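user www-data;
# One worker per CPU core. "auto" (available since nginx 1.2.5, and the file
# already needs 1.2.6 for $msec) takes the count from the host, which on the
# 8-core web hosts is the 8 that used to be hard-coded here; new hosts with a
# different core count no longer need this file changed.
worker_processes auto;
pid /var/run/nginx.pid;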

events {
    # per worker, so eight workers give 8192 concurrent connections
    worker_connections 1024;
    # multi_accept on;
}

http {
    # Basic Settings
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    # omit the nginx version from the Server header and error pages
    server_tokens       off;

    # document root and index shared by every server block in this file
    root  /var/www/www.company-name.com/current;
    index index.php;

    # access-log format; X-Forwarded-For is included to aid debugging behind
    # the load balancers (it is client-supplied text, so read it as such)
    log_format main '$remote_addr - $remote_user $time_local '
                    '"$request" $status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" $http_x_forwarded_for';

    # Barracuda devices send header names containing underscores; see
    # http://stackoverflow.com/questions/8300136/where-does-the-cuda-cliip-http-header-come-from
    # NOTE(review): with this on, "X_Forwarded_For" and "X-Forwarded-For"
    # both arrive in PHP as HTTP_X_FORWARDED_FOR, so a client can make two
    # differently named headers collide on one CGI variable.
    underscores_in_headers on;

    # New Relic request-queue timestamp; needs nginx 1.2.6 or later for $msec
    # https://newrelic.com/docs/features/request-queuing-and-tracking-front-end-time
    # NOTE(review): fastcgi_param is inherited only by blocks that define no
    # fastcgi_param of their own. The server blocks below define several, so
    # this value does not reach them; it would only apply to a server (e.g.
    # from conf.d) that sets none.
    fastcgi_param HTTP_X_REQUEST_START "t=${msec}000";

    # responses from proxied backends are streamed rather than buffered
    proxy_buffering off;

    # PHP back end
    # PHP back end: php-fpm reached over a unix socket
    upstream backend {
        # the socket path is the one configured in /etc/php5/fpm/pool.d/www.conf
        # NOTE(review): /tmp is world-writable; confirm the pool restricts the
        # socket's owner and mode so only the nginx user can connect to it
        server unix:/tmp/php-cgi.socket;
    }

    # Magento admin requests are proxied to admin-specific hosts so that
    # long-running or complex admin work stays off the public-facing web
    # hosts; those hosts run PHP with a higher memory_limit.
    # NOTE(review): only one server is listed, so the proxy_next_upstream
    # settings in the admin locations currently have nothing to fail over to.
    upstream admin-backend {
        server 10.1.0.104;
    }

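    server {
        server_name www.client-name.com production.alternate-domain.com;
        access_log /var/log/nginx/www.company-name.com.access.log main;
        error_log /var/log/nginx/www.company-name.com.error.log info;

        # 504 is a PHP timeout and 502 a momentary PHP-FPM restart: both are
        # answered with a static page that must not depend on PHP. The page is
        # reached by internal redirect through "location /" below, which
        # deliberately has no fastcgi_pass. Other 50x codes are left to Magento.
        error_page 502 504 /errors/company-name/504.html;

        listen 80;
        listen 443 ssl;

        # pass all Magento admin requests to the dedicated admin web hosts.
        # NOTE(review): the pattern is unanchored and case-insensitive, so any
        # URI that merely contains "/admin" (adminhtml skin assets, for
        # instance) is proxied as well; confirm that is intended. The hop to
        # the admin backend is plain HTTP on the internal network.
        location ~* /(index\.php/admin|admin) {
            proxy_pass http://admin-backend;
            # admin-backend currently lists a single server, so there is
            # nothing to fail over to; kept for when more hosts are added
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            # the backend answers uncompressed; gzip is applied here on the
            # way out (gzip_proxied any at the http level)
            proxy_set_header        Accept-Encoding   "";
            proxy_set_header        Host              $host;
            proxy_set_header        X-Real-IP         $remote_addr;
            proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;
            # Intended to tell Magento the client connection is TLS so the
            # admin does not redirect back out to https. It has to be a
            # *request* header: add_header (used here before) only alters the
            # response the browser receives, which the backend never reads.
            # $https is "on" on TLS connections and empty otherwise, and nginx
            # omits a proxied header whose value is empty, so plain-HTTP admin
            # requests are not marked as secure.
            proxy_set_header        Front-End-Https   $https;
            proxy_redirect          off;
        }

        # sitemaps are served from their own directory; the dot before "xml"
        # is escaped so the pattern only matches a real ".xml" suffix
        location ~ ^/(.*)sitemap([0-9]*)\.xml$ {
            root /var/www/www.company-name.com/current/sitemaps;
        }

        # both of these URIs are also matched by the sitemap regex above, and
        # a matching regex wins over a plain prefix, so they are never selected
        location /sitemaps/sitemap.xml { allow all; }
        location /sitemaps/image-sitemap.xml { allow all; }

        ssl_certificate /etc/ssl/certs/_.company-name.com.crt;
        ssl_certificate_key /etc/ssl/private/_.company-name.com.key;
        # RC4 (prohibited by RFC 7465) and 3DES (64-bit blocks, Sweet32) are
        # excluded. DHE stays excluded because no ssl_dhparam is configured and
        # older nginx builds fall back to 1024-bit parameters; ECDHE suites
        # remain available through HIGH.
        ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES:!kEDH;
        # SSLv3 (POODLE) and TLS 1.0/1.1 ("early TLS") are no longer permitted
        # by PCI DSS 3.2; add TLSv1.3 once the nginx/OpenSSL build supports it
        ssl_protocols TLSv1.2;
        # the server's cipher order above takes precedence over the client's
        ssl_prefer_server_ciphers on;
        # the hardware load balancers statefully route SSL, so a per-host
        # session cache is sufficient
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # the hardware load balancers put the client address in X-Forwarded-For
        real_ip_header X-Forwarded-For;
        # every host in this /24 (the admin backend among them) is trusted to
        # set that header; narrow it to the load balancers' addresses if fixed
        set_real_ip_from 10.1.0.0/24;
        # X-Forwarded-For is a comma-separated chain. With recursion on, nginx
        # walks it from the right, skips trusted addresses and takes the last
        # untrusted one as $remote_addr; a value forged by the client sits to
        # the left of what the load balancer appended and is therefore ignored.
        real_ip_recursive on;

        # bodies up to client_body_buffer_size are held in memory; larger ones
        # (up to client_max_body_size) are written to a temporary file
        client_max_body_size          16m;
        client_body_buffer_size       2m;
        client_header_buffer_size     16k;
        large_client_header_buffers   8 8k;

        # default ENV vars
        fastcgi_param           MAGE_RUN_CODE   base;
        fastcgi_param           MAGE_RUN_TYPE   website;
        # request-queue timestamp for New Relic. fastcgi_param directives are
        # inherited from the http level only by blocks that define none of
        # their own, so the copy at http level never reaches this server and
        # it has to be repeated here.
        fastcgi_param           HTTP_X_REQUEST_START "t=${msec}000";
        fastcgi_read_timeout    90s;
        fastcgi_send_timeout    60s;
        fastcgi_index           index.php;
        # the script path handed to PHP-FPM is built from the document root
        # and the script name only; the "\.php$" location below additionally
        # refuses scripts that do not exist on disk
        fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param           SCRIPT_NAME $fastcgi_script_name;
        include fastcgi_params;

        # PHP-FPM response buffers, sized so responses normally stay in memory
        # (anything beyond them still spills to a temporary file)
        fastcgi_buffers 512 16k;
        fastcgi_buffer_size 512k;
        fastcgi_busy_buffers_size 512k;

        # index.html first so a maintenance page dropped into the document
        # root takes precedence over Magento; this only works because
        # "location /" lets nginx serve the directory itself
        index index.html index.php;

        # rewrite API2 calls to api.php (REST only); the original query string
        # is appended after "&type=rest"
        rewrite ^/api/rest(.*) /api.php?$1&type=rest;

        # Deny protected Magento files. "^~" makes the prefix match final:
        # without it the regex locations further down are still consulted and
        # win, so the static-file pattern would serve .xml/.txt files under
        # these paths and the "\.php$" pattern would execute PHP under them.
        # access_log off also hides probing of these paths; keep the log on if
        # that signal is wanted.
        location ^~ /app/     { deny all; access_log off; }
        location ^~ /cert/     { deny all; access_log off; }
        location ^~ /chef/     { deny all; access_log off; }
        location ^~ /cron.php     { deny all; access_log off; }
        location ^~ /db_back/     { deny all; access_log off; }
        location ^~ /downloader/     { deny all; access_log off; }
        location ^~ /includes/     { deny all; access_log off; }
        location ^~ /index.php.dev.php     { deny all; access_log off; }
        location ^~ /install.php     { deny all; access_log off; }
        location ^~ /lib/     { deny all; access_log off; }
        location ^~ /media/downloadable/     { deny all; access_log off; }
        location ^~ /pagoda/     { deny all; access_log off; }
        location ^~ /pkginfo/     { deny all; access_log off; }
        location ^~ /prototype/     { deny all; access_log off; }
        location ^~ /report/config.xml     { deny all; access_log off; }
        location ^~ /utility/     { deny all; access_log off; }
        location ^~ /util/     { deny all; access_log off; }
        location ^~ /var/     { deny all; access_log off; }
        # deny access to dotfiles (.git, .htaccess, ...); this regex is listed
        # before the static-file regexes on purpose, as regex order decides
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }
        # Disable PHP execution in var and media. The nested regex is checked
        # inside the prefix match and is taken before the server-level
        # "\.php$" location, while non-PHP files under /media still fall
        # through to the static-file regexes. "/var/" is denied outright
        # above; this "/var" block only covers the bare prefix.
        location /var { location ~ \.php$ {return 403;} }
        location /media { location ~ \.php$ {return 403;} }

        # remove the cache-busting timestamp: /x.1234.js is served as /x.js
        location ~* (.+)\.(\d+)\.(js|css|png|jpg|jpeg|gif)$ {
            try_files $uri $1.$3;
            access_log off;
            log_not_found off;
            expires 21d;
            add_header Cache-Control "public";
        }
        # do not log static files. The optional "?digits" group can only match
        # a literal "?" in $uri (location matching never sees the query
        # string), so "?timestamp" cache-busters are covered by the plain
        # suffix match.
        location ~* \.(jpg|jpeg|gif|css|png|js|ico|txt|swf|xml|svg|svgz|mp4|ogg|ogv)(\?[0-9]+)?$ {
            access_log off;
            log_not_found off;
            expires 21d;
            add_header Cache-Control "public";
        }

        # CSS and JS: Magento's minify URLs map onto m.php; "last" re-runs the
        # location search with the rewritten URI, which ends in .php and so
        # reaches the PHP location below. /lib/ is denied above, hence the
        # explicit /lib/minify/ block (longest prefix wins, and this one has
        # no "^~", so regex locations still apply beneath it).
        rewrite ^/minify/([0-9]+)(/.*.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;
        rewrite ^/skin/m/([0-9]+)(/.*.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;
        location /lib/minify/ {
            allow all;
        }

        # the javascript compressor; "^~" makes this prefix final so the
        # generic "\.php$" location does not apply. Unlike that location it
        # has no try_files guard.
        location ^~ /js/index.php {
            access_log off;
            expires 30d;
            fastcgi_pass backend;
        }
        # use fastcgi for all php files
        location ~ \.php$ {
            expires off;
            # 404 if the script does not exist on disk; this also keeps PHP's
            # path-info resolution from running some other file
            try_files $uri =404;
            fastcgi_pass backend;
        }

        # everything else: serve the file if it exists, otherwise route the
        # request through Magento's front controller. There is deliberately no
        # fastcgi_pass here: with one, a found static file (the maintenance
        # index.html, the 502/504 error page) was handed to PHP-FPM instead of
        # being served by nginx, and the index directive never ran. /index.php
        # is now the fallback (an internal redirect that lands in the "\.php$"
        # location) rather than a file test; $is_args$args carries the query
        # string across the redirect, which would otherwise drop it.
        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }
    }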
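    server {
        server_name internal.company-name.com internal.alternate-domain.com;
        access_log /var/log/nginx/internal.company-name.com.access.log main;
        error_log /var/log/nginx/internal.company-name.com.error.log info;

        # 504 is a PHP timeout and 502 a momentary PHP-FPM restart: both are
        # answered with a static page that must not depend on PHP. The page is
        # reached by internal redirect through "location /" below, which
        # deliberately has no fastcgi_pass. Other 50x codes are left to Magento.
        error_page 502 504 /errors/company-name/504.html;

        listen 80;
        listen 443 ssl;

        # pass all Magento admin requests to the dedicated admin web hosts.
        # NOTE(review): the pattern is unanchored and case-insensitive, so any
        # URI that merely contains "/admin" (adminhtml skin assets, for
        # instance) is proxied as well; confirm that is intended. The hop to
        # the admin backend is plain HTTP on the internal network.
        location ~* /(index\.php/admin|admin) {
            proxy_pass http://admin-backend;
            # admin-backend currently lists a single server, so there is
            # nothing to fail over to; kept for when more hosts are added
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            # the backend answers uncompressed; gzip is applied here on the
            # way out (gzip_proxied any at the http level)
            proxy_set_header        Accept-Encoding   "";
            proxy_set_header        Host              $host;
            proxy_set_header        X-Real-IP         $remote_addr;
            proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;
            # Intended to tell Magento the client connection is TLS so the
            # admin does not redirect back out to https. It has to be a
            # *request* header: add_header (used here before) only alters the
            # response the browser receives, which the backend never reads.
            # $https is "on" on TLS connections and empty otherwise, and nginx
            # omits a proxied header whose value is empty, so plain-HTTP admin
            # requests are not marked as secure.
            proxy_set_header        Front-End-Https   $https;
            proxy_redirect          off;
        }

        # sitemaps are served from their own directory; the dot before "xml"
        # is escaped so the pattern only matches a real ".xml" suffix
        location ~ ^/(.*)sitemap([0-9]*)\.xml$ {
            root /var/www/www.company-name.com/current/sitemaps;
        }

        # both of these URIs are also matched by the sitemap regex above, and
        # a matching regex wins over a plain prefix, so they are never selected
        location /sitemaps/sitemap.xml { allow all; }
        location /sitemaps/image-sitemap.xml { allow all; }

        ssl_certificate /etc/ssl/certs/_.company-name.com.crt;
        ssl_certificate_key /etc/ssl/private/_.company-name.com.key;
        # RC4 (prohibited by RFC 7465) and 3DES (64-bit blocks, Sweet32) are
        # excluded. DHE stays excluded because no ssl_dhparam is configured and
        # older nginx builds fall back to 1024-bit parameters; ECDHE suites
        # remain available through HIGH.
        ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES:!kEDH;
        # SSLv3 (POODLE) and TLS 1.0/1.1 ("early TLS") are no longer permitted
        # by PCI DSS 3.2; add TLSv1.3 once the nginx/OpenSSL build supports it
        ssl_protocols TLSv1.2;
        # the server's cipher order above takes precedence over the client's
        ssl_prefer_server_ciphers on;
        # the hardware load balancers statefully route SSL, so a per-host
        # session cache is sufficient
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # the hardware load balancers put the client address in X-Forwarded-For
        real_ip_header X-Forwarded-For;
        # every host in this /24 (the admin backend among them) is trusted to
        # set that header; narrow it to the load balancers' addresses if fixed
        set_real_ip_from 10.1.0.0/24;
        # X-Forwarded-For is a comma-separated chain. With recursion on, nginx
        # walks it from the right, skips trusted addresses and takes the last
        # untrusted one as $remote_addr; a value forged by the client sits to
        # the left of what the load balancer appended and is therefore ignored.
        real_ip_recursive on;

        # bodies up to client_body_buffer_size are held in memory; larger ones
        # (up to client_max_body_size) are written to a temporary file
        client_max_body_size          16m;
        client_body_buffer_size       2m;
        client_header_buffer_size     16k;
        large_client_header_buffers   8 8k;

        # default ENV vars (the internal website code; everything else is kept
        # in lockstep with the public server block above)
        fastcgi_param           MAGE_RUN_CODE   internal;
        fastcgi_param           MAGE_RUN_TYPE   website;
        # request-queue timestamp for New Relic. fastcgi_param directives are
        # inherited from the http level only by blocks that define none of
        # their own, so the copy at http level never reaches this server and
        # it has to be repeated here.
        fastcgi_param           HTTP_X_REQUEST_START "t=${msec}000";
        fastcgi_read_timeout    90s;
        fastcgi_send_timeout    60s;
        fastcgi_index           index.php;
        # the script path handed to PHP-FPM is built from the document root
        # and the script name only; the "\.php$" location below additionally
        # refuses scripts that do not exist on disk
        fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param           SCRIPT_NAME $fastcgi_script_name;
        include fastcgi_params;

        # PHP-FPM response buffers, sized so responses normally stay in memory
        # (anything beyond them still spills to a temporary file)
        fastcgi_buffers 512 16k;
        fastcgi_buffer_size 512k;
        fastcgi_busy_buffers_size 512k;

        # index.html first so a maintenance page dropped into the document
        # root takes precedence over PHP; this only works because
        # "location /" lets nginx serve the directory itself
        index index.html index.php;

        # rewrite API2 calls to api.php (REST only); the original query string
        # is appended after "&type=rest"
        rewrite ^/api/rest(.*) /api.php?$1&type=rest;

        # Deny protected Magento files. "^~" makes the prefix match final:
        # without it the regex locations further down are still consulted and
        # win, so the static-file pattern would serve .xml/.txt files under
        # these paths and the "\.php$" pattern would execute PHP under them.
        # access_log off also hides probing of these paths; keep the log on if
        # that signal is wanted.
        location ^~ /app/     { deny all; access_log off; }
        location ^~ /cert/     { deny all; access_log off; }
        location ^~ /chef/     { deny all; access_log off; }
        location ^~ /cron.php     { deny all; access_log off; }
        location ^~ /db_back/     { deny all; access_log off; }
        location ^~ /downloader/     { deny all; access_log off; }
        location ^~ /includes/     { deny all; access_log off; }
        location ^~ /index.php.dev.php     { deny all; access_log off; }
        location ^~ /install.php     { deny all; access_log off; }
        location ^~ /lib/     { deny all; access_log off; }
        location ^~ /media/downloadable/     { deny all; access_log off; }
        location ^~ /pagoda/     { deny all; access_log off; }
        location ^~ /pkginfo/     { deny all; access_log off; }
        location ^~ /prototype/     { deny all; access_log off; }
        location ^~ /report/config.xml     { deny all; access_log off; }
        location ^~ /utility/     { deny all; access_log off; }
        location ^~ /util/     { deny all; access_log off; }
        location ^~ /var/     { deny all; access_log off; }
        # deny access to dotfiles (.git, .htaccess, ...); this regex is listed
        # before the static-file regexes on purpose, as regex order decides
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }
        # Disable PHP execution in var and media. The nested regex is checked
        # inside the prefix match and is taken before the server-level
        # "\.php$" location, while non-PHP files under /media still fall
        # through to the static-file regexes. "/var/" is denied outright
        # above; this "/var" block only covers the bare prefix.
        location /var { location ~ \.php$ {return 403;} }
        location /media { location ~ \.php$ {return 403;} }

        # remove the cache-busting timestamp: /x.1234.js is served as /x.js
        location ~* (.+)\.(\d+)\.(js|css|png|jpg|jpeg|gif)$ {
            try_files $uri $1.$3;
            access_log off;
            log_not_found off;
            expires 21d;
            add_header Cache-Control "public";
        }
        # do not log static files. The optional "?digits" group can only match
        # a literal "?" in $uri (location matching never sees the query
        # string), so "?timestamp" cache-busters are covered by the plain
        # suffix match.
        location ~* \.(jpg|jpeg|gif|css|png|js|ico|txt|swf|xml|svg|svgz|mp4|ogg|ogv)(\?[0-9]+)?$ {
            access_log off;
            log_not_found off;
            expires 21d;
            add_header Cache-Control "public";
        }

        # CSS and JS: Magento's minify URLs map onto m.php; "last" re-runs the
        # location search with the rewritten URI, which ends in .php and so
        # reaches the PHP location below. /lib/ is denied above, hence the
        # explicit /lib/minify/ block (longest prefix wins, and this one has
        # no "^~", so regex locations still apply beneath it).
        rewrite ^/minify/([0-9]+)(/.*.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;
        rewrite ^/skin/m/([0-9]+)(/.*.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;
        location /lib/minify/ {
            allow all;
        }

        # the javascript compressor; "^~" makes this prefix final so the
        # generic "\.php$" location does not apply. Unlike that location it
        # has no try_files guard.
        location ^~ /js/index.php {
            access_log off;
            expires 30d;
            fastcgi_pass backend;
        }
        # use fastcgi for all php files
        location ~ \.php$ {
            expires off;
            # 404 if the script does not exist on disk; this also keeps PHP's
            # path-info resolution from running some other file
            try_files $uri =404;
            fastcgi_pass backend;
        }

        # everything else: serve the file if it exists, otherwise route the
        # request through Magento's front controller. There is deliberately no
        # fastcgi_pass here: with one, a found static file (the maintenance
        # index.html, the 502/504 error page) was handed to PHP-FPM instead of
        # being served by nginx, and the index directive never ran. /index.php
        # is now the fallback (an internal redirect that lands in the "\.php$"
        # location) rather than a file test; $is_args$args carries the query
        # string across the redirect, which would otherwise drop it.
        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }
    }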

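    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    # MIME table for static files; anything unknown is sent as a binary blob
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    gzip_vary on;
    # also compress responses relayed from the admin backend via proxy_pass
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 48 8k;
    gzip_http_version 1.1;
    # text/html is always compressed and need not be listed.
    # application/javascript is listed next to the legacy
    # application/x-javascript because mime.types maps .js to one or the other
    # depending on the nginx release; image/svg+xml is text and compresses
    # well. Caveat: compressing TLS responses that reflect client input is
    # the precondition for BREACH-style compression side channels.
    gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites-enabled/*;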
}