Skip to content

Instantly share code, notes, and snippets.

@socketz
Last active August 8, 2018 02:57
Show Gist options
  • Save socketz/00ee9d913b1ee6eaf05b475c546f9529 to your computer and use it in GitHub Desktop.
Save socketz/00ee9d913b1ee6eaf05b475c546f9529 to your computer and use it in GitHub Desktop.
Prestashop 1.6.x + Nginx 1.13.x + PHP-FPM 7.0 + SSL Let's Encrypt Configuration Example

Prestashop 1.6.x + Nginx 1.13.x + PHP-FPM 7.0 + SSL Let's Encrypt

Place the files on next paths or other and replace in the files below:

  • /data/nginx/config/global/acme-challenge.conf
  • /data/nginx/config/global/restrictions.conf
  • /data/nginx/config/global/expires.conf
  • /data/nginx/config/snippets/ssl-params.conf
  • /data/nginx/config/conf.d/example.com.conf

Note: "Let's Encrypt" certificates or other SSL certificates should do by yourself

location ~ /.well-known {
allow all;
}
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /data/nginx/www/.well-known/acme-challenge/;
}
location = /.well-known/acme-challenge/ {
return 404;
}
# Global restrictions configuration file.
# Designed to be included in any server {} block.
location = /favicon.ico {
try_files $uri =404;
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
deny all;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Expire rules for static content
# No default expire rule. This config mirrors that of apache as outlined in the
# html5-boilerplate .htaccess file. However, nginx applies rules by location,
# the apache rules are defined by type. A consequence of this difference is that
# if you use no file extension in the url and serve html, with apache you get an
# expire time of 0s, with nginx you'd get an expire header of one month in the
# future (if the default expire rule is 1 month). Therefore, do not use a
# default expire rule with nginx unless your site is completely static
# cache.appcache, your document html and data
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
add_header Cache-Control "max-age=0";
}
# Feed
location ~* \.(?:rss|atom)$ {
add_header Cache-Control "max-age=3600";
}
# Media: images, icons, video, audio, HTC
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
access_log off;
add_header Cache-Control "max-age=2592000";
fastcgi_ignore_headers Set-Cookie;
}
# Media: svgz files are already compressed.
location ~* \.svgz$ {
access_log off;
gzip off;
add_header Cache-Control "max-age=2592000";
}
# CSS and Javascript
location ~* \.(?:css|js)$ {
add_header Cache-Control "max-age=31536000";
access_log off;
fastcgi_ignore_headers Set-Cookie;
}
# WebFonts
# If you are NOT using cross-domain-fonts.conf, uncomment the following directive
location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
add_header Cache-Control "max-age=2592000";
access_log off;
}
# SSLv3 is insecure, but it is required by some payment networks
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_certificate /data/ssl/example.com/fullchain.pem; # MODIFY
ssl_certificate_key /data/ssl/example.com/privkey.pem; # MODIFY
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_stapling_responder http://ocsp.int-x3.letsencrypt.org/; # MODIFY
ssl_trusted_certificate /data/ssl/example.com/chain.pem; # MODIFY
resolver 8.8.8.8 8.8.4.4 valid=300s; # MODIFY IF YOU WANT
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy "strict-origin" always;
add_header X-XSS-Protection "1; mode=block";
# This CSP is fully working with Pretashop scripts
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'self' https:; script-src 'unsafe-inline' 'unsafe-eval' 'self' https:; style-src 'unsafe-inline' 'self' https:";
ssl_dhparam /data/ssl/certs/dhparam.pem; # MODIFY
server {
listen [::]:80;
listen 80;
server_name example.com www.example.com;
return 301 https://www.example.com$request_uri;
}
server {
listen [::]:443 ssl;
listen 443 ssl;
server_name example.com;
include snippets/ssl-params.conf;
return 301 https://www.example.com$request_uri;
}
server {
listen [::]:443 ssl deferred;
listen 443 ssl deferred;
server_name www.example.com;
