TYPO3 Core

Because nginx won't magically pull in configuration because it exists in a file (like .htaccess) that would more be a "documentation". But imho we should still ship it side-by-side with the example .htaccess and not just hide it somewhere in a wiki or even the TYPO3-documentation.

I am not sure where I should put this, otherwise I'd have made a commit. I adapted the .htaccess for apache for nginx and it seems to work quite nice. I am still testing it out, though.

• I didn't copy over the comments from .htacces 1:1, but made some changes to them to fit nginx
• I modified a few regexes to include more things, mostly for the sake of security
• I added a "security" block to provide some basic security-related rules. I felt like this would be the right place.
• There is no php-cgi or php-fpm block included, as I assume a sane environment with php already working, when someone is deploying a TYPO3 setup on nginx. However, I'd suggest to put a second snippet into the documentations folder about the proper setup of php-fpm, since most of the tutorials are vulnerable to arbitrary code execution (see http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP).
• I am not yet satisfied with the versioned static files rules, as an IF gets evaluated on EVERY request, which is a bit of a performance sucker. This may be solvable with try_files.

In addition to the previous points: I've put this configuration into conf.d/typo3.conf next to a php5.conf which contains the said php5-fpm settings. This allows very flexible host setups, as you just need to provide a server-block with root and hostname, and then include the desired configurations. So, my host config file is as simple as:

server {
    server_name ~(.*\.)?mydomain\..*;
    root /var/www/mydomain/public;

    include conf.d/php5.conf;
    include conf.d/typo3.conf;
}

The actual typo3.conf:

#####
#
# Example configuration file for TYPO3 CMS - for use with NGINX Webserver.
#
# This file includes settings for the following configuration options:
#
# - Compression via TYPO3
# - Security
# - Settings for URL rewriting
#
# If you want to use it, you have to include the following directives into your "server" block, 
# either by manually pasting it there or by using the "include" directive.
#
# IMPORTANT: You may need to change this file depending on your TYPO3 installation!
#
# Lines starting with a # are treated as comment and ignored by the web server.
#
# Questions about this file go to the matching Install mailing list, see
# http://typo3.org/documentation/mailing-lists/
#
####

### Begin: Compression via TYPO3 ###
#
# Compressing resource files will save bandwidth and so improve loading speed especially for users
# with slower internet connections. TYPO3 can compress the .js and .css files for you.
# *) Uncomment the following lines and
# *) Set $TYPO3_CONF_VARS['BE']['compressionLevel'] = '9' for the Backend
# *) Set $TYPO3_CONF_VARS['FE']['compressionLevel'] = '9' together with the TypoScript properties
#    config.compressJs and config.compressCss for GZIP compression of Frontend JS and CSS files.

# Enable gzip compression
#gzip  on;

# Disable gzip compression for browsers that don't support it (in this case MS Internet Explorer 
# before version 6 SV1).
#gzip_disable "MSIE [1-6]\.(?!.*SV1)";

# Set the response header Vary: Accept-Encoding. 
# Some proxies have a bug in that they serve compressed content to browsers that don't support it.
# By setting the Vary: Accept-Encoding header, you instruct proxies to store both a compressed and 
# uncompressed version of the content.
#gzip_vary on;

# Enables or disables gzipping of responses for proxied requests depending on the request and response.
#gzip_proxied any;

# This tells nginx what file types to compress (text/html is always compressed)
#gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;

# Add mime-type for compressed js files.
#location ~ \.js\.gzip {
#  types {
#    text/javascript gzip;
#  }
#}

# Add mime-type for compressed css files.
#location ~ \.css\.gzip {
#  types {
#    text/css css;
#  }
#}

### End: Compression via TYPO3 ###

### Begin: Browser caching of resource files ###

# Enable long browser caching for assets. This affects Frontend and Backend and increases performance.
location \.(css|js|gif|png|jpg|svg)$ {
  # etag is supported on nginx >= 1.3.3
  # etag on;
  expires max;
}

### End: Browser caching of resource files ###

### Begin: Security ###
#
# Prevent information disclosure by blocking files possibly containing sensitive information.

# Block access to hidden" directories or files.
location ~ /\. {
  deny all;
  access_log off;
  log_not_found off;
}

# Block access files accidentally left on the server.
location (\.(bak|config|sql(\.zip|\.gz|\.bz2)?|ini|log|sh|inc|swp|t3d)|~)$ {
  deny all;
  access_log off;
  log_not_found off;
}

# Restrict access to deleted files in Recycler directories
location ~ ^/fileadmin/(.*/)?_recycler_/ {
  deny all;
  access_log off;
  log_not_found off;
}

# Restrict access to TypoScript files in default templates directories
location ~ ^/fileadmin/templates/.*(\.txt|\.ts)$ {
  deny all;
  access_log off;
  log_not_found off;
}

# Restrict access to Private extension directories
location ~ ^/typo3conf/ext/[^/]+/Resources/Private/ {
  deny all;
  access_log off;
  log_not_found off;
}

### End: Security ###

### Begin: Settings for url rewriting ###
#
# You need rewriting, if you use a URL-Rewriting extension like realurl or cooluri.

