From 2bde0cd932fe05b92946339a7b6b994527b5e483 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20FIDRY?= Date: Thu, 16 Jun 2016 11:15:18 +0100 Subject: [PATCH] Update Symfony nginx config --- source/start/topics/recipes/symfony.rst | 73 +++++++++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/source/start/topics/recipes/symfony.rst b/source/start/topics/recipes/symfony.rst index 1ac1de49..c579ce1d 100644 --- a/source/start/topics/recipes/symfony.rst +++ b/source/start/topics/recipes/symfony.rst @@ -15,6 +15,79 @@ Secure Symfony 2.0 The following configuration makes all PHP scripts except app.php, app_dev.php and config.php downloadable instead of executing them. This is probably not desired if you'd like to use a tool like phpMyAdmin in the same virtual host. +The minimum configuration to get your application running under Nginx is: + +Secure Symfony 3.x, 2.x +^^^^^^^^^^^^^^^^^^^^^^^ + +.. code-block:: nginx + + server { + server_name domain.tld www.domain.tld; + root /var/www/project/web; + + location / { + # try to serve file directly, fallback to app.php + try_files $uri /app.php$is_args$args; + } + # DEV + # This rule should only be placed on your development environment + # In production, don't include this and don't deploy app_dev.php or config.php + location ~ ^/(app_dev|config)\.php(/|$) { + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_split_path_info ^(.+\.php)(/.*)$; + include fastcgi_params; + # When you are using symlinks to link the document root to the + # current version of your application, you should pass the real + # application path instead of the path to the symlink to PHP + # FPM. + # Otherwise, PHP's OPcache may not properly detect changes to + # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126 + # for more information). + fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; + fastcgi_param DOCUMENT_ROOT $realpath_root; + } + # PROD + location ~ ^/app\.php(/|$) { + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_split_path_info ^(.+\.php)(/.*)$; + include fastcgi_params; + # When you are using symlinks to link the document root to the + # current version of your application, you should pass the real + # application path instead of the path to the symlink to PHP + # FPM. + # Otherwise, PHP's OPcache may not properly detect changes to + # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126 + # for more information). + fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; + fastcgi_param DOCUMENT_ROOT $realpath_root; + # Prevents URIs that include the front controller. This will 404: + # http://domain.tld/app.php/some-path + # Remove the internal directive to allow URIs like this + internal; + } + + # return 404 for all other php files not matching the front controller + # this prevents access to other php files you don't want to be accessible. + location ~ \.php$ { + return 404; + } + + error_log /var/log/nginx/project_error.log; + access_log /var/log/nginx/project_access.log; + } + +Depending on your PHP-FPM config, the ``fastcgi_pass`` can also be ``fastcgi_pass 127.0.0.1:9000``. + +This executes only ``app.php``, ``app_dev.php`` and ``config.php`` in the web directory. All other files ending in ``".php"`` will be denied. + +If you have other PHP files in your web directory that need to be executed, be sure to include them in the location block above. + +After you deploy to production, make sure that you cannot access the ``app_dev.php`` or ``config.php`` scripts (i.e. ``http://example.com/app_dev.php`` and ``http://example.com/config.php``). If you can access these, be sure to remove the DEV section from the above configuration. + +Secure Symfony 2.0 +^^^^^^^^^^^^^^^^^^ + .. code-block:: nginx upstream phpfcgi {