Configuraciones específicas de NGINX para varios CMSs/software

Creamos las reglas adecuadas para que los .php de /phpmyadmin/ se sirvan del document_root específico, y el "location" para que los ficheros e imágenes se sirvan de /usr/share/phpmyadmin:

# cat /etc/nginx/phpmyadmin.conf 

location ~ "^/phpmyadmin/.*\.php" {
    allow 127.0.0.1;
    # agregar mas IPs
    deny all;
    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  /usr/share/$fastcgi_script_name;
    include /etc/nginx/fastcgi_params;
}

location ~ ^/phpmyadmin($|/$|/.*$) {
    root /usr/share/;
    index index.php;
}

# cat sites-enabled/default 

server {
    listen   80;
    server_name dominio.com;

    access_log  /var/log/nginx/dominio.access.log;
    root   /var/www/dominio/;
    index  index.php index.html;

    include /etc/nginx/phpmyadmin.conf;

    # Scripts en PHP:
    location ~ "\.php$" {
       fastcgi_pass   127.0.0.1:9000;
       fastcgi_index  index.php;
       fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
       include /etc/nginx/fastcgi_params;
    }
}

Configuramos nginx para hacer ProxyPass de todo /phpmyadmin/. Además podemos aceptar las IPs origen concretas deseadas.

cat /etc/nginx/sites-enabled# cat 000-dominio.es
 
server {
    listen 80;
    server_name www.dominio.es;

    access_log /var/log/nginx/www.dominio.es.access.log;
    error_log /var/log/nginx/www.dominio.es.error.log;

    root /var/www/dominio/;
    index index.php index.html;

    # Phpmyadmin
    include /etc/nginx/phpmyadmin.conf;
    
    # No dar acceso a ficheros ocultos (tampoco los ht access de Apache)
    location ~ /\. { 
       deny all; 
       access_log off; 
       log_not_found off; 
    }
    
    location ~* \.(jpg|jpeg|pjpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|
                   txt|tar|mid|midi|wav|bmp|rtf|swf|flv|mp4|js|css|htm|html|xml)$ {
        #expires 1d;
        try_files $uri $uri/ @backend;
    }

    location @backend {
        proxy_pass  http://127.0.0.1:81;
        include     /etc/nginx/proxy.conf;
    }

    location / {
       proxy_pass   http://127.0.0.1:81;
       include      /etc/nginx/proxy.conf;
    }

}

Creamos el fichero /etc/nginx/phpmyadmin.conf:

# cat /etc/nginx/phpmyadmin.conf 
location ~ ^/phpmyadmin($|/$|/.*$) {
    root /usr/share/;
    index index.php;
    allow 127.0.0.1;
    deny all;

    proxy_pass   http://127.0.0.1:81;
    include      /etc/nginx/proxy.conf;
}

Configuramos Apache:

# grep phpmyadmin /etc/apache2/sites-enabled/001-dominio

        Include /etc/apache2/conf.d/phpmyadmin.conf

# cat /etc/apache2/conf.d/phpmyadmin.conf

# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
	Options FollowSymLinks
	DirectoryIndex index.php

        order deny,allow
        allow from 127.0.0.1
        deny from all

	<IfModule mod_php5.c>
		AddType application/x-httpd-php .php

		php_flag magic_quotes_gpc Off
		php_flag track_vars On
		php_flag register_globals Off
		php_value include_path .
	</IfModule>

</Directory>

# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
    <IfModule mod_authn_file.c>
    AuthType Basic
    AuthName "phpMyAdmin Setup"
    AuthUserFile /etc/phpmyadmin/htpasswd.setup
    </IfModule>
    Require valid-user
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
    Order Deny,Allow
    Deny from All
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
    Order Deny,Allow
    Deny from All
</Directory>

# cat /etc/nginx/sites-enabled/000-webmail

server {
    listen 80;
    server_name correoweb.dominio.com webmail.dominio.com;
    access_log /var/log/nginx/webmail.dominio.com.access.log;
    error_log /var/log/nginx/webmail.dominio.com.error.log;
    root /usr/share/squirrelmail/;

    # Scripts en PHP:
    location ~ "\.php$" {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /usr/share/squirrelmail/$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }

    location /attachments { 
        deny all; 
    } 

    location /plugins/squirrelspell/modules { 
       deny all; 
    } 

    location / {
       index index.php index.html;
       root  /usr/share/squirrelmail/;
    }
}

# cat /etc/nginx/sites-enabled/000-postfixadmin

server {
    listen 80;
    server_name postfixadmin.dominio.com;
    access_log /var/log/nginx/postfixadmin.dominio.com.access.log;
    error_log /var/log/nginx/postfixadmin.dominio.com.error.log;
    root /usr/share/postfixadmin/;

    location /
    {
       allow 212.101.64.178;
       allow 212.101.64.4;
       deny all;
       index index.php;
       root /usr/share/postfixadmin/;
    }