include snippets/ssl-params.conf;
root /data/nginx/www/prestashop;
access_log /data/nginx/log/example.com.access.log;
error_log /data/nginx/log/example.com.error.log;
index index.php index.html; # Letting nginx know which files to try when requesting a folder
include global/acme-challenge.conf # let's encrypt acme-challenge
include global/restrictions.conf;
include global/expires.conf;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6"; # Do people still use Internet Explorer 6? In that case, disable gzip and hope for the best!
gzip_vary on; # Also compress content with other MIME types than "text/html"
gzip_types application/json text/css application/javascript; # We only want to compress json, css and js. Compressing images and such isn't worth it
gzip_proxied any;
gzip_comp_level 6; # Set desired compression ratio, higher is better compression, but slower
gzip_buffers 16 8k; # Gzip buffer size
gzip_http_version 1.0; # Compress every type of HTTP request
rewrite ^/([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$1$2$3.jpg last;
rewrite ^/([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$1$2$3$4.jpg last;
rewrite ^/([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$1$2$3$4$5.jpg last;
rewrite ^/([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg last;
rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg last;
rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg last;
rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg last;
rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.jpg last;
rewrite ^/c/([0-9]+)(-[_a-zA-Z0-9-]*)/[_a-zA-Z0-9-]*.jpg$ /img/c/$1$2.jpg last;
rewrite ^/c/([a-zA-Z-]+)/[a-zA-Z0-9-]+.jpg$ /img/c/$1.jpg last;
rewrite ^/([0-9]+)(-[_a-zA-Z0-9-]*)/[_a-zA-Z0-9-]*.jpg$ /img/c/$1$2.jpg last;
rewrite ^/images_ie/?([^/]+)\.(jpe?g|png|gif)$ /js/jquery/plugins/fancybox/images/$1.$2 last;
# Spanish Friendly URL's - Replace by yours
rewrite '^/alertas-email$' /index.php?controller=module-mailalerts-account last;
rewrite '^/pagina-no-encontrada$' /index.php?controller=pagenotfound last;
rewrite '^/mas-vendidos$' /index.php?controller=best-sales last;
rewrite '^/contactenos$' /index.php?controller=contact last;
rewrite '^/marcas$' /index.php?controller=manufacturer last;
rewrite '^/nuevos-productos$' /index.php?controller=new-products last;
rewrite '^/contrasena-olvidado$' /index.php?controller=password last;
rewrite '^/promocion$' /index.php?controller=prices-drop last;
rewrite '^/mapa-del-sitio$' /index.php?controller=sitemap last;
rewrite '^/proveedores$' /index.php?controller=supplier last;
rewrite '^/direccion$' /index.php?controller=address last;
rewrite '^/direcciones$' /index.php?controller=addresses last;
rewrite '^/autenticacion$' /index.php?controller=authentication last;
rewrite '^/carro-de-la-compra$' /index.php?controller=cart last;
rewrite '^/descuento$' /index.php?controller=discount last;
rewrite '^/historial-de-pedidos$' /index.php?controller=history last;
rewrite '^/identidad$' /index.php?controller=identity last;
rewrite '^/mi-cuenta$' /index.php?controller=my-account last;
rewrite '^/devolucion-de-productos$' /index.php?controller=order-follow last;
rewrite '^/vales$' /index.php?controller=order-slip last;
rewrite '^/carrito$' /index.php?controller=order last;
rewrite '^/buscar$' /index.php?controller=search last;
rewrite '^/tiendas$' /index.php?controller=stores last;
rewrite '^/pedido-rapido$' /index.php?controller=order-opc last;
rewrite '^/estado-pedido$' /index.php?controller=guest-tracking last;
rewrite '^/confirmacion-pedido$' /index.php?controller=order-confirmation last;
rewrite '^/comparar-productos$' /index.php?controller=products-comparison last;
if (!-e $request_filename){
rewrite ^(.*)$ /index.php?q=$1 last;
}
location /api {
rewrite ^/api/(.*)$ /webservice/dispatcher.php?url=$1 break;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
try_files $uri =404;
fastcgi_keep_conn on;
fastcgi_index index.php;
fastcgi_pass php:9000;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment