blob: 354c683e1cbcbf83570b96e6179cd71ad7086012 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
## UserFrosting sample nginx configuration file.
## See https://learn.userfrosting.com/going-live/vps-production-environment/application-setup#configure-the-webserver-nginx-
## Redirect HTTP to HTTPS
## Enable this block once you've set up SSL. This will redirect all HTTP requests to HTTPS.
#server {
# listen 80;
# server_name example.com;
# return 301 https://$host$request_uri;
#}
## Main server configuration
server {
## Non-SSL configuration. Not recommended for production!
listen 80;
## Defines the script/file to look for when a request is made to the index of your server name.
index index.php index.html index.htm;
## Begin - Server Info
## Document root directory for your project. Should be set to the directory that contains your index.php.
root /usr/share/nginx/project/public;
server_name example.com;
## End - Server Info
## SSL configuration
## It is STRONGLY RECOMMENDED that you use SSL for all traffic to your UF site.
## Otherwise, you are potentially leaking your users' sensitive info, including passwords!
## See https://letsencrypt.org/ to find out how to get a free, trusted SSL cert for your site.
#
#listen 443 ssl http2;
#listen [::]:443 ssl http2;
## Certificate paths (example for letsencrypt)
#ssl_certificate /etc/letsencrypt/live/<cert name>/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/<cert name>/privkey.pem;
## Disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
## Enable session resumption to enable low latency for repeat visitors.
#ssl_session_cache shared:SSL:50m;
#ssl_session_timeout 5m;
## Enables server-side protection from BEAST attacks
#ssl_prefer_server_ciphers on;
## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
#ssl_dhparam /etc/nginx/dhparam.pem; # google will tell you how to make this
## Ciphers chosen for forward secrecy and compatibility
#ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
## Enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
#resolver 8.8.8.8;
#ssl_stapling on;
#ssl_trusted_certificate /etc/letsencrypt/live/<cert name>/fullchain.pem; # same as your ssl_certificate path
## Config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
#add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
## End - SSL configuration
access_log /var/log/nginx/access.log;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
## This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
add_header X-XSS-Protection "1; mode=block"; #optional
## Begin - Pagespeed
## See https://learn.userfrosting.com/going-live/vps-production-environment/additional-recommendations
## for information on compiling nginx with the Pagespeed module.
#pagespeed on;
#pagespeed FileCachePath /var/ngx_pagespeed_cache;
#pagespeed Disallow "*.svg*";
## Add additional filters here
#pagespeed EnableFilters prioritize_critical_css;
## Ensure requests for pagespeed optimized resources go to the pagespeed
## handler and no extraneous headers get set.
#location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { add_header "" ""; }
#location ~ "^/ngx_pagespeed_static/" { }
#location ~ "^/ngx_pagespeed_beacon" { }
## End - Pagespeed
## Begin - Let's Encrypt
## Allow URLs for certbot acme challenge
location ~ /.well-known {
allow all;
}
## End - Let's Encrypt
## Begin - Handle PHP requests
location ~ \.(php)$ {
# Throw away any requests to execute PHP scripts in other directories
# See http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html for why this is needed
location ~ \..*/.*\.php$ {
return 404;
}
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_keep_conn on;
# For FPM (PHP 7)
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
# For FPM (PHP 5.x)
#fastcgi_pass unix:/var/run/php5-fpm.sock;
# For traditional PHP FastCGI (php5-cgi or php7.0-cgi)
#fastcgi_pass 127.0.0.1:9000;
# For HHVM
#fastcgi_pass unix:/var/run/hhvm/hhvm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
## End - Handle PHP requests
## Begin - Caching static files
location ~* \.(png|gif|jpg|jpeg|svg|ico|css|js|woff|ttf|otf|woff2|eot)$ {
include /etc/nginx/mime.types;
expires max;
index index.php;
try_files $uri $uri/ /index.php?$query_string;
}
## End - Caching static files
## Begin - Index
## for subfolders, simply adjust:
## `location /subfolder {`
## and the rewrite to use `/subfolder/index.php`
location / {
include /etc/nginx/mime.types;
index index.php;
try_files $uri $uri/ /index.php?$query_string;
}
## End - Index
}
|
