grav_ynh/conf/nginx.conf

#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
location __PATH__/ {
		alias __FINALPATH__/;
		index index.php;

		if (!-e $request_filename)
		{
			rewrite ^(.+)$ __PATH__/index.php?q=$1 last;
		}
		if ($scheme = http) {
			rewrite ^ https://$server_name$request_uri? permanent;
		}
		client_max_body_size 30m;

		# Add headers to serve security related headers
		more_set_headers "Strict-Transport-Security: max-age=15768000";
		more_set_headers "X-Content-Type-Options: nosniff";
		more_set_headers "X-Frame-Options: SAMEORIGIN";
		more_set_headers "X-XSS-Protection: 1; mode=block";
		more_set_headers "X-Download-Options: noopen";
		more_set_headers "X-Permitted-Cross-Domain-Policies: none";

		location ~* \.(jpg|jpeg|gif|css|png|js|ico|swf|mp3|pdf)$ {
			# Le contenu statique, est signalé au navigateur comme étant
			# à garder en cache une semaine. Si il y a un proxy sur la
			# route, celui-ci est autorisé à faire une copie et à la
			# cacher.
			expires        1w;
			more_set_headers "Cache-Control: public";
		}
		location ~ [^/]\.php(/|$) {
			fastcgi_split_path_info ^(.+?\.php)(/.*)$;
			fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
			fastcgi_index index.php;
			include fastcgi_params;
			# https://learn.getgrav.org/webservers-hosting/servers/nginx#fix-against-httpoxy-vulnerability
			fastcgi_param HTTP_PROXY "";
			fastcgi_param REMOTE_USER $remote_user;
			fastcgi_param PATH_INFO $fastcgi_path_info;
			fastcgi_param SCRIPT_FILENAME $request_filename;
		}

			## Begin - Security
			# deny all direct access for these folders
			location ~* /(.git|cache|bin|logs|backups)/.*$ { return 403; }
			# deny running scripts inside core system folders
			location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
			# deny running scripts inside user folder
			location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
			# deny access to specific files in the root folder
			location ~ /(LICENSE|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; }
			## End - Security

