silverstripe-framework/docs/en/installation/nginx.md

# Nginx

These instructions are also covered in less detail on the
[Nginx Wiki](http://wiki.nginx.org/SilverStripe).

The prerequisite is that you have already installed Nginx and you are
able to run PHP files via the FastCGI-wrapper from Nginx.

Now you need to set up a virtual host in Nginx with the following
configuration settings:

	server {
		listen 80;
		
		# SSL configuration (optional, but recommended for security)
		include ssl
		
		root /var/www/example.com;
		index index.php index.html index.htm;
		
		server_name example.com;
		
		include silverstripe3;
		include htaccess;
	}

Here is the include file `silverstripe3`:

	location / {
		try_files $uri @silverstripe;
	}
	 
	location @silverstripe {
		include fastcgi_params;
		
		# Defend against arbitrary PHP code execution
		# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
		# More info:
		# https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		
		fastcgi_param SCRIPT_FILENAME $document_root/framework/main.php;
		fastcgi_param SCRIPT_NAME /framework/main.php;
		fastcgi_param QUERY_STRING url=$uri&$args;
		
		fastcgi_pass unix:/var/run/php5-fpm.sock;
		fastcgi_index index.php;
		fastcgi_buffer_size 32k;
		fastcgi_buffers 4 32k;
		fastcgi_busy_buffers_size 64k;
	}


Here is the include file `htaccess`:

	# Don't serve up any .htaccess files
	location ~ /\.ht {
		deny all;
	}
	
	# Deny access to silverstripe-cache
	location ~ ^/silverstripe-cache {
		deny all;
	}
	
	# Don't execute scripts in the assets
	location ^~ /assets/ {
		try_files $uri $uri/ =404;
	}
	
	# Block access to yaml files
	location ~ \.yml$ {
		deny all;
	}
	
	# cms & framework .htaccess rules
	location ~ ^/(cms|framework|mysite)/.*\.(php|php[345]|phtml|inc)$ {
		deny all;
	}
	location ~ ^/(cms|framework)/silverstripe_version$ {
		deny all;
	}
	location ~ ^/framework/.*(main|static-main|rpc|tiny_mce_gzip)\.php$ {
		allow all;
	}

Here is the optional include file `ssl`:

	listen 443 ssl;
	ssl_certificate server.crt;
	ssl_certificate_key server.key;
	ssl_session_timeout 5m;
	ssl_protocols SSLv3 TLSv1;
	ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;

The above configuration sets up a virtual host `example.com` with
rewrite rules suited for SilverStripe. The location block named
`@silverstripe` passes all php scripts to the FastCGI-wrapper via a Unix
socket. This example is from a site running Ubuntu with the php5-fpm
package.

Now you can proceed with the SilverStripe installation normally.
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00			`# Nginx`

Update documentation of nginx configuration - Avoid using "if" to check for file existence (use try_files instead) - Replicate the behavior of the .htaccess files - TODO: get static error pages to work 2012-12-14 23:26:13 +01:00			`These instructions are also covered in less detail on the`
			`[Nginx Wiki](http://wiki.nginx.org/SilverStripe).`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00
Update documentation of nginx configuration - Avoid using "if" to check for file existence (use try_files instead) - Replicate the behavior of the .htaccess files - TODO: get static error pages to work 2012-12-14 23:26:13 +01:00			`The prerequisite is that you have already installed Nginx and you are`
			`able to run PHP files via the FastCGI-wrapper from Nginx.`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00
Update documentation of nginx configuration - Avoid using "if" to check for file existence (use try_files instead) - Replicate the behavior of the .htaccess files - TODO: get static error pages to work 2012-12-14 23:26:13 +01:00			`Now you need to set up a virtual host in Nginx with the following`
			`configuration settings:`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00
			`server {`
Update documentation of nginx configuration - Avoid using "if" to check for file existence (use try_files instead) - Replicate the behavior of the .htaccess files - TODO: get static error pages to work 2012-12-14 23:26:13 +01:00			`listen 80;`

			`# SSL configuration (optional, but recommended for security)`
			`include ssl`

			`root /var/www/example.com;`
			`index index.php index.html index.htm;`

			`server_name example.com;`
Document that yaml files shouldnt be served directly 2013-01-29 02:11:52 +01:00
Update documentation of nginx configuration - Avoid using "if" to check for file existence (use try_files instead) - Replicate the behavior of the .htaccess files - TODO: get static error pages to work 2012-12-14 23:26:13 +01:00			`include silverstripe3;`
			`include htaccess;`
			`}`

