Last active
March 26, 2024 19:47
-
-
Save BillBrower/105496d435c8d82114a61908666bab5e to your computer and use it in GitHub Desktop.
Nginx configuration for Kirby CMS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server { | |
| listen 80; | |
| server_name kirby.dev www.kirby.dev; | |
| root /path/to/www/kirby; | |
| access_log /var/log/nginx/access.log; | |
| error_log /var/log/nginx/error.log; | |
| # Route LetsEncrypt ACME Challenges to the right place | |
| location ^~ /.well-known/acme-challenge/ { | |
| allow all; | |
| default_type "text/plain"; | |
| try_files $uri /404; | |
| } | |
| # Route everything else through SSL | |
| location ~* ^/(.*)$ { | |
| return 301 https://$server_name/$1$is_args$args; | |
| } | |
| } | |
| server { | |
| charset utf-8; | |
| server_name kirby.dev www.kirby.dev; | |
| root /path/to/www/kirby; | |
| listen 443 ssl; | |
| ssl_protocols TLSv1.2; | |
| ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | |
| ssl_prefer_server_ciphers On; | |
| ssl_certificate /etc/letsencrypt/live/kirby.dev/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/kirby.dev/privkey.pem; | |
| ssl_trusted_certificate /etc/letsencrypt/live/kirby.dev/chain.pem; | |
| ssl_session_cache shared:SSL:128m; | |
| add_header Strict-Transport-Security "max-age=31557600; includeSubDomains"; | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| resolver 8.8.8.8; # Google Resolver | |
| index index.php index.html index.htm; | |
| error_page 404 /404.html; | |
| error_page 500 502 503 504 /50x.html; | |
| location = /50x.html { | |
| root /usr/share/nginx/html; | |
| } | |
| access_log /var/log/nginx/access.log; | |
| error_log /var/log/nginx/error.log; | |
| # Don't hint these as folders | |
| rewrite ^/(content|site|kirby)$ /error last; | |
| # Block content | |
| rewrite ^/content/(.*).(txt|md|mdown)$ /error last; | |
| # Block all files in the site and kirby folder from being accessed directly | |
| rewrite ^/(site|kirby)/(.*)$ /error last; | |
| # Panel links | |
| location /panel { | |
| autoindex off; | |
| try_files $uri $uri/ /panel/index.php?$query_string; | |
| } | |
| # Site links | |
| location / { | |
| autoindex off; | |
| try_files $uri $uri/ /index.php?$query_string; #$uri&$args; | |
| } | |
| # PHP scripts | |
| location ~ \.php$ { | |
| # Set CORS headers | |
| if ($request_method = 'OPTIONS') { | |
| add_header 'Access-Control-Allow-Origin' '*'; | |
| add_header 'Access-Control-Allow-Credentials' 'true'; | |
| add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; | |
| add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; | |
| add_header 'Access-Control-Max-Age' 1728000; | |
| add_header 'Content-Type' 'text/plain charset=UTF-8'; | |
| add_header 'Content-Length' 0; | |
| return 204; | |
| } | |
| if ($request_method = 'POST') { | |
| add_header 'Access-Control-Allow-Origin' '*'; | |
| add_header 'Access-Control-Allow-Credentials' 'true'; | |
| add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; | |
| add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; | |
| } | |
| if ($request_method = 'GET') { | |
| add_header 'Access-Control-Allow-Origin' '*'; | |
| add_header 'Access-Control-Allow-Credentials' 'true'; | |
| add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; | |
| add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; | |
| } | |
| try_files $uri =404; | |
| fastcgi_pass unix:/var/run/php5-fpm.sock; | |
| fastcgi_index index.php; | |
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
| fastcgi_param PATH_INFO $fastcgi_script_name; | |
| include fastcgi_params; | |
| } | |
| # Prevent clients from accessing hidden files (starting with a dot) | |
| # This is particularly important if you store .htpasswd files in the site hierarchy | |
| location ~ (?:^|/)\. { | |
| deny all; | |
| } | |
| # Prevent clients from accessing to backup/config/source files | |
| location ~ (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ { | |
| deny all; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The Nginx configuration we use for all of our Kirby websites at Krit.
We use certbot to automatically renew LetsEncrypt SSL certs and this config is setup for that. If you like to do that too here is a good write up on how to set it up.
If you needs CORS replace '*' with the origin you'll be using, otherwise strip the CORS headers out.
Based on mikewink's Kirby Nginx configuration: https://gist.github.com/mikewink/6a4367371a45047ef23e
Modifications: