123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899 |
- server {
- listen [::]:80;
- listen 80;
- server_name %hostname%;
- # redirect all traffic to HTTPS
- rewrite ^ https://$host$request_uri? permanent;
- }
- server {
- listen [::]:443 ssl http2;
- listen 443 ssl http2;
- ssl_certificate /etc/letsencrypt/live/%hostname_root%/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/%hostname_root%/privkey.pem;
- # Let's Encrypt best practices
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
- root /var/www/social/public;
- # Server name
- server_name %hostname%;
- # Index
- index index.php;
- # X-Accel/X-Sendfile. Still needs to be enabled in the config
- location /file {
- internal;
- root /var/www/social;
- }
- # PHP
- location ~ ^/(index|install)\.php(/.*)?$ {
- include fastcgi_params;
- fastcgi_split_path_info ^(.+?\.php)(/.*)$;
- set $path_info $fastcgi_path_info;
- try_files $fastcgi_script_name =404;
- fastcgi_pass php:9000;
- fastcgi_index index.php;
- fastcgi_param PATH_INFO $path_info;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- }
- # Don't allow any PHP file other than index.php to be executed
- # This will ensure that nor config.php nor plugin files with eventual hardcoded security information are downloadable
- # And this is better than allowing php files to be executed in case of forgotten `if (!defined('GNUSOCIAL')) { exit(1); }`
- location ~ \.php$ {
- deny all;
- }
- # Location
- location / {
- try_files $uri $uri/ @index_handler;
- }
- # Fancy URLs
- error_page 404 @index_handler;
- location @index_handler {
- rewrite ^(.*)$ /index.php?p=$1 last;
- }
- # Restrict access that is unnecessary anyway
- location ~ /\.(ht|git) {
- deny all;
- }
- #
- # Hardening (optional)
- #
- add_header Strict-Transport-Security "max-age=15768000; preload;";
- add_header X-Content-Type-Options nosniff;
- add_header Referrer-Policy strict-origin-when-cross-origin;
- add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes
- client_max_body_size 15M;
- client_body_buffer_size 128k;
- gzip_vary on;
- location ~* \.(?:css|js|woff|svg|gif|png|webp|ttf|ico|jpe?g)$ {
- gzip on;
- gzip_comp_level 4;
- add_header Cache-Control "public";
- expires 30d;
- access_log off;
- log_not_found off;
- }
- }
|