Nginx configuration for 6.x in a subdirectory

I am looking for an Nginx configuration that is suitable for a Mautic 6.x installation in a subdirectory of the root document. I have minimally tested the configuration that I have currently written. I would appreciate it if others would use it to better test it or directly make comments to improve it. Below is the location block that I have written for the Mautic directory. It simply needs to be included in a working server block. You replace /mautic/sherbrooke/ everywhere by the path to your Mautic directory relative to the document root.

location /mautic/sherbrooke/ {

    client_max_body_size 64M;
    error_page 404 /mautic/sherbrooke/index.php;

    # In these Mautic directories ...
    location ~ ^/mautic/sherbrooke/(app|plugins).*(/assets|/Assets)/.* {
       # ... we try the uri and redirect to Mautic index otherwise.
       try_files $uri /mautic/sherbrooke/index.php$is_args$args;
    }

    # In the node_modules directory ...
    location ~ ^/mautic/sherbrooke/node_modules/.*\.js {
       # ... we try the uri and redirect to Mautic index otherwise.
       try_files $uri /mautic/sherbrooke/index.php$is_args$args;
    }

    # The location block below should prevent direct access 
    # (access not using a route) to all Mautic directories. 
    # The previous location blocks should cover exceptions. 
    
    # Otherwise, in these Mautic directories ...
    location ~ ^/mautic/sherbrooke/(app|plugins|node_modules|bin|build|config|media|templates|themes|translations|var|vendor|\.git)/ { 
       # ... no try_files on the requested uri, directly to Mautic index instead.
       try_files /dev/null /mautic/sherbrooke/index.php$is_args$args;
    }
    
    # Having managed Mautic directories...
    location ~ ^/mautic/sherbrooke/.*\.php {   
       # ... the named location @php tries the php uri and redirect to Mautic index otherwise
       try_files /dev/null @php;
    }
    
    # Finally, having no match in all the above, ...
    # ... this tries the (non php) uri and redirect to Mautic index otherwise.
    try_files $uri /mautic/sherbrooke/index.php$is_args$args;

}

location @php {
    # For debugging
    #return 302 http://localhost$document_uri-+-$request_uri-+-$document_root-+-$fastcgi_script_name;
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param MAUTIC_NAME sherbrooke;
    fastcgi_read_timeout 360;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/run/php/php-fpm.loc.tmorg.ca.sock;
    try_files $uri /mautic/sherbrooke/index.php$is_args$args;
}

Some additional points

  • The directive fastcgi_param MAUTIC_NAME sherbrooke; is used to allow multiple instances of Mautic that share the same installation, but different configuration files, databases, caches, logs, etc. It can be ignored here.
  • My main concern is the first two nested location blocks. They allow Mautic to directly access files through Nginx (i.e. without having routes for them). They define exceptions to the third location block, which makes all requests with a URI path inside a Mautic directory go through Mautic index.php and thus use a route. It is not clear if they cover all the required exceptions. I only tested some simple Mautic tasks.

The proposed configuration did not protect the root of the Mautic directory, which is fine if we are careful not to put anything sensitive there. Yet, this bothered me a bit. Here is a version in which, except for carefully determined exceptions which are the subject of this post, all requests with a URI path inside the Mautic directory are redirected to Mautic index.php.

location /mautic/sherbrooke/ {
     
    client_max_body_size 64M;
    error_page 404 /mautic/sherbrooke/index.php;

    # First serve /index.php if it is the requested uri.   
    location = /mautic/sherbrooke/index.php {
        try_files /dev/null @php; 
    }

    # In these Mautic directories ...
    location ~ ^/mautic/sherbrooke/(app|plugins).*(/assets|/Assets)/.* {
       # ... we try the uri and redirect to Mautic index otherwise.
       try_files $uri /mautic/sherbrooke/index.php$is_args$args;
    }

    # In the node_modules directory ...
    location ~ ^/mautic/sherbrooke/node_modules/.*\.js {
       # ... we try the uri and redirect to Mautic index otherwise.
       try_files $uri /mautic/sherbrooke/index.php$is_args$args;
    }

    # The location block below should prevent direct access 
    # (access not using a route) to the Mautic directory. 
    # The previous location blocks cover exceptions. 
    
    # Otherwise, in the entire Mautic directory ...
    location ~ ^/mautic/sherbrooke/ { 
       # ... no try_files on the requested uri, directly to Mautic index instead.
       try_files /dev/null /mautic/sherbrooke/index.php$is_args$args;
    }
}

location @php {
    # For debugging
    #return 302 http://localhost$document_uri-+-$request_uri-+-$document_root-+-$fastcgi_script_name;
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param MAUTIC_NAME sherbrooke;
    fastcgi_read_timeout 360;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/run/php/php-fpm.loc.tmorg.ca.sock;
    try_files $uri /mautic/sherbrooke/index.php$is_args$args;
}

More exceptions added. They were detected by looking at errors in the browser console. Here is the new location block:

location /mautic/sherbrooke/ {
     
    client_max_body_size 64M;
    error_page 404 /mautic/sherbrooke/index.php;

    # First serve /index.php if it is the requested uri.   
    location = /mautic/sherbrooke/index.php {
        try_files /dev/null @php; 
    }

    ########################################################
    # Exceptions to the general rule (see below). 
    
    location ~ ^/mautic/sherbrooke/(app|plugins).*(/assets|/Assets)/.* {
       try_files $uri /mautic/sherbrooke/index.php$is_args$args;
    }
    location ~ ^/mautic/sherbrooke/themes/.* {
       try_files $uri /mautic/sherbrooke/index.php$is_args$args;
    }
    location ~ ^/mautic/sherbrooke/(node_modules|media/libraries)/.*\.js {
       try_files $uri /mautic/sherbrooke/index.php$is_args$args;
    }
    
    ########################################################
    # General rule: no try_files on the requested uri.
     
    location ~ ^/mautic/sherbrooke/ { 
       try_files /dev/null /mautic/sherbrooke/index.php$is_args$args;
    }
}

location @php {
    # For debugging
    #return 302 http://localhost$document_uri-+-$request_uri-+-$document_root-+-$fastcgi_script_name;
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param MAUTIC_NAME sherbrooke;
    fastcgi_read_timeout 360;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/run/php/php-fpm.loc.tmorg.ca.sock;
    try_files $uri /mautic/sherbrooke/index.php$is_args$args;
}

The ultimate purpose of the post is to get exceptions for the prod environment, and a larger set of exceptions for the dev environment: even in development it is useful to test the prod settings. Below, I add to the dev exceptions some that are needed for the prod environment.

location /mautic/sherbrooke/ {
     
    client_max_body_size 64M;
    error_page 404 /mautic/sherbrooke/index.php;

    # First serve /index.php if it is the requested uri.   
    location = /mautic/sherbrooke/index.php {
        try_files /dev/null @php; 
    }

    ########################################################
    # Exceptions to the general rule (see below). 
    
    location ~ ^/mautic/sherbrooke/(app|plugins).*(/assets|/Assets)/.* {
       try_files $uri /mautic/sherbrooke/index.php$is_args$args;
    }
    location ~ ^/mautic/sherbrooke/themes/.* {
       try_files $uri /mautic/sherbrooke/index.php$is_args$args;
    }
    location ~ ^/mautic/sherbrooke/.*\.(js|css) {
       try_files $uri /mautic/sherbrooke/index.php$is_args$args;
    }
    
    ########################################################
    # General rule: no try_files on the requested uri.
     
    location ~ ^/mautic/sherbrooke/ { 
       try_files /dev/null /mautic/sherbrooke/index.php$is_args$args;
    }
}

location @php {
    # For debugging
    #return 302 http://localhost$document_uri-+-$request_uri-+-$document_root-+-$fastcgi_script_name;
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param MAUTIC_NAME sherbrooke;
    fastcgi_read_timeout 360;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/run/php/php-fpm.loc.tmorg.ca.sock;
    try_files $uri /mautic/sherbrooke/index.php$is_args$args;
}
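
An added example, not part of the original posts: a small Python check that replays the nested regex locations of the last block above against constructed sample paths, to show which requests get `try_files $uri` (served from disk if the file exists) and which always go to index.php. It assumes the enclosing server block has no regex locations of its own (those would be checked before the nested ones) and that paths are already normalized; `ANCHORED` is a hypothetical variant with `$` added to the extension rule.

```python
import re

BASE = "/mautic/sherbrooke/"
INDEX = BASE + "index.php"

# Nested regex locations of the last block in the post, in declaration order.
# "static": try_files $uri first; "index": always rewritten to index.php.
POSTED = [
    (r"^/mautic/sherbrooke/(app|plugins).*(/assets|/Assets)/.*", "static"),
    (r"^/mautic/sherbrooke/themes/.*", "static"),
    (r"^/mautic/sherbrooke/.*\.(js|css)", "static"),
    (r"^/mautic/sherbrooke/", "index"),
]

# Hypothetical variant (not from the post): extension rule anchored with "$".
ANCHORED = [(p + "$" if p.endswith("(js|css)") else p, a) for p, a in POSTED]

# Constructed sample request URIs, for illustration only.
SAMPLES = [
    "/mautic/sherbrooke/index.php",
    "/mautic/sherbrooke/s/dashboard",
    "/mautic/sherbrooke/media/js/app.js?v=1",
    "/mautic/sherbrooke/media/js/app.js.map",
    "/mautic/sherbrooke/composer.json",
    "/mautic/sherbrooke/config/local.php",
    "/mautic/sherbrooke/themes/blank/html/page.html.twig",
]

def classify(uri, rules=POSTED):
    """Emulate nginx's choice: exact '=' location first, then first matching regex."""
    path = uri.split("?", 1)[0]  # locations match the path, not the query string
    if path == INDEX:
        return "php"             # location = .../index.php -> @php
    if not path.startswith(BASE):
        return "outside"         # not handled by this prefix location
    for pattern, action in rules:
        if re.search(pattern, path):  # "~" is case-sensitive and unanchored
            return action
    return "index"  # unreachable: the last regex matches every path under BASE

def audit(rules=POSTED):
    return {uri: classify(uri, rules) for uri in SAMPLES}

if __name__ == "__main__":
    posted, anchored = audit(POSTED), audit(ANCHORED)
    for uri in SAMPLES:
        print(f"{posted[uri]:8} {anchored[uri]:8} {uri}")
```

In the output, `composer.json` and `app.js.map` come out as `static` under the posted rules because `\.(js|css)` is unanchored and so also matches `.json` and `.js.map`, while everything under `themes/` is `static` in both columns.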