Answer the question
In order to leave comments, you need to log in
Correctness and optimization of nginx config?
I use Nginx + PHP-FPM (php version 7.1) in the ISPmanager 5 Lite panel. I am slowly moving away from the usual Nginx + Apache bundle. Due to the fact that the classic .htaccess cannot be used, I am making some changes to the config /etc/nginx/vhosts/siteru/site.ru.conf
Who is familiar with the Nginx + PHP-FPM connection, tell me if this config can be then improve? (embarrassing that you have to duplicate all the data) Or is it perfect? :)
server {
server_name site.ru www.site.ru;
charset off;
disable_symlinks if_not_owner from=$root_path;
include /etc/nginx/vhosts-includes/*.conf;
include /etc/nginx/vhosts-resources/site.ru/*.conf;
access_log /var/www/httpd-logs/site.ru.access.log;
error_log /var/www/httpd-logs/site.ru.error.log notice;
ssi on;
set $root_path /var/www/siteru/data/www/site.ru;
root $root_path;
location / {
location ~ [^/]\.ph(p\d*|tml)$ {
try_files /does_not_exists @php;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
}
listen xx.xxx.xx.xx:80;
index index.php;
return 301 https://$host:443$request_uri;
location @php {
fastcgi_index index.php;
fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f [email protected]";
fastcgi_pass unix:/var/www/php-fpm/siteru.sock;
fastcgi_split_path_info ^((?U).+\.ph(?:p\d*|tml))(/?.+)$;
try_files $uri =404;
include fastcgi_params;
}
location = /wp-login.php {
try_files /does_not_exists @deny;
}
location @deny {
allow xx.xxx.xx.xxx;
deny all;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Запрещаем доступ к скрытым файлам
location ~ /\. {
deny all;
}
# Запрещаем доступ к файлам .php в директории uploads
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
}
server {
server_name site.ru www.site.ru;
ssl on;
ssl_certificate "/var/www/httpd-cert/siteru/site.ru_le1.crtca";
ssl_certificate_key "/var/www/httpd-cert/siteru/site.ru_le1.key";
ssl_ciphers EEEEH:+AEEE56:-EEES:REE+AES:!NULL:!RC4;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /etc/ssl/certs/dhparam4096.pem;
charset off;
index index.php;
disable_symlinks if_not_owner from=$root_path;
include /etc/nginx/vhosts-includes/*.conf;
include /etc/nginx/vhosts-resources/site.ru/*.conf;
access_log /var/www/httpd-logs/site.ru.access.log;
error_log /var/www/httpd-logs/site.ru.error.log notice;
ssi on;
set $root_path /var/www/siteru/data/www/site.ru;
root $root_path;
listen xx.xxx.xx.xx:443 ssl http2;
location / {
location ~ [^/]\.ph(p\d*|tml)$ {
try_files /does_not_exists @php;
}
location / {
try_files $uri $uri/ /index.php?$args;
}
}
location @php {
fastcgi_index index.php;
fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f [email protected]";
fastcgi_pass unix:/var/www/php-fpm/siteru.sock;
fastcgi_split_path_info ^((?U).+\.ph(?:p\d*|tml))(/?.+)$;
try_files $uri =404;
include fastcgi_params;
}
location = /wp-login.php {
try_files /does_not_exists @deny;
}
location @deny {
allow xx.xxx.xx.xxx;
deny all;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Запрещаем доступ к скрытым файлам
location ~ /\. {
deny all;
}
# Запрещаем доступ к файлам .php в директории uploads
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
}
Answer the question
In order to leave comments, you need to log in
You have a redirect to https in the http part, then why is everything else there?
If http access is not needed, then this part of the config can be reduced to
server {
server_name site.ru www.site.ru;
listen xx.xxx.xx.xx:80;
return 301 https://$host:443$request_uri;
}
If you still need it, then you can take out all the duplicate lines in a separate file and connect it via include.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question