Task #54316

Provide a Nginx server configuration

Added by Stefan Neufeind almost 5 years ago. Updated 10 months ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Install Tool
Target version:
-
Start date:
2013-12-11
Due date:
% Done:

0%

TYPO3 Version:
8
PHP Version:
Tags:
Complexity:
medium
Sprint Focus:

Description

We ship with .htaccess-configuration (by default only as an example). Imho we should also provide an equivalent in nginx syntax.


Related issues

Related to TYPO3 Core - Task #56553: Move files from toplevel to docs-directory Rejected 2014-03-04
Related to TYPO3 Core - Bug #71787: Redirection to Install Tool Closed 2015-11-23
Related to TYPO3 Core - Bug #76567: "Error - reference to main window is not set properly" on NGINX when using deprecated entry point browser.php Closed 2016-06-09
Related to TYPO3 Core - Task #83704: Add nginx server example Closed 2018-01-28

History

#1 Updated by Stefan Neufeind almost 5 years ago

Because nginx won't magically pull in configuration just because it exists in a file (like .htaccess), that would be more of a "documentation". But imho we should still ship it side by side with the example .htaccess and not just hide it somewhere in a wiki or even in the TYPO3 documentation.

#2 Updated by Pascal Dürsteler over 4 years ago

I am not sure where I should put this, otherwise I'd have made a commit. I adapted the .htaccess for Apache to nginx and it seems to work quite nicely. I am still testing it, though.

A few points to mention:
  • I didn't copy over the comments from .htaccess 1:1, but made some changes to them to fit nginx
  • I modified a few regexes to include more things, mostly for the sake of security
  • I added a "security" block to provide some basic security-related rules. I felt like this would be the right place.
  • There is no php-cgi or php-fpm block included, as I assume a sane environment with php already working when someone is deploying a TYPO3 setup on nginx. However, I'd suggest putting a second snippet into the documentation folder about the proper setup of php-fpm, since most of the tutorials are vulnerable to arbitrary code execution (see http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP).
  • I am not yet satisfied with the versioned static files rules, as an IF gets evaluated on EVERY request, which is a bit of a performance sucker. This may be solvable with try_files.

In addition to the previous points: I've put this configuration into conf.d/typo3.conf next to a php5.conf which contains the said php5-fpm settings. This allows very flexible host setups, as you just need to provide a server-block with root and hostname, and then include the desired configurations. So, my host config file is as simple as:

server {
    server_name ~(.*\.)?mydomain\..*;
    root /var/www/mydomain/public;

    include conf.d/php5.conf;
    include conf.d/typo3.conf;
}

The actual typo3.conf:

#####
#
# Example configuration file for TYPO3 CMS - for use with NGINX Webserver.
#
# This file includes settings for the following configuration options:
#
# - Compression via TYPO3
# - Security
# - Settings for URL rewriting
#
# If you want to use it, you have to include the following directives into your "server" block, 
# either by manually pasting it there or by using the "include" directive.
#
# IMPORTANT: You may need to change this file depending on your TYPO3 installation!
#
# Lines starting with a # are treated as comment and ignored by the web server.
#
# Questions about this file go to the matching Install mailing list, see
# http://typo3.org/documentation/mailing-lists/
#
####

### Begin: Compression via TYPO3 ###
#
# Compressing resource files will save bandwidth and so improve loading speed especially for users
# with slower internet connections. TYPO3 can compress the .js and .css files for you.
# *) Uncomment the following lines and
# *) Set $TYPO3_CONF_VARS['BE']['compressionLevel'] = '9' for the Backend
# *) Set $TYPO3_CONF_VARS['FE']['compressionLevel'] = '9' together with the TypoScript properties
#    config.compressJs and config.compressCss for GZIP compression of Frontend JS and CSS files.

# Enable gzip compression
#gzip  on;

# Disable gzip compression for browsers that don't support it (in this case MS Internet Explorer 
# before version 6 SV1).
#gzip_disable "MSIE [1-6]\.(?!.*SV1)";

# Set the response header Vary: Accept-Encoding. 
# Some proxies have a bug in that they serve compressed content to browsers that don't support it.
# By setting the Vary: Accept-Encoding header, you instruct proxies to store both a compressed and 
# uncompressed version of the content.
#gzip_vary on;

# Enables or disables gzipping of responses for proxied requests depending on the request and response.
#gzip_proxied any;

# This tells nginx what file types to compress (text/html is always compressed)
#gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;

# Add mime-type for compressed js files.
#location ~ \.js\.gzip$ {
#  types {
#    text/javascript gzip;
#  }
#  # Without this header the browser would receive the gzip bytes as plain JS.
#  add_header Content-Encoding gzip;
#}

# Add mime-type for compressed css files. Note that the extension nginx sees for
# "style.css.gzip" is "gzip", so the types entry must map "gzip", not "css".
#location ~ \.css\.gzip$ {
#  types {
#    text/css gzip;
#  }
#  add_header Content-Encoding gzip;
#}

### End: Compression via TYPO3 ###

### Begin: Security ###
#
# Prevent information disclosure by blocking files possibly containing sensitive information.
# Keep these rules above the browser caching rules below: nginx uses the first regex
# location that matches, so a deny rule placed after the asset rule would never be
# reached for a request like /.hidden/file.css.

