gulien/nginx-configuration-blueprint-symfony.md

## nginx-configuration-blueprint-symfony.md

      
    Raw
  

              nginx-configuration-blueprint-symfony.md
            
          
    Simple example on how to update the php-fpm.conf file for a Symfony application.
It should be used for the kickoff-docker-php.

  
## orbit-build.yml
# add this line on top of the stack of the command "nginx-build".
- orbit generate -t modules/nginx/conf.d/php-fpm.blueprint.conf -o modules/nginx/conf.d/php-fpm.conf -e Config,config/.env {{ if debug }}-d{{ end }}

## php-fpm.blueprint.conf
server {
    listen 80;
    server_name _;
    charset utf-8;

    root /var/www/html/web;

    # Uploads to 100M
    client_max_body_size 100m;

    location / {
        {{- if eq "local" .EnvFiles.Config.ENV }}
        try_files $uri /app_dev.php$is_args$args;
        {{- else }}
        try_files $uri /app.php$is_args$args;
        {{- end }}
    }

    ## Begin - Security

    # don't send the nginx version number in error pages and Server header
    server_tokens off;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options SAMEORIGIN;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: ; style-src 'self' fonts.googleapis.com 'unsafe-inline' 'unsafe-eval'; font-src 'self' fonts.googleapis.com fonts.gstatic.com; child-src 'none'; object-src 'self'; connect-src 'self'";

    # deny all direct access for these folders
    location ~* /(.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
    # deny running scripts inside core vendor folder
    location ~* /(vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
    # deny access to specific files in the root folder
    location ~ /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; }
    ## End - Security

    ## Begin - PHP
    {{- if eq "local" .EnvFiles.Config.ENV }}
    location ~ ^/(app_dev|config)\.php(/|$) {
        fastcgi_pass php-fpm:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
    }
    {{- else }}
    location ~ ^/app\.php(/|$) {
        fastcgi_pass php-fpm:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        internal;
    }
    {{- end }}

    location ~ \.php$ { return 404; }

    ## End - PHP

    location ~* ^.+\.(ico|js|gif|jpg|jpeg|png|bmp)$ {
        expires 30d;
    }
}
	# add this line on top of the stack of the command "nginx-build".
	- orbit generate -t modules/nginx/conf.d/php-fpm.blueprint.conf -o modules/nginx/conf.d/php-fpm.conf -e Config,config/.env {{ if debug }}-d{{ end }}
	server {
	listen 80;
	server_name _;
	charset utf-8;

	root /var/www/html/web;

	# Uploads to 100M
	client_max_body_size 100m;

	location / {
	{{- if eq "local" .EnvFiles.Config.ENV }}
	try_files $uri /app_dev.php$is_args$args;
	{{- else }}
	try_files $uri /app.php$is_args$args;
	{{- end }}
	}

	## Begin - Security

	# don't send the nginx version number in error pages and Server header
	server_tokens off;

	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Frame-Options SAMEORIGIN;
	add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: ; style-src 'self' fonts.googleapis.com 'unsafe-inline' 'unsafe-eval'; font-src 'self' fonts.googleapis.com fonts.gstatic.com; child-src 'none'; object-src 'self'; connect-src 'self'";

	# deny all direct access for these folders
	location ~* /(.git\|cache\|bin\|logs\|backup\|tests)/.*$ { return 403; }
	# deny running scripts inside core vendor folder
	location ~* /(vendor)/.*\.(txt\|xml\|md\|html\|yaml\|php\|pl\|py\|cgi\|twig\|sh\|bat)$ { return 403; }
	# deny access to specific files in the root folder
	location ~ /(LICENSE.txt\|composer.lock\|composer.json\|nginx.conf\|web.config\|htaccess.txt\|\.htaccess) { return 403; }
	## End - Security

	## Begin - PHP
	{{- if eq "local" .EnvFiles.Config.ENV }}
	location ~ ^/(app_dev\|config)\.php(/\|$) {
	fastcgi_pass php-fpm:9000;
	fastcgi_split_path_info ^(.+\.php)(/.*)$;
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
	fastcgi_param DOCUMENT_ROOT $realpath_root;
	}
	{{- else }}
	location ~ ^/app\.php(/\|$) {
	fastcgi_pass php-fpm:9000;
	fastcgi_split_path_info ^(.+\.php)(/.*)$;
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
	fastcgi_param DOCUMENT_ROOT $realpath_root;
	internal;
	}
	{{- end }}

	location ~ \.php$ { return 404; }

	## End - PHP

	location ~* ^.+\.(ico\|js\|gif\|jpg\|jpeg\|png\|bmp)$ {
	expires 30d;
	}
	}