File permissions 1.9 + NGINX config

Hi there,

I'm migrating some M1 webshops to another server. I was struggling with the file permissions and webserver config but found a solution that works for me.

Still, I would like someone to review the settings and file permissions in case I f'ed up.

I'm running NGINX as a reverse proxy on port 80 for Apache on port 8080. It's a dedicated server on which I run about 50 sites/shops; I'm the only one with command line/FTP access.

I tried the advised permissions and ownership described in the docs, but this results in a 403 error. So I tweaked it a little until it worked for me, which resulted in:

Ownership of the files:

chown -R web-server-user-name:apache .

File permissions:

find . -type f -exec chmod 440 {} +       # code: read-only for owner and web server group
find . -type d -exec chmod 550 {} +
find var/ -type f -exec chmod 644 {} +    # trees Magento writes at runtime: owner may write
find js/ -type f -exec chmod 644 {} +
find media/ -type f -exec chmod 644 {} +
find var/ -type d -exec chmod 755 {} +
find js/ -type d -exec chmod 755 {} +
find media/ -type d -exec chmod 755 {} +
chmod 750 includes                        # Magento compiler directory
chmod 640 includes/config.php

This works for me but I'm not sure it's secure. I had to add the permissions on the /js folder and files to get the image pop-up in the WYSIWYG editor to work.


My additional NGINX config for Magento1

location ^~ /app/                { deny all; }
location ^~ /includes/           { deny all; }
location ^~ /lib/                { deny all; }
location ^~ /media/downloadable/ { deny all; }
location ^~ /pkginfo/            { deny all; }
location ^~ /report/config.xml   { deny all; }
location ^~ /var/                { deny all; }
# Already covered by the ^~ /var/ prefix above; if kept, it needs ^~ too:
# without the modifier it becomes the longest matching prefix for /var/export/...
# and nginx then goes on to check the regex locations, so a request for e.g.
# /var/export/foo.csv.gz would be handled by the static-files block below
# instead of being denied.
location ^~ /var/export/         { deny all; }
location ^~ /downloader/         { deny all; }
location ^~ /rss/catalog         { deny all; }
location ^~ /dev/                { deny all; }

# deny htaccess files
location ~ /\.htaccess {
        deny  all;
        access_log off;
        log_not_found off;
}

##
# Rewrite for versioned CSS+JS via filemtime
##
location ~* ^.+\.(css|js)$ {
#       rewrite ^(.+)\.(\d+)\.(css|js)$ $1.$3 last;
        expires 31536000s;
        access_log off;
        log_not_found off;
        add_header Pragma public;
        add_header Cache-Control "max-age=31536000, public";
}
##
# Aggressive caching for static files
# If you alter static files often, please use
# add_header Cache-Control "max-age=31536000, public, must-revalidate, proxy-revalidate";
##
location ~* \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|otf|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|sw$
        expires 31536000s;
        access_log off;
        log_not_found off;
        add_header Pragma public;
        add_header Cache-Control "max-age=31536000, public";
}

# error pages
error_page  404              /404.html;
location = /404.html {
        root   /usr/share/nginx/html;
}
error_page   500 502 503 504  /50x.html;
location = /50x.html {
        root   /usr/share/nginx/html;
}

location @handler { ## Magento uses a common front handler
        rewrite / /index.php;
}

rewrite ^/minify/([0-9]+)(/.*.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;
rewrite ^/skin/m/([0-9]+)(/.*.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;

It would be a great help if someone with a little more NGINX+Magento1 experience could review these settings/permissions.


Best regards,

bleenders
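The ownership and chmod commands above, as an added example that is not code from the original post: a script that applies the same scheme and then audits the result. It assumes the two-account layout the Magento docs describe, where a deploy/shell account (hypothetically `deploy`) owns the files and the web server gets only group access, so PHP can read the code and write var/ and media/ but cannot chmod or overwrite the files it serves. With the post's own `chown web-server-user-name:apache`, the web server user owns everything and can therefore flip the read-only bits on its own files; the 440/550 modes then stop nothing that runs as that user. Paths (app/etc/local.xml, var/, media/, js/) follow the Magento 1 layout; the write-tree modes (660/2770 for var/, 664/2775 for media/ and js/) and the audit rules are this example's choices.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the permission scheme
# discussed above in a two-account layout: the deploy/shell account OWNS the
# files and the web server only gets GROUP access. Assumptions: Magento 1
# layout; nginx proxies everything to Apache as in the post, so no third user
# needs read access; run as root or as the owner named on the command line.
set -eu

# Trees Magento writes at runtime. js/ is here only because the post needed it
# for the WYSIWYG image pop-up; drop it if your shop does not.
WRITABLE_DIRS="var media js"

# apply_perms <shop_root> <owner> <web_group>
apply_perms() {
    root=$1; owner=$2; web_group=$3
    chown -R "$owner:$web_group" "$root"
    # Baseline: owner and web server group may read/traverse, nobody may write.
    find "$root" -type f -exec chmod 440 {} +
    find "$root" -type d -exec chmod 550 {} +
    # Runtime trees: group write; setgid on directories so files PHP creates
    # stay in the web server group. media/ and js/ keep other-read as in the
    # post; var/ does not, since nginx denies /var/ anyway.
    for d in $WRITABLE_DIRS; do
        [ -d "$root/$d" ] || continue
        if [ "$d" = var ]; then fmode=660; dmode=2770; else fmode=664; dmode=2775; fi
        find "$root/$d" -type f -exec chmod "$fmode" {} +
        find "$root/$d" -type d -exec chmod "$dmode" {} +
    done
    return 0
}

# outside_writable <shop_root>: filter paths on stdin, keeping only those that
# are not inside one of WRITABLE_DIRS.
outside_writable() {
    root=$1
    while IFS= read -r p; do
        rel=${p#"$root"/}; inside=0
        for d in $WRITABLE_DIRS; do
            case "$rel" in "$d"|"$d"/*) inside=1 ;; esac
        done
        [ "$inside" -eq 1 ] || printf '%s\n' "$p"
    done
    return 0
}

# audit_perms <shop_root>: print every violation, return 1 if any were found.
audit_perms() {
    root=$1; bad=0
    # 1. Nothing world-writable, anywhere.
    ww=$(find "$root" -perm -002)
    if [ -n "$ww" ]; then
        printf 'FAIL world-writable:\n%s\n' "$ww"; bad=1
    fi
    # 2. Web server (group) write only inside the runtime trees; it must never
    #    be able to modify PHP code, templates or config.
    gw=$(find "$root" -perm -020 | outside_writable "$root")
    if [ -n "$gw" ]; then
        printf 'FAIL group-writable outside %s:\n%s\n' "$WRITABLE_DIRS" "$gw"; bad=1
    fi
    # 3. The DB credentials must not be readable by every local account.
    if [ -f "$root/app/etc/local.xml" ] && [ -n "$(find "$root/app/etc/local.xml" -perm -004)" ]; then
        printf 'FAIL app/etc/local.xml is world-readable\n'; bad=1
    fi
    [ "$bad" -eq 0 ] && printf 'OK %s\n' "$root"
    return "$bad"
}

# Usage: sh magento_perms.sh /var/www/shop1 deploy apache
if [ "$#" -eq 3 ]; then
    apply_perms "$1" "$2" "$3"
    audit_perms "$1"
fi
```

Run the audit on its own (call `audit_perms` against a shop root) after every deploy or module install: a module that ships world-writable directories, or a `chmod -R 777` someone ran to make an extension work, shows up immediately. If nginx serves static files itself under a different user than Apache, the served trees (skin/, js/, media/) need other-read as well; the post's config shows no `root`/`try_files`, so proxying everything through Apache is assumed here.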


Re: File permissions 1.9 + NGINX config

@Bleenders This looks perfect. If the user of all the files and folders is set to the webserver user (I guess apache), then the permissions shown in the Magento documentation should work. If you cannot achieve them, then 440 and 550 is still a lot better than having 775 and 664. Below are a couple of recommendations.


  • Allow Magento admin access only for whitelisted IPs. You can put the rule for this in the Nginx conf. Once you do that, the Magento admin will be accessible only from whitelisted IPs.
  • If security is the concern, then get a hardware firewall or a WAF, which will be a lot cheaper.
- Tarandeep
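A way to check both the deny list in the original post and the admin IP whitelist suggested in the reply, as an added example that is not code from either poster: a probe script run from a host that is not whitelisted, which requests one representative path per deny rule and expects 403 (or 404), requests the admin URLs and expects 403, and requests a few storefront paths and expects 200 so that an over-broad rule is caught too. `BASE`, the path lists, the `--run` flag and the default "admin" frontName are this example's assumptions; the sample file names need not exist on disk, because a `location ^~ ... { deny all; }` answers 403 before nginx looks at the filesystem. Note that the post's `/\.htaccess` rule covers only that one file; other dotfiles (a `.git/` directory deployed by mistake, for example) are not in the list because the config does not deny them.

```shell
#!/bin/sh
# Added example, not from the original thread. Probes a Magento 1 shop behind
# the nginx config above and reports every path whose status is not the one
# the deny rules (and the admin whitelist from the reply) should produce.
# Run it from an address that is NOT on the admin whitelist.
set -eu

BASE=${BASE:-}               # e.g. https://shop.example.com (assumption)
FETCH=${FETCH:-fetch_status} # fetcher to use; overridable for offline tests

# One representative request per deny rule in the config above. File names
# are illustrative Magento 1 paths; existence does not matter for a deny rule.
DENIED_PATHS="/app/etc/local.xml /includes/config.php /lib/Varien/Object.php
/media/downloadable/ /pkginfo/Mage_All_Latest.txt /report/config.xml
/var/log/system.log /var/export/ /downloader/ /rss/catalog/notifystock
/dev/tests/ /.htaccess"
# Should answer 403 from non-whitelisted addresses once the admin whitelist
# from the reply is in place (assumes the default "admin" frontName).
ADMIN_PATHS="/admin/ /index.php/admin/"
# Must keep working, otherwise a deny rule is too broad.
OPEN_PATHS="/ /js/prototype/prototype.js /skin/frontend/base/default/css/styles.css"

# fetch_status <url>: print only the HTTP status code (000 on connection errors).
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# expect <path> "<status> [<status>...]": fetch BASE<path>; return 1 unless the
# response status is one of those listed.
expect() {
    path=$1; want=$2
    status=$("$FETCH" "$BASE$path" 2>/dev/null) || status=000
    for w in $want; do
        if [ "$status" = "$w" ]; then
            printf 'ok    %s %s\n' "$status" "$path"
            return 0
        fi
    done
    printf 'FAIL  %s %s (wanted %s)\n' "$status" "$path" "$want"
    return 1
}

# run_checks: probe every list; the return value is the number of mismatches,
# so 0 means every rule behaved as expected.
run_checks() {
    fails=0
    for p in $DENIED_PATHS; do expect "$p" "403 404" || fails=$((fails + 1)); done
    for p in $ADMIN_PATHS;  do expect "$p" "403"     || fails=$((fails + 1)); done
    for p in $OPEN_PATHS;   do expect "$p" "200"     || fails=$((fails + 1)); done
    return "$fails"
}

# Usage: BASE=https://shop.example.com sh probe_nginx_deny.sh --run
if [ "${1:-}" = "--run" ]; then
    [ -n "$BASE" ] || { echo "set BASE to the shop URL first" >&2; exit 2; }
    run_checks
fi
```

Because the fetcher is a variable, the same checks can be pointed at a staging host, at `http://127.0.0.1:8080` to see what Apache answers when nginx is bypassed (those requests should then be blocked by the firewall, not merely by nginx), or at a stub that returns canned status codes for offline testing of the lists themselves.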