diff options
Diffstat (limited to 'main/webserver-configs/nginx.conf')
| -rwxr-xr-x | main/webserver-configs/nginx.conf | 127 |
1 files changed, 127 insertions, 0 deletions
diff --git a/main/webserver-configs/nginx.conf b/main/webserver-configs/nginx.conf new file mode 100755 index 0000000..354c683 --- /dev/null +++ b/main/webserver-configs/nginx.conf @@ -0,0 +1,127 @@ +## UserFrosting sample nginx configuration file. +## See https://learn.userfrosting.com/going-live/vps-production-environment/application-setup#configure-the-webserver-nginx- + +## Redirect HTTP to HTTPS +## Enable this block once you've set up SSL. This will redirect all HTTP requests to HTTPS. +#server { +# listen 80; +# server_name example.com; +# return 301 https://$host$request_uri; +#} + +## Main server configuration +server { + ## Non-SSL configuration. Not recommended for production! + listen 80; + ## Defines the script/file to look for when a request is made to the index of your server name. + index index.php index.html index.htm; + + ## Begin - Server Info + ## Document root directory for your project. Should be set to the directory that contains your index.php. + root /usr/share/nginx/project/public; + server_name example.com; + ## End - Server Info + + ## SSL configuration + ## It is STRONGLY RECOMMENDED that you use SSL for all traffic to your UF site. + ## Otherwise, you are potentially leaking your users' sensitive info, including passwords! + ## See https://letsencrypt.org/ to find out how to get a free, trusted SSL cert for your site. + # + #listen 443 ssl http2; + #listen [::]:443 ssl http2; + ## Certificate paths (example for letsencrypt) + #ssl_certificate /etc/letsencrypt/live/<cert name>/fullchain.pem; + #ssl_certificate_key /etc/letsencrypt/live/<cert name>/privkey.pem; + ## Disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0 + #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ## Enable session resumption to enable low latency for repeat visitors. + #ssl_session_cache shared:SSL:50m; + #ssl_session_timeout 5m; + ## Enables server-side protection from BEAST attacks + #ssl_prefer_server_ciphers on; + ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits + #ssl_dhparam /etc/nginx/dhparam.pem; # google will tell you how to make this + ## Ciphers chosen for forward secrecy and compatibility + #ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + ## Enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner) + #resolver 8.8.8.8; + #ssl_stapling on; + #ssl_trusted_certificate /etc/letsencrypt/live/<cert name>/fullchain.pem; # same as your ssl_certificate path + ## Config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security + #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; + ## End - SSL configuration + + access_log /var/log/nginx/access.log; + + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + ## This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. + add_header X-XSS-Protection "1; mode=block"; #optional + + ## Begin - Pagespeed + ## See https://learn.userfrosting.com/going-live/vps-production-environment/additional-recommendations + ## for information on compiling nginx with the Pagespeed module. + #pagespeed on; + #pagespeed FileCachePath /var/ngx_pagespeed_cache; + #pagespeed Disallow "*.svg*"; + ## Add additional filters here + #pagespeed EnableFilters prioritize_critical_css; + ## Ensure requests for pagespeed optimized resources go to the pagespeed + ## handler and no extraneous headers get set. + #location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { add_header "" ""; } + #location ~ "^/ngx_pagespeed_static/" { } + #location ~ "^/ngx_pagespeed_beacon" { } + ## End - Pagespeed + + ## Begin - Let's Encrypt + ## Allow URLs for certbot acme challenge + location ~ /.well-known { + allow all; + } + ## End - Let's Encrypt + + ## Begin - Handle PHP requests + location ~ \.(php)$ { + # Throw away any requests to execute PHP scripts in other directories + # See http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html for why this is needed + location ~ \..*/.*\.php$ { + return 404; + } + # regex to split $uri to $fastcgi_script_name and $fastcgi_path + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_keep_conn on; + # For FPM (PHP 7) + fastcgi_pass unix:/run/php/php7.0-fpm.sock; + # For FPM (PHP 5.x) + #fastcgi_pass unix:/var/run/php5-fpm.sock; + # For traditional PHP FastCGI (php5-cgi or php7.0-cgi) + #fastcgi_pass 127.0.0.1:9000; + # For HHVM + #fastcgi_pass unix:/var/run/hhvm/hhvm.sock; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } + ## End - Handle PHP requests + + ## Begin - Caching static files + location ~* \.(png|gif|jpg|jpeg|svg|ico|css|js|woff|ttf|otf|woff2|eot)$ { + include /etc/nginx/mime.types; + expires max; + + index index.php; + try_files $uri $uri/ /index.php?$query_string; + } + ## End - Caching static files + + ## Begin - Index + ## for subfolders, simply adjust: + ## `location /subfolder {` + ## and the rewrite to use `/subfolder/index.php` + location / { + include /etc/nginx/mime.types; + index index.php; + try_files $uri $uri/ /index.php?$query_string; + } + ## End - Index +} |