HestiaCP Update

getting this message in the notifications:

IMPORTANT: Manual Action Required

To enable the ‘Enhanced and Optimized TLS’ feature, we must update the NGINX configuration file at /etc/nginx/nginx.conf.

But for unknown reason or you edited it, may not be fully apply all the changes in this upgrade.

Please follow the default configuration file to sync it:
/usr/local/hestia/install/deb/nginx/nginx.conf

Backed up configuration file:
/root/hst_backups/120720230543/conf/nginx/nginx.conf

The message means that the installer tried to replace the nginx conf file (/etc/nginx/nginx.conf) but before replace it, the installer checks the Hestia version you are using and downloads the default nginx.conf file used for that version and compares it with the current one, if they are not the same, it means you modified the nginx conf file so the installer doesn’t replace the nginx.conf file.

If you modified the nginx.conf file, take the new default nginx conf file /usr/local/hestia/install/deb/nginx/nginx.conf as a base to made the required changes to fit your needs and replace manually the current conf file /etc/nginx/nginx.conf with the new conf.

Note: There is a backup of the original file /etc/nginx/nginx.conf here /root/hst_backups/120720230543/conf/nginx/nginx.conf but be sure that the backup is still there or make a new backup of the file just in case.

Note 2:You can compare the new and original file with this command:

diff -u /usr/local/hestia/install/deb/nginx/nginx.conf /etc/nginx/nginx.conf

Note 3: If you made changes to conf, check first whether the syntax is ok and remember to restart nginx after that.

nginx -t

If you see any error using above command, stop here and try to fix the error before restarting nginx.

systemctl restart nginx

Thanks, I haven’t changed the file though.

Could someone help with this please. I dont want to break my server.

Show the output of this command:

diff -u /usr/local/hestia/install/deb/nginx/nginx.conf /etc/nginx/nginx.conf
diff -u /usr/local/hestia/install/deb/nginx/nginx.conf /etc/nginx/nginx.conf
--- /usr/local/hestia/install/deb/nginx/nginx.conf      2023-11-27 19:40:32.000000000 +0000
+++ /etc/nginx/nginx.conf       2023-10-25 05:43:17.967678904 +0100
@@ -1,130 +1,140 @@
 # Server globals
-user                 www-data;
-worker_processes     auto;
-worker_rlimit_nofile 65535;
-error_log            /var/log/nginx/error.log;
-pid                  /run/nginx.pid;
-include              /etc/nginx/conf.d/main/*.conf;
-include              /etc/nginx/modules-enabled/*.conf;
+user                    www-data;
+worker_processes        auto;
+worker_rlimit_nofile    65535;
+error_log               /var/log/nginx/error.log;
+pid                     /run/nginx.pid;
+
+include /etc/nginx/modules-enabled/*.conf;

 # Worker config
 events {
-       worker_connections 1024;
-       use                epoll;
-       multi_accept       on;
+        worker_connections  1024;
+        use                 epoll;
+        multi_accept        on;
 }

