diff --git a/conf/nginx.conf b/conf/nginx.conf index e425fd0..7e17cb5 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,77 +1,66 @@ -location ^~ YNH_WWW_PATH { - alias YNH_WWW_FINALPATH/; + root ROOT_PATH; + server_name https://APP_URL; add_header "X-Frame-Options" "SAMEORIGIN"; add_header "X-XSS-Protection" "1; mode=block"; add_header "X-Content-Type-Options" "nosniff"; - - # Don't log robots.txt or favicon.ico files - location = YNH_WWW_FINALPATH/favicon.ico { log_not_found off; access_log off; } - location = YNH_WWW_FINALPATH/robots.txt { allow all; access_log off; log_not_found off; } - - try_files $uri $uri/ /YNH_WWW_ROOTAPP/index.php?$query_string; - - index YNH_WWW_ROOTPATH/index.php YNH_WWW_ROOTPATH/index.html YNH_WWW_ROOTPATH/index.htm; - - location ~ \.ht { + index index.php index.html index.htm; + + + # Don't log robots.txt or favicon.ico files + location = /favicon.ico { log_not_found off; access_log off; } + location = /robots.txt { allow all; access_log off; log_not_found off; } + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + location ~ /\.ht { deny all; } - location ~ \.git { + location ~ /\.git { deny all; } - - location YNH_WWW_ROOTPATH/src { + location /src { deny all; } - location YNH_WWW_ROOTPATH/gen-src { + location /gen-src { deny all; } - location YNH_WWW_ROOTPATH/files/fonts { + location /files/fonts { deny all; } - location YNH_WWW_ROOTPATH/files/private { + location /files/private { deny all; } - location YNH_WWW_ROOTPATH/cache { + location /cache { deny all; } - location YNH_WWW_ROOTPATH/bin { + location /bin { deny all; } - location YNH_WWW_ROOTPATH/samples { + location /samples { deny all; } - location YNH_WWW_ROOTPATH/tests { + location /tests { deny all; } - location YNH_WWW_ROOTPATH/vendor { + location /vendor { deny all; } - location YNH_WWW_ROOTPATH/conf { + location /conf { deny all; } - location YNH_WWW_ROOTPATH/logs { + location /logs { deny all; } + # Deny every non-public files in themes - location ~ YNH_WWW_ROOTPATH/themes/(.+)\.(php|yml|twig|xlf|rzn|rzt|rzg)$ { + location ~ /themes/(.+)\.(php|yml|twig|xlf|rzn|rzt|rzg)$ { deny all; } - location ~ YNH_WWW_ROOTPATH/themes/([^/.]+)/(Resources|Command|Tests|Controllers|Entities|Form|Model|Services)/ { + location ~ /themes/([^/.]+)/(Resources|Command|Tests|Controllers|Entities|Form|Model|Services)/ { deny all; } - location ~ YNH_WWW_ROOTPATH/install.php/ { - try_files $uri $uri/ /install.php?$query_string; - } - location ~ YNH_WWW_ROOTPATH/dev.php/ { - try_files $uri $uri/ /dev.php?$query_string; - } - location ~ YNH_WWW_ROOTPATH/preview.php/ { - try_files $uri $uri/ /preview.php?$query_string; - } - location ~ YNH_WWW_ROOTPATH/clear_cache.php/ { - try_files $uri $uri/ /clear_cache.php?$query_string; - } - # Enable Expire on Themes public assets + + # Enable Expire on Themes public assets location ~* ^/themes/*.*\.(?:ico|css|js|woff2?|eot|ttf|otf|svg|gif|jpe?g|png)$ { expires 30d; access_log off; @@ -87,8 +76,8 @@ location ^~ YNH_WWW_PATH { add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; } - } - # Enable Expire on native documents files + } + # Enable Expire on native documents files location ~* ^/files/*.*\.(?:ico|gif|jpe?g|png)$ { expires 15d; access_log off; @@ -105,7 +94,31 @@ location ^~ YNH_WWW_PATH { add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; } } - location ~ ^/index\.php(/|$) { + + location / { + # First attempt to serve request as file, then + # as directory, then fall back to front-end controller + # (do not forget to pass GET parameters). + try_files $uri $uri/ /index.php?$query_string; + } + + location ~ /install.php/ { + try_files $uri $uri/ /install.php?$query_string; + } + location ~ /dev.php/ { + try_files $uri $uri/ /dev.php?$query_string; + } + location ~ /preview.php/ { + try_files $uri $uri/ /preview.php?$query_string; + } + location ~ /clear_cache.php/ { + try_files $uri $uri/ /clear_cache.php?$query_string; + } + + # + # Production entry point. + # + location ~ ^/index\.php(/|$) { fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_split_path_info ^(.+\.php)(/.+)$; # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini @@ -133,7 +146,3 @@ location ^~ YNH_WWW_PATH { fastcgi_pass unix:/var/run/php5-fpm.sock; include fastcgi_params; } - - # Include SSOWAT user panel. - # include conf.d/yunohost_panel.conf.inc; -}