Hi,
I'm wondering if anyone has a "working" config file for Nginx??
Unfortunately I can't run Apache as I host many sites under Nginx in my setup so the move wouldn't be really feasible.
The current config allows me to access http://site.domain.tld without appending index.php at the end; however, I think I need a few rewrite rules to get rid of the "index.php" altogether, for example from:
http://site.domain.tld/index.php?/category/3
I have tried two config variations but they don't work very well...
#server {
#    listen 80;
#    # .domain.com will match both domain.com and anything.domain.com
#    server_name site.domain.tld;
#    #rewrite ^ https://$server_name$request_uri? permanent;
#    # It is best to place the root of the server block at the server level, and not the location level
#    # any location block path will be relative to this root.
#    root /usr/local/www/piwigo;
#    # It's always good to set logs, note however you cannot turn off the error log
#    # setting error_log off; will simply create a file called 'off'.
#    access_log /var/log/nginx/piwigo.access.log;
#    error_log /var/log/nginx/piwigo.error.log;
#    # This can also go in the http { } level
#    index index.html index.htm index.php;
#    location / {
#        # if you're just using wordpress and don't want extra rewrites
#        # then replace the word @rewrites with /index.php
#        #try_files $uri $uri/ @rewrites;
#        try_files $uri /index.php;
#    }
#    location @rewrites {
#        # Can put some of your own rewrite rules in here
#        # for example rewrite ^/~(.*)/(.*)/? /users/$1/$2 last;
#        # If nothing matches we'll just send it to /index.php
#        rewrite ^ /index.php last;
#    }
#    # This block will catch static file requests, such as images, css, js
#    # The ?: prefix is a 'non-capturing' mark, meaning we do not require
#    # the pattern to be captured into $1 which should help improve performance
#    location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
#        # Some basic cache-control for static files to be sent to the browser
#        expires max;
#        add_header Pragma public;
#        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
#    }
#    # remove the robots line if you want to use wordpress' virtual robots.txt
#    location = /robots.txt { access_log off; log_not_found off; }
#    location = /favicon.ico { access_log off; log_not_found off; }
#    # this prevents hidden files (beginning with a period) from being served
#    location ~ /\. { access_log off; log_not_found off; deny all; }
#    location ~ \.php {
#        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
#        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#        fastcgi_index index.php;
#        fastcgi_pass php;
#        include fastcgi_params;
#    }
#}

server {
    listen 80;
    server_name site.domain.tld;
    root /usr/local/www/piwigo;
    index index.php;

    location / {
        try_files $uri /index.php;
    }

    location ~* \.php {
        fastcgi_index index.php;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
        fastcgi_pass php;
    }
}
If I click on "visit the gallery" from the admin page, the browser just ends up downloading the index.php file and doesn't actually re-direct the page.
Also uploaded images don't show up, the log claims "fatal php error file not found", however the files are there: $piwigo_home/uploads/date/files.ext
where files.ext is png or jpg... basically image file.
Piwigo version: 2.7.4
PHP version: 5.6.6
MySQL version: 5.5.42
Piwigo URL: http:// <demo site currently not open to web>
If anyone could help I'd be most grateful!
Many thanks.
Offline
Hi,
I don't know whether you're still looking for a solution, but this works for me:
[site http://pub.meulie.net ]
site-config for NGINX:
server {
    listen 80;
    listen [::]:80;
    gzip_vary on;
    server_name pub.meulie.net;
    access_log /var/log/nginx/pub.meulie.net.log;
    error_log /var/log/nginx/error.log;
    client_max_body_size 50m;
    root /var/www/pub.meulie.net/htdocs;
    include /etc/nginx/conf.d/cloudflare.conf;
    include global/restrictions.conf;
    charset UTF-8;

    location / {
        index index.php;
        try_files $uri $uri/ @rewrite;
    }

    location @rewrite {
        rewrite ^/picture((/|$).*)$ /picture.php$1 last;
        rewrite ^/index((/|$).*)$ /index.php$1 last;
        rewrite ^/i((/|$).*)$ /i.php$1 last;
    }

    location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
        # return 404 if the script file does not exist
        try_files $script_name =404;
        fastcgi_pass 127.0.0.1:9999;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param SCRIPT_FILENAME /var/www/pub.meulie.net/htdocs$fastcgi_script_name;
        fastcgi_param PHP_VALUE "newrelic.appname=pub.meulie.net";
        include fastcgi_params;
    }
}
Additions to /local/config/config.inc.php:
$conf['question_mark_in_urls'] = false;
$conf['php_extension_in_urls'] = false;
Offline
Thanks a lot... sorry for delay on this!
I had to make a few adjustments to the Nginx config file you provided:
server {
    listen 80;
    gzip_vary on;
    server_name <fqdn>;
    access_log /var/log/nginx-access.log;
    error_log /var/log/nginx-error.log;
    client_max_body_size 50m;
    root /usr/local/www/piwigo;
    # include /etc/nginx/conf.d/cloudflare.conf;
    # include global/restrictions.conf;
    charset UTF-8;

    location / {
        index index.php;
        try_files $uri $uri/ @rewrite;
    }

    location @rewrite {
        rewrite ^/picture((/|$).*)$ /picture.php$1 last;
        rewrite ^/index((/|$).*)$ /index.php$1 last;
        rewrite ^/i((/|$).*)$ /i.php$1 last;
    }

    location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
        # return 404 if the script file does not exist
        try_files $script_name =404;
        fastcgi_pass php;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PHP_VALUE "newrelic.appname=<fqdn>";
        include fastcgi_params;
    }
}
Outside of that it seems to work fine :-)
Offline
I tried your config but it still is downloading the php file though.. did I do something wrong?
server {
    listen *:80;
    server_name fairytailhentaidb.com www.fairytailhentaidb.com;
    access_log /var/log/nginx/fairytailhentaidbcom.access.log;
    error_log /var/log/nginx/fairytailhentaidbcom.error.log;
    root /var/www/vhosts/fairytailhentaidb.com;
    index index.html index.htm index.php;

    if ($host !~* ^www\.) {
        rewrite ^(.*)$ http://www.$host$1 permanent;
    }

    location / {
        index index.php;
        try_files $uri $uri/ @rewrite;
    }

    location @rewrite {
        rewrite ^/picture((/|$).*)$ /picture.php$1 last;
        rewrite ^/index((/|$).*)$ /index.php$1 last;
        rewrite ^/i((/|$).*)$ /i.php$1 last;
    }

    location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
        try_files $script_name =404;
    }

    location ~ [^/]\.php(/|$) {
        fastcgi_index index.php;
        include fcgi.conf;
        fastcgi_pass unix:/var/run/ajenti-v-php-fcgi-fairytailhentaidbcom-php-fcgi-0.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
Offline
Could be useful for others, so here it goes.
I enhanced the config to do the following:
- block direct access to /_data/i and /upload
- block hotlinks
- block any direct access to image alias URLs (/i/upload/..)
- make sure ws.php upload stuff still works with referral blockers (there are GET requests from server's own IP and Piwigo user agent to /i/upload/)
- compress js and css
local/config/config.inc.php used:
$conf['category_url_style'] = 'id-name';
$conf['picture_url_style'] = 'id-file';
$conf['original_url_protection'] = 'images';
$conf['derivative_url_style'] = 2;
$conf['question_mark_in_urls'] = false;
$conf['php_extension_in_urls'] = false;
Nginx config:
server {
    listen 443 ssl;
    server_name fotos.domain.tld;
    root /srv/http/piwigo;

    ssl_certificate /etc/letsencrypt/live/fotos.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fotos.domain.tld/privkey.pem;
    ssl_dhparam /etc/ssl/dh2048.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers FIPS@STRENGTH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;

    client_max_body_size 50m;
    client_body_buffer_size 25m;

    gzip on;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/xml text/css;

    location ~ ^/favicon.ico$ {
        log_not_found off;
        access_log off;
        expires max;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # piwigo distribution files
    location ~ ^/(README|doc)$ {
        deny all;
    }

    # prevent direct access to uploaded images, derivatives and logs
    location ~ ^/(_data/(i|logs)|upload)/ {
        deny all;
    }

    location / {
        index index.php;
        try_files $uri $uri/ @rewrite;
    }

    location @rewrite {
        rewrite ^/picture((/|$).*)$ /picture.php$1 last;
        rewrite ^/index((/|$).*)$ /index.php$1 last;
        rewrite ^/i((/|$).*)$ /i.php$1 last;
    }

    location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
        # return 404 if the script file does not exist
        try_files $script_name =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # prevent any hotlinks and direct access to alias URIs (/i/upload/...)
    # which are not from Piwigo itself (happens when exporting from lightroom via ws.php)
    # this section needs to go _after_ the php handler, no idea why.
    set $check_referal "";
    # very restrictive
    valid_referers *.domain.tld;
    # if you want google etc to be able to show your images:
    #valid_referers ~google\.com ~bing\.com *.domain.tld;
    if ($invalid_referer) {
        set $check_referal "invalid";
    }
    if ($http_user_agent !~ "Piwigo") {
        set $check_referal "${check_referal}+not_piwigo";
    }
    location ~* \.(gif|png|jpe?g)$ {
        if ($check_referal = "invalid+not_piwigo") {
            return 403;
        }
        try_files $uri $uri/ @rewrite;
    }
}
Last edited by teekay (2016-04-28 13:31:33)
Offline
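Added example (not part of any post in this thread): a small Python model of nginx's regex location choice, first match in file order, applied to the secured config above and to the earlier config that kept downloading PHP files. It shows that the rewritten alias URI /i.php/upload/... still ends in .jpg, so the image location only works after the PHP handler, and that in the earlier config every .php request lands in the location without fastcgi_pass. The sample URIs and all Python names are constructed for illustration.

```python
import re

# Regex locations of the secured config above, in file order. nginx tests regex
# locations in the order they appear and stops at the first match.
# Named groups use Python syntax, (?P<name>...), instead of nginx's (?<name>...).
PHP = ("php", r"^(?P<script_name>.+?\.php)(?P<path_info>/.*)?$")
IMAGE = ("image", r"(?i)\.(gif|png|jpe?g)$")  # location ~* is case-insensitive
SECURED = [
    ("favicon", r"^/favicon.ico$"),
    ("hidden", r"/\."),
    ("dist", r"^/(README|doc)$"),
    ("deny", r"^/(_data/(i|logs)|upload)/"),
    PHP,
    IMAGE,
]
# The earlier config that still downloaded PHP files: two PHP regex locations,
# and only the second one contains a fastcgi_pass.
DOWNLOADS = [
    ("php_without_fastcgi", PHP[1]),
    ("php_with_fastcgi", r"[^/]\.php(/|$)"),
]
REWRITES = [
    (r"^/picture((/|$).*)$", r"/picture.php\1"),
    (r"^/index((/|$).*)$", r"/index.php\1"),
    (r"^/i((/|$).*)$", r"/i.php\1"),
]

def route(locations, uri):
    """Name of the first regex location matching uri, else the prefix location '/'."""
    for name, pattern in locations:
        if re.search(pattern, uri):
            return name
    return "/"

def rewrite(uri):
    """Apply the @rewrite block: first matching rule wins; None if no rule matches."""
    for pattern, replacement in REWRITES:
        if re.search(pattern, uri):
            return re.sub(pattern, replacement, uri, count=1)
    return None

def hotlink_blocked(referer_valid, user_agent):
    """Mirror the $check_referal logic: 403 only when both checks fail."""
    check = "" if referer_valid else "invalid"
    if not re.search("Piwigo", user_agent):
        check += "+not_piwigo"
    return check == "invalid+not_piwigo"

if __name__ == "__main__":
    alias = "/i/upload/2016/04/28/sample-me.jpg"  # constructed sample URI
    for uri in ("/upload/2016/04/28/sample.jpg", alias, rewrite(alias), "/index.php"):
        print(uri, "->", route(SECURED, uri), "|", route(DOWNLOADS, uri))
```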
teekay wrote:
Could be useful for others, so here it goes.
Certainly very useful. Thank you teekay!
Offline
It looks like many things have changed since the last config was posted here. If I try that with a recent Piwigo 13.6, I cannot see any pictures and stylesheets cannot be loaded for the Bootstrap darkroom theme.
I tried to remove everything except the rewrite rules and the culprit seems to be those. While for example images load correctly, if access to _data is granted again, it seems that some rewrite rules are missing, such that the template stylesheets can be loaded correctly.
A plain simple nginx config works as well, but I would like to secure the installation a bit, by removing access to files that do not need to be accessed from the outside.
Furthermore, I would also like to have the rewrite rules working.
Last edited by reox (2023-03-06 12:59:21)
Offline