Nginx Configuration


Nginx Configuration

Save as /etc/nginx/sites-available/botmerze:

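# BotMerze virtual host.
# The domain root holds the public index.php; the Laravel application lives in
# /core below it. Because /core sits inside the web root, the deny rules in
# this block are what keep its .env, source code and storage from being served.
#
# NOTE(review): this block listens on port 80 only. Serving the site over
# https:// needs a TLS listener, which is not shown here.
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;

    # Domain root holds index.php; Laravel is inside /core
    # Replace <domain> with the real account/domain directory.
    root /home/<domain>/public_html;
    index index.php index.html;

    # ── Security headers ─────────────────────────────────────────
    # nginx inherits add_header from this level only into locations that
    # declare no add_header of their own. Any location that adds a header
    # must repeat this set (see the static-asset location below).
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore; a Content-Security-Policy is the control that replaces it.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Upper bound on request bodies (uploads). Presumably sized for the
    # application's file uploads; lower it if 100M is not needed.
    client_max_body_size 100M;

    access_log /var/log/nginx/botmerze-access.log;
    error_log  /var/log/nginx/botmerze-error.log;

    # ── BLOCK direct access to Laravel core ──────────────────────
    # /core contains .env, source code, storage — never serve it.
    # The ^~ modifier stops nginx from trying the regex locations below, so
    # the PHP handler and the static-asset location never match under /core/.
    # "return" runs in the rewrite phase, so clients receive the 404;
    # "deny all" stays as a backstop if the return line is ever removed.
    location ^~ /core/ {
        deny all;
        return 404;
    }

    # ── Block dotfiles (.env, .git, etc.) ────────────────────────
    # The negative lookahead leaves /.well-known/ reachable.
    location ~ /\.(?!well-known).* {
        deny all;
        return 404;
    }

    # ── Block sensitive Laravel paths even at root ───────────────
    location ~* /(\.env|\.env\..*|composer\.(json|lock)|package(-lock)?\.json|artisan)$ {
        deny all;
        return 404;
    }

    # ── Front controller ─────────────────────────────────────────
    # Serve an existing file or directory, otherwise route to index.php.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # ── PHP handler ──────────────────────────────────────────────
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        # Hand only scripts that exist under the document root to PHP-FPM.
        # Without this check every URI ending in .php is forwarded, and the
        # PHP side decides which file to run.
        try_files $fastcgi_script_name =404;

        # try_files resets $fastcgi_path_info, so keep a copy for PATH_INFO.
        set $path_info $fastcgi_path_info;

        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $path_info;

        fastcgi_read_timeout 300;
        fastcgi_buffer_size  16k;
        fastcgi_buffers      4 16k;
    }

    # ── Long-cache static assets ─────────────────────────────────
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|eot)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";

        # This location declares its own add_header, which discards the
        # server-level headers. Repeat them so scripts, stylesheets and SVGs
        # still carry nosniff and the other headers.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }
}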

Enable & reload:

# Enable the site: sites-enabled holds a symlink to the file saved above.
sudo ln -s /etc/nginx/sites-available/botmerze /etc/nginx/sites-enabled/
# Remove the stock "default" site link (-f: no error if it is already gone),
# presumably so the distribution default server no longer answers requests.
sudo rm -f /etc/nginx/sites-enabled/default
# nginx -t validates the whole configuration; because of &&, the reload runs
# only when validation passes, so a broken file never reaches the running server.
sudo nginx -t && sudo systemctl reload nginx

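✅ With the rules above, https://yourdomain.com/core/.env returns 404, while https://yourdomain.com/ continues to serve the BotMerze application normally. The server block above listens on port 80 only, so the https:// URLs apply once TLS is configured for this site; over plain HTTP the same paths behave the same way. After each reload, request /core/.env and confirm that it returns 404.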
