diff --git a/conf/nginx.conf b/conf/nginx.conf
index 7e17cb5..4b4669b 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,4 +1,114 @@
- root ROOT_PATH;
+location ^~ YNH_WWW_PATH {
+ alias YNH_WWW_FINALPATH/;
+ add_header "X-Frame-Options" "SAMEORIGIN";
+ add_header "X-XSS-Protection" "1; mode=block";
+ add_header "X-Content-Type-Options" "nosniff";
+
+ # Don't log robots.txt or favicon.ico files
+ location = YNH_WWW_FINALPATH/favicon.ico { log_not_found off; access_log off; }
+ location = YNH_WWW_FINALPATH/robots.txt { allow all; access_log off; log_not_found off; }
+
+ try_files $uri $uri/ /YNH_WWW_ROOTAPP/index.php?$query_string;
+
+ index YNH_WWW_ROOTPATH/index.php YNH_WWW_ROOTPATH/index.html YNH_WWW_ROOTPATH/index.htm;
+
+ location ~ \.ht {
+ deny all;
+ }
+ location ~ \.git {
+ deny all;
+ }
+
+ location YNH_WWW_ROOTPATH/src {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/gen-src {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/files/fonts {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/files/private {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/cache {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/bin {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/samples {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/tests {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/vendor {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/conf {
+ deny all;
+ }
+ location YNH_WWW_ROOTPATH/logs {
+ deny all;
+ }
+
+
+
+
+ location YNH_WWW_ROOTPATH/flarum {
+ deny all;
+ return 404;
+ }
+
+ location ~* \.php$ {
+ fastcgi_split_path_info ^(.+.php)(/.+)$;
+ fastcgi_pass unix:/var/run/php5-fpm-YNH_WWW_ROOTAPP.sock;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ fastcgi_param HTTP_PROXY ""; # Fix for https://httpoxy.org/ vulnerability
+ fastcgi_index index.php;
+ fastcgi_read_timeout 600;
+ }
+
+ location ~* \.html$ {
+ expires -1;
+ }
+
+ location ~* \.(css|js|gif|jpe?g|png)$ {
+ expires 1M;
+ add_header Pragma public;
+ add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+ }
+
+ gzip on;
+ gzip_http_version 1.1;
+ gzip_vary on;
+ gzip_comp_level 6;
+ gzip_proxied any;
+ gzip_types application/atom+xml
+ application/javascript
+ application/json
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ font/opentype
+ image/svg+xml
+ image/x-icon
+ text/css
+ text/plain
+ text/xml;
+ gzip_buffers 16 8k;
+ gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+
+
+ # Include SSOWAT user panel.
+ # include conf.d/yunohost_panel.conf.inc;
+}
+
+root ROOT_PATH;
 server_name https://APP_URL;
 add_header "X-Frame-Options" "SAMEORIGIN";
 add_header "X-XSS-Protection" "1; mode=block";
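Review bot: The `deny all` prefix locations for `YNH_WWW_ROOTPATH/src`, `gen-src`, `files/fonts`, `files/private`, `cache`, `bin`, `samples`, `tests`, `vendor`, `conf`, `logs` and `flarum` do not stop PHP execution inside those directories, because nginx gives a matching regex location (`location ~* \.php$` later in the hunk) priority over a plain prefix match, so a `.php` file under e.g. `vendor/` or `tests/` would still be passed to php-fpm instead of being denied. Give each deny block the prefix modifier that makes the match final, e.g. `location ^~ YNH_WWW_ROOTPATH/vendor { deny all; }`, and apply the same to the other deny blocks. The `fastcgi_split_path_info ^(.+.php)(/.+)$;` pattern leaves the dot before `php` unescaped and should read `fastcgi_split_path_info ^(.+\.php)(/.+)$;`. Separately, `location ^~ YNH_WWW_PATH {` has no trailing slash while `alias YNH_WWW_FINALPATH/;` ends in one; if the substituted prefix also lacks a slash, nginx's alias mapping can resolve URIs that merely start with the prefix to paths outside the intended directory, so keep prefix and alias consistently slash-terminated. The enclosing server block lies outside the hunk.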