
TOPIC: suiteCRM nginx config

suiteCRM nginx config 4 years 5 months ago #16083

  • FoxDEV
Below we want to share our HTTPS (443) nginx config. With it we have seen a performance boost of at least about 200-400% with SuiteCRM.

Ubuntu 12.04 - minimal
nginx version: nginx/1.6.2
php-fpm: PHP 5.6.6-1
mySQL 5.5.41

nginx vhost config:
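server {
    # HTTPS virtual host for SuiteCRM (nginx + php-fpm over a unix socket).
    # TLS is switched on per listening socket; the standalone "ssl on;"
    # directive is deprecated in later nginx releases.
    listen yourdomain.com:443 ssl;

    root /var/www/yourdomain;
    index index.php index.html index.htm;
    server_name yourdomain.com.de;

    error_log /var/log/nginx/yourdomain_error.log;

    ssl_certificate     /etc/ssl/com/yourdomain/yourdomain_com_de_bundle.crt;
    # The private key should be readable only by root / the nginx master process.
    ssl_certificate_key /etc/ssl/com/yourdomain/yourdomain_com_de.key;

    # TLS 1.0 and 1.1 are formally deprecated (RFC 8996), SSLv2/v3 are broken.
    # Add TLSv1.3 here once nginx >= 1.13.0 is built against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2;

    # Forward-secret AEAD suites first, CBC suites as fallback.
    # The 3DES (DES-CBC3) suites are left out and excluded with !3DES: "!DES"
    # only removes single DES, and older OpenSSL builds count 3DES as HIGH.
    # The trailing static-RSA suites give no forward secrecy; drop them if no
    # client still needs them.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd,
    # .DS_Store (Mac). This also covers .git and similar dot-directories.
    # Denied requests are not written to the access log here, so probing for
    # these paths will not be visible in it.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Add trailing slash to */wp-admin requests.
    # NOTE(review): WordPress leftover; SuiteCRM has no /wp-admin, so this
    # rule looks unnecessary here.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;

    # Static assets: far-future expiry headers.
    location ~* \.(jpg|jpeg|png|gif|css|js|ico)$ {
        expires max;
        log_not_found off;
    }

    location / {
        # NOTE(review): $rule_0 is set when the request is not an existing
        # directory OR not an existing file. No path is both, so the flag is
        # set for every request and the rewrites below always apply. The
        # /rest, /cache/api and /portal rules look like SugarCRM 7 rules;
        # confirm that SuiteCRM needs them at all.
        if (!-d $request_filename) {
            set $rule_0 true;
        }
        if (!-f $request_filename) {
            set $rule_0 true;
        }
        if ($rule_0) {
            rewrite ^/rest/(.*)$ /api/rest.php?__sugar_url=$1 last;
            rewrite ^/cache/api/metadata/lang_(.._..)_(.*)_public.json$ /rest/v10/lang/public/$1?platform=$2 last;
            rewrite ^/cache/api/metadata/lang_(.._..)_([^_]*).json$ /rest/v10/lang/$1?platform=$2 last;
            rewrite ^/portal/(.*)$ /portal2/$1 last;
            rewrite ^/portal$ /portal/? permanent;
        }

        # The fallback must be an absolute URI. A bare "index.php" is joined
        # to the root without a slash and cannot resolve to the front
        # controller.
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        # Only hand a script to PHP-FPM if it really exists on disk, so that
        # crafted paths ending in ".php" are not passed on for execution.
        try_files $uri =404;
        # NOTE(review): this location executes any .php file below the root,
        # including files in directories the application can write to
        # (upload, cache). Consider an explicit deny for PHP in those paths.
        fastcgi_pass   unix:/var/run/php5-fpm.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
        # The next four parameters are normally already set by
        # fastcgi_params; kept as posted.
        fastcgi_param  QUERY_STRING     $query_string;
        fastcgi_param  REQUEST_METHOD   $request_method;
        fastcgi_param  CONTENT_TYPE     $content_type;
        fastcgi_param  CONTENT_LENGTH   $content_length;
        fastcgi_intercept_errors        on;
        fastcgi_ignore_client_abort     off;
        fastcgi_connect_timeout 60;
        fastcgi_send_timeout 180;
        fastcgi_read_timeout 180;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
    }
}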


nginx.conf
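# Main nginx.conf: worker setup plus http-level defaults shared by all vhosts.
user www-data;
worker_processes 8;
pid /run/nginx.pid;

events {
	worker_connections 768;
	multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 2;
	types_hash_max_size 2048;
	# Do not advertise the nginx version in headers and error pages.
	server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# File Cache Settings
	##

	open_file_cache max=5000 inactive=20s;
	open_file_cache_valid 30s;
	open_file_cache_min_uses 2;
	open_file_cache_errors on;
	# Defines the "microcache" zone only. The vhost posted above has no
	# fastcgi_cache directive, so nothing is cached unless one is added.
	# If it is enabled later, make sure authenticated CRM pages are never
	# cached and served to another user.
	fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=microcache:10m max_size=1000m inactive=60m;

	# Maximum accepted request body: 200 MB. Larger limits make it cheaper
	# for a client to tie up workers and disk with big uploads; keep it as
	# low as the application's uploads allow.
	client_max_body_size 200M;

	##
	# SSL Settings
	##
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	# Older OpenSSL builds include 3DES in HIGH, hence the explicit !3DES.
	ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
	ssl_prefer_server_ciphers on;
	# SSLv3 dropped (POODLE); TLS 1.0/1.1 dropped as deprecated (RFC 8996).
	# Add TLSv1.3 once nginx >= 1.13.0 is built against OpenSSL >= 1.1.1.
	ssl_protocols TLSv1.2;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	# NOTE(review): compressing HTTPS responses that combine secrets (session
	# or CSRF tokens) with request-reflected data is the precondition for
	# BREACH-style side channels. Check which dynamic responses need it.
	gzip on;
	gzip_static on;
	gzip_disable "msie6";
	gzip_http_version 1.1;
	gzip_vary on;
	gzip_comp_level 6;
	gzip_proxied any;
	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
	gzip_buffers 16 8k;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}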


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

hope it helps to speed up.

suiteCRM nginx config 4 years 4 months ago #16393

  • klou
Sticky please!

suiteCRM nginx config 3 years 7 months ago #27121

  • lardconcepts
Hmmm, there seem to be a few problems with that config. The nginx.conf doesn't need to be touched, there's some irrelevant stuff about fastcgi_cache which isn't used, a stray WordPress directive and so on. Here are the key parts that worked for me:
# Trimmed SuiteCRM vhost: only the location rules are shown; listen, root,
# server_name and TLS settings are left to the reader ("usual stuff").
server {
 
# .... usual stuff goes here

	index index.php index.html index.htm;

	# Block access to script and log file types. The pattern is a
	# case-insensitive regex that is not anchored to a directory, so it
	# applies at any depth below the root, not only in the root itself.
	# 444 is nginx-specific: the connection is closed without a response.
	location ~* \.(pl|cgi|py|sh|lua|log|md5)$ {
        return 444;
}
	
	# Block access to data folders: no scripts, templates or logs are served
	# or executed from the listed directories, which include the upload and
	# cache folders. Regex locations are tested in the order they appear and
	# the first match wins, so this block has to stay above the generic
	# "location ~ \.php$" below or PHP in these folders would still run.
	location ~ /(soap|cache|upload|xtemplate|data|examples|include|log4php|metadata|modules|diagnostic|blowfish|emailmandelivery)/.*\.(php|pl|py|jsp|asp|sh|cgi|tpl|log|md5)$ {
    return 444;
}
	
	
	# NOTE(review): contents of this snippet are not shown in the post.
	include snippets/gzip_expires_etc.conf;


# Static files and directories only; anything else is a 404.
location / { 
	try_files $uri $uri/ =404; 
	index index.html index.htm index.php; 
} 	
	

  # Execute PHP only for scripts that exist on disk.
  # NOTE(review): no "include fastcgi_params" or SCRIPT_FILENAME is shown
  # here; presumably omitted for brevity - confirm before using as-is.
  location ~ \.php$ {
    try_files $uri =404;
	fastcgi_pass unix:/var/run/fpm.sock;
  }   
}

Does all that make sense? No need for all those rewrites and IFs.

Getting " Server response time: 0.12 seconds" on a $5 VPS with A+ class SSL running.

If you'd like a more full and complete config, please let me know.
Last Edit: 3 years 7 months ago by lardconcepts.

suiteCRM nginx config 3 years 7 months ago #27135

  • lardconcepts
Gah! I spotted an omission in there - I didn't realise you couldn't edit after a certain period. I'll make a link as a "gist" on github which I can keep up to date, and then ask to edit the page to reflect that.

suiteCRM nginx config 3 years 7 months ago #27645

  • fbdaytona2
Interested to know if you are still on nginx and have not had issues over the last 10 months? thanks in advance

suiteCRM nginx config 3 years 2 weeks ago #35619

  • Guerrilla
lardconcepts wrote:
Gah! I spotted an omission in there - I didn't realise you couldn't edit after a certain period. I'll make a link as a "gist" on github which I can keep up to date, and then ask to edit the page to reflect that.

Can I have link to gist please

suiteCRM nginx config 3 years 1 week ago #35954

  • lardconcepts
Hi there; try something like this:

gist.github.com/lardconcepts/ae8ca9f248842be067141a9e7a505a98

Not sure if it works now - I gave up on SuiteCRM as the support in the forums seemed non-existent and the software was too quirky.

I now use a different CRM which is free up to 100 customers and it just works great with nothing to install.

Good luck!
Last Edit: 3 years 1 week ago by lardconcepts.

suiteCRM nginx config 2 years 3 months ago #46851

  • angrymob
I have a similar setup. We are currently developing on SuiteCRM 7.8.3 to enhance and migrate our current SuiteCRM 7.4.3 install. Our dev and future production environment will consist of:

CentOS7
PHP7
Nginx
php-fpm
MariaDB (Separate server on CentOS7)


I used letsencrypt/certbot to generate ssl certs.

My config files change as I install letsencrypt.

No SSL
/etc/nginx/conf.d/sub.mydomain.tld.conf
The server is only accessible from a specific IP, except for the /.well-known directory
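# Temporary plain-HTTP vhost, used only until the Let's Encrypt certificate
# has been issued through the webroot plugin.
server {
        listen   [::]:80;
        listen 80;

        root /var/www/vhosts/sub.mydomain.tld/httpdocs;
        index index.php index.html index.htm;
        server_name  sub.mydomain.tld;
        # Allows file uploads up to 500 megs. PHP's own upload limits apply
        # as well; keep this no larger than the application needs.
        client_max_body_size 500m;

        # IP allow-list at server level so that every location inherits it.
        # When these lines sit inside "location /" only, requests ending in
        # .php are handled by the regex location below, which does not
        # inherit them, and the application itself stays reachable from any
        # address. x.x.x.x is the placeholder for the permitted client IP.
        allow x.x.x.x;
        allow 127.0.0.1;
        deny all;

        location / {
                try_files $uri $uri/ /index.html;
        }

        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
              root /usr/share/nginx/www;
        }

        # The dot is escaped so that only a real ".php" suffix matches.
        location ~ \.php$ {
                # Pass a script to PHP-FPM only if it exists on disk.
                try_files $uri =404;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }

        # ACME challenge files must be reachable from anywhere. Having its
        # own allow rule, this location does not inherit the server-level
        # allow-list.
        location /.well-known {
               allow all;
        }
}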

I run letsencrypt certonly command with the webroot plugin. Plenty of docs online on how to do this.
letsencrypt certonly -a webroot --webroot-path=/var/www/vhosts/sub.mydomain.tld/httpdocs -d sub.mydomain.tld

Once this is done, I remove or rename /etc/nginx/conf.d/sub.mydomain.tld.conf to
/etc/nginx/conf.d/ssl_sub.mydomain.tld.conf

With contents of
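# HTTPS vhost that replaces the plain-HTTP one after the certificate exists.
server {
        # "ssl" has to be set on each listen socket. Without it the IPv6
        # listener would answer in plain HTTP on port 443.
        listen [::]:443 ssl http2;
        listen 443 ssl http2;

        server_name  sub.mydomain.tld;
        ssl_certificate /etc/letsencrypt/live/sub.mydomain.tld/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/sub.mydomain.tld/privkey.pem;

        ########################################################################
        # from https://cipherli.st/                                            #
        # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
        ########################################################################

        # TLS 1.0 and 1.1 are formally deprecated (RFC 8996). Add TLSv1.3
        # once nginx >= 1.13.0 is built against OpenSSL >= 1.1.1.
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;
        # Needed for OCSP stapling lookups. These are public resolvers; a
        # local or otherwise trusted resolver can be used instead.
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
        # Disable preloading HSTS for now.  You can use the commented out header line that includes
        # the "preload" directive if you understand the implications.
        #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        # "always" also sends the headers on error responses (4xx/5xx).
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
        add_header X-Frame-Options DENY always;
        add_header X-Content-Type-Options nosniff always;

        ##################################
        # END https://cipherli.st/ BLOCK #
        ##################################

        # DH parameters for the EDH suites; this file is not created by
        # nginx and has to be generated on the server.
        ssl_dhparam /etc/ssl/certs/dhparam.pem;

        root /var/www/vhosts/sub.mydomain.tld/httpdocs;
        index index.php index.html index.htm;
        # Allows file uploads up to 500 megs. PHP's own upload limits apply
        # as well; keep this no larger than the application needs.
        client_max_body_size 500m;

        # IP allow-list at server level so that every location inherits it.
        # When these lines sit inside "location /" only, requests ending in
        # .php are handled by the regex location below, which does not
        # inherit them, and the application itself stays reachable from any
        # address. x.x.x.x is the placeholder for the permitted client IP.
        allow x.x.x.x;
        allow 127.0.0.1;
        deny all;

        location / {
                try_files $uri $uri/ /index.html;
        }

        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
              root /usr/share/nginx/www;
        }

        # The dot is escaped so that only a real ".php" suffix matches.
        location ~ \.php$ {
                # Pass a script to PHP-FPM only if it exists on disk.
                try_files $uri =404;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }

        # ACME challenge files must be reachable from anywhere. Having its
        # own allow rule, this location does not inherit the server-level
        # allow-list.
        # NOTE(review): HTTP-01 validation starts on port 80 and this vhost
        # only listens on 443 - confirm how certificate renewals are served.
        location /.well-known {
               allow all;
        }

}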

This works excellent, it was a pain to wrap my head around nginx and php7 and php-fpm. Once it was running it was a noticeable difference.