Been a long time user of webtrees and recently migrated my server from Apache2 to nginx 1.27.3 and wanted to share my config file if others needed a starting point. NOTE: this is an excessive configuration that is "standard" for all my sites. Be sure to change your "root", "server_name", "logs", and "certificates" to your actual values...
Requirements
nginx >=1.25
webtrees >= 2.2
php-fpm (can be 8.2-8.4)
Pretty URL's = 1
Conf
Code:
upstream php-handler {
server unix:/run/php/php8.3-fpm.sock;
}
server {
server_name webtrees.my.domain;
root /var/www/webtrees/public;
listen 80;
server_tokens off;
return 301 https://$server_name$request_uri;
}
server {
### Default config ###
server_name webtrees.my.domain;
root /var/www/webtrees/public;
access_log /var/log/nginx/webtrees_access.log;
error_log /var/log/nginx/webtrees_error.log info;
listen 443 ssl;
http2 on;
server_tokens off;
### SSL config ###
ssl_certificate /etc/letsencrypt/live/my.domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.domain/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/my.domain/fullchain.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_session_tickets off;
ssl_session_timeout 1d;
### Performance tuning config ###
client_max_body_size 36M;
client_body_timeout 300s;
fastcgi_buffers 64 4K;
client_body_buffer_size 256k;
### GZip config###
# Already handled by webtrees
### Default headers ###
# Already handled by webtrees
#add_header Referrer-Policy "no-referrer" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header Permissions-Policy "geolocation=(self), midi=(self), sync-xhr=(self), microphone=(self), camera=(self), magnetometer=(self), gyroscope=(self), fullscreen=(self), payment=(self)";
add_header Content-Security-Policy "default-src 'self'; font-src 'self'; media-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' https: data: blob:; worker-src *; frame-src 'none'; connect-src 'self'";
fastcgi_hide_header X-Powered-By;
### Proxy php rules ###
# What file should nginx use to serve files
index index.php index.html /index.php$request_uri;
# Always allow access to our robots.txt file and don't log any requests here
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# For "pretty URL's" rewrite everything to the index.php file
location / {
rewrite ^ /index.php last;
}
# Actually pass the requests to the backend
location = /index.php {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_max_temp_file_size 0;
}
}
