Nginx ne démarre plus

stemy2 · October 3, 2019, 1:24pm

Matériel: PC fixe
Version de YunoHost: 3.6.4.6
J’ai accès à mon serveur : Console et ssh local uniquement
Êtes-vous dans un contexte particulier ou avez-vous effectué des modificiations particulières sur votre instance ? : non

Bonjour,

Le problème a commencé quand je n’ai plus pu effectuer des opérations telles que la mise à jour ou l’installation d’apps. J’ai vu dans les logs plusieurs vaines tentatives de redémarrer nginx. J’ai donc redémarré tout le serveur, mais ça n’a fait qu’empirer. Maintenant, plus moyen de démarrer nginx et l’interface web n’est plus accessible. le log me dit ceci (funk.stemy.me est un sous-domaine que j’ai créé puis supprimé, y compris dans les entrées DNS):

Oct 03 15:14:56 stemy.me systemd[1]: Starting A high performance web server and a reverse proxy server...
Oct 03 15:14:57 stemy.me nginx[4711]: nginx: [emerg] BIO_new_file("/etc/yunohost/certs/funk.stemy.me/crt.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/e
Oct 03 15:14:57 stemy.me nginx[4711]: nginx: configuration file /etc/nginx/nginx.conf test failed
Oct 03 15:14:57 stemy.me systemd[1]: nginx.service: Control process exited, code=exited status=1
Oct 03 15:14:57 stemy.me systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Oct 03 15:14:57 stemy.me systemd[1]: nginx.service: Unit entered failed state.
Oct 03 15:14:57 stemy.me systemd[1]: nginx.service: Failed with result 'exit-code'.

Aleks · October 3, 2019, 1:27pm

Est-ce que yunohost tools regen-conf nginx --dry-run -d parle de fichier qu’il faudrait enlever mais qui ont été modifié manuellement ?

stemy2 · October 3, 2019, 1:31pm

Apparemment, 3 fichiers de config sont marquée comme modifiés manuellement (ce qui est faux, je n’y ai même pas touché). Voici la sortie complète:

Warning: The configuration file '/etc/nginx/conf.d/stemy.me.conf' has been manually modified and will not be updated
Warning: The configuration file '/etc/nginx/conf.d/peertube.stemy.me.conf' has been manually modified and will not be updated
Warning: The configuration file '/etc/nginx/conf.d/funk.stemy.me.conf' has been manually modified and will not be updated
nginx: 
  applied: 
  pending: 
    /etc/nginx/conf.d/funk.stemy.me.conf: 
      diff: @@ -1,74 +0,0 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name funk.stemy.me;
-
-    access_by_lua_file /usr/share/ssowat/access.lua;
-
-    include /etc/nginx/conf.d/funk.stemy.me.d/*.conf;
-
-    location /yunohost/admin {
-        return 301 https://$http_host$request_uri;
-    }
-
-    location /.well-known/autoconfig/mail/ {
-        alias /var/www/.well-known/funk.stemy.me/autoconfig/mail/;
-    }
-
-    access_log /var/log/nginx/funk.stemy.me-access.log;
-    error_log /var/log/nginx/funk.stemy.me-error.log;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name funk.stemy.me;
-
-    ssl_certificate /etc/yunohost/certs/funk.stemy.me/crt.pem;
-    ssl_certificate_key /etc/yunohost/certs/funk.stemy.me/key.pem;
-    ssl_session_timeout 5m;
-    ssl_session_cache shared:SSL:50m;
-
-    
-    # As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519
-    ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
-    ssl_prefer_server_ciphers on;
-
-    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
-
-    # Uncomment the following directive after DH generation
-    # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
-    #ssl_dhparam /etc/ssl/private/dh2048.pem;
-    
-
-    # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
-    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
-    # https://observatory.mozilla.org/ 
-    
-    more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
-    more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'";
-    more_set_headers "X-Content-Type-Options : nosniff";
-    more_set_headers "X-XSS-Protection : 1; mode=block";
-    more_set_headers "X-Download-Options : noopen";
-    more_set_headers "X-Permitted-Cross-Domain-Policies : none";
-    more_set_headers "X-Frame-Options : SAMEORIGIN";
-
-    
-
-    # Disable gzip to protect against BREACH
-    # Read https://trac.nginx.org/nginx/ticket/1720 (text/html cannot be disabled!)
-    gzip off;
-
-    access_by_lua_file /usr/share/ssowat/access.lua;
-
-    include /etc/nginx/conf.d/funk.stemy.me.d/*.conf;
-
-    include /etc/nginx/conf.d/yunohost_admin.conf.inc;
-    include /etc/nginx/conf.d/yunohost_api.conf.inc;
-
-    access_log /var/log/nginx/funk.stemy.me-access.log;
-    error_log /var/log/nginx/funk.stemy.me-error.log;
-}
      status: modified
    /etc/nginx/conf.d/peertube.stemy.me.conf: 
      diff: @@ -61,7 +61,7 @@
     more_set_headers "X-XSS-Protection : 1; mode=block";
     more_set_headers "X-Download-Options : noopen";
     more_set_headers "X-Permitted-Cross-Domain-Policies : none";
-    more_set_headers "X-Frame-Options : ALLOWALL";
+    more_set_headers "X-Frame-Options : SAMEORIGIN";
 
