Issue created Apr 15, 2016 by bmortier (@bmortier, Maintainer)

nginx + php-fpm with fusiondirectory

I have had some problems with fusiondirectory; I use nginx and php-fpm, and with the help of bilbo and others we got it running. Bilbo requested 'could you enter a bug in forge.fusiondirectory.org for your use with nginx so we can publicly document these'.

The problem I faced was that we were adding the mail module, but when I attempted to add the service to a server the menu options were not available. Once I restarted php-fpm they were there.

My setup: Ubuntu 14.04 LTS, php5.6 (a list of modules installed can be found here: http://take.ms/8GOIK).

My /etc/php5/fpm/php.ini opcache options are:

[opcache]
opcache.enable_cli = 0
opcache.memory_consumption = 1024
opcache.max_accelerated_files = 65407
opcache.validate_timestamps = 0
opcache.revalidate_path = On
opcache.error_log = /dev/null
opcache.log_verbosity_level = 1

Nginx server config wise, I was able to use my standard vhost file with a few tweaks due to my setup; my setup includes Cloudflare --> AWS ELB --> nginx --> php-fpm.

server {

  #CLOUDFLARE SPECIFIC
  #https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx-
  set_real_ip_from 103.21.244.0/22;
  set_real_ip_from 103.22.200.0/22;
  set_real_ip_from 103.31.4.0/22;
  set_real_ip_from 104.16.0.0/12;
  set_real_ip_from 108.162.192.0/18;
  set_real_ip_from 131.0.72.0/22;
  set_real_ip_from 141.101.64.0/18;
  set_real_ip_from 162.158.0.0/15;
  set_real_ip_from 172.64.0.0/13;
  set_real_ip_from 173.245.48.0/20;
  set_real_ip_from 188.114.96.0/20;
  set_real_ip_from 190.93.240.0/20;
  set_real_ip_from 197.234.240.0/22;
  set_real_ip_from 198.41.128.0/17;
  set_real_ip_from 199.27.128.0/21;
  set_real_ip_from 2400:cb00::/32;
  set_real_ip_from 2606:4700::/32;
  set_real_ip_from 2803:f800::/32;
  set_real_ip_from 2405:b500::/32;
  set_real_ip_from 2405:8100::/32;

  # use any of the following two
  #real_ip_header CF-Connecting-IP;
  real_ip_header X-Forwarded-For;

  #ssl is forced but no ssl config? We handle this with cloudflare and our AWS ELB.
  listen 80;

  #I enforce ssl in nginx, no need to hit the app for this.
  set $thttps $https;
  set $tscheme $scheme;
  if ($http_x_forwarded_proto = https) {
    set $thttps on;
    set $tscheme "https";
  }
  if ($http_x_forwarded_proto != https) {
    set $rewrite_non_ssl on;
  }
  if ($rewrite_non_ssl = on) {
    rewrite (.*) https://$http_host$1 permanent;
  }

  server_name fusion.dev;

  root /usr/share/fusiondirectory/html;
  index index.php;

  error_log  syslog:server=unix:/dev/log,facility=local6,severity=error,tag=nginx;
  access_log syslog:server=unix:/dev/log,facility=local6,severity=info,tag=nginx syslog;

  add_header X-Backend-Server $hostname;

  if ($http_user_agent ~* scrapbot|baiduspider|yandex|naver|sogou|youdao|majestic) {
    return 403;
  }

  # these locations would be hidden by .htaccess normally
  location ^~ /app/                { deny all; }
  location ^~ /includes/           { deny all; }
  location ^~ /lib/                { deny all; }
  location ^~ /media/downloadable/ { deny all; }
  location ^~ /pkginfo/            { deny all; }
  location ^~ /report/config.xml   { deny all; }
  location ^~ /var/                { deny all; }

  # serve static files directly
  location ~* \.(jpe?g|gif|css|png|ico|pdf|zip|tar|t?gz|mp3|wav|swf|eot|otf|ttf|woff|svg)$ {
    expires max;
    add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    add_header Access-Control-Allow-Origin *;
  }

  location ~* \.(css|js)$ {
    expires 7d;
  }

  # for robots.txt
  location /robots.txt {
    access_log  off;
    auth_basic  off;
  }

  # do not serve hidden files
  location  /. {
    return 404;
  }

  # do not serve sensitive files
  location ~* \.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$ {
    deny all;
  }

  location ~ ^/.*\.php(/|$) {
    expires        off;  # do not cache dynamic content
    fastcgi_pass   127.0.0.1:9000;
    fastcgi_param  SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    fastcgi_param  DOCUMENT_ROOT   $realpath_root;
    include        /etc/nginx/fastcgi_params; # see /etc/nginx/fastcgi_params
    fastcgi_param  REMOTE_ADDR $http_cf_connecting_ip; ###### Cloudflare specific, otherwise fastcgi_param  REMOTE_ADDR X-Forwarded-For;
    fastcgi_param  HTTP_X_REQUEST_START "t=${msec}";   #new relic request data

    fastcgi_param  HTTPS $thttps;

    add_header     X-Whom   $hostname;
    add_header     X-Server $hostname;
  }
}

(from redmine: issue id 4735, created on 2016-04-15, closed on 2016-04-21)
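
How nginx's realip module (set_real_ip_from, real_ip_header X-Forwarded-For, real_ip_recursive) picks the client address in a Cloudflare --> AWS ELB --> nginx chain like the one in this issue, as a simplified Python model. This is an added example, not part of the original issue or of FusionDirectory; the ELB subnet 10.0.0.0/16 and all sample addresses are constructed assumptions.

```python
import ipaddress

# Two of the Cloudflare ranges listed in the vhost config above.
CLOUDFLARE = ["162.158.0.0/15", "104.16.0.0/12"]
# Assumption: the ELB nodes sit in this VPC subnet (not stated in the issue).
ELB_SUBNET = ["10.0.0.0/16"]

# Constructed request as nginx would receive it from the ELB: a
# client-supplied entry, the visitor as seen by Cloudflare, and the
# Cloudflare edge as seen by the ELB.
PEER = "10.0.1.15"
XFF = "198.51.100.99, 203.0.113.7, 162.158.10.20"


def is_trusted(addr, networks):
    """True if addr falls inside one of the set_real_ip_from networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def resolve_client(peer, xff, trusted, recursive=False):
    """Return the address nginx would expose as $remote_addr.

    The header is only consulted when the current address is trusted.
    Entries are consumed right to left; without real_ip_recursive only
    the last entry is used.
    """
    current = peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops and is_trusted(current, trusted):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # unparsable entry: keep the last good address
        current = candidate
        if not recursive:
            break
    return current


if __name__ == "__main__":
    # Only Cloudflare trusted, but the TCP peer is the ELB: header ignored.
    print(resolve_client(PEER, XFF, CLOUDFLARE))
    # ELB trusted too, non-recursive: stops at the Cloudflare edge.
    print(resolve_client(PEER, XFF, CLOUDFLARE + ELB_SUBNET))
    # Recursive: walks back to the first untrusted hop, the visitor.
    print(resolve_client(PEER, XFF, CLOUDFLARE + ELB_SUBNET, recursive=True))
```

With every proxy hop trusted and recursion on, the leftmost client-supplied entry is never reached, so the resolved address can be passed to php-fpm as `$remote_addr` instead of a raw request header.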
