Created
May 15, 2017 11:11
-
-
Save jhit/b7589917f167546e7edb37b5056da2d3 to your computer and use it in GitHub Desktop.
Nginx Configuration for JTL-Shop 4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| user www-data; | |
| worker_processes auto; | |
| pid /run/nginx.pid; | |
| worker_rlimit_nofile 100000; | |
| events { | |
| worker_connections 4096; | |
| multi_accept on; | |
| use epoll; | |
| } | |
| http { | |
| ## | |
| # Basic Settings | |
| ## | |
| sendfile on; | |
| tcp_nopush on; | |
| tcp_nodelay on; | |
| keepalive_timeout 65; | |
| types_hash_max_size 2048; | |
| reset_timedout_connection on; | |
| server_tokens off; | |
| server_names_hash_bucket_size 64; | |
| server_name_in_redirect off; | |
| include /etc/nginx/mime.types; | |
| default_type application/octet-stream; | |
| fastcgi_buffers 256 16k; | |
| fastcgi_buffer_size 128k; | |
| fastcgi_connect_timeout 3s; | |
| fastcgi_send_timeout 120s; | |
| fastcgi_read_timeout 120s; | |
| fastcgi_busy_buffers_size 256k; | |
| fastcgi_temp_file_write_size 256k; | |
| ## | |
| # SSL Settings | |
| ## | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; | |
| # für mehr Abwärtskompatibilität: | |
| #ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; | |
| ssl_prefer_server_ciphers on; | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_buffer_size 4k; | |
| ssl_session_timeout 180m; | |
| ssl_dhparam /etc/nginx/ssl/dhparam.pem; | |
| open_file_cache max=200000 inactive=20s; | |
| open_file_cache_valid 60s; | |
| open_file_cache_min_uses 2; | |
| open_file_cache_errors on; | |
| client_max_body_size 64M; | |
| ## | |
| # Gzip Settings | |
| ## | |
| gzip on; | |
| gzip_disable "msie6"; | |
| gzip_vary on; | |
| gzip_proxied any; | |
| gzip_comp_level 6; | |
| gzip_buffers 16 32k; | |
| gzip_http_version 1.1; | |
| gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| upstream _php { | |
| # php via socket - Pfad entsprechend anpassen | |
| server unix:/var/run/php/php7.0-fpm.sock; | |
| # alternativ via localhost/port: | |
| #server 127.0.0.1:9000 | |
| } | |
| server { | |
| listen *:443 http2; | |
| listen *:80; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; | |
| # für mehr Abwärtskompatibilität: | |
| #ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; | |
| ssl_prefer_server_ciphers on; | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_certificate /etc/nginx/ssl/certificate.crt; | |
| ssl_certificate_key /etc/nginx/ssl/certificate.key; | |
| # oder beispielsweise mit Let's encrypt: | |
| #ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; | |
| #ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; | |
| # optional: OCSP stapling | |
| # zertifikat zu finden unter https://github.com/letsencrypt/website/blob/master/certs/lets-encrypt-x3-cross-signed.pem | |
| #ssl_stapling on; | |
| #ssl_stapling_verify on; | |
| #ssl_trusted_certificate /etc/letsencrypt/live/example.com/lets-encrypt-x3-cross-signed.pem; | |
| #resolver 8.8.4.4 8.8.8.8; | |
| # optional: DHE - generieren via "openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096" | |
| # ssl_dhparam /etc/nginx/ssl/dhparam.pem; | |
| add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; | |
| add_header X-Content-Type-Options nosniff; | |
| add_header X-XSS-Protection "1; mode=block"; | |
| #add_header Content-Security-Policy "default-src https:; connect-src https:; font-src https: data:; frame-src https:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:;"; | |
| #add_header X-Frame-Options SAMEORIGIN; | |
| #add_header Public-Key-Pins 'pin-sha256="<FILLMEOUT>"; pin-sha256="<FILLMEOUT>";max-age=5184000; includeSubDomains'; | |
| server_name example.com | |
| root /var/www/shop; | |
| index index.php index.html; | |
| error_log /var/log/nginx/example_errors.log notice; | |
| access_log /var/log/nginx/example_access.log combined buffer=16k; | |
| include /etc/nginx/fastcgi_params; | |
| location ~* \.(eot|ttf|woff|woff2|svg|css|less)$ { | |
| expires max; | |
| add_header Access-Control-Allow-Origin *; | |
| add_header Pragma public; | |
