Nginx
Andrey, 2018-01-07 18:23:50

Correctness and optimization of nginx config?

I use Nginx + PHP-FPM (PHP version 7.1) in the ISPmanager 5 Lite panel. I am slowly moving away from the usual Nginx + Apache bundle. Because the classic .htaccess cannot be used, I am making some changes to the config /etc/nginx/vhosts/siteru/site.ru.conf
Can anyone familiar with the Nginx + PHP-FPM combination tell me whether this config can be improved further? (It is embarrassing that all the data has to be duplicated.) Or is it perfect? :)

server {
  server_name site.ru www.site.ru;
  charset off;
  disable_symlinks if_not_owner from=$root_path;
  include /etc/nginx/vhosts-includes/*.conf;
  include /etc/nginx/vhosts-resources/site.ru/*.conf;
  access_log /var/www/httpd-logs/site.ru.access.log;
  error_log /var/www/httpd-logs/site.ru.error.log notice;
  ssi on;
  set $root_path /var/www/siteru/data/www/site.ru;
  root $root_path;
  location / {
    location ~ [^/]\.ph(p\d*|tml)$ {
      try_files /does_not_exists @php;
    }
    location / {
      try_files $uri $uri/ /index.php?$args;
    }
  }
  listen xx.xxx.xx.xx:80;
  index index.php;
  return 301 https://$host:443$request_uri;
  location @php {
    fastcgi_index index.php;
    fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f [email protected]";
    fastcgi_pass unix:/var/www/php-fpm/siteru.sock;
    fastcgi_split_path_info ^((?U).+\.ph(?:p\d*|tml))(/?.+)$;
    try_files $uri =404;
    include fastcgi_params;
  }
  location = /wp-login.php {
    try_files /does_not_exists @deny;
  }

  location @deny {
    allow xx.xxx.xx.xxx;
    deny all;
  }

  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  # Deny access to hidden files
  location ~ /\. {
    deny all;
  }

  # Deny access to .php files in the uploads directory
  location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
  }
}
server {
  server_name site.ru www.site.ru;
  ssl on;
  ssl_certificate "/var/www/httpd-cert/siteru/site.ru_le1.crtca";
  ssl_certificate_key "/var/www/httpd-cert/siteru/site.ru_le1.key";
  ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:!NULL:!RC4;
  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_dhparam /etc/ssl/certs/dhparam4096.pem;
  charset off;
  index index.php;
  disable_symlinks if_not_owner from=$root_path;
  include /etc/nginx/vhosts-includes/*.conf;
  include /etc/nginx/vhosts-resources/site.ru/*.conf;
  access_log /var/www/httpd-logs/site.ru.access.log;
  error_log /var/www/httpd-logs/site.ru.error.log notice;
  ssi on;
  set $root_path /var/www/siteru/data/www/site.ru;
  root $root_path;
  listen xx.xxx.xx.xx:443 ssl http2;
  location / {
    location ~ [^/]\.ph(p\d*|tml)$ {
      try_files /does_not_exists @php;
    }
    location / {
      try_files $uri $uri/ /index.php?$args;
    }
  }
  location @php {
    fastcgi_index index.php;
    fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f [email protected]";
    fastcgi_pass unix:/var/www/php-fpm/siteru.sock;
    fastcgi_split_path_info ^((?U).+\.ph(?:p\d*|tml))(/?.+)$;
    try_files $uri =404;
    include fastcgi_params;
  }
  location = /wp-login.php {
    try_files /does_not_exists @deny;
  }

  location @deny {
    allow xx.xxx.xx.xxx;
    deny all;
  }

  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  # Deny access to hidden files
  location ~ /\. {
    deny all;
  }

  # Deny access to .php files in the uploads directory
  location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
  }
}

2 answer(s)
neol, 2018-01-07
@dyba

You have a redirect to https in the http part, so why is everything else there?
If http access is not needed, then this part of the config can be reduced to

server {
  server_name site.ru www.site.ru;
  listen xx.xxx.xx.xx:80;
  return 301 https://$host:443$request_uri;
}

If you still need it, then you can take out all the duplicate lines in a separate file and connect it via include.
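The point neol makes can be checked mechanically: nginx executes a server-level `return` in the server rewrite phase, before it selects any `location`, so every `location` in the :80 block above is dead configuration. The following Python linter is an added example, not code from the original post or from neol. It parses only the subset of nginx syntax the question's config uses, reports the locations that a server-level `return` makes unreachable, and lists the directives and blocks that are duplicated verbatim between the two server blocks, which is the duplication Andrey complains about. The sample input is a constructed, trimmed copy of the question's two server blocks with the post's placeholder addresses kept; the file name in the usage note is an assumption.

```python
"""Minimal nginx config linter (added example, not code from the original post).
Flags location blocks made unreachable by a server-level `return` and lists
items duplicated verbatim across server blocks. Parses only the syntax the
question's config uses: `directive args;`, `name args { ... }`, `#` comments."""
import re

# Constructed sample input: the question's two server blocks, trimmed to what
# the two checks need; placeholder addresses kept as in the post.
SAMPLE_CONF = r"""
server {
  server_name site.ru www.site.ru;
  listen xx.xxx.xx.xx:80;
  return 301 https://$host:443$request_uri;
  location / {
    try_files $uri $uri/ /index.php?$args;
  }
  location = /wp-login.php {
    try_files /does_not_exists @deny;
  }
  location @deny {
    allow xx.xxx.xx.xxx;   # admin address, placeholder as in the post
    deny all;
  }
}
server {
  server_name site.ru www.site.ru;
  listen xx.xxx.xx.xx:443 ssl http2;
  location / {
    try_files $uri $uri/ /index.php?$args;
  }
  location = /wp-login.php {
    try_files /does_not_exists @deny;
  }
  location @deny {
    allow xx.xxx.xx.xxx;
    deny all;
  }
}
"""

# Quoted strings stay whole; braces and ';' are tokens of their own.
TOKEN_RE = re.compile(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};'"]+''')

def tokenize(text):
    """Strip `#` comments (not supported inside quotes), then split."""
    return TOKEN_RE.findall(re.sub(r'#[^\n]*', '', text))

def parse(tokens):
    """Tree of (name, args, children); children is None for a plain directive."""
    root, stack, cur = [], [], []
    stack.append(root)
    for tok in tokens:
        if tok in (';', '{') and cur:
            children = [] if tok == '{' else None
            stack[-1].append((cur[0], cur[1:], children))
            if children is not None:
                stack.append(children)
            cur = []
        elif tok == '}':
            stack.pop()
        elif tok not in (';', '{'):
            cur.append(tok)
    return root

def render(item):
    """Canonical one-line text of a directive or block, for comparison."""
    name, args, children = item
    head = ' '.join([name] + args)
    if children is None:
        return head + ';'
    return head + ' { ' + ' '.join(render(c) for c in children) + ' }'

def unreachable_locations(server):
    """Locations that can never match: nginx executes a server-level `return`
    in the server rewrite phase, before any location is selected."""
    if not any(n == 'return' for n, _, _ in server):
        return []
    return [' '.join(['location'] + a) for n, a, _ in server if n == 'location']

def lint(conf_text):
    """Return {'unreachable': {listen: [locations]}, 'duplicated': [items]}."""
    servers = [c for n, _, c in parse(tokenize(conf_text))
               if n == 'server' and c is not None]
    report = {'unreachable': {}, 'duplicated': []}
    for srv in servers:
        dead = unreachable_locations(srv)
        if dead:
            listen = next((' '.join(a) for n, a, _ in srv if n == 'listen'), '<no listen>')
            report['unreachable'][listen] = dead
    if len(servers) >= 2:
        # Directives and whole blocks that are identical in every server
        # block: the duplication the question complains about.
        common = set(map(render, servers[0]))
        for srv in servers[1:]:
            common &= set(map(render, srv))
        report['duplicated'] = sorted(common)
    return report

if __name__ == '__main__':
    result = lint(SAMPLE_CONF)
    for listen, dead in result['unreachable'].items():
        print(f'listen {listen}: unreachable', ', '.join(dead))
    print(f"{len(result['duplicated'])} duplicated item(s):")
    print('\n'.join('  ' + d for d in result['duplicated']))
```

Run it as `python3 nginx_lint.py` (assumed file name); to check your own vhost, replace `SAMPLE_CONF` with the file's contents. A `return` inside a `location` is not flagged, since that is the normal way to answer a single path, only a `return` at server level kills the whole block. The parser is deliberately small: regex locations that contain `{n}` quantifiers must be quoted, which nginx itself requires, and a `#` inside a quoted argument is not handled.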

Mikhail Grigoriev, 2018-01-08
@Sleuthhound

If you still need it, then you can take out all the duplicate lines in a separate file and connect it via include.

From the point of view of self-containment, and following the recommendations of the nginx developers, that is wrong: as far as possible, the entire config related to a site should be in one file.
Moving the common parts into separate files and pulling them in with include is convenient when you have a huge number of sites on the server with the same configuration and it is not supposed to be changed locally (for one site). But if you have 5 sites on the server with different configurations, then moving the common parts into separate files and using include will only make the config harder to read, because you have to remember what you connected via include, or constantly jump around and look at a bunch of files; this is terribly inconvenient. And I am not even talking about transferring the configuration to another server: with 1 file you just take it and copy it, whereas with a file containing includes you need to transfer the whole bunch of configs, and you need to remember to do that.
