Конфигурирование nginx, php-fpm, ssl, http2 на ubuntu для 1С:Битрикс.

Nginx, php-fpm, ssl, http2 на ubuntu для 1С:Битрикс

Делал один проект на 1С:Битрикс редакции «Малый бизнес» и решил поделиться конфигурацией хоста под nginx и PHP7. Работает довольно стабильно с версией — 1С-Битрикс: Управление сайтом 16.5.4. По поводу установки SSL еще напишу, по поводу http2 — это из стандартного репозитория ubuntu 16.04, на котором поднят VPS.

#user 'user' virtual host 'site.com' configuration file
 
server {
        listen *:80;
        server_name site.com;
        return 301 https://$server_name$request_uri;
}

server {
        listen *:443 ssl http2;
	server_name site.com;
	keepalive_timeout 75 75;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;
        ssl_password_file /etc/nginx/ssl/ssl.pass;
        ssl_certificate /etc/letsencrypt/live/site.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem;
        ssl_dhparam /etc/ssl/dh2048.pem;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        add_header Strict-Transport-Security 'max-age=31536000';
        ssl_stapling on;
        ssl_stapling_verify on;
	charset off;
	gzip on;
	gzip_comp_level 5;
	gzip_types application/x-javascript application/javascript text/css;
	index index.php;

	include /etc/nginx/vhosts-includes/*.conf;
	include /etc/nginx/vhosts-resources/site.com/*.conf;
	
	access_log /var/www/httpd-logs/site.com.access.log;
	error_log /var/www/httpd-logs/site.com.error.log notice;
	
	ssi on;
	set $root_path /path/to/site.com;
	root $root_path;
	
	set $php_sock unix:/var/www/php-fpm/user.sock;
	
	if ( $scheme = "http" ) {
		 rewrite ^/(.*)$	https://$host/$1 permanent;
	}
        
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $host;
	
	client_max_body_size 1024M;
	client_body_buffer_size 4M;
	
	location / {
		try_files       $uri $uri/ @bitrix;
        }

        location ~* /upload/.*\.(php|php3|php4|php5|php6|phtml|pl|asp|aspx|cgi|dll|exe|shtm|shtml|fcg|fcgi|fpl|asmx|pht|py|psp|rb|var)$ {
                types {
                        text/plain text/plain php php3 php4 php5 php6 phtml pl asp aspx cgi dll exe ico shtm shtml fcg fcgi fpl asmx pht py psp rb var;
                }
        }

        location ~ \.php$ {
                try_files       $uri @bitrix;
                fastcgi_pass    $php_sock;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f your@email.com";
                include fastcgi_params;
        }
        location @bitrix {
                fastcgi_pass    $php_sock;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root/bitrix/urlrewrite.php;
                fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f your@email.com";
        }
        location ~* /bitrix/admin.+\.php$ {
                try_files       $uri @bitrixadm;
                fastcgi_pass    $php_sock;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f your@email.com";
                include fastcgi_params;
        }
        location @bitrixadm{
                fastcgi_pass    $php_sock;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root/bitrix/admin/404.php;
                fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f your@email.com";
        }

        location = /favicon.ico {
                log_not_found off;
                access_log off;
        }

        location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
        }
        #
        # block this locations for any installation
        #

        # ht(passwd|access)
        location ~* /\.ht  { deny all; }

        # repositories
        location ~* /\.(svn|hg|git) { deny all; }

        # bitrix internal locations
        location ~* ^/bitrix/(modules|local_cache|stack_cache|managed_cache|php_interface) {
          deny all;
        }

        # upload files
        location ~* ^/upload/1c_[^/]+/ { deny all; }

        # use the file system to access files outside the site (cache)
        location ~* /\.\./ { deny all; }
        location ~* ^/bitrix/html_pages/\.config\.php { deny all; }
        location ~* ^/bitrix/html_pages/\.enabled { deny all; }

        # Intenal locations
        location ^~ /upload/support/not_image   { internal; }

        # Cache location: composite and general site
        location ~* @.*\.html$ {
          internal;
          # disable browser cache, php manage file
          expires -1y;
          add_header X-Bitrix-Composite "Nginx (file)";
        }

        # Player options, disable no-sniff
        location ~* ^/bitrix/components/bitrix/player/mediaplayer/player$ {
          add_header Access-Control-Allow-Origin *;
        }

        # Accept access for merged css and js
        location ~* ^/bitrix/cache/(css/.+\.css|js/.+\.js)$ {
          expires 30d;
          error_page 404 /404.html;
        }

        # Disable access for other assets in cache location
        location ~* ^/bitrix/cache              { deny all; }

        # Use nginx to return static content from s3 cloud storage
        # /upload/bx_cloud_upload/...amazonaws.com/
        location ^~ /upload/bx_cloud_upload/ {
          location ~ ^/upload/bx_cloud_upload/(http[s]?)\.([^/:]+)\.(s3|s3-us-west-1|s3-eu-west-1|s3-ap-southeast-1|s3-ap-northeast-1)\.amazonaws\.com/(.+)$ {
                internal;
                resolver 8.8.8.8;
                proxy_method GET;
                proxy_set_header    X-Real-IP               $remote_addr;
                proxy_set_header    X-Forwarded-For         $proxy_add_x_forwarded_for;
                proxy_set_header    X-Forwarded-Server      $host;
                #proxy_max_temp_file_size 0;
                proxy_pass $1://$2.$3.amazonaws.com/$4;
          }
          location ~* .*$       { deny all; }
        }
        # Static content
        location ~* ^/(upload|bitrix/images|bitrix/tmp) {
          expires 30d;
        }

        location  ~* \.(css|js|gif|png|jpg|jpeg|ico|ogg|ttf|woff|eot|otf)$ {
          error_page 404 /404.html;
          expires 30d;
        }

        location = /404.html {
                access_log off ;
        }
	
	listen x.x.x.x:80;
	
}

Дата: 10.05.2017 16:42:36
Автор: Пчелов Юрий