I have multiple servers (divided into config files in sites-available).

nginx.conf

include /etc/nginx/modules-enabled/*.conf;


events {
    worker_connections 1024;
}

http {
    client_max_body_size 500M;
    client_header_buffer_size 24k;
    large_client_header_buffers 4 24k;

    proxy_send_timeout 86400;
    proxy_read_timeout 86400;

    include /etc/nginx/mime.types;

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log debug;

    include /etc/nginx/conf.d/*.conf;
    
    # Default server - must be first in config
    # PLAIN HTTP REDIRECT
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        return 301 https://$http_host$request_uri;
    }

    map "" $empty {
            default "";
    }

    server {
        listen 443 default_server ssl;
        listen [::]:443 default_server ssl;
        
        ssl_ciphers aNULL;
        ssl_certificate data:$empty;
        ssl_certificate_key data:$empty;

        return 404;
    }

    include /etc/nginx/sites-enabled/*;
}

During some dev time (adding some new reverse-proxy configs etc.), when one configuration is incorrect - for example crt files used in a config are missing - nginx fails to start and serve the proper configurations, but gives an error in the logs:

 nginx: [emerg] cannot load certificate "/etc/ssl/xxx/fullchain.crt": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/ssl/xxx/fullchain.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)

and restarts itself infinitely (I know I can fix this by creating dummy cert files, but still some other errors may occur ;))...

Is there any way to skip all server configs that are incorrect during nginx start? I was looking for some flag to skip incorrect sites in the documentation, but without luck...

It's a pain in the ass when someone tests new configuration options, does a restart, and all the services are unavailable because of this one failure...

  • The main (default) server is running while you edit one of your additional servers, and it shouldn’t give errors unless you reload nginx before validating that your changes are good. So just test with sudo nginx -t, and don’t reload until it passes the test? p.s. I’m running multiple sites-enabled too, but only the main one has “default_server” block. – Bman70 Aug 02 '22 at 10:35
  • It would be the best solution to delete errors before restart - but I want to have a general configuration in a git repository of which only part is used (is valid) on some servers. For example, moving the dev environment to a second server and configuring only one instance - I have to explicitly remove the rest of the config from sites-available because no ssl certs are generated. For your default_server ps ;) - as I understand nginx - it is config per port, so I want to have default logic for ports 80 and 443 to catch all web requests, otherwise https requests will go to my first server listening on port 443. – Antoni Trad Aug 03 '22 at 09:02
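An added example, not from the question or from nginx, of the pre-check approach the comments suggest: a POSIX shell script that links into sites-enabled only those sites-available configs whose ssl_certificate / ssl_certificate_key files actually exist on this host, so a config committed for another server is skipped instead of preventing every vhost from starting. It skips data: URIs (as used by the catch-all default_server above) and assumes the stock Debian directory layout; nginx -t still decides whether the remaining tree is valid before any reload.

```shell
#!/bin/sh
# Added example (not from the question): enable only those sites whose
# certificate files exist on this host, then let nginx -t judge the rest.

# Print the paths named by ssl_certificate / ssl_certificate_key
# directives in one config file (comments stripped, quotes removed).
cert_paths() {
    sed -e 's/#.*$//' "$1" |
    grep -E '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' |
    sed -E 's/^[[:space:]]*ssl_certificate(_key)?[[:space:]]+"?([^";]*)"?[[:space:]]*;.*/\2/'
}

# Succeed if every certificate the config references is readable; report
# missing files on stderr and fail otherwise. data: URIs (as in the
# catch-all default_server above) are not files and are skipped.
site_certs_ok() {
    ok=0
    for p in $(cert_paths "$1"); do
        case "$p" in data:*) continue ;; esac
        if [ ! -r "$p" ]; then
            echo "$1: missing certificate file $p" >&2
            ok=1
        fi
    done
    return $ok
}

# Rebuild sites-enabled from sites-available: link configs whose certs
# are present, drop the link for any that would make nginx refuse to start.
sync_enabled_sites() {
    avail=$1; enabled=$2
    mkdir -p "$enabled"
    for conf in "$avail"/*; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf")
        if site_certs_ok "$conf"; then
            ln -sfn "$conf" "$enabled/$name"
        else
            echo "skipping $name" >&2
            rm -f "$enabled/$name"
        fi
    done
}
# Usage (paths assumed to be the stock Debian layout):
#   sh sync-sites.sh /etc/nginx/sites-available /etc/nginx/sites-enabled \
#     && nginx -t && nginx -s reload
if [ "$#" -eq 2 ]; then
    sync_enabled_sites "$1" "$2"
fi
```

Run it from the deploy step before the reload; a site whose certificates appear later is picked up on the next run, and nothing is reloaded unless nginx -t passes.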

0 Answers