How To Setup Subdomains & LetsEncrypt On NGINX

How to Host Multiple Sites Using NGINX

Using domain name: yourdomain.com


yourdomain.com

$ sudo letsencrypt certonly -a webroot --webroot-path=/var/www/yourdomain.com/html -d yourdomain.com -d www.yourdomain.com
$ sudo nano /etc/nginx/snippets/ssl-yourdomain.com.conf
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

subdomain1.yourdomain.com

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/subdomain1.yourdomain.com/html -d subdomain1.yourdomain.com
sudo nano /etc/nginx/snippets/ssl-subdomain1.yourdomain.com.conf
ssl_certificate /etc/letsencrypt/live/subdomain1.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/subdomain1.yourdomain.com/privkey.pem;

subdomain2.yourdomain.com

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/subdomain2.yourdomain.com/html -d subdomain2.yourdomain.com
sudo nano /etc/nginx/snippets/ssl-subdomain2.yourdomain.com.conf
ssl_certificate /etc/letsencrypt/live/subdomain2.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/subdomain2.yourdomain.com/privkey.pem;

nginx server block (includes wordpress config which can be deleted or modified for subdomain1 and subdomain2 [Nextcloud] block)

server {
        listen 80;
        listen [::]:80;

        root /var/www/yourdomain.com/html;
        index index.php index.html;

        server_name yourdomain.com www.yourdomain.com;

		if ($scheme != "https") {
			rewrite ^ https://$host$uri permanent;
		}
		
		listen 443 ssl http2;
        listen [::]:443 ssl http2;
		include snippets/ssl-yourdomain.com.conf;
		include snippets/ssl-params.conf;

		set $skip_cache 0;
        if ($request_method = POST) {
                set $skip_cache 1;
        }
        if ($query_string != "") {
                set $skip_cache 1;
        }
        if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
                set $skip_cache 1;
        }
        if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
                set $skip_cache 1;
        }
		
		autoindex off;
        location ~ /purge(/.*) {
                fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
        }
        location ~* ^.+\.(flv|pdf|avi|mov|mp3|wmv|m4v|webm|aac|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
                expires max;
                log_not_found off;
                access_log off;
        }
		
        location / {
                try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_cache_bypass $skip_cache;
                fastcgi_no_cache $skip_cache;
                fastcgi_cache WORDPRESS;
                fastcgi_cache_valid 60m;
                include fastcgi_params;
        }
 
        location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
                internal;
        }

        location = /robots.txt {
                access_log off;
                log_not_found off;
        }

        location = /wp-config.php {
                deny all;
        }

        location ~* /(?:uploads|files)/.*\.php$ {
                deny all;
        }

        location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|php|pot|po|mo|log|sql)$ {
                deny all;
        }
		
		location ~ /.well-known {
                allow all;
        }

		location ~ /\.(ht|svn)? {
                deny all;
		}

		
}

server {
        listen 80;
        listen [::]:80;

        root /var/www/subdomain1.yourdomain.com/html;
        index index.php index.html;
		server_name subdomain1.yourdomain.com;
        
        if ($scheme != "https") {
			rewrite ^ https://$host$uri permanent;
		}
		
		listen 443 ssl http2;
        listen [::]:443 ssl http2;
		include snippets/ssl-subdomain1.yourdomain.com.conf;
		include snippets/ssl-params.conf;

		location / {
                try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_cache_bypass $skip_cache;
                fastcgi_no_cache $skip_cache;
                fastcgi_cache WORDPRESS;
                fastcgi_cache_valid 60m;
                include fastcgi_params;
        }
 
        location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
                internal;
        }

        location = /robots.txt {
                access_log off;
                log_not_found off;
        }

        location = /wp-config.php {
                deny all;
        }

        location ~* /(?:uploads|files)/.*\.php$ {
                deny all;
        }

        location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|php|pot|po|mo|log|sql)$ {
                deny all;
        }

