Quite some time ago, I linked already to the cakephp-config-for-nginx/ blog post.
And my post about Apache setup is also now almost 10 years old.
It is time to update also my blog about the latest configuration here, and in particular about Nginx setup for both local and production environments.
Basics
You should always point your domain (or subdomain) to your public directory "webroot", as shown below.
Local setup
For a local setup, you don’t necessarily need HTTPS config.
So for a more simple setup, you can for example do:
server {
listen 80;
server_name sandbox.local;
client_max_body_size 64M;
# root directive should be global
root /home/vagrant/Apps/sandbox/webroot;
index index.php;
access_log /var/log/nginx/sandbox.access.log;
error_log /var/log/nginx/sandbox.error.log;
location / {
try_files $uri \$uri /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; # Specify your PHP version here
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
Then you can browse your app as http://sandbox.local for example.
Production setup
Here, we definitely want to do HTTPS.
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name www.sandbox.de;
root /var/www/dereuromark/sandbox/webroot;
index index.php;
location / {
index index.php;
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
}
location ~ /\.ht {
deny all;
}
ssl on;
ssl_certificate /etc/letsencrypt/live/sandbox.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sandbox.de/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
access_log /var/log/nginx/sandbox.access.log;
error_log /var/log/nginx/sandbox.error.log;
# CloudFlare real IP (if behind cloudfare)
include /etc/nginx/cloudflare-real-ip.conf;
}
The example also includes the SSL example using the free "letsencrypt" service.
This is optional but will render your website "safe" and also speeds it up by caching already a lot of resources out of the box.
Cloudflare is optional, as well. It helps to keep the site a bit more safe from attacks and speeds up asset delivery.
If you include this, you might want to use a real IP config to proxy the visitors IP through. Otherwise, you would only see the cloudflare IP.
Check their docs for details, it usually contains something along the lines of
set_real_ip_from ...;
real_ip_header CF-Connecting-IP;
Redirects
You want your website to be only available through one main URL.
In my case, my websites usually always available only using https://www.DOMAIN or subdomains such as https://subdomain.DOMAIN.
Add a server based redirect to the canonical version of your domain, so either with or without www. prefix:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name dereuromark.de;
return 301 https://www.dereuromark.de$request_uri;
}
This snippet always adds a www. prefix. And to simplify, it also directly targets HTTPS.
Also a HTTP to HTTPS (force) redirect makes a lot of sense:
server {
listen 80;
listen [::]:80;
server_name dereuromark.de www.dereuromark.de;
return 301 https://$server_name$request_uri;
}
Note: If you want to avoid one redirect, you could split the last example into both 80 and 443 snippets. But the browser caches 301s anyway, so not too much gain here.
Now search engines won’t index multiple domains/versions, and it also doesn’t allow anyone to browse it through unsafe HTTP access.
Double-check that the browser displays the green "lock" icon and confirms that your site is using HTTPS-only connection/traffic now no matter what domain you type in.
More
Anything left out? Do you have other useful tips, tricks, addons, or tools around Nginx setup?
Add them as comments below.
https://github.com/hophuoctrung/DockerPHP/blob/main/cakephp.nginx.conf
Hi Mark, Can you check this config for me? I found it on github and it doesn’t seem as complicated as you suggested, can I use it? because it is working quite well. I’m new, thanks