So couple days ago I installed NGINX 1.23.3 QUIC with Brotli, TLS 1.3, OpenSSL 1.1.1s with HTTP/2 and HTTP/3... so server with fastcgi and php-fpm... when I load site for first time it works with http2 and everything is fine. After reload page, or I visit on site some article or category there is no more domain.com in links... for example https: //example.com/somecat/subcat... with http3 is https ://somecat/subcat... a lot of hours I was trying to find problem but nothing, even cant imagine where to look.
Only what I figured out is that if i put proxy_pass http: //example.com; after location / { it fixes problem only for main page but not all around site (categories...etc.). Maybe somebody had this kind of problem... Any advise would be great!!!
Host config looks like:
server {
listen IP:443 http3;
listen IP:443 ssl http2;
server_name www.example.com;
return 301 $scheme://example.com$request_uri;
ssl_certificate /home/admin/conf/web/ssl.example.com.pem;
ssl_certificate_key /home/admin/conf/web/ssl.example.com.key;
}
server {
listen IP:443 http3 reuseport;
listen IP:443 ssl http2;
server_name example.com;
root /home/admin/web/example.com/public_html;
index index.php index.html index.htm;
#access_log /var/log/nginx/domains/example.com.log combined;
#access_log /var/log/nginx/domains/example.com.bytes bytes;
access_log off;
error_log /var/log/nginx/domains/example.com.error.log error;
ssl_protocols TLSv1.2 TLSv1.3;
quic_retry on;
ssl_early_data on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE:!COMPLEMENTOFDEFAULT;
#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers off;
ssl_session_tickets off;
ssl_buffer_size 8k;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
ssl_certificate /home/admin/conf/web/ssl.example.com.pem;
ssl_certificate_key /home/admin/conf/web/ssl.example.com.key;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
http2_push_preload on;
add_header Alt-Svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';
add_header QUIC-Status $http3;
include /etc/nginx/badbots.conf;
location / {
rewrite "^/pm(/(.*))?/?$" /index.php?do=pm last;
rewrite "^/friends/([^/]*)(/?)+$" /index.php?do=friends&user=$1 last;
rewrite "^/friends/([^/]*)/page/([0-9]+)(/?)+$" /index.php?do=friends&user=$1&cstart=$2 last;
rewrite "^/friends/([^/]*)/common(/?)+$" /index.php?do=friends&subaction=common&user=$1 last;
rewrite "^/friends/([^/]*)/common/page/([0-9]+)(/?)+$" /index.php?do=friends&subaction=common&user=$1&cstart=$2 last;
rewrite "^/friends/([^/]*)/requests(/?)+$" /index.php?do=friends&subaction=requests&user=$1 last;
rewrite "^/friends/([^/]*)/requests/page/([0-9]+)(/?)+$" /index.php?do=friends&subaction=requests&user=$1&cstart=$2 last;
rewrite "^/friends/([^/]*)/suggestions(/?)+$" /index.php?do=friends&subaction=suggestions&user=$1 last;
rewrite "^/page/([0-9]+)(/?)$" /index.php?cstart=$1 last;
rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/page,([0-9]+),([0-9]+),(.*).html$" /index.php?subaction=showfull&year=$1&month=$2&day=$3&news_page=$4&cstart=$5&news_name=$6&seourl=$6 last;
rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/page,([0-9]+),(.*).html$" /index.php?subaction=showfull&year=$1&month=$2&day=$3&news_page=$4&news_name=$5&seourl=$5 last;
rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/print:page,([0-9]+),(.*).html$" /index.php?mod=print&subaction=showfull&year=$1&month=$2&day=$3&news_page=$4&news_name=$5&seourl=$5 last;
rewrite "^/([0-9]{4})/([0-9]{2})/([0-9]{2})/(.*).html$" /index.php?subaction=showfull&year=$1&month=$2&day=$3&news_name=$4&seourl=$4 last;
rewrite "^/([^.]+)/page,([0-9]+),([0-9]+),([0-9]+)-(.*).html$" /index.php?newsid=$4&news_page=$2&cstart=$3&seourl=$5&seocat=$1 last;
