Hi all,
I'm new to nginx and trying to setup a piwik virtual hosts on an
up-to-date CentOS 6.3 box with nginx 1.2.6, php-5.3.3 with php-fpm src
from the 5.3.20 release. I'm seeing some "Primary script unknown" errors
which I can't figure out with the info in the book, wiki or google.
Below are my configs. Hopefully someone has a clue what I am doing
wrong.
# ls -l /usr/share/nginx
drwxr-xr-x. 12 root root 4096 Jan 8 18:47 piwik
# ls -l /usr/share/nginx/piwik
total 96
-rw-r-----. 1 nginx nginx 676 Aug 12 16:05 composer.json
drwxr-x---. 2 nginx nginx 4096 Nov 27 11:11 config
drwxr-x---. 25 nginx nginx 4096 Nov 27 11:11 core
-rw-r-----. 1 nginx nginx 822 Feb 14 2005 favicon.ico
-rw-rw-r--. 1 nginx nginx 273 Nov 27 11:11 How to install Piwik.html
-rw-r-----. 1 nginx nginx 1611 Mar 20 2012 index.php
drwxr-x---. 2 nginx nginx 4096 Nov 27 11:11 js
drwxr-x---. 2 nginx nginx 4096 Nov 27 11:11 lang
-rw-r-----. 1 nginx nginx 6070 Feb 13 2012 LEGALNOTICE
drwxr-x---. 21 nginx nginx 4096 Nov 27 11:11 libs
drwxr-x---. 6 nginx nginx 4096 Nov 27 11:11 misc
-rw-r-----. 1 nginx nginx 21548 Nov 1 10:02 piwik.js
-rw-r-----. 1 nginx nginx 2967 Oct 23 11:22 piwik.php
drwxr-x---. 46 nginx nginx 4096 Nov 27 11:11 plugins
-rw-r-----. 1 nginx nginx 2640 Mar 6 2012 README
drwxr-x---. 2 nginx nginx 4096 Nov 27 11:11 tests
drwxr-x---. 3 nginx nginx 4096 Nov 27 11:11 themes
drwxr-x---. 2 nginx nginx 4096 Nov 27 11:11 tmp
# cat /etc/nginx/nginx.conf
user nginx nginx;
## as recommended in the Nginx book, p98
worker_processes 2;
worker_rlimit_nofile 1024;
worker_priority -5;
worker_cpu_affinity 01 10;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
## as recommended in the Nginx book, p98
worker_connections 128;
## epoll is preferred on 2.6 Linux
use epoll;
## Accept as many connections as possible
multi_accept on;
}
http {
## http://nginx.org/en/docs/http/server_names.html
server_names_hash_bucket_size 64;
## MIME types
include /etc/nginx/mime.types;
default_type application/octet-stream;
## FastCGI
include /etc/nginx/fastcgi.conf;
## define the log format
log_format main '$remote_addr - $remote_user [$time_local]
"$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
## Default log and error files
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log;
## Use sendfile() syscall to speed up I/O operations and speed up
## static file serving
sendfile on;
## Handling of IPs in proxied and load balancing situations
set_real_ip_from 0.0.0.0/32; # all addresses get a real IP
real_ip_header X-Forwarded-For; # ip forwarded from the load
balancer/proxy
## Define a zone for limiting the number of simultaneous
## connections nginx accepts. 1m means 32000 simultaneous
## sessions. We need to define for each server the limit_conn
## value refering to this or other zones
limit_conn_zone $binary_remote_addr zone=arbeit:10m;
## Timeouts
client_body_timeout 60;
client_header_timeout 60;
keepalive_timeout 10 10;
send_timeout 60;
## reset lingering timed out connections. Deflect DDoS
reset_timedout_connection on;
## Body size
client_max_body_size 10m;
## TCP options
tcp_nodelay on;
## Optimization of socket handling when using sendfile
tcp_nopush on;
