magento · magenx · Nov 30, 2015 · Nov 30, 2015 · Nov 30, 2015 · Nov 30, 2015
diff --git a/nginx/README.md b/nginx/README.md
@@ -0,0 +1,37 @@
+TESTING<br/>
+you have to install latest nginx package from official nginx repository<br/>
+>http://nginx.org/en/linux_packages.html#mainline<br/>
+
+to enable configuration you have to run these commands:<br/>
+```cd /etc/nginx/sites-enabled/```<br/>
+```ln -s /etc/nginx/sites-avalable/default.conf ./default.conf```<br/>
+```ln -s /etc/nginx/sites-avalable/magento2.conf ./magento2.conf```<br/>
+```nginx -t```<br/>
+if no errors detected, then<br/>
+```service nginx restart```
+
+<br/>
+for ssl configuration in nginx.conf you must: <br/>
+1 - open ```cd /etc/ssl/certs``` <br/>
+2 - generate dhparam file ```openssl dhparam -out dhparams.pem 2048``` <br/>
+3 - enable in nginx.conf ```ssl_dhparam /etc/ssl/certs/dhparams.pem;``` <br/>
+
+config:<br/>
+```conf.d/assets.conf``` => settings for any static assets<br/>
+```conf.d/error_page.conf``` => configure custom error pages<br/>
+```conf.d/extra_protect.conf``` => protecting everything<br/>
+```conf.d/hhvm.conf``` => hhvm vs php-fpm port/route mapping<br/>
+```conf.d/maintenance.conf``` => global maintenance<br/>
+```conf.d/multishop.conf``` => settings for multistore code<br/>
+```conf.d/pagespeed.conf``` => pagespeed module settings<br/>
+```conf.d/php_backend.conf``` => global settings for php execution<br/>
+```conf.d/port.conf``` => configure http port<br/>
+```conf.d/setup.conf``` => magento web setup/update (before web installation create dummy ```admin``` cookie as httponly)<br/>
+```conf.d/spider.conf``` => bad user agents mapping<br/>
+```conf.d/status.conf``` => nginx/php-fpm status locations<br/>
+
+```www/default.conf``` => catch non-existent server name<br/>
+```www/magento2.conf``` => magento virtual host/server configuration file<br/>
+
+```fastcgi_params``` => global fastcgi parameters<br/>
+```nginx.conf``` => main nginx configuration file<br/>
diff --git a/nginx/conf.d/assets.conf b/nginx/conf.d/assets.conf
@@ -0,0 +1,18 @@
+	## images
+	location ~* /.*\.(jpg|jpeg|png|gif|svg|js|css|ico|txt)$ {
+		expires max;
+		log_not_found off;
+		access_log off;
+		add_header ETag "";
+		add_header Cache-Control "public";
+		}
+
+	## fonts
+	location ~* /.*\.(swf|eot|ttf|otf|woff|woff2)$ {
+		expires max;
+		log_not_found off;
+		access_log off;
+		add_header ETag "";
+		add_header Access-Control-Allow-Origin *;
+		add_header Cache-Control "public";
+		}
diff --git a/nginx/conf.d/error_page.conf b/nginx/conf.d/error_page.conf
@@ -0,0 +1,6 @@
+# error_page 403 /403.html;
+# location = /403.html {
+#   root /var/www/html/error_page;
+#   internal;
+#   access_log   /var/log/nginx/403.log  error403;
+#   }
diff --git a/nginx/conf.d/extra_protect.conf b/nginx/conf.d/extra_protect.conf
@@ -0,0 +1,34 @@
+# deny all internal locations also default phpmyadmin
+location ~ ^/(app|bin|var|nginx|phpserver|vendor|php[mM]y[aA]dmin|pma)/ { deny all; }
+
+# deny access per default .htaccess rules
+location ~ /media/(customer/|downloadable/|import/|theme_customization/.*\.xml) { deny all; }
+location ~* /(media|static)/.*\.php$ { deny all; }
