
CMS CS-Cart Правильная настройка NGINX

Среди популярных CMS для электронной коммерции одно из лидирующих мест, без сомнения, занимает CS-Cart. И правда, система довольно хорошо написана и имеет развитое сообщество разработчиков и администраторов. К сожалению, в официальной документации по настройке NGINX указаны не совсем верные данные. Если использовать готовый conf-файл от разработчика, система не только не сможет штатно обновиться, но и не сможет автоматически выпустить сертификат Let's Encrypt (для тех, кто им пользуется, проблема актуальная). Представляю валидный конфиг, полученный методом проб и ошибок:

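# Plain-HTTP virtual host. Its only job is to send every request to HTTPS.
#
# A `return` at server level runs in the server rewrite phase, before nginx
# selects a location. In the original block that made the www `if`, the
# `error_page 598` handler and every `location` unreachable: dead copies of the
# HTTPS rules that could silently drift from the real ones. They are dropped
# here; all access rules live in the :443 server only.
# The redirect also covers /.well-known/acme-challenge/, so HTTP-01 validation
# is answered by the HTTPS server after the redirect.
server {
    listen  <IP АДРЕС СЕРВЕРА>:80;
    server_name <ДОМЕННОЕ ИМЯ> www.<ДОМЕННОЕ ИМЯ>;

    # Kept because the panel-managed includes below may reference them.
    # NOTE(review): confirm against the contents of the included files.
    set $root_path /var/www/<ИМЯ ПОЛЬЗОВАТЕЛЯ>/data/www/<ДОМЕННОЕ ИМЯ>;
    root $root_path;

    # Header limits still apply while the request line and headers are read,
    # i.e. before the redirect is issued.
    client_header_timeout           3m;
    client_header_buffer_size       1k;
    large_client_header_buffers     4 16k;

    include /etc/nginx/vhosts-includes/*.conf;
    include /etc/nginx/vhosts-resources/<ДОМЕННОЕ ИМЯ>/*.conf;
    access_log /var/www/httpd-logs/<ДОМЕННОЕ ИМЯ>.access.log;
    error_log /var/www/httpd-logs/<ДОМЕННОЕ ИМЯ>.error.log notice;

    # The explicit ":443" was redundant for an https:// URL and is omitted.
    # $host is taken from the request; if this block can also be reached as the
    # default server for the address, the redirect target follows whatever Host
    # the client sent. NOTE(review): use the canonical domain name here if that
    # matters for this deployment.
    return 301 https://$host$request_uri;
}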

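# HTTPS virtual host for CS-Cart (nginx + PHP-FPM).
#
# How PHP is reached: no location calls fastcgi_pass directly. Locations that
# are allowed to run PHP `return 598`, and `error_page 598 = @backend` turns
# that into an internal jump to the single FastCGI block. Any location that
# returns 404 instead therefore never reaches PHP-FPM.
#
# Regex locations are tested in file order and the first match wins, so the
# deny rules for var/ and app/ must stay above the generic static-file rule.
server {
    listen <IP АДРЕС СЕРВЕРА>:443 ssl;
    server_name <ДОМЕННОЕ ИМЯ> www.<ДОМЕННОЕ ИМЯ>;

    ssl_certificate "/var/www/httpd-cert/<ИМЯ ПОЛЬЗОВАТЕЛЯ>/<ДОМЕННОЕ ИМЯ>_le3.crtca";
    ssl_certificate_key "/var/www/httpd-cert/<ИМЯ ПОЛЬЗОВАТЕЛЯ>/<ДОМЕННОЕ ИМЯ>_le3.key";

    # NOTE(review): "RSA+AES" still permits static-RSA key exchange, which has
    # no forward secrecy. Consider restricting the list to EECDH suites once
    # client compatibility has been checked.
    ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:!NULL:!RC4;
    ssl_prefer_server_ciphers on;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the list.
    # Add TLSv1.3 where the installed nginx (1.13.0+) and OpenSSL (1.1.1+)
    # support it; older builds reject the parameter.
    ssl_protocols TLSv1.2;
    ssl_dhparam /etc/ssl/certs/dhparam4096.pem;

    # "always" also sends the header on error responses (404 and similar).
    # add_header is inherited only by locations that define no add_header of
    # their own, so the static-file locations below repeat this line.
    add_header Strict-Transport-Security "max-age=31536000;" always;

    charset utf-8;
    set $root_path /var/www/<ИМЯ ПОЛЬЗОВАТЕЛЯ>/data/www/<ДОМЕННОЕ ИМЯ>;
    root $root_path;
    index  index.php index.html index.htm;

    # NOTE(review): compressing dynamic pages served over TLS is the
    # precondition for BREACH-style attacks when a response mixes secrets with
    # reflected input. Confirm this is acceptable for the storefront and admin
    # pages, or limit gzip to static assets.
    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length  1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types text/plain application/xml
    application/javascript
    text/css
    text/js
    text/xml
    application/x-javascript
    text/javascript
    application/json
    application/xml+rss;

    # 100 MB bodies with 3-minute timeouts are generous limits for anonymous
    # clients; tighten them if large imports are not uploaded through the web UI.
    client_max_body_size            100m;
    client_body_buffer_size         128k;
    client_header_timeout           3m;
    client_body_timeout             3m;
    send_timeout                    3m;
    client_header_buffer_size       1k;
    large_client_header_buffers     4 16k;

    # Refuse to follow symlinks whose target is owned by a different user.
    disable_symlinks if_not_owner from=$root_path;

    include /etc/nginx/vhosts-includes/*.conf;
    include /etc/nginx/vhosts-resources/<ДОМЕННОЕ ИМЯ>/*.conf;
    access_log /var/www/httpd-logs/<ДОМЕННОЕ ИМЯ>.access.log;
    error_log /var/www/httpd-logs/<ДОМЕННОЕ ИМЯ>.error.log notice;

    # NOTE(review): SSI is processed in text/html responses, including those
    # produced by PHP. If user-supplied text can end up in a page unescaped,
    # SSI directives inside it would be interpreted. Turn this off unless the
    # site really uses server-side includes.
    ssi on;

    error_page 598 = @backend;

    # www -> bare domain. The pattern is anchored so only a leading "www."
    # triggers the redirect (the original matched "www." anywhere in the host).
    if ($host ~* ^www\.) {
        return 301 https://<ДОМЕННОЕ ИМЯ>$request_uri;
    }

    # Single FastCGI entry point, reached only through `return 598`.
    location @backend {
        # Check that the requested script exists before handing it to PHP-FPM;
        # otherwise fall back to /index.php.
        # NOTE(review): $2/$3 refer to captures of the most recently matched
        # regex and are probably empty by the time this block runs; confirm.
        try_files $uri $uri/ /$2$3 /$3 /index.php  =404;
        fastcgi_pass unix:/var/www/php-fpm/<ИМЯ ПОЛЬЗОВАТЕЛЯ>.sock;
        fastcgi_index index.php;
        fastcgi_read_timeout 360;
        fastcgi_param  QUERY_STRING       $query_string;
        fastcgi_param  REQUEST_METHOD     $request_method;
        fastcgi_param  CONTENT_TYPE       $content_type;
        fastcgi_param  CONTENT_LENGTH     $content_length;
        fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
        fastcgi_param  REQUEST_URI        $request_uri;
        fastcgi_param  DOCUMENT_URI       $document_uri;
        fastcgi_param  DOCUMENT_ROOT      $document_root;
        fastcgi_param  SERVER_PROTOCOL    $server_protocol;
        fastcgi_param  HTTPS              $https if_not_empty;
        fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
        fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
        fastcgi_param  REMOTE_ADDR        $remote_addr;
        fastcgi_param  REMOTE_PORT        $remote_port;
        fastcgi_param  SERVER_ADDR        $server_addr;
        fastcgi_param  SERVER_PORT        $server_port;
        fastcgi_param  SERVER_NAME        $server_name;
        fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        fastcgi_param  REDIRECT_STATUS    200;
    }

    # Front controller: anything that is not a real file goes to index.php.
    location  / {
        index  index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$args;
    }

    # REST API entry point, optionally below one or two path prefixes.
    location ~ ^/(\w+/)?(\w+/)?api/ {
        rewrite ^/(\w+/)?(\w+/)?api/(.*)$ /api.php?_d=$3&ajax_custom=1&$args last;
        rewrite_log off;
    }

    # --- var/: database dumps, backups and restore data are never served ---
    location ~ ^/(\w+/)?(\w+/)?var/database/ {
        return 404;
    }

    location ~ ^/(\w+/)?(\w+/)?var/backups/ {
        return 404;
    }

    location ~ ^/(\w+/)?(\w+/)?var/restore/ {
        return 404;
    }

    # Theme repository: assets are public, templates and PHP sources are not.
    location ~ ^/(\w+/)?(\w+/)?var/themes_repository/ {
        allow all;
        location ~* \.(tpl|php.?)$ {
            return 404;
        }
    }

    # Rest of var/: denied, except for the asset types matched by the nested
    # location.
    location ~ ^/(\w+/)?(\w+/)?var/ {
        return 404;
        location ~* /(\w+/)?(\w+/)?(.+\.(js|css|png|jpe?g|gz|yml|xml))$ {
            try_files $uri $uri/ /$2$3 /$3 /index.php?$args;
            allow all;
            access_log off;
            expires 1M;
            add_header Cache-Control public;
            # NOTE(review): the wildcard also covers gz/yml/xml files under
            # var/; confirm those are meant to be readable from any origin.
            add_header Access-Control-Allow-Origin *;
            # Repeated because this location defines its own add_header set.
            add_header Strict-Transport-Security "max-age=31536000;" always;
        }
    }

    # --- app/: only payment callbacks and the 1C exchange add-on run PHP ---
    location ~ ^/(\w+/)?(\w+/)?app/payments/ {
        return 404;
        location ~ \.php$ {
            return 598;
        }
    }

    location ~ ^/(\w+/)?(\w+/)?app/addons/rus_exim_1c/ {
        return 404;
        location ~ \.php$ {
            return 598;
        }
    }

    location ~ ^/(\w+/)?(\w+/)?app/ {
        return 404;
    }

    # Generic static files. This must stay below the var/ and app/ rules above.
    # NOTE(review): the list includes zip, tar, csv and txt, so an archive or
    # export left in the web root outside var/ and app/ would be served, with
    # far-future caching and a wildcard CORS header. Trim the extensions that
    # the storefront does not need.
    location ~* /(\w+/)?(\w+/)?(.+\.(jpe?g|jpg|ico|gif|png|css|js|pdf|txt|tar|woff|svg|ttf|eot|csv|zip|xml|yml))$ {
        access_log off;
        try_files $uri $uri/ /$2$3 /$3 /index.php?$args;
        expires max;
        add_header Access-Control-Allow-Origin *;
        add_header Cache-Control public;
        # Repeated because this location defines its own add_header set.
        add_header Strict-Transport-Security "max-age=31536000;" always;
    }

    # --- Content directories: never execute PHP, never expose templates ---
    location ~ ^/(\w+/)?(\w+/)?design/ {
        allow all;
        location ~* \.(tpl|php.?)$ {
            return 404;
        }
    }

    location ~ ^/(\w+/)?(\w+/)?images/ {
        allow all;
        location ~* \.(php.?)$ {
            return 404;
        }
    }

    location ~ ^/(\w+/)?(\w+/)?js/ {
        allow all;
        location ~* \.(php.?)$ {
            return 404;
        }
    }

    # The bootstrap file is not a web entry point. The dot is escaped so the
    # rule matches the literal name "init.php".
    location ~ ^/(\w+/)?(\w+/)?init\.php {
        return 404;
    }

    # Templates anywhere else in the tree.
    location ~* \.(tpl.?)$ {
        return 404;
    }

    # .htaccess/.htpasswd files and Git metadata.
    location ~ /\.(ht|git) {
        return 404;
    }

    # Every remaining .php request goes to PHP-FPM through @backend.
    location ~* \.php$ {
        return 598 ;
    }
}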

Данный конфиг используется для двух сайтов на VDS со следующими характеристиками:

OS Debian 9 x64, NGINX+PHP-FPM, SSL Let's Encrypt, переадресация с www на без www, переадресация с http на https.

Кому интересен хороший и недорогой хостинг VDS рекомендую ServTech

Автор: Master Wenom
18 марта 2019