| access_log off; | |
| log_not_found off; | |
| } | |
| location @img_proxy { | |
| rewrite ^(.*)$ /index.php; | |
| } | |
| location ~ \.(gif|jpg|jpeg|png)$ { | |
| root /var/www/example; | |
| try_files $uri @img_proxy; | |
| expires max; | |
| add_header Pragma public; | |
| access_log off; | |
| log_not_found off; | |
| } | |
| location ~* \.(js|css|ico)$ { | |
| expires max; | |
| add_header Pragma public; | |
| access_log off; | |
| log_not_found off; | |
| } | |
| location = /robots.txt { | |
| allow all; | |
| log_not_found off; | |
| access_log off; | |
| } | |
| location ~ \.php$ { | |
| try_files $uri $uri/ =404; | |
| fastcgi_pass _php; | |
| } | |
| rewrite ^/includes/libs/minify/([a-z]=.*) /includes/libs/minify/index.php?$1 last; | |
| rewrite ^/min/([a-z]=.*) /min/index.php?$1 last; | |
| rewrite ^/asset/(.*) /includes/libs/minify/index.php?g=$1 last; | |
| rewrite ^/((urllist|sitemap_).*\.(xml|txt)(\.gz)?)$ /includes/sitemap.php?datei=$1 break; | |
| location / { | |
| try_files $uri $uri/ /index.php?q=$uri&$args; | |
| } | |
| location /includes { | |
| location ~cron_inc.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~sitemap.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~preisverlaufgraph.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~preisverlaufgraph_ofc.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~newslettertracker.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~libs/minify/index.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~plugins/kk_dropper/version/(.*)/adminmenu/kk_upload.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~plugins/jtl_amazon/version/(.*)/frontend/ipn.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~plugins/jtl_amazon/version/(.*)/frontend/feed.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~modules/notify.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~modules/libs/kcfinder-2.5.4/themes { | |
| fastcgi_pass _php; | |
| } | |
| location ~modules/paypal/PayPal.class.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~modules/safetypay{ | |
| fastcgi_pass _php; | |
| } | |
| location ~captcha/captcha.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~libs/kcfinder/browse.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~libs/kcfinder/upload.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~libs/kcfinder/css.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~libs/kcfinder/js_localize.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~libs/kcfinder-2.5.4/browse.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~libs/kcfinder-2.5.4/upload.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~libs/kcfinder-2.5.4/css.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~libs/kcfinder-2.5.4/js_localize.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~libs/kcfinder-2.5.4/js/browser/joiner.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~ext/uploads_cb.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~plugins/jtl_cdn/(.*)/ajax.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~plugins/jtl_search/(.*)/suggest.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~plugins/jtl_search/(.*)/suggestforward.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~plugins/jtl_ustdownload/(.*)/set_default.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~plugins/evo_editor/(.*)/api.php{ | |
| fastcgi_pass _php; | |
| } | |
| location ~ \.php$ { | |
| deny all; | |
| } | |
| } | |
| location /classes { | |
| location ~ \.php$ { | |
| deny all; | |
| } | |
| } | |
| location /templates { | |
| location ~ \.php$ { | |
| deny all; | |
| } | |
| location ~ \.tpl$ { | |
| deny all; | |
| } | |
| } | |
| location /jtllogs { | |
| deny all; | |
| } | |
| location /update { | |
| deny all; | |
| } | |
| location /uploads { | |
| deny all; | |
| } | |
| location ~ /\. { | |
| deny all; | |
| access_log off; | |
| log_not_found off; | |
| } | |
| location /xhgui { | |
| try_files $uri $uri/ /xhgui/webroot/index.php?$uri&$args; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment