From ce6620dbe4c6761ca3e36afeffc4e2fcc96183a3 Mon Sep 17 00:00:00 2001
From: frju365
Date: Thu, 2 Mar 2017 23:08:40 +0100
Subject: [PATCH] Update nginx.conf
---
conf/nginx.conf | 173 ++++++++++++++++--------------------------------
1 file changed, 57 insertions(+), 116 deletions(-)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 4b4669b..a29c464 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -52,125 +52,26 @@ location ^~ YNH_WWW_PATH { location YNH_WWW_ROOTPATH/logs { deny all; } - - - - - location YNH_WWW_ROOTPATH/flarum { - deny all; - return 404; - } - - location ~* \.php$ { - fastcgi_split_path_info ^(.+.php)(/.+)$; - fastcgi_pass unix:/var/run/php5-fpm-YNH_WWW_ROOTAPP.sock; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $request_filename; - fastcgi_param HTTP_PROXY ""; # Fix for https://httpoxy.org/ vulnerability - fastcgi_index index.php; - fastcgi_read_timeout 600; - } - - location ~* \.html$ { - expires -1; - } - - location ~* \.(css|js|gif|jpe?g|png)$ { - expires 1M; - add_header Pragma public; - add_header Cache-Control "public, must-revalidate, proxy-revalidate"; - } - - gzip on; - gzip_http_version 1.1; - gzip_vary on; - gzip_comp_level 6; - gzip_proxied any; - gzip_types application/atom+xml - application/javascript - application/json - application/vnd.ms-fontobject - application/x-font-ttf - application/x-web-app-manifest+json - application/xhtml+xml - application/xml - font/opentype - image/svg+xml - image/x-icon - text/css - text/plain - text/xml; - gzip_buffers 16 8k; - gzip_disable "MSIE [1-6]\.(?!.*SV1)"; - - - # Include SSOWAT user panel. 
- # include conf.d/yunohost_panel.conf.inc; -} - -root ROOT_PATH; - server_name https://APP_URL; - add_header "X-Frame-Options" "SAMEORIGIN"; - add_header "X-XSS-Protection" "1; mode=block"; - add_header "X-Content-Type-Options" "nosniff"; - index index.php index.html index.htm; - - - # Don't log robots.txt or favicon.ico files - location = /favicon.ico { log_not_found off; access_log off; } - location = /robots.txt { allow all; access_log off; log_not_found off; } - - # deny access to .htaccess files, if Apache's document root - # concurs with nginx's one - location ~ /\.ht { - deny all; - } - location ~ /\.git { - deny all; - } - location /src { - deny all; - } - location /gen-src { - deny all; - } - location /files/fonts { - deny all; - } - location /files/private { - deny all; - } - location /cache { - deny all; - } - location /bin { - deny all; - } - location /samples { - deny all; - } - location /tests { - deny all; - } - location /vendor { - deny all; - } - location /conf { - deny all; - } - location /logs { - deny all; - } - # Deny every non-public files in themes - location ~ /themes/(.+)\.(php|yml|twig|xlf|rzn|rzt|rzg)$ { + location ~ YNH_WWW_ROOTPATH/themes/(.+)\.(php|yml|twig|xlf|rzn|rzt|rzg)$ { deny all; } - location ~ /themes/([^/.]+)/(Resources|Command|Tests|Controllers|Entities|Form|Model|Services)/ { + location ~ YNH_WWW_ROOTPATH/themes/([^/.]+)/(Resources|Command|Tests|Controllers|Entities|Form|Model|Services)/ { deny all; } - - # Enable Expire on Themes public assets + location ~ YNH_WWW_ROOTPATH/install.php/ { + try_files $uri $uri/ /install.php?$query_string; + } + location ~ YNH_WWW_ROOTPATH/dev.php/ { + try_files $uri $uri/ /dev.php?$query_string; + } + location ~ YNH_WWW_ROOTPATH/preview.php/ { + try_files $uri $uri/ /preview.php?$query_string; + } + location ~ YNH_WWW_ROOTPATH/clear_cache.php/ { + try_files $uri $uri/ /clear_cache.php?$query_string; + } + # Enable Expire on Themes public assets location ~* 
^/themes/*.*\.(?:ico|css|js|woff2?|eot|ttf|otf|svg|gif|jpe?g|png)$ { expires 30d; access_log off; @@ -186,8 +87,8 @@ root ROOT_PATH; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; } - } - # Enable Expire on native documents files + } + # Enable Expire on native documents files location ~* ^/files/*.*\.(?:ico|gif|jpe?g|png)$ { expires 15d; access_log off; @@ -204,7 +105,47 @@ root ROOT_PATH; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; } } + location ~ ^/index\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini + # With php5-fpm: + fastcgi_pass unix:/var/run/php5-fpm.sock; + include fastcgi_params; + # Prevents URIs that include the front controller. This will 404: + # http://domain.tld/app.php/some-path + # Remove the internal directive to allow URIs like this + internal; + } + # + # Preview, Dev and Install entry points. + # + # In production server, don't deploy dev.php or install.php + # + location ~ ^/(dev|install|preview|clear_cache)\.php(/|$) { + # Enforce OPCache PHP class cache invalidation at each request + #fastcgi_param PHP_VALUE "opcache.revalidate_freq=0"; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini + # With php5-fpm: + fastcgi_pass unix:/var/run/php5-fpm.sock; + include fastcgi_params; + } + + # Include SSOWAT user panel. + # include conf.d/yunohost_panel.conf.inc; +} + + + + + + + + + location / { # First attempt to serve request as file, then # as directory, then fall back to front-end controller
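Review bot: The new side of the first hunk (`@@ -52,125 +52,26 @@`) no longer carries the removed deny rules for `/.ht`, `/.git`, `/conf`, `/vendor`, `/cache` and `/files/private`, nor the `X-Frame-Options`, `X-XSS-Protection` and `X-Content-Type-Options` headers. Only `YNH_WWW_ROOTPATH/logs` and the two themes rules are visibly denied, so unless the part of the file above this hunk already covers those paths, repository metadata and configuration files become fetchable. I would keep prefixed equivalents inside the `location ^~ YNH_WWW_PATH` block (which opens outside the hunk), for example `location ~ YNH_WWW_ROOTPATH/\.(ht|git) { deny all; }`. The four added `try_files` locations also use an unanchored regex with an unescaped dot, and they fall back to `/install.php?$query_string` and its siblings without the `YNH_WWW_ROOTPATH` prefix, which presumably points at the domain root when the app is installed under a sub-path.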
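Review bot: Both FastCGI locations added in the last hunk (`@@ -204,7 +105,47 @@`) pass requests to the shared `unix:/var/run/php5-fpm.sock` and omit the `fastcgi_param HTTP_PROXY "";` line that the removed PHP block set against httpoxy. Restoring the per-app pool and the header reset would be `fastcgi_pass unix:/var/run/php5-fpm-YNH_WWW_ROOTAPP.sock;` and `fastcgi_param HTTP_PROXY "";` in each location. The `(dev|install|preview|clear_cache)\.php` location has no `allow`/`deny`, although its own comment says dev.php and install.php should not be deployed in production; limiting it to an administrator address followed by `deny all;` would match that comment. Both patterns are anchored at `^/`, so they presumably stop matching when the app is served under `YNH_WWW_ROOTPATH`; the enclosing location opens outside this hunk.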