SuiteCRM 8 nginx conf

There was a statement by a SuiteCRM maintainer, that nginx was not supported with SuiteCRM 8 and one should use an Apache server.

https://community.suitecrm.com/t/suitecrm-8-beta-install-questions/79383/158

Well, here is a working nginx server conf that handles legacy and all types of API requests:

server {
        listen 80; # adjust to your needs
        listen [::]:80;
        root /path/to/SuiteCRM/public;
        index  index.php index.html index.htm;
        server_name  localhost;

        client_max_body_size 100M;



        location / {
            # try to serve file directly, fallback to index.php
            try_files $uri /index.php$is_args$args;

            # optionally disable falling back to PHP script for the asset directories;
            # nginx will return a 404 error when files are not found instead of passing the
            # request to Symfony (improves performance but Symfony's 404 page is not displayed)
            # location /bundles {
            #     try_files $uri =404;
            # }

            location ~ ^/index\.php(/|$) {
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                include fastcgi_params;
                fastcgi_pass 127.0.0.1:9074; # adjust to your needs
                fastcgi_param  HTTPS $https;
                fastcgi_intercept_errors on;

                fastcgi_temp_file_write_size 10m;
                fastcgi_busy_buffers_size    512k;
                fastcgi_buffer_size          512k;
                fastcgi_buffers           16 512k;
                fastcgi_read_timeout 1200;
                fastcgi_param HTTP_AUTHORIZATION $http_authorization;

                # optionally set the value of the environment variables used in the application
                # fastcgi_param APP_ENV prod;
                # fastcgi_param APP_SECRET <app-secret-id>;
                # fastcgi_param DATABASE_URL "mysql://db_user:db_pass@host:3306/db_name";

                # When you are using symlinks to link the document root to the
                # current version of your application, you should pass the real
                # application path instead of the path to the symlink to PHP
                # FPM.
                # Otherwise, PHP's OPcache may not properly detect changes to
                # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
                # for more information).
                fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
                fastcgi_param DOCUMENT_ROOT $realpath_root;
                # Prevents URIs that include the front controller. This will 404:
                # http://domain.tld/index.php/some-path
                # Remove the internal directive to allow URIs like this
                internal;

            }

            # return 404 for all other php files not matching the front controller
            # this prevents access to other php files you don't want to be accessible.
            location ~ \.php$ {
                return 404;
            }
        }

        location ^~ /legacy/ {
            try_files $uri $uri/ /index.php?$args;

            location ~ \.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                include fastcgi_params;
                fastcgi_pass 127.0.0.1:9074; # adjust to your needs
                fastcgi_param  HTTPS $https;

                fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
                fastcgi_param DOCUMENT_ROOT $realpath_root;
            }
        }

        location ~ /Api/(?!(graphql)) {
            alias /path/to/SuiteCRM/public/legacy; # !important

            index index.php;
            try_files $uri @rewrite_api;

            location ~ .php {
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                include fastcgi_params;
                fastcgi_pass 127.0.0.1:9074; # adjust to your needs
                fastcgi_param  HTTPS $https;

                fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
                fastcgi_param DOCUMENT_ROOT $realpath_root;
            }
        }

        location @rewrite_api {
            rewrite ^/Api/(.*)?$ /Api/index.php/$1 last;
        }

    }

Hi @myfluxi,

Welcome to the community and thank you for trying out SuiteCRM 8 RC.

Thanks for the guide!

@D3rv @chriswithadot the above may help with some of the questions you’ve posted previously.

Though I think there maybe a couple of scenarios were you may find issues, due to some legacy code.

Hey, thanks for this base config, it works decently!

Just note that:

• Logs are public (/legacy/suitecrm.log)
• If using OAuth2, the keys would also be accessible on /Api/V8/OAuth2/private.key

In order to fix this, I changed location ~ \.php$ by location ~ \.(php|key|log)$ in the necessary places.

Please rotate your OAuth keys after doing that :-D.

