From 8d6d985a7c1cf66684b10c2cf96d8d875d58aa95 Mon Sep 17 00:00:00 2001 From: Fred Condo Date: Mon, 29 Jan 2018 11:27:22 -0800 Subject: [PATCH] Port nginx configuration changes from 3 --- .../01_Installation/How_To/Configure_Nginx.md | 163 ++++++++---------- 1 file changed, 75 insertions(+), 88 deletions(-) diff --git a/docs/en/00_Getting_Started/01_Installation/How_To/Configure_Nginx.md b/docs/en/00_Getting_Started/01_Installation/How_To/Configure_Nginx.md index 8d3051d4549..fd8ff85c776 100644 --- a/docs/en/00_Getting_Started/01_Installation/How_To/Configure_Nginx.md +++ b/docs/en/00_Getting_Started/01_Installation/How_To/Configure_Nginx.md @@ -1,7 +1,7 @@ # Nginx These instructions are also covered on the -[Nginx Wiki](http://wiki.nginx.org/SilverStripe). +[Nginx Wiki](https://www.nginx.com/resources/wiki/start/topics/recipes/silverstripe/). The prerequisite is that you have already installed Nginx and you are able to run PHP files via the FastCGI-wrapper from Nginx. @@ -18,92 +18,79 @@ Especially be aware of [accidental php-execution](https://nealpoole.com/blog/201 But enough of the disclaimer, on to the actual configuration — typically in `nginx.conf`: - server { - listen 80; - root /path/to/ss/folder; - - server_name site.com www.site.com; - - # Defend against SS-2015-013 -- http://www.silverstripe.org/software/download/security-releases/ss-2015-013 - if ($http_x_forwarded_host) { - return 400; - } - - location / { - try_files $uri /index.php?$query_string; - } - - error_page 404 /assets/error-404.html; - error_page 500 /assets/error-500.html; - - location ^~ /assets/ { - location ~ /\. { - deny all; - } - sendfile on; - try_files $uri /index.php?$query_string; - } - - location ~ /framework/.*(main|rpc|tiny_mce_gzip)\.php$ { - fastcgi_keep_conn on; - fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - include fastcgi_params; - } - - location ~ /(mysite|framework|cms)/.*\.(php|php3|php4|php5|phtml|inc)$ { - deny all; - } - - location ~ /\.. { - deny all; - } - - location ~ \.ss$ { - satisfy any; - allow 127.0.0.1; - deny all; - } - - location ~ web\.config$ { - deny all; - } - - location ~ \.ya?ml$ { - deny all; - } - - location ^~ /vendor/ { - deny all; - } - - location ~* /silverstripe-cache/ { - deny all; - } - - location ~* composer\.(json|lock)$ { - deny all; - } - - location ~* /(cms|framework)/silverstripe_version$ { - deny all; - } - - location ~ \.php$ { - fastcgi_keep_conn on; - fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - include fastcgi_params; - fastcgi_buffer_size 32k; - fastcgi_busy_buffers_size 64k; - fastcgi_buffers 4 32k; - } - } - -The above configuration sets up a virtual host `site.com` with -rewrite rules suited for SilverStripe. The location block for php files -passes all php scripts to the FastCGI-wrapper via a TCP socket. +```nginx +server { + include mime.types; + default_type application/octet-stream; + client_max_body_size 0; # Manage this in php.ini + listen 80; + root /path/to/ss/folder; + server_name example.com www.example.com; + + # Defend against SS-2015-013 -- http://www.silverstripe.org/software/download/security-releases/ss-2015-013 + if ($http_x_forwarded_host) { + return 400; + } + + location / { + try_files $uri /index.php?$query_string; + } + + error_page 404 /assets/error-404.html; + error_page 500 /assets/error-500.html; + + location ^~ /assets/ { + sendfile on; + try_files $uri =404; + } + + location ~ /framework/.*(main|rpc|tiny_mce_gzip)\.php$ { + fastcgi_buffer_size 32k; + fastcgi_busy_buffers_size 64k; + fastcgi_buffers 4 32k; + fastcgi_keep_conn on; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } + + # Denials + location ~ /\.. { + deny all; + } + location ~ \.ss$ { + satisfy any; + allow 127.0.0.1; + deny all; + } + location ~ web\.config$ { + deny all; + } + location ~ \.ya?ml$ { + deny all; + } + location ~* README.*$ { + deny all; + } + location ^~ /vendor/ { + deny all; + } + location ~* /silverstripe-cache/ { + deny all; + } + location ~* composer\.(json|lock)$ { + deny all; + } + location ~* /(cms|framework)/silverstripe_version$ { + deny all; + } +} +``` + +The above configuration sets up a virtual host `example.com` with +rewrite rules suited for SilverStripe. The location block for framework +php files passes all the php scripts to the FastCGI-wrapper via a TCP +socket. Now you can proceed with the SilverStripe installation normally.