~ /\.(ht|svn)? {
deny all;
}
}
server {
listen 80;
listen [::]:80;
root /var/www/subdomain1.yourdomain.com/html;
index index.php index.html;
server_name subdomain1.yourdomain.com;
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
listen 443 ssl http2;
listen [::]:443 ssl http2;
include snippets/ssl-subdomain1.yourdomain.com.conf;
include snippets/ssl-params.conf;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
fastcgi_cache WORDPRESS;
fastcgi_cache_valid 60m;
include fastcgi_params;
}
location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
internal;
}
location = /robots.txt {
access_log off;
log_not_found off;
}
location = /wp-config.php {
deny all;
}
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|php|pot|po|mo|log|sql)$ {
deny all;
}
location ~ /.well-known {
allow all;
}
location ~ /\.(ht|svn)? {
deny all;
}
}
server {
listen 80;
listen [::]:80;
root /var/www/subdomain2.yourdomain.com/html;
index index.php index.html;
server_name subdomain2.yourdomain.googulife.com;
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
listen 443 ssl http2;
listen [::]:443 ssl http2;
include snippets/ssl-subdomain2.yourdomain.com.conf;
include snippets/ssl-params.conf;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
fastcgi_cache WORDPRESS;
fastcgi_cache_valid 60m;
include fastcgi_params;
}
location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
internal;
}
location = /robots.txt {
access_log off;
log_not_found off;
}
location = /wp-config.php {
deny all;
}
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|php|pot|po|mo|log|sql)$ {
deny all;
}
location ~ /.well-known {
allow all;
}
location ~ /\.(ht|svn)? {
deny all;
}
}modified nginx server block:
server {
listen 80;
listen [::]:80;
root /var/www/yourdomain.com/html;
index index.php index.html;
server_name yourdomain.com www.yourdomain.com;
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
listen 443 ssl http2;
listen [::]:443 ssl http2;
include snippets/ssl-yourdomain.com.conf;
include snippets/ssl-params.conf;
set $skip_cache 0;
if ($request_method = POST) {
set $skip_cache 1;
}
if ($query_string != "") {
set $skip_cache 1;
}
if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
set $skip_cache 1;
}
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
set $skip_cache 1;
}
autoindex off;
location ~ /purge(/.*) {
fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
}
location ~* ^.+\.(flv|pdf|avi|mov|mp3|wmv|m4v|webm|aac|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
expires max;
log_not_found off;
access_log off;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
fastcgi_cache WORDPRESS;
fastcgi_cache_valid 60m;
include fastcgi_params;
}
location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
internal;
}
location = /robots.txt {
access_log off;
log_not_found off;
}
location = /wp-config.php {
deny all;
}
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|php|pot|po|mo|log|sql)$ {
deny all;
}
location ~ /.well-known {
allow all;
}
location ~ /\.(ht|svn)? {
deny all;
}
}
server {
listen 80;
listen [::]:80;
root /var/www/subdomain1.yourdomain.com/html;
index index.php index.html;
server_name subdomain1.yourdomain.com;
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
listen 443 ssl http2;
listen [::]:443 ssl http2;
include snippets/ssl-subdomain1.yourdomain.com.conf;
include snippets/ssl-params.conf;
add_header Strict-Transport-Security "max-age=15768000; preload;";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
access_log /var/log/nginx/nextcloud.access.log;
error_log /var/log/nginx/nextcloud.error.log;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
client_max_body_size 512M;
fastcgi_buffers 64 4K;
gzip off;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location / {
rewrite ^ /index.php$uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
include fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
location ~* \.(?:css|js)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=7200";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}
location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
access_log off;
}
location ~ /\.ht {
deny all;
}
}
server {
listen 80;
listen [::]:80;
root /var/www/subdomain2.yourdomain.com/html;
index index.php index.html;
server_name subdomain2.yourdomain.com;
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
listen 443 ssl http2;
listen [::]:443 ssl http2;
include snippets/ssl-subdomain2.yourdomain.com.conf;
include snippets/ssl-params.conf;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
fastcgi_cache WORDPRESS;
fastcgi_cache_valid 60m;
include fastcgi_params;
}
location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
internal;
}
location = /robots.txt {
access_log off;
log_not_found off;
}
location = /wp-config.php {
deny all;
}
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|php|pot|po|mo|log|sql)$ {
deny all;
}
location ~ /.well-known {
allow all;
}
location ~ /\.(ht|svn)? {
deny all;
}
}For referene:
Propagation Checker
https://syscoding.com/network/propagation/
ERROR: ACCESS FORBIDDEN
Along with the modification of ‘www.conf' described below, I just had to edit one line in the nextcloud (nc.googulife.com) server block. Around line 149, change:
fastcgi_split_path_info ^(.+\.php)(/.+)$;to
fastcgi_split_path_info ^(.+\.php)(/.*)$;Note that the only modification is changing the ‘ + ‘ to ‘ * ‘. Verified through official nextcloud nginx config sample here: https://docs.nextcloud.com/server/12/admin_manual/installation/nginx.html
regex: https://en.wikipedia.org/wiki/Regular_expression
Google search: nginx nextcloud access forbidden
https://help.nextcloud.com/t/access-denied-on-nginx/2956
For security reasons I have uncommented the line:security.limit_extensions = .php in /etc/php-fpm.d/www.conf