    Z-Push 2.4.0 - nginx configuration file

    • milauria
      milauria last edited by

      I am interested in the nginx configuration that I am testing. I installed the nginx addition and am wondering what the installer does other than creating the conf file.

      In my past experience I had to change the ownership of a few directories that were owned by apache to nginx to make it work. Also, /var/log/z-push is owned by apache and I had to change it to nginx or it gives an error.

      • milauria
        milauria last edited by milauria

        @manfred said in NGINX configuration file:

        alias /usr/share/z-push/autodiscover/autodiscover.php;

        For me the “alias” statement does not work. I had to refer to an absolute path in “fastcgi_param SCRIPT_FILENAME” and I used this:

        location ~* /Autodiscover/Autodiscover.xml {
            access_log  /var/log/nginx/z-push-autodiscover-access.log;
            error_log   /var/log/nginx/z-push-autodiscover-error.log;
            fastcgi_param   SCRIPT_FILENAME /usr/share/z-push/autodiscover/autodiscover.php;
            fastcgi_param   HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities
            fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe
            fastcgi_pass    unix:/var/run/php-fpm/php-fpm.sock;
            include         fastcgi_params;
        }
        

        and this:

        location ~* /Microsoft-Server-ActiveSync {
            access_log  /var/log/nginx/z-push-access.log;
            error_log   /var/log/nginx/z-push-error.log;
            fastcgi_param   SCRIPT_FILENAME /usr/share/z-push/index.php;
            fastcgi_param   PHP_FLAG "magic_quotes_gpc=off \n register_globals=off \n magic_quotes_runtime=off \n short_open_tag=on";
            fastcgi_param   PHP_VALUE "post_max_size=20M \n upload_max_filesize=20M \n max_execution_time=3660";
            fastcgi_param   HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities
            fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe
            fastcgi_pass    unix:/var/run/php-fpm/php-fpm.sock;
            include         fastcgi_params;
        }
        
        • Manfred
          Manfred Kopano last edited by

          Hi milauria,

          which OS and nginx versions are you using?

          Did alias also not work for Microsoft-Server-ActiveSync?

          For /Autodiscover/Autodiscover.xml location you don’t need fastcgi_read_timeout 3660 as those requests are really short and will never run for an hour. This setting only makes sense for Ping requests which might run up to 59 minutes (the comment in the config is not correct saying 3600s).

          Manfred

          • milauria
            milauria @Manfred last edited by

            @manfred
            I run on Centos 7 and latest Nginx (not sure the version) … the problem with the ‘alias’ statement is that with this:

            location ~* /Microsoft-Server-ActiveSync {
                access_log  /var/log/nginx/z-push-access.log;
                error_log   /var/log/nginx/z-push-error.log;
                alias /usr/share/z-push/index.php;
                fastcgi_pass    unix:/var/run/php-fpm/php-fpm.sock;
            }

            include         fastcgi_params;
            fastcgi_index   index.php;
            fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param   REQUEST_URI $1;
            fastcgi_param   PHP_FLAG "magic_quotes_gpc=off \n register_globals=off \n magic_quotes_runtime=off \n short_open_tag=on";
            fastcgi_param   PHP_VALUE "post_max_size=20M \n upload_max_filesize=20M \n max_execution_time=3660";
            fastcgi_param   HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities
            fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe
            

            I get an access denied in the z-push-error.log because of this result (note I have no “root” statements):

            Access to the script '/usr/share/z-push/index.php/Microsoft-Server-Activesync' has been denied (see security.limit_extensions)
            

            Also of interest are some z-push directory permissions that need to be updated if moving from apache to nginx … any experience to share?

            • Manfred
              Manfred Kopano last edited by

              Hi milauria,

              @milauria said in Z-Push 2.4.0 - nginx configuration file:

              I am interested in the nginx configuration that I am testing. I installed the nginx addition and am wondering what the installer does other than creating the conf file.

              Right now the installer only creates a config file. The adjustments, permissions and nginx reloading have to be done manually. We are working on updating the documentation on this.

              In my past experience I had to change the ownership of a few directories that were owned by apache to nginx to make it work. Also, /var/log/z-push is owned by apache and I had to change it to nginx or it gives an error.

              I’m not sure if it’s the same in CentOS, but e.g. for debian the default nginx user is www-data, the same as apache. You could check /etc/nginx/nginx.conf and what is the value of user directive. Changing it to match apache’s user (which is apache if I remember correctly) should solve at least the ownership issues for you.

              As for the Z-Push nginx configuration file, I will investigate that, but it might take some time as I’m not very familiar with RHEL based systems.

              Thanks for your feedback so far.

              Manfred

              • milauria
                milauria last edited by

                Hi, in my endeavour to move the z-push installation under nginx and Centos7, I had all working with the exception of the log file rotation

                The email error notification I get says:
                /etc/cron.daily/logrotate:
                error: stat of /var/log/z-push/autodiscover-error.log failed: Permission denied
                error: stat of /var/log/z-push/autodiscover.log failed: Permission denied
                error: stat of /var/log/z-push/z-push-error.log failed: Permission denied
                error: stat of /var/log/z-push/z-push.log failed: Permission denied

                I have the following permissions set:

                drwxr-x---. 2 nginx  nginx     102 Oct 31 04:56 z-push
                

                and

                -rw-r--r--. 1 nginx nginx       0 Oct 31 04:56 autodiscover-error.log
                -rw-r--r--. 1 nginx nginx   12224 Oct 31 04:56 autodiscover.log
                -rw-r--r--. 1 nginx nginx  157546 Nov  1 04:57 z-push-error.log
                -rw-r--r--. 1 nginx nginx 2770015 Nov  1 12:36 z-push.log
                

                I also modified the /etc/logrotate.d/z-push.lr to:

                /var/log/z-push/*.log {
                        size 1k
                        create nginx nginx
                        compress
                        notifempty
                        rotate 4
                }
                

                I have tried to tweak the permission to every possible value I could think of … but nothing

                Also I have tried to change the destination of the log file in the z-push config.php, but z-push stops working for some other problems and I put it back to standard. I thought it might be the php-fpm permissions but all seems set as user=nginx group=nginx.

                Just as a note the nginx user has been created by nginx installer as a standard user also for its main .conf and I didn’t want to touch it if not necessary.

                Thanks for any advice you might have to fix the log rotation … !

                • Wiz
                  Wiz @milauria last edited by

                  @milauria Hosting on Centos here too … Your permissions look ok although I would highly recommend running nginx sites/services under custom assigned/created usernames and groups - better security.

                  The issue you are having is with the file /etc/logrotate.d/z-push.lr … you can delete that and replace it with /etc/logrotate.d/z-push with contents:

                  /var/log/z-push/*.log {
                          daily
                          copytruncate
                          missingok
                          notifempty
                          compress
                          delaycompress
                          create nginx nginx
                          rotate 4
                  }
                  

                  Cheers

                  • milauria
                    milauria last edited by

                    Nada, not working …

                    • I tried to put: ‘create nginx nginx’ (was create apache apache)
                    • I tried also to put: ‘su nginx nginx’

                    … but I still get the above permission denied notification from /etc/cron.daily/logrotate

                    I also tried to manually test logrotate from root and it rotates the logs correctly:

                    logrotate -f  /etc/logrotate.conf
                    

                    So there might be some other permissions to fix externally to the script, e.g. in the crontab execution? I didn’t touch that from the yum install of z-push. All the other logrotation scripts work fine.

                    I will continue to dig into this problem, any other suggestions are most welcome!

                    • Wiz
                      Wiz @milauria last edited by

                      @milauria said in Z-Push 2.4.0 - nginx configuration file:

                      Nada, not working …

                      Sounds like you have selinux enabled. If so, you will need to adjust selinux context for /etc/logrotate.d/z-push

                      • milauria
                        milauria last edited by milauria

                        You are right … to make sure that php-fpm can write its logs, I did:

                        semanage fcontext -a -t httpd_sys_rw_content_t /var/log/z-push
                        restorecon -v /var/log/z-push
                        

                        Then I am still checking if the logrotate needs the var_log_t context for the same directory to be able to read/write for file rotation … and if yes I need to find a way to make both php-fpm and logrotate work with selinux on the same directory … no idea how!

                        • milauria
                          milauria last edited by milauria

                          Hi to all – to make z-push work with nginx and Centos 7, after each time I update or install z-push (yum install z-push-common z-push-ipc-sharedmemory) I always run a small script to make permissions suitable for nginx:

                          chown root:nginx /etc/z-push/* 
                          chown -R nginx:nginx /var/lib/z-push 
                          chown -R nginx:nginx /var/log/z-push
                          

                          To make it work with nginx … I also edited the /etc/logrotate.d/z-push.lr to remove the line

                          create apache apache
                          

                          Otherwise z-push creates log files owned by apache:apache that cannot be written by nginx and this permission mismatch blocks the syncing

                          This is just FYI in case other users are having troubles under nginx … cheers

                          • fbartels
                            fbartels Kopano @milauria last edited by

                            Hi @milauria ,

                            which version of z-push are you running? Z-Push 2.4 introduces a nginx config package which should make those steps obsolete https://jira.z-hub.io/browse/ZP-1162

                            Regards Felix

                            Resources:
                            https://kopano.com/blog/how-to-get-kopano/
                            https://documentation.kopano.io/
                            https://kb.kopano.io/

                            Support overview:
                            https://kopano.com/support/

                            • milauria
                              milauria last edited by milauria

                              Hi for the moment I am sticking with production version 2.3.9. I did not try the 2.4 beta yet … I was waiting to see the final release of 2.4 making sure it works with the backend I need (Zimbra)

                              It would be useful to know what the installation exactly does other than creating the .conf described here: https://forum.kopano.io/topic/133/nginx-configuration-file/4

                              My concern is to make sure that all the permissions are set properly (/etc/z-push … /var/lib/z-push … /logrotate.d/z-push.lr … etc)

                              Thanks

                              • fbartels
                                fbartels Kopano last edited by

                                @milauria there are quite a few pull requests attached to the ticket I’ve linked. If you log in at jira.z-hub.io then you can see all the changes that have been done.

                                Regards Felix

                                • milauria
                                  milauria last edited by milauria

                                  Now that Z-push 2.4 has been released as official … I may suggest that when installing the z-push-config-nginx module the following permissions are also set during installation:

                                  /var/lib/z-push/* must be owned by nginx : z-push (not apache:z-push)
                                  /etc/logrotate.d/z-push.lr should remove “create apache apache”

                                  I am running on Centos 7 with Nginx
                                  thanks

                                  • Sebastian
                                    Sebastian Kopano last edited by

                                    Hi, thanks for the report. I’ve created an issue for it https://jira.z-hub.io/browse/ZP-1375
                                    I am not sure why we didn’t see this/create the ticket before, but we will fix asap.

                                    Cheers, Sebastian

                                    • Sebastian
                                      Sebastian Kopano last edited by

                                      @milauria we have fixed ZP-1375 and it’s released in Z-Push 2.4.1 beta1.
                                      Could you try to install/update to this version and report back? Thank you!

                                      • milauria
                                        milauria last edited by milauria

                                        With the Z-Push 2.4.1 beta1 installed I see that now the logrotate contains “create root z-push” which also does not work for me.

                                        I need it to be “create nginx z-push” to let z-push write its log file … or just delete the “create” statement so that it inherits the permission from its folder

                                        Basically to make it work I need both /var/log/z-push and /var/lib/z-push to be owned by the “nginx” user

                                        • Manfred
                                          Manfred Kopano last edited by

                                          Hi milauria,

                                          are there any errors? z-push group does have the right permissions for both folders, doesn’t it?

                                          Manfred

                                          • milauria
                                            milauria last edited by milauria

                                            Hi manfred,
                                            the problem seems to be the file owner, not the file group

                                            The /var/lib/z-push owner needs to be “nginx”. The z-push install I think defaults the owner as “root” and in that case I get the below fatal error. After I did the “chown nginx” the error went away.

                                            [FATAL] Exception: (FatalMisconfigurationException) - Not possible to write to the configured state directory.
                                            [FATAL] FatalMisconfigurationException: Not possible to write to the configured state directory. - code: 0 - file: /usr/share/z-push/lib/default/filestatemachine.php:63

                                            Similarly /var/log/z-push needs to be owned by nginx AND needs to be writable only by the user.
                                            The error I get: “parent directory has insecure permissions (It’s world writable or writable by group which is not “root”)”
                                            I also removed altogether the “create” statement in the z-push.lr so that every new log is created with the same folder permission

                                            Cheers

                                            1 Reply Last reply Reply Quote 0
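
The ownership and permission conditions from the last post can be checked before logrotate or Z-Push trips over them. The script below is an added example, not part of the thread or of the Z-Push packages: it tests a directory against the condition quoted in the logrotate error (world writable, or group writable by a group other than root) and against an expected owner. The function names are hypothetical; the `nginx` account and the paths are the ones used in the posts.

```shell
#!/bin/sh
# Added example, not from the thread or from Z-Push packaging.
# Function names are hypothetical; "nginx" and the paths come from the posts.

# Exit 0 when DIR matches the condition in the logrotate error quoted above:
# world writable, or group writable where the owning group is not gid 0.
dir_insecure_for_logrotate() {
    # -prune makes find test DIR itself without descending into it.
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ] && return 0
    [ -n "$(find "$1" -prune -perm -0020 ! -group 0 2>/dev/null)" ] && return 0
    return 1
}

# Exit 0 when DIR is owned by OWNER (user name or numeric uid).
dir_owned_by() {
    [ -n "$(find "$1" -prune -user "$2" 2>/dev/null)" ]
}

# Print one finding per line for DIR; the exit status is the number of findings.
audit_zpush_dir() {
    audit_dir=$1
    audit_owner=$2
    findings=0
    if [ ! -d "$audit_dir" ]; then
        echo "MISSING $audit_dir"
        return 1
    fi
    if ! dir_owned_by "$audit_dir" "$audit_owner"; then
        echo "OWNER   $audit_dir is not owned by $audit_owner"
        findings=$((findings + 1))
    fi
    if dir_insecure_for_logrotate "$audit_dir"; then
        echo "PERMS   $audit_dir is world writable or writable by a non-root group"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh audit-zpush.sh nginx /var/log/z-push /var/lib/z-push
if [ "$#" -ge 2 ]; then
    svc_user=$1
    shift
    status=0
    for d in "$@"; do
        audit_zpush_dir "$d" "$svc_user" || status=1
    done
    exit "$status"
fi
```

The PERMS finding matters for the log directory, which logrotate inspects as the parent of the log files; for the state directory the thread only requires the owner to match.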