Nginx configuration for Pydio with SSL

Update 2014-07-19:
Adjusted the order of the statements to fix public downloads.
Update 2014-07-02:
Corrected permission. Thanks to Koen Vermeer and Maruprez for reporting the issue.

As interest in nginx is growing, I thought it was time to update my Pydio tutorial with the nginx configuration.

Generate a self-signed SSL certificate:

On Debian:

mkdir -p /etc/ssl/localcerts
apt-get install openssl
openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/localcerts/nginx_pydio.pem -keyout /etc/ssl/localcerts/nginx_pydio.key

Adjust the permissions:

chmod 600 /etc/ssl/localcerts/*
chown -R www-data:root /etc/ssl/localcerts

Create configuration file:

/etc/nginx/sites-available/pydio.conf

server {
    listen 80;
    listen 443 ssl;

    server_name c.domain.com;
    ssl_certificate     /etc/ssl/localcerts/nginx_pydio.pem;
    ssl_certificate_key /etc/ssl/localcerts/nginx_pydio.key;

    root /usr/share/ajaxplorer/;
    index index.php;

    # Redirect plain HTTP requests to HTTPS
    if ($server_port = 80) {
        rewrite ^ https://$host$request_uri permanent;
    }

    client_max_body_size 512M;
    access_log /var/log/nginx/c.martin-denizet.com.access.log;
    error_log /var/log/nginx/c.martin-denizet.com.error.log;

    location / {
    }

    # Static assets: let clients cache them
    location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|woff|svg)$ {
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    # PHP scripts are passed to PHP-FPM
    location ~ \.php {
        try_files $uri =404;
        fastcgi_param  QUERY_STRING       $query_string;
        fastcgi_param  REQUEST_METHOD     $request_method;
        fastcgi_param  CONTENT_TYPE       $content_type;
        fastcgi_param  CONTENT_LENGTH     $content_length;
        fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
        fastcgi_param  SCRIPT_FILENAME    $request_filename;
        fastcgi_param  REQUEST_URI        $request_uri;
        fastcgi_param  DOCUMENT_URI       $document_uri;
        fastcgi_param  DOCUMENT_ROOT      $document_root;
        fastcgi_param  SERVER_PROTOCOL    $server_protocol;
        fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
        fastcgi_param  SERVER_SOFTWARE    nginx;
        fastcgi_param  REMOTE_ADDR        $remote_addr;
        fastcgi_param  REMOTE_PORT        $remote_port;
        fastcgi_param  SERVER_ADDR        $server_addr;
        fastcgi_param  SERVER_PORT        $server_port;
        fastcgi_param  SERVER_NAME        $server_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }

    # Regex locations are tested in file order and the first match wins,
    # so the public share location has to stay above the deny rule.
    location ~ ^/data/public/.*$ {allow all;}

    location ~ ^/(conf|data) {deny all;}
    location /robots.txt  { access_log off; log_not_found off; }
    location /favicon.ico { access_log off; log_not_found off; }
    # Hidden files and editor backup files
    location ~ /\.          { access_log off; log_not_found off; deny all; }
    location ~ ~$           { access_log off; log_not_found off; deny all; }
}
My root is /usr/share/ajaxplorer/ but it may not be the case on a new install! Be careful to replace this path with your installation path.
You will also need to replace c.domain.com with your domain.

Activate the configuration:

ln -s /etc/nginx/sites-available/pydio.conf /etc/nginx/sites-enabled/pydio.conf
service nginx restart
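
nginx tests regex locations in the order they appear in the file and stops at the first match, so the order of the blocks above decides which requests the deny all rule for conf and data actually reaches. The following is an added example, not part of the original article: a small Python model of nginx's location selection applied to the location blocks of this configuration. The sample paths are constructed, and the model assumes an already normalized URI path.

```python
import re

# Location blocks from the server block above, in file order:
# (modifier, pattern, what the block does)
LOCATIONS = [
    ("",   "/",                  "default"),
    ("~*", r"\.(?:ico|css|js|gif|jpe?g|png|ttf|woff|svg)$", "static"),
    ("~",  r"\.php",             "fastcgi"),
    ("~",  r"^/data/public/.*$", "allow"),
    ("~",  r"^/(conf|data)",     "deny"),
    ("",   "/robots.txt",        "default"),
    ("",   "/favicon.ico",       "default"),
    ("~",  r"/\.",               "deny"),
    ("~",  r"~$",                "deny"),
]

def select_location(uri, locations=LOCATIONS):
    """Return the (modifier, pattern, action) nginx would select for uri."""
    best = None
    for loc in locations:
        mod, pat, _ = loc
        if mod == "=" and uri == pat:
            return loc                      # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = loc                  # remember the longest prefix
    if best and best[0] == "^~":
        return best                         # ^~ skips the regex pass
    for loc in locations:
        mod, pat, _ = loc
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return loc                  # first regex in file order wins
    return best                             # no regex matched: use the prefix

# Constructed sample paths (not taken from a real installation).
SAMPLES = ["/index.php", "/data/cache/index.html", "/data/public/share.php",
           "/data/personal/user/photo.jpg", "/conf/example.php"]

def audit(samples=SAMPLES, locations=LOCATIONS):
    """Map each sample path to the action of the location that handles it."""
    return {uri: select_location(uri, locations)[2] for uri in samples}

if __name__ == "__main__":
    for uri, action in audit().items():
        print(f"{action:8} {uri}")
```

Passing a reordered copy of `LOCATIONS` to `audit` shows the effect of a candidate change on both the protected and the public paths before nginx is reloaded.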

9 Comments

  1. Koen Vermeer May 15, 2014 5:55 pm

    With this setup, I get the ‘security breach’ error saying that the data folder is not correctly protected. Am I right to conclude that that check is simply wrong, given that you have the deny all statement for /data/?

  2. Maruprez July 1, 2014 10:57 pm

    I get the same warning while running Pydio Diagnostic Tool

    “it seems that your data/ folder is not correctly protected….”

    Please could you confirm, that it’s not a configuration issue?

    Thanks

    • Martin DENIZET July 1, 2014 11:33 pm

      Thank you for notifying me. I didn’t have the problem at the time I wrote this article. I’ll have a look.

      • Martin DENIZET July 2, 2014 12:30 am

        There is indeed a problem with the configuration.
        The check tool /usr/share/pydio/core/tests/startup.phtml tests that the location data/cache/index.html returns a code 200, which it does.
        I’ll be looking for a fix in the configuration.

    • Martin DENIZET July 2, 2014 2:51 am

      Indeed, the configuration I took from http://pyd.io/nginx/ is wrong. I updated the configuration file and now it passes the tests.
      I’ll run other tests to make sure everything behaves as expected.
      Thanks again for reporting the issue.

  3. Alexey November 16, 2014 8:10 pm

    What about nginx rewrite rules for webdav???
    I wasn’t lucky to get it working – always get sabredav message – “Not authenticated!”

    • Martin DENIZET November 19, 2014 5:23 pm

      Sorry Alexey, I didn’t configure Pydio with webdav so I’m not aware of the configuration requirements for it.
      If you know the changes to be made, I’ll be looking forward to hearing about it 😀
      Cheers,

  4. dorset November 19, 2014 11:59 am

    Thanks for your article.
    It solved my problem. The ‘security breach’ error disappeared.
    But there is a little error in the following conf.

    location ~ ^/(conf|data|plugins) {deny all;}

    The plugins dir must be accessible by web.

    • Martin DENIZET November 19, 2014 5:19 pm

      Hello,
      Thank you for pointing that out :)! I updated the article.
      Cheers,
