2018-09-03 23:44:41 +02:00
|
|
|
#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
|
|
|
|
location __PATH__/ {
|
2022-10-06 00:00:31 +02:00
|
|
|
alias __FINALPATH__/;
|
|
|
|
index index.php;
|
2015-11-11 18:03:16 +01:00
|
|
|
|
2022-10-06 00:02:28 +02:00
|
|
|
# Common parameter to increase upload size limit in conjunction with dedicated php-fpm file
|
|
|
|
client_max_body_size 50M;
|
2015-11-11 18:03:16 +01:00
|
|
|
|
2022-10-06 00:00:31 +02:00
|
|
|
# Add headers to serve security related headers
|
|
|
|
more_set_headers "Strict-Transport-Security: max-age=15768000";
|
|
|
|
more_set_headers "X-Content-Type-Options: nosniff";
|
|
|
|
more_set_headers "X-Frame-Options: SAMEORIGIN";
|
|
|
|
more_set_headers "X-XSS-Protection: 1; mode=block";
|
|
|
|
more_set_headers "X-Download-Options: noopen";
|
|
|
|
more_set_headers "X-Permitted-Cross-Domain-Policies: none";
|
2015-11-11 18:03:16 +01:00
|
|
|
|
2022-10-06 00:00:31 +02:00
|
|
|
# Bug in Nginx with locations and aliases (see http://stackoverflow.com/a/35102259 )
|
|
|
|
try_files $uri $uri/ __PATH__/__PATH__/index.php?$query_string;
|
2021-07-12 22:47:43 +02:00
|
|
|
|
2022-10-06 00:00:31 +02:00
|
|
|
location ~ \.php$ {
|
|
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
|
|
fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
|
|
|
|
fastcgi_index index.php;
|
|
|
|
include fastcgi_params;
|
|
|
|
# https://learn.getgrav.org/webservers-hosting/servers/nginx#fix-against-httpoxy-vulnerability
|
|
|
|
fastcgi_param HTTP_PROXY "";
|
|
|
|
fastcgi_param REMOTE_USER $remote_user;
|
|
|
|
fastcgi_param PATH_INFO $fastcgi_path_info;
|
|
|
|
fastcgi_param SCRIPT_FILENAME $request_filename;
|
|
|
|
}
|
2015-11-11 18:03:16 +01:00
|
|
|
|
2022-10-06 00:00:31 +02:00
|
|
|
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
|
|
|
|
expires 30d;
|
|
|
|
more_set_headers "Vary: Accept-Encoding";
|
|
|
|
log_not_found off;
|
|
|
|
}
|
2021-07-08 22:11:22 +02:00
|
|
|
|
2022-10-06 00:00:31 +02:00
|
|
|
location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|woff2|svg)$ {
|
|
|
|
access_log off;
|
|
|
|
expires 30d;
|
|
|
|
more_set_headers "Cache-Control: public";
|
2021-07-08 22:11:22 +02:00
|
|
|
|
2022-10-06 00:00:31 +02:00
|
|
|
## No need to bleed constant updates. Send the all shebang in one fell swoop.
|
|
|
|
tcp_nodelay off;
|
2021-07-08 22:11:22 +02:00
|
|
|
|
2022-10-06 00:00:31 +02:00
|
|
|
## Set the OS file cache.
|
|
|
|
open_file_cache max=3000 inactive=120s;
|
|
|
|
open_file_cache_valid 45s;
|
|
|
|
open_file_cache_min_uses 2;
|
|
|
|
open_file_cache_errors off;
|
|
|
|
}
|
2021-07-08 22:11:22 +02:00
|
|
|
|
2022-10-06 00:00:31 +02:00
|
|
|
## Begin - Security
|
|
|
|
# deny all direct access for these folders
|
|
|
|
location ~* /(.git|cache|bin|logs|backups)/.*$ { return 403; }
|
|
|
|
# deny running scripts inside core system folders
|
|
|
|
location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
|
|
|
|
# deny running scripts inside user folder
|
|
|
|
location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
|
|
|
|
# deny access to specific files in the root folder
|
|
|
|
location ~ /(LICENSE|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; }
|
|
|
|
## End - Security
|
2015-11-11 18:03:16 +01:00
|
|
|
|
2022-10-06 00:00:31 +02:00
|
|
|
#--PRIVATE--# Include SSOWAT user panel.
|
|
|
|
#--PRIVATE--include conf.d/yunohost_panel.conf.inc;
|
2015-11-11 18:03:16 +01:00
|
|
|
}
|