			Here is the include file `silverstripe3`:

			`location / {`
			`try_files $uri @silverstripe;`
			`}`
Document that yaml files shouldnt be served directly 2013-01-29 02:11:52 +01:00
Update documentation of nginx configuration - Avoid using "if" to check for file existence (use try_files instead) - Replicate the behavior of the .htaccess files - TODO: get static error pages to work 2012-12-14 23:26:13 +01:00			`location @silverstripe {`
			`include fastcgi_params;`

			`# Defend against arbitrary PHP code execution`
			`# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini`
			`# More info:`
			`# https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/`
			`fastcgi_split_path_info ^(.+\.php)(/.+)$;`

			`fastcgi_param SCRIPT_FILENAME $document_root/framework/main.php;`
			`fastcgi_param SCRIPT_NAME /framework/main.php;`
			`fastcgi_param QUERY_STRING url=$uri&$args;`

			`fastcgi_pass unix:/var/run/php5-fpm.sock;`
			`fastcgi_index index.php;`
			`fastcgi_buffer_size 32k;`
			`fastcgi_buffers 4 32k;`
			`fastcgi_busy_buffers_size 64k;`
			`}`


			Here is the include file `htaccess`:

			`# Don't serve up any .htaccess files`
			`location ~ /\.ht {`
			`deny all;`
			`}`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00
Update documentation of nginx configuration - Avoid using "if" to check for file existence (use try_files instead) - Replicate the behavior of the .htaccess files - TODO: get static error pages to work 2012-12-14 23:26:13 +01:00			`# Deny access to silverstripe-cache`
			`location ~ ^/silverstripe-cache {`
			`deny all;`
			`}`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00
Update documentation of nginx configuration - Avoid using "if" to check for file existence (use try_files instead) - Replicate the behavior of the .htaccess files - TODO: get static error pages to work 2012-12-14 23:26:13 +01:00			`# Don't execute scripts in the assets`
			`location ^~ /assets/ {`
			`try_files $uri $uri/ =404;`
			`}`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00
Document that yaml files shouldnt be served directly 2013-01-29 02:11:52 +01:00			`# Block access to yaml files`
			`location ~ \.yml$ {`
			`deny all;`
			`}`

Update documentation of nginx configuration - Avoid using "if" to check for file existence (use try_files instead) - Replicate the behavior of the .htaccess files - TODO: get static error pages to work 2012-12-14 23:26:13 +01:00			`# cms & framework .htaccess rules`
			`location ~ ^/(cms\|framework\|mysite)/.*\.(php\|php[345]\|phtml\|inc)$ {`
			`deny all;`
			`}`
			`location ~ ^/(cms\|framework)/silverstripe_version$ {`
			`deny all;`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00			`}`
Update documentation of nginx configuration - Avoid using "if" to check for file existence (use try_files instead) - Replicate the behavior of the .htaccess files - TODO: get static error pages to work 2012-12-14 23:26:13 +01:00			`location ~ ^/framework/.*(main\|static-main\|rpc\|tiny_mce_gzip)\.php$ {`
			`allow all;`
			`}`

			Here is the optional include file `ssl`:
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00
Update documentation of nginx configuration - Avoid using "if" to check for file existence (use try_files instead) - Replicate the behavior of the .htaccess files - TODO: get static error pages to work 2012-12-14 23:26:13 +01:00			`listen 443 ssl;`
			`ssl_certificate server.crt;`
			`ssl_certificate_key server.key;`
			`ssl_session_timeout 5m;`
			`ssl_protocols SSLv3 TLSv1;`
			`ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00
Update documentation of nginx configuration - Avoid using "if" to check for file existence (use try_files instead) - Replicate the behavior of the .htaccess files - TODO: get static error pages to work 2012-12-14 23:26:13 +01:00			The above configuration sets up a virtual host `example.com` with
			`rewrite rules suited for SilverStripe. The location block named`
			`@silverstripe` passes all php scripts to the FastCGI-wrapper via a Unix
			`socket. This example is from a site running Ubuntu with the php5-fpm`
			`package.`
ENHANCEMENT Added sapphire/docs (migrated from https://github.com/chillu/silverstripe-doc-restructuring) 2011-02-07 07:48:44 +01:00
			`Now you can proceed with the SilverStripe installation normally.`