nginx reverse proxy and php's $_SERVER['SERVER_PORT']

[wombat]

I tried using nginx as a reverse proxy as provided by plesk 11. Only problem remaining (so far) is that i have a php software that uses $_SERVER['SERVER_PORT'] inside redirects.

apache's mod_php gets the wrong server port when using nginx: 7080 instead of 80, so every php script depending on the correct port won't run.

i tried editing /opt/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php and added $server_port:

proxy_set_header Host $host:$server_port;

this works on some scripts, but crashes typo3 for example.

[abdi]

apache's mod_php gets the wrong server port when using nginx: 7080 instead of 80,

I don't think its a wrong port, its just the exact port that apache is running on. 80 is for nginx. However, with an extra manuplation of your system you can have both apache and nginx run on port 80 but you would require 2 IPs on the server, tieing each web server on its own IP.

[wombat]

yes, technically it's not the "wrong" port but it's the wrong port for most of the php scripts. e.g. i have one that has a redirect class. it's called if a user should be redirected via php to another site. the script checks also the server_port, to ensure, that installations of the script running on an apache that's not running on the standard port (80), will do a correct redirect. if the apache runs on 7080, the script will forward to "http://forward_url:7080".

and that's the problem. the client sends it's request to port 80, nginx handles it, apache runs the php script, send the forward and determins port 7080 as server port, sends the header back to nginx and than to the client which will be redirected to port 7080 - a port the client never connected to.

plesk uses special apache modules to ensure that apache gets the "right" ip adresses of it's clients (and not nginx ip in all requests). so there is already a methode of correction such problems but only for the client's ip.

with the current configuration of plesk with nginx, you simply can't use nginx if you don't know exactly what php scripts you or your customers run. otherwise you will break something, that's for sure

the suggested usage of a second ip for apache could solve the problem, i will test this on a second server. for now i won't use nginx with the plesk configuration as it seems more an alpha testing version.

regards,
andreas

[paulieG]

Hi,

In /usr/local/psa/admin/conf/templates/default/domain/domainVirtualHost.php (I'm guessing) you will see that the configuration file is appending the server port to the "ServerName" directive, if you remove this (well if you copy this file to /usr/local/psa/admin/conf/templates/custom/domain/domainVirtualHost.php and then remove the tertiary statement that echo's the port out to ServerName) then most (but perhaps not all) of these problems go away.

I read up on this last week as I had serious problems getting proxy_redirect in nginx to actually do anything, and my fix on Plesk 9 (we run nginx as a frontend on some Plesk 9 servers) wasn't working on Plesk 11. Since fixing the above I fixed the two use cases where I was getting the problem (haven't tested any others).

Let me know how you get on with it,

Paul.

[abdi]

Paul, removing the apache port from the template or domain vhosts, doesn't that render apache useless? Ie, without that port, it means all requests should now be handled by nginx.

Help me understand or show me apache in that picture while the port is removed and Nginx is still running as front-end.

[paulieG]

Hi,

Well first it kind of works : http://vz3001.nu-vps.com/phpinfo.php (That won't be available for long!)

I say kind of because I've also made some other changes to virtualhost template that could be working in tandem.

Second, you're changing the Apache configuration to make Apache think its running on its default ports 80/443, so that it won't append a port to any url redirects it builds.

I should add for completeness that I also have these values in my apache virtualhost template :

UseCanonicalName On
UseCanonicalPhysicalPort Off

These were required to stop the same thing happening on Plesk 9 nginx proxy setup.

Paul

[CyberEdge_Alan]

Paul,

You referred me here as I was reading what you did would you be able to post the information for the configurations? What they look like. I don't want to change something and not be able to come back from the change. I want to be able to know what exactly I'd change to resolve this problem.

I don't know if this is what you meant but I removed the entire ServerName statement and was going to move it to "/usr/local/psa/admin/conf/templates/custom/domain/domainVirtualHost.php" however this path doesn't even exist on my server. Does it need to be created?

My modified domainVirtualHost.php file - http://pastebin.com/n6kPJ9wL

[paulieG]

Hi,

You will need to create the following two paths, its entirely correct that these directories don't exist on your server :

/usr/local/psa/admin/conf/templates/custom/
/usr/local/psa/admin/conf/templates/custom/domain/

The Plesk templating system works by first looking for the template in /usr/local/psa/admin/conf/templates/custom, if it doesn't find it there then it looks in /usr/local/psa/admin/conf/templates/default .

The custom directory isn't created or edited by Plesk, so any customisations you make will not be overwritten. Its probable that updates to Plesk _will_ overwrite the files in the default directory.

You should not remove the ServerName directive, its pretty important
You should remove the following from line 6 :

:<?php echo $OPT['ssl'] ? $VAR->server->webserver->httpsPort : $VAR->server->webserver->httpPort ?>

Leaving line 6 as :

ServerName "<?php echo $VAR->domain->asciiName ?>"

And insert the following at line 132 :

<?php if ($VAR->server->webserver->proxyActive) echo "UseCanonicalName On\nUseCanonicalPhysicalPort Off\n"; ?>

(This will only insert these directives if Nginx is enabled)

However, I've just noticed that line 19 is UseCanonicalName Off, I don't have the time to investigate that further now but I'll work out where its being placed and why later.

Paul.

[CyberEdge_Alan]

I did what was said and restarted the services. Is there a specific command I need to run for PSA? I restarted Apache and Nginx from the Plesk panel.