    # Scripts en PHP:
    location ~ "\.php$" {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /usr/share/postfixadmin/$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }
}

# cat /etc/nginx/sites-enabled/000-dominio.es.conf

server {
    listen 80 default;
    server_name www.dominio.es;
    access_log  /var/log/nginx/www.dominio.es.access.log;
    error_log  /var/log/nginx/www.dominio.es.error.log;
    root /var/www/dominio.es/;
    index index.php;

    include /etc/nginx/phpmyadmin.conf;

    # Ejemplo para servir imagenes estaticas fuera de EZ;
    location ~* ^/Imagenes/(web1|web2)/.*$ {
       root /var/www/static/;
       break;
    }

    location / {
        # Reglas rewrite EZ Publish
        include /etc/nginx/rewrite_nginx.conf;
    }

    # Bloque de proxypass
    include /etc/nginx/proxypass-php.conf;
}

# cat /etc/nginx/proxypass-php.conf 
    # Scripts en PHP:
    location ~ "^/[^/]*\.php$" {

        set $script "index.php";

        if ( $uri ~ "^/(.*\.php)" ) {
          set $script $1;
        }

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }

# cat /etc/nginx/rewrite_nginx.conf

    # Lineas largas partidas para hacerlo legible: unirlas en config final.
    
    # Reglas proxypass EZPublish
    rewrite ^/content/treemenu/?$ /index_treemenu.php last;
    rewrite ^/openx/(.*) /openx/$1 break;
    rewrite ^/css/(.*) /css/$1 break;
    rewrite ^/images/(.*) /images/$1 break;
    rewrite ^/var/si-blocks/(.*) /var/si-blocks/$1 break;
    rewrite ^/var/storage/(.*) /var/storage/$1 break;
    rewrite ^/var/([^/]+)/storage/(.*) /var/$1/storage/$2 break;
    rewrite ^/var/cache/texttoimage/(.*) /var/cache/texttoimage/$1 break;
    rewrite "^/var/([^/]+)/cache/texttoimage/(.*)$" "/var/$1/cache/texttoimage/$2" break;
    rewrite ^/var/cache/ezhumancaptcha/(.*) /var/cache/ezhumancaptcha/$1 break;
    rewrite ^/var/([^/]+)/cache/(texttoimage|stylesheets|javascript|js|css)/(.*) 
             /var/$1/cache/$2/$3 break;
    rewrite ^/var/([^/]+)/cache/ezhumancaptcha/(.*) /var/$1/cache/ezhumancaptcha/$2 break;
    rewrite ^/var/([^/]+)/cache/(stylesheets|public|js|css|image/javascripts?)/(.*) 
             /var/$1/cache/$2/$3 break;
    rewrite "^/var/cache/debug.html(.*)$" "/var/cache/debug.html$1" break;
    rewrite "^/var/([^/]+)/cache/public/(.*)$" "/var/$1/cache/public/$2" break;
    rewrite "^/var/([^/]+)/cache/debug\.html(.*)$" "/var/$1/cache/debug.html$2" break;
    #rewrite "^/design/([^/]+)/(stylesheets|images|javascript)/(.*)$" 
             "/design/$1/$2/$3" break;
    rewrite ^/design/([^/]+)/(stylesheets|swf|images|js|css|javascript)/(.*) 
             /design/$1/$2/$3 break;
    rewrite ^/share/icons/(.*) /share/icons/$1 break;
    rewrite ^/packages/styles/(.+)/(stylesheets|images|javascript|js|css)/([^/]+)/(.*) 
             /packages/styles/$1/$2/$3/$4 break;
    rewrite ^/extension/([^/]+)/design/([^/]+)/(.*) /extension/$1/design/$2/$3 break;
    rewrite ^/extension/([^/]+)/design/([^/]+)/(stylesheets|images|javascripts|javascript|flash?)/(.*)$ 
            /extension/$1/design/$2/$3/$4 break;
    rewrite ^/packages/styles/(.+)/(stylesheets|images|javascript)/([^/]+)/(.*)$ 
            /packages/styles/$1/$2/$3/$4 break;
    rewrite ^/packages/styles/(.+)/thumbnail/(.*) /packages/styles/$1/thumbnail/$2 break;
    rewrite ^/extension/ezvideoflv/design/standard/flash/player_flv_maxi.swf 
             /extension/ezvideoflv/design/standard/flash/player_flv_maxi.swf break;
    rewrite ^/sitemap(.*)\.xml /sitemap$1.xml  break;
    rewrite ^/sitemap(.*)\.xml\.gz /sitemap$1.xml.gz break;
    rewrite "^/crossdomain\.xml$"  "/crossdomain.xml" break;
    rewrite ^/gss\.xsl /gss.xsl break;
    rewrite ^/favicon\.ico /favicon.ico break;
    rewrite ^/robots\.txt /robots.txt break;
    rewrite ^/google42dbeb008fcb9793\.html /google42dbeb008fcb9793.html break;
    rewrite ^/test\.shtml /test.shtml break;
    rewrite ^/footer\.shtml /footer.shtml break;
    rewrite ^/404\.html /404.html break;
    rewrite ^/phpmyadmin/(.*) /phpmyadmin/$1 break;
    
