Prestashop 8.0 Nginx Config Cloudpanel

Here are the key improvements and optimizations I’ve made to Nginx Prestashop 8.0 configuration file:

  1. HTTP/3 and HTTP/2 Improvements:

    • Enabled HTTP/3 (http3 on)
    • Added reuseport parameter to QUIC listeners
    • Properly configured HTTP/2 listeners
  2. Security Enhancements:

    • Added important security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection)
    • Added Referrer-Policy and Permissions-Policy headers
    • Included commented HSTS header (you can enable if you’re committed to HTTPS-only)
    • Improved HTTPS redirect using return 301 instead of rewrite
  3. Performance Optimizations:

    • Added tcp_nodelay off for static files
    • Improved static file caching configuration
    • Added gzip compression for text-based assets
    • Added Cache-Control header for better browser caching
  4. PHP-FPM Optimization:

    • Organized FastCGI configuration more clearly
    • Added optional FastCGI caching configuration (commented out)
    • Retained your extended timeouts for long-running scripts
  5. Static Files Handling:

    • Improved static file location block with better caching directives
    • Added support for more modern file types
    • Optimized access logging for static files
  6. Admin Panel Security:

    • Added optional basic authentication configuration (commented out)
    • Maintained strict access controls
  7. Code Organization:

    • Better structured configuration with logical grouping
    • Added descriptive comments
    • Removed unnecessary break directive
  8. Error Handling:

    • Maintained fastcgi_intercept_errors
    • Kept detailed error logging configuration

To implement this configuration:

  1. Back up your current configuration
  2. Replace your current configuration with the optimized version
  3. You can run a manual test the configuration: nginx -t
  4. Reload Nginx will happen as soon as you save the file.
server {
    listen 80;
    listen [::]:80;
    listen 443 quic;
    listen 443 ssl http2;
    listen [::]:443 quic;
    listen [::]:443 ssl http2;
    
    # Enable HTTP/3
    http3 on;
    http2 off;
    
    {{ssl_certificate_key}}
    {{ssl_certificate}}
    
    server_name snadbox.hhf.technology;
    {{root}}
    
    # Logging
    {{nginx_access_log}}
    {{nginx_error_log}}
    
    # Force HTTPS redirect
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
    
  
    # Allow Let's Encrypt validation
    location ~ /.well-known {
        auth_basic off;
        allow all;
    }
    
    {{settings}}
    
    # Prestashop image rewrite rules
    rewrite ^/(\d)(-[\w-]+)?/.+\.jpg$ /img/p/$1/$1$2.jpg last;
    rewrite ^/(\d)(\d)(-[\w-]+)?/.+\.jpg$ /img/p/$1/$2/$1$2$3.jpg last;
    rewrite ^/(\d)(\d)(\d)(-[\w-]+)?/.+\.jpg$ /img/p/$1/$2/$3/$1$2$3$4.jpg last;
    rewrite ^/(\d)(\d)(\d)(\d)(-[\w-]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$1$2$3$4$5.jpg last;
    rewrite ^/(\d)(\d)(\d)(\d)(\d)(-[\w-]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6.jpg last;
    rewrite ^/(\d)(\d)(\d)(\d)(\d)(\d)(-[\w-]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7.jpg last;
    rewrite ^/(\d)(\d)(\d)(\d)(\d)(\d)(\d)(-[\w-]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8.jpg last;
    rewrite ^/(\d)(\d)(\d)(\d)(\d)(\d)(\d)(\d)(-[\w-]+)?/.+\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9.jpg last;
    rewrite ^/c/([\w.-]+)/.+\.jpg$ /img/c/$1.jpg last;
    
    # Other rewrite rules
    rewrite ^images_ie/?([^/]+)\.(gif|jpe?g|png)$ js/jquery/plugins/fancybox/images/$1.$2 last;
    rewrite ^/api/?(.*)$ /webservice/dispatcher.php?url=$1 last;
    rewrite ^(/install(?:-dev)?/sandbox)/.* /$1/test.php last;
    
    # Admin directory configuration
    location /admin-dev/ {
        try_files $uri $uri/ /admin-dev/index.php$is_args$args;
        
        # Basic authentication (optional)
        # auth_basic "Restricted Access";
        # auth_basic_user_file /etc/nginx/.htpasswd;
    }
    
    # Security: Deny access to sensitive files and directories
    location ~ /\. {
        deny all;
    }
    
    # Deny access to sensitive directories
    location ~ ^/(app|bin|cache|classes|config|controllers|docs|localization|override|src|tests|tools|translations|var|vendor)/ {
        deny all;
    }
    
    location ~ ^/modules/.*/vendor/ {
        deny all;
    }
    
    # Deny access to sensitive files
    location ~ \.(log|tpl|twig|sass|yml)$ {
        deny all;
    }
    
    # Prevent PHP execution in specific directories
    location /img {
        location ~ \.php$ { deny all; }
    }
    
    location /upload {
        location ~ \.php$ { deny all; }
    }
    
    # Include global settings
    include /etc/nginx/global_settings;
    
    # Default try_files directive
    try_files $uri $uri/ /index.php$is_args$args;
    index index.php index.html;
    
    # PHP-FPM configuration
    location ~ [^/]\.php(/|$) {
        # FastCGI configuration
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        try_files $uri =404;
        
        # Increased timeouts for long-running scripts
        fastcgi_read_timeout 3600;
        fastcgi_send_timeout 3600;
        fastcgi_param HTTPS $fastcgi_https;
        fastcgi_pass 127.0.0.1:{{php_fpm_port}};
        fastcgi_param PHP_VALUE "{{php_settings}}";
        
        # FastCGI caching (optional)
        # fastcgi_cache PRESTASHOP;
        # fastcgi_cache_valid 200 60m;
        # fastcgi_cache_use_stale error timeout updating invalid_header http_500;
        # fastcgi_cache_min_uses 1;
        # fastcgi_cache_lock on;
    }
    
    # Static files handling with improved caching
    location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|woff2|eot|mp4|ogg|ogv|webm|webp|zip|swf)$ {
        add_header Access-Control-Allow-Origin "*";
        add_header alt-svc 'h3=":443"; ma=86400';
        add_header Cache-Control "public, no-transform";
        expires max;
        access_log off;
        tcp_nodelay off;
        
    # Remove break directive as it's not needed here
    # if (-f $request_filename) {
    #     break;
    # }
}