# Main (process-wide) context.

# Worker processes run as this unprivileged user and group.
user www-data www-data;

# File in which the master process writes its PID.
pid /var/run/nginx.pid;

# Only messages of severity "warn" and above are written to the error log.
error_log /var/log/nginx/error.log warn;

# A single worker process.
worker_processes 1;
# Connection processing: upper bound on simultaneous connections per worker.
events {
    worker_connections 1024;
}
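http {
    charset utf-8;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Client address and logging
    ##

    # Accept a replacement client address only on connections that come from
    # the gateway. real_ip_header is not set in this file, so nginx uses its
    # default (X-Real-IP) unless an included file overrides it.
    set_real_ip_from {{ site.subnet_gateway_ip }};

    # Log $remote_addr rather than $http_x_real_ip. The raw header is whatever
    # the peer sent, so a request that does not arrive through the gateway
    # could put any address into the log. $remote_addr is rewritten by the
    # realip module only for peers matched by set_real_ip_from and is the
    # actual peer address otherwise.
    # $http_x_forwarded_for is still logged, quoted, as untrusted client data.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 15s;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in error pages and the Server header.
    server_tokens off;
    # Upper bound on request bodies (uploads); larger requests are rejected.
    client_max_body_size 10M;
    # Seconds allowed between two successive reads of the request body.
    client_body_timeout 60;
    # server_names_hash_bucket_size 64;
    server_name_in_redirect off;

    ##
    # Gzip Settings
    ##

    # NOTE(review): gzip_proxied any compresses responses to proxied requests
    # as well, and text/html is always compressed once gzip is on. If pages
    # that reflect request data next to secrets are delivered over TLS,
    # compression side channels (BREACH) are worth reviewing. Confirm where
    # TLS is terminated.
    gzip on;
    gzip_disable "msie6";

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # Files included here are parsed in the http context, before the server
    # block below.
    include /etc/nginx/conf.d/*.conf;

    server {
        # Plain HTTP only, on IPv4 and IPv6.
        # NOTE(review): nothing in this file serves or redirects to HTTPS.
        # Presumably TLS is terminated at the gateway. Confirm.
        listen 80 default;
        listen [::]:80 default;
        server_name {{ site.url }} www.{{ site.url }};

        root /var/www/html;
        index index.php;

        # Restrictions
        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # Deny every URI that contains a path segment starting with a dot
        # (.git, .env, .htaccess and similar).
        # NOTE(review): this also matches /.well-known/. Check whether
        # anything (e.g. ACME HTTP-01 validation) needs that path here.
        location ~ /\. {
            deny all;
        }

        location = /_.gif {
            expires max;
            empty_gif;
        }

        # Static assets: far-future expiry, missing files are not logged.
        location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
            expires max;
            log_not_found off;
        }

        # Never execute PHP from the upload directories. Regex locations are
        # tested in the order they appear and the first match wins, so this
        # block must stay above "location ~ \.php$".
        location ~* /(?:uploads|files)/.*\.php$ {
            deny all;
        }

        # xmlrpc.php is a common target for password brute-forcing; block it.
        # An exact-match location takes precedence over the regex locations.
        location = /xmlrpc.php {
            deny all;
        }

        # Front controller: serve the file or directory if it exists,
        # otherwise hand the request to index.php.
        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            # regex to split $uri to $fastcgi_script_name and $fastcgi_path_info
            fastcgi_split_path_info ^(.+\.php)(/.+)$;

            # Check that the PHP script exists before passing it
            # Breaks site...
            # try_files $fastcgi_script_name =404;
            # NOTE(review): with the check disabled, every URI ending in .php
            # is forwarded to the backend whether or not such a file exists.
            # Presumably the check fails because the scripts live on the
            # backend (site:9000) and not on this server's filesystem.
            # Confirm. Until it can be re-enabled, make sure the PHP side
            # refuses anything that is not a real .php file (php-fpm
            # security.limit_extensions, cgi.fix_pathinfo=0).

            # Block httpoxy: send an empty HTTP_PROXY so that a client
            # "Proxy" request header is not exposed to PHP under that name.
            # See https://httpoxy.org/ :
            fastcgi_param HTTP_PROXY "";

            # Bypass the fact that try_files resets $fastcgi_path_info
            # see: http://trac.nginx.org/nginx/ticket/321
            # (try_files is commented out above, so this is currently a
            # plain copy of the value.)
            set $path_info $fastcgi_path_info;
            fastcgi_param PATH_INFO $path_info;

            # Do not display errors:
            # fastcgi_intercept_errors on;

            fastcgi_index index.php;

            include fastcgi_params;

            # FastCGI backend, reached over TCP at host "site", port 9000.
            fastcgi_pass site:9000;

            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
}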