From a215ed5b28ec1cf2de3ea3df1409b0be5fc21328 Mon Sep 17 00:00:00 2001 From: Christoph Date: Wed, 13 Jan 2021 22:42:56 +0100 Subject: [PATCH] Add eample for magento2 configuration. --- example/magento2.conf | 305 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 305 insertions(+) create mode 100644 example/magento2.conf diff --git a/example/magento2.conf b/example/magento2.conf new file mode 100644 index 0000000..3e4a3a9 --- /dev/null +++ b/example/magento2.conf @@ -0,0 +1,305 @@ +## Example configuration: +# upstream fastcgi_backend { +# # use tcp connection +# # server 127.0.0.1:9000; +# # or socket +# server unix:/var/run/php5-fpm.sock; +# server unix:/var/run/php/php7.0-fpm.sock; +# } +# server { +# listen 80; +# server_name mage.dev; +# set $MAGE_ROOT /var/www/magento2; +# include /vagrant/magento2/nginx.conf.sample; +# } +# +## Optional override of deployment mode. We recommend you use the +## command 'bin/magento deploy:mode:set' to switch modes instead. +## +## set $MAGE_MODE default; # or production or developer +## +## If you set MAGE_MODE in server config, you must pass the variable into the +## PHP entry point blocks, which are indicated below. You can pass +## it in using: +## +## fastcgi_param MAGE_MODE $MAGE_MODE; +## +## In production mode, you should uncomment the 'expires' directive in the /static/ location block + +upstream php-7.4-fpm_backend { + server unix:/tmp/php-7.4-fpm.www.sock; +} + + +server { + listen 80; + listen [::]:80; + + server_name ; + + return 301 https://$host$request_uri; +} + + +server { + + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name ; + + # Include location directive for Let's Encrypt ACME Challenge + # + # Needed for (automated) updating certificate + # + include snippets/letsencrypt-acme-challenge.conf; + + # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits + # + # To generate a dhparam.pem file, run in a terminal + # openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048 + # + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + + # Eable session resumption to improve https performance + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 10m; + ssl_session_tickets off; + + #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE + # omit SSLv3 because of POODLE + # omit TLSv1 TLSv1.1 + ssl_protocols TLSv1.2 TLSv1.3; + + # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES) + # Everything better than SHA1 (deprecated) + # + ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA'; + ssl_prefer_server_ciphers on; + + ssl_certificate /var/lib/dehydrated/certs//fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certs//privkey.pem; + + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + # + add_header Strict-Transport-Security "max-age=15768000" always; + + set $MAGE_ROOT /var/www/; + #set $MAGE_MODE developer; + + + root $MAGE_ROOT/pub; + + index index.php; + autoindex off; + charset UTF-8; + error_page 404 403 = /errors/404.php; + #add_header "X-UA-Compatible" "IE=Edge"; + + # Only for checking PHP installation + # + location ~ phpinfo\.php$ { + root $MAGE_ROOT; + try_files $uri =404; + fastcgi_pass php-7.4-fpm_backend; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } + + + # Deny access to sensitive files + location /.user.ini { + deny all; + } + + # PHP entry point for setup application + location ~* ^/setup($|/) { + root $MAGE_ROOT; + location ~ ^/setup/index.php { + fastcgi_pass php-7.4-fpm_backend; + + fastcgi_param PHP_FLAG "session.auto_start=off \n suhosin.session.cryptua=off"; + fastcgi_param PHP_VALUE "memory_limit=756M \n max_execution_time=600"; + fastcgi_read_timeout 600s; + fastcgi_connect_timeout 600s; + + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + + #fastcgi_param MAGE_MODE $MAGE_MODE; + + include fastcgi_params; + } + + location ~ ^/setup/(?!pub/). { + deny all; + } + + location ~ ^/setup/pub/ { + add_header X-Frame-Options "SAMEORIGIN"; + } + } + + # PHP entry point for update application + location ~* ^/update($|/) { + root $MAGE_ROOT; + + location ~ ^/update/index.php { + fastcgi_split_path_info ^(/update/index.php)(/.