		#--PRIVATE--# Include SSOWAT user panel.
		#--PRIVATE--include conf.d/yunohost_panel.conf.inc;
}
Protect against alias_traversal & httpoxy 2018-09-03 23:44:41 +02:00			`#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;`
			`location __PATH__/ {`
Update package README nginx.conf et manifest 2017-03-02 15:49:44 +01:00			`alias __FINALPATH__/;`
			`index index.php;`
Grav for YunoHost 2015-11-11 18:03:16 +01:00
Update package README nginx.conf et manifest 2017-03-02 15:49:44 +01:00			`if (!-e $request_filename)`
			`{`
Full rewrite 2018-09-03 23:31:52 +02:00			`rewrite ^(.+)$ __PATH__/index.php?q=$1 last;`
Update package README nginx.conf et manifest 2017-03-02 15:49:44 +01:00			`}`
			`if ($scheme = http) {`
			`rewrite ^ https://$server_name$request_uri? permanent;`
			`}`
			`client_max_body_size 30m;`
Grav for YunoHost 2015-11-11 18:03:16 +01:00
Update package README nginx.conf et manifest 2017-03-02 15:49:44 +01:00			`# Add headers to serve security related headers`
[fix] use more_set_headers in nginx.conf see #30 2019-10-26 15:09:06 +02:00			`more_set_headers "Strict-Transport-Security: max-age=15768000";`
			`more_set_headers "X-Content-Type-Options: nosniff";`
			`more_set_headers "X-Frame-Options: SAMEORIGIN";`
			`more_set_headers "X-XSS-Protection: 1; mode=block";`
			`more_set_headers "X-Download-Options: noopen";`
			`more_set_headers "X-Permitted-Cross-Domain-Policies: none";`
Grav for YunoHost 2015-11-11 18:03:16 +01:00
Update package README nginx.conf et manifest 2017-03-02 15:49:44 +01:00			`location ~* \.(jpg\|jpeg\|gif\|css\|png\|js\|ico\|swf\|mp3\|pdf)$ {`
			`# Le contenu statique, est signalé au navigateur comme étant`
			`# à garder en cache une semaine. Si il y a un proxy sur la`
			`# route, celui-ci est autorisé à faire une copie et à la`
			`# cacher.`
Upgrade to v1.6.26, YNH v3.7 permissions system, PHP version handling, fix CI badge (#39) * Fix check_process (#34) * Upgrade to 1.6.26, YNH v3.7 permissions system and PHP version handling (#37) * [upg] grav 1.6.16 Makes the app agnostic regarding the needed PHP version. Includes experimental helpers to install various PHP versions, if needed. Includes Grav v1.6.16 with PHP 7.2. * [enh] adding LDAP login for designated admin It is a bit hacky, since YNH does not have yet LDAP groups support: groups=usernames. To add more users, manually edit the configuration file in the admin. * [enh] use the permissions system * [enh] setting permissions up * [enh] restore php before adding conf file * [enh] avoid adding repo if sury list already exists This prevents getting multiple warning messages about duplicated repos. * [fix] remove order * [fix] testing and setting permissions * [upg] app version and remove php7.0-fpm dependency * Fix check_process (#34) * [upg] permissions configuration for install and upgrade * [upg] grav v1.6.23 * [upg] new permissions system * [fix] check_process is_public * [fix] missing 1 more_set_headers in nginx.conf * [fix] upgrade: allow visitors if was public * [fix] experimental_helpers directory in remove * [fix] retrieve phpversion in remove * [fix] remove old php-fpm config if needed in upgrade * [fix] helpers in subdirectory * [enh] no default group needed * [enh] update all plugins during upgrade * [enh] adding progress messages * [fix] specify phpversion in change_url * [enh] to v3.7 standards * [upg] grav v1.6.26 * [rem] ynh_permission_has_user is now official * [upg] check_process * [fix] php-fpm upgrade * [fix] use YNH_PHP_VERSION instead of phpversion in restore * [fix] php and chown in upgrade * [fix] check_process * [fix] app-upgrade.src * [fix] php-fpm and [rem] progression --time * [fix] restart php-fpm instead of reloading * [fix] user home_dir and permissions * [fix] upgrade publicness * [fix] CI badge on README (#38) * Fix failing check_process (#35) * Fix check_process (#34) * Fix CI badge on README Co-authored-by: tituspijean <tituspijean@outlook.com> Co-authored-by: Kayou <pierre.moltess@gmail.com> Co-authored-by: Alexandre Aubin <alex.aubin@mailoo.org> 2020-07-10 19:22:37 +02:00			`expires 1w;`
			`more_set_headers "Cache-Control: public";`
Update package README nginx.conf et manifest 2017-03-02 15:49:44 +01:00			`}`
			`location ~ [^/]\.php(/\|$) {`
			`fastcgi_split_path_info ^(.+?\.php)(/.*)$;`
Upgrade to v1.6.26, YNH v3.7 permissions system, PHP version handling, fix CI badge (#39) * Fix check_process (#34) * Upgrade to 1.6.26, YNH v3.7 permissions system and PHP version handling (#37) * [upg] grav 1.6.16 Makes the app agnostic regarding the needed PHP version. Includes experimental helpers to install various PHP versions, if needed. Includes Grav v1.6.16 with PHP 7.2. * [enh] adding LDAP login for designated admin It is a bit hacky, since YNH does not have yet LDAP groups support: groups=usernames. To add more users, manually edit the configuration file in the admin. * [enh] use the permissions system * [enh] setting permissions up * [enh] restore php before adding conf file * [enh] avoid adding repo if sury list already exists This prevents getting multiple warning messages about duplicated repos. * [fix] remove order * [fix] testing and setting permissions * [upg] app version and