stub_status.conf include can break all virtual hosts
mitchellkrogza opened this issue · 5 comments
The recommendations in the docs at https://github.com/nginxinc/nginx-amplify-doc/blob/master/amplify-guide.md#configuring-nginx-for-metric-collection can cause all your virtualhosts to go down. Trust me, it happened to me yesterday when I tried this suggestion.
The suggested method of using an include in /conf.d/ that gets loaded into every vhost causes multiple listen commands to be inserted into your virtualhosts, essentially breaking them.
The docs suggest you do your include as follows:
    # cat > conf.d/stub_status.conf
    server {
        listen 127.0.0.1:80;
        server_name 127.0.0.1;
        location /nginx_status {
            stub_status on;
            allow 127.0.0.1;
            deny all;
        }
    }
But you should actually (if you are going to use it as an include) rather do it as follows:
    # cat > conf.d/stub_status.conf
    location /nginx_status {
        stub_status on;
        allow 127.0.0.1;
        deny all;
    }
But you actually do not even need to do this. You only need the nginx_status stub in your default site and nowhere else.
So instead, in your site's default virtualhost only, add the following within the server {} block. The default site is always the first to answer a request and then pass it along to a virtualhost, so just having the stub in your /etc/nginx/sites-available/default file is all you need to do.
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
Mitchell,
Thanks a lot for spotting this one. Can you possibly explain your configuration structure a little bit more? Normally, there shouldn't be any issues with the snippet above.
Is it like you have something along the lines of the following?
You keep your vhost configs inside sites-enabled/*.conf and then it's:
    server {
        listen 80;
        server_name foo;
        include conf.d/*.conf;
        root /bar;
    }
And inside conf.d/* you keep common snippets like the following?
    conf.d/disable-git-location.conf
    conf.d/limit-rate-for-bots.conf
    conf.d/ban-bad-user-agents.conf
Hi Andy @ptreyes
Yes all my vhosts are in /etc/nginx/sites-enabled/
All my vhosts run on ssl so they all start off like this.
    server {
        # SSL configuration
        listen 443 ssl http2;
        root /var/www/mydomain1.com;
        server_name www.mydomain1.com mydomain1.com;

    server {
        # SSL configuration
        listen 443 ssl http2;
        root /var/www/mydomain2.com;
        server_name www.mydomain2.com mydomain2.com;
Inside my conf.d I only run globalblacklist.conf, which is from my repo
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
It seems to me including additional listen directives in your stub_status.conf caused a conflict and all sites to die. Adding it just to the default site seems to work perfectly as per my snippet above.
My default host is configured as follows
    # Default server configuration
    #
    server {
        # SSL configuration
        listen *:443 ssl http2;
        root /var/www/html;
        # other config stuff
        # end off before closing brace with
        # nginx_status stub configuration
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }
    }
I added a Note paragraph to the "stub_status" section in the docs. Does it explain it the right way, you think? I talked to our engineering support and they suggested the situation you describe above is more like an exclusion to how people usually treat conf.d :) Would you agree?
Yeah indeed, that seems to explain it much better 👍
Thanks! :)
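
The difference between the two layouts discussed in this thread comes down to the context in which `conf.d/*.conf` is spliced in. The following is an added example, not code from the thread or from the Amplify docs: a small include-aware check over constructed in-memory files (the file names, the `foo` vhost and the `ALLOWED` table, a subset of nginx's context rules, are assumptions) that reports directives landing in a context where nginx does not accept them.

```python
import fnmatch
import re

# Contexts in which nginx accepts each directive (only those relevant here).
ALLOWED = {"server": {"http"}, "listen": {"server"},
           "location": {"server", "location"},
           "stub_status": {"server", "location"}}

def tokenize(text):
    """Split config text into words and the structural tokens { } ;"""
    return re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))

def lint(files, name, context=("main",), findings=None):
    """Walk file `name`, following includes, and list misplaced directives."""
    findings = [] if findings is None else findings
    stack, stmt = list(context), []
    for tok in tokenize(files[name]):
        if tok not in ("{", "}", ";"):
            stmt.append(tok)
            continue
        if tok == "}":
            stack.pop()
        elif stmt:
            directive = stmt[0]
            if directive in ALLOWED and stack[-1] not in ALLOWED[directive]:
                findings.append((name, directive, stack[-1]))
            if tok == "{":
                stack.append(directive)
            elif directive == "include":  # splice the file in at this context
                for inc in sorted(fnmatch.filter(files, stmt[1])):
                    lint(files, inc, tuple(stack), findings)
        stmt = []
    return findings

# Constructed sample files, keyed by path relative to the nginx prefix.
LOCATION = "location /nginx_status { stub_status on; allow 127.0.0.1; deny all; }"
STUB_SERVER = "server { listen 127.0.0.1:80; server_name 127.0.0.1; %s }" % LOCATION
# Layout A: conf.d/*.conf is included inside every vhost's server {} block.
IN_VHOST = {"nginx.conf": "http { include sites-enabled/*.conf; }",
            "sites-enabled/foo.conf": "server { listen 80; include conf.d/*.conf; }"}
# Layout B: conf.d/*.conf is included once, at http level.
AT_HTTP = {"nginx.conf": "http { include conf.d/*.conf; include sites-enabled/*.conf; }",
           "sites-enabled/foo.conf": "server { listen 80; root /bar; }"}

def check(layout, snippet):
    return lint({**layout, "conf.d/stub_status.conf": snippet}, "nginx.conf")

if __name__ == "__main__":
    print(check(IN_VHOST, STUB_SERVER), check(AT_HTTP, STUB_SERVER))
```

Each finding is a `(file, directive, enclosing context)` tuple. The same check also shows that the location-only snippet is rejected when `conf.d` is included at `http` level, so neither form of `stub_status.conf` is portable across both layouts.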