Cluesblues67
/
gnu-social
forkattu lähteestä someonewithpc/gnu-social


			
				
					
						
						
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091
							# server {

#     server_name social.localhost;

#     # redirect all traffic to HTTPS
#     rewrite ^ https://$host$request_uri? permanent;
# }

server {
    listen [::]:80;
    listen 80;

    # Root
    root /var/www/gnusocial/public;

    # Server name
    server_name social.localhost;

    # Index
    index index.php;

    # X-Accel/X-Sendfile. Still needs to be enabled in the config
    location /file {
        internal;
        # FIXME: Change "/path/to/gnusocial/root/" to the folder where
        # attachments are stored (normally the same as the site root)
        root /var/www/gnusocial;
    }

    # PHP
    location ~ ^/(index|install)\.php(/.*)?$ {
        include fastcgi_params;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;

        fastcgi_pass php:9000;
        fastcgi_index index.php;

        fastcgi_param PATH_INFO $path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Don't allow any PHP file other than index.php to be executed
    # This will ensure that nor config.php nor plugin files with eventual hardcoded security information are downloadable
    # And this is better than allowing php files to be executed in case of forgotten `if (!defined('GNUSOCIAL')) { exit(1); }`
    location ~ \.php$ {
        deny all;
    }

    # Location
    location / {
        try_files $uri $uri/ @index_handler;
    }

    # Fancy URLs
    error_page 404 @index_handler;
    location @index_handler {
        rewrite ^(.*)$ /index.php?p=$1 last;
    }

    # Restrict access that is unnecessary anyway
    location ~ /\.(ht|git) {
        deny all;
    }

#
# Hardening (optional)
#
#    add_header Strict-Transport-Security "max-age=15768000; preload;";
#    add_header X-Content-Type-Options nosniff;
#    add_header Referrer-Policy strict-origin-when-cross-origin;
#    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
#    add_header X-Permitted-Cross-Domain-Policies none;
#    add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes
#
#    client_max_body_size 15M;
#    client_body_buffer_size 128k;
#    gzip_vary on;
#
#    location ~* \.(?:css|js|woff|svg|gif|png|webp|ttf|ico|jpe?g)$ {
#        gzip on;
#        gzip_comp_level 4;
#        add_header Cache-Control "public";
#        expires 30d;
#        access_log off;
#        log_not_found off;
#    }
}