+location ~ /errors/.*\.xml { deny all; }
+location ~ Gruntfile\.js { deny all; }
+
+## deny cron and files with the obvious names. favorite entry points for hackers and script kiddie
+location ~* ^/(cron|phpminiadmin|pma|sqlyog|adminer.+)\.php { deny all; }
+
+# deny auth and composer
+location ~ (auth|package|composer)\.(json|lock)$ { deny all; }
+
+# deny files that only for internal use (work with ssh or use ftp to download)
+#location ~ /\. { return 444; } # <= block everythig that starts with \.<dot
+location ~ /\.(svn|git|hg|htpasswd|bash|ssh|php_cs) { return 444; }
+location ~ ^/.*\.(sh|pl|swp|phar|log|ini|sql|conf|yml|zip|tar|.+gz)$ { return 444; }
+
+# limit requests and return GONE 410 for search bots (if you need something more - use firewall/iptables)
+location ~ ^/(wishlist|customer|catalogsearch|newsletter|contact|sendfriend|catalog/product_compare|review/product/post|(fire|one.+)?checkout)/  {
+        limit_req zone=goeasy burst=5;
+        limit_req_status 429;
+        if ($http_user_agent ~* "Baiduspider|Googlebot|bingbot|rogerbot|Yahoo|YandexBot") { return 410; }
+        try_files $uri $uri/ /index.php?$args;
+        }
+
+## Wordpress files and locations protection
+location ~ /wp-config\.php { deny all; }
+location ~ /wp-includes/(.*)\.php { deny all; }
+location ~ /wp-admin/includes(.*)$ { deny all; }
+location ~ /xmlrpc\.php { deny all; }
+location ~ /wp-content/uploads/(.*)\.php(.?) { deny all; }
diff --git a/nginx/conf.d/hhvm.conf b/nginx/conf.d/hhvm.conf
@@ -0,0 +1,6 @@
+## Map HHVM and FPM ports
+    map $request_uri $port_switch {
+        default                         9001; #HHVM
+        ~^/(onestep|fire)?checkout/     9000; #FPM
+        ~^/(index\.php/)?admin/         9000; #FPM
+        }
diff --git a/nginx/conf.d/maintenance.conf b/nginx/conf.d/maintenance.conf
@@ -0,0 +1,12 @@
+# if ($remote_addr !~ "^(1.2.3.4|1.2.3.4)$") {
+# 	return 503;
+# 	}
+
+# error_page 503 @maintenance;	
+
+# location @maintenance {
+# 	rewrite ^(.*)$ /error_page/503.html break;
+# 	internal;
+# 	access_log off;
+# 	log_not_found off;
+# 	}
diff --git a/nginx/conf.d/multishop.conf b/nginx/conf.d/multishop.conf
@@ -0,0 +1,15 @@
+map $http_host $MAGE_RUN_CODE {
+hostnames;
+        .magento.com default;
+        .magento.de store_de;
+        .magento.fr store_fr;
+        promo.magento.com promo;
+}
+
+map $http_host $MAGE_RUN_TYPE {
+hostnames;
+        .magento.com store;
+        .magento.de store;
+        .magento.fr store;
+        promo.magento.com website;
+}
diff --git a/nginx/conf.d/pagespeed.conf b/nginx/conf.d/pagespeed.conf
@@ -0,0 +1,20 @@
+pagespeed  on;
+pagespeed  FileCachePath  "/var/tmp/";
+pagespeed  LogDir "/var/log/pagespeed";
+
+# to optimize images use: https://github.com/mikebrittain/Wesley
+pagespeed  EnableFilters convert_gif_to_png;
+pagespeed  EnableFilters insert_image_dimensions;
+pagespeed  EnableFilters lazyload_images;
+
+pagespeed  EnableFilters collapse_whitespace;
+pagespeed  EnableFilters remove_comments;
+pagespeed  EnableFilters flatten_css_imports;
+
+pagespeed  EnableFilters insert_dns_prefetch;
+pagespeed  EnableFilters extend_cache;