# Rule for versioned static files, configured through:
# - $TYPO3_CONF_VARS['BE']['versionNumberInFilename']
# - $TYPO3_CONF_VARS['FE']['versionNumberInFilename']
#if (!-e $request_filename) {
#  rewrite ^(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ $1.$3 last;
#}

# Main URL rewriting
location / {
  try_files $uri $uri/ /index.php$is_args$args;
}

### End: Settings for url rewriting ###

https://github.com/TYPO3/TYPO3.CMS/commit/f00efef1bd93181fe1c594bf169cd8ccb6eb7f63 "translation" for nginx needs to be included also for LTS

rewrite ^(.*/)(ajax|alt_clickmenu|alt_db_navframe|alt_doc|alt_file_navframe|browser|db_new|dummy|init|login_frameset|logout|mod|move_el|show_item|tce_db|tce_file|thumbs)\.php$ $1deprecated.php last;

Pascal: The rule "Block access to hidden" directories or files." breaks RFC 5785 /.well-known/ URLs.

I report here the configuration proposed by Jan Kiesewetter on #83704 to keep track of it

server {
    listen                80;
    server_name           ${VHOST};
    root                  /app/web;
    client_max_body_size  100M;
    index                 index.php index.html index.htm;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # TYPO3 - Block access to composer files
    location ~* composer\.(?:json|lock) {
        deny all;
    }

    # TYPO3 - Block access to flexform files
    location ~* flexform[^.]*\.xml {
        deny all;
    }

    # TYPO3 - Block access to language files
    location ~* locallang[^.]*\.(?:xml|xlf)$ {
        deny all;
    }

    # TYPO3 - Block access to static typoscript files
    location ~* ext_conf_template\.txt|ext_typoscript_constants\.(?:txt|typoscript)|ext_typoscript_setup\.(?:txt|typoscript) {
        deny all;
    }

    # TYPO3 - Block access to miscellaneous protected files
    location ~* /.*\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|dist|fla|in[ci]|log|sh|sql)$ {
        deny all;
    }

    # TYPO3 - Block access to recycler and temporary directories
    location ~ _(?:recycler|temp)_/ {
        deny all;
    }

    # TYPO3 - Block access to configuration files stored in fileadmin
    location ~ fileadmin/(?:templates)/.*\.(?:txt|ts|typoscript)$ {
        deny all;
    }

    # TYPO3 - Block access to libaries, source and temporary compiled data
    location ~ ^(?:vendor|typo3_src|typo3temp/var) {
        deny all;
    }

    # TYPO3 - Block access to protected extension directories
    location ~ (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/ {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_read_timeout 240;
        fastcgi_pass         php-fpm:9000;
        fastcgi_index        index.php;
        include              fastcgi.conf;
    }
}

The latest and working NGINX vHost configuration file for T3 v8, v9 and v10 can be found in the ddrud/ddev GIT repository.
https://github.com/drud/ddev/blob/master/containers/ddev-webserver/files/etc/nginx/nginx_typo3.conf

I will also update the System requirements documentation. (https://docs.typo3.org/m/typo3/guide-installation/master/en-us/In-depth/SystemRequirements/Index.html)

Would anyone be willing to create a patch for this?

I would suggest typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/. This already contains the sample .htaccess for Apache (filename root-htaccess) and sample configuration for IIS (as mentioned in https://docs.typo3.org/m/typo3/guide-installation/master/en-us/In-depth/SystemRequirements/Index.html#web-server-environment)

I think it would be preferable to have a working configuration shipped with each version of TYPO3. Also, if changes are made to the existing configuration, they can be made to the Apache config, IIS config and Nginx configs in one batch to keep these in sync.

This is the config file that Laravel homestead virtual box (https://github.com/laravel/homestead, ) is generating for me which works great (without any TYPO3 specific things):

server {
    listen 80;
    listen 443 ssl http2;
    server_name .typo3.test;
    root "/home/vagrant/Code/typo3/public";

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/typo3.test-error.log error;

    sendfile off;

    client_max_body_size 100m;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        fastcgi_intercept_errors off;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
    }

    location ~ /\.ht {
        deny all;
    }

    ssl_certificate     /etc/nginx/ssl/typo3.test.crt;
    ssl_certificate_key /etc/nginx/ssl/typo3.test.key;
}

Sybille Peters wrote:

Would anyone be willing to create a patch for this?

I would suggest typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/. This already contains the sample .htaccess for Apache (filename root-htaccess) and sample configuration for IIS (as mentioned in https://docs.typo3.org/m/typo3/guide-installation/master/en-us/In-depth/SystemRequirements/Index.html#web-server-environment)

I think it would be preferable to have a working configuration shipped with each version of TYPO3. Also, if changes are made to the existing configuration, they can be made to the Apache config, IIS config and Nginx configs in one batch to keep these in sync.

With nginx there is no default way to load a site config from the app folder like with IIS (web.config) or Apache httpd (.htaccess) therefore TYPO3 can not provide a configuration in the same way as it does for IIS and Apache.

But we could add a good example to the documentation.

ATM. I use this:
https://github.com/t3easy/docker-typo3/blob/master/.docker/web/default.conf
https://github.com/t3easy/docker-typo3/blob/master/.docker/web/typo3.conf

For the most part, I have only translated the IIS config to nginx.

I also include fastcgi.conf which is not available in every environment.
But every nginx config has some environment specific settings that must be ajusted.
At least server_name, root, and fastcgi_pass.

Link to documentation: https://docs.typo3.org/m/typo3/tutorial-getting-started/main/en-us/SystemRequirements/Index.html#web-server