Hi there,
I'm migrating some M1 webshops to another server. I was struggling with the file permissions and webserver config but found a solution that works for me.
Still, I would like someone to review the settings and file permissions in case I f'ed up.
I'm running NGINX as a reverse proxy on port 80 for Apache on port 8080. It's a dedicated server on which I run about 50 sites/shops, I'm the only one with command line/ftp access.
I tried the advised permissions and ownership described in the docs, but this results in a 403 error. So I tweaked it a little until it worked for me, which resulted in:
Ownership of the files:
chown -R web-server-user-name:apache .
File permissions:
find . -type f -exec chmod 440 {} \;
find . -type d -exec chmod 550 {} \;
find var/ -type f -exec chmod 644 {} \;
find js/ -type f -exec chmod 644 {} \;
find media/ -type f -exec chmod 644 {} \;
find var/ -type d -exec chmod 755 {} \;
find js/ -type d -exec chmod 755 {} \;
find media/ -type d -exec chmod 755 {} \;
chmod 750 includes
chmod 640 includes/config.php
This works for me but I'm not sure it's secure. I had to add the permissions on the /js folder and files to get the image pop-up in the WYSIWYG editor to work.
My additional NGINX config for Magento1
    location ^~ /app/ { deny all; }
    location ^~ /includes/ { deny all; }
    location ^~ /lib/ { deny all; }
    location ^~ /media/downloadable/ { deny all; }
    location ^~ /pkginfo/ { deny all; }
    location ^~ /report/config.xml { deny all; }
    location ^~ /var/ { deny all; }
    location /var/export/ { deny all; }
    location ^~ /downloader/ { deny all; }
    location ^~ /rss/catalog { deny all; }
    location ^~ /dev/ { deny all; }

    # deny htaccess files
    location ~ /\.htaccess {
        deny all;
        access_log off;
        log_not_found off;
    }

    ##
    # Rewrite for versioned CSS+JS via filemtime
    ##
    location ~* ^.+\.(css|js)$ {
        # rewrite ^(.+)\.(\d+)\.(css|js)$ $1.$3 last;
        expires 31536000s;
        access_log off;
        log_not_found off;
        add_header Pragma public;
        add_header Cache-Control "max-age=31536000, public";
    }

    ##
    # Aggressive caching for static files
    # If you alter static files often, please use
    # add_header Cache-Control "max-age=31536000, public, must-revalidate, proxy-revalidate";
    ##
    location ~* \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|otf|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|sw$
        expires 31536000s;
        access_log off;
        log_not_found off;
        add_header Pragma public;
        add_header Cache-Control "max-age=31536000, public";
    }

    # error pages
    error_page 404 /404.html;
    location = /404.html {
        root /usr/share/nginx/html;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    location @handler {
        ## Magento uses a common front handler
        rewrite / /index.php;
    }

    rewrite ^/minify/([0-9]+)(/.*.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;
    rewrite ^/skin/m/([0-9]+)(/.*.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;
It would be a great help if someone with a little more NGINX+Magento1 experience could review these settings/permissions.
Best regards,
bleenders
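One way to check a docroot against the permission scheme in the question above, as an added example that is not part of the original post or of Magento's tooling. The function name `audit_m1_perms` and the finding labels are assumptions, and the `-perm /MODE` and `-printf` options require GNU find.

```shell
#!/usr/bin/env bash
# Added example (not from the post): list every path whose mode is looser
# than the scheme in the question (440/550 everywhere, 644/755 under var/,
# js/ and media/, 750 on includes, 640 on includes/config.php).
# Assumption: GNU find. Prints nothing when the tree matches the scheme.

audit_m1_perms() {
    local root=${1:-.}
    (
        cd "$root" || exit 1

        # Read-only part of the tree: everything except var/, js/, media/.
        # TOO_OPEN: any permission bit for "other", or group write.
        find . \( -path ./var -o -path ./js -o -path ./media \) -prune -o \
            \( -type f -o -type d \) -perm /027 \
            -printf 'TOO_OPEN %m %p\n'

        # OWNER_WRITABLE: owner write bit outside the two paths that the
        # post deliberately sets to 750 and 640.
        find . \( -path ./var -o -path ./js -o -path ./media \) -prune -o \
            \( -type f -o -type d \) -perm /200 \
            ! -path ./includes ! -path ./includes/config.php \
            -printf 'OWNER_WRITABLE %m %p\n'

        # Writable trees are 644/755 in the post, so group or world write
        # there is looser than intended.
        for d in var js media; do
            if [ -d "$d" ]; then
                find "$d" \( -type f -o -type d \) -perm /022 \
                    -printf 'GROUP_OR_WORLD_WRITABLE %m %p\n'
            fi
        done
        exit 0
    )
}
```

Run it as `audit_m1_perms /path/to/shop` after the `chown`/`chmod` commands; each output line gives the finding, the octal mode and the path.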
@Bleenders This looks perfect. If the user of all the files and folders is set to the webserver user (I guess apache), then the permissions shown in the Magento documentation should work. If you cannot achieve them, then 440 and 550 is still a lot better than having 775 and 664. Below is one recommendation.