+
+pagespeed  StatisticsLogging on;
+
+pagespeed  RetainComment "esi*";
+pagespeed  Disallow "*index.php/admin/*"
diff --git a/nginx/conf.d/php_backend.conf b/nginx/conf.d/php_backend.conf
@@ -0,0 +1,12 @@
+## php backend settings
+fastcgi_pass    127.0.0.1:9000; #swap :9000 with :$port_switch when configuring hhvm/php-fpm routes;
+fastcgi_index   index.php;
+include         fastcgi_params;
+
+## specific security and compatibility headers
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-UA-Compatible 'IE=Edge,chrome=1';
+add_header X-Processing-Time $request_time;
+#add_header Strict-Transport-Security "max-age=31556926; includeSubDomains; preload"; #<= uncomment if you run https only
diff --git a/nginx/conf.d/setup.conf b/nginx/conf.d/setup.conf
@@ -0,0 +1,11 @@
+location ~ ^/(setup|update) {
+    root $MAGE_ROOT;
+    include /etc/nginx/conf.d/assets.conf;
+    location ~ ^/(setup|update)/index.php {
+        if ($cookie_admin = '') { return 404; }
+        include  /etc/nginx/conf.d/php_backend.conf;
+    }
+    location ~ ^/(setup|update)/(?!pub/). {
+        deny all;
+    }
+}
diff --git a/nginx/conf.d/spider.conf b/nginx/conf.d/spider.conf
@@ -0,0 +1,29 @@
+map $http_user_agent $bad_client {
+    default 0;
+  ~*(360Spider)  1;
+  ~*(aiHitBot|AhrefsBot) 1;
+  ~*(betaBot|BlackWidow|Bolt|BLEXBot|BUbiNG) 1;
+  ~*(CazoodleBot|CPython|CCBot|ChinaClaw|Curious|CRAZYWEBCRAWLER|Custo) 1;
+  ~*(Default|DIIbot|DISCo|discobot) 1;
+  ~*(Exabot|eCatch|ecxi|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|ExtractorPro|EyeNetIE) 1;
+  ~*(FlashGet|Findxbot) 1;
+  ~*(GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|Go.*package.*|GrabNet|Grafula|GT::WWW|GuzzleHttp) 1;
+  ~*(heritrix|HaosouSpider|HMView|HTTP::Lite|HTTrack) 1;
+  ~*(ia_archiver|IDBot|id-search|id-search.org|InterGET|InternetSeer.com|IRLbot) 1;
+  ~*(JetCar) 1;
+  ~*(larbin|LeechFTP|Lightspeedsystems|litemage_walker|Link|LinksManager.com_bot|Lipperhey|linkwalker|lwp-trivial) 1;
+  ~*(Maxthon$|Mail.RU_Bot|MegaIndex.ru|MFC_Tear_Sample|microsoft.url|Microsoft-IIS|Microsoft|Mozilla.*Indy|Mozilla.*NEWT|MJ12bot|MSFrontPage) 1;
+  ~*(Navroad|NearSite|NetAnts|NetLyzer.*FastProbe|NetSpider|NetZIP|Nutch) 1;
+  ~*(Octopus) 1;
+  ~*(PageGrabber|panscient.com|pavuk|PECL::HTTP|PeoplePal|pcBrowser|PHPCrawl|PleaseCrawl|psbot|python-requests) 1;
+  ~*(RealDownload|ReGet|RedesScrapy|Rippers|RocketCrawler) 1;
+  ~*(SBIder|Scrapy|ScreenerBot|SEOprofiler|SeaMonkey$|SeznamBot|sitecheck.internetseer.com|SiteSnagger) 1;
+  ~*(SmartDownload|Snoopy|SputnikBot|Steeler|SuperBot|SuperHTTP|Surfbot|sqlmap) 1;
+  ~*(tAkeOut|Teleport|Toata|TwengaBot|Typhoeus) 1;
+  ~*(URI::Fetch|User-Agent) 1;
+  ~*(voltron|Vagabondo|VoidEYE) 1;
+  ~*(webalta|WebAuto|[Ww]eb[Bb]andit|WebCollage|WebCopier|WebFetch|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WhatsApp) 1;
+  ~*(WebZIP|Wget|Widow|Wotbox|WWW-Mechanize|WWWOFFLE) 1;
+  ~*(XSpider) 1;
+  ~*(zermelo|Zeus|Zeus.*Webster|ZyBorg) 1;
+}
diff --git a/nginx/conf.d/status.conf b/nginx/conf.d/status.conf
@@ -0,0 +1,13 @@
+location /nginx_status {
+    stub_status on;
+    access_log off;
+    allow 127.0.0.1;
+    deny all;
+    }
