diff --git a/nginx.conf b/nginx.conf new file mode 100644 index 0000000..b218787 --- /dev/null +++ b/nginx.conf @@ -0,0 +1,148 @@ + root ROOT_PATH; + server_name https://APP_URL + add_header "X-Frame-Options" "SAMEORIGIN"; + add_header "X-XSS-Protection" "1; mode=block"; + add_header "X-Content-Type-Options" "nosniff"; + index index.php index.html index.htm; + + + # Don't log robots.txt or favicon.ico files + location = /favicon.ico { log_not_found off; access_log off; } + location = /robots.txt { allow all; access_log off; log_not_found off; } + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + location ~ /\.ht { + deny all; + } + location ~ /\.git { + deny all; + } + location /src { + deny all; + } + location /gen-src { + deny all; + } + location /files/fonts { + deny all; + } + location /files/private { + deny all; + } + location /cache { + deny all; + } + location /bin { + deny all; + } + location /samples { + deny all; + } + location /tests { + deny all; + } + location /vendor { + deny all; + } + location /conf { + deny all; + } + location /logs { + deny all; + } + + # Deny every non-public files in themes + location ~ /themes/(.+)\.(php|yml|twig|xlf|rzn|rzt|rzg)$ { + deny all; + } + location ~ /themes/([^/.]+)/(Resources|Command|Tests|Controllers|Entities|Form|Model|Services)/ { + deny all; + } + + # Enable Expire on Themes public assets + location ~* ^/themes/*.*\.(?:ico|css|js|woff2?|eot|ttf|otf|svg|gif|jpe?g|png)$ { + expires 30d; + access_log off; + add_header "Pragma" "public"; + add_header "Cache-Control" "public"; + add_header "Vary" "Accept-Encoding"; + add_header "X-Frame-Options" "SAMEORIGIN"; + add_header "X-XSS-Protection" "1; mode=block"; + add_header "X-Content-Type-Options" "nosniff"; + + if ($request_method = 'GET') { + add_header 'Access-Control-Allow-Origin' '*'; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; + } + } + # Enable Expire on native documents files + location ~* ^/files/*.*\.(?:ico|gif|jpe?g|png)$ { + expires 15d; + access_log off; + add_header "Pragma" "public"; + add_header "Cache-Control" "public"; + add_header "Vary" "Accept-Encoding"; + add_header "X-Frame-Options" "SAMEORIGIN"; + add_header "X-XSS-Protection" "1; mode=block"; + add_header "X-Content-Type-Options" "nosniff"; + + if ($request_method = 'GET') { + add_header 'Access-Control-Allow-Origin' '*'; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; + } + } + + location / { + # First attempt to serve request as file, then + # as directory, then fall back to front-end controller + # (do not forget to pass GET parameters). + try_files $uri $uri/ /index.php?$query_string; + } + + location ~ /install.php/ { + try_files $uri $uri/ /install.php?$query_string; + } + location ~ /dev.php/ { + try_files $uri $uri/ /dev.php?$query_string; + } + location ~ /preview.php/ { + try_files $uri $uri/ /preview.php?$query_string; + } + location ~ /clear_cache.php/ { + try_files $uri $uri/ /clear_cache.php?$query_string; + } + + # + # Production entry point. + # + location ~ ^/index\.php(/|$) { + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini + # With php5-fpm: + fastcgi_pass unix:/var/run/php5-fpm.sock; + include fastcgi_params; + # Prevents URIs that include the front controller. This will 404: + # http://domain.tld/app.php/some-path + # Remove the internal directive to allow URIs like this + internal; + } + + # + # Preview, Dev and Install entry points. + # + # In production server, don't deploy dev.php or install.php + # + location ~ ^/(dev|install|preview|clear_cache)\.php(/|$) { + # Enforce OPCache PHP class cache invalidation at each request + #fastcgi_param PHP_VALUE "opcache.revalidate_freq=0"; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini + # With php5-fpm: + fastcgi_pass unix:/var/run/php5-fpm.sock; + include fastcgi_params; + }