jhit
5/15/2017 - 11:11 AM

Nginx Configuration for JTL-Shop 4

Nginx Configuration for JTL-Shop 4

user www-data;
worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 100000;
events {
    worker_connections 4096;
    multi_accept on;
    use epoll;
}
http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    reset_timedout_connection on;
    server_tokens off;
    server_names_hash_bucket_size 64;
    server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    fastcgi_buffers 256 16k;
    fastcgi_buffer_size 128k;
    fastcgi_connect_timeout 3s;
    fastcgi_send_timeout 120s;
    fastcgi_read_timeout 120s;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    # für mehr Abwärtskompatibilität:
    #ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_buffer_size 4k;
    ssl_session_timeout 180m;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    client_max_body_size 64M;
    
    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 32k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;
}
upstream _php {
    # php via socket - Pfad entsprechend anpassen
    server unix:/var/run/php/php7.0-fpm.sock;
    # alternativ via localhost/port:
    #server 127.0.0.1:9000
}
server {
    listen *:443 http2;
    listen *:80;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    # für mehr Abwärtskompatibilität:
    #ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key /etc/nginx/ssl/certificate.key;
    
    
    # oder beispielsweise mit Let's encrypt:
    #ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    
    # optional: OCSP stapling
    # zertifikat zu finden unter https://github.com/letsencrypt/website/blob/master/certs/lets-encrypt-x3-cross-signed.pem
    #ssl_stapling on;
    #ssl_stapling_verify on;
    #ssl_trusted_certificate /etc/letsencrypt/live/example.com/lets-encrypt-x3-cross-signed.pem;
    #resolver 8.8.4.4 8.8.8.8;
    
    # optional: DHE - generieren via "openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096"
    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    #add_header Content-Security-Policy "default-src https:; connect-src https:; font-src https: data:; frame-src https:; img-src https: data:; media-src https:;  object-src https:; script-src 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:;";
    #add_header X-Frame-Options SAMEORIGIN;
    #add_header Public-Key-Pins 'pin-sha256="<FILLMEOUT>"; pin-sha256="<FILLMEOUT>";max-age=5184000; includeSubDomains';
    server_name example.com
    root   /var/www/shop;
    index index.php index.html;
    error_log /var/log/nginx/example_errors.log notice;
    access_log /var/log/nginx/example_access.log combined buffer=16k;
    include /etc/nginx/fastcgi_params;
    location ~* \.(eot|ttf|woff|woff2|svg|css|less)$ {
        expires max;
        add_header Access-Control-Allow-Origin *;
        add_header Pragma public;
        access_log off;
        log_not_found off;
    }
    location @img_proxy {
        rewrite ^(.*)$ /index.php;
    }
    location ~ \.(gif|jpg|jpeg|png)$ {
        root   /var/www/example;
        try_files $uri @img_proxy;
        expires max;
        add_header Pragma public;
        access_log off;
        log_not_found off;
    }
    location ~* \.(js|css|ico)$ {
        expires max;
        add_header Pragma public;
        access_log off;
        log_not_found off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location ~ \.php$ {
        try_files $uri $uri/ =404;
        fastcgi_pass _php;
    }
    rewrite ^/includes/libs/minify/([a-z]=.*) /includes/libs/minify/index.php?$1 last;
    rewrite ^/min/([a-z]=.*) /min/index.php?$1 last;
    rewrite ^/asset/(.*) /includes/libs/minify/index.php?g=$1 last;
    rewrite ^/((urllist|sitemap_).*\.(xml|txt)(\.gz)?)$ /includes/sitemap.php?datei=$1 break;
    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }
    location /includes {
        location ~cron_inc.php{
            fastcgi_pass _php;
        }
        location ~sitemap.php{
            fastcgi_pass _php;
        }
        location ~preisverlaufgraph.php{
            fastcgi_pass _php;
        }
        location ~preisverlaufgraph_ofc.php{
            fastcgi_pass _php;
        }
        location ~newslettertracker.php{
            fastcgi_pass _php;
        }
        location ~libs/minify/index.php{
            fastcgi_pass _php;
        }
        location ~plugins/kk_dropper/version/(.*)/adminmenu/kk_upload.php{
            fastcgi_pass _php;
        }
        location ~plugins/jtl_amazon/version/(.*)/frontend/ipn.php{
            fastcgi_pass _php;
        }
        location ~plugins/jtl_amazon/version/(.*)/frontend/feed.php{
            fastcgi_pass _php;
        }
        location ~modules/notify.php{
            fastcgi_pass _php;
        }
        location ~modules/libs/kcfinder-2.5.4/themes {
            fastcgi_pass _php;
        }
        location ~modules/paypal/PayPal.class.php{
            fastcgi_pass _php;
        }
        location ~modules/safetypay{
            fastcgi_pass _php;
        }
        location ~captcha/captcha.php{
            fastcgi_pass _php;
        }
        location ~libs/kcfinder/browse.php{
            fastcgi_pass _php;
        }
        location ~libs/kcfinder/upload.php{
            fastcgi_pass _php;
        }
        location ~libs/kcfinder/css.php{
            fastcgi_pass _php;
        }
        location ~libs/kcfinder/js_localize.php{
            fastcgi_pass _php;
        }
        location ~libs/kcfinder-2.5.4/browse.php{
            fastcgi_pass _php;
        }
        location ~libs/kcfinder-2.5.4/upload.php{
            fastcgi_pass _php;
        }
        location ~libs/kcfinder-2.5.4/css.php{
            fastcgi_pass _php;
        }
        location ~libs/kcfinder-2.5.4/js_localize.php{
            fastcgi_pass _php;
        }
        location ~libs/kcfinder-2.5.4/js/browser/joiner.php{
            fastcgi_pass _php;
        }
        location ~ext/uploads_cb.php{
            fastcgi_pass _php;
        }
        location ~plugins/jtl_cdn/(.*)/ajax.php{
            fastcgi_pass _php;
        }
        location ~plugins/jtl_search/(.*)/suggest.php{
            fastcgi_pass _php;
        }
        location ~plugins/jtl_search/(.*)/suggestforward.php{
            fastcgi_pass _php;
        }
        location ~plugins/jtl_ustdownload/(.*)/set_default.php{
            fastcgi_pass _php;
        }
        location ~plugins/evo_editor/(.*)/api.php{
            fastcgi_pass _php;
        }
        location ~ \.php$ {
            deny all;
        }
    }
    location /classes {
        location ~ \.php$ {
            deny all;
        }
    }
    location /templates {
        location ~ \.php$ {
            deny all;
        }
        location ~ \.tpl$ {
            deny all;
        }
    }
    location /jtllogs {
        deny all;
    }
    location /update {
        deny all;
    }
    location /uploads {
        deny all;
    }
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
    location /xhgui {
            try_files $uri $uri/ /xhgui/webroot/index.php?$uri&$args;
    }
}