+  location ~ ^/(status|ping)$ {
+    include /etc/nginx/conf.d/php_backend.conf;
+    fastcgi_intercept_errors on;
+    access_log off;
+    allow 127.0.0.1;
+    deny all;
+    }
diff --git a/nginx/fastcgi_params b/nginx/fastcgi_params
@@ -0,0 +1,29 @@
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+#fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;
+
+# magento timeouts
+fastcgi_connect_timeout 65;
+fastcgi_send_timeout 7200;
+fastcgi_read_timeout 7200;
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -0,0 +1,81 @@
+user  nginx;
+worker_processes  auto;
+worker_rlimit_nofile 100000;
+
+pid  /var/run/nginx.pid;
+
+events {
+    worker_connections  2000;
+    multi_accept on;
+    use epoll;
+       }
+
+http   {
+    index  index.html index.php;
+    include  /etc/nginx/mime.types;
+    types { application/font-woff2  woff2; }
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" ';
+    log_format  error403  '$remote_addr - [$time_local] "$request"';					  
+
+    keepalive_timeout   5;
+    autoindex		off;
+    server_tokens       off;
+    port_in_redirect	off;
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+
+    client_max_body_size 64m;
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+
+    ## Flood protection example (see conf.d/extra_protect.conf)
+    limit_req_zone $binary_remote_addr zone=goeasy:35m rate=1r/s;
+
+    ## Cache open FD
+    open_file_cache max=10000 inactive=3600s;
+    open_file_cache_valid 7200s;
+    open_file_cache_min_uses 2;
+
+    ## Gzipping is an easy way to reduce page weight
+    gzip                on;
+    gzip_vary           on;
+    gzip_proxied        any;
+    gzip_types          application/javascript application/x-javascript application/rss+xml text/javascript text/css image/x-icon image/svg+xml;
+    gzip_buffers        16 8k;
+    gzip_comp_level     6;
+
+    ##  SSL global settings
+    #ssl_session_cache		shared:SSL:45m;
+    #ssl_session_timeout	15m;
+    #ssl_protocols		TLSv1 TLSv1.1 TLSv1.2;
+    #ssl_ciphers                "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5";
+    #ssl_prefer_server_ciphers	on;
+    #ssl_dhparam 		/etc/ssl/certs/dhparams.pem;
+
+    #ssl_stapling on;
+    #resolver 8.8.8.8 8.8.4.4 valid=3600s;
+    #resolver_timeout 5s;
+
+    ## Use when Varnish in front
+    #set_real_ip_from 127.0.0.1;
+    #real_ip_header X-Forwarded-For;
+
+    ## Multi shop code configuration
+    #include /etc/nginx/conf.d/multishop.conf;
+
+    ## Map status to exclude from access log
+    map $status $writelog { 404 0; 410 0; 429 0; 444 0; default 1; }
+
+    ## Map bad user agents
+    include /etc/nginx/conf.d/spider.conf;
+
+    ## Map HHVM|php-fpm routes
+    #include /etc/nginx/conf.d/hhvm.conf;
+
+    ## Main domain configuration
+    include /etc/nginx/sites-enabled/*.conf;
+
+}
diff --git a/nginx/sites-available/default.conf b/nginx/sites-available/default.conf
@@ -0,0 +1,11 @@
+server {
+    include /etc/nginx/conf.d/port.conf;
+    return 444;
+}
+
+#server {
+#    listen 443 ssl default;
+#    ssl_certificate     /etc/ssl/fake.crt;
+#    ssl_certificate_key /etc/ssl/fake.key;
+#    return 444;
+#}