## Compression.
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 1;
gzip_http_version 1.1;
gzip_min_length 10;
gzip_types text/plain text/css application/x-javascript
text/xml application/xml application/xml+rss text/javascript
image/x-icon application/vnd.ms-fontobject font/opentype
application/x-font-ttf;
gzip_vary on;
gzip_proxied any; # Compression for all requests
## No need for regexps. See
## http://wiki.nginx.org/NginxHttpGzipModule#gzip_disable
gzip_disable "msie6";
## Serve already compressed files directly, bypassing on-the-fly
## compression
gzip_static on;
## Hide the Nginx version number.
server_tokens off;
## Use a SSL/TLS cache for SSL session resume. This needs to be
## here (in this context, for session resumption to work. See this
## thread on the Nginx mailing list:
## http://nginx.org/pipermail/nginx/2010-November/023736.html
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
## Enable clickjacking protection in modern browsers. Available in
## IE8 also. See
##
https://developer.mozilla.org/en/The_X-FRAME-OPTIO...
add_header X-Frame-Options SAMEORIGIN;
## add Maxmind GeoIP databases
## http://dev.maxmind.com/geoip/geolite
geoip_country /etc/nginx/GeoIP.dat;
##geoip_country /etc/nginx/GeoIPv6.dat;
geoip_city /etc/nginx/GeoLiteCity.dat;
##geoip_city /etc/nginx/GeoLiteCityv6.dat;
## Include the upstream servers for PHP FastCGI handling config.
include upstream_phpcgi.conf;
## FastCGI cache zone definition.
include fastcgi_cache_zone.conf;
## Include the php-fpm status allowed hosts configuration block.
## Uncomment to enable if you're running php-fpm.
include php_fpm_status_allowed_hosts.conf;
## Include all vhosts.
include /etc/nginx/sites-enabled/*;
}
# cat /etc/nginx/fastcgi.conf
### fastcgi configuration.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_buffers 256 4k;
fastcgi_intercept_errors on;
## allow 4 hrs - pass timeout responsibility to upstream
fastcgi_read_timeout 14400;
fastcgi_index index.php;
# cat /etc/nginx/upstream_phpcgi.conf
### Upstream configuration for PHP FastCGI.
## Add as many servers as needed. Cf.
http://wiki.nginx.org/HttpUpstreamModule.
upstream phpcgi {
##server unix:/var/run/php-fpm.sock;
server 127.0.0.1:9000;
}
# cat /etc/nginx/fastcgi_cache_zone.conf
fastcgi_cache_path /var/lib/nginx/tmp/fastcgi levels=1:2
keys_zone=fcgicache:100k max_size=10M inactive=3h
loader_threshold=2592000000 loader_sleep=1 loader_files=100000;
# cat /etc/nginx/sites-available/piwik.conf
### Nginx configuration for Piwik.
### based on https://github.com/perusio/piwik-nginx
server {
listen <my_public_ip>:80; # IPv4
listen <my_public_ipv6>:80; # IPv6
server_name piwik.domain.com;
# always redirect to the ssl version
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen <my_public_ip>:80; # IPv4
listen <my_public_ipv6>:80; # IPv6
## SSL config
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
ssl_prefer_server_ciphers on;
# public server cert
ssl_certificate /etc/pki/tls/certs/piwik.domain.com.crt;
# private server key without pass
ssl_certificate_key /etc/pki/tls/private/piwik.domain.com.key;
# public CA cert to verify client certs
ssl_client_certificate /etc/pki/tls/certs/My_CA.crt;
## verify client certs
ssl_verify_client on;
#ssl_verify_depth 1;
limit_conn arbeit 32;
server_name piwik.domain.com;
## Access and error log files.
access_log /var/log/nginx/piwik.domain.com_access.log;
error_log /var/log/nginx/piwik.domain.com_error.log;
root /usr/share/nginx/piwik.domain.com;
index index.php;
