Конфиг под Битрикс nginx+php-fpm+ssl+http2 на ubuntu. Битрикс nginx http авторизация


nginx php-fpm bitrix | FRYAHA.RU

Рабочий конфиг. nginx для запуска bitrix.

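# Terminal transcript: php-fpm pool file, main nginx.conf and one site file.
# NOTE(review): the source page lost its line breaks; the layout below is reconstructed.
# NOTE(review): both php-fpm pools listen on sockets under /tmp, a world-writable
#   directory, and no listen.mode is shown (the egrep filter hides every line that
#   contains ';'). A dedicated socket directory owned by the service account is safer.
# NOTE(review): nginx ("user use222 use222;") and both pools run as the same account,
#   so PHP code can write to everything the web server can read or write.
root@site_loc:/usr/src # cat /usr/local/etc/php-fpm.conf | egrep -v '^$|;'
[global]
pid = run/php-fpm.pid
events.mechanism = kqueue
[www]
user = use222
group = use222
listen = /tmp/www.sock
listen.owner = use222
listen.group = use222
pm = dynamic
pm.max_children = 455
pm.start_servers = 18
pm.min_spare_servers = 18
pm.max_spare_servers = 19
pm.max_requests = 4000
security.limit_extensions = .php .php3 .php4 .php5
# Socket for the second site, which is handled by its own pool.
[premiumsmoke]
user = use222
group = use222
listen = /tmp/smoke.sock
listen.owner = use222
listen.group = use222
pm = dynamic
pm.max_children = 355
pm.start_servers = 15
pm.min_spare_servers = 15
pm.max_spare_servers = 17
pm.max_requests = 3500
security.limit_extensions = .php .php3 .php4 .php5
php_admin_value[mbstring.func_overload]=0
php_admin_value[mbstring.internal_encoding]=latin
root@site_loc:/usr/src # cat /usr/local/etc/nginx/nginx.conf
# NOTE(review): a '#' followed by a directive is rendered here as an empty separator
#   line, because the map blocks that follow such a '#' are used by the site file.
#   TODO confirm against the original file that none of them was a commented-out line.
user use222 use222;
worker_processes 8;
timer_resolution 100ms;
worker_rlimit_nofile 8192;
worker_priority -5;
#
error_log /mnt/log/nginx/error.log error;
pid /var/run/nginx.pid;
events {
    worker_connections 3048;
    use kqueue;
    multi_accept on;
}
http {
    # Shared-memory zones keyed by client address. No limit_req / limit_conn
    # directive appears in the site file shown below, so these zones are only
    # declared here, not enforced.
    limit_req_zone $binary_remote_addr zone=one:10m rate=8r/s;
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    #
    include /usr/local/etc/nginx/mime.types;
    default_type application/octet-stream;
    #
    access_log /mnt/log/nginx/access.log;
    access_log off;
    log_format compression '$remote_addr - [$time_local] '
                           '"$request" $status '
                           '"$http_user_agent"';
    #
    # $bad_method is 1 unless the method matches GET, HEAD or POST.
    # NOTE(review): the pattern is unanchored and case-insensitive, so any method
    #   that merely contains one of these words also passes; ^(GET|HEAD|POST)$ is stricter.
    map $request_method $bad_method {
        default 1;
        ~(?i)(GET|HEAD|POST) 0;
    }
    # Add here all user agents that are to be blocked.
    # NOTE(review): User-Agent and Referer are client-supplied; these two maps cut
    #   noise from careless crawlers but are not an access control.
    map $http_user_agent $bad_bot {
        default 0;
        ~(?i)(httrack|WinHTTrack|htmlparser|libwww|Python|perl|urllib|Zeus|scan|Curl|email|PycURL|Pyth|PyQ|WebCollector|WebCopier|WebCopy|webcraw|LWP::simple|Havij) 1;
    }
    # Bad referers.
    map $http_referer $bad_referer {
        default 0;
        ~(?i)(babes|click|forsale|jewelry|nudit|organic|poker|amnesty|poweroversoftware|webcam|zippo|casino|replica) 1;
    }
    #
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    client_body_timeout 15;
    send_timeout 5;
    client_max_body_size 30m;
    keepalive_timeout 25;
    keepalive_requests 100;
    reset_timedout_connection on;
    fastcgi_buffer_size 156k;
    fastcgi_buffers 16 156k;
    fastcgi_read_timeout 900;
    #
    # Response headers set at http level. nginx inherits add_header into a server
    # or location only when that level defines no add_header of its own, so the
    # player location in the site file does not send any of these.
    # NOTE(review): "Frame-Options", "X-Content-Security-Policy" and "X-WebKit-CSP"
    #   are obsolete or non-standard names; current browsers act on
    #   Content-Security-Policy and X-Frame-Options only.
    add_header X-Frame-Options SAMEORIGIN;
    add_header Frame-Options SAMEORIGIN;
    # The original listed X-Content-Type-Options twice; one copy is kept.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block;";
    add_header X-Content-Security-Policy "allow 'self';";
    add_header X-WebKit-CSP "allow 'self';";
    #
    gzip on;
    gzip_disable "MSIE [1-6]\.";
    gzip_min_length 1100;
    gzip_buffers 4 8k;
    gzip_comp_level 7;
    gzip_http_version 1.1;
    gzip_proxied any;
    # The terminating ';' was missing on the page. Without it nginx reads the next
    # "include <path>" as two more MIME types and silently skips that include.
    gzip_types text/plain application/xhtml+xml text/css application/xml application/xml+rss text/javascript application/javascript application/x-javascript;
    #
    # NOTE(review): with the ';' restored this include becomes active; check what
    #   conf.d contains before reloading.
    include /usr/local/etc/nginx/conf.d/*.conf;
    include /usr/local/etc/nginx/sites-enabled_old/*;
}
root@site_loc:/usr/src # cat /usr/local/etc/nginx/sites-enabled_old/site.local
# Catch-all server for this address: requests with an unknown Host land here.
server {
    listen 1.1.2.1:80;
    root /usr/local/www/default;
}
# Redirect the www name to the bare name.
server {
    listen 1.1.2.1:80;
    server_name www.site.local;
    return 301 http://site.local$request_uri;
}
# Main Bitrix site.
# NOTE(review): only plain HTTP is configured, so the basic-auth credentials and
#   the admin session for /bitrix/admin/ cross the network unencrypted.
server {
    listen 1.1.2.1:80;
    open_file_cache max=430000 inactive=120s;
    open_file_cache_valid 360s;
    open_file_cache_min_uses 1;
    open_file_cache_errors on;
    server_name site.local;
    access_log /mnt/log/nginx/access_akbpower.log;
    root /usr/local/www/site.local;
    index index.html index.php;
    # Add a trailing slash to URIs that contain no dot and no '?'.
    rewrite ^([^.\?]*[^/])$ $1/ permanent;
    # Strip index.php / index.html from the URL, except under /personal and /search.
    if ($request_uri ~ "^(/(?!personal|search).*)index\.(?:php|html)") {
        return 301 $1;
    }
    # Deny access based on HTTP method
    if ($bad_method = 1) {
        return 444;
    }
    # Deny access based on the User-Agent header
    if ($bad_bot = 1) {
        return 403;
    }
    # Deny access based on the Referer header
    if ($bad_referer = 1) {
        return 403;
    }
    location / {
        root /usr/local/www/site.local;
        index index.php;
        error_page 404 = /404.php;
    }
    # First regex location in the file. nginx tries regex locations in file order
    # and takes the first match, so every URI ending in .php is handled here
    # unless a '^~' prefix location (such as /bitrix/admin/) wins earlier.
    # NOTE(review): that includes .php files under /upload/, /bitrix/modules and
    #   /bitrix/php_interface; the deny rules further down are never consulted for
    #   them. A location that refuses scripts in /upload/ has to sit above this one.
    location ~ \.php$ {
        fastcgi_pass unix:/tmp/www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/local/www/site.local/$fastcgi_script_name;
        include fastcgi_params;
        # Only files that exist on disk are handed to PHP; anything else becomes
        # the 404 page.
        if (!-f $request_filename) {
            rewrite ^(.*)$ /404.php last;
        }
    }
    # Admin area: "satisfy any" admits a request that comes from the allowed
    # address OR carries valid basic-auth credentials.
    location ^~ /bitrix/admin/ {
        index index.php;
        satisfy any;
        allow 4.3.1.9;
        deny all;
        auth_basic "closed site";
        auth_basic_user_file /usr/local/.htpasswd;
        location ~ \.php$ {
            fastcgi_pass unix:/tmp/www.sock;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            # NOTE(review): rendered as a commented-out alternative, since it would
            #   otherwise duplicate the parameter above. TODO confirm.
            # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_ignore_client_abort off;
        }
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # NOTE(review): any origin may read this resource cross-site.
    location ~* ^/bitrix/components/bitrix/player/mediaplayer/player$ {
        add_header Access-Control-Allow-Origin *;
    }
    location ~* ^/(upload|bitrix/images|bitrix/tmp) {
        expires 30d;
        access_log off;
    }
    location = /404.html {
        access_log off ;
    }
    location ~* \.(swf|zip|rar|arj|cab|exe|dll|ico|jpg|jpeg|gif|bmp|png|mp3|avi|mov|mpg|mpeg|txt|amr|mmf|wml|wbmp|mid|midi|3gp)$ {
        expires 30d;
        charset utf-8;
        source_charset utf-8;
        access_log off;
    }
    # Bitrix internals and .ht* files. These rules are reached only by URIs that
    # none of the regex locations above has already matched.
    location ~ (/\.ht|/bitrix/modules|bitrix/managed_cache|bitrix/local_cache|bitrix/stack_cache|/upload/support/not_image|/bitrix/php_interface) {
        deny all;
        access_log off;
    }
    location ~* ^/upload/1c_[^/]+/ {
        deny all;
    }
    #location ~* /\.\./ { deny all; }
    location ~* ^/bitrix/html_pages/\.config\.php {
        deny all;
    }
    location ~* ^/bitrix/html_pages/\.enabled {
        deny all;
    }
    location ^~ /upload/support/not_image {
        internal;
    }
    #location ~* ^/bitrix/cache { deny all; }
    #location ~* .*$ { deny all; }
    # The dot is escaped so that only a literal "/.svn/" matches; the original
    # "/.svn/" accepted any character in that position.
    location ~ /\.svn/ {
        deny all;
        access_log off;
    }
    location ~ /\.ht {
        deny all;
        access_log off;
    }
}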

Тут можно посмотреть, какие редиректы можно добавить к конфигу nginx: редиректы nginx.


www.fryaha.ru

Настраиваем nginx без апача под битрикс (nginx+fastcgi)

Для некоторых случаев просто незаменимый конфиг. Привожу пример настройки под Битрикс с соблюдением всех правил ЧПУ, а также с композитным сайтом.

server {
listen 80;
server_name echo-group.biz;

# Path of the composite-cache file for this request, relative to the document root.
# NOTE(review): $host, $uri and $args all come from the request, so the path is
#   client-influenced; it is used for the -f test and the internal rewrite in the
#   locations further down.
set $test_file "bitrix/html_pages/$host$uri/index@$args.html";
set $storedAuth "";
set $usecache "";
# check user auth
# $storedAuth collects one letter per condition; it reads "ABC" only when the
# LOGIN and UIDH cookies are both present and the CC cookie is not "Y".
if ( $cookie_BITRIX_SM_LOGIN != "" ) { set $storedAuth "A"; }
if ( $cookie_BITRIX_SM_UIDH != "" ) { set $storedAuth "${storedAuth}B"; }
if ( $cookie_BITRIX_SM_CC != "Y" ) { set $storedAuth "${storedAuth}C"; }

# check all conditions for enable composite
# Each condition that holds appends one letter to $usecache; the cache file is
# served only when the value ends up as "ABCDEF" (F is added inside the locations).
# A: no BX-Action-Type request header
if ( $http_bx_action_type = "" ) { set $usecache "A"; }
# B: the request is a GET
if ( $request_method = "GET" ) { set $usecache "${usecache}B"; }
# C: no BITRIX_SM_NCC cookie
if ( $cookie_BITRIX_SM_NCC = "" ) { set $usecache "${usecache}C"; }
# D: the X-Forwarded-Scheme header does not contain "https"
# NOTE(review): this is a request header; unless a front proxy overwrites it,
#   the client chooses its value.
if ( $http_x_forwarded_scheme !~ "https" ){ set $usecache "${usecache}D"; }
# E: $storedAuth does not contain "ABC"
if ( $storedAuth !~ "ABC" ) { set $usecache "${usecache}E"; }

## cache location
# Serves the composite-cache .html files. "internal" means the location can be
# reached only through an internal redirect or rewrite, never by a client URI.
# NOTE(review): the -f test in "location /" looks under $document_root, while this
#   location serves from /home/bitrix/www/bitrix/cache; confirm that both resolve
#   to the same files.
location ~* @.*\.html$ {
    internal;
    root /home/bitrix/www/bitrix/cache;
}

# Default location: friendly URLs plus the composite-cache shortcut.
location / {
    root /home/bitrix/www;
    index index.php index.html index.htm;
    # Anything that is not an existing file or directory goes to the Bitrix URL router.
    if (!-e $request_filename){
        rewrite ^(.*)$ /bitrix/urlrewrite.php last;
    }
    # F: a cache file exists for this request
    if ( -f "$document_root/$test_file" ) { set $usecache "${usecache}F"; }
    # All six conditions hold: serve the cache file through an internal rewrite.
    if ($usecache = "ABCDEF" ){
        rewrite .* /$test_file last;
    }
    gzip_min_length 1100;
}

# Stop rewrite processing at server level for common static file types.
if ($request_filename ~* \.(css|js|gif|png|jpg|jpeg|ico)$) {
    break;
}
# PHP handler.
# NOTE(review): only a missing ".../index.php" is redirected; any other URI ending
#   in .php is passed to PHP-FPM whether or not the file exists. With PHP's
#   cgi.fix_pathinfo enabled this is the classic setup in which an uploaded
#   non-PHP file can end up being executed. Check that cgi.fix_pathinfo=0 and that
#   php-fpm's security.limit_extensions is set, or refuse missing files here.
# NOTE(review): 127.0.0.1:9000 can be reached by every local account; a unix socket
#   with restricted permissions narrows that.
location ~ \.php$ {
    root /home/bitrix/www;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    if (!-f $request_filename) {
        rewrite ^(.*)/index.php$ $1/ redirect;
    }
    # NOTE(review): $1 is whatever the last regex with a capture group stored;
    #   the regex of this location has none. Confirm what it holds at this point.
    set $test_file "bitrix/html_pages/$host$1@$args.html";
    if ( -f "$document_root/$test_file" ) { set $usecache "${usecache}F"; }
    if ($usecache = "ABCDEF" ){
        rewrite .* /$test_file last;
    }
}
# Closes the server block opened before the "set $test_file" line.
}


echo-group.biz

Конфиг под Битрикс nginx+php-fpm+ssl+http2 на ubuntu

Настраиваем хост под Битрикс на своем VDS

Делаю один магазинчик на Битрикс редакции «Малый бизнес» и решил поделиться конфигурацией хоста под nginx — может, кому-то пригодится. На PHP7 полет нормальный, версия Битрикс — 1С-Битрикс: Управление сайтом 16.5.4. По поводу установки SSL: сертификат от LE (Let's Encrypt), читать здесь; по поводу http2 — это из коробки ubuntu 16.04, стандартная сборка от хостера ihor, на котором поднят VDS; почитать, как там все просто ставится, можно здесь (это не реклама, а просто инфо :-).

#user 'user' virtual host 'site.com' configuration file
# NOTE(review): the source page lost its line breaks; the layout below is reconstructed.
# Plain-HTTP server: redirects everything to HTTPS.
server {
    listen *:80;
    server_name site.com;
    return 301 https://$server_name$request_uri;
}
# HTTPS server for the Bitrix site.
server {
    listen *:443 ssl http2;
    server_name site.com;
    keepalive_timeout 75 75;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    # File holding the passphrase(s) for the private key; it must be readable
    # only by the account that starts nginx.
    ssl_password_file /etc/nginx/ssl/ssl.pass;
    ssl_certificate /etc/letsencrypt/live/site.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem;
    ssl_dhparam /etc/ssl/dh3048.pem;
    # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if
    #   a known legacy client requires them.
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    # NOTE(review): the tail of this list still offers 3DES (DES-CBC3-SHA) and
    #   non-forward-secret AES-CBC suites; trim it together with the protocol list.
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    # HSTS for one year. nginx does not inherit add_header into a location that
    # sets its own add_header, so the composite-cache and player locations below
    # answer without this header.
    add_header Strict-Transport-Security 'max-age=31536000';
    ssl_stapling on;
    ssl_stapling_verify on;
    charset off;
    gzip on;
    gzip_comp_level 5;
    gzip_types application/x-javascript application/javascript text/css;
    index index.php;
    include /etc/nginx/vhosts-includes/*.conf;
    include /etc/nginx/vhosts-resources/site.com/*.conf;
    access_log /var/www/httpd-logs/site.com.access.log;
    error_log /var/www/httpd-logs/site.com.error.log notice;
    # NOTE(review): server-side includes are switched on for the whole host;
    #   confirm that the site needs them.
    ssi on;
    set $root_path /path/to/site.com;
    root $root_path;
    set $php_sock unix:/var/www/php-fpm/user.sock;
    # Applies only to the plain-HTTP listener declared at the end of this block.
    if ( $scheme = "http" ) {
        rewrite ^/(.*)$ https://$host/$1 permanent;
    }
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    # NOTE(review): request bodies of up to 1 GiB are accepted on every location.
    client_max_body_size 1024M;
    client_body_buffer_size 4M;
    location / {
        try_files $uri $uri/ @bitrix;
    }
    # Script-like files under /upload/ are returned as text/plain and never passed
    # to PHP. This regex location stands before "location ~ \.php$", and nginx takes
    # the first regex that matches, so it wins for these URIs.
    location ~* /upload/.*\.(php|php3|php4|php5|php6|phtml|pl|asp|aspx|cgi|dll|exe|shtm|shtml|fcg|fcgi|fpl|asmx|pht|py|psp|rb|var)$ {
        types {
            text/plain text/plain php php3 php4 php5 php6 phtml pl asp aspx cgi dll exe ico shtm shtml fcg fcgi fpl asmx pht py psp rb var;
        }
    }
    # PHP handler: existing scripts run as they are, anything else goes to @bitrix.
    # NOTE(review): the sender address in the PHP_ADMIN_VALUE lines appears to have
    #   been masked by the source page ("[email protected]"); put a real address there.
    # NOTE(review): this location precedes the /bitrix/admin location and the deny
    #   rules below, so ordinary .php URIs under /bitrix/admin, /bitrix/modules,
    #   /bitrix/php_interface and /bitrix/html_pages/.config.php are handled here,
    #   not by those later locations. Move the restrictive locations above this
    #   one if they are meant to apply to .php files.
    location ~ \.php$ {
        try_files $uri @bitrix;
        fastcgi_pass $php_sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f [email protected]";
        include fastcgi_params;
    }
    # Fallback: the Bitrix URL router.
    location @bitrix {
        fastcgi_pass $php_sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/bitrix/urlrewrite.php;
        fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f [email protected]";
    }
    # Admin scripts: a missing file falls back to the admin 404 page.
    # NOTE(review): appears unreachable for ordinary .php URIs, see the note on
    #   "location ~ \.php$" above.
    location ~* /bitrix/admin.+\.php$ {
        try_files $uri @bitrixadm;
        fastcgi_pass $php_sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f [email protected]";
        include fastcgi_params;
    }
    location @bitrixadm{
        fastcgi_pass $php_sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/bitrix/admin/404.php;
        fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f [email protected]";
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    #
    # block these locations for any installation
    #
    # ht(passwd|access)
    location ~* /\.ht {
        deny all;
    }
    # repositories
    location ~* /\.(svn|hg|git) {
        deny all;
    }
    # bitrix internal locations
    location ~* ^/bitrix/(modules|local_cache|stack_cache|managed_cache|php_interface) {
        deny all;
    }
    # upload files
    location ~* ^/upload/1c_[^/]+/ {
        deny all;
    }
    # use the file system to access files outside the site (cache)
    location ~* /\.\./ {
        deny all;
    }
    location ~* ^/bitrix/html_pages/\.config\.php {
        deny all;
    }
    location ~* ^/bitrix/html_pages/\.enabled {
        deny all;
    }
    # Internal locations
    location ^~ /upload/support/not_image {
        internal;
    }
    # Cache location: composite and general site
    location ~* @.*\.html$ {
        internal;
        # disable browser cache, php manage file
        expires -1y;
        add_header X-Bitrix-Composite "Nginx (file)";
    }
    # Player options, disable no-sniff
    # NOTE(review): any origin may read this resource cross-site.
    location ~* ^/bitrix/components/bitrix/player/mediaplayer/player$ {
        add_header Access-Control-Allow-Origin *;
    }
    # Accept access for merged css and js
    location ~* ^/bitrix/cache/(css/.+\.css|js/.+\.js)$ {
        expires 30d;
        error_page 404 /404.html;
    }
    # Disable access for other assets in cache location
    location ~* ^/bitrix/cache {
        deny all;
    }
    # Use nginx to return static content from s3 cloud storage
    # /upload/bx_cloud_upload/<schema>.<bucket_name>.<s3_point>.amazonaws.com/<path/to/file>
    location ^~ /upload/bx_cloud_upload/ {
        # Internal-only proxy; the upstream host is assembled from the URI captures
        # and is limited by the regex to the listed *.amazonaws.com endpoints.
        location ~ ^/upload/bx_cloud_upload/(http[s]?)\.([^/:]+)\.(s3|s3-us-west-1|s3-eu-west-1|s3-ap-southeast-1|s3-ap-northeast-1)\.amazonaws\.com/(.+)$ {
            internal;
            # NOTE(review): upstream names are resolved through a public resolver
            #   over plain DNS; a local resolver keeps those lookups on the host.
            resolver 8.8.8.8;
            proxy_method GET;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Server $host;
            #proxy_max_temp_file_size 0;
            proxy_pass $1://$2.$3.amazonaws.com/$4;
        }
        location ~* .*$ {
            deny all;
        }
    }
    # Static content
    location ~* ^/(upload|bitrix/images|bitrix/tmp) {
        expires 30d;
    }
    location ~* \.(css|js|gif|png|jpg|jpeg|ico|ogg|ttf|woff|eot|otf)$ {
        error_page 404 /404.html;
        expires 30d;
    }
    location = /404.html {
        access_log off ;
    }
    # NOTE(review): a plain-HTTP listener inside the TLS server; "x.x.x.x" is a
    #   placeholder on the page. The first server block already covers port 80.
    listen x.x.x.x:80;
}

Ну, собственно, после этого делаем установку системы, следуя всем инструкциям.

zharikov.site

Bitrix конфиг для nginx+php_fpm (fastcgi) / Заметки по битриксу / BPOU

# Bitrix on nginx + php-fpm (FastCGI), plain HTTP only.
# NOTE(review): the source page lost its line breaks; the layout below is reconstructed.
server {
    listen 80;
    server_name bitrixnginxcgi.com;
    location / {
        root /var/www/bitrixnginxcgi.com;
        index index.php index.html index.htm;
        # Anything that is not an existing file or directory goes to the Bitrix URL router.
        if (!-e $request_filename) {
            rewrite ^(.*)$ /bitrix/urlrewrite.php last;
        }
    }
    # NOTE(review): .txt is listed next to .php and .phtml, so text files outside
    #   /upload/ are also sent to FastCGI; confirm that this is intended.
    location ~ \.(php|phtml|txt)$ {
        root /var/www/bitrixnginxcgi.com;
        access_log /var/log/nginx/bitrixnginxcgi.log;
        # NOTE(review): only a missing ".../index.php" is redirected; other missing
        #   scripts are still passed to PHP-FPM. Check that PHP's cgi.fix_pathinfo
        #   is 0, or refuse missing files here.
        if (!-f $request_filename) {
            rewrite ^(.*)/index.php$ $1/ redirect;
        }
        # If a user of the site can upload an image, they can upload an exploit as well,
        # which FastCGI would happily execute. So FastCGI is not enabled for /upload/.
        # With no fastcgi_pass in effect, nginx serves such a file as a static file.
        if ($uri !~ "^/upload/") {
            fastcgi_pass 127.0.0.1:9000;
        }
        fastcgi_index index.php;
        #fastcgi_param SCRIPT_FILENAME /var/www/bitrixnginxcgi.com$fastcgi_script_name;
        # NOTE(review): SCRIPT_FILENAME is commented out above, so the included
        #   file has to define it. Verify.
        include /etc/nginx/fastcgi_params;
    }
    # Images and other static files are cached for 7 days.
    location ~* ^.+\.(bmp|gif|jpg|jpeg|ico|png|swf|tiff|css|js|xml)$ {
        root /var/www/bitrixnginxcgi.com;
        expires 7d;
    }
    # Block the old .htaccess files; other directories (such as git/svn) can be added here too.
    # NOTE(review): the pattern matches names that start with ".hta" only, so
    #   .htpasswd is not covered; "/\.ht" would cover both.
    location ~ /\.hta {
        deny all;
    }
    # Serve the content compressed.
    gzip on;
    gzip_types text/plain text/css text/javascript text/x-javascript application/x-javascript;
    gzip_vary on;
    gzip_http_version 1.0;
    gzip_proxied any;
    # IE6 and older do not understand compression, so they get the data as is;
    # this is why hackers pretend to be IE6, to avoid having to decompress the data.
    gzip_disable "MSIE [1-6]\.";
}

b.pages.org.ua

