Bretticus's questions

I have recently switched an opencart instance from Apache+mod_php to nginx+fastcgi+php-fpm. I have been trying to leverage caching for most pages through fastcgi-cache.

Unfortunately, many users began reporting ghost orders or taking over others accounts (weeee!!!!) From exhaustive digging, it appears that pages were cached with set-cookie! So subsequent users who did not send a pre-existing session cookie were getting the cache-initiator's session cookie. Bad!

According to all the documentation out there, the following settings are supposed to prevent this from happening (to the best of my understanding at least:)

 fastcgi_pass_header Set-Cookie;
 fastcgi_pass_header Cookie;
 fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

When I looked through the individual caches I noticed several pages with set-cookie: [somerandomsessionid] According to nginx documentation under fastcgi_cache_valid...

If the header includes the “Set-Cookie” field, such a response will not be cached.

By including Set-Cookie with fastcgi_ignore_headers, am I telling it to cache set-cookie? In many examples, Set-Cookie is part of the arguments to fastcgi_ignore_headers. Or is it supposed to prevent Set-Cookie from being processed even though it's obviously in the cached files?

Here are the pertinent parts of my configuration:

location ~ .php$ { ...

fastcgi_next_upstream error timeout invalid_header http_500 http_503;
fastcgi_cache OPENCART;
fastcgi_cache_bypass $no_cache;
fastcgi_no_cache $no_cache;
fastcgi_cache_purge $purge_method;
fastcgi_cache_methods GET HEAD;
fastcgi_cache_valid 200 5m;
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_pass_header Set-Cookie;
#fastcgi_hide_header Set-Cookie;
fastcgi_pass_header Cookie;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

My cache bypass rules (called in /etc/conf.d)...

################## Fast CGI Cache Settings

# if we find a PHP session cookie, let's cache it's contents

map $http_cookie $php_session_cookie {
    default "";
    ~PHPSESSID=(?<sessionkey>[a-zA-Z0-9]+) $sessionkey; # PHP session cookie
}

fastcgi_cache_path /var/nginx/cache levels=1:2 keys_zone=OPENCART:5m max_size=10000m inactive=15m;
fastcgi_cache_key "$scheme$request_method$host$request_uri$is_mobile$php_session_cookie";

map $request_method $purge_method {
    PURGE   1;
    default 0;
}

################## Cache Header

add_header X-Cache $upstream_cache_status;

################## Cache Bypass Maps

#Don't cache the following URLs
map $request_uri $no_cache_uri {
    default 0;
    ~*/admin/ 1;
    ~*/dl/ 1;
}

# ~*/music/mp3_[^/]+/[0-9]+/.+$ 1;

map $query_string $no_cache_query {
    default 0;
    ~*route=module/cart$ 1;
    ~*route=account/ 1; #exclude account links
    ~*route=checkout/ 1; #exclude checkout links
    ~*route=module/founders 1;
    ~*route=module/cart 1;
    ~*route=product/product/captcha 1;
    ~*nocache=1 1; # exclude ajax blocks and provide for manual cache override
}

map $http_cookie $no_cache_cookie {
    default 0;
}  

map $http_x_requested_with $no_cache_ajax {
    default 0;
    XMLHttpRequest 1; # Don't cache AJAX
}

map $sent_http_x_no_cache $no_no_cache {
    default 0;
    on 1; # Don't cache generic header when present and set to "on"
}

## Combine all results to get the cache bypass mapping.
map $no_cache_uri$no_cache_query$no_cache_cookie$no_cache_ajax$no_no_cache $no_cache {
        default 1;
        00000 0;
}

Session setting in php.ini

session.auto_start = 1
session.cache_expire = 180
session.cache_limiter = nocache
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_secure = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 3600
session.gc_probability = 0
session.hash_function = "sha256"
session.name = PHPSESSID
session.serialize_handler = php
session.use_cookies = 1
session.use_only_cookies = 1
session.use_strict_mode = 1
session.use_trans_sid = 0

Opencart using session_start() on every page load so bypassing php session does me no good for the most part. If there were a way to prevent Set-Cookie headers from ending up in the cache, this would probably work for me.

