да, конечно
первым делом запрещаем то, что запрещено .htaccess-ами:
# Deny direct HTTP access to the per-module "action" directories under /admin.
# "^~" makes each of these a prefix match that, when it is the longest matching
# prefix, stops nginx from evaluating regex locations. A request for a .php
# file below one of these paths is therefore answered with 403 and never
# reaches the "\.php$" handler.
# NOTE(review): the prefixes have no trailing slash, so "/admin/ip/action"
# also covers e.g. "/admin/ip/actionXYZ". Prefix matching is case-sensitive on
# case-sensitive platforms — confirm each path matches the on-disk spelling
# (Advertisement, EventsJournal, Site_users, ...).
location ^~ /admin/admin_forms/action {
return 403;
}
location ^~ /admin/Advertisement/action {
return 403;
}
location ^~ /admin/backup/action {
return 403;
}
location ^~ /admin/cache/action {
return 403;
}
location ^~ /admin/constants/action {
return 403;
}
location ^~ /admin/counter/action {
return 403;
}
location ^~ /admin/documents/action {
return 403;
}
location ^~ /admin/EventsJournal/action {
return 403;
}
location ^~ /admin/ExecSqlQuery/action {
return 403;
}
location ^~ /admin/file_manager/action {
return 403;
}
location ^~ /admin/Forms/action {
return 403;
}
location ^~ /admin/Forums/action {
return 403;
}
location ^~ /admin/helpdesk/action {
return 403;
}
location ^~ /admin/InformationSystems/action {
return 403;
}
location ^~ /admin/ip/action {
return 403;
}
location ^~ /admin/lib/action {
return 403;
}
location ^~ /admin/lists/action {
return 403;
}
location ^~ /admin/Maillist/action {
return 403;
}
location ^~ /admin/modules/action {
return 403;
}
location ^~ /admin/polls/action {
return 403;
}
location ^~ /admin/Search/action {
return 403;
}
location ^~ /admin/shop/action {
return 403;
}
location ^~ /admin/site/action {
return 403;
}
location ^~ /admin/Site_users/action {
return 403;
}
location ^~ /admin/structure/action {
return 403;
}
location ^~ /admin/support/action {
return 403;
}
location ^~ /admin/tag/action {
return 403;
}
location ^~ /admin/templates/data_templates/action {
return 403;
}
location ^~ /admin/templates/templates/action {
return 403;
}
location ^~ /admin/typograph/action {
return 403;
}
location ^~ /admin/update/action {
return 403;
}
location ^~ /admin/users_access/action {
return 403;
}
location ^~ /admin/wysiwyg/fm/action {
return 403;
}
location ^~ /admin/xsl/action {
return 403;
}
# Deny web access to /cron, to the listed /hostcmsfiles subdirectories
# (backup, cache, logs, tmp, update, ...) and to /modules.
# As "^~" prefix locations these also prevent any regex location (including
# the "\.php$" handler) from being applied to URIs under these paths.
# NOTE(review): "/cron" and "/modules" have no trailing slash, so they match
# every URI that merely starts with those strings (e.g. "/modules-foo") —
# confirm no public URL of the site begins with either prefix.
location ^~ /cron {
return 403;
}
location ^~ /hostcmsfiles/backup {
return 403;
}
location ^~ /hostcmsfiles/cache {
return 403;
}
location ^~ /hostcmsfiles/captcha/fonts {
return 403;
}
location ^~ /hostcmsfiles/data_templates {
return 403;
}
location ^~ /hostcmsfiles/documents {
return 403;
}
location ^~ /hostcmsfiles/lib {
return 403;
}
location ^~ /hostcmsfiles/logs {
return 403;
}
location ^~ /hostcmsfiles/shop/pay {
return 403;
}
location ^~ /hostcmsfiles/structure {
return 403;
}
location ^~ /hostcmsfiles/tmp {
return 403;
}
location ^~ /hostcmsfiles/update {
return 403;
}
location ^~ /hostcmsfiles/xsl {
return 403;
}
location ^~ /modules {
return 403;
