Nginx Rewrites for Xenforo Friendly Urls:

For Xenforo to use Friendly Urls via mod_rewrite you'll find official Nginx rewrite rules here. You will need to add additional Nginx rewrite rules within your domain's Nginx vhost configuration file /usr/local/nginx/conf/conf.d/newdomain.com.conf. This file is created when you use Centmin Mod's menu option #2 to 'Add Nginx vhost domain'. The Nginx rewrite rules below are provided as is, without support. If you need further help, ask on the Nginx forums or Xenforo.com's Server Configuration and Hosting forums.

Xenforo Permissions

If you're using Centmin Mod 123.09beta01 or higher, a tools/autoprotect.sh cronjob automatically protects your non-public web directories that contain .htaccess 'deny from all' files. This can falsely block the Xenforo setups configured below, so you need to add .autoprotect-bypass files to the Xenforo directories as follows.

If you installed Xenforo at /home/nginx/domains/newdomain.com/public, you'd use these SSH commands to just create empty .autoprotect-bypass files to exclude from tools/autoprotect.sh:

touch /home/nginx/domains/newdomain.com/public/library/.autoprotect-bypass
touch /home/nginx/domains/newdomain.com/public/internal_data/.autoprotect-bypass
touch /home/nginx/domains/newdomain.com/public/install/data/.autoprotect-bypass
touch /home/nginx/domains/newdomain.com/public/install/templates/.autoprotect-bypass

You can further secure the permissions of your already uploaded Xenforo files with the following SSH commands, replacing newdomain.com with your own domain name.

First, back up the file and directory permissions of your /public web root to the already created /home/nginx/domains/newdomain.com/backup directory, just in case, using the SSH command below:

getfacl -R -L --absolute-names /home/nginx/domains/newdomain.com/public > /home/nginx/domains/newdomain.com/backup/backup-permissions-$(date +"%d%m%y-%H%M%S").acl

You can then restore them using this SSH command, where XXXXXX-XXXXXX is the day-month-year-hr-min-sec timestamp from the above backup command:

setfacl --restore=/home/nginx/domains/newdomain.com/backup/backup-permissions-XXXXXX-XXXXXX.acl

Now to change file and directory permissions on Xenforo installation in web root at /public, run SSH commands below. If Xenforo is installed off web root in subdirectory like /forum, then change all instances of /home/nginx/domains/newdomain.com/public/ to /home/nginx/domains/newdomain.com/public/forum/.

find /home/nginx/domains/newdomain.com/public/ -type f -print0 | xargs -0 chmod 0640
find /home/nginx/domains/newdomain.com/public/ -type d -print0 | xargs -0 chmod 0750
find /home/nginx/domains/newdomain.com/public/internal_data/ -type f -print0 | xargs -0 chmod 0660
find /home/nginx/domains/newdomain.com/public/data/ -type f -print0 | xargs -0 chmod 0660
find /home/nginx/domains/newdomain.com/public/internal_data/ -type d -print0 | xargs -0 chmod 0770
find /home/nginx/domains/newdomain.com/public/data/ -type d -print0 | xargs -0 chmod 0770
chmod 0755 /home/nginx/domains/newdomain.com/public

The commands do the following:

  • find all files in /public and chmod 0640 them
  • find all directories in /public and chmod 0750 them
  • find all files in /public/internal_data and chmod 0660 them
  • find all files in /public/data and chmod 0660 them
  • find all directories in /public/internal_data and chmod 0770 them
  • find all directories in /public/data and chmod 0770 them
  • then chmod 0755 the web root /public where Xenforo is installed
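
To confirm the scheme above is still in place later (after an addon upload or an upgrade), the following audit lists every path that is more permissive than the modes listed. It is an added example, not part of Centmin Mod or Xenforo; the function names are hypothetical and it assumes GNU find.

```shell
#!/bin/sh
# Added example: report paths looser than the permission scheme above.
# Each mask lists the bits that must NOT be set for that class of path:
#   files outside data/ and internal_data/ : 0640 -> forbidden 0137
#   dirs  outside data/ and internal_data/ : 0750 -> forbidden 0027
#   files inside  data/ and internal_data/ : 0660 -> forbidden 0117
#   dirs  inside  data/ and internal_data/ : 0770 -> forbidden 0007
#   the web root itself                    : 0755 -> forbidden 0022
# setuid/setgid/sticky bits are not checked. Needs GNU find (-perm /MASK).

xf_loose_paths() {
    root=${1%/}
    # Writable trees used by Xenforo for uploads and caches.
    for d in data internal_data; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f -perm /0117 -print
        find "$root/$d" -type d -perm /0007 -print
    done
    # Everything else below the web root, skipping the two trees above.
    find "$root" -mindepth 1 \
        \( -path "$root/data" -o -path "$root/internal_data" \) -prune -o \
        \( -type f -perm /0137 -print \) -o \
        \( -type d -perm /0027 -print \)
    # The web root directory itself.
    find "$root" -maxdepth 0 -perm /0022 -print
}

# Prints the offending paths and returns 1, or prints nothing and returns 0.
audit_xf_perms() {
    loose=$(xf_loose_paths "$1")
    [ -z "$loose" ] && return 0
    printf '%s\n' "$loose"
    return 1
}
```

Run it as audit_xf_perms /home/nginx/domains/newdomain.com/public; an empty result means nothing is looser than the scheme.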

open_basedir restrictions

If you run Xenforo 1.5 or Xenforo Media Gallery Addon, you may run into the error message "open_basedir restriction in effect". open_basedir is a form of PHP security that Centmin Mod 1.2.3-eva2000.08+ and higher has enabled by default. FAQ item 26 shows you how to disable open_basedir globally or for just one Nginx vhost site. The relevant line is the 9th line in /usr/local/nginx/conf/php.conf. This line locks you to each Nginx vhost's document web root:

fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;

Setting up MySQL database settings

Xenforo uses InnoDB MySQL Engine tables for best performance. To enable InnoDB MySQL Engine and table support, ensure your MySQL config in /etc/my.cnf has the following InnoDB related settings. If they are not set in /etc/my.cnf, change them to the following and restart MySQL server:

innodb=ON
default-storage-engine = InnoDB

On a fresh Centmin Mod install, you may also want to enable server wide MySQL global UTF-8 support. Enabling this will apply to every MySQL database and tables you create on your MySQL server instance. To change defaults respectively for character set and collation to utf8 and utf8_general_ci, you need to add under [mysqld] group in /etc/my.cnf the following line character-set-server=utf8:

[mysqld]
 character-set-server=utf8

Note: Only MySQL databases and tables created after this change will default to the utf8 character set and collation. Any databases created before this change will still be latin1.

Restart MySQL server:

service mysql restart

Or restart with Centmin Mod command shortcut:

mysqlrestart

Xenforo Media Gallery Addon & FFMPEG

If you run Xenforo 1.5 or Xenforo Media Gallery Addon, you will require the installation of FFMPEG. However, XMG Addon doesn't require the full package install with FFMPEG php extension. It only requires the FFMPEG binary path location set in admin settings. As such you can download and install the static FFMPEG binary package instead. Just upload and extract the static FFMPEG binary package contents into your site account i.e. at /home/nginx/domains/newdomain.com/staticffmpeg. Then in Xenforo Media Gallery admin set the path to FFMPEG binary i.e. /home/nginx/domains/newdomain.com/staticffmpeg/ffmpeg

As you have full root access to your server, there is no need to use SFTP/FTP to download and upload. You can do everything from SSH command line. Commands to run in SSH window as root user for Nginx vhost domain newdomain.com:

change to /home/nginx/domains/newdomain.com directory

cd /home/nginx/domains/newdomain.com

download and extract the static FFMPEG binary package

if [ "$(uname -m)" = 'x86_64' ]; then wget -cnv http://johnvansickle.com/ffmpeg/builds/ffmpeg-git-64bit-static.tar.xz; tar xJvf ffmpeg-git-64bit-static.tar.xz; else wget http://johnvansickle.com/ffmpeg/builds/ffmpeg-git-32bit-static.tar.xz; tar xJvf ffmpeg-git-32bit-static.tar.xz; fi

rename extracted folder to staticffmpeg and give files correct permissions

mv ffmpeg-git-2* staticffmpeg
chown -R nginx:nginx staticffmpeg

FFMPEG binary path would end up at /home/nginx/domains/newdomain.com/staticffmpeg/ffmpeg. You can see the full contents of this directory using ls -alh DIRPATH command below.

ls -lah /home/nginx/domains/newdomain.com/staticffmpeg/
total 152M
drwxr-xr-x 3 nginx nginx 4.0K Sep 13 06:00 .
drwxr-s--- 7 nginx nginx 4.0K Sep 13 20:36 ..
-rwxr-xr-x 1 nginx nginx  39M Sep 13 05:42 ffmpeg
-rwxr-xr-x 1 nginx nginx  40M Sep 13 06:00 ffmpeg-10bit
-rwxr-xr-x 1 nginx nginx  39M Sep 13 05:42 ffprobe
-rwxr-xr-x 1 nginx nginx  35M Sep 13 05:42 ffserver
drwxr-xr-x 2 nginx nginx 4.0K Sep 13 05:46 manpages
-rwxr-xr-x 1 nginx nginx 815K Sep 13 05:42 qt-faststart
-rw-r--r-- 1 nginx nginx 2.5K Sep 13 06:00 readme.txt

Nginx Rewrites for Xenforo Friendly Urls:

If Xenforo forum is installed in public web root i.e. /home/nginx/domains/newdomain.com/public, then you'll need to add and edit the following Nginx rewrites in /usr/local/nginx/conf/conf.d/newdomain.com.conf and remember to replace YOURIPADDRESS with your static IP address:

        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
         
        }
 
        location /internal_data/ {
        internal;
        allow 127.0.0.1;
        allow YOURIPADDRESS;
        deny all;
        }

        location /library/ {
        internal;
        allow 127.0.0.1;
        allow YOURIPADDRESS;
        deny all;
        }

Then restart Nginx server for it to take effect:

  service nginx restart

or command shortcut

  ngxrestart

If Xenforo forum is installed off public web root in its own directory i.e. /forums at /home/nginx/domains/newdomain.com/public/forums, then you'll need to add and edit the following Nginx rewrites in /usr/local/nginx/conf/conf.d/newdomain.com.conf and remember to replace YOURIPADDRESS with your static IP address:

        location /forums/ {
            index index.php index.html index.htm;
            try_files $uri $uri/ /forums/index.php?$uri&$args;

        }

        location /forums/internal_data/ {
        internal;
        allow 127.0.0.1;
        allow YOURIPADDRESS;
        deny all;
        }

        location /forums/library/ {
        internal;
        allow 127.0.0.1;
        allow YOURIPADDRESS;
        deny all;
        }

Protected Xenforo Directories

To secure and protect your Xenforo admin.php and sensitive directories you can also password protect and/or IP address restrict them. Add the following to your domain's Nginx vhost conf file, replacing YOURIPADDRESS with your static IP address:

        location /admin.php {
             auth_basic "Private";
             auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
                include /usr/local/nginx/conf/php.conf;
                allow 127.0.0.1;
                allow YOURIPADDRESS;
                deny all;
        }

        location /install/ {
             auth_basic "Private";
             auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
                include /usr/local/nginx/conf/php.conf;
                allow 127.0.0.1;
                allow YOURIPADDRESS;
                deny all;
        }        

Create auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php and set your own USERNAME and PASSWORD for htaccess password protection.

 /usr/local/nginx/conf/htpasswd.sh create /usr/local/nginx/conf/htpasswd_admin_php USERNAME PASSWORD

A full Centmin Mod .08 and higher Nginx vhost example Xenforo configuration for newdomain.com, in the Nginx vhost file at /usr/local/nginx/conf/conf.d/newdomain.com.conf, is below. The include file /usr/local/nginx/conf/vts_server.conf is either commented out with a hash # or not, depending on whether you have NGINX_VHOSTSTATS=y enabled in centmin.sh. Out of the box, Centmin Mod .08 and higher installs have it enabled by default.

The default redirect for non-www to www is commented out by default. To enable remove the comment hash # for these 5 lines.

#server {
#            listen   80;
#            server_name newdomain.com;
#            return 301 $scheme://www.newdomain.com$request_uri;
#       }

If you want to force redirect from www to non-www change those 5 lines to the following.

#server {
#            listen   80;
#            server_name www.newdomain.com;
#            return 301 $scheme://newdomain.com$request_uri;
#       }

Full /usr/local/nginx/conf/conf.d/newdomain.com.conf file

# Centmin Mod Getting Started Guide
# must read http://centmin.sh/getstarted.html

# redirect from non-www to www 
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
#server {
#            listen   80;
#            server_name newdomain.com;
#            return 301 $scheme://www.newdomain.com$request_uri;
#       }

server {
  server_name newdomain.com www.newdomain.com;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/newdomain.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/newdomain.com/log/error.log;

  root /home/nginx/domains/newdomain.com/public;

location / {
     index index.php index.html index.htm;
     try_files $uri $uri/ /index.php?$uri&$args;
}

location /admin.php {
     auth_basic "Private";
     auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        allow YOURIPADDRESS;
        deny all;
}

location /install/ {
     auth_basic "Private";
     auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        allow YOURIPADDRESS;
        deny all;
}     

location /internal_data/ {
     internal;
     allow 127.0.0.1;
     allow YOURIPADDRESS;
     deny all;
}

location /library/ {
     internal;
     allow 127.0.0.1;
     allow YOURIPADDRESS;
     deny all;
}  

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

Then restart Nginx server for it to take effect:

  service nginx restart

or command shortcut

  ngxrestart
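
Once the vhost is live, the access log named in the configuration above can confirm that the protected locations are actually refusing outside clients. The following check is an added example, not part of Centmin Mod or Xenforo: the function names are hypothetical, the sample log lines are constructed (documentation IP ranges), and it assumes a web-root install with the combined log format.

```shell
#!/bin/sh
# Added example: list requests to the protected Xenforo locations that were
# served (2xx/3xx) to a client that is not on the allow list.
# Usage: xf_protected_hits ACCESS_LOG [ALLOWED_IP ...]
# 127.0.0.1 is always allowed, matching the "allow 127.0.0.1;" lines above.
xf_protected_hits() {
    log=$1; shift
    awk -v allow=" 127.0.0.1 $* " '
        # combined format fields: $1 = client IP, $7 = request URI, $9 = status
        {
            uri = $7
            sub(/\?.*/, "", uri)                      # drop the query string
            if (uri !~ /^\/(admin\.php|install\/|internal_data\/|library\/)/) next
            if ($9 !~ /^[23]/) next                   # 401/403/404 etc: blocked
            if (index(allow, " " $1 " ")) next        # allow-listed client
            print $1, $9, $7
        }' "$log"
}

# Constructed sample lines for trying the function out; not real traffic.
xf_sample_log() {
cat <<'EOF'
198.51.100.7 - admin [13/Sep/2015:06:00:01 +0000] "GET /admin.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Sep/2015:06:00:05 +0000] "GET /admin.php HTTP/1.1" 403 162 "-" "curl/7.29.0"
203.0.113.9 - - [13/Sep/2015:06:00:07 +0000] "GET /internal_data/ HTTP/1.1" 404 162 "-" "curl/7.29.0"
203.0.113.9 - - [13/Sep/2015:06:00:09 +0000] "GET /library/config.php HTTP/1.1" 200 512 "-" "curl/7.29.0"
203.0.113.9 - - [13/Sep/2015:06:00:11 +0000] "GET /index.php?threads/1/ HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
EOF
}
```

Run it as xf_protected_hits /home/nginx/domains/newdomain.com/log/access.log YOURIPADDRESS; any line it prints is a protected path that was served to a client outside the allow list. Because the vhost logs with buffer=256k flush=5m, recent requests can take up to five minutes to appear in the file.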

Xenforo HTTPS SPDY SSL Setup

For Xenforo HTTPS SPDY SSL setup, follow the Centmin Mod Nginx SPDY SSL setup guide here.

Source: Official Xenforo.com site, mlx 'Setup SEO Full Friendly URLs on nginx' thread