rewrite "^/([^.]+)/page,([0-9]+),([0-9]+)-(.*).html$" /index.php?newsid=$3&news_page=$2&seourl=$4&seocat=$1 last;
rewrite "^/([^.]+)/print:page,([0-9]+),([0-9]+)-(.*).html$" /index.php?mod=print&news_page=$2&newsid=$3&seourl=$4&seocat=$1 last;
rewrite "^/([^.]+)/([0-9]+)-(.*).html$" /index.php?newsid=$2&seourl=$3&seocat=$1 last;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js|woff|woff2|webp)$ {
expires max;
}
location ~ [^/]\.php(/|$) {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass unix:/var/run/php-example.com.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;
error_page 404 /error/404.html;
error_page 500 502 503 504 /error/50x.html;
location /error/ {
alias /home/admin/web/example.com/document_errors/;
}
location ~* "/\.(htaccess|htpasswd)$" {
deny all;
return 404;
}
location /vstats/ {
alias /home/admin/web/example.com/stats/;
include /home/admin/conf/web/example.com.auth*;
}
include /etc/nginx/conf.d/phpmyadmin.inc*;
include /etc/nginx/conf.d/phppgadmin.inc*;
include /etc/nginx/conf.d/webmail.inc*;
include /home/admin/conf/web/snginx.example.com.conf*;
location ~ "/uploads/.*\.php$|/templates/.*\.php$|/language/.*\.php$|/images/.*\.php$"
{
return 403;
}
location ~* (uploads|uploads/fotos|templates|language)/.+\.php {
deny all;
}
location ~* /templates/.+\.tpl {
deny all;
}
location ~* (engine/cache|engine/data) {
deny all;
}
location ~ /\.ht {
deny all;
}
}
Nginx config:
# Server globals
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log crit;
pid /var/run/nginx.pid;
Worker config
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
# Main settings
sendfile on;
#tcp_nopush on;
#tcp_nodelay on;
client_header_timeout 1m;
client_body_timeout 1m;
client_header_buffer_size 2k;
client_body_buffer_size 256k;
client_max_body_size 256m;
large_client_header_buffers 4 8k;
send_timeout 30;
keepalive_timeout 60 60;
reset_timedout_connection on;
server_tokens off;
server_name_in_redirect off;
types_hash_max_size 2048;
variables_hash_max_size 1024;
variables_hash_bucket_size 128;
# Log format
log_format main '$remote_addr - $remote_user [$time_local] $request '
'"$status" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format bytes '$body_bytes_sent';
#access_log /var/log/nginx/access.log main;
access_log off;
# Mime settings
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Compression
gzip on;
gzip_vary on;
gzip_comp_level 6;
gzip_min_length 512;
gzip_buffers 8 64k;
gzip_proxied any;
gzip_disable "MSIE [1-6]\.";
gzip_types text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype text/x-component text/x-cross-domain-policy;
# Proxy settings
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Set-Cookie;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
# SSL PCI Compliance
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:10m;
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE:!COMPLEMENTOFDEFAULT;
# Error pages
error_page 403 /error/403.html;
error_page 404 /error/404.html;
error_page 502 503 504 /error/50x.html;
# Cache settings
proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
proxy_cache_key "$host$request_uri $cookie_user";
proxy_temp_path /var/cache/nginx/temp;
proxy_ignore_headers Expires Cache-Control;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_valid any 1d;
# FastCgi Cache
fastcgi_buffers 8 256k;
fastcgi_buffer_size 256k;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_cache_path /tmp/nginx_cache levels=1:2 keys_zone=fastcgicache:10m max_size=1024m inactive=1h;
# File cache settings
open_file_cache max=10000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
# Wildcard include
include /etc/nginx/conf.d/*.conf;
}
