#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location __PATH__/ { alias __FINALPATH__/; index index.php; client_max_body_size 30m; # Add headers to serve security related headers more_set_headers "Strict-Transport-Security: max-age=15768000"; more_set_headers "X-Content-Type-Options: nosniff"; more_set_headers "X-Frame-Options: SAMEORIGIN"; more_set_headers "X-XSS-Protection: 1; mode=block"; more_set_headers "X-Download-Options: noopen"; more_set_headers "X-Permitted-Cross-Domain-Policies: none"; # Bug in Nginx with locations and aliases (see http://stackoverflow.com/a/35102259 ) try_files $uri $uri/ __PATH__/__PATH__/index.php?$query_string; location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock; fastcgi_index index.php; include fastcgi_params; # https://learn.getgrav.org/webservers-hosting/servers/nginx#fix-against-httpoxy-vulnerability fastcgi_param HTTP_PROXY ""; fastcgi_param REMOTE_USER $remote_user; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param SCRIPT_FILENAME $request_filename; } location ~* \.(?:ico|css|js|gif|jpe?g|png)$ { expires 30d; more_set_headers "Vary: Accept-Encoding"; log_not_found off; } location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|html|xml|otf|ttf|eot|woff|woff2|svg)$ { access_log off; expires 30d; more_set_headers "Cache-Control: public"; ## No need to bleed constant updates. Send the all shebang in one fell swoop. tcp_nodelay off; ## Set the OS file cache. open_file_cache max=3000 inactive=120s; open_file_cache_valid 45s; open_file_cache_min_uses 2; open_file_cache_errors off; } ## Begin - Security # deny all direct access for these folders location ~* /(.git|cache|bin|logs|backups)/.*$ { return 403; } # deny running scripts inside core system folders location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } # deny running scripts inside user folder location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } # deny access to specific files in the root folder location ~ /(LICENSE|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; } ## End - Security #--PRIVATE--# Include SSOWAT user panel. #--PRIVATE--include conf.d/yunohost_panel.conf.inc; }