From e34a2cdc0da91fac20fe8efe143f45cd8d70508a Mon Sep 17 00:00:00 2001
From: frju365
Date: Thu, 2 Mar 2017 23:03:24 +0100
Subject: [PATCH 1/3] Update nginx.conf

---
 conf/nginx.conf | 112 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 111 insertions(+), 1 deletion(-)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index 7e17cb5..4b4669b 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,4 +1,114 @@
- root ROOT_PATH;
+location ^~ YNH_WWW_PATH {
+ alias YNH_WWW_FINALPATH/;
+ add_header "X-Frame-Options" "SAMEORIGIN";
+ add_header "X-XSS-Protection" "1; mode=block";
+ add_header "X-Content-Type-Options" "nosniff";
+
+ # Don't log robots.txt or favicon.ico files
+ location = YNH_WWW_FINALPATH/favicon.ico { log_not_found off; access_log off; }
+ location = YNH_WWW_FINALPATH/robots.txt { allow all; access_log off; log_not_found off; }
+
+ try_files $uri $uri/ /YNH_WWW_ROOTAPP/index.php?$query_string;
+
+ index YNH_WWW_ROOTPATH/index.php YNH_WWW_ROOTPATH/index.html YNH_WWW_ROOTPATH/index.htm;
+
+ location ~ \.ht {
+ deny all;
+ }
+ location ~ \.git {
+ deny all;
+ }
+
+ location YNH_WWW_ROOTPATH/src {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/gen-src {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/files/fonts {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/files/private {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/cache {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/bin {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/samples {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/tests {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/vendor {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/conf {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/logs {
+ deny all;
+ }
+
+
+
+
+ location YNH_WWW_ROOTPATH/flarum {
+ deny all;
+ return 404;
+ }
+
+ location ~* \.php$ {
+ fastcgi_split_path_info ^(.+.php)(/.+)$;
+ fastcgi_pass unix:/var/run/php5-fpm-YNH_WWW_ROOTAPP.sock;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ fastcgi_param HTTP_PROXY ""; # Fix for https://httpoxy.org/ vulnerability
+ fastcgi_index index.php;
+ fastcgi_read_timeout 600;
+ }
+
+ location ~* \.html$ {
+ expires -1;
+ }
+
+ location ~* \.(css|js|gif|jpe?g|png)$ {
+ expires 1M;
+ add_header Pragma public;
+ add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+ }
+
+ gzip on;
+ gzip_http_version 1.1;
+ gzip_vary on;
+ gzip_comp_level 6;
+ gzip_proxied any;
+ gzip_types application/atom+xml
+ application/javascript
+ application/json
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ font/opentype
+ image/svg+xml
+ image/x-icon
+ text/css
+ text/plain
+ text/xml;
+ gzip_buffers 16 8k;
+ gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+
+
+ # Include SSOWAT user panel.
+ # include conf.d/yunohost_panel.conf.inc;
+}
+
+root ROOT_PATH;
 server_name https://APP_URL;
 add_header "X-Frame-Options" "SAMEORIGIN";
 add_header "X-XSS-Protection" "1; mode=block";

From ce6620dbe4c6761ca3e36afeffc4e2fcc96183a3 Mon Sep 17 00:00:00 2001
From: frju365
Date: Thu, 2 Mar 2017 23:08:40 +0100
Subject: [PATCH 2/3] Update nginx.conf

---
 conf/nginx.conf | 173 ++++++++++++++++-------------------------------
 1 file changed, 57 insertions(+), 116 deletions(-)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index 4b4669b..a29c464 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
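Review bot: The new `location ~ \.ht { deny all; }` and `location ~ \.git { deny all; }` rules are unanchored, so `\.ht` also matches every `.html` and `.htm` URI and, being declared before `location ~* \.html$`, wins the regex search and returns 403 for all HTML pages. Restoring the leading slash used by the pre-existing rules, `location ~ /\.ht {` and `location ~ /\.git {`, limits them to dot-files and dot-directories. The `location = YNH_WWW_FINALPATH/favicon.ico` and `robots.txt` matches appear to use the same filesystem path that `alias` points at rather than a request URI under YNH_WWW_PATH; if FINALPATH is a disk path these two locations can never match and should be written against the URI. Note also that the `add_header` lines inside the nested `\.(css|js|gif|jpe?g|png)$` location stop inheritance of the three security headers set at the top of the block, so those assets are served without them; a comment there would save the next reader from assuming otherwise.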
@@ -52,125 +52,26 @@ location ^~ YNH_WWW_PATH {
 location YNH_WWW_ROOTPATH/logs {
 deny all;
 }
-
-
-
-
- location YNH_WWW_ROOTPATH/flarum {
- deny all;
- return 404;
- }
-
- location ~* \.php$ {
- fastcgi_split_path_info ^(.+.php)(/.+)$;
- fastcgi_pass unix:/var/run/php5-fpm-YNH_WWW_ROOTAPP.sock;
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $request_filename;
- fastcgi_param HTTP_PROXY ""; # Fix for https://httpoxy.org/ vulnerability
- fastcgi_index index.php;
- fastcgi_read_timeout 600;
- }
-
- location ~* \.html$ {
- expires -1;
- }
-
- location ~* \.(css|js|gif|jpe?g|png)$ {
- expires 1M;
- add_header Pragma public;
- add_header Cache-Control "public, must-revalidate, proxy-revalidate";
- }
-
- gzip on;
- gzip_http_version 1.1;
- gzip_vary on;
- gzip_comp_level 6;
- gzip_proxied any;
- gzip_types application/atom+xml
- application/javascript
- application/json
- application/vnd.ms-fontobject
- application/x-font-ttf
- application/x-web-app-manifest+json
- application/xhtml+xml
- application/xml
- font/opentype
- image/svg+xml
- image/x-icon
- text/css
- text/plain
- text/xml;
- gzip_buffers 16 8k;
- gzip_disable "MSIE [1-6]\.(?!.*SV1)";
-
-
- # Include SSOWAT user panel.
- # include conf.d/yunohost_panel.conf.inc;
-}
-
-root ROOT_PATH;
- server_name https://APP_URL;
- add_header "X-Frame-Options" "SAMEORIGIN";
- add_header "X-XSS-Protection" "1; mode=block";
- add_header "X-Content-Type-Options" "nosniff";
- index index.php index.html index.htm;
-
-
- # Don't log robots.txt or favicon.ico files
- location = /favicon.ico { log_not_found off; access_log off; }
- location = /robots.txt { allow all; access_log off; log_not_found off; }
-
- # deny access to .htaccess files, if Apache's document root
- # concurs with nginx's one
- location ~ /\.ht {
- deny all;
- }
- location ~ /\.git {
- deny all;
- }
- location /src {
- deny all;
- }
- location /gen-src {
- deny all;
- }
- location /files/fonts {
- deny all;
- }
- location /files/private {
- deny all;
- }
- location /cache {
- deny all;
- }
- location /bin {
- deny all;
- }
- location /samples {
- deny all;
- }
- location /tests {
- deny all;
- }
- location /vendor {
- deny all;
- }
- location /conf {
- deny all;
- }
- location /logs {
- deny all;
- }
- # Deny every non-public files in themes
- location ~ /themes/(.+)\.(php|yml|twig|xlf|rzn|rzt|rzg)$ {
+ location ~ YNH_WWW_ROOTPATH/themes/(.+)\.(php|yml|twig|xlf|rzn|rzt|rzg)$ {
 deny all;
 }
- location ~ /themes/([^/.]+)/(Resources|Command|Tests|Controllers|Entities|Form|Model|Services)/ {
+ location ~ YNH_WWW_ROOTPATH/themes/([^/.]+)/(Resources|Command|Tests|Controllers|Entities|Form|Model|Services)/ {
 deny all;
 }
-
- # Enable Expire on Themes public assets
+ location ~ YNH_WWW_ROOTPATH/install.php/ {
+ try_files $uri $uri/ /install.php?$query_string;
+ }
+ location ~ YNH_WWW_ROOTPATH/dev.php/ {
+ try_files $uri $uri/ /dev.php?$query_string;
+ }
+ location ~ YNH_WWW_ROOTPATH/preview.php/ {
+ try_files $uri $uri/ /preview.php?$query_string;
+ }
+ location ~ YNH_WWW_ROOTPATH/clear_cache.php/ {
+ try_files $uri $uri/ /clear_cache.php?$query_string;
+ }
+ # Enable Expire on Themes public assets
 location ~* ^/themes/*.*\.(?:ico|css|js|woff2?|eot|ttf|otf|svg|gif|jpe?g|png)$ {
 expires 30d;
 access_log off;
@@ -186,8 +87,8 @@ root ROOT_PATH;
 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
 add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
 }
- }
- # Enable Expire on native documents files
+ }
+ # Enable Expire on native documents files
 location ~* ^/files/*.*\.(?:ico|gif|jpe?g|png)$ {
 expires 15d;
 access_log off;
@@ -204,7 +105,47 @@ root ROOT_PATH;
 add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
 }
 }
+ location ~ ^/index\.php(/|$) {
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+ # With php5-fpm:
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ include fastcgi_params;
+ # Prevents URIs that include the front controller. This will 404:
+ # http://domain.tld/app.php/some-path
+ # Remove the internal directive to allow URIs like this
+ internal;
+ }
+ #
+ # Preview, Dev and Install entry points.
+ #
+ # In production server, don't deploy dev.php or install.php
+ #
+ location ~ ^/(dev|install|preview|clear_cache)\.php(/|$) {
+ # Enforce OPCache PHP class cache invalidation at each request
+ #fastcgi_param PHP_VALUE "opcache.revalidate_freq=0";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+ # With php5-fpm:
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ include fastcgi_params;
+ }
+
+ # Include SSOWAT user panel.
+ # include conf.d/yunohost_panel.conf.inc;
+}
+
+
+
+
+
+
+
+
 location / {
 # First attempt to serve request as file, then
 # as directory, then fall back to front-end controller
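Review bot: The four new `location ~ YNH_WWW_ROOTPATH/(install|dev|preview|clear_cache).php/` blocks keep the installer, dev and cache-clearing entry points routable, although the comment added in the last hunk of this patch (`# In production server, don't deploy dev.php or install.php`) says they must not be deployed; a production template should refuse at least those two paths, e.g. `location ~ ^YNH_WWW_ROOTPATH/(dev|install)\.php { deny all; }`, and the same concern applies to the `location ~ ^/(dev|install|preview|clear_cache)\.php(/|$)` handler in the last hunk. Their `try_files` fallbacks also point at `/install.php` and friends at the server root, unlike the block-level `try_files ... /YNH_WWW_ROOTAPP/index.php?$query_string`, so the internal redirect lands outside the aliased application whenever YNH_WWW_PATH is not `/`. The dot in `install.php/` and the other three patterns is unescaped and the patterns are unanchored, so they match more than the intended files; `\.` plus a `^` prefix fixes that. The enclosing `location ^~ YNH_WWW_PATH {` block opens outside this hunk.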
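Review bot: Both new PHP handlers set `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`, yet they are nested in the `location ^~ YNH_WWW_PATH` block whose `alias YNH_WWW_FINALPATH/` was introduced in the first patch of this series, and under `alias` that concatenation appends the full request URI, including the YNH_WWW_PATH prefix, to the aliased directory, so PHP-FPM is handed a path that does not exist; `fastcgi_param SCRIPT_FILENAME $request_filename;`, which the `\.php$` block removed earlier in this patch used, resolves correctly with alias. Their patterns `^/index\.php(/|$)` and `^/(dev|install|preview|clear_cache)\.php(/|$)` are anchored at the URI root, so if YNH_WWW_PATH is a sub-path (I am inferring that case from the placeholder names) no request reaches them and the `try_files` fallback to `/YNH_WWW_ROOTAPP/index.php` has no PHP handler at all; anchoring on `^YNH_WWW_PATH/` would be needed. `fastcgi_pass unix:/var/run/php5-fpm.sock;` also differs from the per-app `php5-fpm-YNH_WWW_ROOTAPP.sock` the removed block used, so the two socket names should be reconciled in one place.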
From 9c3befd082dec3ea3172fe750cc64b67821166aa Mon Sep 17 00:00:00 2001
From: frju365
Date: Fri, 3 Mar 2017 00:31:19 +0100
Subject: [PATCH 3/3] Update nginx.conf

---
 conf/nginx.conf | 60 -------------------------------------------------
 1 file changed, 60 deletions(-)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index a29c464..e425fd0 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -137,63 +137,3 @@ location ^~ YNH_WWW_PATH {
 # Include SSOWAT user panel.
 # include conf.d/yunohost_panel.conf.inc;
 }
-
-
-
-
-
-
-
-
-
- location / {
- # First attempt to serve request as file, then
- # as directory, then fall back to front-end controller
- # (do not forget to pass GET parameters).
- try_files $uri $uri/ /index.php?$query_string;
- }
-
- location ~ /install.php/ {
- try_files $uri $uri/ /install.php?$query_string;
- }
- location ~ /dev.php/ {
- try_files $uri $uri/ /dev.php?$query_string;
- }
- location ~ /preview.php/ {
- try_files $uri $uri/ /preview.php?$query_string;
- }
- location ~ /clear_cache.php/ {
- try_files $uri $uri/ /clear_cache.php?$query_string;
- }
-
- #
- # Production entry point.
- #
- location ~ ^/index\.php(/|$) {
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
- # With php5-fpm:
- fastcgi_pass unix:/var/run/php5-fpm.sock;
- include fastcgi_params;
- # Prevents URIs that include the front controller. This will 404:
- # http://domain.tld/app.php/some-path
- # Remove the internal directive to allow URIs like this
- internal;
- }
-
- #
- # Preview, Dev and Install entry points.
- #
- # In production server, don't deploy dev.php or install.php
- #
- location ~ ^/(dev|install|preview|clear_cache)\.php(/|$) {
- # Enforce OPCache PHP class cache invalidation at each request
- #fastcgi_param PHP_VALUE "opcache.revalidate_freq=0";
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
- # With php5-fpm:
- fastcgi_pass unix:/var/run/php5-fpm.sock;
- include fastcgi_params;
- }