HACK NGINX+DAV
itcod
nginx-forum на forum.nginx.org
Вс Дек 4 08:26:10 UTC 2016
> При всех сторонних модулях вы даже не показали конфиг
Туплю может.... Не видел необходимости при данной ошибке показывать конфиг.
По моей логике считал - что бы я там не написал, это не должно было
позволить воркерам и модулям
выполнять команды webdav от рута. Возможно я не прав. Сорри! Вот конфиги.
-------------------------------------------
nginx.conf
#######################################################################
#
# This is the main Nginx configuration file.
#
# More information about the configuration options is available on
# * the English wiki - http://wiki.nginx.org/Main
# * the Russian documentation - http://sysoev.ru/nginx/
#
#######################################################################
#----------------------------------------------------------------------
# Main Module - directives that cover basic functionality
#
# http://wiki.nginx.org/NginxHttpMainModule
#
#----------------------------------------------------------------------
# Process-level settings: worker account, worker count, per-worker descriptor
# limit, error log destination/level and pid file.
# NOTE(review): `user` is honoured only when the master process is started with
# superuser privileges; the master keeps that identity and only the worker
# processes switch to `nginx`. If WebDAV operations appear to run as root,
# compare the effective UID of the running workers with this setting.
user nginx;
worker_processes 2;
worker_rlimit_nofile 16384;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
#----------------------------------------------------------------------
# Events Module
#
# http://wiki.nginx.org/NginxHttpEventsModule
#
#----------------------------------------------------------------------
# Connection processing: epoll event method, up to 1024 connections per worker;
# multi_accept lets a worker accept all pending connections at once.
events {
use epoll;
worker_connections 1024;
multi_accept on;
}
#----------------------------------------------------------------------
# HTTP Core Module
#
# http://wiki.nginx.org/NginxHttpCoreModule
#
#----------------------------------------------------------------------
http {
# Temporary-file locations for request bodies and upstream responses.
# NOTE(review): these sit under /tmp, which is normally world-writable. Request
# bodies and upstream responses are spooled here, so the directories should be
# pre-created, owned by the worker account and not accessible to other users.
client_body_temp_path /tmp/nginx-client-body;
fastcgi_temp_path /tmp/nginx-fastcgi;
uwsgi_temp_path /tmp/nginx-uwsgi;
scgi_temp_path /tmp/nginx-scgi;
# Proxy cache storage: key zone "cache" (30m), two-level directory layout,
# at most 10G on disk.
proxy_cache_path /opt/nginx/cache levels=1:2 keys_zone=cache:30m
max_size=10G;
proxy_temp_path /opt/nginx/proxy 1 2;
# NOTE(review): the upstream's Expires and Cache-Control headers are ignored, so
# a response the backend marks private or no-store is still cacheable wherever
# proxy_cache is switched on (no proxy_cache directive is visible in this
# listing). The only exclusion below is the presence of a "session" cookie.
proxy_ignore_headers Expires Cache-Control;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
# Search paths for native (.so) and pure-Lua modules loaded by the workers.
# NOTE(review): every directory listed here is a code-loading location; each
# should be writable by root only, in particular the /usr/local entries.
lua_package_cpath
'/usr/lib64/?.so;/usr/lib64/lua/5.1/?.so;/usr/local/lib/lua/5.1/?.so';
lua_package_path
'/usr/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;/usr/share/lua/resty/?.lua;/usr/local/lib/lua/resty/?.lua;/usr/local/lib/lua/resty/core/?.lua;';
# Shared-memory dictionaries available to the Lua code (10M each).
lua_shared_dict sha1 10M;
lua_shared_dict a 10M;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Access-log formats. "main" is the combined-style format used by every
# access_log directive visible in this listing.
log_format main '$remote_addr - $remote_user [$time_local] "$host"
"$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# "inweb" is a pipe-delimited variant; no access_log shown here refers to it
# (included files may).
# NOTE(review): $request, $http_referer, $http_user_agent and
# $http_x_forwarded_for are client-controlled and may themselves contain "|",
# so a parser that splits this format on "|" can be fed shifted or forged
# fields. Treat it as untrusted input when building detections on it.
log_format inweb
'$msec|$remote_addr|$remote_user|$time_local|$request|'
'$status|$body_bytes_sent|$http_referer|'
'$http_user_agent|$http_x_forwarded_for';
access_log /var/log/nginx/access.log main;
# Transfer and keep-alive tuning.
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
keepalive_requests 1000;
