Jump to content
thirty bees forum
  • entry
    1
  • comments
    31
  • views
    3,621

nginx configuration for thirtybees


You might find this nginx configuration useful if you want to run your thirtybees on nginx + php-fpm

 

server {
    listen 80;
    index index.php index.html;
    server_name localhost;
    root /var/www/default;

    # use original IP address changed by cloudflare
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 104.24.0.0/14;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2a06:98c0::/29;
    set_real_ip_from 2c0f:f248::/32;

    real_ip_header CF-Connecting-IP;

    # root
    location / {
        try_files  $uri  $uri/  /index.php?$args;
        index index.php;
    }

    location ~ /.git/ {
        deny all;
    }

    location ~* \.tpl$ {
        deny all;
    }

    location ~* \.(eot|otf|ttf|woff|woff2)$ {
	  add_header Access-Control-Allow-Origin *;
	  expires max;
    }

    # Rewriting for images pretty url - both jpg and webp formats
    location ~* \.(eot|gif|ico|jpg|jpeg|otf|pdf|png|svg|swf|ttf|woff|webp)$ {
        rewrite ^/([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$1$2$3.jpg break;
        rewrite ^/([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$1$2$3$4.jpg break;
        rewrite ^/([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$1$2$3$4$5.jpg break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.jpg break;
        rewrite ^/c/([0-9]+)(\-[\.*_a-zA-Z0-9-]*)(-[0-9]+)?/.+\.jpg$ /img/c/$1$2$3.jpg break;
        rewrite ^/c/([a-zA-Z_-]+)(-[0-9]+)?/.+\.jpg$ /img/c/$1$2.jpg break;

        rewrite ^/([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$1$2$3.webp break;
        rewrite ^/([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$2/$1$2$3$4.webp break;
        rewrite ^/([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$2/$3/$1$2$3$4$5.webp break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$2/$3/$4/$1$2$3$4$5$6.webp break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.webp break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.webp break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.webp break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.webp break;
        rewrite ^/c/([0-9]+)(\-[\.*_a-zA-Z0-9-]*)(-[0-9]+)?/.+\.webp$ /img/c/$1$2$3.webp break;
        rewrite ^/c/([a-zA-Z_-]+)(-[0-9]+)?/.+\.webp$ /img/c/$1$2.webp break;
 
        allow all;
        try_files  $uri  $uri/  /index.php?$args;
    }

    # php rewriting
    location ~ \.php$ {

        # Installer is using /install/sandbox/anything.php url to test rewritting capabilities
        # it should rewrite to /install/sandbox.test.php file
        rewrite ^/(.*)/sandbox/anything.php$ /$1/sandbox/test.php break;

        try_files  $uri  $uri/  /index.php?$args;
        index  index.html index.htm index.php;

        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        fastcgi_pass php:9000;
        fastcgi_index index.php;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_intercept_errors on;
        fastcgi_read_timeout 360s;
        fastcgi_buffers 8 64k;
        fastcgi_buffer_size 64k;
        include fastcgi_params;
    }
}

 

  • Like 3

31 Comments


Recommended Comments



wakabayashi

Posted

@datakick Do you use any expires values? I followed some examples from google, but can't make it work. Google PageSpeed Insights always says, there aren't set. How would this done be correctly?

location ~* \.(woff)$ {
	expires 300d;
	add_header Pragma "public";
	add_header Cache-Control "public";
}

I tried this one. I am using nginx and cloudflare. Not sure if cloudflare has any impact on that 🤔

datakick

Posted

3 hours ago, wakabayashi said:

@datakick Do you use any expires values? I followed some examples from google, but can't make it work. Google PageSpeed Insights always says, there aren't set. How would this done be correctly?

location ~* \.(woff)$ {
	expires 300d;
	add_header Pragma "public";
	add_header Cache-Control "public";
}

I tried this one. I am using nginx and cloudflare. Not sure if cloudflare has any impact on that 🤔

Never played with this one. But I assume cloudflare will modify these nginx headers, since it's caching layer.

you can see diffs by requesting 

curl -I https://www.domain.com/.../file.woff

vs

curl -I 199.199.199.199/.../file.woff

I get 

HTTP/2 200
date: Wed, 03 Aug 2022 14:32:20 GMT
content-type: font/woff
content-length: 90412
last-modified: Tue, 19 Feb 2019 13:44:42 GMT
etag: "5c6c084a-1612c"
cache-control: max-age=31536000
cf-cache-status: HIT
age: 3
accept-ranges: bytes
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VUCoNPsUr2WZxf4%2Bsd0XJgcgwMq4y7hqrey0LQG1a9Y2Gtno7j07DYM01T3EeJ9OsEyZp%2BLMbH%2Bwqf03i%2BNN1etvVz6JZ6w61KX1O3G7WhXfPucFeYG9h3SC2Xxdam4%2BMNsowbvT8d0%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 734fc316f984b333-PRG
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

vs

HTTP/1.1 200 OK
Server: nginx/1.15.8
Date: Wed, 03 Aug 2022 14:33:17 GMT
Content-Type: font/woff
Content-Length: 90412
Last-Modified: Tue, 19 Feb 2019 13:44:42 GMT
Connection: keep-alive
ETag: "5c6c084a-1612c"
Accept-Ranges: bytes

As you can see, cloudflare adds cache-control header itself.

