SSL certificate for a local Shopware test environment (NGINX)

Today I'll show you how to quickly and easily set up an SSL certificate for your local Shopware installation. Chrome's cache often gets in the way here, and you have to clear it constantly if you switch between dev and production under the same TLD and subdomain (for licensing reasons or similar).

Note: this tutorial refers to a setup with NGINX.

Installing the SSL certificate

sudo mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
# generate a passphrase-protected 2048-bit RSA key, then strip the passphrase so nginx can start unattended
sudo openssl genrsa -des3 -passout pass:x -out shopware.pass.key 2048
sudo openssl rsa -passin pass:x -in shopware.pass.key -out shopware.key
sudo rm shopware.pass.key
# create the certificate signing request (interactive prompts; use your local hostname as Common Name)
sudo openssl req -new -key shopware.key -out shopware.csr
# self-sign the request for one year
sudo openssl x509 -req -days 365 -in shopware.csr -signkey shopware.key -out shopware.crt
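The commands above produce a certificate without a Subject Alternative Name, which Chrome has not accepted for hostname matching since version 58 (ERR_CERT_COMMON_NAME_INVALID). The script below is an added example, not the article's own commands: it creates key and certificate in one step with a SAN, assuming OpenSSL 1.1.1 or newer and a placeholder hostname such as shopware.local, then checks that key and certificate belong together and that the key is not readable by other users.

```shell
#!/bin/sh
# Added example, not from the article: self-signed dev certificate with a Subject
# Alternative Name in one step, plus a sanity check before nginx is pointed at it.
# Assumptions: OpenSSL 1.1.1 or newer (for -addext); the output directory and the
# local hostname (e.g. shopware.local, a placeholder) are passed as arguments.
set -eu

# gen_dev_cert DIR HOST -> writes DIR/shopware.key (mode 600) and DIR/shopware.crt
gen_dev_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # -nodes writes an unencrypted key, so the genrsa/rsa passphrase round trip is not needed.
    # The SAN is what Chrome matches the hostname against; the CN alone is ignored since Chrome 58.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host,DNS:www.$host" \
        -keyout "$dir/shopware.key" -out "$dir/shopware.crt" 2>/dev/null
    # nginx reads the key as root; with the default umask it would otherwise be world-readable
    chmod 600 "$dir/shopware.key"
}

# check_dev_cert DIR HOST -> 0 if key and cert belong together, HOST is in the SAN,
# and the key is not readable by group/others; 1 otherwise (reason on stderr)
check_dev_cert() {
    dir=$1; host=$2
    crt_pub=$(openssl x509 -in "$dir/shopware.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/shopware.key" -pubout)
    [ "$crt_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    openssl x509 -in "$dir/shopware.crt" -noout -text | grep -qE "DNS:$host(,|$)" \
        || { echo "$host is missing from subjectAltName" >&2; return 1; }
    case $(ls -l "$dir/shopware.key" | cut -c5-10) in
        ------) ;;
        *) echo "shopware.key is readable by group or others" >&2; return 1 ;;
    esac
}

# Usage: sh make-dev-cert.sh /etc/nginx/ssl shopware.local   (run with sudo for /etc/nginx)
if [ $# -ge 2 ]; then
    gen_dev_cert "$1" "$2"
    check_dev_cert "$1" "$2" && echo "certificate ready in $1"
fi
```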


Configuring the target

Go to the sites-available directory of your NGINX

cd /etc/nginx/sites-available/

and edit the conf file that contains your desired domain/project:

sudo nano mysite.com

There, change the listen port to 443:

server {
    listen 443 ssl;  # further config...

then add the SSL config:

    # "ssl on;" is not needed: the ssl parameter on "listen 443 ssl;" above enables TLS
    # (ssl on is deprecated since nginx 1.15.0 and no longer exists in 1.25.1)
    ssl_certificate     /etc/nginx/ssl/shopware.crt;
    ssl_certificate_key /etc/nginx/ssl/shopware.key;
    ssl_session_timeout 5m;
    ssl_ciphers               'AES128+EECDH:AES128+EDH:!aNULL';
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); on current builds use TLSv1.2 TLSv1.3
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

Finally, add the redirect for port 80 (in case you ever open a page without https):

server {
    listen      80;
    server_name myShopware.com;

    # Note: browsers ignore Strict-Transport-Security on plain-HTTP responses (RFC 6797),
    # so this header only takes effect if it is also sent from the HTTPS server block
    add_header Strict-Transport-Security max-age=2592000;
    rewrite ^ https://$server_name$request_uri? permanent;
}

The whole thing:

## Author: Benjamin Cremer
## Shopware nginx rules.
## Heavily Inspired by https://github.com/perusio/drupal-with-nginx/
## Designed to be included in any server {} block.
## Please note that you need a PHP-FPM upstream configured in the http context, and its name set in the $fpm_upstream variable.
## https://github.com/bcremer/shopware-with-nginx

server {
    listen 443 ssl;   # replaces the deprecated "ssl on;" (gone since nginx 1.25.1)
    server_name www.mysite.com;
    root /var/www/shopware;

location = /favicon.ico {
    log_not_found off;
    access_log off;
}

    ssl_certificate     /etc/nginx/ssl/shopware.crt;
    ssl_certificate_key /etc/nginx/ssl/shopware.key;
    ssl_session_timeout 5m;
    ssl_ciphers               'AES128+EECDH:AES128+EDH:!aNULL';
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); on current builds use TLSv1.2 TLSv1.3
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

## Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}

## Deny all attempts to access possible configuration files
location ~ \.(tpl|yml|ini|log)$ {
    deny all;
}

## Deny access to media upload folder
location ^~ /media/temp/ {
    deny all;
}

# Shopware caches and logs
location ^~ /var/ {
    deny all;
}

# Deny access to root files
location ~ (autoload\.php|composer\.(json|lock|phar)|CONTRIBUTING\.md|eula.*\.txt|license\.txt|README\.md|UPGRADE\.md)$ {
    return 404;
}

location ^~ /files/documents/ {
    deny all;
}

# Block direct access to ESDs, but allow the following download options:
#  * 'PHP' (slow)
#  * 'X-Accel' (optimized)
# Also see http://wiki.shopware.com/ESD_detail_1116.html#Ab_Shopware_4.2.2
location ^~ /files/552211cce724117c3178e3d22bec532ec/ {
    internal;
}

# Shopware install / update
location /recovery/install {
    index index.php;
    try_files $uri /recovery/install/index.php$is_args$args;
}

location /recovery/update/ {
    location /recovery/update/assets {
    }
    if (!-e $request_filename){
        rewrite . /recovery/update/index.php last;
    }
}

location / {
    location ~* "^/themes/Frontend/Responsive/frontend/_public/vendors/fonts/open-sans-fontface/(?:.+)\.(?:ttf|eot|svg|woff)$" {
        expires max;
        add_header Cache-Control "public";
        access_log off;
        log_not_found off;
    }

    location ~* "^/themes/Frontend/Responsive/frontend/_public/src/fonts/(?:.+)\.(?:ttf|eot|svg|woff)$" {
        expires max;
        add_header Cache-Control "public";
        access_log off;
        log_not_found off;
    }

    location ~* "^/web/cache/(?:[0-9]{10})_(?:.+)\.(?:js|css)$" {
        expires max;
        add_header Cache-Control "public";
        access_log off;
        log_not_found off;
    }


    ## All static files will be served directly.
    location ~* ^.+\.(?:css|cur|js|jpe?g|gif|ico|png|svg|html)$ {
        ## Defining rewrite rules
        rewrite files/documents/.* /engine last;
        rewrite backend/media/(.*) /media/$1 last;

        expires 1w;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";

        access_log off;
        # The directive enables or disables messages in error_log about files not found on disk.
        log_not_found off;

        tcp_nodelay off;
        ## Set the OS file cache.
        open_file_cache max=3000 inactive=120s;
        open_file_cache_valid 45s;
        open_file_cache_min_uses 2;
        open_file_cache_errors off;

        ## Fallback to shopware
        ## comment in if needed
        try_files $uri /shopware.php?controller=Media&action=fallback;
    }

    index shopware.php index.php;
    try_files $uri $uri/ /shopware.php$is_args$args;
}

## XML Sitemap support.
location = /sitemap.xml {
    log_not_found off;
    access_log off;
    try_files $uri @shopware;
}

## XML SitemapMobile support.
location = /sitemapMobile.xml {
    log_not_found off;
    access_log off;
    try_files $uri @shopware;
}

## robots.txt support.
location = /robots.txt {
    log_not_found off;
    access_log off;
    try_files $uri @shopware;
}

location @shopware {
    rewrite / /shopware.php;
}

location ~ \.php$ {
    try_files $uri $uri/ =404;

    ## NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
    fastcgi_split_path_info ^(.+\.php)(/.+)$;

    ## required for upstream keepalive
    # disabled due to failed connections
    #fastcgi_keep_conn on;

    include fastcgi.conf;

    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    # Mitigate httpoxy vulnerability, see: https://httpoxy.org/
    fastcgi_param HTTP_PROXY "";

    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;

    client_max_body_size 24M;
    client_body_buffer_size 128k;

    ## Set $fpm_upstream in your server block (or, as here, point directly at your PHP-FPM socket;
    ## the socket name below is specific to this installation and must be adjusted)
    fastcgi_pass unix:/var/run/php/php7.0-micha-fpm.sock;
}

}


server {
    listen      80;
    # must be the same name as in the 443 block, otherwise the redirect points at a different host
    server_name www.mysite.com;

    # browsers ignore HSTS over plain HTTP (RFC 6797); send it from the 443 block instead
    add_header Strict-Transport-Security max-age=2592000;
    rewrite ^ https://$server_name$request_uri? permanent;
}
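To see whether a server config like the one above still carries the settings that trip up current nginx builds or weaken TLS, here is an added lint script (my own example, not part of the article or of the bcremer rules). It flags the deprecated "ssl on;", TLS 1.0/1.1 in ssl_protocols, and an HSTS header placed in a plain port-80 block; the built-in demo runs it over a constructed fragment in the style of the article's port-443/port-80 pair.

```shell
#!/bin/sh
# Added example, not from the article: lint the TLS-related directives of an nginx config
# for three issues seen in older Shopware guides: the deprecated "ssl on;", TLS 1.0/1.1 in
# ssl_protocols, and an HSTS header in a plain port-80 block (browsers ignore HSTS over HTTP,
# RFC 6797 section 8.1). Assumes POSIX sh, grep -E and awk; the config path is an argument.

# audit_nginx_tls FILE -> prints one finding per line, returns the number of findings (0-3)
audit_nginx_tls() {
    conf=$1; n=0
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "ssl on; is deprecated since nginx 1.15.0 and gone in 1.25.1: use 'listen 443 ssl;'"
        n=$((n + 1))
    fi
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?([[:space:];]|$)' "$conf"; then
        echo "ssl_protocols enables TLSv1/TLSv1.1: use 'ssl_protocols TLSv1.2 TLSv1.3;'"
        n=$((n + 1))
    fi
    # Walk the server blocks and remember whether the current one listens on plain port 80
    if awk '/^[ \t]*server[ \t]*[{]/ { plain = 0 }
            /^[ \t]*listen[ \t]+80[ \t]*;/ { plain = 1 }
            plain && /Strict-Transport-Security/ { hit = 1 }
            END { exit !hit }' "$conf"; then
        echo "Strict-Transport-Security sent from a port-80 block is ignored: move it to the 443 server"
        n=$((n + 1))
    fi
    return "$n"
}

# demo: audit a constructed fragment in the style of the article's port-443/port-80 pair
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 80;
    add_header Strict-Transport-Security max-age=2592000;
}
EOF
    if audit_nginx_tls "$tmp"; then echo "0 findings"; else echo "$? finding(s)"; fi
    rm -f "$tmp"
}

# Usage: sh audit-nginx-tls.sh /etc/nginx/sites-available/mysite.com   (no argument: run the demo)
if [ $# -ge 1 ]; then audit_nginx_tls "$1" || echo "$? finding(s)"; else demo; fi
```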

Different browsers will still show you a warning that the certificate is not trusted. For local development it is more than enough, though: this simply stops the nasty Chrome cache from occasionally behaving strangely, and you no longer have to clear the host cache.
