@socketz
Last active August 8, 2018 02:57
Prestashop 1.6.x + Nginx 1.13.x + PHP-FPM 7.0 + SSL Let's Encrypt Configuration Example

Prestashop 1.6.x + Nginx 1.13.x + PHP-FPM 7.0 + SSL Let's Encrypt

Place the files at the following paths (or at paths of your choice) and adjust the include paths in the files below accordingly:

  • /data/nginx/config/global/acme-challenge.conf
  • /data/nginx/config/global/restrictions.conf
  • /data/nginx/config/global/expires.conf
  • /data/nginx/config/snippets/ssl-params.conf
  • /data/nginx/config/conf.d/example.com.conf

Note: obtaining the "Let's Encrypt" certificates (or any other SSL certificates) is up to you; this configuration only references them.

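# acme-challenge.conf: answers Let's Encrypt HTTP-01 challenges.
# Designed to be included in a server {} block. Include it in the port-80
# server too: a server-level "return 301" runs before any location is
# consulted, so a redirect-only server cannot answer a challenge unless the
# redirect itself lives in a "location / {}".

# Other /.well-known/ resources (e.g. security.txt). The dot is escaped and
# the pattern anchored; the original "~ /.well-known" also matched
# "/xwell-known" and any URI merely containing that substring.
location ~ ^/\.well-known(/|$) {
    allow all;
}

# Challenge tokens. "^~" makes this prefix location win over every regex
# location, including the "deny all" for dot-files in restrictions.conf.
# NOTE: "root" is joined with the full request URI, so the original
# "root /data/nginx/www/.well-known/acme-challenge/" looked for tokens under
# /data/nginx/www/.well-known/acme-challenge/.well-known/acme-challenge/.
# With "root /data/nginx/www" a token is read from
# /data/nginx/www/.well-known/acme-challenge/<token>, which is what an ACME
# client writing to webroot /data/nginx/www produces.
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /data/nginx/www;
}

# No listing of the challenge directory itself.
location = /.well-known/acme-challenge/ {
    return 404;
}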
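# Global restrictions configuration file.
# Designed to be included in any server {} block, after acme-challenge.conf
# (its "^~ /.well-known/acme-challenge/" prefix must take precedence over the
# dot-file deny below).

location = /favicon.ico {
    try_files $uri =404;
    log_not_found off;
    access_log off;
}

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac)
# and dot-directories such as .git.
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
    deny all;
}

# Deny execution of PHP from directories that hold uploaded content.
# "uploads" and "files" are the WordPress names this rule was written for;
# PrestaShop 1.6 stores customer uploads in /upload and virtual-product files
# in /download, so both are covered as well (the only .php in them is the
# index.php anti-listing stub, which nothing legitimately requests).
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads?|files|download)/.*\.php$ {
    deny all;
}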
# expires.conf: Cache-Control rules for static content.
#
# There is deliberately no default expire rule. The rules mirror the
# html5-boilerplate .htaccess, but nginx matches by location (URI pattern)
# whereas apache matches by content type: an extension-less URL that serves
# html would get max-age=0 under apache and, under a nginx default rule of
# one month, a month-long cache lifetime. So only add a default rule to a
# site that is completely static.
#
# NOTE: add_header is only inherited from the server level into a location
# that defines no add_header of its own. Every location below sets
# Cache-Control, so server-level headers (e.g. the security headers in
# ssl-params.conf) are not sent for the files matched here.

# cache.appcache, document html and data: always revalidate
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
    add_header Cache-Control "max-age=0";
}

# Feeds: one hour
location ~* \.(?:rss|atom)$ {
    add_header Cache-Control "max-age=3600";
}

# Media (images, icons, video, audio, HTC): one month.
# Set-Cookie from the backend is dropped so these responses stay cacheable.
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
    access_log off;
    add_header Cache-Control "max-age=2592000";
    fastcgi_ignore_headers Set-Cookie;
}

# svgz is already gzip-compressed: one month, no re-compression
location ~* \.svgz$ {
    access_log off;
    gzip off;
    add_header Cache-Control "max-age=2592000";
}

# CSS and JavaScript: one year (relies on versioned/fingerprinted URLs)
location ~* \.(?:css|js)$ {
    add_header Cache-Control "max-age=31536000";
    access_log off;
    fastcgi_ignore_headers Set-Cookie;
}

# Web fonts: one month.
# If you are NOT using cross-domain-fonts.conf, uncomment the following directive
location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
    add_header Cache-Control "max-age=2592000";
    access_log off;
}
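# ssl-params.conf: TLS settings and HTTP security headers.
# Designed to be included in every "listen 443 ssl" server {} block.

# SSLv3 (POODLE) and TLS 1.0/1.1 are retired: the original list enabled SSLv3
# "for some payment networks", but the major networks dropped TLS < 1.2 during
# 2018. TLSv1.3 is a valid parameter for nginx 1.13.x; it only takes effect
# when the linked OpenSSL supports TLS 1.3.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# Forward-secret AEAD suites only. The original list still carried 3DES
# (DES-CBC3-SHA, SWEET32) and static-RSA suites (AES*-SHA*, no forward
# secrecy); note that "!DES" does not exclude 3DES in OpenSSL's cipher syntax.
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
ssl_ecdh_curve secp384r1;
ssl_dhparam /data/ssl/certs/dhparam.pem; # MODIFY (generate with at least 2048 bits)

# Server-side session cache; tickets are off so resumption does not depend on
# a long-lived ticket key that would undermine forward secrecy.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_certificate /data/ssl/example.com/fullchain.pem; # MODIFY
ssl_certificate_key /data/ssl/example.com/privkey.pem; # MODIFY

# OCSP stapling. Without ssl_stapling_responder nginx takes the responder URL
# from the certificate's Authority Information Access extension, so the
# setting keeps working when the CA replaces its intermediate; the hard-coded
# responder of one intermediate would stop working at that point.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /data/ssl/example.com/chain.pem; # MODIFY
#ssl_stapling_responder http://ocsp.int-x3.letsencrypt.org/; # only if the AIA URL must be overridden
# Used for the OCSP lookup; a local resolver keeps those queries on-host. MODIFY IF YOU WANT
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# NOTE: add_header is inherited into a location only when that location sets
# no add_header of its own; the Cache-Control locations in expires.conf
# therefore do not send the headers below for the static files they serve.
# "always" adds the header on error responses as well.
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header Referrer-Policy "strict-origin" always;
add_header X-XSS-Protection "1; mode=block" always;
# This CSP is fully working with Prestashop scripts. 'unsafe-inline',
# 'unsafe-eval' and the blanket https: source leave little protection against
# injected script; tighten it once the theme's inline scripts are known, and
# try changes with Content-Security-Policy-Report-Only first.
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'self' https:; script-src 'unsafe-inline' 'unsafe-eval' 'self' https:; style-src 'unsafe-inline' 'self' https:" always;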
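# Plain-HTTP entry point: answers ACME challenges, redirects everything else.
# The redirect lives in "location /" on purpose: a server-level "return 301"
# executes before location matching, so the acme-challenge location would
# never be reached and initial certificate issuance (when no certificate
# exists yet for the 443 servers) would fail.
server {
    listen [::]:80;
    listen 80;
    server_name example.com www.example.com;

    include global/acme-challenge.conf;

    location / {
        return 301 https://www.example.com$request_uri;
    }
}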
# Canonical-host redirect: the bare domain is served over TLS only to send
# visitors on to www.example.com. The certificate loaded by ssl-params.conf
# must therefore cover example.com as well.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    include snippets/ssl-params.conf;

    return 301 https://www.example.com$request_uri;
}
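# The shop itself: PrestaShop 1.6 behind PHP-FPM over TLS.
server {
    listen [::]:443 ssl deferred;
    listen 443 ssl deferred;
    server_name www.example.com;
    include snippets/ssl-params.conf;

    root /data/nginx/www/prestashop;
    access_log /data/nginx/log/example.com.access.log;
    error_log /data/nginx/log/example.com.error.log;
    index index.php index.html; # Letting nginx know which files to try when requesting a folder

    # Order matters: the "^~" location in acme-challenge.conf must precede the
    # dot-file deny in restrictions.conf. The original first line lacked the
    # ";", so nginx read the next line as extra arguments of this include.
    include global/acme-challenge.conf; # let's encrypt acme-challenge
    include global/restrictions.conf;
    include global/expires.conf;

    ##
    # Gzip Settings
    ##
    # NOTE: text/html is always compressed when gzip is on. Compressed TLS
    # responses that reflect request input next to secrets (CSRF tokens,
    # session ids) are the precondition for BREACH; weigh that against the
    # bandwidth saving for the HTML pages.
    gzip on;
    gzip_disable "msie6"; # Do people still use Internet Explorer 6? In that case, disable gzip and hope for the best!
    gzip_vary on; # Also compress content with other MIME types than "text/html"
    gzip_types application/json text/css application/javascript; # We only want to compress json, css and js. Compressing images and such isn't worth it
    gzip_proxied any;
    gzip_comp_level 6; # Set desired compression ratio, higher is better compression, but slower
    gzip_buffers 16 8k; # Gzip buffer size
    gzip_http_version 1.0; # Compress every type of HTTP request

    # PrestaShop product image paths (/img/p/1/2/3/123-foo.jpg) and category images,
    # same rules as the shipped .htaccess.
    rewrite ^/([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$1$2$3.jpg last;
    rewrite ^/([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$1$2$3$4.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$1$2$3$4$5.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.jpg last;
    rewrite ^/c/([0-9]+)(-[_a-zA-Z0-9-]*)/[_a-zA-Z0-9-]*.jpg$ /img/c/$1$2.jpg last;
    rewrite ^/c/([a-zA-Z-]+)/[a-zA-Z0-9-]+.jpg$ /img/c/$1.jpg last;
    rewrite ^/([0-9]+)(-[_a-zA-Z0-9-]*)/[_a-zA-Z0-9-]*.jpg$ /img/c/$1$2.jpg last;
    rewrite ^/images_ie/?([^/]+)\.(jpe?g|png|gif)$ /js/jquery/plugins/fancybox/images/$1.$2 last;

    # Spanish Friendly URL's - Replace by yours
    rewrite '^/alertas-email$' /index.php?controller=module-mailalerts-account last;
    rewrite '^/pagina-no-encontrada$' /index.php?controller=pagenotfound last;
    rewrite '^/mas-vendidos$' /index.php?controller=best-sales last;
    rewrite '^/contactenos$' /index.php?controller=contact last;
    rewrite '^/marcas$' /index.php?controller=manufacturer last;
    rewrite '^/nuevos-productos$' /index.php?controller=new-products last;
    rewrite '^/contrasena-olvidado$' /index.php?controller=password last;
    rewrite '^/promocion$' /index.php?controller=prices-drop last;
    rewrite '^/mapa-del-sitio$' /index.php?controller=sitemap last;
    rewrite '^/proveedores$' /index.php?controller=supplier last;
    rewrite '^/direccion$' /index.php?controller=address last;
    rewrite '^/direcciones$' /index.php?controller=addresses last;
    rewrite '^/autenticacion$' /index.php?controller=authentication last;
    rewrite '^/carro-de-la-compra$' /index.php?controller=cart last;
    rewrite '^/descuento$' /index.php?controller=discount last;
    rewrite '^/historial-de-pedidos$' /index.php?controller=history last;
    rewrite '^/identidad$' /index.php?controller=identity last;
    rewrite '^/mi-cuenta$' /index.php?controller=my-account last;
    rewrite '^/devolucion-de-productos$' /index.php?controller=order-follow last;
    rewrite '^/vales$' /index.php?controller=order-slip last;
    rewrite '^/carrito$' /index.php?controller=order last;
    rewrite '^/buscar$' /index.php?controller=search last;
    rewrite '^/tiendas$' /index.php?controller=stores last;
    rewrite '^/pedido-rapido$' /index.php?controller=order-opc last;
    rewrite '^/estado-pedido$' /index.php?controller=guest-tracking last;
    rewrite '^/confirmacion-pedido$' /index.php?controller=order-confirmation last;
    rewrite '^/comparar-productos$' /index.php?controller=products-comparison last;

    # PrestaShop webservice: /api/... -> webservice/dispatcher.php.
    # Kept at server level with "last" so the rewritten URI is matched against
    # the locations below and reaches the PHP handler, and placed before the
    # catch-all so that rule cannot claim /api/... first. The original
    # "location /api { rewrite ... break; }" was shadowed by the catch-all for
    # any /api/ path absent from disk, and "break" would have kept the request
    # in a location without fastcgi_pass, i.e. served dispatcher.php as a
    # static file (PHP source disclosure).
    rewrite ^/api/?(.*)$ /webservice/dispatcher.php?url=$1 last;

    # Front controller for everything not present on disk. "if" combined with
    # "rewrite ... last" in server context is one of the documented safe uses.
    if (!-e $request_filename){
        rewrite ^(.*)$ /index.php?q=$1 last;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # "try_files $uri =404" before fastcgi_pass rejects URIs such as
        # /img/photo.jpg/x.php, so PHP-FPM's cgi.fix_pathinfo cannot turn an
        # uploaded non-PHP file into executed code.
        try_files $uri =404;
        fastcgi_keep_conn on;
        fastcgi_index index.php;
        fastcgi_pass php:9000; # MODIFY: PHP-FPM host:port or unix: socket; keep it off public networks
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}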