# Response compression defaults for all servers.
# NOTE(review): compressing TLS responses that mix secrets with
# attacker-influenced content is the precondition for BREACH-style attacks;
# confirm the dynamic (Lua) endpoints do not reflect request data next to
# tokens, or disable gzip for them.
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.0;
gzip_types text/plain text/css application/json application/x-javascript
text/xml application/xml application/xml+rss text/javascript;
gzip_static on;
# User-Agent patterns for which compression is turned off.
# NOTE(review): "Safari" also occurs in Chrome's User-Agent string, so that
# rule disables gzip for both browsers. The MSIE pattern has no space between
# "MSIE" and the version digit, so it appears never to match a real
# "MSIE 6.0" User-Agent — confirm the intent.
gzip_disable FireFox/([0-2]\.|3\.0);
gzip_disable Chrome/2;
gzip_disable Safari;
gzip_disable MSIE[1-6].(?!.*SV1);
# Request-rate limiting zones, all keyed on the client address.
# NOTE(review): in the configuration shown only zone "com" is referenced by a
# limit_req directive; the others have no effect unless an included file uses
# them. Requests that reach nginx via its own loopback proxy_pass share the
# single key 127.0.0.1.
limit_req_zone $binary_remote_addr zone=2client:10m rate=5r/s;
limit_req_zone $binary_remote_addr zone=system:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=update:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=social:10m rate=5r/s;
limit_req_zone $binary_remote_addr zone=com:10m rate=50r/s;
limit_req_zone $binary_remote_addr zone=itcodcom:1m rate=10r/s;
limit_req_zone $binary_remote_addr zone=itcod:100m rate=100r/s;
map_hash_bucket_size 128;
# Choose the Expires policy from the response Content-Type: PDFs 42 days,
# any image/* type the maximum, everything else no Expires header.
map $sent_http_content_type $expires {
default off;
application/pdf 42d;
~image/ max;
}
expires $expires;
#
# The default server
#
# Catch-all plain-HTTP server on port 80 serving the stock static pages.
server {
listen 80;
server_name _;
server_name_in_redirect off;
# Static-asset extensions served with pre-compressed (.gz) files when present.
# NOTE(review): the pattern is not anchored with "$", so it matches these
# extensions anywhere in the URI, and it includes ".ini".
location ~* \.(css|js|ico|atrib|vas|ini) {
gzip_static on;
gzip_disable FireFox/([0-2]\.|3\.0);
gzip_disable Chrome/2;
gzip_disable Safari;
}
# 415 (unsupported media type) is answered with a 1x1 transparent GIF.
error_page 415 = /empty;
location = /empty {
empty_gif; # Respond with empty image
}
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 404 /404.html;
location = /404.html {
root /usr/share/nginx/html;
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
server_names_hash_bucket_size 64;
# http-level TLS defaults, inherited by any server that does not override them.
ssl_certificate ssl/cert.pem;
ssl_certificate_key ssl/cert.key;
ssl_session_timeout 10m;
# NOTE(review): SSLv2 and SSLv3 are broken protocols (DROWN, POODLE) and TLSv1
# is deprecated; this default offers nothing newer. Any included server with
# `listen ... ssl` and no ssl_protocols of its own inherits exactly this list.
ssl_protocols SSLv2 SSLv3 TLSv1;
# NOTE(review): the cipher string explicitly re-adds LOW, EXP (export-grade),
# SSLv2 and RC4 suites. Replace it with a modern allow-list before relying on
# this default anywhere.
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
# Charset conversion maps.
include win-utf;
include koi-utf;
# Load config files from the /etc/nginx/conf.d directory
# NOTE(review): every *.conf in these two directories becomes part of the
# running configuration; both directories should be writable by root only.
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/virt.d/*.conf;
}
---------------------------------------------------------------
virt.conf
server {
# One server answers both plain HTTP (80) and HTTPS (443).
# NOTE(review): nothing visible redirects port 80 to HTTPS, so WebDAV requests
# and whatever credentials the Lua access script expects can travel in
# cleartext. Browsers also ignore an HSTS header received over plain HTTP.
listen 80;
listen 443 ssl;