		location ~ /.well-known {
                allow all;
        }

                location ~ /\.(ht|svn)? {
                deny all;
		}
		
}

server {
        listen 80;
        listen [::]:80;

        root /var/www/subdomain2.yourdomain.com/html;
        index index.php index.html;
		server_name subdomain2.yourdomain.googulife.com;
        
        if ($scheme != "https") {
			rewrite ^ https://$host$uri permanent;
		}
		
		listen 443 ssl http2;
        listen [::]:443 ssl http2;
		include snippets/ssl-subdomain2.yourdomain.com.conf;
		include snippets/ssl-params.conf;

		location / {
                try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_cache_bypass $skip_cache;
                fastcgi_no_cache $skip_cache;
                fastcgi_cache WORDPRESS;
                fastcgi_cache_valid 60m;
                include fastcgi_params;
        }
 
        location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
                internal;
        }

        location = /robots.txt {
                access_log off;
                log_not_found off;
        }

        location = /wp-config.php {
                deny all;
        }

        location ~* /(?:uploads|files)/.*\.php$ {
                deny all;
        }

        location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|php|pot|po|mo|log|sql)$ {
                deny all;
        }

		location ~ /.well-known {
                allow all;
        }

                location ~ /\.(ht|svn)? {
                deny all;
		}
		
}

modified nginx server block:

server {
        listen 80;
        listen [::]:80;

        root /var/www/yourdomain.com/html;
        index index.php index.html;

        server_name yourdomain.com www.yourdomain.com;

		if ($scheme != "https") {
			rewrite ^ https://$host$uri permanent;
		}
		
		listen 443 ssl http2;
        listen [::]:443 ssl http2;
		include snippets/ssl-yourdomain.com.conf;
		include snippets/ssl-params.conf;

		set $skip_cache 0;
        if ($request_method = POST) {
                set $skip_cache 1;
        }
        if ($query_string != "") {
                set $skip_cache 1;
        }
        if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
                set $skip_cache 1;
        }
        if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
                set $skip_cache 1;
        }
		
		autoindex off;
        location ~ /purge(/.*) {
                fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
        }
        location ~* ^.+\.(flv|pdf|avi|mov|mp3|wmv|m4v|webm|aac|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
                expires max;
                log_not_found off;
                access_log off;
        }
		
        location / {
                try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_cache_bypass $skip_cache;
                fastcgi_no_cache $skip_cache;
                fastcgi_cache WORDPRESS;
                fastcgi_cache_valid 60m;
                include fastcgi_params;
        }
 
        location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
                internal;
        }

        location = /robots.txt {
                access_log off;
                log_not_found off;
        }

        location = /wp-config.php {
                deny all;
        }

        location ~* /(?:uploads|files)/.*\.php$ {
                deny all;
        }

        location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|php|pot|po|mo|log|sql)$ {
                deny all;
        }
		
		location ~ /.well-known {
                allow all;
        }

		location ~ /\.(ht|svn)? {
                deny all;
		}

		
}

server {
        listen 80;
        listen [::]:80;

        root /var/www/subdomain1.yourdomain.com/html;
        index index.php index.html;
		server_name subdomain1.yourdomain.com;
		
		if ($scheme != "https") {
			rewrite ^ https://$host$uri permanent;
		}
		
		listen 443 ssl http2;
        listen [::]:443 ssl http2;
		include snippets/ssl-subdomain1.yourdomain.com.conf;
		include snippets/ssl-params.conf;

		add_header Strict-Transport-Security "max-age=15768000; preload;";
		add_header X-XSS-Protection "1; mode=block";
		add_header X-Robots-Tag none;
		add_header X-Download-Options noopen;
		add_header X-Permitted-Cross-Domain-Policies none;

		access_log  /var/log/nginx/nextcloud.access.log;
		error_log   /var/log/nginx/nextcloud.error.log;

		location = /robots.txt {
			allow all;
			log_not_found off;
			access_log off;
		}

