nginx.conf.sample 3.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116
  1. server {
  2. listen [::]:80;
  3. listen 80;
  4. # FIXME: Change domain name here (and also make sure you do the same in the next 'server' section)
  5. server_name social.example.org;
  6. # redirect all traffic to HTTPS
  7. return 301 https://$host$request_uri;
  8. }
  9. map $sent_http_content_type $gnusocial_expires_policy {
  10. default off;
  11. text/css 30d;
  12. application/javascript 30d;
  13. ~image/ 30d;
  14. ~video/ 30d;
  15. }
  16. server {
  17. # HTTPS is mandatory on GNU social unless you are using Tor network. Seriously.
  18. # Set it up with a cert (any cert) before you run the install.
  19. listen [::]:443 ssl http2;
  20. listen 443 ssl http2;
  21. # Root
  22. # FIXME: Change the path below to where you installed GNU social (GNU social's root + /public)
  23. root /var/www/gnusocial/public;
  24. # Server name
  25. # FIXME: Change "social.example.org" to your site's domain name
  26. server_name social.example.org;
  27. # SSL
  28. # FIXME: Change the paths to setup your SSL key/cert. See https://cipherli.st/ for more information
  29. ssl_certificate ssl/certs/social.example.org.crt;
  30. ssl_certificate_key ssl/private/social.example.org.key;
  31. # Index
  32. index index.php;
  33. # Enable browser caching for JS, CSS, images, audio, video
  34. expires $gnusocial_expires_policy;
  35. # X-Accel/X-Sendfile. Still needs to be enabled in the config
  36. location ^~ /file {
  37. internal;
  38. # FIXME: Change "/path/to/gnusocial/root/" to the folder where
  39. # attachments are stored (normally the same as the site root)
  40. root /path/to/gnusocial/root/;
  41. # Enable compression for images, audio, video to save bandwidth
  42. # gzip on;
  43. # gzip_comp_level 4;
  44. }
  45. # PHP
  46. # FIXME: Change "php7.X" to your version of fpm
  47. location ~ ^/(index|install)\.php(/.*)?$ {
  48. #location ^~ /index.php {
  49. include fastcgi_params;
  50. fastcgi_split_path_info ^(.+?\.php)(/.*)$;
  51. set $path_info $fastcgi_path_info;
  52. try_files $fastcgi_script_name =404;
  53. fastcgi_pass unix:/run/php/php7.X-fpm.sock;
  54. fastcgi_index index.php;
  55. fastcgi_param PATH_INFO $path_info;
  56. fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  57. }
  58. # Don't allow any PHP file other than index.php to be executed
  59. # This will ensure that nor config.php nor plugin files with eventual hardcoded security information are downloadable
  60. # And this is better than allowing php files to be executed in case of forgotten `if (!defined('GNUSOCIAL')) { exit(1); }`
  61. location ~ \.php$ {
  62. deny all;
  63. }
  64. # Location
  65. location / {
  66. try_files $uri $uri/ @index_handler;
  67. }
  68. # If avatars are located at /path/to/gnusocial/root/file (default)
  69. location ^~ /avatar {
  70. rewrite ^(.*)$ /file/$1 last;
  71. }
  72. # Fancy URLs
  73. error_page 404 @index_handler;
  74. location @index_handler {
  75. rewrite ^(.*)$ /index.php?p=$1 last;
  76. }
  77. # Restrict access that is unnecessary anyway
  78. location ~ /\.(ht|git) {
  79. deny all;
  80. }
  81. #
  82. # Hardening (optional)
  83. #
  84. # add_header Strict-Transport-Security "max-age=15768000; preload;";
  85. # add_header X-Content-Type-Options nosniff;
  86. # add_header Referrer-Policy strict-origin-when-cross-origin;
  87. # add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
  88. # add_header X-Permitted-Cross-Domain-Policies none;
  89. # add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes
  90. #
  91. # client_max_body_size 15M;
  92. # client_body_buffer_size 128k;
  93. # gzip_vary on;
  94. }