# Host names served by this block.
# NOTE(review): the first entry puts two regular expressions inside one quoted
# string, which nginx reads as a single pattern containing a space; as written
# it cannot match any host name. The two patterns were presumably meant to be
# separate entries — confirm.
server_name "~^ihome\d+\.itcod\.com$ ~^cdn\d+\.itcod\.com$"
www.itcod.com
itcod.com
www.itcod.ru
itcod.ru
www.itcod.su
itcod.su
www.itcod.net
itcod.net
~^cdn\d+\.itcod\.net$
ihome.itcod.com
icm.itcod.com
localhost
;
expires epoch;
keepalive_timeout 70;
ssl_certificate ssl/itcod.com/uni.crt;
ssl_certificate_key ssl/itcod.com/ssl.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated. All three listed suites use
# static RSA key exchange (no forward secrecy) with CBC-mode SHA-1 MACs, and
# DES-CBC3-SHA is 3DES (Sweet32). The trailing ":" leaves an empty list entry.
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers AES128-SHA:AES256-SHA:DES-CBC3-SHA:;
ssl_prefer_server_ciphers on;
ssl_stapling on;
# HSTS with a one-week max-age.
# NOTE(review): add_header without `always` is applied only to a fixed set of
# success and redirect status codes, and server-level add_header directives
# are not inherited by a location that declares its own add_header
# (/.resize/ does), so this header is missing on some responses.
add_header Strict-transport-Security 'max-age=604800';
ssl_buffer_size 4k;
default_type application/octet-stream;
access_log /var/log/nginx/ihome.itcod.com-access.log main;
resolver 127.0.0.1;
charset utf-8;
gzip_static on;
gzip on;
gzip_disable "msie6";
# NOTE(review): "appliction/xml+rss" is misspelled and therefore never matches.
gzip_types text/plain text/css application/x-javascript text/javascript
application/javascript application/json text/xml application/xml
appliction/xml+rss;
# CORS response headers for every origin.
# NOTE(review): browsers reject "Access-Control-Allow-Origin: *" on credentialed
# requests, so Allow-Credentials has no effect in this combination, while any
# web origin may still read non-credentialed responses from this WebDAV host.
# The standard header name is Access-Control-Allow-Headers; the singular form
# below is not recognised by browsers. An explicit origin allow-list is the
# safer design for a server that accepts PUT/DELETE.
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods *;
add_header Access-Control-Allow-Header *;
add_header Access-Control-Allow-Credentials true;
# Server-level rewrite logic: classify the request target as "dir", "file" or
# "none" and normalise the trailing slash. These directives run in order, so
# later assignments override earlier ones.
set $dir /opt/home;
set $testdir $dir$uri;
set $uri_type none;
if (-d $testdir) { # such a directory exists
set $uri_type dir;
# Append a slash, then collapse any run of trailing slashes to one.
rewrite ^(.*)$ $1/;
rewrite ^(.*)/+$ $1/;
}
if (-f $testdir) { # such a file exists
set $uri_type file;
}
if ($request_method = "MKCOL") {
rewrite ^(.*)$ $1/;
rewrite ^(.*)/+$ $1/;
set $uri_type dir; # the WebDAV client is creating a directory
}
if ($request_method = "PUT") {
set $uri_type file; # only files are uploaded
}
if ($request_method = "POST") {
set $uri_type file; # only files are POSTed
}
# Names of per-directory control files and defaults; presumably read by the
# Lua access script, which is not shown.
# NOTE(review): the comments list crypt(3)/md5/sha1 as password formats; how
# they are verified depends on the Lua code — confirm no unsalted digest is
# accepted. $itcod_passwd holds a secret in the configuration file, which
# therefore needs root-only read permissions.
set $user_open .htopen; #all:[com] file:[com] dir/:[com] (com = private/open/block/hide)
set $user_passwd .htpasswd; #user:password[crypt(3)/md5/sha1]
set $user_permit .htpermit; #user:GET,PUT,....OPTIONS
set $user_permit_default GET,HEAD,PROPFIND,OPTIONS; # Allow
set $user_itcod guest;
set $home_itcod /;
set $itcod_automount off; #off/on
set $itcod_passwd <PASSWORD>;
set $ID_user <USER>;
merge_slashes on;
set $answer_block 0;
set $a401 no;
# Main WebDAV location rooted at $dir (/opt/home): directory listing plus the
# PUT/DELETE/MKCOL/COPY/MOVE and PROPFIND/OPTIONS methods, with Lua hooks for
# access control, response headers and listing post-processing.
location / {
# NOTE(review): an `allow` with no matching `deny` restricts nothing, because
# the access module permits requests that match no rule. All authorisation
# here rests on auth-dav.lua, which is not shown.
allow 127.0.0.0/8;
limit_req zone=com burst=50 nodelay;