It seems to be causing the same error unless I haven't did the update right. adbi I believe it was mentioned about unblocking 7080 TCP to everyone. Does this need to happen too? I was hoping I could leave it blocked and set up the reverse proxy to work like that so no one can bypass using 7080.

[Blake@Parallels]

You can restart Plesk with:

# service psa restart

[CyberEdge_Alan]

Yes, I don't have to do a reconfigure or anything though?

[paulieG]

Hi Alan,

Yes you do, you need to reconfigure the apache configuration files with :

/usr/local/psa/admin/bin/httpdmng --reconfigure-all

And you should be fine to leave 7080 and 7081 blocked.

Paul.

[CyberEdge_Alan]

Paul,

I did that and its now loading without unblocking anything from the firewall. It still displays the port now though http://site.com:7080 but I guess its reading from 80, is there a way to force the port out of the URL so it looks as if its a normal webpage now?

[AntonyJ]

Hi,

Could someone please provide a novice walkthrough for getting this to work so that the 7080 doesn't show after the domain, I'm having the same issue.

The Second IP address solution would be fine if that too could be explained.

Thanks

[paulieG]

Hi,

Alan, Antony, what applications are doing this? I'll need to replicate the problem to try to fix it,

paul.

[AntonyJ]

Hi Paul,

I'm currently using the CMS Modx Revolution on a Centos 6.2 server running PhP 5.3, I tried this just using a static file too though and the same thing happened, it insists on sticking the 7080 port in there.

[CyberEdge_Alan]

I'm running CentOS 6.2 Final x64. Using vBulletin forum. When accessing admincp, modcp it will redirect to those ports. The login.php also causes it when logging in.

[paulieG]

Hi,

Tested with modx and I can't replicate (that said my Installatron install of modx whitescreens on the frontend and only works on the backend). I can't easily get access to vbulletin so that rules that out.

I did notice that my template may be somewhat different to what I first claimed, so I'm going to take a look at that and post my changes again (although I think the only non-mentioned change is : UseCanonicalName Off inserted immediately after the serverName and ServerAlias directives).

Since I'm pretty certain my proxy_redirect within nginx is broken it can only be the code in the apache template thats making this work.

I'll try to compare my template with a newly installed default later today and post the diff.

Paul.

[paulieG]

Hi,

Here's my diff output, you can use it to create a patch. This appears to work for me with the following port redirection problems I've encountered in the past :

Wordpress Admin
Joomla Admin
Webtrees All Links
Modx Admin

Code:

CT-9999-bash-4.1# diff -u custom/domain/domainVirtualHost.php default/domain/domainVirtualHost.php
--- custom/domain/domainVirtualHost.php 2012-07-03 15:12:09.000000000 +0100
+++ default/domain/domainVirtualHost.php        2012-05-03 09:05:07.000000000 +0100
@@ -3,7 +3,7 @@
 <?php endif; ?>

 <VirtualHost <?php echo $OPT['ipAddress']->escapedAddress ?>:<?php echo $OPT['ssl'] ? $VAR->server->webserver->httpsPort : $VAR->server->webserver->httpPort ?> <?php echo ($VAR->server->webserver->proxyActive) ? "127.0.0.1:" . ($OPT['ssl'] ? $VAR->server->webserver->httpsPort : $VAR->server->webserver->httpPort) : ''; ?>>
-    ServerName "<?php echo $VAR->domain->asciiName ?>"
+    ServerName "<?php echo $VAR->domain->asciiName ?>:<?php echo $OPT['ssl'] ? $VAR->server->webserver->httpsPort : $VAR->server->webserver->httpPort ?>"
     <?php if ($VAR->domain->isWildcard): ?>
     ServerAlias  "<?php echo $VAR->domain->wildcardName ?>"
     <?php else: ?>
@@ -129,8 +129,6 @@

     <Directory <?php echo $OPT['ssl'] ? $VAR->domain->physicalHosting->httpsDir : $VAR->domain->physicalHosting->httpDir ?>>

-   <?php if ($VAR->server->webserver->proxyActive) echo "UseCanonicalName On\nUseCanonicalPhysicalPort Off\n"; ?>
-
 <?php
 if ($VAR->domain->physicalHosting->perl) {
     echo $VAR->includeTemplate('service/mod_perl.php');
@@ -148,7 +146,7 @@
         'enabled' => $VAR->domain->physicalHosting->php,
         'safe_mode' => $VAR->domain->physicalHosting->phpSafeMode,
         'dir' => $OPT['ssl'] ? $VAR->domain->physicalHosting->httpsDir : $VAR->domain->physicalHosting->httpDir,
-        'settings' => $VAR->domain->physicalHosting->phpSettings
+        'settings' => $VAR->domain->physicalHosting->phpSettings,
     ));
 }

If you copy/paste all but the first line into a file then you have yourself a patch file :

mkdir -p /usr/local/psa/admin/conf/templates/custom/domain
cp /usr/local/psa/admin/conf/templates/default/domain/domainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/domainVirtualHost.php
patch /usr/local/psa/admin/conf/templates/custom/domain/domainVirtualHost.php < your_patch.patch
/usr/local/psa/admin/bin/httpdmng --reconfigure-all

[Timchen]

Your patch does not work:

Code:

root@login ~ # patch /usr/local/psa/admin/conf/templates/custom/domain/domainVirtualHost.php < plesk.patch 
patching file /usr/local/psa/admin/conf/templates/custom/domain/domainVirtualHost.php
patch: **** malformed patch at line 4: <?php endif; ?>

Best regards
Tim