+)$; + fastcgi_pass php-7.4-fpm_backend; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + + #fastcgi_param MAGE_MODE $MAGE_MODE; + + include fastcgi_params; + } + + # Deny everything but index.php + location ~ ^/update/(?!pub/). { + deny all; + } + + location ~ ^/update/pub/ { + add_header X-Frame-Options "SAMEORIGIN"; + } + } + + location / { + try_files $uri $uri/ /index.php$is_args$args; + } + + location /pub/ { + location ~ ^/pub/media/(downloadable|customer|import|theme_customization/.*\.xml) { + deny all; + } + alias $MAGE_ROOT/pub/; + add_header X-Frame-Options "SAMEORIGIN"; + } + + location /static/ { + # Uncomment the following line in production mode + # expires max; + + # Remove signature of the static files that is used to overcome the browser cache + location ~ ^/static/version { + rewrite ^/static/(version[^/]+/)?(.*)$ /static/$2 last; + } + + location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ { + add_header Cache-Control "public"; + add_header X-Frame-Options "SAMEORIGIN"; + expires +1y; + + if (!-f $request_filename) { + rewrite ^/static/?(.*)$ /static.php?resource=$1 last; + } + } + location ~* \.(zip|gz|gzip|bz2|csv|xml)$ { + add_header Cache-Control "no-store"; + add_header X-Frame-Options "SAMEORIGIN"; + expires off; + + if (!-f $request_filename) { + rewrite ^/static/?(.*)$ /static.php?resource=$1 last; + } + } + if (!-f $request_filename) { + rewrite ^/static/?(.*)$ /static.php?resource=$1 last; + } + add_header X-Frame-Options "SAMEORIGIN"; + } + + location /media/ { + try_files $uri $uri/ /get.php$is_args$args; + + location ~ ^/media/theme_customization/.*\.xml { + deny all; + } + + location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ { + add_header Cache-Control "public"; + add_header X-Frame-Options "SAMEORIGIN"; + expires +1y; + try_files $uri $uri/ /get.php$is_args$args; + } + location ~* \.(zip|gz|gzip|bz2|csv|xml)$ { + add_header Cache-Control "no-store"; + add_header X-Frame-Options "SAMEORIGIN"; + expires off; + try_files $uri $uri/ /get.php$is_args$args; + } + add_header X-Frame-Options "SAMEORIGIN"; + } + + location /media/customer/ { + deny all; + } + + location /media/downloadable/ { + deny all; + } + + location /media/import/ { + deny all; + } + + location /media/custom_options/ { + deny all; + } + + location /errors/ { + location ~* \.xml$ { + deny all; + } + } + + # PHP entry point for main application + location ~ (index|get|static|report|404|503|health_check)\.php$ { + try_files $uri =404; + fastcgi_pass php-7.4-fpm_backend; + fastcgi_buffers 16 16k; + fastcgi_buffer_size 32k; + + fastcgi_param PHP_FLAG "session.auto_start=off \n suhosin.session.cryptua=off"; + fastcgi_param PHP_VALUE "memory_limit=756M \n max_execution_time=18000"; + fastcgi_read_timeout 600s; + fastcgi_connect_timeout 600s; + + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + + #fastcgi_param MAGE_MODE $MAGE_MODE; + + include fastcgi_params; + } + + gzip on; + gzip_disable "msie6"; + + gzip_comp_level 6; + gzip_min_length 1100; + gzip_buffers 16 8k; + gzip_proxied any; + gzip_types + text/plain + text/css + text/js + text/xml + text/javascript + application/javascript + application/x-javascript + application/json + application/xml + application/xml+rss + image/svg+xml; + gzip_vary on; + + # Banned locations (only reached if the earlier PHP entry point regexes don't match) + location ~* (\.php$|\.htaccess$|\.git) { + deny all; + } +} +