Can anyone point me in the right direction?

I'm attempting a website cut-over. We want to preserve our external links by using 301 redirects. I have a lengthy list of redirects in a named location that resembles:

location @redirects {       
    rewrite ^/path/one.html$ http://www.ourdomain.tld/one-but-different permanent;
    rewrite ^/path/two.html$ http://www.ourdomain.tld/two-but-different permanent;
    rewrite ^/path/three.html$ http://www.ourdomain.tld/three-but-different permanent;
    rewrite ^/path/four.html$ http://www.ourdomain.tld/four-but-different permanent;
}

(please note that even though it appears that my example shows a pattern, no pattern exists. In other words they are one-to-one redirects.)

I have a CMS web application that I'm using the following try_files statement currently (which has been working all along for falling back to the index.php script):

location / {
    try_files $uri $uri/ /index.php;
}

Now I'm attempting to use try_files to "look at" the redirects named location and processing the rewrite BEFORE falling back to index.php. Like this:

location / {
    try_files @redirects $uri $uri/ /index.php;
}

However, the fallback is being triggered each time as the CMS is handling 404's. In other words, if I try http://www.ourdomain.tld/path/one.html, I get the 404 page for my CMS instead of a redirect! Is it possible to "try" a named location first or does the named location have to be the fallback?

I'm sure I'm doing this wrong. However, can someone point me in the right direction?

nginx/1.2.4

Thanks!

I have a little dilemma. I wrote a custom PHP MVC framework and built a CMS on top of it. I decided to give nginx+fpm a whirl too. Which is the root of my dilemma. I was asked to incorporate a wordpress blog into my website (yah.) It has much content and it's not feasible in the short amount of time I have to bring all the content into my CMS. Because of using Apache for years, I'm, admittedly, a little lost using nginx.

My website has the file path:

/opt/directories/mysite/public/

The wordpress files are located at:

/opt/directories/mysite/news/

I know I just need to setup location(s) that targets /news[/*] and then forces all matching URI's to the index.php within. Can someone point me in the right direction perhaps?

My configuration is below:

server {

        listen   80;
        server_name staging.mysite.com

        index   index.php;

        root /opt/directories/mysite/public;

        access_log  /var/log/nginx/mysite/access.log;
        error_log   /var/log/nginx/mysite/error.log;

        add_header  X-NodeName  directory01;

        location = /favicon.ico {
                log_not_found off;
                access_log off;
        }

        location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
        }

        location / {
                try_files $uri $uri/ /index.php?route=$uri&$args;
        }

        location ~ /news {
                try_files $uri $uri/ @news;
        }

        location @news {
                fastcgi_pass unix:/tmp/php-fpm.sock;
                fastcgi_split_path_info ^(/news)(/.*)$;
                fastcgi_param SCRIPT_FILENAME /opt/directories/mysite/news/index.php;
                fastcgi_param PATH_INFO $fastcgi_path_info;
        }

        include fastcgi_params;
        include php.conf;

        location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|xml)$ {
                access_log        off;
                expires           30d;
        }

        ## Disable viewing .htaccess & .htpassword
        location ~ /\.ht {
                deny  all;
        }
}

My php.conf file:

location ~ \.php {
        fastcgi_param  QUERY_STRING       $query_string;
        fastcgi_param  REQUEST_METHOD     $request_method;
        fastcgi_param  CONTENT_TYPE       $content_type;
        fastcgi_param  CONTENT_LENGTH     $content_length;

        fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
        fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        fastcgi_param  REQUEST_URI        $request_uri;
        fastcgi_param  DOCUMENT_URI       $document_uri;
        fastcgi_param  DOCUMENT_ROOT      $document_root;
        fastcgi_param  SERVER_PROTOCOL    $server_protocol;

        fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
        fastcgi_param  SERVER_SOFTWARE    nginx;

        fastcgi_param  REMOTE_ADDR        $remote_addr;
        fastcgi_param  REMOTE_PORT        $remote_port;
        fastcgi_param  SERVER_ADDR        $server_addr;
        fastcgi_param  SERVER_PORT        $server_port;
        fastcgi_param  SERVER_NAME        $server_name;

        fastcgi_pass unix:/tmp/php-fpm.sock;