# limit_rate throttles the response sent to the client, not uploads.
limit_rate 512k;
set $uri_del /%.resize/%d+x%d+/;
set $auth_dav private; #none/private
access_by_lua_file /etc/nginx/lua/auth-dav.lua;
# Write-capable DAV methods; create_full_put_path creates missing parent
# directories on PUT, and created files get user/group read-write mode.
dav_methods PUT DELETE MKCOL COPY MOVE;
dav_ext_methods PROPFIND OPTIONS;
create_full_put_path on;
dav_access user:rw group:rw;
# PUT bodies are spooled here before being moved to the target; keeping this
# directory on the same filesystem as $dir lets that be a rename, not a copy.
client_body_temp_path /opt/tmp/;
# NOTE(review): 0 disables the request-body size check, so any client that
# passes the access script can fill the disk; consider a quota or a finite
# limit.
client_max_body_size 0;
autoindex on;
root $dir;
header_filter_by_lua_file /etc/nginx/lua/itcod-exchange.lua;
# Settings read by the md5index body filter (script not shown).
# NOTE(review): md5 in a listing can detect accidental corruption only; it is
# not collision resistant and should not be presented as an integrity proof.
set $md5index on; #on/off nil=off # enable/disable the handler
set $md5index_hash md5; #none/md5/md4/sha1/sha/ripemd160 nil=none # type of hashes to output
set $md5index_size 2000; #kb nil=unlimit # do not compute hashes for files larger than N kb
set $md5index_path on; #on/off nil=off # replace relative link paths with the full URI
set $md5index_nonblank on; #on/off nil=off # collapse multiple spaces into one
set $md5index_type on; #on/off nil=off # add a type description (file/directory/etc...) to the rows
set $md5index_ico https://itcod.com/ui/icons/16ext/; # path to the icon library
set $md5index_icopref icon-; # icon file name prefix
#set $md5index_icosuf -icon; # icon file name suffix
set $md5index_icoext .gif; # icon file extension
set $md5index_win VIEW; # target window for !winext! files
set $md5index_winext all; # file extension for target windows
set $md5index_htindex .htindex; # file holding the main top-level recursive template
set $md5index_htindex_add .htindex.add; # file holding the adjusting recursive template
body_filter_by_lua_file /etc/nginx/lua/md5index.lua; # add-on handler
}
# Deny every URI containing "/.uht".
# NOTE(review): the control files named elsewhere in this server block are
# .htopen, .htpasswd, .htpermit and .htindex; none of them contains "/.uht",
# so this rule does not cover them. If those files live under the DAV root,
# whether they can be read or overwritten depends entirely on auth-dav.lua —
# confirm, or deny "/\.ht" here as well.
location ~/\.uht {
deny all;
}
# Application endpoints implemented entirely in Lua content handlers.
# NOTE(review): none of these locations declares access_by_lua_file or
# limit_req, so authentication and throttling, if any, happen inside the
# handler scripts, which are not shown.
location /i/search/ {
content_by_lua_file /etc/nginx/lua/itcod-search.lua;
}
# location /i/mnt/ {
# content_by_lua_file /etc/nginx/lua/itcod-mnt.lua;
# }
# User management endpoint; overrides $user_passwd for this location and
# passes the captcha type and secrets to the handler as variables.
# NOTE(review): captcha secrets stored in the configuration file require that
# file to be readable by root only.
location /i/user/ {
set $user_passwd <PASSWORD>;
set $user_captcha_test recaptcha;
set $user_captcha_test_secret <SECRET>;
set $user_captcha_add recaptcha;
set $user_captcha_add_secret <SECRET>;
set $user_link /opt/home; # link generation
set $user_home /opt/fs/local; #general create home userbox
content_by_lua_file /etc/nginx/lua/itcod-user.lua;
}
# Send endpoint; compression is switched off for its responses.
location /i/send/ {
gzip_static off;
gzip off;
content_by_lua_file /etc/nginx/lua/itcod-send.lua;