		location = /.well-known/carddav { 
			return 301 $scheme://$host/remote.php/dav; 
		}
		location = /.well-known/caldav { 
			return 301 $scheme://$host/remote.php/dav; 
		}

		client_max_body_size 512M;
		fastcgi_buffers 64 4K;
		gzip off;

		error_page 403 /core/templates/403.php;
		error_page 404 /core/templates/404.php;

		location / {
			rewrite ^ /index.php$uri;
		}

		location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
			deny all;
		}

		location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
			deny all;
		}

		location ~^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
			include fastcgi_params;
			fastcgi_split_path_info ^(.+\.php)(/.*)$;
			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
			fastcgi_param PATH_INFO $fastcgi_path_info;
			fastcgi_param HTTPS on;
			#Avoid sending the security headers twice
			fastcgi_param modHeadersAvailable true;
			fastcgi_param front_controller_active true;
			fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
			fastcgi_intercept_errors on;
			fastcgi_request_buffering off;
		}

		location ~ ^/(?:updater|ocs-provider)(?:$|/) {
			try_files $uri/ =404;
			index index.php;
		}

		location ~* \.(?:css|js)$ {
			try_files $uri /index.php$uri$is_args$args;
			add_header Cache-Control "public, max-age=7200";
			add_header X-Content-Type-Options nosniff;
			add_header X-Frame-Options "SAMEORIGIN";
			add_header X-XSS-Protection "1; mode=block";
			add_header X-Robots-Tag none;
			add_header X-Download-Options noopen;
			add_header X-Permitted-Cross-Domain-Policies none;
			# Optional: Don't log access to assets
			access_log off;
		}

		location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
			try_files $uri /index.php$uri$is_args$args;
			access_log off;
		}

		location ~ /\.ht {
			deny all;
		}
	
}

server {
        listen 80;
        listen [::]:80;

        root /var/www/subdomain2.yourdomain.com/html;
        index index.php index.html;
		server_name subdomain2.yourdomain.com;
		
		if ($scheme != "https") {
			rewrite ^ https://$host$uri permanent;
		}
		
		listen 443 ssl http2;
        listen [::]:443 ssl http2;
		include snippets/ssl-subdomain2.yourdomain.com.conf;
		include snippets/ssl-params.conf;

		location / {
                try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_cache_bypass $skip_cache;
                fastcgi_no_cache $skip_cache;
                fastcgi_cache WORDPRESS;
                fastcgi_cache_valid 60m;
                include fastcgi_params;
        }
 
        location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
                internal;
        }

        location = /robots.txt {
                access_log off;
                log_not_found off;
        }

        location = /wp-config.php {
                deny all;
        }

        location ~* /(?:uploads|files)/.*\.php$ {
                deny all;
        }

        location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|php|pot|po|mo|log|sql)$ {
                deny all;
        }

		location ~ /.well-known {
                allow all;
        }

                location ~ /\.(ht|svn)? {
                deny all;
		}
		
}

For referene:

Propagation Checker
https://syscoding.com/network/propagation/

ERROR: ACCESS FORBIDDEN

Along with the modification of ‘www.conf’ described below, I just had to edit one line in the nextcloud (nc.googulife.com) server block. Around line 149, change:

fastcgi_split_path_info ^(.+\.php)(/.+)$;

to

fastcgi_split_path_info ^(.+\.php)(/.*)$;

Note that the only modification is changing the ‘ + ‘ to ‘ * ‘. Verified through official nextcloud nginx config sample here: https://docs.nextcloud.com/server/12/admin_manual/installation/nginx.html

regex: https://en.wikipedia.org/wiki/Regular_expression

Google search: nginx nextcloud access forbidden

https://help.nextcloud.com/t/access-denied-on-nginx/2956

For security reasons I have uncommented the line:security.limit_extensions = .php in /etc/php-fpm.d/www.conf

http://serverfault.com/questions/627903/is-the-php-option-cgi-fix-pathinfo-really-dangerous-with-nginx-php-fpm

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.