In this tutorial I will explain the basics of configuring Nginx for XenForo 2.3.x.
This tutorial describes the provided Nginx configuration for a XenForo 2 installation running directly behind Nginx.
The reference configuration file is [nginx-xenforo.conf](nginx-xenforo.conf).
Its purpose is to provide a clean production-oriented base with:
- HTTP to HTTPS redirection
- XenForo front-controller routing
- browser caching for static assets
- gzip compression
- basic security headers
- PHP-FPM handling
This is a deployment template, not a drop-in universal config.
You must adapt the domain name, filesystem paths, certificates, and PHP-FPM socket before using it.
Environment Assumptions
- Application: XenForo 2.x
- Web server: Nginx
- PHP runtime: PHP-FPM
- Reverse proxy/CDN: none
- Site installed at web root
- HTTPS enabled in production
Files Included
- [nginx-xenforo.conf](nginx-xenforo.conf): Nginx virtual host template for XenForo
What The Configuration Does
1. Redirects HTTP to HTTPS
The first server block listens on port 80 and redirects all traffic to HTTPS.
This keeps canonical access on TLS and supports HSTS safely once HTTPS is confirmed to be working.
2. Serves XenForo Through `index.php`
The main `location /` block uses `try_files` so that:
- existing files are served directly
- existing directories are served directly
- all other requests are passed to XenForo through `index.php`
This is the expected Nginx behavior for friendly URLs.
3. Adds Cache Rules for Static Files
Static assets such as images, CSS, JavaScript, and fonts receive long-lived caching headers.
This improves browser-side performance and reduces repeated transfers for versioned assets.
4. Handles XenForo Dynamic Asset Endpoints
A dedicated location block is included for:
- `/css.php`
- `/js.php`
These endpoints are passed to PHP-FPM and receive cache headers.
5. Enables Gzip Compression
Text-based responses and SVG/font assets are compressed where appropriate.
6. Applies Basic Security Headers
The config sets these headers:
- `X-Content-Type-Options: nosniff`
- `X-Frame-Options: SAMEORIGIN`
- `Referrer-Policy: strict-origin-when-cross-origin`
- `Permissions-Policy`
- `Strict-Transport-Security`
- `Content-Security-Policy`
These are reasonable defaults, but the CSP is still a compatibility-oriented policy and should be tested against your add-ons and external integrations.
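As an added example (not the reference nginx-xenforo.conf file itself), here is a minimal virtual host that implements steps 1 to 6 above. The domain, web root, certificate paths and PHP-FPM socket are the tutorial's placeholders or assumed values and must be changed for your environment.

```nginx
# HTTP listener (step 1): everything is redirected to the TLS host.
server {
    listen 80;
    server_name example.com;                      # placeholder from the tutorial
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;                      # placeholder
    root /var/www/xenforo/public;                 # placeholder
    index index.php;
    ssl_certificate     /etc/ssl/certs/example.com.pem;    # assumed path
    ssl_certificate_key /etc/ssl/private/example.com.key;  # assumed path
    client_max_body_size 64m;                     # attachment upload limit
    gzip on;                                      # step 5
    gzip_types text/css application/javascript application/json image/svg+xml font/woff2;
    # Step 6: "always" also emits these on 4xx/5xx responses (checklist item 7).
    # The location blocks below use "expires" rather than add_header on purpose:
    # a location with its own add_header would stop inheriting these headers.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Step 2: real files and directories first, everything else to XenForo's router.
    location / {
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    # Step 4: dynamic asset endpoints go to PHP-FPM but get cache headers.
    location ~ ^/(css|js)\.php$ {
        expires 1y;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;   # placeholder socket
    }

    # Step 3: long-lived caching for static assets; the pattern deliberately excludes .php.
    location ~* \.(css|js|png|jpe?g|gif|webp|svg|woff2?)$ {
        expires 1y;
    }

    # PHP handling: "=404" refuses requests whose script file does not exist.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;   # placeholder socket
    }
}
```

The Content-Security-Policy and Permissions-Policy headers from the reference file are left out here because their values are site-specific; run `nginx -t` after adding them.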
Values You Must Change
Before enabling the config, review and update these items in [nginx-xenforo.conf](nginx-xenforo.conf):
- `server_name`
- `root`
- `ssl_certificate`
- `ssl_certificate_key`
- `fastcgi_pass`
Typical examples:
- Replace `example.com` with your real domain
- Replace `/var/www/xenforo/public` with your actual XenForo public directory
- Replace `unix:/run/php/php8.2-fpm.sock` with your installed PHP-FPM socket or TCP upstream
Example Deployment Path
A common deployment flow on Debian or Ubuntu is:
1. Place [nginx-xenforo.conf](nginx-xenforo.conf) into `/etc/nginx/sites-available/your-site.conf`
2. Edit the file for your domain, certificate, root path, and PHP-FPM version
3. Create a symlink into `/etc/nginx/sites-enabled/`
4. Run `nginx -t`
5. Reload Nginx with `systemctl reload nginx`
Validation Checklist
After deployment, verify the following:
1. HTTP redirects to HTTPS
2. Friendly URLs load correctly
3. CSS, JavaScript, images, and attachments load normally
4. Admin and moderator pages work correctly
5. PHP requests execute through the intended PHP-FPM pool
6. Static files return the expected cache headers
7. Security headers are present on normal responses and relevant error responses
8. No add-on functionality is broken by the CSP
Operational Notes
CSP
The provided CSP is intentionally compatible rather than strict.
If you use third-party scripts, embeds, payment widgets, SSO, analytics, or custom add-ons, you may need to extend specific directives.
If you want a stricter policy, roll it out carefully and validate the browser console after each change.
HSTS
The config uses:
- `max-age=31536000`
Do not add `includeSubDomains` or `preload` unless the entire domain space is fully HTTPS-only and intentionally managed that way.
PHP-FPM
The example uses a Unix socket for PHP 8.2:
- `unix:/run/php/php8.2-fpm.sock`
Your server may instead use another PHP version or a TCP upstream such as `127.0.0.1:9000`.
Upload Limits
The config sets:
- `client_max_body_size 64m`
Increase this if your XenForo instance accepts larger attachments.
Final Note
(I use it on my test server and it works correctly.)
This Nginx file is a solid baseline for a direct XenForo deployment, but it still needs environment-specific tuning before production use.
The most important steps are adapting the local paths, validating PHP-FPM connectivity, checking TLS configuration, and testing the CSP against real site behavior.
As a bonus for members, here's the configuration file for this tutorial: nginx-xenforo.conf