    # Imagenes estaticas (ver virtualhost)
       rewrite ^/Imagenes/(.*)/(.*) /Imagenes/$1/$2 break;

    # Todo lo demas, a index.php
    rewrite "^(.*)$" "/index.php?$1" last;

Configuración de NGINX:

# cat /etc/nginx/sites-enabled/000-www.dominio.es-proxypass 
server {
    listen 80;
    server_name www.dominio.es;
    access_log /var/log/nginx/www.dominio.es.access.log;
    error_log /var/log/nginx/www.dominio.es.error.log;
    root /var/www/www.dominio.es/;
    index index.php index.html;
    error_page 403 404 503 = http://www.dominio.es/404.html;

    include /etc/nginx/phpmyadmin.conf;

    location ~* ^.+.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|
                     tar|mid|midi|wav|bmp|rtf|js|htm|html|swf|flv|xml|wml|xhtml)$ {
        root /var/www/www.dominio.es/;
        try_files $request_uri $request_uri/ @backend;
    }

    location @backend {
        proxy_pass  http://127.0.0.1:81;
        include /etc/nginx/proxy.conf;
    }

    # Resto de la web que no sea contenido estatico o no exista:
    location / {
        proxy_pass   http://127.0.0.1:81;
        include /etc/nginx/proxy.conf;
    }
}

# cat /etc/nginx/proxy.conf 
# Standard proxy settings

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 90;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_buffer_size 16k;
proxy_buffers 32 64k;
proxy_busy_buffers_size 128k;

# cat /etc/nginx/phpmyadmin.conf

location ~ ^/phpmyadmin($|/$|/.*$) {
    root /usr/share/;
    index index.php;
    allow 127.0.0.1;
    deny all;

    #auth_basic            "Restricted";
    #auth_basic_user_file  /etc/nginx/htpasswd;

    proxy_pass   http://127.0.0.1:81;
    include      /etc/nginx/proxy.conf;
}

Configuración de Apache (estándar de EZ):

# cat /etc/httpd/vhosts.d/000-www.dominio.es.conf 
<VirtualHost *:81>
        DocumentRoot "/var/www/www.dominio.es/"
        ServerName www.dominio.es
        ServerAlias dominio.es

        Include /etc/httpd/conf.d/awstats.conf
	Alias /stats /var/www/stats

        <IfModule mod_expires.c>
                ExpiresActive On
                ExpiresByType text/javascript "access plus 1 month"
                ExpiresByType application/x-javascript "access plus 1 month"
                ExpiresByType text/css "access plus 1 month"
        </IfModule>

        <Directory /var/www>
                Options -Indexes FollowSymLinks MultiViews +Includes
                AllowOverride None
        </Directory>

        <Files "stats.php">
            AuthName "Estadisticas awstats"
            AuthType Basic
            AuthUserFile /etc/httpd/http_passwords
            require valid-user
        </Files>