remove php7.0-fpm dependency * Fix check_process (#34) * [upg] permissions configuration for install and upgrade * [upg] grav v1.6.23 * [upg] new permissions system * [fix] check_process is_public * [fix] missing 1 more_set_headers in nginx.conf * [fix] upgrade: allow visitors if was public * [fix] experimental_helpers directory in remove * [fix] retrieve phpversion in remove * [fix] remove old php-fpm config if needed in upgrade * [fix] helpers in subdirectory * [enh] no default group needed * [enh] update all plugins during upgrade * [enh] adding progress messages * [fix] specify phpversion in change_url * [enh] to v3.7 standards * [upg] grav v1.6.26 * [rem] ynh_permission_has_user is now official * [upg] check_process * [fix] php-fpm upgrade * [fix] use YNH_PHP_VERSION instead of phpversion in restore * [fix] php and chown in upgrade * [fix] check_process * [fix] app-upgrade.src * [fix] php-fpm and [rem] progression --time * [fix] restart php-fpm instead of reloading * [fix] user home_dir and permissions * [fix] upgrade publicness * [fix] CI badge on README (#38) * Fix failing check_process (#35) * Fix check_process (#34) * Fix CI badge on README Co-authored-by: tituspijean <tituspijean@outlook.com> Co-authored-by: Kayou <pierre.moltess@gmail.com> Co-authored-by: Alexandre Aubin <alex.aubin@mailoo.org> 2020-07-10 19:22:37 +02:00			`fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;`
Update package README nginx.conf et manifest 2017-03-02 15:49:44 +01:00			`fastcgi_index index.php;`
			`include fastcgi_params;`
Protect against alias_traversal & httpoxy 2018-09-03 23:44:41 +02:00			`# https://learn.getgrav.org/webservers-hosting/servers/nginx#fix-against-httpoxy-vulnerability`
			`fastcgi_param HTTP_PROXY "";`
Update package README nginx.conf et manifest 2017-03-02 15:49:44 +01:00			`fastcgi_param REMOTE_USER $remote_user;`
			`fastcgi_param PATH_INFO $fastcgi_path_info;`
			`fastcgi_param SCRIPT_FILENAME $request_filename;`
			`}`
Grav for YunoHost 2015-11-11 18:03:16 +01:00
Upgrade to v1.6.26, YNH v3.7 permissions system, PHP version handling, fix CI badge (#39) * Fix check_process (#34) * Upgrade to 1.6.26, YNH v3.7 permissions system and PHP version handling (#37) * [upg] grav 1.6.16 Makes the app agnostic regarding the needed PHP version. Includes experimental helpers to install various PHP versions, if needed. Includes Grav v1.6.16 with PHP 7.2. * [enh] adding LDAP login for designated admin It is a bit hacky, since YNH does not have yet LDAP groups support: groups=usernames. To add more users, manually edit the configuration file in the admin. * [enh] use the permissions system * [enh] setting permissions up * [enh] restore php before adding conf file * [enh] avoid adding repo if sury list already exists This prevents getting multiple warning messages about duplicated repos. * [fix] remove order * [fix] testing and setting permissions * [upg] app version and remove php7.0-fpm dependency * Fix check_process (#34) * [upg] permissions configuration for install and upgrade * [upg] grav v1.6.23 * [upg] new permissions system * [fix] check_process is_public * [fix] missing 1 more_set_headers in nginx.conf * [fix] upgrade: allow visitors if was public * [fix] experimental_helpers directory in remove * [fix] retrieve phpversion in remove * [fix] remove old php-fpm config if needed in upgrade * [fix] helpers in subdirectory * [enh] no default group needed * [enh] update all plugins during upgrade * [enh] adding progress messages * [fix] specify phpversion in change_url * [enh] to v3.7 standards * [upg] grav v1.6.26 * [rem] ynh_permission_has_user is now official * [upg] check_process * [fix] php-fpm upgrade * [fix] use YNH_PHP_VERSION instead of phpversion in restore * [fix] php and chown in upgrade * [fix] check_process * [fix] app-upgrade.src * [fix] php-fpm and [rem] progression --time * [fix] restart php-fpm instead of reloading * [fix] user home_dir and permissions * [fix] upgrade publicness * [fix] CI badge on README (#38) * Fix failing check_process (#35) * Fix check_process (#34) * Fix CI badge on README Co-authored-by: tituspijean <tituspijean@outlook.com> Co-authored-by: Kayou <pierre.moltess@gmail.com> Co-authored-by: Alexandre Aubin <alex.aubin@mailoo.org> 2020-07-10 19:22:37 +02:00			`## Begin - Security`
			`# deny all direct access for these folders`
			`location ~* /(.git\|cache\|bin\|logs\|backups)/.*$ { return 403; }`
			`# deny running scripts inside core system folders`
			`location ~* /(system\|vendor)/.*\.(txt\|xml\|md\|html\|yaml\|php\|pl\|py\|cgi\|twig\|sh\|bat)$ { return 403; }`
			`# deny running scripts inside user folder`
			`location ~* /user/.*\.(txt\|md\|yaml\|php\|pl\|py\|cgi\|twig\|sh\|bat)$ { return 403; }`
			`# deny access to specific files in the root folder`
			`location ~ /(LICENSE\|composer.lock\|composer.json\|nginx.conf\|web.config\|htaccess.txt\|\.htaccess) { return 403; }`
			`## End - Security`
Grav for YunoHost 2015-11-11 18:03:16 +01:00
Update package README nginx.conf et manifest 2017-03-02 15:49:44 +01:00			`#--PRIVATE--# Include SSOWAT user panel.`
			`#--PRIVATE--include conf.d/yunohost_panel.conf.inc;`
Grav for YunoHost 2015-11-11 18:03:16 +01:00			`}`