CSS not working! 8.0.1

I am really grateful to you for you help. Its working

It seems fine after I changed fastcgi_pass from “fastcgi_pass 127.0.0.1:9074;” to “unix:/var/run/php/php8.0-fpm.sock;”. But there is a problem. Dashboard loading fail, spining circle keeps on going. It didn’t happen while it runs on Apache2.

SpiningCircle716×238 5.7 KB

So I used the nginx configuration provided by author. And your comment. I’ve also checked in <project_root>/public/legacy/.htaccess file to devise a safe to work with nginx.conf file for SuiteCRM 8.2.4 version.

I ended up with this:

upstream php-upstream {
    server changeme;
}

server {
    listen 80;
    listen 443 ssl;
    ssl_certificate changeme;
    ssl_certificate_key changeme;
    root /var/www/suite/public;
    index  index.php index.html index.htm;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;

        location /bundles {
            try_files $uri =404;
        }

        location ~ ^/index\.php(/|$) {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_pass php-upstream;
            fastcgi_param  HTTPS $https;
            fastcgi_intercept_errors on;

            fastcgi_temp_file_write_size 10m;
            fastcgi_busy_buffers_size    512k;
            fastcgi_buffer_size          512k;
            fastcgi_buffers           16 512k;
            fastcgi_read_timeout 1200;
            fastcgi_param HTTP_AUTHORIZATION $http_authorization;

            # optionally set the value of the environment variables used in the application
            # fastcgi_param APP_ENV prod;
            # fastcgi_param APP_SECRET <app-secret-id>;
            # fastcgi_param DATABASE_URL "mysql://db_user:db_pass@host:3306/db_name";

            # When you are using symlinks to link the document root to the
            # current version of your application, you should pass the real
            # application path instead of the path to the symlink to PHP
            # FPM.
            # Otherwise, PHP's OPcache may not properly detect changes to
            # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
            # for more information).
            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            fastcgi_param DOCUMENT_ROOT $realpath_root;
            # Prevents URIs that include the front controller. This will 404:
            # http://domain.tld/index.php/some-path
            # Remove the internal directive to allow URIs like this
            internal;
        }

        # return 404 for all other php files not matching the front controller
        # this prevents access to other php files you don't want to be accessible.
        location ~ \.php$ {
            return 404;
        }
    }

    location ^~ /legacy/ {
        location ~ .log$ {
            return 403;
        }

        location ~* .key$ {
            return 403;
        }

        location ~ /not_imported_.*\.txt$ {
            return 403;
        }

        location ~ /(soap|cache|xtemplate|data|examples|include|log4php|metadata|modules|vendor)/+.*\.(php|tpl|phar)$ {
            return 403;
        }

        location ~ /emailmandelivery.php$ {
            return 403;
        }

        location ~ /.git {
            return 403;
        }

        location ~ /+tests {
            return 403;
        }

        location ~ /RoboFile.php$ {
            return 403;
        }

        location ~ /composer.json$ {
            return 403;
        }

        location ~ /composer.lock$ {
            return 403;
        }

        location ~ /upload/ {
            return 403;
        }

        location ~ /+custom/+blowfish {
            return 403;
        }

        location ~ /+cache/+diagnostic {
            return 403;
        }

        location ~ /+files\.md5$ {
            return 403;
        }

        location ~ ^/legacy/ {
            try_files $uri $uri/ /index.php?$args;

            location ~ \.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                include fastcgi_params;
                fastcgi_pass php-upstream;
                fastcgi_param  HTTPS $https;

                fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
                fastcgi_param DOCUMENT_ROOT $realpath_root;
            }
        }
    }

    location ~ /Api/(?!(graphql)) {
        alias /var/www/suite/public/legacy; # !important

        index index.php;
        try_files $uri @rewrite_api;

        location ~ .php {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_pass php-upstream;
            fastcgi_param  HTTPS $https;

            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            fastcgi_param DOCUMENT_ROOT $realpath_root;
        }
    }

    location @rewrite_api {
        rewrite ^/Api/(.*)?$ /Api/index.php/$1 last;
    }

    error_log /dev/stdout;
    access_log /dev/stdout;
}

Do any of you see any problems with it?