Debugging ssl and php-fpm

Okay, so rule #1 is to never think a server migration will go easy.

As I’ve said in another thread, I’ve been running nginx and php-fpm for
years on my site. But I’m moving from a CentOS to an Ubuntu server and
things aren’t going as smooth as they should be.

I’ve got the non-ssl server working just fine. Tested out the SSL pages
and I’m getting blank pages but I can’t seem to see anything in the logs
or at least nothing that’s clear to me.

Here’s a snippet of the SSL server:

server {
    server_name www.example.com;
    listen 443;
    root /usr/share/nginx/html;
    index index.shtml index.php index.html;
    include /etc/nginx/fastcgi_params;
    error_log /var/log/nginx/sslerror.log debug;

    ssl on;
    ssl_certificate /etc/nginx/certs/example.pem;
    ssl_certificate_key /etc/nginx/certs/example.key;
    ssl_session_timeout 5m;
    error_page 404 /dhe404.shtml;

    location / {
        rewrite ^ http://www.example.com$request_uri? permanent;
    }

    location ~ .(shtml|php|inc)$ {
        fastcgi_pass 127.0.0.1:9000;
    }

    location ^~ /rather/ {
        fastcgi_intercept_errors on;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param HTTPS on;
        fastcgi_index index.shtml;
        auth_basic "DHENEWS";
        auth_basic_user_file .htpasswd;
    }
}

So, I’m trying to go to a PHP page under /rather, a page I’ve used
thousands of times on the old server.

I get prompted for my username and password by the auth. That works, but
then I get a blank page.

so:

  • PHP is working on the non-ssl side
  • we’ve got fastcgi_pass in the locations.

And most importantly…it works on the old server so why am I pulling my
hair out? :wink: Is there something I’m missing in regards to ssl and
php-fpm? Here’s the fastcgi_params:

    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;

    fastcgi_param SCRIPT_NAME $document_root$fastcgi_script_name;
    fastcgi_param REQUEST_URI $request_uri;
    fastcgi_param DOCUMENT_URI $document_uri;
    fastcgi_param DOCUMENT_ROOT $document_root;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param HTTPS $https if_not_empty;

    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param REMOTE_PORT $remote_port;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;
    fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;

    # PHP only, required if PHP was built with --enable-force-cgi-redirect
    fastcgi_param REDIRECT_STATUS 200;

    # cache stuff
    fastcgi_cache MYCACHE;
    fastcgi_keep_conn on;
    fastcgi_cache_bypass $no_cache $no_cache_dirs;
    fastcgi_no_cache $no_cache $no_cache_dirs;
    fastcgi_cache_valid 200 301 5m;
    fastcgi_cache_valid 302 5m;
    fastcgi_cache_valid 404 1m;
    fastcgi_cache_use_stale error timeout invalid_header updating http_500;
    fastcgi_ignore_headers Cache-Control Expires;
    fastcgi_cache_lock on;

Thanks to the list for a fresh pair of eyes.

On Sun, Nov 24, 2013 at 07:54:56AM -0500, Ian E. wrote:

Hi there,

location ^~ /rather/ {
fastcgi_intercept_errors on;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param HTTPS on;

Does it work if you remove that line? It looks unnecessary to me. And
it breaks your config.

fastcgi_index index.shtml;
auth_basic "DHENEWS";
auth_basic_user_file .htpasswd;
}

And most importantly…it works on the old server so why am I pulling my
hair out? :wink:

What does “diff” say about the config on the old server and the config
on the new server?

Is there something I’m missing in regards to ssl and
php-fpm? Here’s the fastcgi_params:

fastcgi_params is included at server level, not within /rather/. Only
some parts of its contents are inherited into /rather/.

f

Francis D.

Hello,

On Sun, Nov 24, 2013 at 3:43 PM, Francis D. wrote:

it breaks your config.

Sorry to interrupt, but could you explain a little bit more about what
breaks the config?

B. R.

On 24/11/2013 9:43 AM, Francis D. wrote:

What does “diff” say about the config on the old server and the config
on the new server?

As I moved to a new server, I split everything from one file to the whole
sites-available format so I’d have to recombine everything. However…

fastcgi_params is included at server level, not within /rather/. Only
some parts of its contents are inherited into /rather/.

Tossing the params into /rather did the trick.

Many, many thanks.

On Sun, Nov 24, 2013 at 03:51:21PM +0100, B.R. wrote:

On Sun, Nov 24, 2013 at 3:43 PM, Francis D. wrote:

On Sun, Nov 24, 2013 at 07:54:56AM -0500, Ian E. wrote:

Hi there,

location ^~ /rather/ {
fastcgi_intercept_errors on;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param HTTPS on;

Does it work if you remove that line? It looks unnecessary to me. And
it breaks your config.

Sorry to interrupt, but could you explain a little bit more about what
breaks the config?

The upstream of fastcgi_pass usually requires a “fastcgi_param
SCRIPT_FILENAME” to be set.

Directive inheritance rules mean that this “fastcgi_param” directive is
the only one that applies in this location.

f

Francis D.
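
The inheritance rule described in the last reply, as an added example that is not part of the original thread: a small Python check that reports which outer-level fastcgi_param names a location loses once it declares a fastcgi_param of its own. The helpers `parse`, `dropped_params` and `lint`, the trimmed sample config and the `INCLUDED` name list are constructed for illustration.

```python
import re

# Constructed sample, trimmed from the config posted in the thread.
SAMPLE = """
server {
    include /etc/nginx/fastcgi_params;
    location ~ .(shtml|php|inc)$ { fastcgi_pass 127.0.0.1:9000; }
    location ^~ /rather/ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param HTTPS on;
    }
}
"""
# Assumption: parameter names the include contributes (subset of the thread's file).
INCLUDED = {"/etc/nginx/fastcgi_params": {
    "QUERY_STRING", "REQUEST_METHOD", "SCRIPT_NAME", "DOCUMENT_ROOT", "HTTPS"}}

def parse(conf):
    """Build a tree of blocks; ignores quoting, so not a full nginx parser."""
    root = {"hdr": "main", "own": set(), "passes": False, "kids": []}
    stack = [root]
    for text, delim in re.findall(r"([^{};]*)([{};])", re.sub(r"#[^\n]*", "", conf)):
        words = text.split()
        if delim == "{":
            node = {"hdr": " ".join(words), "own": set(), "passes": False, "kids": []}
            stack[-1]["kids"].append(node)
            stack.append(node)
        elif delim == "}":
            stack.pop()
        elif words[:1] == ["fastcgi_param"] and len(words) >= 3:
            stack[-1]["own"].add(words[1])
        elif words[:1] == ["include"] and len(words) == 2:
            stack[-1]["own"] |= INCLUDED.get(words[1], set())
        elif words[:1] == ["fastcgi_pass"]:
            stack[-1]["passes"] = True
    return root

def dropped_params(node, inherited=frozenset()):
    """Yield (block, lost names) where a block's own fastcgi_param directives
    replace, rather than extend, the set defined at an outer level."""
    lost = inherited - node["own"]
    if node["passes"] and node["own"] and lost:
        yield node["hdr"], sorted(lost)
    for kid in node["kids"]:
        yield from dropped_params(kid, node["own"] or inherited)

def lint(conf):
    return list(dropped_params(parse(conf)))
```

Run on the sample, `lint(SAMPLE)` flags only the /rather/ location; with the include repeated inside that location the result is an empty list.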