}
# Note and text submission endpoints, each guarded by a captcha whose type and
# secret are handed to the Lua handler through variables.
# NOTE(review): $send_server points the handlers at this same nginx over
# loopback. Requests issued that way arrive with source address 127.0.0.1, so
# per-address rate limits and any address-based trust no longer see the
# original client — confirm the handlers enforce the caller's permissions
# themselves.
location /i/sendNote/ {
set $sendNote_captcha_new recaptcha;
set $sendNote_captcha_new_secret <SECRET>;
set $sendNote_captcha_add recaptcha;
set $sendNote_captcha_add_secret <SECRET>;
set $sendNote_domain itcod.net;
set $sendNote_email no;
set $send_server http://localhost/;
content_by_lua_file /etc/nginx/lua/itcod-sendNote.lua;
}
location /i/sendText/ {
set $sendText_captcha_new recaptcha;
set $sendText_captcha_new_secret <SECRET>;
set $sendText_captcha_add recaptcha;
set $sendText_captcha_add_secret <SECRET>;
set $send_server http://localhost/;
content_by_lua_file /etc/nginx/lua/itcod-sendText.lua;
}
############
# Thumbnail front end for /.resize/<W>x<H>/<path>: serves a stored copy from
# /opt/home/resize/... when present, otherwise fetches a resized image from
# /image_resize over loopback and stores it with proxy_store.
location /.resize/ {
alias /opt/home/;
# NOTE(review): "Cache-Control: public" with a 3-day lifetime lets shared
# caches keep images that were released only after the access script ran.
# Declaring add_header here also stops inheritance of the server-level
# add_header directives (HSTS, CORS) for this location.
expires 3d;
add_header Cache-Control public;
set $uri_del ^/%.resize/%d+x%d+/;
access_by_lua_file /etc/nginx/lua/auth-dav.lua;
# Defaults used when the URI carries no size component.
set $width 100;
set $height 100;
set $demins "100x100";
if ($uri ~* "^/.resize/(\d+)x(\d+)/(.*)" ) {
set $width $1; # width
set $height $2; # height
set $image_path $3; # real URL of the image
set $demins "$1x$2"; # size mask (subdirectory name)
}
if ($image_path ~* "(.*)/(.*)\.(.*)$") {
set $image_dir $1; # path
set $image_name $2; # file name
set $image_ext $3; # extension
}
# NOTE(review): $uri is already percent-decoded by nginx, and each variable is
# decoded twice more here before being placed into a filesystem path (see
# proxy_store below). Repeated decoding of client-supplied path components
# after URI normalisation is a path-traversal risk: verify that the final
# $image_request always stays under /opt/home/resize/, or drop the extra
# decoding passes. $image_ext is not decoded at all.
set_unescape_uri $image_dir;
set_unescape_uri $image_dir;
set_unescape_uri $image_name;
set_unescape_uri $image_name;
# URI and on-disk path of the stored thumbnail, and the URI of the resizer.
set $image_req /resize/$image_dir/$demins/$image_name.$image_ext;
set $image_request
/opt/home/resize/$image_dir/$demins/$image_name.$image_ext;
set $image_uri image_resize/$image_path?width=$width&height=$height;
# No stored thumbnail yet: log the miss and ask the resizer.
if (!-f $image_request) {
access_log /var/log/nginx/itcod-noimg.log main;
proxy_pass http://localhost/$image_uri;
}
# Persist the proxied response at the computed path.
# NOTE(review): stored files are world-readable (all:r), and the temp directory
# is under /tmp; it should be private to the worker account and on the same
# filesystem as the store target.
proxy_store $image_request;
proxy_store_access user:rw group:rw all:r;
proxy_temp_path /tmp/images;
# The client-supplied Host is forwarded and selects the virtual host that
# answers the loopback request.
proxy_set_header Host $host;
# send the request to the cache
proxy_pass http://localhost/$image_req;
}
# Resizer back end: reads the source image from /opt/home and scales it to the
# width/height given in the query string.
# NOTE(review): this location has no access_by_lua_file and no address
# restriction, so the check performed in /.resize/ does not apply to requests
# sent to it directly; images under /opt/home are then served without the
# access script. Only the loopback proxy_pass needs it, so
# `allow 127.0.0.1; deny all;` fits (`internal` would not, because the proxied
# request is an ordinary external request).
# The prefix and the alias both lack a trailing slash, so URIs such as
# /image_resizeX map to /opt/homeX; add the slash to both.
location /image_resize {
access_log /var/log/nginx/itcod-resize.log main;
alias /opt/home;
image_filter resize $arg_width $arg_height;
# Source images larger than 20M are rejected by the filter.
image_filter_buffer 20M;
image_filter_jpeg_quality 75;
image_filter_sharpen 35;
image_filter_interlace on;
image_filter_transparency on;
# A non-image or oversized source (415) is answered with an empty GIF.
error_page 415 = /.empty;
}
# Error handler
location = /.empty {
empty_gif; # Respond with empty image
}
}
---------------
Источник: https://itcod.com/test/2016.12.04.demo.nginxConfig/
Posted at Nginx Forum: https://forum.nginx.org/read.php?21,271302,271331#msg-271331