}
# Deny rules for the upload area.
# Regex locations are tried in the order they appear in the configuration and
# the first match wins, so the three "~*" blocks below must stay above the
# generic "location ~* \.php$" handler; placed after it, a .php URI under these
# paths would be handed to PHP-FPM instead of being rejected.

# Helpdesk attachments are never served directly.
location ~* ^/upload/helpdesk_[0-9]*/attachments/ {
return 403;
}
location ^~ /upload/private {
return 403;
}
# Shop "eitems" files are never served directly.
location ~* ^/upload/shop_[0-9]*/eitems/ {
return 403;
}
# Reject PHP-like scripts located directly in /hostcmsfiles, /templates,
# /upload, /upload/banners or /upload/users.
# NOTE(review): "[^/]*" matches a single path segment only, so a script in any
# deeper or differently named subdirectory (e.g. /upload/<other>/x.php) is NOT
# covered here and would reach the "\.php$" handler. An Apache .htaccess also
# applies to subdirectories — confirm whether the original rules were meant to
# be recursive and widen the pattern if so.
location ~* ^/(hostcmsfiles|templates|upload(|/(banners|users)))/[^/]*\.(php|php3|php4|phtml)$ {
return 403;
}
далее, статику обрабатываем так, как здесь на форумах рекомендуют (как минимум отдельным location!!!), а .php вот так:
здесь если что-нибудь не находим (кроме обрабатываемой отдельным location статики), отправляем запрос на /index.php
# Catch-all: serve an existing file or directory as-is; anything else ends in
# the internal =404, which error_page intercepts and hands to @PHP52.
location / {
# "=" with no code: the response status comes from the @PHP52 handler, not 404
error_page 404 = @PHP52;
try_files $uri $uri/ =404;
}
тут идёт передача запроса на PHP-FPM, а если файл не найден, то на /index.php
# Existing .php files are executed by PHP-FPM; a .php URI with no file behind
# it falls through to the @PHP52 front controller.
# This regex location has to come after the 403 regex locations for the upload
# area, because nginx uses the first regex that matches.
location ~* \.php$ {
# The on-disk existence check happens before anything is sent to FPM, so a URI
# like /upload/pic.jpg/x.php is not handed to the interpreter as a script path.
try_files $uri @PHP52;
# include/fastcgi_param is not shown on this page; presumably it sets
# SCRIPT_FILENAME and the other CGI variables — confirm.
include include/fastcgi_param;
fastcgi_index index.php;
# The request body is written to a temporary file (removed after the request)
# and is not streamed to FPM.
# NOTE(review): presumably include/fastcgi_param passes $request_body_file to
# PHP; without that, POST data would not reach the application — confirm.
fastcgi_pass_request_body off;
client_body_in_file_only clean;
# NOTE(review): confirm the socket's owner and mode allow only the nginx worker
# user to connect.
fastcgi_pass unix:/local/tmp/php52-fpm.socket;
}
а здесь идёт передача любого запроса на /index.php в корне сайта
# Named (internal-only) location: every request routed here is executed as the
# site's /index.php front controller.
location @PHP52 {
include include/fastcgi_param;
# Script identity is fixed here and never derived from the client's URI.
# NOTE(review): if include/fastcgi_param also defines SCRIPT_NAME or
# SCRIPT_FILENAME, both values are sent to FPM — confirm these overrides are
# the ones PHP actually uses.
fastcgi_param SCRIPT_NAME /index.php;
fastcgi_param SCRIPT_FILENAME $document_root/index.php;
fastcgi_index index.php;
# Same body handling as the "\.php$" location: body goes to a temp file and is
# not streamed to FPM (presumably passed by file name — confirm).
fastcgi_pass_request_body off;
client_body_in_file_only clean;
fastcgi_pass unix:/local/tmp/php52-fpm.socket;
}
единственное правило, которое я не переписал:
