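# Posted by wired420, September 23, 2018
#
# I've spent the last two days looking for a working nginx configuration with
# full friendly URL capability. I couldn't find one. So I trashed the
# configuration file and learned a little more about nginx myself. So someone
# else doesn't have to spend days trying to find this. This is my solution for
# Nginx 1.x with php-fpm 7.2.

user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http {
    # $http_x_forwarded_for is copied from a client-supplied request header;
    # treat that field as untrusted when the access log is used for
    # investigation or rate limiting.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 30;
    types_hash_max_size 2048;
    reset_timedout_connection on;
    client_body_timeout 10;
    send_timeout 3;

    # NOTE(review): responses are compressed over TLS. If a dynamic page
    # reflects request input next to a secret (CSRF token, session data),
    # review BREACH exposure and consider limiting gzip to static content.
    gzip on;
    gzip_min_length 100;
    gzip_proxied expired no-cache no-store private auth any;
    gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript application/json application/xml;
    gzip_vary on;
    gzip_disable msie6;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    # Plain HTTP: redirect everything to the canonical HTTPS host.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name example.com www.example.com;
        return 301 https://example.com$request_uri;
    }

    # HTTPS for www: terminate TLS, then redirect to the bare domain.
    server {
        # TLS is enabled by the "ssl" parameter on listen; the separate
        # "ssl on;" directive is deprecated since nginx 1.15.0 and is not used.
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name www.example.com;

        ssl_certificate "/etc/ssl/crt_ca_bundle_example.com.crt";
        # Keep the private key readable by root only.
        ssl_certificate_key "/etc/ssl/crt_example.com.key";
        ssl_session_cache shared:SSL:2m;
        ssl_session_timeout 120m;
        # Only ECDHE key exchange is offered. 3DES (64-bit block cipher) and
        # static-RSA key exchange (no forward secrecy) are left out, and both
        # TLS server blocks use the same list.
        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE+AES128:ECDHE+AES256';
        ssl_prefer_server_ciphers on;
        ssl_session_tickets off;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996). Add TLSv1.3 when nginx is
        # 1.13.0 or newer and built against OpenSSL 1.1.1 or newer.
        ssl_protocols TLSv1.2;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate "/etc/ssl/ca_only_bundle.crt";
        # Resolver used for the OCSP responder lookup.
        resolver 1.1.1.1 8.8.8.8 valid=300s;
        resolver_timeout 3s;

        # NOTE(review): the "preload" token is set, but the browser preload
        # list also expects includeSubDomains and a max-age of at least one
        # year (31536000). As written this is a plain 180-day HSTS policy.
        # Add includeSubDomains only once every subdomain serves HTTPS.
        add_header Strict-Transport-Security "max-age=15552000; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        # Legacy header that current mainstream browsers no longer act on;
        # a Content-Security-Policy is the durable control.
        add_header X-XSS-Protection "1";

        return 301 https://example.com$request_uri;
    }

    # HTTPS for the canonical host: serves the PHP application.
    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name example.com;

        ssl_certificate "/etc/ssl/crt_ca_bundle_example.com.crt";
        # Keep the private key readable by root only.
        ssl_certificate_key "/etc/ssl/crt_example.com.key";
        ssl_session_cache shared:SSL:2m;
        ssl_session_timeout 120m;
        # Same ECDHE-only list as the www block (no 3DES, no static RSA).
        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE+AES128:ECDHE+AES256';
        ssl_prefer_server_ciphers on;
        ssl_session_tickets off;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996). Add TLSv1.3 when nginx is
        # 1.13.0 or newer and built against OpenSSL 1.1.1 or newer.
        ssl_protocols TLSv1.2;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate "/etc/ssl/ca_only_bundle.crt";
        resolver 1.1.1.1 8.8.8.8 valid=300s;
        resolver_timeout 3s;

        # NOTE(review): "preload" without includeSubDomains and with
        # max-age below 31536000 does not meet the preload list's
        # requirements; see the note in the www block's policy above.
        add_header Strict-Transport-Security "max-age=15552000; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1";

        root /var/www/html;
        # Each directive ends with ';'. Without one after index.htm,
        # error_page and its arguments are parsed as extra index file names
        # and the custom 404 page is never configured.
        index index.php index.html index.htm;
        error_page 404 /not_found;

        # Announcements Rewrite
        # The dot before "html" is escaped so it matches a literal '.' only.
        rewrite ^/announcements/([0-9]+)/[a-zA-Z0-9-]+\.html$ /announcements.php?rp=$1 last;
        rewrite ^/announcements$ /announcements.php last;

        # Downloads Rewrite
        rewrite ^/downloads/([0-9]+)/([^/]*)$ /downloads.php?action=displaycat&catid=$1 last;
        rewrite ^/downloads$ /downloads.php last;

        # Knowledgebase Rewrite
        rewrite ^/knowledgebase/([0-9]+)/[a-zA-Z0-9-]+\.html$ /knowledgebase.php?action=displayarticle&id=$1 last;
        rewrite ^/knowledgebase/([0-9]+)/([^/]*)$ /knowledgebase.php?action=displaycat&catid=$1 last;
        rewrite ^/knowledgebase$ /knowledgebase.php last;

        location / {
            try_files $uri $uri/ /index.php?$query_string;

            # add_header is inherited from the enclosing level only when the
            # current level defines no add_header of its own. These locations
            # set Cache-Control, so the security headers are repeated here;
            # otherwise static files (including .html) are served without them.
            location ~* ^.+\.(pdf|html|swf|css|js)$ {
                expires 30d;
                add_header Cache-Control "public, no-transform";
                add_header Strict-Transport-Security "max-age=15552000; preload";
                add_header X-Frame-Options DENY;
                add_header X-Content-Type-Options nosniff;
                add_header X-XSS-Protection "1";
            }

            location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg)$ {
                expires 365d;
                add_header Cache-Control "public, no-transform";
                add_header Strict-Transport-Security "max-age=15552000; preload";
                add_header X-Frame-Options DENY;
                add_header X-Content-Type-Options nosniff;
                add_header X-XSS-Protection "1";
            }
        }

        location ~ [^/]\.php(/|$) {
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # Keep this check: only a request that maps to an existing file
            # under the document root is handed to PHP-FPM, so a URI such as
            # /upload.jpg/x.php is answered with 404 instead of being
            # passed on to the PHP interpreter.
            try_files $uri =404;
            fastcgi_pass unix:/var/run/php-fpm.sock;
            fastcgi_buffers 8 16k;
            fastcgi_buffer_size 32k;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi_params;
            fastcgi_keep_conn on;
        }
    }
}

# You will have to modify domains and such to match your own but this setup
# solved all rewrite problems, and solved all socket closed fpm problems. Setup
# is in use on a HEAVILY loaded server. Almost twice as fast as was running
# under Apache (2.3s Load) Nginx (1.18s Load). Also have a configuration for
# email piping without cPanel if anyone wants. Will post in my own knowledge
# base as well but I kept being referred by google to out of date articles on
# this site so I wanted to put it here too.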
UHL Hosting Posted May 25, 2020 Would be great to get also the mail nginx settings. And maybe some updates on this one config?