@lifeofguenter
Last active November 7, 2017 13:52
Laravel on Nginx + PHP-FPM (replace APP_DOMAIN)
# Main nginx configuration; the server blocks live in vhosts/*.conf (included at the end of http {}).
user www-data www-data;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
worker_processes auto;
# per-worker fd limit; must stay within the OS limit of the master process
worker_rlimit_nofile 100000;
pcre_jit on;
events {
use epoll;
worker_connections 2048;
multi_accept on;
}
http {
include mime.types;
default_type application/octet-stream;
# resolvers used by nginx itself (e.g. for OCSP stapling configured in secure-ssl.conf);
# these are plain UDP DNS lookups to public resolvers -- a local/trusted resolver is preferable
resolver 8.8.8.8 8.8.4.4 valid=600s;
resolver_timeout 4s;
# make usage of $https dynamic
# $fcgi_https is "on" for TLS connections and empty otherwise (map default); php.conf
# passes it to PHP-FPM as the HTTPS parameter
map $https $fcgi_https {
on on;
}
# make usage of $scheme dynamic
# $the_scheme follows X-Forwarded-Proto; that header can be set by any client unless a
# proxy in front overwrites it, so only use this variable behind such a proxy.
# NOTE(review): $the_scheme is not referenced in the files shown here -- confirm a vhost uses it
map $http_x_forwarded_proto $the_scheme {
default $scheme;
https https;
}
# $http_host is part of every line because several tenants share one server block
log_format multitenant '$remote_addr $remote_user - [$time_local] $http_host "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
# security
# hide the nginx version in the Server header and on error pages
server_tokens off;
# performance
sendfile on;
tcp_nopush on;
tcp_nodelay on;
# access logging is off by default; the vhost turns it back on with the multitenant format
access_log off;
open_file_cache max=10000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
# lookup failures are cached as well, so a file created right after a miss may
# keep returning 404 for up to open_file_cache_valid (60s)
open_file_cache_errors on;
keepalive_requests 1024;
keepalive_timeout 120;
send_timeout 60s;
client_header_timeout 60s;
client_body_timeout 60s;
# upper bound for uploads; requests above it are rejected with 413
client_max_body_size 100M;
reset_timedout_connection on;
# special munin-node vhost
#include common/munin-node.conf;
# vhosts
include vhosts/*.conf;
}
# plain-HTTP vhost: permanently redirect every request to HTTPS, keeping host and URI.
# Note that this also redirects /.well-known/ requests, so an ACME http-01 client would
# have to follow the redirect to the HTTPS vhost.
server {
listen 80;
server_name APP_DOMAIN;
# $host rather than $server_name so the redirect keeps the hostname the client asked for
return 301 https://$host$request_uri;
}
# HTTPS vhost for APP_DOMAIN; the document root is Laravel's public/ directory.
server {
listen 443 ssl http2;
# protocol/cipher hardening, OCSP stapling and security headers
include secure-ssl.conf;
ssl_certificate /etc/ssl/live/APP_DOMAIN/fullchain.pem;
ssl_certificate_key /etc/ssl/live/APP_DOMAIN/privkey.pem;
# issuer chain used to verify stapled OCSP responses (ssl_stapling_verify in secure-ssl.conf)
ssl_trusted_certificate /etc/ssl/live/APP_DOMAIN/chain.pem;
# only used by the DHE-* suites of the cipher list
ssl_dhparam /etc/ssl/live/APP_DOMAIN/dhparam.pem;
server_name APP_DOMAIN;
# set custom headers
include headers.conf;
# disable any usable /index.php request
# "return" is safe inside "if"; the query string is intentionally dropped by
# sending the client to the site root
if ($request_uri ~* "^(.*/)index\.php(/?)(.*)") {
return 301 https://$host/;
}
# NOTE(review): $real_scheme is not referenced in the files shown here -- confirm it is needed
set $real_scheme $scheme;
# trust X-Forwarded-For only when the connection comes from RFC 1918 ranges (the
# reverse proxy / load balancer). Any host in those ranges that can reach this
# listener could spoof $remote_addr, so the listener should only be reachable
# through that proxy.
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Forwarded-For;
# walk the X-Forwarded-For chain from the right, skipping trusted proxy addresses
real_ip_recursive on;
# only public/ is exposed; with the standard Laravel layout .env and the application
# code live one level up and are not reachable through this root
root /app/public;
# deny rules for dotfiles and backup files. Regex locations are matched in order of
# appearance, so this include must stay ahead of the *.php location below.
include drop.conf;
# compression settings and the long-cached static-asset location
include assets.conf;
# avoid dupe slashes
# (merge_slashes is already on by default; kept explicit)
merge_slashes on;
# redirect URIs that still contain "//" to the merged $uri; rewrite inside a
# server-level "if" is fine
if ($request_uri ~ "^[^?]*?//") {
rewrite "^" $uri permanent;
}
location / {
# strip trailing slashes with a permanent redirect
rewrite ^/(.*)/+$ /$1 permanent;
# per-host file first, then the shared file, then the static entry page, and
# finally the Laravel front controller with the original query string
try_files /$host$uri $uri /index.html /index.php$is_args$args;
}
# serve any php script
# matches /x.php and /x.php/path-info; the FastCGI setup lives in php.conf
location ~ [^/]\.php(/|$) {
include php.conf;
}
# logging
error_log /logs/error.log error;
access_log /logs/access.log multitenant;
}
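# See: https://cipherli.st/ & https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# secure-ssl.conf: TLS hardening and security headers, included from the HTTPS server
# block. TLS is already enabled by the "ssl" parameter on "listen 443 ssl http2", so the
# deprecated "ssl on;" directive (deprecated since nginx 1.15.0) is not needed here.
#
# ECDHE + AEAD suites only. The previous list still admitted 3DES (SWEET32) and plain
# RSA key exchange without forward secrecy. OpenSSL ignores cipher names it does not
# know, so builds without CHACHA20 simply skip those entries.
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
# TLS 1.0 and 1.1 are deprecated (RFC 8996). TLSv1.3 requires nginx >= 1.13.0 built
# against OpenSSL >= 1.1.1; remove it from this line on older builds.
ssl_protocols TLSv1.2 TLSv1.3;
# prefer X25519 and fall back to the NIST curves; the colon-separated list needs
# nginx >= 1.11.0 and X25519 needs OpenSSL >= 1.1.0
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# session tickets are protected by a key nginx only rotates on restart, which
# weakens forward secrecy; resumption still works through the shared cache above
ssl_session_tickets off;
# OCSP stapling; responses are verified against ssl_trusted_certificate from the vhost
# and fetched through the resolver configured in nginx.conf
ssl_stapling on;
ssl_stapling_verify on;
# Security headers. "always" adds them to error responses as well.
# NOTE: nginx inherits add_header into a location only if that location declares no
# add_header of its own, so locations that set their own headers (e.g. the static-asset
# location in assets.conf) must repeat these.
# HSTS with includeSubDomains + preload commits every subdomain to HTTPS for two
# years and is hard to undo once preloaded; keep "preload" only if the domain is meant
# to be submitted to the preload list.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# legacy reflective-XSS filter header; current browsers ignore it
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options nosniff always;
# framing is not restricted here; enable if the application is not meant to be framed:
# add_header X-Frame-Options SAMEORIGIN always;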
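# php.conf: FastCGI handler included from the "location ~ [^/]\.php(/|$)" block.
# split "/script.php/extra/path" into the script ($fastcgi_script_name) and the
# path-info part ($fastcgi_path_info)
fastcgi_split_path_info ^(.+\.php)(.*)$;
# try_files re-evaluates the location and clears $fastcgi_path_info (documented nginx
# behaviour), so capture it before the check
set $php_path_info $fastcgi_path_info;
# only hand requests to PHP-FPM when the script exists on disk; with cgi.fix_pathinfo=1
# in PHP a request such as /uploads/file.png/x.php would otherwise be executed as PHP
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_pass_header Authorization;
fastcgi_index index.php;
# stock parameter set; the explicit fastcgi_param lines below override matching entries
include fastcgi.conf;
fastcgi_param HOSTNAME $hostname;
fastcgi_param SERVER_NAME $host;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
# path-info from the captured value, not the (reset) $fastcgi_path_info
fastcgi_param PATH_INFO $php_path_info;
fastcgi_param PATH_TRANSLATED $document_root$php_path_info;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
# "on" for TLS requests, unset otherwise (map in nginx.conf)
fastcgi_param HTTPS $fcgi_https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
# httpoxy mitigation: a client-supplied "Proxy:" header would otherwise reach PHP as
# HTTP_PROXY, which some HTTP client libraries honour as an outbound proxy setting
fastcgi_param HTTP_PROXY "";
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;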
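# assets.conf: response compression and the long-cached static-asset location,
# included at server level in the HTTPS vhost.
# static file compression
# gzip_static serves a pre-built "<file>.gz" next to the file when present.
# NOTE: gzip also applies to dynamic text/html (always compressed when gzip is on);
# compressing pages that reflect attacker-controlled input next to secrets (e.g. CSRF
# tokens) is the precondition for BREACH -- consider disabling compression for such
# responses at the application level.
gzip_static on;
gzip on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types
    text/richtext
    text/plain
    text/css
    text/x-script
    text/x-component
    text/x-java-source
    application/javascript
    application/x-javascript
    text/javascript
    text/js
    image/x-icon
    text/xml
    application/xml
    application/rss+xml
    application/json
    application/xhtml+xml
    font/ttf
    font/otf
    font/woff
    font/woff2
    image/svg+xml
    application/vnd.ms-fontobject
    application/ttf
    application/x-ttf
    application/otf
    application/x-otf
    application/truetype
    application/opentype
    application/x-opentype
    application/woff
    application/eot
    application/font
    application/font-woff
    application/font-sfnt;
gzip_disable "msie6";
gzip_vary on;
# brotli_* directives require the third-party ngx_brotli module; nginx refuses to
# start on an unknown directive if it is not compiled in
brotli_static on;
brotli on;
brotli_types
    text/richtext
    text/plain
    text/css
    text/x-script
    text/x-component
    text/x-java-source
    application/javascript
    application/x-javascript
    text/javascript
    text/js
    image/x-icon
    text/xml
    application/xml
    application/rss+xml
    application/json
    application/xhtml+xml
    font/ttf
    font/otf
    font/woff
    font/woff2
    image/svg+xml
    application/vnd.ms-fontobject
    application/ttf
    application/x-ttf
    application/otf
    application/x-otf
    application/truetype
    application/opentype
    application/x-opentype
    application/woff
    application/eot
    application/font
    application/font-woff
    application/font-sfnt;
brotli_comp_level 4;
# static file expire
location ~* \.(css|js|jpg|jpeg|gif|ico|png|bmp|pict|csv|doc|pdf|pls|ppt|tif|tiff|eps|ejs|swf|midi|mid|ttf|eot|woff|woff2|otf|svg|svgz|webp|docx|xlsx|xls|pptx|ps|class|jar)$ {
    # one-year Expires / Cache-Control: max-age, plus "public" for shared caches
    expires 1y;
    add_header Cache-Control public;
    # declaring add_header here hides every server-level add_header (nginx inherits
    # them only into levels that declare none), so the security headers that
    # secure-ssl.conf sets at server level are repeated for asset responses
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options nosniff always;
    include headers.conf;
    # per-host override first, then the shared file; the "if (-f ...) rewrite" that
    # used to precede this (already marked "deprecated?") performed the same
    # /$host$uri lookup and has been dropped. Unknown assets fall through to the
    # front controller so Laravel can route or 404 them.
    # default to frontend-controller on 404
    try_files /$host$uri $uri /index.html /index.php$is_args$args;
}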
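# drop.conf: deny dotfiles/dot-directories (.git, .htaccess, .env, ...) and editor
# backup files (*~) under the document root. Regex locations are matched in order of
# appearance, so this file must stay included ahead of the *.php location in the vhost.
# /.well-known/ is exempted so ACME http-01 challenges and security.txt (RFC 9116)
# can be served from public/.well-known/; remove the exemption if that is not wanted.
location ~ /\.(?!well-known/) { access_log off; log_not_found off; deny all; }
location ~ ~$ { access_log off; log_not_found off; deny all; }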
# headers.conf: extra response headers, included at server level in the vhost and again
# inside the static-asset location of assets.conf (nginx does not inherit add_header into
# a location that declares its own).
# X-UA-Compatible is only honoured by old Internet Explorer and "chrome=1" refers to the
# retired Chrome Frame plug-in; harmless, but it carries no security value.
add_header X-UA-Compatible 'IE=Edge,chrome=1' always;