Difference between revisions of "Nginx"

From EQdkp Plus
Jump to navigation Jump to search
(Created page with "Here are some hints for creating a nginx configuration. <source lang="yaml"> server { listen 80; ## listen for ipv4; this line is default and implied #listen [::]:80 de...")
 
 
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 +
[[Category:Installation]]
 
Here are some hints for creating a nginx configuration.
 
Here are some hints for creating a nginx configuration.
  
 +
== Deny access to folders ==
 +
There are some default folders that should not be accessible.
 +
* Change c3338889c07ac363fc08bc715b22c59c to the one that fits to your installation (fresh installs of EQdkp Plus 2.3 don't have hash subfolder anymore)
 +
* These are not all files. Some plugins require more protected folders
 +
* Check all folders that have a .htaccess files with "Deny all" content. These folders have to be protected.
 +
** data/<HASH>/tmp
 +
** data/<HASH>/repository
 +
** data/<HASH>/live_update
 +
** data/<HASH>/cache
 +
** data/<HASH>/eqdkp/backup
 +
** data/<HASH>/eqdkp/timekeeper
 +
** data/<HASH>/eqdkp/config
 +
** data/<HASH>/eqdkp/rss
 +
<source lang="yaml">
 +
location ~ /data/c3338889c07ac363fc08bc715b22c59c/eqdkp/(backup|timekeeper|config|rss) {
 +
deny all;
 +
}
 +
location ~ /data/c3338889c07ac363fc08bc715b22c59c/(tmp|repository|live_update|cache){
 +
deny all;
 +
}
 +
#Fresh installs of 2.3 dont have hash folder anymore
 +
location ~ /data/eqdkp/(backup|timekeeper|config|rss) {
 +
deny all;
 +
}
 +
#Fresh installs of 2.3 dont have hash folder anymore
 +
location ~ /data/(tmp|repository|live_update|cache){
 +
deny all;
 +
}
 +
</source>
 +
 +
== PHP-Files ==
 +
* Because we are using the structure index.php/someurl/, the configuration for php files must look like this:
 +
<source lang="yaml">
 +
location ~ \.php(/|$) {
 +
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
 +
# With php5-cgi alone:
 +
fastcgi_pass 127.0.0.1:9000;
 +
# With php5-fpm:
 +
fastcgi_pass unix:/var/run/php5-fpm.sock;
 +
fastcgi_index index.php;
 +
include fastcgi_params;
 +
}
 +
</source>
 +
 +
== FastCGI-Params ==
 +
* You have to edit the file /etc/nginx/fastcgi_params and add the following lines, if they are not present:
 +
<source lang="yaml">
 +
fastcgi_param  PATH_INFO              $fastcgi_path_info;
 +
fastcgi_param  PATH_TRANSLATED        $document_root$fastcgi_path_info;
 +
</source>
 +
 +
== SEO URLs ==
 +
* For removing the index.php from URLs, you can add the following:
 +
<source lang="yaml">
 +
location / {
 +
index index.php;
 +
try_files $uri $uri/ /index.php/$uri?$args;
 +
}
 +
</source>
 +
 +
* You have to adjust the installation path. E.g. if you have installed EQdkp Plus in subdirectory /eqdkp/, it must look like this:
 +
<source lang="yaml">
 +
location /eqdkp/ {
 +
index index.php;
 +
try_files $uri $uri/ /eqdkp/index.php/$uri?$args;
 +
}
 +
</source>
 +
 +
== Full example ==
 
<source lang="yaml">
 
<source lang="yaml">
 
server {
 
server {
Line 15: Line 85:
 
# =========================
 
# =========================
 
 
# Deny access to some folders. Please keep in mind, that there will be more if you install plugins etc.
+
# Deny access to some folders. Change the subfolder-name c3338889c07ac363fc08bc715b22c59c to the one of your installation.
 +
# Please keep in mind, that there will be more if you install plugins etc.
 
 
location ~ /data/c3338889c07ac363fc08bc715b22c59c/cache {
+
location ~ /data/c3338889c07ac363fc08bc715b22c59c/eqdkp/(backup|timekeeper|config|rss) {
 +
deny all;
 +
}
 +
location ~ /data/c3338889c07ac363fc08bc715b22c59c/(tmp|repository|live_update|cache){
 
deny all;
 
deny all;
 
}
 
}
location ~ /data/c3338889c07ac363fc08bc715b22c59c/eqdkp/(backup|timekeeper|config) {
+
#For Fresh installs of EQdkp Plus 2.3
 +
location ~ /data/eqdkp/(backup|timekeeper|config|rss) {
 
deny all;
 
deny all;
 
}
 
}
location ~ /data/c3338889c07ac363fc08bc715b22c59c/tmp {
+
#For Fresh installs of EQdkp Plus 2.3
 +
location ~ /data/(tmp|repository|live_update|cache){
 
deny all;
 
deny all;
 
}
 
}
Line 31: Line 107:
 
location ~ \.php(/|$) {  
 
location ~ \.php(/|$) {  
 
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
 
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass 127.0.0.1:9090;
+
# With php5-cgi alone:
 +
fastcgi_pass 127.0.0.1:9000;
 +
# With php5-fpm:
 +
fastcgi_pass unix:/var/run/php5-fpm.sock;
 
fastcgi_index index.php;
 
fastcgi_index index.php;
 
include fastcgi_params;
 
include fastcgi_params;
Line 76: Line 155:
 
# concurs with nginx's one
 
# concurs with nginx's one
 
#
 
#
#location ~ /\.ht {
+
location ~ /\.ht {
# deny all;
+
deny all;
#}
+
}
 
}
 
}
 
</source>
 
</source>

Latest revision as of 10:14, 23 August 2019

Here are some hints for creating a nginx configuration.

Deny access to folders

There are some default folders that should not be accessible.

  • Change c3338889c07ac363fc08bc715b22c59c to the one that fits to your installation (fresh installs of EQdkp Plus 2.3 don't have hash subfolder anymore)
  • These are not all files. Some plugins require more protected folders
  • Check all folders that have a .htaccess files with "Deny all" content. These folders have to be protected.
    • data/<HASH>/tmp
    • data/<HASH>/repository
    • data/<HASH>/live_update
    • data/<HASH>/cache
    • data/<HASH>/eqdkp/backup
    • data/<HASH>/eqdkp/timekeeper
    • data/<HASH>/eqdkp/config
    • data/<HASH>/eqdkp/rss
	location ~ /data/c3338889c07ac363fc08bc715b22c59c/eqdkp/(backup|timekeeper|config|rss) {
		deny all;
	}
	location ~ /data/c3338889c07ac363fc08bc715b22c59c/(tmp|repository|live_update|cache){
		deny all;
	}
	#Fresh installs of 2.3 dont have hash folder anymore
	location ~ /data/eqdkp/(backup|timekeeper|config|rss) {
		deny all;
	}
	#Fresh installs of 2.3 dont have hash folder anymore
	location ~ /data/(tmp|repository|live_update|cache){
		deny all;
	}

PHP-Files

  • Because we are using the structure index.php/someurl/, the configuration for php files must look like this:
	location ~ \.php(/|$) { 
		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
		# With php5-cgi alone:
		fastcgi_pass 127.0.0.1:9000;
		# With php5-fpm:
		fastcgi_pass unix:/var/run/php5-fpm.sock;
		fastcgi_index index.php;
		include fastcgi_params;
	}

FastCGI-Params

  • You have to edit the file /etc/nginx/fastcgi_params and add the following lines, if they are not present:
fastcgi_param   PATH_INFO               $fastcgi_path_info;
fastcgi_param   PATH_TRANSLATED         $document_root$fastcgi_path_info;

SEO URLs

  • For removing the index.php from URLs, you can add the following:
	location / {
		index index.php;
		try_files $uri $uri/ /index.php/$uri?$args;
	}
  • You have to adjust the installation path. E.g. if you have installed EQdkp Plus in subdirectory /eqdkp/, it must look like this:
	location /eqdkp/ {
		index index.php;
		try_files $uri $uri/ /eqdkp/index.php/$uri?$args;
	}

Full example

server {
	listen   80; ## listen for ipv4; this line is default and implied
	#listen   [::]:80 default_server ipv6only=on; ## listen for ipv6

	root /var/www/nginx;
	index index.html index.htm index.php;

	# Make site accessible from http://localhost/
	server_name localhost;
	
	# START EQDKP CONFIGURATION
	# =========================
	
	# Deny access to some folders. Change the subfolder-name c3338889c07ac363fc08bc715b22c59c to the one of your installation. 
	# Please keep in mind, that there will be more if you install plugins etc.
	
	location ~ /data/c3338889c07ac363fc08bc715b22c59c/eqdkp/(backup|timekeeper|config|rss) {
		deny all;
	}
	location ~ /data/c3338889c07ac363fc08bc715b22c59c/(tmp|repository|live_update|cache){
		deny all;
	}
	#For Fresh installs of EQdkp Plus 2.3
	location ~ /data/eqdkp/(backup|timekeeper|config|rss) {
		deny all;
	}
	#For Fresh installs of EQdkp Plus 2.3
	location ~ /data/(tmp|repository|live_update|cache){
		deny all;
	}
	
	# Configuration of php Files
	# Maybe you have to adjust fastcgi_pass unix:/var/run/php5-fpm.sock;
	location ~ \.php(/|$) { 
		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
		# With php5-cgi alone:
		fastcgi_pass 127.0.0.1:9000;
		# With php5-fpm:
		fastcgi_pass unix:/var/run/php5-fpm.sock;
		fastcgi_index index.php;
		include fastcgi_params;
	}
	
	# SEO URLs. Here you have to change your install directory
	location / {
		index index.php;
		try_files $uri $uri/ /index.php/$uri?$args;
	}
	
	# END EQDKP CONFIGURATION
	# =========================

	# Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
	#location /RequestDenied {
	#	proxy_pass http://127.0.0.1:8080;    
	#}

	#error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	#
	#error_page 500 502 503 504 /50x.html;
	#location = /50x.html {
	#	root /usr/share/nginx/www;
	#}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	#	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	#	# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
	#
	#	# With php5-cgi alone:
	#	fastcgi_pass 127.0.0.1:9000;
	#	# With php5-fpm:
	#	fastcgi_pass unix:/var/run/php5-fpm.sock;
	#	fastcgi_index index.php;
	#	include fastcgi_params;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	location ~ /\.ht {
		deny all;
	}
}