nginx-craft
An Nginx virtual host configuration for Craft CMS that implements a number of best-practices.
Overview
What it handles
The Nginx-Craft configuration handles:
- Redirecting from HTTP to HTTPS
- Canonical domain rewrites from www.SOMEDOMAIN.com to SOMEDOMAIN.com
- 301 Redirect URLs with trailing /'s as per https://webmasters.googleblog.com/2010/04/to-slash-or-not-to-slash.html
- Setting
PATH_INFO
properly via php-fpm -> PHP - Setting
HTTP_HOST
to mitigate HTTP_HOST Security Issues - "Far-future" Expires headers
- Enable serving of static gzip files via gzip_static
- Adding XSS and other security headers
- Gzip compression
- Filename-based cache busting for static resources
- IPv4 and IPv6 support
- http2 support
- Reasonable SSL cipher suites and TLS protocols
- Localized sites
- Server-side includes
- Optionally includes Dotenvy generated
.env
files
Assumptions made
The following are assumptions made in this configuration:
- The site is https
- The SSL certificate is from LetsEncrypt.com
- The canonical domain is SOMEDOMAIN.com (no www.)
- Nginx is version 1.9.5 or later (and thus supports http2)
- Paths are standard Ubuntu, change as needed
- You're using php7.1 via php-fpm
- You have
'omitScriptNameInUrls' => true,
in yourcraft/general.php
If any of these assumptions are invalid, make the appropriate changes.
Note: We disable TLSv1.0 because it is insecure, but IE 8, 9 & 10 need to have support for TLSv1.1 manually enabled or they will not be able to connect.
What's included
This Nginx configuration comes in two parts:
sites-available/somedomain.com.conf
- an Nginx virtual host configuration file tailored for Craft CMS; it will require some minor customization for your domainnginx-partials
- some Nginx configuration partials used by all of the virtual hosts, logically segregated. These don't need to be changed, but can be selectively disabled by changing the suffix to.off
(or anything other than.conf
)
Using Nginx-Craft
- Obtain an SSL certificate for your domain via LetsEncrypt.com (or via other certificate authorities). LetsEncrypt.com is free, and it's automated. You will need a basic server up and running that responds to port 80 to do this, LetsEnecrypt/Nginx tutorial
- Create a
dhparam.pem
viasudo openssl dhparam -out /etc/nginx/dhparams.pem 2048
- Download your Issuer certificate via
mkdir /etc/nginx/ssl; sudo wget -O /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"
- Upload the entire
nginx-partials
folder to/etc/nginx/
- Rename the
somedomain.com.conf
file toyourdomain.com.conf
- Do a search & replace in
yourdomain.com.conf
to changeSOMEDOMAIN
->yourdomain
- Tweak any paths that may need changing on your server
- Change the
fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
line to reflect whatever version of PHP you're running - Restart nginx via
sudo nginx -s reload
If you're using Forge, it takes care of a number of these things for you, but still needs tuning.
The same applies for CloudWays, ServerPilot, Homestead, MAMP, etc.
A Forge Template is provided in forge-templates/NginxTemplate.conf
that you can use to automate setting up your Forge servers.
For this to work, you must clone the repo into /home/forge
via:
git clone https://github.com/nystudio107/nginx-craft.git /home/forge
For further information on TLS optimization, see the How to properly configure your nginx for TLS article.
Forge & opcache
N.B.: Forge now has opcache
functionality baked-in, you can enable it via the Server settings, so this information is largely deprecated.
If you're using Forge, understand that opcache
is off by default. To enable it, go to your server in Forge, click on Edit Files and choose Edit PHP FPM Configuration and search on opcache
. Here are the defaults I use; tweak them to suit your needs:
[opcache]
; Determines if Zend OPCache is enabled
opcache.enable=1
; Determines if Zend OPCache is enabled for the CLI version of PHP
;opcache.enable_cli=0
; The OPcache shared memory storage size.
opcache.memory_consumption=256
; The amount of memory for interned strings in Mbytes.
opcache.interned_strings_buffer=16
; The maximum number of keys (scripts) in the OPcache hash table.
; Only numbers between 200 and 100000 are allowed.
opcache.max_accelerated_files=8000
; If disabled, all PHPDoc comments are dropped from the code to reduce the
; size of the optimized code.
opcache.save_comments=0
More about tweaking opcache
can be found in the Fine-Tune Your Opcache Configuration to Avoid Caching Suprises article. The Best Zend OpCache Settings/Tuning/Config article is very useful as well.
Local Development
While all of the configuration in the somedomain.com.conf
will work fine in local development as well, some people might want a simpler setup for local development.
There is a basic_localdev.com.conf
that you can use for a basic Nginx configuration that will work with Craft without any of the bells, whistles, or optimizations found in the somedomain.com.conf
.
While this is suitable for getting up and running quickly for local development, do not use it in production. There are a number of performance optimizations missing from it.
Brought to you by nystudio107