location __PATHTOCHANGE__ { alias __FINALPATH__/; index index.php; if (!-e $request_filename) { rewrite ^(.+)$ __PATHTOCHANGE__/index.php?q=$1 last; } if ($scheme = http) { rewrite ^ https://$server_name$request_uri? permanent; } client_max_body_size 30m; # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000;"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; location ~* \.(jpg|jpeg|gif|css|png|js|ico|swf|mp3|pdf)$ { # Le contenu statique, est signalé au navigateur comme étant # à garder en cache une semaine. Si il y a un proxy sur la # route, celui-ci est autorisé à faire une copie et à la # cacher. expires 1w; add_header Cache-Control public; } location ~ [^/]\.php(/|$) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_pass unix:/var/run/php5-fpm-__NAMETOCHANGE__.sock; fastcgi_index index.php; include fastcgi_params; fastcgi_param REMOTE_USER $remote_user; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param SCRIPT_FILENAME $request_filename; } ## Begin - Security # deny all direct access for these folders location ~* /(.git|cache|bin|logs|backups)/.*$ { return 403; } # deny running scripts inside core system folders location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } # deny running scripts inside user folder location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } # deny access to specific files in the root folder location ~ /(LICENSE|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; } ## End - Security #--PRIVATE--# Include SSOWAT user panel. #--PRIVATE--include conf.d/yunohost_panel.conf.inc; }