Putting it all together
Here's the complete server block with everything included. The listen.conf snippet consolidates SSL, HSTS, and ACME renewal — covered in detail in the Securing Nginx and PHP guide:
server {
    include snippets/listen.conf;
    server_name mysite.com;

    ssl_certificate     /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

    root /var/www/mysite.com/public_html;

    access_log /var/log/nginx/mysite.access.log combined if=$log_ip;
    error_log  /var/log/nginx/mysite.error.log;

    # --- Bludit-specific blocks ---
    include snippets/bludit.conf;

    # --- Bludit front controller ---
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # --- Housekeeping ---
    include snippets/drop.conf;

    # --- Static caching ---
    include snippets/static.conf;

    # --- PHP processing ---
    include snippets/php.conf;
}
The sitemap is handled inside bludit.conf (see Step 3), so there's no separate block needed in the server config. The client_max_body_size lives in the /admin location inside bludit.conf, scoped to where uploads actually happen, so the rest of the site keeps Nginx's 1M default. Include order matters in one place: the bl-kernel rule in bludit.conf (~* ^/bl-kernel/.*\.php$, see the 2026-05-26 note below) and the PHP handler in php.conf (the usual location ~ \.php$) are both regex locations, and Nginx uses the first regex location that matches in configuration order, so bludit.conf has to come before php.conf or a request for a PHP file under bl-kernel reaches PHP-FPM instead of being denied.
Step 8: Redirect www to non-www (and HTTP to HTTPS)
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name www.mysite.com;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_certificate     /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

    return 301 https://mysite.com$request_uri;
}

# Also redirect plain HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name mysite.com www.mysite.com;
    return 301 https://mysite.com$request_uri;
}
Two things worth checking here. The www block terminates TLS for www.mysite.com with the apex certificate, so that certificate must list www.mysite.com as a subject alternative name (request it with both names, e.g. certbot ... -d mysite.com -d www.mysite.com); otherwise browsers report a certificate error before they ever receive the 301. And since Nginx 1.25.1 the http2 flag on listen is deprecated in favour of the separate http2 on; directive used above; the old form still works on the 1.26+ builds this guide targets, but logs a deprecation warning at startup. Both blocks redirect with $request_uri, which carries the original path and query string through to the canonical origin unchanged.
Step 9: Run the Bludit installer
Visit https://mysite.com and Bludit's installer will walk you through setting up an admin user. No database credentials needed — it's all flat files from here.
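Before linking the site anywhere, it is worth confirming from the outside that the server blocks above behave as described: every non-canonical origin should answer 301 to https://mysite.com with path and query intact, the canonical origin should carry the HSTS header listen.conf sets, and a direct request for a PHP file under bl-kernel should not execute. The script below is an added example, not part of this guide or of Bludit. It assumes curl on the client, the mysite.com hostname used throughout, that bl-kernel/boot/init.php exists in the Bludit tree (it is the bootstrap file index.php requires in current releases), and that the bl-kernel rule answers with some non-200 status (403 or 404, depending on how bludit.conf denies it). The server is only contacted when SMOKE_HOST is set, so the header-parsing helpers can be exercised offline.

```shell
#!/bin/sh
# Post-install smoke test for the Nginx + Bludit setup in this guide.
# Added example, not part of the guide or of Bludit. Assumes curl on the
# client and the mysite.com hostname used above; the server is only
# contacted when SMOKE_HOST is set:   SMOKE_HOST=mysite.com sh smoke.sh

# Status code from raw "curl -I" output ("HTTP/2 301 " or "HTTP/1.1 301 Moved Permanently").
status_code() {
    printf '%s\n' "$1" | tr -d '\r' | head -n1 | awk '{print $2}'
}

# Value of one response header, matched case-insensitively (HTTP/2 header
# names come back lowercase). Empty if the header is absent.
header_value() {
    # $1 = header name, $2 = raw headers
    printf '%s\n' "$2" | tr -d '\r' | grep -i "^$1: *" | head -n1 | sed 's/^[^:]*: *//'
}

# Pass iff the response is a 301 whose Location is exactly $2.
check_redirect() {
    # $1 = label, $2 = expected Location, $3 = raw headers
    code=$(status_code "$3"); loc=$(header_value Location "$3")
    if [ "$code" = "301" ] && [ "$loc" = "$2" ]; then
        echo "ok   $1 -> $loc"; return 0
    fi
    echo "FAIL $1: got '$code' '$loc', want 301 $2"; return 1
}

# Pass iff the status code equals $2.
check_status() {
    # $1 = label, $2 = expected status code, $3 = raw headers
    code=$(status_code "$3")
    if [ "$code" = "$2" ]; then echo "ok   $1 ($code)"; return 0; fi
    echo "FAIL $1: got '$code', want $2"; return 1
}

# Pass iff the request did NOT succeed: the bl-kernel rule may answer 403
# or 404 depending on how bludit.conf denies it (assumption), but never 200.
check_denied() {
    # $1 = label, $2 = raw headers
    code=$(status_code "$2")
    if [ -n "$code" ] && [ "$code" != "200" ]; then echo "ok   $1 ($code)"; return 0; fi
    echo "FAIL $1: got '$code', want anything but 200"; return 1
}

# Headers only, redirects not followed, so each hop is checked on its own.
fetch() { curl -sS -I --max-time 10 "$1"; }

run_all() {
    host=$1; rc=0
    # Step 8: every non-canonical origin 301s to the apex over HTTPS, path and query intact.
    check_redirect "http apex" "https://$host/p/q?x=1" "$(fetch "http://$host/p/q?x=1")"      || rc=1
    check_redirect "http www"  "https://$host/p/q?x=1" "$(fetch "http://www.$host/p/q?x=1")"  || rc=1
    check_redirect "https www" "https://$host/p/q?x=1" "$(fetch "https://www.$host/p/q?x=1")" || rc=1
    # Canonical origin: served directly, with the HSTS header listen.conf adds.
    h=$(fetch "https://$host/")
    check_status "front page" 200 "$h" || rc=1
    if [ -n "$(header_value Strict-Transport-Security "$h")" ]; then
        echo "ok   HSTS present"
    else
        echo "FAIL HSTS header missing on https://$host/"; rc=1
    fi
    # bludit.conf: PHP under bl-kernel must not be executable from outside.
    # bl-kernel/boot/init.php is assumed to exist (the file index.php requires).
    check_denied "bl-kernel php" "$(fetch "https://$host/bl-kernel/boot/init.php")" || rc=1
    return $rc
}

if [ -n "${SMOKE_HOST:-}" ]; then
    run_all "$SMOKE_HOST" || exit 1
fi
```

Run it once after the installer finishes and again after every certificate renewal or snippet change; a FAIL on the "https www" line almost always means the certificate does not cover www.mysite.com rather than a problem with the redirect itself.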
Optional: Behind Cloudflare
If you use Cloudflare, you'll want to restore real visitor IPs so your access logs and any IP-based features see the actual client, not Cloudflare's proxy addresses. The full setup — real-IP module configuration, IP range auto-updates, and the $binary_remote_addr vs $realip_remote_addr distinction for rate limiting — is covered in the Cloudflare Real IP with Nginx guide.
That's it. Bludit is now running behind Nginx with sensible security defaults, clean URLs, and aggressive static caching — all with flat files and no database.
This guide is maintained as part of a modular, SSL-first framework. Each configuration is audited for production stability and modern security standards.
Compatibility: Tested against current stable releases. While optimized for the stack above, core logic remains relevant for Nginx 1.26+ and PHP 8.2+ environments.
2026-06-07: Renamed bludit_security.conf → bludit.conf. Added /admin location block with expires 0, client_max_body_size 4M, and explicit try_files — /admin is a virtual path that doesn't exist on disk, so try_files is essential for the admin panel to load. Moved client_max_body_size from server-block level into the admin location where uploads happen. Removed ssl_trusted_certificate — Let's Encrypt phased out OCSP stapling and the chain is bundled in fullchain.pem. Renamed static_caching.conf → static.conf. Moved ACME renewal out of drop.conf into listen.conf, with a note about cross-linking to the securing guide. Updated final server block to use listen.conf, $log_ip conditional logging, and snippets/ naming convention. Bumped Nginx to 1.31.1, PHP socket to 8.5.
2026-05-26: Corrected bl-kernel protection rule — replaced the documented ^~ /bl-kernel/*.php prefix location with ~* ^/bl-kernel/.*\.php$ regex location. The Bludit docs carry this over from Apache mod_rewrite syntax; Nginx prefix locations don't evaluate wildcards. Also added fastcgi.conf note to Step 6.
2026-05-21: Production audit — bumped Bludit to 3.22.0, Nginx to 1.30.2, PHP-FPM to 8.5.6. Moved sitemap rule into bludit_security.conf using try_files instead of a separate alias block. Added .well-known/traffic-advice and tdmrep.json exceptions to housekeeping. Replaced inline Cloudflare IP list with a link to the full Cloudflare Real IP guide. Updated limit_conn_zone size to 1m to match current production tuning.