## Disallow any usage of piwik assets if referer is non valid.
location ~* ^.+\.(?:css|gif|jpe?g|js|png|swf)$ {
## Defining the valid referers.
valid_referers none blocked *.domain.com domain.com;
if ($invalid_referer) {
return 444;
}
expires max;
## No need to bleed constant updates. Send the all shebang in
one
## fell swoop.
tcp_nodelay off;
## Set the OS file cache.
open_file_cache max=500 inactive=120s;
open_file_cache_valid 45s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
}
## Support for favicon. Return a 204 (No Content) if the favicon
## doesn't exist.
location = /favicon.ico {
try_files /favicon.ico =204;
}
## Try all locations and relay to index.php as a fallback.
location / {
try_files $uri /index.php?$query_string;
}
## Relay all index.php requests to fastcgi.
location = /index.php {
fastcgi_pass 127.0.0.1:9001;
## FastCGI cache.
## cache ui for 5m (set the same interval of your crontab)
include sites-available/fcgi_piwik_cache.conf;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
include fastcgi_params;
}
## Relay all piwik.php requests to fastcgi.
location = /piwik.php {
fastcgi_pass 127.0.0.1:9001;
include sites-available/fcgi_piwik_long_cache.conf;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
include fastcgi_params;
}
## Any other attempt to access PHP files redirects to the root.
location ~* ^.+\.php$ {
return 302 /;
}
## Redirect to the root if attempting to access a txt file.
location ~*
(?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ {
return 302 /;
}
## Disallow access to several helper files.
location ~* \.(?:bat|html?|git|ini|sh|svn[^.]*|txt|tpl|xml)$ {
return 404;
}
## No crawling of this site for bots that obey robots.txt.
location = /robots.txt {
return 200 "User-agent: *\nDisallow: /\n";
}
## Including the php-fpm status and ping pages config.
## Uncomment to enable if you're running php-fpm.
include php_fpm_status_vhost.conf;
} # server
# cat /etc/nginx/fastcgi_params
### fastcgi parameters.
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# Maxmind GeoIP for Piwik
# http://piwik.org/faq/how-to/#faq_166
fastcgi_param GEOIP_ADDR $remote_addr;
fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
fastcgi_param GEOIP_REGION $geoip_region;
fastcgi_param GEOIP_REGION_NAME $geoip_region_name;
fastcgi_param GEOIP_CITY $geoip_city;
fastcgi_param GEOIP_AREA_CODE $geoip_area_code;
fastcgi_param GEOIP_LATITUDE $geoip_latitude;
fastcgi_param GEOIP_LONGITUDE $geoip_longitude;
fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# cat /etc/php-fpm.conf
[global]
pid = run/php-fpm.pid
error_log = log/php-fpm.log
syslog.facility = daemon
log_level = notice
emergency_restart_threshold = 10
emergency_restart_interval = 1
process_control_timeout = 10s
daemonize = yes
rlimit_files = 131072
rlimit_core = unlimited
events.mechanism = epoll
[piwik]
user = nginx
group = nginx
listen = 127.0.0.1:9001
listen.owner = nginx
listen.group = nginx
listen.mode = 0666
listen.backlog = -1
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 10
pm.start_servers = 3
pm.min_spare_servers = 2
pm.max_spare_servers = 4
pm.status_path = /fpm-status
ping.path = /ping
access.log = /var/log/php-fpm-$pool.access.log
slowlog = /var/log/php-fpm-$pool.slow.log
request_slowlog_timeout = 5s
request_terminate_timeout = 120s
catch_workers_output = yes
security.limit_extensions = .php
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
The various errors I see are:
2013/01/08 19:31:00 [error] 638#0: *3 FastCGI sent in stderr: "Primary
script unknown" while reading response header from upstream, client:
<client_ipv6_address>, server: piwik.domain.com, request: "GET /
HTTP/1.1", upstream: "fastcgi://127.0.0.1:9001", host:
"piwik.domain.com"
2013/01/08 19:32:00 [error] 638#0: *15 FastCGI sent in stderr: "Primary
script unknown", client: <client_ipv6_address>, server:
piwik.domain.com, request: "GET / HTTP/1.1", host: "piwik.domain.com"
Any advice or pointers to docs where I can find a solution are most
appreciated.
