Nginx Configuration

Allowing AutoSSL to Work

Add this at the start of the location blocks in your vhost file's port 80 server block (the vhost files are in /etc/nginx/vhosts/).

location ~ "^(/\.well-known)" {
    expires 7d;
    add_header Cache-Control "public, must-revalidate";
    add_header X-Proxy-Cache "STATIC/TYPE";
}

location /.well-known/ {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;

    add_header X-Proxy-Cache "DISABLED";

    proxy_pass http://23.235.221.48:8080;
}

Redirecting HTTP traffic to HTTPS

Remove all the location blocks from your vhost file's port 80 server block and replace them with either the AutoSSL section above followed by the block below, or just the block below if you don't need AutoSSL.

location / {
    expires 7d;
    add_header Cache-Control "public, must-revalidate";
    add_header X-Proxy-Cache "STATIC/TYPE";

    return 301 https://battlegrid.thegreatdivide.info$request_uri;
}
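The two port-80 sections above only work as intended if nginx picks the block you expect for each request, and nginx's selection rule is not "first block in the file": a regex location (~) is tried before a plain prefix location, and a prefix location only wins outright when it is declared with ^~. The following added example (not part of this page's configuration) models that selection over the three blocks above; the labels and the ^~ variant are assumptions for illustration. It shows that, as written, a request for /.well-known/acme-challenge/... lands in the regex cache block rather than the proxy block, and that everything else falls through to the 301 redirect.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    modifier: str   # "" (prefix), "=", "^~", "~" (regex), "~*" (regex, case-insensitive)
    pattern: str
    action: str     # label for what the block does (assumed, for illustration)


# The three port-80 location blocks from the page, in file order.
PORT80_LOCATIONS = [
    Location("~", r"^(/\.well-known)", "static-cache"),   # AutoSSL cache block
    Location("", "/.well-known/", "proxy-8080"),          # AutoSSL proxy block
    Location("", "/", "redirect-301"),                    # HTTP -> HTTPS redirect
]

# Same blocks with ^~ on the prefix so the regex block cannot shadow it
# (an assumed variant, not the page's configuration).
PINNED_LOCATIONS = [
    Location("~", r"^(/\.well-known)", "static-cache"),
    Location("^~", "/.well-known/", "proxy-8080"),
    Location("", "/", "redirect-301"),
]


def select_location(locations, uri):
    """Return the location block nginx would choose for `uri`.

    Order of evaluation, as nginx does it:
      1. an exact (=) match wins immediately;
      2. the longest matching prefix is remembered, and wins immediately
         if it carries ^~;
      3. otherwise regex locations are tried in file order, first match wins;
      4. if no regex matches, the remembered prefix match is used.
    """
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc
    best = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best
    for loc in locations:
        flags = re.IGNORECASE if loc.modifier == "~*" else 0
        if loc.modifier in ("~", "~*") and re.search(loc.pattern, uri, flags):
            return loc
    return best


def route(locations, uri):
    """Label of the block that handles `uri`, or None when nothing matches."""
    loc = select_location(locations, uri)
    return loc.action if loc else None


if __name__ == "__main__":
    for uri in ("/.well-known/acme-challenge/token", "/index.html"):
        print(f"{uri:36} page config -> {route(PORT80_LOCATIONS, uri):13}"
              f" with ^~ -> {route(PINNED_LOCATIONS, uri)}")
```

Running it prints that the page's configuration routes the ACME challenge path to the cache block, so the proxy_pass to port 8080 in the second AutoSSL block never fires; if the challenge files are meant to be fetched from the backend, declare that prefix block as `location ^~ /.well-known/`. Either way, check the merged vhost with `nginx -t` after editing.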

IP Whitelisting

To restrict a site to a select group of IP addresses, I keep the allow list in the user's home directory (so it stays private) in this format:

allow 127.0.0.1;
allow 192.168.1.0/24;

deny all;

Next I add the include line (the first line inside the location block below) to the start of each location block in my /etc/nginx/vhosts/code__code_thegreatdivide_info.conf file, except the AutoSSL blocks.

[...]
    location / {
        include /home/code/.code.thegreatdivide.info.*.nginx;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;

        add_header X-Proxy-Cache "DISABLED";
        proxy_ssl_verify off;
        proxy_ssl_session_reuse off;
        proxy_ssl_name $http_host;
        proxy_ssl_server_name on;
        proxy_pass https://23.235.221.48:8443;
    }
[...]
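nginx evaluates allow/deny directives in order and stops at the first rule that matches the client address; a client that matches no rule at all is allowed, which is why the list above must end in `deny all`. The following added example (my code, not the page's or nginx's) parses an allow list in the page's format and applies it the way ngx_http_access_module does, so you can check an include file offline before reloading nginx; the sample list is the one from the page, constructed inline.

```python
import ipaddress

# The allow list from the page, as the included file would contain it (constructed sample).
ALLOW_LIST = """\
allow 127.0.0.1;
allow 192.168.1.0/24;

deny all;
"""


def parse_access_rules(text):
    """Parse nginx allow/deny directives into (verdict, network) pairs.

    `network` is None for `all`. Blank lines and `#` comments are skipped;
    anything else that is not a complete `allow X;` / `deny X;` raises ValueError.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.endswith(";"):
            raise ValueError(f"missing ';' in rule: {raw!r}")
        parts = line[:-1].split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"not an allow/deny directive: {raw!r}")
        verdict, target = parts
        # strict=False tolerates host bits in a CIDR such as 192.168.1.5/24
        network = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((verdict, network))
    return rules


def is_allowed(rules, client_ip):
    """Apply the rules as ngx_http_access_module does: first match wins,
    and a client that matches no rule at all is allowed."""
    addr = ipaddress.ip_address(client_ip)
    for verdict, network in rules:
        if network is None or (addr.version == network.version and addr in network):
            return verdict == "allow"
    return True


def has_final_deny(rules):
    """True when the list ends in `deny all`, i.e. unlisted clients are rejected."""
    return bool(rules) and rules[-1] == ("deny", None)


if __name__ == "__main__":
    rules = parse_access_rules(ALLOW_LIST)
    print("ends in deny all:", has_final_deny(rules))
    for ip in ("127.0.0.1", "192.168.1.77", "192.168.2.1", "::1"):
        print(f"{ip:14} -> {'allow' if is_allowed(rules, ip) else 'deny'}")
```

Two things the check makes visible: an allow list without the trailing `deny all` permits every address it does not mention, and an IPv4-only list denies IPv6 clients (such as ::1) once `deny all` is present, so add `allow ::1;` or the relevant IPv6 ranges if the site is reachable over IPv6. The include file also has to be readable by the nginx worker user, which a home directory with restrictive permissions may not allow.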

Enabling exec functions in Apache FPM

Method from WilliamH:

echo "php_admin_value_disable_functions : passthru,system" >> /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
/scripts/php_fpm_config --rebuild
service httpd restart

You can also do this per domain. Run this script to pick the domain's file and open it for editing:

# list every per-domain php-fpm yaml file, skipping the fallback pool
domainList=$(ls /var/cpanel/userdata/*/*.php-fpm.yaml | grep -v "/fallback.*$")
echo ""
# show a numbered menu of domain names (strip the directory and the suffix)
echo "$domainList" | sed -e 's-.*/--' -e 's/.php-fpm.yaml$//' | nl
echo ""
read -p "Select Domain Number: " domainLine
# pick the chosen line from the list and open it in nano
fileName=$(echo "$domainList" | head -n "$domainLine" | tail -1)
nano "$fileName"
# derive the domain name from the file name and rebuild only that domain's pool
domainName=$(echo "$fileName" | sed -e 's-.*/--' -e 's/.php-fpm.yaml$//')
/scripts/php_fpm_config --rebuild --domain="$domainName"

When nano opens, add the line, then save and exit nano; the script rebuilds that domain's pool once nano closes.

To make other configuration changes, see the guide for this file here.

To allow the use of exec or similar in php7.1, edit the file /opt/cpanel/ea-php71/root/etc/php-fpm.d/example.com.conf and change the value of php_admin_value[disable_functions]. Default value:
php_admin_value[disable_functions] = exec,passthru,shell_exec,system

To allow all:

php_admin_value[disable_functions] =

You can also add this line to the yaml file to set the error log path:

php_admin_value_error_log: { name: 'php_admin_value[error_log]', value: /home/username/public_html/error_log }
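Before and after relaxing disable_functions it is worth knowing exactly which of the default four functions a pool leaves callable, since "allow all" re-enables every one of them rather than just the one a site needs. The following added example (my code, not cPanel's or PHP-FPM's) reads the php_admin_value[disable_functions] line from a pool .conf like the one above, reports which of the page's default set are re-enabled, and builds the narrower directive that re-enables only the named functions; the pool file contents are constructed samples and the socket path is a placeholder.

```python
import re

# The functions the page's default pool configuration disables, in the page's order.
DEFAULT_DISABLED = ["exec", "passthru", "shell_exec", "system"]

# Constructed sample pool file matching the page's default value (socket path is a placeholder).
POOL_DEFAULT = """\
[example.com]
user = code
listen = /var/run/php-fpm/example.com.sock
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
"""

# The same pool with the page's "allow all" setting.
POOL_ALLOW_ALL = POOL_DEFAULT.replace(
    "php_admin_value[disable_functions] = exec,passthru,shell_exec,system",
    "php_admin_value[disable_functions] =",
)

# Only spaces/tabs around '=' so an empty value never swallows the next line.
_DISABLE_RE = re.compile(
    r"^[ \t]*php_admin_value\[disable_functions\][ \t]*=[ \t]*(.*?)[ \t]*$",
    re.MULTILINE,
)


def parse_disable_functions(pool_text):
    """Set of functions the pool disables, or None when the directive is absent
    (then the php.ini value applies and this file says nothing about it).
    The last occurrence wins, as later ini assignments override earlier ones."""
    matches = _DISABLE_RE.findall(pool_text)
    if not matches:
        return None
    return {name.strip() for name in matches[-1].split(",") if name.strip()}


def reenabled_functions(pool_text, required=DEFAULT_DISABLED):
    """Names from `required` the pool leaves callable (in `required` order),
    or None when the pool does not set the directive at all."""
    disabled = parse_disable_functions(pool_text)
    if disabled is None:
        return None
    return [name for name in required if name not in disabled]


def narrowed_directive(keep_enabled, baseline=DEFAULT_DISABLED):
    """Directive that re-enables only `keep_enabled` and keeps the rest of the
    baseline disabled, preserving the baseline's order."""
    remaining = [name for name in baseline if name not in keep_enabled]
    return "php_admin_value[disable_functions] = " + ",".join(remaining)


if __name__ == "__main__":
    for label, text in (("default", POOL_DEFAULT), ("allow all", POOL_ALLOW_ALL)):
        print(f"{label:9} re-enabled: {reenabled_functions(text)}")
    print("to enable exec only:", narrowed_directive({"exec"}))
```

Run it against a real pool file with `reenabled_functions(open(path).read())`; an empty list means the default set is still disabled, and None means the pool inherits whatever php.ini sets, which this check cannot see.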

Allowing normal users to reload the nginx configuration

As root, run visudo to edit your sudoers file. Add the following line.

code      ALL=(ALL)       NOPASSWD: /usr/sbin/nginx -s reload

Then, as the user "code", you can run sudo nginx -s reload.