Z-Push 2.4.0 - nginx configuration file


  • Kopano

    Discussion about nginx configuration file.

    @milauria I moved your posts here as in my opinion it makes more sense to have them in a separate topic.



  • I am interested in the nginx configuration that I am testing. I installed the nginx addition and am wondering what the installer does other than creating the conf file.

    In my past experience I had to change ownership of a few directories that were owned by apache to nginx to make it work. Also, /var/log/z-push is owned by apache and I had to change it to nginx or it gives an error.



  • @manfred said in NGINX configuration file:

    alias /usr/share/z-push/autodiscover/autodiscover.php;

    To me the “alias” statement does not work, I had to refer to an absolute path of “fastcgi_param SCRIPT_FILENAME” and I used this:

    location ~* /Autodiscover/Autodiscover.xml {
        access_log  /var/log/nginx/z-push-autodiscover-access.log;
        error_log   /var/log/nginx/z-push-autodiscover-error.log;
        fastcgi_param SCRIPT_FILENAME /usr/share/z-push/autodiscover/autodiscover.php;
        fastcgi_param HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities
        fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        include fastcgi_params;
    }
    

    and this:

    location ~* /Microsoft-Server-ActiveSync {
        access_log  /var/log/nginx/z-push-access.log;
        error_log   /var/log/nginx/z-push-error.log;
        fastcgi_param SCRIPT_FILENAME /usr/share/z-push/index.php;
        fastcgi_param PHP_FLAG "magic_quotes_gpc=off \n register_globals=off \n magic_quotes_runtime=off \n short_open_tag=on";
        fastcgi_param PHP_VALUE "post_max_size=20M \n upload_max_filesize=20M \n max_execution_time=3660";
        fastcgi_param HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities
        fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        include fastcgi_params;
    }
    

  • Kopano

    Hi milauria,

    which OS and nginx versions are you using?

    Did alias also not work for Microsoft-Server-ActiveSync?

    For /Autodiscover/Autodiscover.xml location you don’t need fastcgi_read_timeout 3660 as those requests are really short and will never run for an hour. This setting only makes sense for Ping requests which might run up to 59 minutes (the comment in the config is not correct saying 3600s).

    Manfred



  • @manfred
    I run on Centos 7 and latest Nginx (not sure the version) … the problem with the ‘alias’ statement is that with this:

    location ~* /Microsoft-Server-ActiveSync {
        access_log  /var/log/nginx/z-push-access.log;
        error_log   /var/log/nginx/z-push-error.log;
        alias /usr/share/z-push/index.php;
        fastcgi_pass    unix:/var/run/php-fpm/php-fpm.sock;
    }
    
        include         fastcgi_params;
        fastcgi_index   index.php;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param   REQUEST_URI $1;
        fastcgi_param   PHP_FLAG "magic_quotes_gpc=off \n register_globals=off \n magic_quotes_runtime=off \n short_open_tag=on";
        fastcgi_param   PHP_VALUE "post_max_size=20M \n upload_max_filesize=20M \n max_execution_time=3660";
        fastcgi_param   HTTP_PROXY ""; # Mitigate https://httpoxy.org/ vulnerabilities
        fastcgi_read_timeout 3660; # Z-Push Ping might run 3600s, but to be safe
    

    I get an access denied in the z-push-error.log because of this result (note I have no 'root' statements):

    Access to the script '/usr/share/z-push/index.php/Microsoft-Server-Activesync' has been denied (see security.limit_extensions)
    

    Most interesting are also some z-push directory permissions that need to be updated if moving from apache to nginx … any experience to share?


  • Kopano

    Hi milauria,

    @milauria said in Z-Push 2.4.0 - nginx configuration file:

    I am interested in the nginx configuration that I am testing. I installed the nginx addition and am wondering what the installer does other than creating the conf file.

    Right now the installer only creates a config file. The adjustments, permissions and nginx reloading have to be done manually. We are working on updating the documentation on this.

    In my past experience I had to change ownership of a few directories that were owned by apache to nginx to make it work. Also, /var/log/z-push is owned by apache and I had to change it to nginx or it gives an error.

    I’m not sure if it’s the same in CentOS, but e.g. for debian the default nginx user is www-data, the same as apache. You could check /etc/nginx/nginx.conf and what is the value of user directive. Changing it to match apache’s user (which is apache if I remember correctly) should solve at least the ownership issues for you.

    As for the Z-Push nginx configuration file, I will investigate that, but it might take some time as I’m not very familiar with RHEL based systems.

    Thanks for your feedback so far.

    Manfred



  • Hi, in my endeavour to move the z-push installation under nginx and Centos7, I had all working with the exception of the log file rotation

    The email error notification I get says:
    /etc/cron.daily/logrotate:
    error: stat of /var/log/z-push/autodiscover-error.log failed: Permission denied
    error: stat of /var/log/z-push/autodiscover.log failed: Permission denied
    error: stat of /var/log/z-push/z-push-error.log failed: Permission denied
    error: stat of /var/log/z-push/z-push.log failed: Permission denied

    I have the following permissions set:

    drwxr-x---. 2 nginx  nginx     102 Oct 31 04:56 z-push
    

    and

    -rw-r--r--. 1 nginx nginx       0 Oct 31 04:56 autodiscover-error.log
    -rw-r--r--. 1 nginx nginx   12224 Oct 31 04:56 autodiscover.log
    -rw-r--r--. 1 nginx nginx  157546 Nov  1 04:57 z-push-error.log
    -rw-r--r--. 1 nginx nginx 2770015 Nov  1 12:36 z-push.log
    

    I also modified the /etc/logrotate.d/z-push.lr to:

    /var/log/z-push/*.log {
            size 1k
            create nginx nginx
            compress
            notifempty
            rotate 4
    }
    

    I have tried to tweak the permission to every possible value I could think of … but nothing

    Also I have tried to change the destination of the log file in the z-push config.php, but z-push stops working because of some other problems and I put it back to standard. I thought it might be the php-fpm permissions, but all seems set as user=nginx group=nginx.

    Just as a note the nginx user has been created by nginx installer as a standard user also for its main .conf and I didn’t want to touch it if not necessary.

    Thanks for any advice you might have to fix the log rotation … !



  • @milauria Hosting on Centos here too … Your permissions look ok although I would highly recommend running nginx sites/services under custom assigned/created usernames and groups - better security.

    The issue you are having is with the file /etc/logrotate.d/z-push.lr … you can delete that and replace it with /etc/logrotate.d/z-push with contents:

    /var/log/z-push/*.log {
            daily
            copytruncate
            missingok
            notifempty
            compress
            delaycompress
            create nginx nginx
            rotate 4
    }
    

    Cheers



  • Nada, not working …

    • I tried to put: ‘create nginx nginx’ (was create apache apache)
    • I tried also to put: ‘su nginx nginx’

    … but I still get the above permission denied notification from /etc/cron.daily/logrotate

    I also tried to manually test logrotate from root and it rotates the logs correctly:

    logrotate -f  /etc/logrotate.conf
    

    So there might be some other permissions to fix externally to the script, e.g. in the crontab execution? I didn’t touch that from the yum install of z-push. All the other log rotation scripts work fine.

    I will continue to dig into this problem, any other suggestions are most welcome!



  • @milauria said in Z-Push 2.4.0 - nginx configuration file:

    Nada, not working …

    Sounds like you have selinux enabled. If so, you will need to adjust selinux context for /etc/logrotate.d/z-push
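
One way to test the SELinux suggestion above is to look for AVC denials logged against logrotate and see which object label they name. The following is an added example, not code from the thread or from Z-Push: the function names and the sample audit lines (including the target type) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list SELinux AVC denials for one command.

# Constructed sample in audit.log format; PIDs, inode numbers and the target
# type (httpd_sys_rw_content_t) are assumptions made up for illustration.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1509505021.101:811): avc:  denied  { getattr } for  pid=2101 comm="logrotate" path="/var/log/z-push/z-push.log" dev="dm-0" ino=7001 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1509505021.102:812): avc:  denied  { getattr } for  pid=2101 comm="logrotate" path="/var/log/z-push/autodiscover.log" dev="dm-0" ino=7002 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1509591421.330:990): avc:  denied  { getattr } for  pid=3377 comm="logrotate" path="/var/log/z-push/z-push.log" dev="dm-0" ino=7001 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1509505100.005:820): avc:  denied  { write } for  pid=1500 comm="nginx" name="z-push-error.log" dev="dm-0" ino=7003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1509505021.101:811): arch=c000003e syscall=6 success=no exit=-13 comm="logrotate" exe="/usr/sbin/logrotate"
EOF
}

# avc_denials COMM
# Reads audit records on stdin and prints one de-duplicated line per denial
# for COMM: "<permission> <path-or-name> <target-type> <object-class>".
avc_denials() {
    awk -v comm="$1" '
    /avc: +denied/ && index($0, "comm=\"" comm "\"") {
        perm = "-"; obj = "-"; ttype = "-"; tclass = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)                  # first denied permission
            else if ($i ~ /^(path|name)=/) { obj = substr($i, 6); gsub(/"/, "", obj) }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/) tclass = substr($i, 8)
        }
        print perm, obj, ttype, tclass
    }' | sort -u
}

# Demo on the constructed sample. On a live host, as root:
#   avc_denials logrotate < /var/log/audit/audit.log
sample_audit_log | avc_denials logrotate
```

The target type in each output line is the label to compare against what `ls -Z /var/log/z-push` shows on the host.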

