Mautic nginx config
server {
    # see: http://wiki.nginx.org/Pitfalls
    # see: http://wiki.nginx.org/IfIsEvil
    listen 80;
    root /app;
    index index.html index.htm index.php;
    error_page 404 /index.php;
    # Make site accessible from http://set-ip-address.xip.io
    server_name localhost;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log error;
    charset utf-8;

    # redirect index.php to root
    rewrite ^/index.php/(.*) /$1 permanent;

    #######################################
    ## Start Mautic Specific config #####
    #######################################

    # redirect some entire folders
    rewrite ^/(vendor|translations|build)/.* /index.php break;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to index.html
        # one option: try_files $uri $uri/ /index.php$is_args$args;
        try_files $uri /index.php$is_args$args;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }

    # Deny everything else in /app folder except Assets folder in bundles
    location ~ /app/bundles/.*/Assets/ {
        allow all;
        access_log off;
    }
    location ~ /app/ { deny all; }

    # Deny everything else in /addons or /plugins folder except Assets folder in bundles
    location ~ /(addons|plugins)/.*/Assets/ {
        allow all;
        access_log off;
    }
    location ~ /(addons|plugins)/ { deny all; }

    # Deny all php files in themes folder
    location ~* ^/themes/(.*)\.php {
        deny all;
    }

    # Don't log favicon
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # Don't log robots
    location = /robots.txt {
        access_log off;
        log_not_found off;
    }

    # Deny yml, twig, markdown, init file access
    location ~* /(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny all attempts to access hidden files/folders such as .htaccess, .htpasswd, .DS_Store (Mac), etc...
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny all grunt, composer files
    location ~* (Gruntfile|package|composer)\.(js|json)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    #######################################
    ## End Mautic Specific config #####
    #######################################

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        # try_files $uri =403;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 16k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
    }
}

@TomRoethlisberger TomRoethlisberger commented Jun 2, 2016

Don't you have an issue with this configuration and the ckeditor filemanager? On my instance, I had to add a special rule for allowing the file manager to execute. Did you encounter a similar issue?
Here is the code I've added before the /app/bundles/(.*)/Assets rule:

location ~ /app/bundles/CoreBundle/Assets/js/libraries/ckeditor/filemanager/connectors/php/filemanager.php {
    allow all;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    # $fastcgi_script_name already begins with "/", so no separator is needed
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}


@lcruzsv lcruzsv commented Jun 23, 2016

@TomRoethlisberger Thanks! That was just what I was looking for!!!


@jmeyo jmeyo commented Sep 2, 2016

Regexp for plugins/addons is misleading as it blocks some mautic routes. For example when you want to reload the plugins (xhr like https://someserver.com/s/plugins/reload?_=1472827734097&mauticUserLastActive=1&mauticLastNotificationId=) the rule answers 403.


@mbrinson mbrinson commented Nov 4, 2016

Same as TomRoethlisberger has commented, this configuration blocks some functionality.
I was unable to install the default plugins. I got this error message:
*21381 access forbidden by rule, client: ##.##.##.##, server: mautic.somedomain.com, request: "GET /s/plugins/reload?_=1478301629487&mauticUserLastActive=1&mauticLastNotificationId= HTTP/1.1"

My question is, is it safe to just remove / comment-out the "deny all" rules that pertain to the addons|plugins folders? Can I temporarily disable them, add the plugins I want, and then re-enable them and the plugins will still work?


@mbrinson mbrinson commented Nov 17, 2016

Has anyone else run into problems with nginx and their mautic deployment where the mtc.js file will not load from your website due to CORS?
http://enable-cors.org/server_nginx.html

I've added the add_headers, but keep running into different issues. What I'm wondering is if this is something everyone has had to figure out, or if there's something weird about my setup?


@osterkraft osterkraft commented Nov 17, 2016

@mbrinson I experience the same problem with a fresh install of 2.2.1 on an nginx server, and I'm struggling to find any good resources...


@mbrinson mbrinson commented Dec 1, 2016

@osterkraft - I discovered the reason for this. By default, Mautic has "Restrict Domains" under "CORS Settings" set to YES in the "Configuration" -> "System Settings" area, and "Valid Domains" is left blank. At least, that was the case for me.
I just had to add the full url for the domain for my website where I wanted to enable the tracking. Then all of the CORS problems went away.

@manyk manyk commented Feb 27, 2017

@jmeyo - Try to add ^ to force the match from the beginning.

Example:
location ~ ^/(addons|plugins)/ { deny all; }
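
The effect of the `^` anchor discussed in this thread, as an added example (not part of the gist or of any comment): a Python model of nginx's first-match-wins selection over the gist's regex locations, run once with the rule as written and once with the anchored rule. It assumes Python's `re` treats these patterns the same way nginx's PCRE does, leaves out the exact-match locations and server-level rewrites, and uses constructed sample paths (`ExampleBundle` is hypothetical).

```python
import re

UNANCHORED = r"/(addons|plugins)/"    # rule as written in the gist
ANCHORED = r"^/(addons|plugins)/"     # rule with the ^ anchor from the thread

def regex_locations(plugin_deny):
    """Regex locations of the gist, in file order, as (pattern, flags, action)."""
    return [
        (r"/app/bundles/.*/Assets/", 0, "allow"),
        (r"/app/", 0, "deny"),
        (r"/(addons|plugins)/.*/Assets/", 0, "allow"),
        (plugin_deny, 0, "deny"),
        (r"^/themes/(.*)\.php", re.I, "deny"),          # ~* is case-insensitive
        (r"/(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$", re.I, "deny"),
        (r"/\.", 0, "deny"),
        (r"(Gruntfile|package|composer)\.(js|json)$", re.I, "deny"),
        (r"\.php$", 0, "php-fpm"),
    ]

def decide(request_target, plugin_deny):
    """Return the action of the first regex location that matches the path."""
    path = request_target.split("?", 1)[0]   # locations never see the query string
    for pattern, flags, action in regex_locations(plugin_deny):
        if re.search(pattern, path, flags):
            return action
    return "location /"                       # no regex matched: try_files handles it

# Constructed sample requests; the first is the XHR quoted in the thread.
SAMPLES = [
    "/s/plugins/reload?_=1472827734097&mauticUserLastActive=1&mauticLastNotificationId=",
    "/plugins/ExampleBundle/Config/config.php",
    "/plugins/ExampleBundle/Assets/img/icon.png",
    "/app/config/local.php",
    "/s/dashboard",
]

def compare(samples=SAMPLES):
    """Map each request to (action with gist rule, action with anchored rule)."""
    return {s: (decide(s, UNANCHORED), decide(s, ANCHORED)) for s in samples}

if __name__ == "__main__":
    for target, (before, after) in compare().items():
        print(f"{before:>10} -> {after:<10} {target}")
```

Only the routed `/s/plugins/reload` request changes outcome; direct requests for files under `/plugins/` and `/app/` are still denied with the anchored rule.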