    # If you must use PATH_INFO and PATH_TRANSLATED then add 
    # the following within your location block above 
    # (make sure $ does not exist after \.php or /index.php/some/path/ will not match):

    #fastcgi_split_path_info ^(.+\.php)(/.+)$;
    #fastcgi_param  PATH_INFO          $fastcgi_path_info;
    #fastcgi_param  PATH_TRANSLATED    $document_root$fastcgi_path_info;
}

fastcgi_params file:

fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_intercept_errors on;

Thanks, in large part, to @Kromey, I have adjusted my location /news/ but I am still not getting the desired result.

I was able to learn to tack a ~ my /news location as I discovered that my php location was being matched first.

With this setup, I now get a 200 status, but the page is blank. Any ideas?

After testing much and retracing my steps, I still cannot get google mail to validate.

My mail server is Debian 5.0 with exim

Exim version 4.72 #1 built 31-Jul-2010 08:12:17
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Berkeley DB 4.8.24: (August 14, 2009)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
GnuTLS compile-time version: 2.4.2
GnuTLS runtime version: 2.4.2
Configuration file is /var/lib/exim4/config.autogenerated

My remote smtp transport configuration:

remote_smtp:
  debug_print = "T: remote_smtp for $local_part@$domain"
  driver = smtp
  helo_data = mailer.mydomain.com
  dkim_domain = mydomain.com
  dkim_selector = mailer
  dkim_private_key = /etc/exim4/dkim/mailer.mydomain.com.key
  dkim_canon = relaxed

.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_FROM_DNS
  helo_data=REMOTE_SMTP_HELO_DATA
.endif

The path to my private key is correct.

I see a DKIM header in my messages as they end up in my gmail account:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mydomain.com; s=mailer;
    h=Content-Type:MIME-Version:Message-ID:Date:Subject:Reply-To:To:From; bh=nKgQAFyGv<snip>tg=;
    b=m84lyYvX6<snip>RBBqmW52m1ce2g=;

However, gmail headers always report dkim=neutral (no signature):

dkim=neutral (no signature) [email protected]

My DNS results:

dig +short txt mailer._domainkey.mydomain.com
mailer._domainkey. mydomain.com descriptive text "v=DKIM1\; k=rsa\; t=y\; p=LS0tLS1CRUdJ<snip>M0RRRUJBUVV" "BQTRHTkFEQ0J<snip>GdLamdaaG" "JwaFZkai93b3<snip>laSCtCYmdsYlBrWkdqeVExN3gxN" "mpQTzF6OWJDN3hoY21LNFhaR0NjeENMR0FmOWI4Z<snip>tLQo="

Note that the base64 public key is 364 chars long so I had to break up the key using bind9.

$ORIGIN _domainkey. mydomain.com.
mailer                  TXT     ("v=DKIM1; k=rsa; t=y; p=LS0tLS1CRUdJTiBQVUJM<snip>U0liM0RRRUJBUVV"
                                "BQTRHTkFEQ0JpUUtCZ1<snip>15MGdLamdaaG"
                                "JwaFZkai93b3lDK21MR<snip>YlBrWkdqeVExN3gxN"
                                "mpQTzF6OWJDN3hoY21L<snip>Ci0tLS0tRU5E"
                                "IFBVQkxJQyBLRVktLS0tLQo=")

Can anyone point me in the right direction? I would really appreciate it.