  • Thanks 1
Beeta

Posted (edited)

@datakickCloudflare added some ipv4 classes (see below). Do you reccomended to add them to the nginx configuration too?

173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22

source: https://www.cloudflare.com/ips-v4

Edited by Beeta
datakick

Posted

yeah, absolutely. Thanks for bringing this to my attention.

 

Beeta

Posted (edited)

Another suggestion is to use a cronjob to update ip list from cloudflare.

In my case:

I use centminmod framework in the vps and I just learned that it have by default a script installed that update nginx conf with latest ip list:

You can take a look at it here:

https://community.centminmod.com/threads/csfcf-sh-automate-cloudflare-nginx-csf-firewall-setups.6241/

You can see the script (csfcf.sh) here:

https://github.com/centminmod/centminmod/tree/master/tools

Cronjob run the script, the script update /usr/local/nginx/conf/cloudflare.conf included in the main nginx conf by default (commented):

#include /usr/local/nginx/conf/cloudflare.conf;

So in my case I added the cronjob and uncommented the include row in the main nginx conf. That's it.

Thank you George Liu (eva2000)! ^_^

Edited by Beeta
zen

Posted

Here is my conf file for nginx version 1.24.0 and php-fpm 8.1 as the one on this post did not function and give me errors while lunching nginx or testing with nginx -t, hope it can help others too.
 

server {
   root /var/www/domaine_com;
   index index.php index.html index.htm;
   server_name domaine.com www.domaine.com;

   client_max_body_size 100M;

   gzip on;
   gzip_vary on;
   gzip_min_length 1024;
   gzip_proxied expired no-cache no-store private auth;
   gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
   gzip_disable "MSIE [1-6]\.";

   # use original IP address changed by cloudflare
   set_real_ip_from 103.21.244.0/22;
   set_real_ip_from 103.22.200.0/22;
   set_real_ip_from 103.31.4.0/22;
   set_real_ip_from 104.16.0.0/12;
   set_real_ip_from 108.162.192.0/18;
   set_real_ip_from 131.0.72.0/22;
   set_real_ip_from 141.101.64.0/18;
   set_real_ip_from 162.158.0.0/15;
   set_real_ip_from 172.64.0.0/13;
   set_real_ip_from 173.245.48.0/20;
   set_real_ip_from 188.114.96.0/20;
   set_real_ip_from 190.93.240.0/20;
   set_real_ip_from 197.234.240.0/22;
   set_real_ip_from 198.41.128.0/17;
   set_real_ip_from 2400:cb00::/32;
   set_real_ip_from 2606:4700::/32;
   set_real_ip_from 2803:f800::/32;
   set_real_ip_from 2405:b500::/32;
   set_real_ip_from 2405:8100::/32;
   set_real_ip_from 2c0f:f248::/32;
   set_real_ip_from 2a06:98c0::/29;
   real_ip_header CF-Connecting-IP;

   # Rewriting for images pretty url - both jpg and webp formats
   location ~* \.(eot|gif|ico|jpg|jpeg|otf|pdf|png|svg|swf|ttf|woff|webp)$ {
        rewrite ^/([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$1$2$3.jpg break;
        rewrite ^/([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$1$2$3$4.jpg break;
        rewrite ^/([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$1$2$3$4$5.jpg break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.j>
        rewrite ^/c/([0-9]+)(\-[\.*_a-zA-Z0-9-]*)(-[0-9]+)?/.+\.jpg$ /img/c/$1$2$3.jpg break;
        rewrite ^/c/([a-zA-Z_-]+)(-[0-9]+)?/.+\.jpg$ /img/c/$1$2.jpg break;

        rewrite ^/([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$1$2$3.webp break;
        rewrite ^/([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$2/$1$2$3$4.webp break;
        rewrite ^/([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$2/$3/$1$2$3$4$5.webp break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$2/$3/$4/$1$2$3$4$5$6.webp break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.webp break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.webp break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.webp break;
        rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.webp$ /img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.>
        rewrite ^/c/([0-9]+)(\-[\.*_a-zA-Z0-9-]*)(-[0-9]+)?/.+\.webp$ /img/c/$1$2$3.webp break;
        rewrite ^/c/([a-zA-Z_-]+)(-[0-9]+)?/.+\.webp$ /img/c/$1$2.webp break;

        expires 12M;
        access_log off;
        add_header Cache-Control "public";

        allow all;
        try_files  $uri  $uri/  /index.php?$args;
   }

   # Media: images, icons, video, audio, HTC
   location ~* \.(?:js|css|cur|gz|svg|svgz|mp4|mp3|wav|ogg|ogv|webm|htc|woff2)$ {
       expires 12M;
       access_log off;
       add_header Cache-Control "public";
   }

   # root
   location / {
       try_files  $uri  $uri/  /index.php?$args;
       index index.php;
   }

   # Block git repostiries
   location ~ /.git/ {
       deny all;
   }

   # Block access to templates
   location ~* \.tpl$ {
       deny all;
   }

   # php rewriting
   location ~ \.php$ {
      fastcgi_pass unix:/run/php/php8.1-fpm.sock;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_intercept_errors on;
      fastcgi_read_timeout 360s;
      fastcgi_buffers 8 64k;
      fastcgi_buffer_size 64k;
      include fastcgi_params;
      include snippets/fastcgi-php.conf;
   }

    listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domaine.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domaine.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.domaine.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = domaine.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name domaine.com www.domaine.com;
    return 404; # managed by Certbot
}

 


Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...