Halaman utama Jelajahi Bantuan
Masuk
diogo
/
gnu-social
Liatin 19
Bintangi 39
Fork 35
Berkas Masalah 116 Tarik Permintaan 5 Wiki
Pohon: b999c1bd62
Ranting Tag
gnu-social
/
docker
/
nginx
/
nginx.conf

nginx.conf 2.7 KB
Riwayat Mentahan

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899 
  1. server {
    2. 

  2. 

  3.     listen [::]:80;
    4. 

  4.     listen 80;
    5. 

  5. 

  6.     server_name %hostname%;
    7. 

  7. 

  8.     # redirect all traffic to HTTPS
    9. 

  9.     rewrite ^ https://$host$request_uri? permanent;
    10. 

  10. }
    11. 

  11. 

  12. server {
    13. 

  13. 

  14.     listen [::]:443 ssl http2;
    15. 

  15.     listen 443 ssl http2;
    16. 

  16. 

  17.     ssl_certificate /etc/letsencrypt/live/%hostname%/fullchain.pem;
    18. 

  18.     ssl_certificate_key /etc/letsencrypt/live/%hostname%/privkey.pem;
    19. 

  19. 

  20.     # Let's Encrypt best practices
    21. 

  21.     include /etc/letsencrypt/options-ssl-nginx.conf;
    22. 

  22.     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    23. 

  23. 

  24.     root /var/www/social/public;
    25. 

  25. 

  26.     # Server name
    27. 

  27.     server_name %hostname%;
    28. 

  28. 

  29.     # Index
    30. 

  30.     index index.php;
    31. 

  31. 

  32.     # X-Accel/X-Sendfile. Still needs to be enabled in the config
    33. 

  33.     location /file {
    34. 

  34.         internal;
    35. 

  35.         root /var/www/social;
    36. 

  36.     }
    37. 

  37. 

  38.     # PHP
    39. 

  39.     location ~ ^/(index|install)\.php(/.*)?$ {
    40. 

  40.         include fastcgi_params;
    41. 

  41. 

  42.         fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    43. 

  43.         set $path_info $fastcgi_path_info;
    44. 

  44.         try_files $fastcgi_script_name =404;
    45. 

  45. 

  46.         fastcgi_pass php:9000;
    47. 

  47.         fastcgi_index index.php;
    48. 

  48. 

  49.         fastcgi_param PATH_INFO $path_info;
    50. 

  50.         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    51. 

  51.     }
    52. 

  52. 

  53.     # Don't allow any PHP file other than index.php to be executed
    54. 

  54.     # This will ensure that nor config.php nor plugin files with eventual hardcoded security information are downloadable
    55. 

  55.     # And this is better than allowing php files to be executed in case of forgotten `if (!defined('GNUSOCIAL')) { exit(1); }`
    56. 

  56.     location ~ \.php$ {
    57. 

  57.         deny all;
    58. 

  58.     }
    59. 

  59. 

  60.     # Location
    61. 

  61.     location / {
    62. 

  62.         try_files $uri $uri/ @index_handler;
    63. 

  63.     }
    64. 

  64. 

  65.     # Fancy URLs
    66. 

  66.     error_page 404 @index_handler;
    67. 

  67.     location @index_handler {
    68. 

  68.         rewrite ^(.*)$ /index.php?p=$1 last;
    69. 

  69.     }
    70. 

  70. 

  71.     # Restrict access that is unnecessary anyway
    72. 

  72.     location ~ /\.(ht|git) {
    73. 

  73.         deny all;
    74. 

  74.     }
    75. 

  75. 

  76. #
    77. 

  77. # Hardening (optional)
    78. 

  78. #
    79. 

  79.     add_header Strict-Transport-Security "max-age=15768000; preload;";
    80. 

  80.     add_header X-Content-Type-Options nosniff;
    81. 

  81.     add_header Referrer-Policy strict-origin-when-cross-origin;
    82. 

  82.     add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
    83. 

  83.     add_header X-Permitted-Cross-Domain-Policies none;
    84. 

  84.     add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes
    85. 

  85. 

  86.     client_max_body_size 15M;
    87. 

  87.     client_body_buffer_size 128k;
    88. 

  88.     gzip_vary on;
    89. 

  89. 

  90.     location ~* \.(?:css|js|woff|svg|gif|png|webp|ttf|ico|jpe?g)$ {
    91. 

  91.         gzip on;
    92. 

  92.         gzip_comp_level 4;
    93. 

  93.         add_header Cache-Control "public";
    94. 

  94.         expires 30d;
    95. 

  95.         access_log off;
    96. 

  96.         log_not_found off;
    97. 

  97.     }
    98. 

  98. }
    99. 

  99.