"server" directive is not allowed here error


"server" directive is not allowed here error

Dino Edwards

Hello,

 

I’m hoping someone can help me with this nginx config issue that I’m having. I can’t seem to figure out what the problem is. If I set it up with a location directive “location /”, it works fine. However, I seem to be having an issue with modsecurity breaking one of my applications, so I figured I'd split the nginx config into multiple location directives and disable modsecurity on the location with the broken application that I’m having a problem with and have it enabled on the ones that I don’t have a problem with.

 

So, let me start off with the config that actually works below:

 

server {
    listen              443 ssl;
    server_name         server.domain.tld;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    keepalive_timeout   70;

    ssl_certificate     /etc/nginx/ssl/domain.tld.pem;
    ssl_certificate_key /etc/nginx/ssl/domain.tld.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    client_max_body_size 4G;
    set_real_ip_from 192.xxx.xxx.xxx;
    real_ip_header X-Real-IP;
    real_ip_recursive on;
    modsecurity on;

    location / {
        modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
        proxy_connect_timeout       3600;
        proxy_send_timeout          3600;
        proxy_read_timeout          3600;
        send_timeout                3600;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://server.domain.tld:9080;
    }
}

 

Unfortunately, in the config above modsecurity breaks one of my applications under the /web directory, so https://server.domain.tld:9080/web breaks.

 

So, I set up the following config, where I removed “modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf” from the “location /web” directive.

 

 

server {
    listen              443 ssl;
    server_name         server.domain.tld;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    keepalive_timeout   70;

    ssl_certificate     /etc/nginx/ssl/domain.tld.pem;
    ssl_certificate_key /etc/nginx/ssl/domain.tld.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    client_max_body_size 4G;
    set_real_ip_from 192.xxx.xxx.xxx;
    real_ip_header X-Real-IP;
    real_ip_recursive on;
    modsecurity on;

    location /web {
        proxy_connect_timeout       3600;
        proxy_send_timeout          3600;
        proxy_read_timeout          3600;
        send_timeout                3600;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://server.domain.tld:9080/web;
    }

    location /admin {
        modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
        proxy_connect_timeout       3600;
        proxy_send_timeout          3600;
        proxy_read_timeout          3600;
        send_timeout                3600;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://server.domain.tld:9080/admin;
    }

    location /main {
        modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
        proxy_connect_timeout       3600;
        proxy_send_timeout          3600;
        proxy_read_timeout          3600;
        send_timeout                3600;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://server.domain.tld:9080/main;
    }

    location /tasks {
        modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
        proxy_connect_timeout       3600;
        proxy_send_timeout          3600;
        proxy_read_timeout          3600;
        send_timeout                3600;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://server.domain.tld:9080/tasks;
    }
}

 

 

However, the configuration below gives me the following error:

 

[emerg] 19968#0: "server" directive is not allowed here in /usr/local/nginx/conf/sites-enabled/server.domain.tld-ssl:1

 

Googling the error kept bringing up results about the server directive being inside an http directive, which I obviously don’t have or have a need for. I would appreciate some help on this.

 

Thank you

 

 

 


_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

RE: "server" directive is not allowed here error

Reinis Rozitis
> [emerg] 19968#0: "server" directive is not allowed here in /usr/local/nginx/conf/sites-enabled/server.domain.tld-ssl:1
>
> Googling the error kept bringing up results about the server directive being inside an http directive, which I obviously don’t have or have a need for. I would appreciate some help on this.


You can't have a server {} block outside http {} ( http://nginx.org/en/docs/http/ngx_http_core_module.html#server )

So it has to be:

http {
  server {
    # whatever goes here
  }
}


tt


RE: "server" directive is not allowed here error

Dino Edwards

> You can't have server {} block outside http {} ( http://nginx.org/en/docs/http/ngx_http_core_module.html#server )

> So it has to be:

> http {
> server {
>   // whatever goes here
>  }
> }


That can't be right, because before I used the multiple location directives, I didn't have http and it worked fine. Regardless, I followed your advice and I got the following now:

nginx: [emerg] "http" directive is not allowed here in /usr/local/nginx/conf/sites-enabled/ server.domain.tld -ssl:1

Thanks in advance

Re: "server" directive is not allowed here error

Anoop Alias
Hi Dino,

I believe you have an unbalanced curly brace somewhere causing the error. 

You should check this in a text editor that can highlight syntax.






--
Anoop P Alias 



Re: "server" directive is not allowed here error

Jim Ohlstein-3
In reply to this post by Dino Edwards
On Sun, 2017-06-04 at 10:28 +0000, Dino Edwards wrote:

> >
> > You can't have server {} block outside http {} ( http://nginx.org/en/docs/http/ngx_http_core_module.html#server )
> >
> > So it has to be:
> >
> > http {
> > server {
> >   // whatever goes here
> >  }
> > }
>
> That can't be right, because before I used the multiple location
> directives, I didn't have http and it worked fine. Regardless, I
> followed your advice and I got the following now:
>
> nginx: [emerg] "http" directive is not allowed here in
> /usr/local/nginx/conf/sites-enabled/ server.domain.tld -ssl:1

The "http" directive is likely in your main nginx.conf.

For testing (not maintenance), you may try putting it all in one file
so you can more easily find your error. Likely, as has been suggested,
it is a misplaced curly brace ({ or }).

>
> Thanks in advance

Jim Ohlstein
Professional Mailman Hosting
https://mailman-hosting.com/


RE: "server" directive is not allowed here error

Reinis Rozitis
In reply to this post by Dino Edwards
> That can't be right, because before I used the multiple location directives, I
> didn't have http and it worked fine. Regardless, I followed your advice and I got
> the following now:

As people have already pointed out, you probably have something like a main config nginx.conf with:

http {
..
include sites-enabled/*;
..
}

where each separate config file indeed doesn't need an extra http {} but the different server{} blocks still end up being within a (single) http {}.


> nginx: [emerg] "http" directive is not allowed here in
> /usr/local/nginx/conf/sites-enabled/ server.domain.tld -ssl:1

Nginx includes/parses the files in the order they appear in the directory (sites-enabled/) - as it was stated you might try to check if the server file before " server.domain.tld -ssl" has a correct configuration (all the braces {} are closed etc).

rr
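
nginx accepts server only directly inside http, so whether line 1 of a file under sites-enabled/ is legal depends on the block in which its include line sits. The sketch below is an added illustration, not code from this thread or from nginx: it walks a main config, tracks the enclosing block and reports each include with its context; the function names and the three sample configs are constructed for the example.

```python
import re

# Tokens: quoted strings, "#" comments, block/statement punctuation, bare words.
# Simplification: "${var}" written outside quotes is not handled.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\#[^\n]*|[{};]|[^\s{};"']+''')

def include_contexts(conf_text):
    """Return (pattern, enclosing_block) per include; top level is "main"."""
    stack, words, found = ["main"], [], []
    for tok in TOKEN.findall(conf_text):
        if tok.startswith("#"):
            continue                        # comment: braces inside do not count
        if tok == "{":
            stack.append(words[0] if words else "?")
            words = []
        elif tok == "}":
            if len(stack) > 1:
                stack.pop()
            words = []
        elif tok == ";":
            if len(words) >= 2 and words[0] == "include":
                found.append((words[1], stack[-1]))
            words = []
        else:
            words.append(tok)
    return found

def misplaced_site_includes(conf_text, prefix="sites-enabled/"):
    """Per-site includes whose server {} blocks would not land directly in http {}."""
    return [(p, ctx) for p, ctx in include_contexts(conf_text)
            if p.startswith(prefix) and ctx != "http"]

# Constructed sample main configs (not taken from the thread).
GOOD = """
events { worker_connections 1024; }
http {
    # each file holds one server { ... } block
    include sites-enabled/*;
}
"""
EARLY_CLOSE = """
http {
    include mime.types;
}
include sites-enabled/*;   # http was closed too early: context is main
"""
NESTED = """
http {
    server {
        include sites-enabled/*;   # stray include inside another server block
    }
}
"""
```

Calling misplaced_site_includes() on the text of the main nginx.conf returns an empty list when every per-site include sits directly in http; any other context it reports is one in which a file starting with server { is rejected at its first line.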


Re: "server" directive is not allowed here error

Peter Booth
FWIW I have never understood the desire to have nginx configuration spread across multiple files.
It just seems to invite error and make it harder to see what is going on.

Perhaps if I worked for a hosting company I’d feel differently but on the sites that I have worked on,
even with quite complicated, subtle caching logic the entire nginx.conf has been under 600 lines - not
that different from a default Apache httpd.conf but with all configuration not 90% comments



Re: "server" directive is not allowed here error

oscaretu .
Hello, Peter.

In the company where I work the file nginx.conf is bigger than 1 MB. For each virtual server, there are lots of definitions that are almost equal. If I were the one who had to decide the file structure, I would probably choose to use a different file for each virtual host, so when we have to create a new one, I just use a perl script to create the new one using some substitutions in one of the existing ones. So it is easy for me to see the differences using a program like meld (or tkdiff, kompare or similar).

There is a different approach, that is the inverse process: I've created a script that splits the whole nginx.conf file to create an individual file for each virtual host, and then I can compare a virtual host with another one using meld in an easy way. Then I delete all the individual temporary files.

I think that having small files is less error-prone...

Kind regards,
Oscar




--
Oscar Fernandez Sierra
[hidden email]


Re: "server" directive is not allowed here error

Anoop Alias
In reply to this post by Peter Booth
You can do

nginx -T > mynginx.conf 

to have it in single file 




--
Anoop P Alias 



RE: "server" directive is not allowed here error

Reinis Rozitis
> You can do
>
> nginx -T > mynginx.conf
>
> to have it in single file

This doesn't produce a valid (immediately usable) nginx configuration though, just concats/dumps out all the various configuration files referenced from the main config.

p.s. maybe it would make sense to have a command line argument to export actually parsed (replace all the includes with actual file content) configuration.

rr