Thanks/спасибо,
Patrick
on 2013-01-08 20:09
on 2013-01-08 21:10
On Tue, Jan 08, 2013 at 08:08:33PM +0100, Patrick Lists wrote: Hi there, > I'm seeing some "Primary script unknown" errors That message from the fastcgi server usually means that the SCRIPT_FILENAME that it was given was not found as a file on its filesystem. Your filesystem has: > # ls -l /usr/share/nginx > drwxr-xr-x. 12 root root 4096 Jan 8 18:47 piwik > > # ls -l /usr/share/nginx/piwik <snip> > -rw-r-----. 1 nginx nginx 1611 Mar 20 2012 index.php But your nginx config file has: > root /usr/share/nginx/piwik.domain.com; > location = /index.php { <snip> > fastcgi_param SCRIPT_FILENAME > $document_root$fastcgi_script_name; <snip> > } so SCRIPT_FILENAME will be /usr/share/nginx/piwik.domain.com/index.php Which does not exist, and so is not found. > Any advice or pointers to docs where I can find a solution are most > appreciated. Set "root" correctly in the nginx config. (Which is more or less the same as "set the directory name correctly in the filesystem".) f -- Francis Daly francis@daoine.org
on 2013-01-08 21:40
On 01/08/2013 08:44 PM, Steve Holdoway wrote: > At first glance I can't see anything listening on port 443. Thanks Steve. It was a copy & paste error. Here's what it really should be: server { listen IP:80; # IPv4 listen IP:80; # IPv6 server_name piwik.mydomain.com; # always redirect to the ssl version rewrite ^ https://$server_name$request_uri? permanent; } server { listen IP:443 ssl; # IPv4 listen IP:443 ssl ; ## SSL config ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5:!RC4; ssl_prefer_server_ciphers on; ... The SSL part works fine. Regards, Patrick
on 2013-01-08 22:40
On 01/08/2013 09:09 PM, Francis Daly wrote: [snip] > Set "root" correctly in the nginx config. (Which is more or less the > same as "set the directory name correctly in the filesystem".) Thanks Francis. Another sharp pair of eyes and mine not so much. The error was introduced when redacting the configs to protect the innocent. The root in piwik.conf points correctly to the actual location of the site in /usr/share/nginx. I also tried turning off SELinux but that did not make a difference. I can make it work when I chmod all files to 644 and all directories to 755. But I do not understand why that is. If nginx and php-fpm are running as nginx/ningx shouldn't both be able to handle files & dirs owned by nginx/nginx with mode 640 and mode 750? Regards, Patrick
on 2013-01-08 22:45
In my experience, that's usually caused by access to parent dirs... ie /home is made unreadable by nginx user when changed to 750 root:root. Cheers, Steve
on 2013-01-08 22:56
On 01/08/2013 10:44 PM, Steve Holdoway wrote: > In my experience, that's usually caused by access to parent dirs... > ie /home is made unreadable by nginx user when changed to 750 root:root. Gold star for you Steve :-) It works fine now. I guess that's what you get for staring at configs for way too long. Thank you very much! Regards, Patrick
on 2013-01-08 23:10
On Tue, 2013-01-08 at 22:56 +0100, Patrick Lists wrote: > On 01/08/2013 10:44 PM, Steve Holdoway wrote: > > In my experience, that's usually caused by access to parent dirs... > > ie /home is made unreadable by nginx user when changed to 750 root:root. > > Gold star for you Steve :-) It works fine now. I guess that's what you > get for staring at configs for way too long. Thank you very much! > > Regards, > Patrick Graag gedaan (: Steve
Enable email notification
Enable multi-page viewPlease log in before posting. Registration is free and takes only a minute.
Existing account
(Switch to SSL-encrypted connection)
NEW: Do you have a Google/GoogleMail or Yahoo account? No registration required!
Log in with Google account | Log in with Yahoo account
Log in with Google account | Log in with Yahoo account
No account? Register here.