 http {
-       # Main settings
-       sendfile                        on;
-       tcp_nopush                      on;
-       tcp_nodelay                     on;
-       client_header_timeout           180s;
-       client_body_timeout             180s;
-       client_header_buffer_size       2k;
-       client_body_buffer_size         256k;
-       client_max_body_size            1024m;
-       large_client_header_buffers     4 8k;
-       send_timeout                    60s;
-       keepalive_timeout               30s;
-       keepalive_requests              1000;
-       reset_timedout_connection       on;
-       server_tokens                   off;
-       server_name_in_redirect         off;
-       server_names_hash_max_size      512;
-       server_names_hash_bucket_size   512;
-       charset                         utf-8;
-       # FastCGI settings
-       fastcgi_buffers                 512 4k;
-       fastcgi_buffer_size             256k;
-       fastcgi_busy_buffers_size       256k;
-       fastcgi_temp_file_write_size    256k;
-       fastcgi_connect_timeout         30s;
-       fastcgi_read_timeout            300s;
-       fastcgi_send_timeout            180s;
-       fastcgi_cache_lock              on;
-       fastcgi_cache_lock_timeout      5s;
-       fastcgi_cache_background_update on;
-       fastcgi_cache_revalidate        on;
-       # Proxy settings
-       proxy_redirect                  off;
-       proxy_set_header                Host $host;
-       proxy_set_header                Early-Data $rfc_early_data;
-       proxy_set_header                X-Real-IP $remote_addr;
-       proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
-       proxy_pass_header               Set-Cookie;
-       proxy_buffers                   256 4k;
-       proxy_buffer_size               32k;
-       proxy_busy_buffers_size         32k;
-       proxy_temp_file_write_size      256k;
-       proxy_connect_timeout           30s;
-       proxy_read_timeout              300s;
-       proxy_send_timeout              180s;
-       # Log format
-       log_format                      main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
-       log_format                      bytes '$body_bytes_sent';
-       log_not_found                   off;
-       access_log                      off;
-       # Mime settings
-       include                         /etc/nginx/mime.types;
-       default_type                    application/octet-stream;
-       # Compression
-       gzip                            on;
-       gzip_vary                       on;
-       gzip_static                     on;
-       gzip_comp_level                 6;
-       gzip_min_length                 1024;
-       gzip_buffers                    128 4k;
-       gzip_http_version               1.1;
-       gzip_types                      text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;
-       gzip_proxied                    any;
-       # Cloudflare IPs
-       include                         /etc/nginx/conf.d/cloudflare.inc;
-       # SSL PCI compliance
-       ssl_buffer_size                 1369;
-       ssl_ciphers                     "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256";
-       ssl_dhparam                     /etc/ssl/dhparam.pem;
-       ssl_early_data                  on;
-       ssl_ecdh_curve                  auto;
-       ssl_prefer_server_ciphers       on;
-       ssl_protocols                   TLSv1.2 TLSv1.3;
-       ssl_session_cache               shared:SSL:20m;
-       ssl_session_tickets             on;
-       ssl_session_timeout             7d;
-       resolver                        1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
-       resolver_timeout                5s;
-       # Error pages
-       error_page                      403 /error/404.html;
-       error_page                      404 /error/404.html;
-       error_page                      410 /error/410.html;
-       error_page                      500 501 502 503 504 505 /error/50x.html;
-       # Proxy cache
-       proxy_cache_path                /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
-       proxy_cache_key                 "$scheme$request_method$host$request_uri";
-       proxy_temp_path                 /var/cache/nginx/temp;
-       proxy_ignore_headers            Cache-Control Expires;
-       proxy_cache_use_stale           error timeout invalid_header updating http_502;
-       proxy_cache_valid               any 1d;
-       # FastCGI cache
-       fastcgi_cache_path              /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m inactive=30m max_size=1024m;
-       fastcgi_cache_key               "$scheme$request_method$host$request_uri";
-       fastcgi_ignore_headers          Cache-Control Expires Set-Cookie;
-       fastcgi_cache_use_stale         error timeout invalid_header updating http_500 http_503;
-       add_header                      X-FastCGI-Cache $upstream_cache_status;
-
-       # Cache bypass
-       map $http_cookie $no_cache {
-               default              0;
-               ~SESS                1;
-               ~wordpress_logged_in 1;
-       }
-
-       # File cache (static assets)
-       open_file_cache                 max=10000 inactive=30s;