# Static HTML cache: for non-POST requests that carry no PHPSESSID cookie,
# serve the pre-generated file under /cache_html if it exists.
# NOTE(review): the cache path is assembled from the client-supplied Host
# header, URI and query string. When porting this to nginx, confirm that only
# the expected host names are accepted (server_name / default server) and that
# the resulting path cannot leave cache_html.
RewriteCond %{REQUEST_METHOD} !POST
RewriteCond %{HTTP_COOKIE} !^.*PHPSESSID=.*$
RewriteCond %{DOCUMENT_ROOT}/cache_html/%{HTTP_HOST}%{REQUEST_URI}%{QUERY_STRING}index.html -f
RewriteRule ^(.*)$ /cache_html/%{HTTP_HOST}%{REQUEST_URI}%{QUERY_STRING}index.html
если очень нужно, то можно и этим заморочиться
P.S.: везде мелькает php52/PHP52, потому что HostCMS с PHP старше ветки 5.2 не дружит (верней, не дружат Zend-овские шифры, скрипты надо перекодировать)
PHP-FPM собран вот так:
Configure Command => './configure' '--disable-debug' '--disable-rpath' '--disable-static' '--enable-bcmath=shared' '--enable-calendar=shared' '--enable-cgi' '--enable-cli' '--enable-ctype=shared' '--enable-dba=shared' '--enable-dom=shared' '--enable-exif=shared' '--enable-filter' '--enable-fpm' '--enable-ftp=shared' '--enable-gd-native-ttf' '--enable-hash' '--enable-inline-optimization' '--enable-json=shared' '--enable-libxml' '--enable-mbregex' '--enable-mbstring=shared' '--enable-pcntl=shared' '--enable-pdo=shared' '--enable-posix=shared' '--enable-session' '--enable-shared' '--enable-shmop=shared' '--enable-simplexml' '--enable-soap=shared' '--enable-sockets=shared' '--enable-sqlite-utf8' '--enable-sysvmsg=shared' '--enable-sysvsem=shared' '--enable-sysvshm=shared' '--enable-tokenizer=shared' '--enable-wddx=shared' '--enable-xml' '--enable-xmlreader=shared' '--enable-xmlwriter=shared' '--enable-zip=shared' '--prefix=/opt/php52' '--with-bz2=shared' '--with-cdb' '--with-config-file-path=/opt/php52/etc' '--with-config-file-scan-dir=/opt/php52/etc/conf.d' '--with-curl=shared' '--with-db4' '--with-freetype-dir' '--with-gd=shared' '--with-gettext=shared' '--with-gmp=shared' '--with-gnu-ld' '--with-iconv=shared' '--with-imap-ssl' '--with-imap=shared' '--with-jpeg-dir=/usr' '--with-kerberos' '--with-ldap-sasl=/usr' '--with-ldap=shared' '--with-libdir=lib64' '--with-libedit=shared,/usr' '--with-mcrypt=shared' '--with-mhash' '--with-mm' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-mysql=shared,/usr' '--with-mysqli=shared' '--with-openssl=shared' '--with-pcre-regex=/usr' '--with-pdo_sqlite=shared,/usr' '--with-pdo-mysql=shared,/usr' '--with-pdo-odbc=shared,unixODBC,/usr' '--with-pdo-pgsql=shared,/usr' '--with-pgsql=shared,/usr' '--with-pic' '--with-png-dir' '--with-pspell=shared' '--with-snmp=shared' '--with-sqlite=shared' '--with-t1lib' '--with-tidy=shared,/usr' '--with-unixODBC=shared,/usr' '--with-xmlrpc=shared' '--with-xpm-dir' '--with-xsl=shared' 
'--with-zlib-dir' '--with-zlib=shared' '--enable-dbase=shared' '--enable-fastcgi' '--enable-force-cgi-redirect' '--enable-spl' '--with-ncurses=shared' '--without-gdbm'