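I am trying to configure an nginx front end for a Nagios Core server on a local test VM, which I would like to try out.
I think I had a PHP-FPM problem for a while, which is now resolved, at least in part, because I can now see the "Nagios Core" home page when I load the site.
But I cannot navigate to any sub-page; I always get 403 Forbidden.
What other configuration ideas can I try?
Packages installed on my Ubuntu 22.04 host: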
nagios-images/jammy,now 0.9.4 all [installed,automatic]
nagios4-cgi/jammy,now 4.4.6-4 amd64 [installed,automatic]
nagios4-common/jammy,now 4.4.6-4 all [installed,automatic]
nagios4-core/jammy,now 4.4.6-4 amd64 [installed,automatic]
nagios4/jammy,now 4.4.6-4 amd64 [installed]
php-common/jammy,now 2:92ubuntu1 all [installed,automatic]
php8.1-cli/jammy-updates,jammy-security,now 8.1.2-1ubuntu2.11 amd64 [installed,automatic]
php8.1-common/jammy-updates,jammy-security,now 8.1.2-1ubuntu2.11 amd64 [installed,automatic]
php8.1-fpm/jammy-updates,jammy-security,now 8.1.2-1ubuntu2.11 amd64 [installed]
php8.1-opcache/jammy-updates,jammy-security,now 8.1.2-1ubuntu2.11 amd64 [installed,automatic]
php8.1-readline/jammy-updates,jammy-security,now 8.1.2-1ubuntu2.11 amd64 [installed,automatic]
php8.1/jammy-updates,jammy-security,now 8.1.2-1ubuntu2.11 all [installed]
This is the main nagios.conf file that I load from the /etc/nginx/conf.d/ directory (which is itself specified in the /etc/nginx/nginx.conf file):
upstream php {
    server unix:/var/run/php/php8.1-fpm.sock;
}
upstream fcgiwrap {
    server unix:/var/run/fcgiwrap.socket;
}
server {
    listen 80;
    server_name $HOSTNAME;
    return 302 https://$HOSTNAME;
}
server {
    listen 443 ssl;
    server_name $HOSTNAME;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    access_log /var/log/nginx/nagios.access.log;
    error_log /var/log/nginx/nagios.error.log info;
    expires 5m;
    root /usr/share/nagios4/htdocs;
    index index.php index.html;
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nagios4/htpasswd.users;
    location /stylesheets {
        alias /etc/nagios4/stylesheets;
    }
    location ~ /nagios4/ {
        location ~ /(\w*\.cgi)$ {
            include /etc/nginx/fastcgi_params;
            fastcgi_param AUTH_USER $remote_user;
            fastcgi_param REMOTE_USER $remote_user;
            fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/nagios4/$1;
            fastcgi_pass fcgiwrap;
        }
    }
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_pass php;
        include /etc/nginx/snippets/fastcgi-php.conf;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/share/nagios4/htdocs$fastcgi_script_name;
    }
    # nagiosgraph
    location ~ /nagiosgraph/ {
        alias /usr/local/nagiosgraph/share/;
        location ~ /(\w*\.cgi)$ {
            include /etc/nginx/fastcgi_params;
            fastcgi_param SCRIPT_FILENAME /usr/local/nagiosgraph/cgi/$1;
            fastcgi_param REMOTE_USER $remote_user;
            fastcgi_param AUTH_USER $remote_user;
            fastcgi_pass unix:/var/run/fcgiwrap.socket;
        }
    }
}
This is the fastcgi snippet it includes:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
This is my main nginx.conf file:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    client_max_body_size 0;
    access_log /var/log/nginx/access.log main;
    sendfile on;
    # tcp_nopush on;
    keepalive_timeout 65;
    gzip on;
    server_tokens off;
    # https://wiki.mozilla.org/Security/Server_Side_TLS
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers DEFAULT:!RC4:!DH:!DES:!3DES;
    # ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8;
    include /etc/nginx/conf.d/*.conf;
}
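I have been trying various configurations, but so far each one has failed.
I have created a populated basic authentication file, and I am prompted for a username and password to match, via: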
htpasswd -b -c /etc/nagios4/htpasswd.users nagiosadmin $SOMEPASSWORD
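I followed "nagios core generating error 403 forbidden" and tried relocating the htpass.users file to /usr/local/nagios/ and looking at root:nagios ownership, but that made no difference in this case.
I have stripped out all the configuration and followed https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/ just to make sure php-fpm is working properly, and it appears to be (the home page response matches the guide's).
The problem with this configuration is that the default configuration of the php-fpm module (/etc/php/8.1/fpm/pool.d/www.conf) is set up for the www-data user.
This nginx.conf specifies a user named "nginx" as the run-as user context.
Changing /etc/php/8.1/fpm/pool.d/www.conf to reference "nginx" in place of "www-data" and restarting the php8.1-fpm service (systemctl restart) resolved the issue.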
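
The account mismatch described in the answer can be checked mechanically. The script below is an added example, not part of the original question or answer: it compares the nginx "user" directive with the user, group, listen.owner and listen.group keys of a PHP-FPM pool file. The function names and sample file contents are constructed; it assumes the "user" directive names no separate group, in which case nginx uses a group of the same name.

```shell
#!/bin/sh
# Added example (not from the original post): compare the account nginx runs
# as with the accounts named in a PHP-FPM pool file.

# Print the account from the top-level "user" directive of an nginx.conf.
nginx_user() {
    sed -n 's/^[[:space:]]*user[[:space:]]\{1,\}\([^;[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print the value of one key from a pool file; lines starting with ";" are comments.
pool_value() {  # $1 = pool file, $2 = key
    awk -F= -v key="$2" '
        /^[ \t]*;/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); print v; exit }
    ' "$1"
}

# Report every pool account that differs from the nginx account.
# Returns 0 when all match, 1 on any mismatch, 2 if nginx.conf has no user line.
check_fpm_accounts() {  # $1 = nginx.conf, $2 = pool file
    want=$(nginx_user "$1")
    [ -n "$want" ] || { echo "no user directive in $1"; return 2; }
    rc=0
    for key in user group listen.owner listen.group; do
        got=$(pool_value "$2" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key = ${got:-unset} (nginx runs as $want)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files mirroring the post: nginx runs as "nginx" while the
# pool file still names "www-data".
write_sample() {  # $1 = directory to write into
    printf 'user nginx;\nworker_processes 1;\n' > "$1/nginx.conf"
    printf '[www]\nuser = www-data\ngroup = www-data\n;listen.owner = nobody\nlisten.owner = www-data\nlisten.group = www-data\n' > "$1/www.conf"
}

# Run against real files when two paths are given on the command line.
if [ "$#" -eq 2 ]; then
    check_fpm_accounts "$1" "$2"
fi
```

Saved under any file name, it takes the two paths from the post as arguments: /etc/nginx/nginx.conf and /etc/php/8.1/fpm/pool.d/www.conf.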