-       open_file_cache_valid           60s;
-       open_file_cache_min_uses        2;
-       open_file_cache_errors          off;
-       # Wildcard include
-       include                         /etc/nginx/conf.d/*.conf;
-       include                         /etc/nginx/conf.d/domains/*.conf;
-}
\ No newline at end of file
+    # Main settings
+    sendfile                        on;
+    tcp_nopush                      on;
+    tcp_nodelay                     on;
+    client_header_timeout           180s;
+    client_body_timeout             180s;
+    client_header_buffer_size       2k;
+    client_body_buffer_size         256k;
+    client_max_body_size            256m;
+    large_client_header_buffers     4 8k;
+    send_timeout                    60s;
+    keepalive_timeout               30s;
+    keepalive_requests              100000;
+    reset_timedout_connection       on;
+    server_tokens                   off;
+    server_name_in_redirect         off;
+    server_names_hash_max_size      512;
+    server_names_hash_bucket_size   512;
+    charset                         utf-8;
+
+    # FastCGI settings
+    fastcgi_buffers                 8 256k;
+    fastcgi_buffer_size             256k;
+    fastcgi_busy_buffers_size       256k;
+    fastcgi_temp_file_write_size    256k;
+    fastcgi_connect_timeout         30s;
+    fastcgi_read_timeout            300s;
+    fastcgi_send_timeout            180s;
+    fastcgi_cache_lock              on;
+    fastcgi_cache_lock_timeout      5s;
+    fastcgi_cache_background_update on;
+    fastcgi_cache_revalidate        on;
+
+    # Proxy settings
+    proxy_redirect                  off;
+    proxy_set_header                Host $host;
+    proxy_set_header                X-Real-IP $remote_addr;
+    proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_pass_header               Set-Cookie;
+    proxy_buffers                   32 4k;
+    proxy_connect_timeout           30s;
+    proxy_read_timeout              300s;
+    proxy_send_timeout              180s;
+
+    # Log format
+    log_format  main    '$remote_addr - $remote_user [$time_local] $request '
+                        '"$status" $body_bytes_sent "$http_referer" '
+                        '"$http_user_agent" "$http_x_forwarded_for"';
+    log_format  bytes   '$body_bytes_sent';
+    log_not_found off;
+    access_log off;
+
+    # Mime settings
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Compression
+    gzip                on;
+    gzip_static         on;
+    gzip_vary           on;
+    gzip_comp_level     6;
+    gzip_min_length     1024;
+    gzip_buffers        16 8k;
+    gzip_http_version   1.1;
+    gzip_types          text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
+    gzip_proxied        any;
+    gzip_disable        "MSIE [1-6]\.";
+
+    # Cloudflare https://www.cloudflare.com/ips
+    include /etc/nginx/conf.d/cloudflare.inc;
+
+    # SSL PCI compliance
+    ssl_session_cache   shared:SSL:20m;
+    ssl_session_timeout 60m;
+    ssl_buffer_size     1400;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+    ssl_dhparam         /etc/ssl/dhparam.pem;
+    ssl_ecdh_curve      secp384r1;
+    ssl_session_tickets off;
+    resolver 127.0.0.53  valid=300s ipv6=off;
+    resolver_timeout    5s;
+
+    # Error pages
+    error_page 403 /error/404.html;
+    error_page 404 /error/404.html;
+    error_page 410 /error/410.html;
+    error_page 500 501 502 503 504 505 /error/50x.html;
+
+    # Proxy cache
+    proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
+    proxy_cache_key "$host$request_uri $cookie_user";
+    proxy_temp_path  /var/cache/nginx/temp;
+    proxy_ignore_headers Expires Cache-Control;
+    proxy_cache_use_stale error timeout invalid_header http_502;
+    proxy_cache_valid any 1d;
+
+    # FastCGI cache
+    fastcgi_cache_path /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m max_size=1024m inactive=30m;
+    fastcgi_cache_key "$scheme$request_method$host$request_uri";
+    fastcgi_cache_methods GET HEAD;
+    fastcgi_cache_use_stale updating error timeout invalid_header http_500 http_503;
+    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+    add_header X-FastCGI-Cache $upstream_cache_status;
+
+    # Cache bypass
+    map $http_cookie $no_cache {
+        default 0;
+        ~SESS 1;
+        ~wordpress_logged_in 1;
+    }
+
+    # File cache (static assets)
+    open_file_cache          max=10000 inactive=30s;
+    open_file_cache_valid    60s;
+    open_file_cache_min_uses 2;
+    open_file_cache_errors   off;
+
+    # Wildcard include
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/conf.d/domains/*.conf;```

I see no problem to replace the conf file.

nginx -t
cp /etc/nginx/nginx.conf /root/nginx.conf.backup_2024-04-10
cp /usr/local/hestia/install/deb/nginx/nginx.conf /etc/nginx/nginx.conf
nginx -t
systemctl restart nginx

If it fails or your sites don’t work as they should:

cp /root/nginx.conf.backup_2024-04-10 /etc/nginx/nginx.conf
systemctl restart nginx
2 Likes

I have done this thank you. Should this get rid of the notification inside the Hestia Panel?

You’re welcome.

You should remove manually the notification.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.