Blesta + Nginx - The Easy Way Tutorial


ServZoo

So, I'm not an expert on Blesta or NGINX, but I have learned the easy way to make the two work and wanted to share. Credit to cloudrck for starting the project on GitHub (I have used a lot of his work in the config.)

 

1.) Fire up a fresh install of Ubuntu 14.04 64-Bit (DigitalOcean works great for testing)

 

2.) Install EasyEngine (easy way to set up a LEMP server)

curl -sL rt.cx/ee | sudo bash

ee system install

3.) Create your site with EasyEngine

ee site create yourdomainname.com --mysql

4.) Install Ioncube

cd /usr/local
sudo wget http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.tar.gz
sudo tar xzf ioncube_loaders_lin_x86-64.tar.gz

mv /usr/local/ioncube/* /usr/lib/php5/20121212/

nano /etc/php5/fpm/php.ini

zend_extension = /usr/lib/php5/20121212/ioncube_loader_lin_5.5.so

service php5-fpm restart

5.) Apply PHP 5.5 Hotfix

 

Prepare your files before you upload. Copy the "blesta" folder from the PHP5.5 Hotfix folder to the main "blesta" folder. This will overwrite the files that need to be replaced.

 

Zip up your "blesta" folder contents and upload to your new server instance.

 

6.) Edit your NGINX Conf

cd /etc/nginx/sites-available/
cp *yourdomain.com *yourdomain.com.backup
nano

You can use the following NGINX config as a starting point (it should work out of the box for you after you edit the paths.)

# MYSQL NGINX CONFIGURATION
server {
    listen 80;
    listen 443 ssl;
    server_name *your FQN*;
    access_log   /var/log/nginx/*log directory & file* rt_cache;
    error_log    /var/log/nginx/*log directory & file*;

    root *local directory for Blesta install*;
    index index.php index.htm index.html;

    server_name *your FQN*;
    ssl_certificate *SSL Cert File*.crt;
    ssl_certificate_key *SSL Key File*.key;

    location / {
        error_page     404 = @blesta; #IF file doesn't exist
        log_not_found  off;
    }

    #Core rewrite
    location @blesta {
        rewrite ^(.*)$ /index.php last;
        # rewrite ^(.*)$ /index.php/(.*) /$1  permanent;
    }

    location ~ \.php$ {
        try_files $uri =404;
        # Tweak for Nginx to work with PHP from vendors
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        fastcgi_connect_timeout 60;
        fastcgi_send_timeout 180;
        fastcgi_read_timeout 180;
        # Buffer settings increase to compensate for increased time/size due to SSL
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
        fastcgi_intercept_errors on;
        fastcgi_pass php;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    # Disallow access to any file with .pdt extension
    location ~ (\.pdt) {
        return 403;
    }

    if (!-e $request_filename){
        rewrite ^(.*)$ /index.php;
    }

    #Core rewrite
    location @blesta {
        rewrite ^(.*)$/index.php/(.*) /$1  permanent;
    }

    include common/locations.conf;

}

Now save the file as *yourdomain.com (Press CTRL-X, then Y and type it in.)

 

This should have overwritten the current config (the one you just made a backup of.)

 

7.) Test & Restart NGINX

nginx -t
(if all goes well, you will see successful)

If successful, then restart

service nginx restart

8.) Set database password and create a database (assuming using root user for this tutorial)

mysqladmin -u root password YOURnewPASSWORD

mysql -u root -p
*ENTER PASSWORD*

create database DATABASEname;
flush privileges;
exit

9.) Install Blesta

 

Follow installation instructions.

 

10.) Make the SEF URLs work

cd /var/www/*yourdomain.com/htdocs
nano lib/init.php 

Find the HTACCESS line and replace with this:
define("HTACCESS", true);

Note: This tutorial does not address security or hardening in any way. I will leave that up to you. I am simply sharing a good starting point to get Blesta up and running. I'm using Ubuntu in this instance as it works great for starting out with EasyEngine and UFW.

 

Feel free to add to this and let me know if I have missed anything!


 

As far as I can tell, this line is unneeded. The @blesta function takes care of what you're trying to accomplish here. What issues were you having without this?

if (!-e $request_filename){
rewrite ^(.*)$ /index.php;
}

 

 It broke the CSS for me when I commented it out. I had the same thought as you; it was not necessary, until I noticed my CSS wasn't loading without it.


I've found the IF to be very funny acting in Nginx, especially when trying to mimic Apache mod_rewrite such as with the !-e $request_filename line, and should be avoided whenever possible.

 

Try this inside your location / instead

try_files $uri /index.php?$args;

Which version of Nginx are you using? I never had this issue with my configuration.


Agreed. But, it does such a great job. I have another website that does almost a million views a month and it's literally powered by 3 NGINX servers in a cluster. Just 3 cheap VPS too. Apache would have called home and committed suicide by now. :-)

 

It's on my list to check into tonight. I appreciate the advice! I take all that I can; especially with NGINX. 


  • 11 months later...

Don't forget to configure your SSL for stronger security! See https://mozilla.github.io/server-side-tls/ssl-config-generator/ to help you decide on what level of security you want to employ. The trade-off that comes with the strongest of security is dropping support for older browsers. For most of Blesta's markets, I suspect you won't be breaking things for very many customers if you go with "modern" security, and chances of breaking things for *any* customers are slim if you go with "intermediate" security. "Old" security includes support for SSLv3 which is known to be broken. Do not use the "old" option unless you absolutely have to.

 

(Warning: if you haven't configured OCSP stapling or HSTS before, I strongly recommend you test them on a non-production server first, as screwing the config up makes your site inaccessible... potentially for the duration of max-age. Use a very small max-age while testing.)

 

The config generator mentions a "dhparam.pem." You can generate a DH parameter file with 

openssl dhparam -out dhparam.pem 2048

You want at least 2048 bits in light of the Logjam attack. 

 

We force SSL for all connections to Blesta. (Also, if you want to support ipv6, you'll need to specify that you want to listen on ipv6 interfaces.)

server {
    listen   80;
    listen   [::]:80 ipv6only=on; # This last flag can fix some issues nginx can have with binding to ports.
    server_name mydomain.com;

    return 301 https://$server_name$request_uri; #Force SSL
}

server {
    listen 443; #SSL Only
    listen [::]:443 ipv6only=on; #For ipv6
    server_name mydomain.com;
# The rest of the config goes down here
}

EDIT: If you want to be paranoid (e.g. security bonus points) your config directory should be readable by PHP, but not nginx. Similarly, your SSL certs should be readable by nginx, but not PHP. On top of that, your DB should be protected by your firewall - there's no reason for it to be listening to any requests except local ones.

 

One more thing: you can tell nginx to ignore requests for sensitive files or folders.

location ~ ^/(cache|config|errors|helpers|internal|language|lib|index.php/api|api) {
    deny all;    
    return 404; 
}

# If you're using your API with some kind of external service, you can remove those last two.
# If that service has a static IP, you can add "allow x.x.x.x;" on the previous line, where x.x.x.x is the service's IP.
Edited by will
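
An added example, not part of the post above or of the tutorial's config: a small Python model of how nginx chooses among regex locations (tested in config order, first match wins), applied to the tutorial's `\.php$` and `.pdt` locations and the deny pattern above. The sample URIs and the stricter `DENY_STRICT` pattern are assumptions made for the illustration, and Python's `re` stands in for nginx's PCRE.

```python
import re

# Regex locations from the thread, as (pattern, outcome) pairs.
PHP = (r"\.php$", "php-fpm")
PDT = (r"(\.pdt)", "403")
DENY = (r"^/(cache|config|errors|helpers|internal|language|lib|index.php/api|api)", "404")
# Assumed tightening (not from the thread): escape the dot and require a
# path-segment boundary so only the named directories themselves match.
DENY_STRICT = (
    r"^/(cache|config|errors|helpers|internal|language|lib|index\.php/api|api)(/|$)",
    "404",
)

AFTER_PHP = [PHP, PDT, DENY]           # deny block pasted below the PHP location
BEFORE_PHP = [DENY, PHP, PDT]          # deny block placed above the PHP location
STRICT_FIRST = [DENY_STRICT, PHP, PDT]

# Constructed sample request paths (not taken from any real log).
SAMPLE_URIS = [
    "/config/settings.php",   # PHP file inside a protected directory
    "/lib/init.php",
    "/index.php/api/users",
    "/library/style.css",     # only shares a prefix with "lib"
    "/apidocs/index.html",    # only shares a prefix with "api"
    "/client/login",
]


def route(uri, regex_locations, fallback="location /"):
    """Return the outcome of the first regex location that matches the URI.

    With no "^~" prefix locations in play, nginx tests regex locations in the
    order they appear in the config and stops at the first match.
    """
    for pattern, outcome in regex_locations:
        if re.search(pattern, uri):
            return outcome
    return fallback


def report(uris=SAMPLE_URIS):
    """Map each URI to its outcome under the three orderings."""
    return {
        uri: (route(uri, AFTER_PHP), route(uri, BEFORE_PHP), route(uri, STRICT_FIRST))
        for uri in uris
    }


if __name__ == "__main__":
    print(f"{'uri':24} {'deny after php':16} {'deny first':12} strict first")
    for uri, (after, before, strict) in report().items():
        print(f"{uri:24} {after:16} {before:12} {strict}")
```

With the deny block below the `\.php$` location, `.php` files under the protected directories still reach PHP, so the deny block has to come first in the server block to cover them.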

thanks guys got it sorted with my Centmin Mod LEMP stack and working vhost config i posted at http://www.blesta.com/forums/index.php?/topic/4519-nginx-rewrite-oddity-front-end-links-ok-backend-links-not/#entry33677

 

also have SPDY SSL guide for my Centmin Mod LEMP stack at http://centminmod.com/nginx_configure_https_ssl_spdy.html :)
