nginx.conf 2.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
  1. server {
  2. listen [::]:80;
  3. listen 80;
  4. server_name %hostname%;
  5. # redirect all traffic to HTTPS
  6. rewrite ^ https://$host$request_uri? permanent;
  7. }
  8. server {
  9. listen [::]:443 ssl http2;
  10. listen 443 ssl http2;
  11. ssl_certificate /etc/letsencrypt/live/%hostname_root%/fullchain.pem;
  12. ssl_certificate_key /etc/letsencrypt/live/%hostname_root%/privkey.pem;
  13. # Let's Encrypt best practices
  14. include /etc/letsencrypt/options-ssl-nginx.conf;
  15. ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
  16. root /var/www/social/public;
  17. # Server name
  18. server_name %hostname%;
  19. # Index
  20. index index.php;
  21. # X-Accel/X-Sendfile. Still needs to be enabled in the config
  22. location /file {
  23. internal;
  24. root /var/www/social;
  25. }
  26. # PHP
  27. location ~ ^/(index|install)\.php(/.*)?$ {
  28. include fastcgi_params;
  29. fastcgi_split_path_info ^(.+?\.php)(/.*)$;
  30. set $path_info $fastcgi_path_info;
  31. try_files $fastcgi_script_name =404;
  32. fastcgi_pass php:9000;
  33. fastcgi_index index.php;
  34. fastcgi_param PATH_INFO $path_info;
  35. fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  36. }
  37. # Don't allow any PHP file other than index.php to be executed
  38. # This will ensure that nor config.php nor plugin files with eventual hardcoded security information are downloadable
  39. # And this is better than allowing php files to be executed in case of forgotten `if (!defined('GNUSOCIAL')) { exit(1); }`
  40. location ~ \.php$ {
  41. deny all;
  42. }
  43. # Location
  44. location / {
  45. try_files $uri $uri/ @index_handler;
  46. }
  47. # Fancy URLs
  48. error_page 404 @index_handler;
  49. location @index_handler {
  50. rewrite ^(.*)$ /index.php?p=$1 last;
  51. }
  52. # Restrict access that is unnecessary anyway
  53. location ~ /\.(ht|git) {
  54. deny all;
  55. }
  56. #
  57. # Hardening (optional)
  58. #
  59. add_header Strict-Transport-Security "max-age=15768000; preload;";
  60. add_header X-Content-Type-Options nosniff;
  61. add_header Referrer-Policy strict-origin-when-cross-origin;
  62. add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
  63. add_header X-Permitted-Cross-Domain-Policies none;
  64. add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes
  65. client_max_body_size 15M;
  66. client_body_buffer_size 128k;
  67. gzip_vary on;
  68. location ~* \.(?:css|js|woff|svg|gif|png|webp|ttf|ico|jpe?g)$ {
  69. gzip on;
  70. gzip_comp_level 4;
  71. add_header Cache-Control "public";
  72. expires 30d;
  73. access_log off;
  74. log_not_found off;
  75. }
  76. }