     
     # OCSP settings
      status: modified
    /etc/nginx/conf.d/stemy.me.conf: 
      diff: @@ -61,7 +61,7 @@
     more_set_headers "X-XSS-Protection : 1; mode=block";
     more_set_headers "X-Download-Options : noopen";
     more_set_headers "X-Permitted-Cross-Domain-Policies : none";
-    more_set_headers "X-Frame-Options : ALLOW-FROM https://stemy.me/nextcloud";
+    more_set_headers "X-Frame-Options : SAMEORIGIN";
 
     
     # OCSP settings
      status: modified

Aleks · October 3, 2019, 1:42pm

Peut-être que toi non, mais il y a des apps qui font des trucs pas super propre apparament … :

github.com

YunoHost-Apps/peertube_ynh/blob/ef94fba50c6c0a860b0abd6f3367f4432ef9af6e/scripts/install#L165


      
          ynh_replace_string --match_string="__email__" --replace_string="$admin_email" --target_file="$final_path/config/production.yaml"
          ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="$final_path/config/production.yaml"
          
          #Create the admin settings file
          touch "$final_path/config/local-production.json"
          
          #=================================================
          # FIX NGINX DOMAIN CONFIGURATION
          #=================================================
          
          ynh_replace_string --match_string="X-Frame-Options : SAMEORIGIN" --replace_string="X-Frame-Options : ALLOWALL" --target_file="/etc/nginx/conf.d/$domain.conf"
          
          #=================================================
          # STORE THE CHECKSUM OF THE CONFIG FILE
          #=================================================
          
          # Calculate and store the config file checksum into the app settings
          ynh_store_file_checksum --file="$final_path/config/production.yaml"
          ynh_store_file_checksum --file="$final_path/config/local-production.json"
          
          #=================================================

github.com

YunoHost-Apps/onlyoffice_ynh/blob/07c565b882c288a4490302f2123dc0dc1e76a74e/scripts/install#L110


      
          if [ $path_url = "/" ]; then
             ynh_replace_string --match_string="__SUB_PATH__" --replace_string="" --target_file="../conf/nginx.conf"
          else
            ynh_replace_string --match_string="__SUB_PATH__" --replace_string="$path_url" --target_file="../conf/nginx.conf"
          fi
          
          # Create a dedicated nginx config
          ynh_add_nginx_config "nextclouddomain"
          
          # Fix main domain X-Frame-Options
          ynh_replace_string --match_string="X-Frame-Options : SAMEORIGIN" --replace_string="X-Frame-Options : ALLOW-FROM https://$nextclouddomain" --target_file="/etc/nginx/conf.d/$domain.conf"
          
          #=================================================
          # CREATE DEDICATED USER
          #=================================================
          ynh_print_info --message="Configuring system user..."
          
          # Create a system user
          ynh_system_user_create --username=$app
          
          #=================================================

stemy2 · October 3, 2019, 3:11pm

Ah, d’accord. Du coup, que faut-il que je fasse ?

stemy2 · October 3, 2019, 5:42pm

C’est bon, j’ai trouvé. J’ai recréé le sous-domaine funk.stemy.me et ça a tout débloqué.

system · October 18, 2019, 5:42pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.