    Nginx problem - complete image 1.6.1 - error 403

    Edit: Solution: I managed to wreck the certificates on the PC, Chrome then no longer accessed them and nginx therefore correctly denied me access; on the phone a single restart fixed the problem.
    End of edit - here is the original post:

    Hello

    as the title already hints - nginx doesn't like me

    The base is the current image from Onkelandy - reverse proxy set up via the script

    It already worked, but yesterday I got a new Fritz.Box and have now activated MyFritz DNS - my domain, which I use to call up SmarthomeNG, now no longer points to an A record with the IP address but via CNAME to the DynDNS name (domain from World4You).

    nginx now denies access to my phone as well as my PC (error 403 - access forbidden by rule)
    My wife's phone and the company phone, however, work flawlessly with the certificate

    Where does it fail? - which log helps, which config file etc.

    Attached, prophylactically, the /etc/nginx/sites-enabled/default

    Code:
    ##
    # You should look at the following URL's in order to grasp a solid understanding
    # of Nginx configuration files in order to fully unleash the power of Nginx.
    # https://www.nginx.com/resources/wiki/start/
    # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
    # https://wiki.debian.org/Nginx/DirectoryStructure
    #
    # In most cases, administrators will remove this file from sites-enabled/ and
    # leave it as reference inside of sites-available where it will continue to be
    # updated by the nginx packaging team.
    #
    # This file will automatically load configuration files provided by other
    # applications, such as Drupal or Wordpress. These applications will be made
    # available underneath a path with that package name, such as /drupal8.
    #
    # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
    ##
    
    # Default server configuration
    #
    
    upstream websocket {
        server 127.0.0.1:2424;
    }
    
    upstream mainhost {
        server 127.0.0.1;
        keepalive 20;
    }
    
    upstream sv {
        server 127.0.0.1;
        keepalive 20;
    }
    
    upstream alexa {
        server 127.0.0.1:9000;
    }
    
    upstream shng {
        server 127.0.0.1:8383;
    }
    
    upstream nodered {
        server 127.0.0.1:1880;
    }
    
    upstream shnet {
        server 127.0.0.1:8888;
    }
    
    upstream monithost {
        server 127.0.0.1:2812;
    }
    
    upstream grafanahost {
        server 192.168.1.19:3000;
    }
    
    upstream tvheadend {
        server 192.168.1.80:9981;
    }
    
    server {
    
        listen 80 default_server;
        listen [::]:80 default_server;
        include /etc/nginx/snippets/letsencrypt.conf;
        root /var/www/html;
    
        # Redirect to HTTPS
        if ($http_x_forwarded_proto = "http") {
          return 301 https://$server_name$request_uri;
        }
    
        ## Block if the request comes from a country that is not allowed ##
        if ($allowed_country = no) {
            return 403;
        }
    
        # https://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html
        ## Block download agents ##
        if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
            return 403;
        }
    
        ## Block some robots ##
        if ($http_user_agent ~* msnbot|scrapbot) {
            return 403;
        }
    
        ## Deny certain Referers ##
        if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) )
        {
            return 403;
        }
    
        access_log /var/log/nginx/access.log specialLog;
        error_log /var/log/nginx/error.log;
    
        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html index.php;
    
        server_name meine.domain.xy;
    
        # Skip^1 caching variable init
        set $nocache 0;
        # Bypass^2 caching variable init
        set $purgecache 0;
    
        # Bypass^2 cache on no-cache (et al.) browser request
        if ($http_cache_control ~ "max-age=0")
            { set $purgecache 1; }
        if ($http_cache_control ~ "no-cache")
            { set $purgecache 1; }
        # Bypass^2 cache with custom header set on request
        if ($http_x_cache_purge ~* "true")
            { set $purgecache 1; }
    
        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
                if ($http_upgrade = websocket) {
                        proxy_pass http://websocket;
                }
        }
    
        # pass PHP scripts to FastCGI server
    
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
    
        }
    
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
            include /etc/nginx/headers.conf;
            expires 7d;
            add_header Cache-Control "public, no-transform";
        }
    
        location ~* favicon|apple-touch-icon|android-chrome-|mstile-|safari-pinned-tab.svg|browserconfig.xml|manifest.json|apple-icon|ms-icon|android-icon|mstile {
            try_files $uri @favicons;
        }
    
        location @favicons {
            rewrite ^/(.+)$ /favicons/$1 last;
        }
    
        location /visu_websocket/ {
            include /etc/nginx/headers.conf;
            satisfy any;
            #auth_basic "Restricted Area: Smarthome NG Backend";
            #auth_basic_user_file /etc/nginx/.shng;
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
    
            proxy_ignore_client_abort on;
            proxy_pass http://$host:8383;
    
            location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
                include /etc/nginx/headers.conf;
                expires 7d;
                add_header Cache-Control "public, no-transform";
                proxy_pass http://$host:8383;
                }
    
        }
    
        location /api/ {
            include /etc/nginx/headers.conf;
            satisfy any;
            #auth_basic "Restricted Area: Smarthome NG Backend";
            #auth_basic_user_file /etc/nginx/.shng;
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
    
            proxy_ignore_client_abort on;
            proxy_pass http://$host:8383;
    
            location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
                include /etc/nginx/headers.conf;
                expires 7d;
                add_header Cache-Control "public, no-transform";
                proxy_pass http://$host:8383;
                }
    
        }
    
        location /admin/ {
            include /etc/nginx/headers.conf;
            satisfy any;
            #auth_basic "Restricted Area: Smarthome NG Backend";
            #auth_basic_user_file /etc/nginx/.shng;
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
    
            proxy_pass http://$host:8383;
    
            location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
                include /etc/nginx/headers.conf;
                expires 7d;
                add_header Cache-Control "public, no-transform";
                proxy_pass http://$host:8383;
                }
    
        }
    
        location /backend/ {
            include /etc/nginx/headers.conf;
            satisfy any;
            #auth_basic "Restricted Area: Smarthome NG Backend";
            #auth_basic_user_file /etc/nginx/.shng;
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
    
            proxy_pass http://$host:8383;
    
            location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
                include /etc/nginx/headers.conf;
                expires 7d;
                add_header Cache-Control "public, no-transform";
                proxy_pass http://$host:8383;
                }
    
        }
    
        location /gstatic/ {
            include /etc/nginx/headers.conf;
            satisfy any;
            #auth_basic "Restricted Area: Smarthome NG Backend";
            #auth_basic_user_file /etc/nginx/.shng;
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
            proxy_pass http://$host:8383;
    
            location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
                include /etc/nginx/headers.conf;
                expires 7d;
                add_header Cache-Control "public, no-transform";
                proxy_pass http://$host:8383;
                }
    
        }
    
        # Network plugin forwarding
        location /shnet/ {
            include /etc/nginx/headers.conf;
            satisfy any;
            #auth_basic "Restricted Area: Smarthome NG Network";
            #auth_basic_user_file /etc/nginx/.shng;
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
    
            proxy_pass http://shnet;
            rewrite ^/shnet/(.*) /$1 break;
        }
    
        # Node-RED forwarding
        location /red/ {
            include /etc/nginx/headers.conf;
            satisfy any;
            #auth_basic "Restricted Area: Smarthome NG Network";
            #auth_basic_user_file /etc/nginx/.shng;
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
    
            proxy_pass http://nodered;
            #rewrite ^/red/(.*) /$1 break;
            location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
                include /etc/nginx/headers.conf;
                expires 7d;
                add_header Cache-Control "public, no-transform";
                proxy_pass http://nodered;
            }
        }
    
     # Forwarding to Grafana
        location /grafana/ {
            satisfy any;
            allow 127.0.0.1;
            allow 10.0.0.0/8;
            allow 192.168.0.0/16;
    #        auth_basic "Restricted Area: Monit";
    #        auth_basic_user_file /etc/nginx/.monit;
            allow ::1;
            deny all;
    
            proxy_pass   http://grafanahost/;
            include /etc/nginx/headers.conf;
            location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
                rewrite ^/grafana/(.*) /$1 break;
                include /etc/nginx/headers.conf;
                expires 7d;
                add_header Cache-Control "public, no-transform";
                proxy_pass http://grafanahost;
            }
        }
    
     # Forwarding to TVHeadend
        location /tvheadend {
            proxy_pass   http://tvheadend;
            rewrite ^/tvheadend(/.*)$ $1 break;
        }
    
    
      # Forwarding to Monit
        location /monit/ {
            satisfy any;
            allow 127.0.0.1;
            allow 10.0.0.0/8;
            allow 192.168.0.0/16;
            allow ::1;
            #auth_basic "Restricted Area: Monit";
            #auth_basic_user_file /etc/nginx/.monit;
            deny all;
    
            proxy_ignore_client_abort on;
            rewrite ^/monit/(.*) /$1 break;
            proxy_pass   http://monithost;
            include /etc/nginx/headers.conf;
    
            location  ~* favicon.ico {
            alias /var/www/html/favicon/monit/favicon.ico;
            }
        }
    
    
            # deny access to .htaccess files, if Apache's document root
            # concurs with nginx's one
            #
            #location ~ /\.ht {
            #       deny all;
            #}
    }
    and the nginx.conf

    Code:
    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;
    include /etc/nginx/modules-enabled/*.conf;
    
    events {
            worker_connections 768;
            # multi_accept on;
    }
    
    http {
            log_format specialLog '[$time_local] $remote_addr forwarded for $http_x_real_ip - '
                              'Request: "$request" - Status: $status - Bytes sent: $body_bytes_sent '
                              'Referrer: "$http_referer" - User Agent: "$http_user_agent"';
    
            ##
            # Basic Settings
            ##
            map $http_upgrade $connection_upgrade {
                    default upgrade;
                    ''      close;
            }
    
            sendfile on;
            tcp_nopush on;
            tcp_nodelay on;
            keepalive_timeout 65;
            types_hash_max_size 2048;
    
            include /etc/nginx/mime.types;
            default_type application/octet-stream;
            include    /etc/nginx/proxy_params;
            include    /etc/nginx/fastcgi_params;
            ##
            # SSL Settings
            ##
    
            ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
            ssl_prefer_server_ciphers on;
    
            ##
            # Logging Settings
            ##
    
            access_log /var/log/nginx/access.log specialLog buffer=64K;
            error_log /var/log/nginx/error.log;
    
            ##
            # Gzip Settings
            ##
            gzip on;
            gzip_disable "msie6";
            gunzip on;
            gzip_static on;
            gzip_comp_level 2;
            gzip_proxied any;
            gzip_types application/javascript application/json application/vnd.ms-fontobject application/x-font-ttf image/svg+xml text/css text/plain text/xml;
            gzip_vary on;
            gzip_buffers 16 8k;
            gzip_http_version 1.1;
    
            ##
            # GeoIP Settings
            # Only countries from the allowed IP ranges may pass the reverse
            # proxy!
            # https://www.howtoforge.de/anleitung/nginx-besucher-mit-dem-geoip-modul-nach-landern-blocken-debianubuntu/
            ##
            geoip_country /usr/share/GeoIP/GeoIP.dat;
            map $geoip_country_code $allowed_country {
                default yes;
                BY no;
                BR no;
                KP no;
                KR no;
                RS no;
                RO no;
                RU no;
                CN no;
                CD no;
                NE no;
                GH no;
                IQ no;
                IR no;
                SY no;
                UA no;
                HK no;
                JP no;
                SC no;
            }
            ##
            # Virtual Host Configs
            ##
    
            include /etc/nginx/conf.d/*.conf;
            include /etc/nginx/sites-enabled/*;
    
            ##
            # Harden nginx against DDOS
            ##
    
            client_header_timeout 10;
            client_body_timeout   10;
    }
    and the https.conf


    Code:
    server {
        set $nw_port 8888;
        set $backend_port 8383;
        set $red_port 1880;
        server_tokens off;
    
        ## Block if the request comes from a country that is not allowed ##
        if ($allowed_country = no) {
            return 403;
        }
    
        # https://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html
        ## Block download agents ##
        if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
            return 403;
        }
    
        ## Block some robots ##
        if ($http_user_agent ~* msnbot|scrapbot) {
            return 403;
        }
    
        ## Deny certain Referers ##
        if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) )
        {
            return 403;
        }
    
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name meine.domain.xy;
        ##
        # SSL
        ##
    
        ## Activate SSL, set the SERVER certificate information ##
        # Generated via Let's Encrypt!
        ssl_certificate /etc/letsencrypt/live/meine.domain.xy/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/meine.domain.xy/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/meine.domain.xy/fullchain.pem;
        ssl_session_cache builtin:1000 shared:SSL:60m;
        ssl_prefer_server_ciphers on;
        # disable insecure SSL ciphers!
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
        ssl_ecdh_curve secp384r1;
        ssl_protocols TLSv1.2;
        ssl_session_timeout 60m;
        ssl_session_tickets on;
        ssl_session_ticket_key /etc/nginx/nginx_ticketkey;
        #ssl_buffer_size 16k;   #for throughput, video applications
        ssl_buffer_size 4k;     #for quick first byte delivery
    
        # Client certificate specific
        ssl_client_certificate /etc/ssl/ca/certs/ca.crt;
        ssl_crl /etc/ssl/ca/private/ca.crl;
        ssl_verify_client optional;
        ssl_dhparam /etc/ssl/ca/dh.pem;
    
        # OCSP Stapling ---
        # fetch OCSP records from URL in ssl_certificate and cache them
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
    
        client_body_buffer_size 8K;
        client_max_body_size 20m;
        client_body_timeout 10s;
        client_header_buffer_size 1k;
        large_client_header_buffers 2 16k;
        client_header_timeout 5s;
    
        ##
        # global
        ##
    
        root /var/www/html;
    
        # Add index.php to the list if you are using PHP
        index index.html index.htm index.php;
    
        # Proxy Caching
        # Skip^1 caching variable init
        set $nocache 0;
        # Bypass^2 caching variable init
        set $purgecache 0;
    
        # Bypass^2 cache on no-cache (et al.) browser request
        if ($http_cache_control ~ "max-age=0")
            { set $purgecache 1; }
        if ($http_cache_control ~ "no-cache")
            { set $purgecache 1; }
        # Bypass^2 cache with custom header set on request
        if ($http_x_cache_purge ~* "true")
            { set $purgecache 1; }
    
        location ~* favicon|apple-touch-icon|android-chrome-|mstile-|safari-pinned-tab.svg|browserconfig.xml|manifest.json|apple-icon|ms-icon|android-icon|mstile {
            try_files $uri @favicons;
        }
    
        location @favicons {
            rewrite ^/(.+)$ /favicons/$1 last;
        }
    
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|xml)$ {
            include /etc/nginx/headers.conf;
            expires 7d;
            add_header Cache-Control "public, no-transform";
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
        }
    
        # Forwarding to SmartHomeNG (websocket interface) with basic auth
        location = / {
            include /etc/nginx/headers.conf;
            satisfy any;
    #        auth_basic "Restricted Area: smartVISU2.9";
    #        auth_basic_user_file /etc/nginx/.smartvisu;
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
    
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
    
            # Only let websocket connections through against "/"!
            if ($http_upgrade = websocket) {
                    proxy_pass http://websocket;
            }
    
        }
    
        # Access to smartVISU with basic auth
        location /smartVISU {
            include /etc/nginx/headers.conf;
            satisfy any;
    #        auth_basic "Restricted Area: smartVISU2.9";
    #        auth_basic_user_file /etc/nginx/.smartvisu;
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
    #        allow all;
            deny all;
    
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
    
            #This is alternative to the lua script but doesn't work with Apple devices.
            #if ($ssl_client_verify != SUCCESS) {
            #    return 403;
            #}
            proxy_pass http://sv/smartVISU;
        }
    
        # Access to smartVISU 2.9 with basic auth
        location /smartVISU2.9 {
            include /etc/nginx/headers.conf;
            satisfy any;
    #        auth_basic "Restricted Area: smartVISU2.9";
    #        auth_basic_user_file /etc/nginx/.smartvisu;
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
    #        deny all;
    
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
    
            proxy_pass http://sv/smartVISU2.9;
        }
    
        # Access to nodered
        location /red/ {
            include /etc/nginx/headers.conf;
            satisfy any;
    #        auth_basic "Restricted Area: smartVISU2.9";
    #        auth_basic_user_file /etc/nginx/.smartvisu;
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
    
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
    
            proxy_pass http://$server_addr:$red_port;
            location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
                include /etc/nginx/headers.conf;
                expires 7d;
                add_header Cache-Control "public, no-transform";
                proxy_pass http://$server_addr:$red_port;
                access_by_lua_file /etc/nginx/scripts/hass_access.lua;
            }
        }
    
        # Alexa plugin forwarding
        location /alexa/ {
            include /etc/nginx/headers.conf;
            satisfy any;
    #        auth_basic "Restricted Area: Alexa";
    #        auth_basic_user_file /etc/nginx/.alexa;
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
    
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
    
            proxy_pass http://alexa;
        }
    
        # Backend plugin forwarding
        location /gstatic/ {
            include /etc/nginx/headers.conf;
            satisfy any;
            #auth_basic "Restricted Area: Smarthome NG Backend";
            #auth_basic_user_file /etc/nginx/.shng;
            proxy_set_header Authorization "Basic c21hcnRob21lCg==";
            # Create your base64 password on the command line: openssl enc -base64 <<< '<PASSWORD>'
            # (note: the <<< here-string appends a newline, which ends up inside the encoded value;
            #  printf '%s' 'user:password' | openssl base64 avoids that)
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
    
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
    
            location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
                include /etc/nginx/headers.conf;
                expires 7d;
                add_header Cache-Control "public, no-transform";
                proxy_pass http://$server_addr:$backend_port;
                access_by_lua_file /etc/nginx/scripts/hass_access.lua;
            }
    
            proxy_pass http://$server_addr:$backend_port;
        }
    
        location /visu_websocket/ {
            include /etc/nginx/headers.conf;
            satisfy any;
            #auth_basic "Restricted Area: Smarthome NG Backend";
            #auth_basic_user_file /etc/nginx/.shng;
            proxy_set_header Authorization "Basic c21hcnRob21lCg==";
            # Create your base64 password on the command line: openssl enc -base64 <<< '<PASSWORD>'
    
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
    
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
    
            location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
                include /etc/nginx/headers.conf;
                expires 7d;
                add_header Cache-Control "public, no-transform";
                proxy_pass http://$server_addr:$backend_port;
                access_by_lua_file /etc/nginx/scripts/hass_access.lua;
            }
    
            proxy_pass http://$server_addr:$backend_port;
        }
    
        location /api/ {
            include /etc/nginx/headers.conf;
            satisfy any;
            #auth_basic "Restricted Area: Smarthome NG Backend";
            #auth_basic_user_file /etc/nginx/.shng;
            proxy_set_header Authorization "Basic c21hcnRob21lCg==";
            # Create your base64 password on the command line: openssl enc -base64 <<< '<PASSWORD>'
    
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
    
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
    
            location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
                include /etc/nginx/headers.conf;
                expires 7d;
                add_header Cache-Control "public, no-transform";
                proxy_pass http://$server_addr:$backend_port;
                access_by_lua_file /etc/nginx/scripts/hass_access.lua;
            }
    
            proxy_pass http://$server_addr:$backend_port;
        }
    
        location /admin/ {
            include /etc/nginx/headers.conf;
            satisfy any;
            #auth_basic "Restricted Area: Smarthome NG Backend";
            #auth_basic_user_file /etc/nginx/.shng;
            proxy_set_header Authorization "Basic c21hcnRob21lCg==";
            # Create your base64 password on the command line: openssl enc -base64 <<< '<PASSWORD>'
    
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
    
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
    
            location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
                include /etc/nginx/headers.conf;
                expires 7d;
                add_header Cache-Control "public, no-transform";
                proxy_pass http://$server_addr:$backend_port;
                access_by_lua_file /etc/nginx/scripts/hass_access.lua;
            }
    
            proxy_pass http://$server_addr:$backend_port;
        }
    
        location /backend/ {
            include /etc/nginx/headers.conf;
            satisfy any;
            #auth_basic "Restricted Area: Smarthome NG Backend";
            #auth_basic_user_file /etc/nginx/.shng;
            proxy_set_header Authorization "Basic c21hcnRob21lCg==";
            # Create your base64 password on the command line: openssl enc -base64 <<< '<PASSWORD>'
    
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
    
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
    
            location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
                include /etc/nginx/headers.conf;
                expires 7d;
                add_header Cache-Control "public, no-transform";
                proxy_pass http://$server_addr:$backend_port;
                access_by_lua_file /etc/nginx/scripts/hass_access.lua;
            }
    
            proxy_pass http://$server_addr:$backend_port;
        }
    
        # Network plugin forwarding
        location /shnet/ {
            include /etc/nginx/headers.conf;
            satisfy any;
    #        auth_basic "Restricted Area: Smarthome NG Network";
    #        auth_basic_user_file /etc/nginx/.shng;
            proxy_set_header Authorization "Basic c21hcnRob21lCg==";
            # Create your base64 password on the command line: openssl enc -base64 <<< '<PASSWORD>'
            allow 127.0.0.1;
            allow 192.168.0.0/16;
            allow 10.0.0.0/16;
            allow ::1;
            deny all;
    
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
    
            rewrite ^/shnet/(.*) /$1 break;
            proxy_pass http://$server_addr:$nw_port;
    
        }
    
     # Forwarding to Grafana
        location /grafana/ {
            satisfy any;
            allow 127.0.0.1;
            allow 10.0.0.0/8;
            allow 192.168.0.0/16;
    #        auth_basic "Restricted Area: Monit";
    #        auth_basic_user_file /etc/nginx/.monit;
            allow ::1;
            deny all;
    
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
    
            proxy_pass   http://grafanahost/;
            include /etc/nginx/headers.conf;
            location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
                rewrite ^/grafana/(.*) /$1 break;
                include /etc/nginx/headers.conf;
                expires 7d;
                add_header Cache-Control "public, no-transform";
                proxy_pass http://grafanahost;
                access_by_lua_file /etc/nginx/scripts/hass_access.lua;
            }
        }
    
        # Forwarding to Monit
        location /monit/ {
            satisfy any;
            allow 127.0.0.1;
            allow 10.0.0.0/8;
            allow 192.168.0.0/16;
    #        auth_basic "Restricted Area: Monit";
    #        auth_basic_user_file /etc/nginx/.monit;
            allow ::1;
            deny all;
    
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
    
            rewrite ^/monit/(.*) /$1 break;
            proxy_pass   http://monithost;
            include /etc/nginx/headers.conf;
    
            location ~* favicon.ico {
                alias /var/www/html/favicon/monit/favicon.ico;
            }
        }
    
        # Forwarding to Monitgraph
        location /monitgraph/ {
            satisfy any;
            allow 127.0.0.1;
            allow 10.0.0.0/8;
            allow 192.168.0.0/16;
    #        auth_basic "Restricted Area: Monitgraph";
    #        auth_basic_user_file /etc/nginx/.monit;
            allow ::1;
            deny all;
    
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
    
            proxy_pass   http://mainhost/monitgraph/;
            include /etc/nginx/headers.conf;
        }
    
        # Forwarding to phpMyAdmin
        location /phpmyadmin/ {
            satisfy any;
            allow 127.0.0.1;
            allow 10.0.0.0/8;
            allow 192.168.0.0/16;
    #        auth_basic "Restricted Area: PHP MyAdmin";
    #        auth_basic_user_file /etc/nginx/.monit;
            allow ::1;
            deny all;
    
            # This script tests the SSL certificate and enables Websocket access with Apple devices.
            # If you want to limit your access to devices with certificates (recommended!), don't remove this line!
            access_by_lua_file /etc/nginx/scripts/hass_access.lua;
    
            proxy_pass   http://mainhost/phpmyadmin/;
            include /etc/nginx/headers.conf;
        }
    }
    and last but not least the /var/log/nginx/error.log

    Code:
    2019/12/29 17:43:32 [error] 29097#29097: *3 access forbidden by rule, client: 193.xxx.xxx.179, server: meine.domain.xy, request: "GET /smartVISU/index.php?page=config HTTP/2.0", host: "meine.domain.xy", referrer: "https://meine.domain.xy/smartVISU/index.php?"
    2019/12/29 17:43:33 [error] 29097#29097: *3 access forbidden by rule, client: 193.xxx.xxx.179, server: meine.domain.xy, request: "GET /smartVISU/index.php?page=config HTTP/2.0", host: "meine.domain.xy", referrer: "https://meine.domain.xy/smartVISU/index.php?"
    2019/12/29 17:43:34 [error] 29097#29097: *3 access forbidden by rule, client: 193.xxx.xxx.179, server: meine.domain.xy, request: "GET /smartVISU/index.php?page=config HTTP/2.0", host: "meine.domain.xy", referrer: "https://meine.domain.xy/smartVISU/index.php?"
    2019/12/29 17:53:33 [error] 29097#29097: *18 access forbidden by rule, client: 193.xxx.xxx.179, server: meine.domain.xy, request: "GET /smartVISU/index.php?page=EG.WC HTTP/2.0", host: "meine.domain.xy", referrer: "https://meine.domain.xy/smartVISU/index.php"
    2019/12/29 18:00:31 [error] 29097#29097: *34 access forbidden by rule, client: 193.xxx.xxx.179, server: meine.domain.xy, request: "GET /smartVISU/index.php HTTP/2.0", host: "meine.domain.xy"
    2019/12/29 18:00:34 [error] 29097#29097: *34 access forbidden by rule, client: 193.xxx.xxx.179, server: meine.domain.xy, request: "GET /smartVISU/index.php HTTP/2.0", host: "meine.domain.xy"
    2019/12/29 18:11:35 [error] 29098#29098: *61 FastCGI sent in stderr: "PHP message: PHP Warning:  Use of undefined constant config_debug - assumed 'config_debug' (this will throw an Error in a future version of PHP) in /var/www/html/smartVISU/index.php on line 66" while reading response header from upstream, client: 127.0.0.1, server: meine.domain.xy, request: "GET /smartVISU/index.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.3-fpm.sock:", host: "meine.domain.xy"
    2019/12/29 18:11:37 [error] 29098#29098: *82 FastCGI sent in stderr: "PHP message: PHP Warning:  Use of undefined constant config_debug - assumed 'config_debug' (this will throw an Error in a future version of PHP) in /var/www/html/smartVISU/index.php on line 66" while reading response header from upstream, client: 127.0.0.1, server: meine.domain.xy, request: "GET /smartVISU/index.php?page=manifest HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.3-fpm.sock:", host: "meine.domain.xy", referrer: "https://meine.domain.xy/smartVISU/index.php"
    2019/12/29 18:12:08 [error] 29097#29097: *86 access forbidden by rule, client: 193.xxx.xxx.179, server: meine.domain.xy, request: "GET /smartVISU/ HTTP/2.0", host: "meine.domain.xy"
    2019/12/29 18:15:45 [error] 29098#29098: *105 FastCGI sent in stderr: "PHP message: PHP Warning:  Use of undefined constant config_debug - assumed 'config_debug' (this will throw an Error in a future version of PHP) in /var/www/html/smartVISU/index.php on line 66" while reading response header from upstream, client: 127.0.0.1, server: meine.domain.xy, request: "GET /smartVISU/index.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.3-fpm.sock:", host: "meine.domain.xy"
    2019/12/29 18:18:55 [error] 29097#29097: *132 access forbidden by rule, client: 193.xxx.xxx.179, server: meine.domain.xy, request: "GET /smartVISU/index.php HTTP/2.0", host: "meine.domain.xy"
    2019/12/29 18:22:25 [error] 29097#29097: *139 access forbidden by rule, client: 193.xxx.xxx.179, server: meine.domain.xy, request: "GET /smartVISU/index.php HTTP/2.0", host: "meine.domain.xy"
    2019/12/29 18:22:26 [error] 29097#29097: *139 access forbidden by rule, client: 193.xxx.xxx.179, server: meine.domain.xy, request: "GET /smartVISU/index.php HTTP/2.0", host: "meine.domain.xy"
    2019/12/29 18:22:26 [error] 29097#29097: *139 access forbidden by rule, client: 193.xxx.xxx.179, server: meine.domain.xy, request: "GET /smartVISU/index.php HTTP/2.0", host: "meine.domain.xy"
    2019/12/29 18:25:26 [error] 29097#29097: *139 access forbidden by rule, client: 193.xxx.xxx.179, server: meine.domain.xy, request: "GET /smartVISU/index.php HTTP/2.0", host: "meine.domain.xy"
    2019/12/29 18:25:27 [error] 29097#29097: *139 access forbidden by rule, client: 193.xxx.xxx.179, server: meine.domain.xy, request: "GET /smartVISU/index.php HTTP/2.0", host: "meine.domain.xy"
    2019/12/29 18:25:53 [error] 29097#29097: *151 FastCGI sent in stderr: "PHP message: PHP Warning:  Use of undefined constant config_debug - assumed 'config_debug' (this will throw an Error in a future version of PHP) in /var/www/html/smartVISU/index.php on line 66PHP message: PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /var/www/html/smartVISU/vendor/Twig/Extension/Core.php on line 1266" while reading response header from upstream, client: 192.168.1.101, server: meine.domain.xy, request: "GET /smartVISU/index.php?page=Sonder.Heizung HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.3-fpm.sock:", host: "192.168.1.20", referrer: "http://192.168.1.20/smartVISU/index.php?page=Sonder.Wetterstation"
    2019/12/29 18:29:38 [error] 29097#29097: *160 access forbidden by rule, client: 193.xxx.xxx.179, server: meine.domain.xy, request: "GET /smartVISU HTTP/2.0", host: "meine.domain.xy"
    2019/12/29 18:30:38 [error] 29097#29097: *162 access forbidden by rule, client: 193.xxx.xxx.179, server: meine.domain.xy, request: "GET /smartVISU HTTP/2.0", host: "meine.domain.xy"
    Thanks for reading all of this and for the help in advance
    Last edited by artner; 04.01.2020, 19:57. Reason: Solved - "solution" inserted above
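As an added example that is not part of the original post or of the image's nginx configuration: a few shell checks for the situation described above. "access forbidden by rule" is the message nginx's allow/deny module (ngx_http_access_module) logs when the client address matched no allow entry, so the first function lists which clients are hitting that rule. The second pair of functions shows the trailing-newline problem with the base64 Basic credential from the config. The log lines inside the block are constructed in the format of the error.log posted here, with an RFC 5737 address; meine.domain.xy is the anonymised host from the post, and the certificate paths handed to probe() are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post or of the smarthomeNG image):
# checks for an nginx reverse proxy that gates on allow/deny lists and client certificates.

# 1. Who is being refused? Count "access forbidden by rule" lines per client IP.
#    This message comes from nginx's allow/deny rules, not from the Lua script.
#    Reads nginx error.log lines on stdin, prints "<client-ip> <count>", most hits first.
forbidden_by_client() {
    grep -F 'access forbidden by rule' \
      | sed -n 's/.*client: \([^,]*\),.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}

# 2. Build the value for "proxy_set_header Authorization" the way the backend expects it:
#    base64("user:password") with no trailing newline. A here-string
#    (openssl enc -base64 <<< '...') appends "\n" before encoding, and that newline
#    then becomes part of the credential the backend sees.
basic_auth_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Last byte of a decoded base64 string as hex; "0a" means a newline was encoded into it.
last_decoded_byte() {
    printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n'
}

# 3. Reproduce the browser's request with and without the client certificate
#    (needs network access; certificate and key paths are placeholders).
#    If nginx gates on the certificate, the expected pair is 403 without one
#    and 200 with the right one.
probe() {
    url=$1; cert=$2; key=$3
    if [ -n "$cert" ]; then
        curl -sS -o /dev/null -w '%{http_code}\n' --cert "$cert" --key "$key" "$url"
    else
        curl -sS -o /dev/null -w '%{http_code}\n' "$url"
    fi
}

# Constructed sample lines: same format as the posted error.log, address from RFC 5737.
# The third line is a PHP warning from the local FastCGI backend and must not be counted.
SAMPLE_LOG='2019/12/29 17:43:32 [error] 29097#29097: *3 access forbidden by rule, client: 203.0.113.7, server: meine.domain.xy, request: "GET /smartVISU/index.php HTTP/2.0", host: "meine.domain.xy"
2019/12/29 17:43:33 [error] 29097#29097: *3 access forbidden by rule, client: 203.0.113.7, server: meine.domain.xy, request: "GET /smartVISU/index.php HTTP/2.0", host: "meine.domain.xy"
2019/12/29 18:11:35 [error] 29098#29098: *61 FastCGI sent in stderr: "PHP message: PHP Warning: ..." while reading response header from upstream, client: 127.0.0.1, server: meine.domain.xy'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | forbidden_by_client
    basic_auth_value 'smarthome:secret'; echo
    last_decoded_byte 'c21hcnRob21lCg=='; echo
    # probe 'https://meine.domain.xy/smartVISU/' client.crt client.key
fi
```

Run it as `sh check.sh demo` for the offline part, and `grep -F 'access forbidden by rule' /var/log/nginx/error.log | forbidden_by_client` on a real log. If a public client address shows up there, the request never got past the allow list, and with `satisfy any` only another access check (the certificate test, or auth_basic once it is enabled) can let it through; a device whose certificate store is broken therefore lands exactly on this message.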