# Block access to "hidden" directories or files.
location ~ /\. {
  deny all;
  access_log off;
  log_not_found off;
}

# Block access to files accidentally left on the server.
location ~ (\.(bak|config|sql(\.zip|\.gz|\.bz2)?|ini|log|sh|inc|swp|t3d)|~)$ {
  deny all;
  access_log off;
  log_not_found off;
}

# Restrict access to deleted files in Recycler directories
location ~ ^/fileadmin/(.*/)?_recycler_/ {
  deny all;
  access_log off;
  log_not_found off;
}

# Restrict access to TypoScript files in default templates directories
location ~ ^/fileadmin/templates/.*(\.txt|\.ts)$ {
  deny all;
  access_log off;
  log_not_found off;
}

# Restrict access to Private extension directories
location ~ ^/typo3conf/ext/[^/]+/Resources/Private/ {
  deny all;
  access_log off;
  log_not_found off;
}

### End: Security ###

### Begin: Browser caching of resource files ###

# Enable long browser caching for assets. This affects Frontend and Backend and increases performance.
# (The "~" regex modifier is required; without it nginx treats the pattern as a literal prefix.)
location ~ \.(css|js|gif|png|jpg|svg)$ {
  # etag is supported on nginx >= 1.3.3
  # etag on;
  expires max;
}

### End: Browser caching of resource files ###

### Begin: Settings for url rewriting ###
#
# You need rewriting, if you use a URL-Rewriting extension like realurl or cooluri.

# Rule for versioned static files, configured through:
# - $TYPO3_CONF_VARS['BE']['versionNumberInFilename']
# - $TYPO3_CONF_VARS['FE']['versionNumberInFilename']
#if (!-e $request_filename) {
#  rewrite ^(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ $1.$3 last;
#}

# Main URL rewriting
location / {
  try_files $uri $uri/ /index.php$is_args$args;
}

### End: Settings for url rewriting ###

#3 Updated by Riccardo De Contardi about 3 years ago

  • Category set to Documentation

#5 Updated by Juan Manuel Vergés Solanas over 2 years ago

rewrite ^(.*/)(ajax|alt_clickmenu|alt_db_navframe|alt_doc|alt_file_navframe|browser|db_new|dummy|init|login_frameset|logout|mod|move_el|show_item|tce_db|tce_file|thumbs)\.php$ $1deprecated.php last;

#6 Updated by Christian Weiske about 2 years ago

Pascal: The rule "Block access to hidden" directories or files." breaks RFC 5785 /.well-known/ URLs.

#7 Updated by taywa gmbh over 1 year ago

  • Category changed from Documentation to Install Tool
  • TYPO3 Version changed from 6.2 to 8
  • Complexity set to medium

I would also like a standard Nginx config to replace .htaccess. It should ship with the TYPO3 source.

#8 Updated by Riccardo De Contardi 10 months ago

  • Related to Task #83704: Add nginx server example added

#9 Updated by Riccardo De Contardi 10 months ago

I report here the configuration proposed by Jan Kiesewetter on #83704 to keep track of it.

server {
    listen                80;
    server_name           ${VHOST};
    root                  /app/web;
    client_max_body_size  100M;
    index                 index.php index.html index.htm;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # TYPO3 - Block access to composer files
    location ~* composer\.(?:json|lock) {
        deny all;
    }

    # TYPO3 - Block access to flexform files
    location ~* flexform[^.]*\.xml {
        deny all;
    }

    # TYPO3 - Block access to language files
    location ~* locallang[^.]*\.(?:xml|xlf)$ {
        deny all;
    }

    # TYPO3 - Block access to static typoscript files
    location ~* ext_conf_template\.txt|ext_typoscript_constants\.(?:txt|typoscript)|ext_typoscript_setup\.(?:txt|typoscript) {
        deny all;
    }

    # TYPO3 - Block access to miscellaneous protected files
    location ~* /.*\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|dist|fla|in[ci]|log|sh|sql)$ {
        deny all;
    }

    # TYPO3 - Block access to recycler and temporary directories
    location ~ _(?:recycler|temp)_/ {
        deny all;
    }

    # TYPO3 - Block access to configuration files stored in fileadmin
    location ~ fileadmin/(?:templates)/.*\.(?:txt|ts|typoscript)$ {
        deny all;
    }

    # TYPO3 - Block access to libraries, source and temporary compiled data
    # (the pattern needs the leading "/": request URIs always start with one,
    # so "^(?:vendor|...)" would never match)
    location ~ ^/(?:vendor|typo3_src|typo3temp/var) {
        deny all;
    }

    # TYPO3 - Block access to protected extension directories
    location ~ (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/ {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_read_timeout 240;
        fastcgi_pass         php-fpm:9000;
        fastcgi_index        index.php;
        include              fastcgi.conf;
    }
}
