Here is my configuration file. I hope it is not too confusing; I write a lot of messages to myself:
# PHP-FPM backend for this site, reached over a local Unix socket.
# The fastcgi_pass directives further down refer to it by this name.
upstream domain.com {
    server unix:/var/run/php-fpm_domain.com.sock;
}
# Redirect HTTP to HTTPS version for Specified domain in Nginx
#server { listen 80; server_name domain.com www.domain.com; return 301 https://domain.com$request_uri; }
# HTTP server an openemr site
server {
    listen *:80;
    #listen [::];
    server_name domain.com www.domain.com;

    # Redirect to HTTPS only when the Host header is one of the two expected
    # names. $host is client-supplied, so it is echoed into the Location
    # header only after an exact match.
    if ($host = www.domain.com) {
        return 301 https://$host$request_uri;
    }
    if ($host = domain.com) {
        return 301 https://$host$request_uri;
    }

    # Any other Host value that reaches this server gets a 404, not a redirect.
    return 404;
}
# HTTPS server
# an openemr site, remove www
server {
    listen 443 ssl http2;
    server_name www.domain.com;

    # The www name needs its own certificate so the TLS handshake can
    # complete before the redirect is sent.
    ssl_certificate /path/to/certs/www.domain.com/fullchain.pem;
    ssl_certificate_key /path/to/certs/www.domain.com/privkey.pem;

    # Drop the www prefix: send everything to the bare domain over HTTPS.
    return 301 https://domain.com$request_uri;
}
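# Main HTTPS virtual host for the OpenEMR site.
server {
    listen *:443 ssl http2;
    server_name domain.com;
    root /usr/local/www/domain.com;
    #modsecurity_transaction_id "'$server_name'443-'$request_id'";

    # TLS certificate, private key and shared TLS options.
    ssl_certificate /path/to/certs/domain.com-0001/fullchain.pem;
    ssl_certificate_key /path/to/certs/domain.com-0001/privkey.pem;
    include /path/to/ssl-options/options-ssl-nginx.conf;
    ssl_dhparam /path/to/ssl-options/ssl-dhparams.pem;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    #ssl_trusted_certificate /path/to/certs/domain.com/chain.pem;
    #ssl_prefer_server_ciphers on;

    # $loggable is defined outside this server block (not shown here).
    access_log /path/to/logs/domain.com.access.log combined if=$loggable buffer=512k flush=1m;
    error_log /path/to/logs/domain.com.error.log;

    # Reject request bodies (uploads) larger than 20M.
    # NOTE(review): the earlier note on this line said 6M while the directive
    # said 20M; the directive is what nginx enforces. Pick the intended limit.
    client_max_body_size 20M;

    # enable compression to speed up the system:
    include enable-compression.conf;
    # $expires is defined outside this server block (not shown here).
    expires $expires;

    # site specific configuration file
    # NOTE(review): openemr.conf is not shown. Confirm it denies direct web
    # access to OpenEMR's per-site documents directory (sites/<site>/documents),
    # which lives under this root and holds uploaded patient files.
    include openemr.conf;

    # Needed for zend modules and patient portal to work
    # https://www.nginx.com/blog/converting-apache-to-nginx-rewrite-rules/
    # if is evil only in the location block
    # http://nginx.org/en/docs/http/ngx_http_rewrite_module.html#rewrite_log
    if (!-e $request_filename) {
        rewrite ^(.*/zend_modules/public)(.*) $1/index.php?$2 last;
        rewrite ^(.*/portal/patient)(.*) $1/index.php?_REWRITE_COMMAND=$1$2 last;
        # Needed for REST API/FHIR to work
        rewrite ^(.*/apis/)(.*) $1/dispatch.php?_REWRITE_COMMAND=$2 last;
        # Needed for OAuth2 to work
        rewrite ^(.*/oauth2/)(.*) $1/authorize.php?_REWRITE_COMMAND=$2 last;
        # Needed for custom module faxsms by winginx.com
        #rewrite ^(.*/faxserver)(.*) /fax_serve.php?_FAX=$1 break;
    }

    # Custom fax/SMS module, served from its module directory through an alias.
    location /oe-module-faxsms {
        alias /usr/local/www/domain.com/interface/modules/custom_modules/oe-module-faxsms;
        # Debug-level logging records request headers, including Authorization
        # values, in this file. Keep it only while troubleshooting and
        # restrict who can read the log.
        error_log /path/to/logs/faxsms-domain.com.error.log debug;

        location /oe-module-faxsms/faxserver { try_files $uri $uri/ /fax_serve.php$is_args$args; }

        try_files $uri $uri/ /oe-module-faxsms/index.php$is_args$args;

        location ~ \.php$ {
            # Only hand scripts that exist on disk to PHP-FPM. "return" is
            # one of the directives that is safe inside a location-level "if".
            if (!-f $request_filename) { return 404; }

            include fastcgi_params;
            # Added to support REST API/FHIR
            fastcgi_param HTTP_AUTHORIZATION $http_authorization;
            fastcgi_pass domain.com;
            # Under "alias", $document_root is the alias target and
            # $fastcgi_script_name still carries the /oe-module-faxsms prefix,
            # so joining them names a path that does not exist.
            # $request_filename is the alias-resolved file path.
            fastcgi_param SCRIPT_FILENAME $request_filename;
        }
    }

    location = /portal/easy { return 301 /portal/index.php?site=default; }

    location / { try_files $uri $uri/ /index.php; }

    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html { root /usr/local/www/nginx-dist; }

    # pass the PHP scripts to FastCGI server listening on php
    #
    location ~ \.php$ {
        # If your app has an upload dir "/images/" then insert
        # if ($uri !~ "^/images/") before fastcgi_pass,
        # to protect your upload directory:
        #if ($uri !~ "^/images/") { fastcgi_pass domain.com; }

        # Answer 404 from nginx when the requested .php file does not exist,
        # so PHP-FPM is never asked to resolve a script path that is not a
        # real file under the root (relevant on a site that accepts uploads).
        try_files $uri =404;

        include fastcgi_params;
        # Added to support REST API/FHIR
        fastcgi_param HTTP_AUTHORIZATION $http_authorization;
        fastcgi_pass domain.com;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}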
@kkappiah
Try moving this block:
# Hand requests for .php URIs to PHP-FPM over FastCGI.
location ~ \.php$ {
    include snippets/fastcgi-php.conf;

    # PHP-FPM is reached through a Unix socket:
    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
}
And place it after:
# Refuse requests for .ht* files (.htaccess, .htpasswd and the like) that may
# be present when the document root is shared with Apache.
location ~ /\.ht {
    deny all;
}
and before the following line:
# IPv6 TLS listener on port 11443; the trailing marker shows Certbot maintains this line.
listen [::]:11443 ssl ipv6only=on; # managed by Certbot
In other words, your file needs to look like this:
# OpenEMR virtual host, laid out in the order suggested above.
server {
    listen xxxx;
    listen [::]:xxxx;
    root /var/www/html/openemr;
    index index.html index.php index.htm;
    server_name xxxx.com;

    # Anything that is not a file or directory falls through to index.php.
    location / {
        #try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Front-controller rewrites, applied only when the requested path does
    # not exist on disk (handles the Patient Portal, API and OAuth2 routes).
    if (!-e $request_filename) {
        # Needed for zend to work
        # rewrite ^(.*/zend_modules/public)(.*) $1/index.php?$is_args$args last;
        # Needed for patient portal to work
        rewrite ^(.*/portal/patient)(.*) $1/index.php?_REWRITE_COMMAND=$1$2 last;
        # Needed for REST API/FHIR to work
        rewrite ^(.*/apis/)(.*) $1/dispatch.php?_REWRITE_COMMAND=$2 last;
        # Needed for OAuth2 to work
        rewrite ^(.*/oauth2/)(.*) $1/authorize.php?_REWRITE_COMMAND=$2 last;
    }

    # Refuse requests for .ht* files left over from an Apache document root.
    # Regex locations are tested in the order they appear, so a URI that
    # matches both this pattern and the PHP pattern below is denied here.
    # NOTE(review): nothing in this block denies direct access to OpenEMR's
    # sites/<site>/documents directory under the root; confirm that is
    # handled elsewhere.
    location ~ /\.ht {
        deny all;
    }

    # Hand requests for .php URIs to PHP-FPM over FastCGI.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;

        # PHP-FPM is reached through a Unix socket:
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }

    listen [::]:11443 ssl ipv6only=on; # managed by Certbot
    listen 11443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/xxxx/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/xxxx/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Plain-HTTP companion host: redirect the expected name to HTTPS.
server {
    listen xxxx;
    server_name xxxx.com;

    # $host is echoed into the redirect only after an exact match.
    if ($host = xxxx.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Any other Host value reaching this server is answered with 404.
    return 404; # managed by Certbot
}
In nginx the order for the PHP block is important!
It really needs to be at the very end of the instructions. What I mean is that the rewritten requests also need to eventually be sent to the FastCGI server.
But wait, if it was working in openemr version 6, the order should not be a problem.
Also check the php-fpm log please!