I was getting 403 & 404 errors on a Magento application I was working on. I tracked down the issue to two blocks in the NGINX configuration; if I comment them out the issues are resolved, but I would like to understand better what I'm commenting out.

ISSUE 1

I was getting a 403 error on URLs such as

http://www.example.com/media/wysiwyg/.thumbs/wysiwyg/banner.jpg

I guessed this was due to the below code block & sure enough when I commented it out it worked!

# Deny all attempts to access hidden files
# such as .htaccess, .htpasswd, etc...
location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}

The issue with this now is that my .gitignore file is now accessible. How can I rewrite this block better? What does ~ /\. mean?

ISSUE 2

I was getting a 404 error on URLs such as:

http://www.example.com/js/gene/braintree/braintree-0.1.js

I discovered that if I changed the name of this file to braintree-0.1.min.js I stopped getting the 404 error on it, and when I removed the below block from NGINX it loaded fine with its original name, braintree-0.1.js, so it must have had something to do with the dots at the end of the file name.

##
# Rewrite for versioned CSS+JS via filemtime
##
location ~* ^.+\.(css|js)$ {
    rewrite ^(.+)\.(\d+)\.(css|js)$ $1.$3 last;
    expires 31536000s;
    access_log off;
    log_not_found off;
    add_header Pragma public;
    add_header Cache-Control "max-age=31536000, public";
}

I'm not really sure what this block was doing or what ~* ^.+\.(css|js)$ means, I'm sure I just took it off someone's blog who recommended it. Any idea what it is doing?

Below is my full NGINX configuration file, thanks in advance for any help and advice you may have :)

server {
    # Listen on port 80 as well as port 443 for SSL connections.
    listen 8080;
    #listen 443 default ssl;

    server_name www.example.com;

    # Specify path to your SSL certificates.
    #ssl_certificate /etc/nginx/certificates/yourcertificate.crt;
    #ssl_certificate_key /etc/nginx/certificates/yourcertificate.key;

    # Path to the files in which you wish to
    # store your access and error logs.
    #access_log /path/to/your/logs/access_log;
    #error_log /path/to/your/logs/error_log;

    # If the site is accessed via mydomain.com
    # automatically redirect to www.magento.localhost.com.
    #if ($host = 'example' ) {
        #rewrite ^/(.*)$ http://www.example/$1permanent;
    #}

    root /var/www/example/;
    auth_basic "Restricted website - authorised access only";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        index index.html index.htm index.php;
        try_files $uri $uri/ @handler;
    }

    #include hhvm.conf;  # INCLUDE HHVM HERE

    # Deny access to specific directories no one
    # in particular needs access to anyways.
    location /app/ { deny all; }
    location /includes/ { deny all; }
    location /lib/ { deny all; }
    location /media/downloadable/ { deny all; }
    location /pkginfo/ { deny all; }
    location /report/config.xml { deny all; }
    location /var/ { deny all; }

    # Allow only those who have a login name and password
    # to view the export folder. Refer to /etc/nginx/htpassword.
    #location /var/export/ {
    #    auth_basic "Restricted";
    #    auth_basic_user_file htpasswd;
    #    autoindex on;
    #}

    location ~* /magmi($|/) {
         auth_basic "Restricted website - authorised access only";
         auth_basic_user_file /etc/nginx/.htpasswd;
         location ~ \.php$ {
                if (!-e $request_filename) {
                    rewrite / /index.php last;
                }
                expires off;

                # --PHP5-FPM CONFIG START (keep fastcgi_param HTTPS OFF)--
                #fastcgi_pass unix:/var/run/php5-fpm.sock;
                ##fastcgi_param HTTPS $fastcgi_https;
                #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                # --PHP5-FPM CONFIG START--

                # --HHVM CONFIG START--
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
                # include        fastcgi_params;
                try_files $uri $uri/ @handler;
                # --HHVM CONFIG END--

                fastcgi_param MAGE_RUN_CODE default;
                fastcgi_param MAGE_RUN_TYPE store;
                include fastcgi_params;

         }
    }

    # Deny all attempts to access hidden files
    # such as .htaccess, .htpasswd, etc...
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # This redirect is added so to use Magentos
    # common front handler when handling incoming URLs.
    location @handler {
        rewrite / /index.php;
    }

    # Forward paths such as /js/index.php/x.js
    # to their relevant handler.
    location ~ .php/ {
        rewrite ^(.*.php)/ $1 last;
    }

    ##
    # Rewrite for versioned CSS+JS via filemtime
    ##
    location ~* ^.+\.(css|js)$ {
        rewrite ^(.+)\.(\d+)\.(css|js)$ $1.$3 last;
        expires 31536000s;
        access_log off;
        log_not_found off;
        add_header Pragma public;
        add_header Cache-Control "max-age=31536000, public";
    }
    ##
    # Aggressive caching for static files
    # If you alter static files often, please use 
    # add_header Cache-Control "max-age=31536000, public, must-revalidate, proxy-revalidate";
    ##
    location ~* \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|otf|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|t?gz|tif|tiff|ttf|wav|webm|wma|woff|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
        expires 31536000s;
        access_log off;
        log_not_found off;
        add_header Pragma public;
        add_header Cache-Control "max-age=31536000, public";
    }

    # Handle the execution of .php files.
    location ~ .php$ {
        if (!-e $request_filename) {
            rewrite / /index.php last;
        }
        expires off;

        # --PHP5-FPM CONFIG START (keep fastcgi_param HTTPS OFF)--
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        ##fastcgi_param HTTPS $fastcgi_https;
        #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # --PHP5-FPM CONFIG START--

        # --HHVM CONFIG START--
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #include        fastcgi_params;
        try_files $uri $uri/ @handler; 
        # --HHVM CONFIG END--

        fastcgi_param MAGE_RUN_CODE default;
        fastcgi_param MAGE_RUN_TYPE store;
        include fastcgi_params;
    }
}
Holly

1 Answer

What does ~ /\. mean?

This of course is explained in many tutorials:

https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms

And official docs:

http://nginx.org/en/docs/beginners_guide.html

http://nginx.org/en/docs/http/request_processing.html

The ~ means a regular expression follows, not an exact match. /\. means an escaped dot, so a literal one, not the 'any character' meaning in regular expressions. This matches .thumb like it matches .htaccess and .gitignore.

How can I rewrite this block better?

By having it match what you want it to match. For example if you are only concerned with .gitignore, you make it:

~ /\.gitignore

I'm not really sure what this block was doing or what ~* ^.+\.(css|js)$ means, I'm sure I just took it off someone's blog who recommended it. Any idea what it is doing?

Sure, and you would too if you spend a little time understanding regular expressions.

You now know ~ means a regular expression follows. The asterisk means the regexp is case insensitive. The rest can be explained by many handy online tools like:

https://regex101.com/

You put your regexp in there, and the string you are matching, your js url. It will then tell you:

^ assert position at start of the string

.+ matches any character (except newline)

Quantifier: + Between one and unlimited times, as many times as possible, giving back as needed [greedy]

\. matches the character . literally

1st Capturing group (css|js)

1st Alternative: css

css matches the characters css literally (case sensitive)

2nd Alternative: js

js matches the characters js literally (case sensitive)

$ assert position at end of the string

You probably meant to ask how to improve upon that one too. That depends on exactly what you want to achieve.

The lesson here is:

1) Learn some RegExp.

2) Don't just "take it off someone's blog who recommended it". That's dangerous in the IT world.

Instead of a random blog, try sticking to the (somewhat) official docs:

https://wiki.magento.com/display/m1wiki/Configuring+nginx+for+Magento+1.x

https://github.com/magenx/nginx-config/blob/master/magento/nginx.conf

Magento 2: https://github.com/magento/magento2/blob/develop/nginx.conf.sample

JayMcTee
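An added example (not part of the answer above or the poster's config) that replays both regexes from the question in Python, whose `re` syntax behaves the same as nginx's PCRE for these patterns, to show why the two URLs failed. The `*_NARROW` patterns and every sample path other than the two URLs from the question are assumptions made for illustration.

```python
import re

# Patterns copied from the question's config. nginx "~" is case-sensitive,
# "~*" is case-insensitive, and both search anywhere in the URI path.
DENY_HIDDEN = re.compile(r"/\.")
VERSIONED = re.compile(r"^(.+)\.(\d+)\.(css|js)$")

# Assumed alternatives (not from the page): keep denying every dot-prefixed
# path segment except the .thumbs directory, and only strip a version segment
# that looks like a 10-digit filemtime timestamp.
DENY_HIDDEN_NARROW = re.compile(r"/\.(?!thumbs/)")
VERSIONED_NARROW = re.compile(r"^(.+)\.(\d{10})\.(css|js)$")


def denied(uri, pattern=DENY_HIDDEN):
    """True if the 'deny all' regex location would match this URI path."""
    return pattern.search(uri) is not None


def rewritten(uri, pattern=VERSIONED):
    """Path after 'rewrite <pattern> $1.$3 last;' (unchanged if no match)."""
    m = pattern.match(uri)
    return f"{m.group(1)}.{m.group(3)}" if m else uri


# Constructed sample paths, based on the URLs in the question.
SAMPLES = [
    "/media/wysiwyg/.thumbs/wysiwyg/banner.jpg",
    "/.gitignore",
    "/.git/config",
    "/js/gene/braintree/braintree-0.1.js",
    "/skin/frontend/styles.1456789012.css",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri}\n  deny: {denied(uri)} -> {denied(uri, DENY_HIDDEN_NARROW)}"
              f"\n  rewrite: {rewritten(uri)} -> {rewritten(uri, VERSIONED_NARROW)}")
```

With the original rewrite, braintree-0.1.js is internally rewritten to braintree-0.js, a file that does not exist, which is the 404 from Issue 2; the narrowed deny rule still blocks /.gitignore and /.git/config while letting the .thumbs directory through.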