        RewriteEngine On

        # URLs no de nginx
        Rewriterule ^/stats/.* - [L]
        Rewriterule ^/awstats/.* - [L]

        # Reglas EZ Publish
        Rewriterule ^/apc_info.php($|/$|/.*) - [L]
        Rewriterule ^/phpmyadmin($|/$|/.*) - [L]
        RewriteRule ^/sitemap(.*)\.xml - [L]
        RewriteRule ^/sitemap(.*)\.xml\.gz - [L]
        RewriteRule ^/gss\.xsl - [L]
        RewriteRule ^/awstats.* - [L]
        RewriteRule ^/cgi-bin/awstats.* - [L]
        Rewriterule ^/var/([^/]+/)?storage/images-versioned/.*  /index_cluster.php  [L]
        Rewriterule ^/var/([^/]+/)?storage/images/.*            /index_cluster.php  [L]
        Rewriterule ^/extension/ezvideoflv/design/standard/flash/player_flv_maxi.swf - [L]
        RewriteRule content/treemenu/?$ /index_treemenu.php [L]
        Rewriterule ^/openx/.* - [L]
        Rewriterule ^/stats\.php - [L]
        Rewriterule ^/css/.* - [L]
        Rewriterule ^/images/.* - [L]
        Rewriterule ^/var/si-blocks/.* - [L]
        Rewriterule ^/var/storage/.* - [L]
        Rewriterule ^/var/[^/]+/storage/.* - [L]
        RewriteRule ^/var/cache/texttoimage/.* - [L]
        RewriteRule ^/var/cache/ezhumancaptcha/.* - [L]
        RewriteRule ^/var/[^/]+/cache/(texttoimage|stylesheets|javascript|js|css)/.* - [L]
        RewriteRule ^/var/[^/]+/cache/ezhumancaptcha/.* - [L]
        RewriteRule ^/var/[^/]+/cache/(stylesheets|public|js|css|image/javascripts?)/.* - [L]
        Rewriterule ^/extension/ezvideoflv/design/standard/flash/player_flv_maxi.swf - [L]
        Rewriterule ^/design/[^/]+/(stylesheets|swf|images|js|css|javascript)/.* - [L]
        Rewriterule ^/share/icons/.* - [L]
        Rewriterule ^/packages/styles/.+/(stylesheets|images|javascript|js|css)/[^/]+/.* - [L]
        RewriteRule ^/extension/[^/]+/design/[^/]+/(stylesheets|images|javascripts?)/.* - [L]
        Rewriterule ^/extension/[^/]+/design/[^/]+/.* - [L]
        RewriteRule ^/packages/styles/.+/thumbnail/.* - [L]
        RewriteRule ^/favicon\.ico - [L]
        RewriteRule ^/robots\.txt - [L]
        RewriteRule ^/test\.shtml - [L]
        RewriteRule ^/footer\.shtml - [L]
        RewriteRule ^/404\.html - [L]
        # Uncomment the following lines when using popup style debug.
        # RewriteRule ^/var/cache/debug\.html.* - [L]
        # RewriteRule ^/var/[^/]+/cache/debug\.html.* - [L]
        RewriteRule .* /index.php

        # Linea larga partida: unir.
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" 
                  \"%{User-Agent}i\" proxy:%h" proxy
        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" client-ip-request

        CustomLog /var/log/httpd/www.dominio.es-access.log combined env=!client-ip-request
        CustomLog /var/log/httpd/www.dominio.es-access.log proxy env=client-ip-request
        ErrorLog /var/log/httpd/www.dominio.es-error.log

</VirtualHost>

# cat /etc/nginx/sites-enabled/000-web.conf

server {
    listen 80;
    server_name www.dominio.es;
    access_log /var/log/nginx/www.dominio.es.access.log;
    error_log /var/log/nginx/www.dominio.es.error.log;
    root /var/www/www.dominio.es;
    index index.php;

    include /etc/nginx/wordpress/restrictions.conf;
    include /etc/nginx/wordpress/wordpress-ms-subdir.conf;
}

Configuraciones específicas Wordpress:

# cat /etc/nginx/wordpress/restrictions.conf 

# Global restrictions configuration file.
# Designed to be included in any server {} block.</p>
location = /favicon.ico {
	log_not_found off;
	access_log off;
}

location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
}

# Deny all attempts to access hidden files:
location ~ /\. {
	deny all;
	access_log off;
	log_not_found off;
}

# cat /etc/nginx/wordpress/wordpress-ms-subdir.conf 

# WordPress multisite subdirectory rules.
# Designed to be included in any server {} block.

# This order might seem weird - this is attempted to match
# last if rules below fail.
# http://wiki.nginx.org/HttpCoreModule
location / {
	try_files $uri $uri/ /index.php?$args;
}

# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;

# Directives to send expires headers and turn off 404 error logging.
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
	expires 24h;
	log_not_found off;
}

# Pass uploaded files to wp-includes/ms-files.php.
rewrite /files/$ /index.php last;

# For multisite:  Use a caching plugin/script that creates symlinks
# to the correct subdirectory structure to get some performance gains.
set $cachetest "$document_root/wp-content/cache/ms-filemap/${host}${uri}";
if ($uri ~ /$) {
	set $cachetest "";
}
if (-f $cachetest) {
	# Rewrites the URI and stops rewrite processing so it
        # doesn't start over and attempt to pass it to the next rule.
	rewrite ^ /wp-content/cache/ms-filemap/${host}${uri} break;
}

if ($uri !~ wp-content/plugins) {
	rewrite /files/(.+)$ /wp-includes/ms-files.php?file=$1 last;
}

# Uncomment one of the lines below for the appropriate caching plugin (if used).
# include global/wordpress-ms-subdir-wp-super-cache.conf;
# include global/wordpress-ms-subdir-w3-total-cache.conf;

# Rewrite multisite '.../wp-.*' and '.../*.php'.
if (!-e $request_filename) {
	rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last;
	rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last;
}

# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ \.php$ {
	try_files $uri =404;
        include /etc/nginx/fastcgi_params;
	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	include fastcgi_params;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#	fastcgi_intercept_errors on;
        fastcgi_pass   127.0.0.1:9000;
}

<Volver a Página de NGINX>