
NGINX Config Example

Posted: Wed Mar 03, 2021 8:10 pm
by MStarM
Hello, I'd like to ask for examples and help with nginx configs. I have not been able to find any information on using nginx as the webserver on the forums or through Google searches; however, there are a few posts here of members claiming to be using nginx on CentOS and Raspbian (Buster). I have been using TimeTrex on a Windows Server 2016 virtual machine for some time and I want to integrate it into my Linux Debian 10 server. I do not want to use Apache as I already have configured InvoiceNinja & Kimai to use nginx and mariadb with php7.3 and they all function correctly. I have tried to add TimeTrex to the stack to no avail. When I hit the server address or domain directly for TimeTrex, it does attempt to redirect to the install page which appends this quote to the URL, but I'm left with error 404. And, if I remove the last block of the config containing "return 404;" my browser tries to download the index.php file.
/interface/html5/index.php?installer=1&disable_db=1&external_installer=0#!m=Install&a=license&external_installer=0
My System:
Windows 10 Pro
Browser= Firefox 86.0

Server Info:
Linux Debian 10.8 (Buster)
MariaDB 10.3.27
PHP 7.3.27-1
NGINX 1.14.2
TimeTrex 12.6.5

NGINX Config

Code:

# /etc/nginx/sites-available/nginx-timetrex.conf
server {
    listen 30080;

#    server_name timetrex.mstarm.net;

    # Rewrite - Redirect To HTTPS
#    add_header Strict-Transport-Security max-age=2592000;
#    rewrite ^ https://$server_name$request_uri? permanent;
#}
#server {
    listen 30443 ssl;

    server_name timetrex.mstarm.net;

    ssl_certificate           /etc/ssl/internal/Marte.MStarM.net.crt;
    ssl_certificate_key       /etc/ssl/internal/Marte.MStarM.net.key;
    ssl_protocols             TLSv1.2 TLSv1.3;
#    ssl_ciphers               ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_ciphers               'HIGH:AES256+EECDH:AES256+EDH:!aNULL:!MD5';
    ssl_prefer_server_ciphers on;
    ssl_session_timeout       5m;
#    ssl_ecdh_curve            secp384r1;
#    ssl_session_cache         shared:SSL:10m;
#
#    resolver 8.8.8.8 valid=300s;
#    resolver_timeout 5s;
#
#    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
#    add_header X-Frame-Options DENY;
#    add_header X-Content-Type-Options nosniff;
#    add_header X-XSS-Protection "1; mode=block";

    root /var/www/timetrex;
    index index.php;

    access_log off;
    log_not_found off;

    location ~ /\.ht {
        deny all;
    }

    location / {
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        fastcgi_pass unix:/run/php/php7.3-fpm-timetrex.sock;
#        fastcgi_index index.php;
#        fastcgi_read_timeout 240;
#        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi.conf;
        fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/..:/tmp/";
        internal;
    }

    location ~ \.php$ {
        return 404;
    }
}
Notably: I am using PHP-FPM pools with TimeTrex having a newly specified user who owns all the files in place of 'www-data'; this is the same for my other operable apps. Also, I am including my step-by-step reference note, but know that it's very messy since it hasn't been proven yet.
Full_Build.txt
I set the log output in timetrex.php.ini to default; however, there is only an empty directory. I also set prod=FALSE and debug=TRUE. nginx's error.log contains:

Code:

2021/03/03 16:37:14 [error] 11032#11032: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 192.168.10.1, server: timetrex.mstarm.net, request: "GET /interface HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm-timetrex.sock:", host: "172.16.30.141:30080"
2021/03/03 16:37:14 [error] 11032#11032: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 192.168.10.1, server: timetrex.mstarm.net, request: "GET /favicon.ico HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm-timetrex.sock:", host: "172.16.30.141:30080", referrer: "http://172.16.30.141:30080/interface"
2021/03/03 16:37:16 [error] 11032#11032: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 192.168.10.1, server: timetrex.mstarm.net, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm-timetrex.sock:", host: "172.16.30.141:30080"
2021/03/03 16:37:17 [error] 11032#11032: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 192.168.10.1, server: timetrex.mstarm.net, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm-timetrex.sock:", host: "172.16.30.141:30080"
2021/03/03 16:37:18 [error] 11032#11032: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 192.168.10.1, server: timetrex.mstarm.net, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm-timetrex.sock:", host: "172.16.30.141:30080"
2021/03/03 16:37:18 [error] 11032#11032: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 192.168.10.1, server: timetrex.mstarm.net, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm-timetrex.sock:", host: "172.16.30.141:30080"
2021/03/03 16:39:46 [error] 11109#11109: *3 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 172.16.30.254, server: timetrex.mstarm.net, request: "GET /favicon.ico HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm-timetrex.sock:", host: "timetrex.mstarm.net", referrer: "https://timetrex.mstarm.net/interface/install/install.php"
2021/03/03 16:40:05 [error] 11109#11109: *3 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 172.16.30.254, server: timetrex.mstarm.net, request: "GET /interface HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm-timetrex.sock:", host: "timetrex.mstarm.net"
2021/03/03 17:02:11 [error] 12331#12331: *2 FastCGI sent in stderr: "PHP message: PHP Warning:  require_once(): open_basedir restriction in effect. File(/var/www/timetrex/includes/global.inc.php) is not within the allowed path(s): (/var/www/timetrex/interface/html5/..:/tmp/) in /var/www/timetrex/interface/html5/index.php on line 40PHP message: PHP Warning:  require_once(/var/www/timetrex/includes/global.inc.php): failed to open stream: Operation not permitted in /var/www/timetrex/interface/html5/index.php on line 40PHP message: PHP Fatal error:  require_once(): Failed opening required '../../includes/global.inc.php' (include_path='.:/usr/share/php') in /var/www/timetrex/interface/html5/index.php on line 40" while reading response header from upstream, client: 172.16.30.254, server: timetrex.mstarm.net, request: "GET /favicon.ico HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm-timetrex.sock:", host: "timetrex.mstarm.net", referrer: "https://timetrex.mstarm.net/interface/install/install.php"
2021/03/03 18:27:17 [error] 15561#15561: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 192.168.10.1, server: timetrex.mstarm.net, request: "GET /favicon.ico HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm-timetrex.sock:", host: "172.16.30.141:30080", referrer: "http://172.16.30.141:30080/interface/html5/index.php?installer=1&disable_db=1&external_installer=0"
2021/03/03 19:58:48 [error] 18408#18408: *2 FastCGI sent in stderr: "PHP message: PHP Warning:  is_writable(): open_basedir restriction in effect. File(/var/log/timetrex) is not within the allowed path(s): (/var/www/timetrex/..:/tmp/) in /var/www/timetrex/classes/modules/core/Debug.class.php on line 720PHP message: PHP Warning:  is_writable(): open_basedir restriction in effect. File(/var/log/timetrex) is not within the allowed path(s): (/var/www/timetrex/..:/tmp/) in /var/www/timetrex/classes/modules/core/Debug.class.php on line 720PHP message: PHP Warning:  is_writable(): open_basedir restriction in effect. File(/var/log/timetrex) is not within the allowed path(s): (/var/www/timetrex/..:/tmp/) in /var/www/timetrex/classes/modules/core/Debug.class.php on line 720" while reading response header from upstream, client: 172.16.30.254, server: timetrex.mstarm.net, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.3-fpm-timetrex.sock:", host: "timetrex.mstarm.net"
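
How nginx chooses a location for the requests in this post, as an added example that is not part of the original thread. The file set is constructed, and the model covers only regex-versus-prefix selection and the try_files fallback.

```python
import re

# Regex locations from the posted nginx-timetrex.conf, in file order.
# nginx tries regex locations in order and takes the first match; the
# prefix location "/" is used only when no regex location matches.
POSTED = [
    (r'/\.ht', 'deny'),
    (r'^/index\.php(/|$)', 'php-fpm'),
    (r'\.php$', 'return 404'),
]
# The same config with the final "return 404" block removed.
WITHOUT_404 = POSTED[:2]

# Constructed for this example: files assumed to exist under the root.
FILES = {'/index.php', '/favicon.ico', '/interface/html5/index.php'}


def select_location(uri, locations):
    """Return the action of the location chosen for a URI path."""
    for pattern, action in locations:
        if re.search(pattern, uri):
            return action
    return 'try_files'          # prefix location "/"


def handle(target, locations=POSTED):
    """Follow one request through location selection and try_files."""
    uri = target.split('?', 1)[0]       # locations match the path only
    action = select_location(uri, locations)
    if action != 'try_files':
        return action
    if uri in FILES:
        return 'static file'            # sent as-is, never executed
    # try_files fallback: internal redirect to /index.php, matched again
    return select_location('/index.php', locations)


if __name__ == '__main__':
    installer = '/interface/html5/index.php?installer=1&disable_db=1&external_installer=0'
    for target in ('/', '/interface', '/favicon.ico', installer):
        print(f'{handle(target):12} {target}')
    print(f'{handle(installer, WITHOUT_404):12} {installer}  (404 block removed)')
```

Under the posted rules only /index.php can reach PHP-FPM, so any other script path needs its own regex location ahead of the catch-all. With the catch-all removed, an existing .php file falls through to the prefix location and its source is sent to the client as a download.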

Re: NGINX Config Example

Posted: Thu Mar 04, 2021 8:56 am
by shaunw
2021/03/03 17:02:11 [error] 12331#12331: *2 FastCGI sent in stderr: "PHP message: PHP Warning: require_once(): open_basedir restriction in effect.
Try turning off open_basedir restrictions in your php.ini file.

Re: NGINX Config Example

Posted: Thu Mar 04, 2021 11:06 pm
by MStarM
Thank you for your time shaunw. I apologize, I am very inexperienced with php, having only implemented these apps for my business in the past year.

2021/03/03 17:02:11 [error] 12331#12331: *2 FastCGI sent in stderr: "PHP message: PHP Warning: require_once(): open_basedir restriction in effect.
This error has now been corrected. "open_basedir" is null in the global php.ini, however, my nginx-timetrex.conf was the culprit.

Code:

# /etc/nginx/sites-available/nginx-timetrex.conf
[...]
    location ~ ^/index\.php(/|$) {
        fastcgi_pass unix:/run/php/php7.3-fpm-timetrex.sock;
#        fastcgi_index index.php;
#        fastcgi_read_timeout 240;
#        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi.conf;
        fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/..:/tmp/";
        internal;
    }
[...]
Appended to

Code:

# /etc/nginx/sites-available/nginx-timetrex.conf
[...]
    location ~ ^/index\.php(/|$) {
        fastcgi_pass unix:/run/php/php7.3-fpm-timetrex.sock;
        fastcgi_index index.php;
        fastcgi_read_timeout 240;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi.conf;
        fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/..:/var/log/timetrex:/var/timetrex:/tmp";
        internal;
    }
[...]
This has not resolved the primary issue: I am still receiving error 404 or directly downloading the index.php file, and nginx's error log is no longer reporting any errors.


Yet, this has allowed the app to write its log file. The issue I notice in the log is that it is unable to connect to its database, which I did configure in timetrex.ini.php; however, it is stated that it may also be set during the install wizard. I have re-tested the login info against the database with success (mysql -u db_timetrex_user -p<REDACTED> db_timetrex), and it remains empty as I have not restored it.

I am willing to share additional info upon request.

Code:

; /var/www/timetrex/timetrex.ini.php

;<?php die('Unauthorized Access...'); //SECURITY MECHANISM, DO NOT REMOVE//?>
;
;
; TimeTrex Configuration File
; *Linux* Example
;
;

;
; System paths. NO TRAILING SLASHES!
;
[path]
;URL to TimeTrex web root directory. ie: http://your.domain.com/<*BASE_URL*>
;DO NOT INCLUDE http://your.domain.com, just the directory AFTER your domain
base_url = /interface

;
;Log directory  -- NOTICE: For security reasons, this should always be outside the web server document root.
;
log = /var/log/timetrex

;
;Misc storage, for attachments/images -- NOTICE: For security reasons, this should always be outside the web server document root.
;
storage = /var/timetrex/storage

;
;Full path and name to the PHP CLI Binary
;
php_cli = /usr/bin/php



;
; Database connection settings. These can be set from the installer.
;
[database]
type = mariadb

host = localhost
database_name = db_timetrex
user = db_timetrex_user
password = "<REDACTED>"


;
; Email delivery settings.
;
[mail]
;Least setup, deliver email through TimeTrex's email relay via SOAP (HTTP port 80/443)
;delivery_method = soap

;Deliver email through remote SMTP server with the following settings.
delivery_method = smtp
smtp_host=mail.mstarm.net
smtp_port=587
smtp_username=<REDACTED>
smtp_password=<REDACTED>

;The domain that emails will be sent from, do not include the "@" or anything before it.
; *ONLY* specify this if "delivery_method" above is "smtp" or "mail"
email_domain = MStarM.net

;The local part of the email address that emails will be sent from, do not include the "@" or anything after it.
; *ONLY* specify this if "delivery_method" above is "smtp"
;email_local_part = DoNotReply


;
; Cache settings
;
[cache]
enable = TRUE
;NOTICE: For security reasons, this must be outside the web server document root.
dir = /tmp/timetrex



[debug]
;Set to false if you're debugging
production = FALSE

enable = TRUE
enable_display = FALSE
buffer_output = TRUE
enable_log = TRUE
verbosity = 10



[other]
; Force all clients to use SSL.
force_ssl = FALSE
installer_enabled = TRUE
primary_company_id = 0

;Specify the URL hostname to be used to access TimeTrex. The BASE_URL specified above will be appended on to this automatically.
; This should be a fully qualified domain name only, do not include http:// or any trailing directories.
hostname = timetrex.mstarm.net

;ONLY when using a fully qualified hostname specified above, enable CSRF validation for increased security.
;enable_csrf_validation = TRUE

; System Administrators Email address to send critical errors to if necessary. Set to FALSE to disable completely.
;system_admin_email = "sysadmin@mydomain.com"

;WARNING: DO NOT CHANGE THIS AFTER YOU HAVE INSTALLED TIMETREX.
;If you do it will cause all your passwords to become invalid,
;and you may lose access to some encrypted data.
salt = 0
timetrex.log

Finally, I have also added to the nginx-timetrex.conf specific log files. Error.log is still empty, Access.log is below, not certain this helps at all. 172.16.30.254 is an internal HAProxy connection with the subdomain, and 192.168.10.1 is a direct connection to IPAddress:Port

Code:

172.16.30.254 - - [04/Mar/2021:22:25:43 -0700] "GET /interface/html5/index.php HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
172.16.30.254 - - [04/Mar/2021:22:25:45 -0700] "GET /interface/html5/index.php HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
172.16.30.254 - - [04/Mar/2021:22:25:45 -0700] "GET /favicon.ico HTTP/1.1" 200 32988 "https://timetrex.mstarm.net/interface/html5/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
172.16.30.254 - - [04/Mar/2021:22:25:50 -0700] "GET /interface/ HTTP/1.1" 302 59 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
172.16.30.254 - - [04/Mar/2021:22:25:50 -0700] "GET /interface/html5/index.php?installer=1&disable_db=1&external_installer=0 HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
192.168.10.1 - - [04/Mar/2021:22:26:38 -0700] "GET /en/login HTTP/1.1" 302 59 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
192.168.10.1 - - [04/Mar/2021:22:26:38 -0700] "GET /interface/html5/index.php?installer=1&disable_db=1&external_installer=0 HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
192.168.10.1 - - [04/Mar/2021:22:26:38 -0700] "GET /favicon.ico HTTP/1.1" 200 32988 "http://172.16.30.141:30080/interface/html5/index.php?installer=1&disable_db=1&external_installer=0" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
192.168.10.1 - - [04/Mar/2021:22:30:22 -0700] "GET /interface/html5/index.php?installer=1&disable_db=1&external_installer=0 HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
192.168.10.1 - - [04/Mar/2021:22:30:22 -0700] "GET /favicon.ico HTTP/1.1" 200 32988 "http://172.16.30.141:30080/interface/html5/index.php?installer=1&disable_db=1&external_installer=0" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
172.16.30.254 - - [04/Mar/2021:22:30:28 -0700] "GET / HTTP/1.1" 302 59 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
172.16.30.254 - - [04/Mar/2021:22:30:28 -0700] "GET /interface/html5/index.php?installer=1&disable_db=1&external_installer=0 HTTP/1.1" 404 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
172.16.30.254 - - [04/Mar/2021:22:30:28 -0700] "GET /favicon.ico HTTP/1.1" 200 32988 "https://timetrex.mstarm.net/interface/html5/index.php?installer=1&disable_db=1&external_installer=0" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
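
The path arithmetic behind the open_basedir warnings and the amended value, as an added example that is not part of the original posts. It assumes no symlinks are involved (PHP checks resolved paths); SIBLING and TIGHTER are constructed for illustration, and TIGHTER has not been tested with TimeTrex.

```python
import posixpath
import re

# Trimmed from the two open_basedir warnings quoted in this thread.
WARNINGS = [
    'File(/var/www/timetrex/includes/global.inc.php) is not within the '
    'allowed path(s): (/var/www/timetrex/interface/html5/..:/tmp/)',
    'File(/var/log/timetrex) is not within the allowed path(s): '
    '(/var/www/timetrex/..:/tmp/)',
]
# The amended PHP_ADMIN_VALUE with $document_root = /var/www/timetrex.
AMENDED = '/var/www/timetrex/..:/var/log/timetrex:/var/timetrex:/tmp'
# Constructed: the same list without the "/.." step (untested with TimeTrex).
TIGHTER = '/var/www/timetrex:/var/log/timetrex:/var/timetrex:/tmp'
# Constructed: a file belonging to some other site under /var/www.
SIBLING = '/var/www/otherapp/config/.env'

WARNING_RE = re.compile(r'File\((?P<file>[^)]+)\) is not within the allowed '
                        r'path\(s\): \((?P<allowed>[^)]+)\)')


def parse_warning(line):
    """Return (file, open_basedir value) from a PHP warning, or None."""
    m = WARNING_RE.search(line)
    return (m['file'], m['allowed']) if m else None


def effective_dirs(open_basedir):
    """Split the colon-separated list and collapse '.', '..' and trailing '/'."""
    return [posixpath.normpath(p) for p in open_basedir.split(':') if p]


def is_allowed(path, open_basedir):
    """True if path equals an allowed directory or lies beneath one."""
    path = posixpath.normpath(path)
    return any(path == base or path.startswith(base.rstrip('/') + '/')
               for base in effective_dirs(open_basedir))


if __name__ == '__main__':
    for line in WARNINGS:
        file, allowed = parse_warning(line)
        print(file, effective_dirs(allowed), is_allowed(file, allowed))
    for label, value in (('amended', AMENDED), ('tighter', TIGHTER)):
        print(label, effective_dirs(value),
              'sibling site readable:', is_allowed(SIBLING, value))
```

Because `$document_root/..` resolves to /var/www, the amended value lets the TimeTrex pool read every other site stored under that directory; listing the application directory itself keeps the restriction scoped to one app.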

Re: NGINX Config Example

Posted: Fri Mar 05, 2021 9:09 am
by shaunw
A few things:

1. You should be trying to access "/interface/install/install.php" the first time you install TimeTrex.
2. MySQL database is not supported, you must use PostgreSQL instead.
3. I would recommend using the default timetrex.ini.php initially, going through the above installer will help you configure everything. Since you have modified the timetrex.ini.php file, you've actually used settings that aren't valid and are causing fatal errors because of it.

Re: NGINX Config Example

Posted: Fri Mar 05, 2021 11:38 am
by MStarM
Understandable.

1. Same issue.
2. I thought I had read somewhere on the installation pages or in the forums that it was possible to use another database. I must be mistaken.

I was really hoping to integrate TimeTrex into preexisting stacks and not have multiple, similar, yet different backends to save resources. But, I will try again with a new VM and recommended/default setup - Postgres & Apache.
Thank you again for your time. I will report back if any issues arise with the fresh setup.

Re: NGINX Config Example

Posted: Fri Mar 05, 2021 2:19 pm
by shaunw
If you are getting the same error, it's likely that you haven't corrected your timetrex.ini.php, which states "mariadb" for the database type and can only be "postgres" like the example file uses.

Please note we have step-by-step instructions for standard installations of TimeTrex on Linux here:
https://www.timetrex.com/how-to-install ... ntu-debian