nginx php-fpm bitrix

Дата | 26.05.2016

Рабочий конфиг. nginx для запуска bitrix.

root@site_loc:/usr/src # cat /usr/local/etc/php-fpm.conf | egrep -v '^$|;'
[global]
pid = run/php-fpm.pid
events.mechanism = kqueue
[www]
user = use222
group = use222
listen = /tmp/www.sock
listen.owner = use222
listen.group = use222
pm = dynamic
pm.max_children = 455
pm.start_servers = 18
pm.min_spare_servers = 18
pm.max_spare_servers = 19
pm.max_requests = 4000
security.limit_extensions = .php .php3 .php4 .php5
# Соккет для второго сайт, отдельно будим его обрабатывать.
[premiumsmoke]
user = use222
group = use222
listen = /tmp/smoke.sock
listen.owner = use222
listen.group = use222
pm = dynamic
pm.max_children = 355
pm.start_servers = 15
pm.min_spare_servers = 15
pm.max_spare_servers = 17
pm.max_requests = 3500
security.limit_extensions = .php .php3 .php4 .php5
php_admin_value[mbstring.func_overload]=0
php_admin_value[mbstring.internal_encoding]=latin
root@site_loc:/usr/src # cat /usr/local/etc/nginx/nginx.conf
user use222 use222;
worker_processes 8;
timer_resolution 100ms;
worker_rlimit_nofile  8192;
worker_priority -5;
#
    error_log /mnt/log/nginx/error.log error;
    pid        /var/run/nginx.pid;
events {
    worker_connections  3048;
    use kqueue;
    multi_accept on;
}
http {
    limit_req_zone  $binary_remote_addr zone=one:10m rate=8r/s;
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
#
    include       /usr/local/etc/nginx/mime.types;
    default_type application/octet-stream;
#   access_log /mnt/log/nginx/access.log;
    access_log off;
    log_format compression '$remote_addr - [$time_local] '
                          '"$request" $status '
                          '"$http_user_agent"';
#
   map $request_method $bad_method {
        default 1;
        ~(?i)(GET|HEAD|POST) 0;
}
# Add here all user agents that are to be blocked.
   map $http_user_agent $bad_bot {
       default 0;

~(?i)(httrack|WinHTTrack|htmlparser|libwww|Python|perl|urllib|Zeus|scan|Curl|email|PycURL|Pyth|PyQ|WebCollector|WebCopier|WebCopy|webcraw|LWP::simple|Havij)
1;
}
# Bad referers.
    map $http_referer $bad_referer {
        default 0;
        ~(?i)(babes|click|forsale|jewelry|nudit|organic|poker|amnesty|poweroversoftware|webcam|zippo|casino|replica) 1;
}
#
    sendfile       on;
    tcp_nopush     on;
    tcp_nodelay    on;
    server_tokens off;
    client_body_timeout 15;
    send_timeout 5;
    client_max_body_size 30m;
    keepalive_timeout  25;
    keepalive_requests 100;
    reset_timedout_connection on;
    fastcgi_buffer_size 156k;
    fastcgi_buffers 16 156k;
   fastcgi_read_timeout 900;
#
    add_header X-Frame-Options SAMEORIGIN;
    add_header Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block;";
    add_header X-Content-Security-Policy "allow 'self';";
    add_header X-WebKit-CSP "allow 'self';";
    add_header X-Content-Type-Options nosniff;
#
    gzip  on;
    gzip_disable "MSIE [1-6]\.";
    gzip_min_length 1100;
    gzip_buffers 4 8k;
    gzip_comp_level 7;
    gzip_http_version 1.1;
    gzip_proxied any;
    gzip_types text/plain application/xhtml+xml text/css application/xml application/xml+rss text/javascript application/javascript application/x-javascript
#
    include /usr/local/etc/nginx/conf.d/*.conf;
    include /usr/local/etc/nginx/sites-enabled_old/*;
}
root@site_loc:/usr/src # cat /usr/local/etc/nginx/sites-enabled_old/site.local
server {
        listen 1.1.2.1:80;
        root /usr/local/www/default;
}

server {
        listen 1.1.2.1:80;
        server_name www.site.local;
        return 301 http://site.local$request_uri;
}

server {
listen 1.1.2.1:80;
open_file_cache max=430000 inactive=120s;
open_file_cache_valid 360s;
open_file_cache_min_uses 1;
open_file_cache_errors   on;
server_name site.local;
access_log /mnt/log/nginx/access_akbpower.log;
root /usr/local/www/site.local;
index index.html index.php;

rewrite ^([^.\?]*[^/])$ $1/ permanent;

if ($request_uri ~ "^(/(?!personal|search).*)index\.(?:php|html)") {
 return 301 $1;
}

# Deny access based on HTTP method
if ($bad_method = 1) { return 444; }

# Deny access based on the User-Agent header
if ($bad_bot = 1) { return 403; }

# Deny access based on the Referer header
if ($bad_referer = 1) { return 403; }

location / {
        root /usr/local/www/site.local;
        index index.php;
        error_page 404 = /404.php;
}

location ~ \.php$ {
        fastcgi_pass    unix:/tmp/www.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /usr/local/www/site.local/$fastcgi_script_name;
        include        fastcgi_params;
if (!-f $request_filename) {
        rewrite  ^(.*)$  /404.php last;
  }
}

location ^~ /bitrix/admin/ {
        index index.php;
        satisfy any;
        allow 4.3.1.9;
        deny all;
        auth_basic           "closed site";
        auth_basic_user_file /usr/local/.htpasswd;
location ~ \.php$ {
        fastcgi_pass unix:/tmp/www.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $request_filename;
#       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_ignore_client_abort off;
   }
}

location = /favicon.ico {
        log_not_found off;
        access_log off;
}

location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
}

location ~* ^/bitrix/components/bitrix/player/mediaplayer/player$ {
        add_header Access-Control-Allow-Origin *;
}

location ~* ^/(upload|bitrix/images|bitrix/tmp) {
        expires 30d;
        access_log off;
}

location = /404.html {
        access_log off ;
}

location ~* \.(swf|zip|rar|arj|cab|exe|dll|ico|jpg|jpeg|gif|bmp|png|mp3|avi|mov|mpg|mpeg|txt|amr|mmf|wml|wbmp|mid|midi|3gp)$ {
        expires 30d;
        charset utf-8;
        source_charset utf-8;
        access_log off;
}

location ~ (/\.ht|/bitrix/modules|bitrix/managed_cache|bitrix/local_cache|bitrix/stack_cache|/upload/support/not_image|/bitrix/php_interface) {
        deny all;
        access_log off;
}

location ~* ^/upload/1c_[^/]+/ { deny all; }
#location ~* /\.\./ { deny all; }
location ~* ^/bitrix/html_pages/\.config\.php { deny all; }
location ~* ^/bitrix/html_pages/\.enabled { deny all; }
location ^~ /upload/support/not_image   { internal; }
#location ~* ^/bitrix/cache              { deny all; }
#location ~* .*$       { deny all; }

location ~ /.svn/ {
        deny all;
        access_log off;
}

location ~ /\.ht {
        deny  all;
        access_log off;
}
}

Тут можно посмотреть какие редиректы можно добавить к конфигу nginx редиректы nginx.

Добавить комментарий

Ваш e-mail не будет опубликован. Обязательные поля помечены *