
So I'm trying to set up a YOURLS URL shortener on my Ubuntu 16.04 DO droplet. I'm very new to MySQL and PHP, so I can't figure out what might be wrong. I'm pretty good with Nginx as I've been using it forever, but it seems as if these errors are caused by the MySQL database and/or PHP config.

The setup: Nginx root (for site): /var/www/bnbr.co/public_html (bnbr.co is the domain I'll be using)

PHP config file (located at /var/www/bnbr.co/public_html/config.php)

php7.0-fpm pool (located at /etc/php/7.0/fpm/pool.d/username.conf)

MySQL setup:

    MariaDB [(none)]> CREATE DATABASE yourls;
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON yourls.* TO 'username'@'localhost' IDENTIFIED BY 'passwd';
    MariaDB [(none)]> FLUSH PRIVILEGES;
    MariaDB [(none)]> \q

EDIT: Nginx config file for domain (located at /etc/nginx/sites-enabled/bnbr_co)

    # main

    server {

        listen 443;
        server_name bnbr.co;

        root /var/www/bnbr.co/public_html;
        index index.php;

        ssl on;
        ssl_certificate /etc/letsencrypt/live/bnbr.co/cert.pem;
        ssl_certificate_key /etc/letsencrypt/live/bnbr.co/privkey.pem;

        ssl_session_timeout 10m;

        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
        ssl_prefer_server_ciphers on;

        location / {
            try_files $uri $uri/ /yourls-loader.php;
            expires 14d;
            add_header Cache-Control 'public';
        }

        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php/php7.0-fpm-username.sock;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_intercept_errors off;
            fastcgi_buffer_size 16k;
            fastcgi_buffers 4 16k;
        }
    }

    # HTTP --> HTTPS REDIRS

    # main

    server {
        listen 80;
        server_name bnbr.co;
        return 301 https://$server_name$request_uri;
    }

I'm new to this stuff so I hope you guys can help.

Thanks!

benobro

1 Answer


I'll put all the necessary steps here.

1) Create the user and walk through the steps it asks for:

    adduser bnbr

2) Create the folders:

    mkdir -p /home/bnbr/public
    mkdir -p /home/bnbr/logs
    mkdir -p /home/bnbr/tmp

3) Copy your stuff to the public folder.

4) Set the owner and modes:

    chown -R bnbr:bnbr /home/bnbr
    chmod -R 0755 /home/bnbr/public
    chmod -R 0755 /home/bnbr/logs
    chmod -R 0755 /home/bnbr/tmp

5) Create the PHP pool config at /etc/php/7.0/fpm/pool.d/bnbr.conf with the following content:

    [bnbr]

    ; run the pool's PHP workers as the bnbr user
    user = bnbr
    group = bnbr

    ; socket that nginx's fastcgi_pass points at
    listen = /var/run/php-fpm.bnbr.sock
    listen.owner = bnbr
    listen.group = bnbr
    listen.mode = 0666

    pm = ondemand
    pm.max_children = 16
    pm.process_idle_timeout = 10s
    pm.max_requests = 32
    chdir = /

    php_admin_flag[display_errors] = on
    php_admin_value[error_log] = /home/bnbr/logs/fpm-php.bnbr.log
    php_admin_value[log_level] = "warning"
    php_admin_flag[log_errors] = on
    php_admin_value[memory_limit] = 128M
    php_admin_value[post_max_size] = 16M
    php_admin_value[upload_max_filesize] = 16M
    php_admin_value[upload_tmp_dir] = /home/bnbr/tmp
    php_admin_flag[allow_url_fopen] = on
    ; paths the PHP workers of this pool are allowed to open
    php_admin_value[open_basedir] = "/usr/share/php:/tmp:/usr/local/lib/php:/home/bnbr/logs:/home/bnbr/public:/home/bnbr/tmp"

6) Restart the php-fpm service.

7) Create the host config for nginx and enable it:

    server {
      listen 443 ssl;
      server_name bnbr.co www.bnbr.co;

      root /home/bnbr/public;
      index index.php;

      ssl on;
      ssl_certificate /etc/letsencrypt/live/bnbr.co/cert.pem;
      ssl_certificate_key /etc/letsencrypt/live/bnbr.co/privkey.pem;
      ssl_session_timeout 10m;
      ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
      ssl_prefer_server_ciphers on;

      location / {
        try_files $uri $uri/ /yourls-loader.php;
        autoindex off;
        access_log off;
        if (!-f $request_filename) {
          rewrite /(.*)$ /yourls-loader.php last;
          break;
        }
      }

      location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # must be the same path as `listen` in the pool config
        fastcgi_pass unix:/var/run/php-fpm.bnbr.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors off;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
      }
    }

8) Restart nginx.



Explanation:

I'm creating the bnbr user to keep everything in one specific place, isolated with that user's privileges.

The php-fpm pool config says that I need an FPM listener with bnbr privileges, and the open_basedir directive defines what the PHP process spawned by FPM can access.

The nginx config tells nginx to look in the /home/bnbr/public folder.

P.S. No need for letsencrypt, just attach your domain to CloudFlare and it will give you a long-term wildcard SSL certificate and will hide your server from DDoS attacks.

num8er
  • thanks so much. last question: what to do about mysql? do i make a new db with the new username `bnbr`? – benobro Aug 12 '17 at 02:55
  • @benobro in the case of the database there is no special rule. Name it as you wish. – num8er Aug 12 '17 at 07:37
  • ok cool. i'm happy to say i'm no longer getting those weird 403 and 502s. unfortunately now, it says file not found. any ideas? – benobro Aug 12 '17 at 15:13
  • @benobro have you copied the files to the `public` folder? See, it looks at `root /home/bnbr/public`. Also, after copying the files, don't forget to do chown and chmod on those files – num8er Aug 12 '17 at 15:32
  • ok cool, sorry i can't talk right now but can i skype message with you? – benobro Aug 12 '17 at 15:49
  • Why do you have to make a new user? And why not just `/var/run/php-7.2.sock;` ? – dylanh724 Nov 11 '18 at 05:09
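
The following check is an added example, not code from the question or the answer: it reads a php-fpm pool file and an nginx vhost like the ones in this thread and reports a socket path that differs between `listen` and `fastcgi_pass` (nginx answers 502 in that case), a world-writable socket, `display_errors`, `open_basedir` paths outside the pool user's home, and obsolete `ssl_protocols`. The sample inputs are constructed, and `audit` and `directive` are names chosen for this example.

```python
import configparser
import re

# Constructed sample inputs modelled on the pool file and vhost in this thread.
POOL = """[bnbr]
user = bnbr
listen = /var/run/php-fpm.brbr.sock
listen.mode = 0666
php_admin_flag[display_errors] = on
php_admin_value[open_basedir] = "/tmp:/home/brbr/logs:/home/bnbr/public"
"""
VHOST = r"""server {
  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  location ~ \.php$ {
    fastcgi_pass unix:/var/run/php-fpm.bnbr.sock;
  }
}
"""

def directive(conf, name):
    """Arguments of the first `name ...;` directive in an nginx config, or ''."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+([^;]+);", conf, re.M)
    return m.group(1).strip() if m else ""

def audit(pool_text, vhost_text):
    """Return findings for one php-fpm pool / nginx vhost pair (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(pool_text)
    pool = cp[cp.sections()[0]]
    findings = []
    sock = directive(vhost_text, "fastcgi_pass").replace("unix:", "", 1)
    if sock != pool["listen"]:  # nginx cannot reach FPM: 502 Bad Gateway
        findings.append(f"socket mismatch: nginx={sock} fpm={pool['listen']}")
    if int(pool.get("listen.mode", "0660"), 8) & 0o002:  # FPM default is 0660
        findings.append("listen.mode: any local user can connect to the socket")
    if pool.get("php_admin_flag[display_errors]", "off").lower() == "on":
        findings.append("display_errors: PHP errors are shown to visitors")
    home = f"/home/{pool['user']}/"
    basedir = pool.get("php_admin_value[open_basedir]", "").strip('"')
    for path in basedir.split(":"):
        if path.startswith("/home/") and not path.startswith(home):
            findings.append(f"open_basedir: {path} is outside {home}")
    old = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
    weak = sorted(old & set(directive(vhost_text, "ssl_protocols").split()))
    if weak:
        findings.append("ssl_protocols: obsolete " + " ".join(weak))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(POOL, VHOST)))
```

With `listen.mode = 0660`, nginx can still connect only if `listen.owner` or `listen.group` is the user its workers run as (`www-data` on Ubuntu).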