LostKobrakai · May 22, 2023 21:07
diff --git a/01-processwire.vhost b/01-processwire.vhost
 server {
  ## [Default Nginx Configuration]
  
  # .htaccess 8.1
  charset utf-8;
  
  # .htaccess 3.
  location = /favicon.ico { log_not_found off; access_log off; }
  location = /robots.txt { log_not_found off; access_log off; }
  
  # .htaccess 4.
  # add_header X-Frame-Options SAMEORIGIN always; # Set by ProcessWire core
  add_header X-XSS-Protection "1; mode=block";
  # add_header X-Content-Type-Options "nosniff";

  # -----------------------------------------------------------------------------------------------
  # .htaccess 5.
  # -----------------------------------------------------------------------------------------------

  # Block access to ProcessWire system files
  location ~ \.(inc|info|info\.json|module|sh|sql)$ { deny all; }
  # Block access to composer files
  location ~ composer\.(json|lock)$ { deny all; }
  # Block access to any file or directory that begins with a period (except well-known)
  location ~ (^|/)\.(?!well-known)|^\..*$ { deny all; }
  
  # -----------------------------------------------------------------------------------------------
  # .htaccess 15.
  # -----------------------------------------------------------------------------------------------

  # Block access to protected assets directories
  location ~ ^/(site|site-[^/]+)/assets/(cache|logs|backups|sessions|config|install|tmp)($|/.*$) { deny all; }
  # Block acceess to the /site/install/ directory
  location ~ ^/(site|site-[^/]+)/install($|/.*$) { deny all; }
  # Block dirs in /site/assets/ dirs that start with a hyphen
  location ~ ^/(site|site-[^/]+)/assets.*/-.+/.* { deny all; }
  # Block access to /wire/config.php, /site/config.php, /site/config-dev.php, and /wire/index.config.php
  location ~ ^/(wire|site|site-[^/]+)/(config|index\.config|config-dev)\.php$ { deny all; }
  # Block access to any PHP-based files in /templates-admin/
  location ~ ^/(wire|site|site-[^/]+)/templates-admin($|/|/.*\.(php|html?|tpl|inc))$ { deny all; }
  # Block access to any PHP or markup files in /site/templates/
  location ~ ^/(site|site-[^/]+)/templates($|/|/.*\.(php|html?|tpl|inc))$ { deny all; }
  # Block access to any PHP files in /site/assets/
  location ~ ^/(site|site-[^/]+)/assets($|/|/.*\.php)$ { deny all; }
  # Block access to any PHP files in core or core module directories
  location ~ ^/wire/(core|modules)/.*\.(php|inc|tpl|module)$ { deny all; }
  # Block access to any PHP files in /site/modules/
  location ~ ^/(site|site-[^/]+)/modules/.*\.(php|inc|tpl|module)$ { deny all; }
  # Block access to any software identifying txt files
  location ~ ^/(COPYRIGHT|INSTALL|README|htaccess)\.(txt|md)$ { deny all; }
  # Block all http access to the default/uninstalled site-default directory
  location ~ ^/site-default/ { deny all; }

  # -----------------------------------------------------------------------------------------------
  # If the request is for a static file, then set expires header and disable logging.
  # Give control to ProcessWire if the requested file or directory is non-existing.
  # -----------------------------------------------------------------------------------------------

  location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|eot|woff|ttf)$ {
    expires 24h;
    log_not_found off;
    access_log off;
    try_files $uri /index.php?it=$uri&$args;
  }

  # -----------------------------------------------------------------------------------------------
  # This location processes all other requests. If the request is for a file or directory that
  # physically exists on the server, then load the file. Else give control to ProcessWire.
  # -----------------------------------------------------------------------------------------------

  location / {
    try_files $uri $uri/ /index.php?it=$uri&$args;
  }

  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    
    # .htaccess 10.
    fastcgi_param HTTP_MOD_REWRITE On;
    
    fastcgi_param X-Real-IP  $remote_addr;
    fastcgi_param X-Forwarded-For $remote_addr;
    fastcgi_param Host $host;
    
    fastcgi_pass unix:/var/run/example.com_fpm.sock;
  }
 }
diff --git a/02-http-https.vhost b/02-http-https.vhost
 server {
  listen 80;
  listen [::]:80;
  
  server_name example.org;
  return 301 https://example.org$request_uri;
 }

 server{
  listen 443 ssl;
  listen [::]:443 ssl;
  
  ssl_certificate /etc/ssl/cert.crt;
  ssl_certificate_key /etc/ssl/key.key;
  ## [Other ssl things]
    
  ## [Above config]
 }
diff --git a/03-to-www.vhost b/03-to-www.vhost
 server {
  listen 80;
  listen [::]:80;
  
  server_name example.org;
  return 301 http://www.example.org$request_uri;
 }

 server{
  listen 80;
  listen [::]:80;
  
  server_name www.example.org;
    
  ## [Above config]
 }
diff --git a/04-to-non-www.vhost b/04-to-non-www.vhost
 server {
  listen 80;
  listen [::]:80;
  
  server_name www.example.org;
  return 301 http://example.org$request_uri;
 }

 server{
  listen 80;
  listen [::]:80;
  
  server_name example.org;
    
  ## [Above config]
 }
	server {
	## [Default Nginx Configuration]

	# .htaccess 8.1
	charset utf-8;

	# .htaccess 3.
	location = /favicon.ico { log_not_found off; access_log off; }
	location = /robots.txt { log_not_found off; access_log off; }

	# .htaccess 4.
	# add_header X-Frame-Options SAMEORIGIN always; # Set by ProcessWire core
	add_header X-XSS-Protection "1; mode=block";
	# add_header X-Content-Type-Options "nosniff";

	# -----------------------------------------------------------------------------------------------
	# .htaccess 5.
	# -----------------------------------------------------------------------------------------------

	# Block access to ProcessWire system files
	location ~ \.(inc\|info\|info\.json\|module\|sh\|sql)$ { deny all; }
	# Block access to composer files
	location ~ composer\.(json\|lock)$ { deny all; }
	# Block access to any file or directory that begins with a period (except well-known)
	location ~ (^\|/)\.(?!well-known)\|^\..*$ { deny all; }

	# -----------------------------------------------------------------------------------------------
	# .htaccess 15.
	# -----------------------------------------------------------------------------------------------

	# Block access to protected assets directories
	location ~ ^/(site\|site-[^/]+)/assets/(cache\|logs\|backups\|sessions\|config\|install\|tmp)($\|/.*$) { deny all; }
	# Block acceess to the /site/install/ directory
	location ~ ^/(site\|site-[^/]+)/install($\|/.*$) { deny all; }
	# Block dirs in /site/assets/ dirs that start with a hyphen
	location ~ ^/(site\|site-[^/]+)/assets./-.+/. { deny all; }
	# Block access to /wire/config.php, /site/config.php, /site/config-dev.php, and /wire/index.config.php
	location ~ ^/(wire\|site\|site-[^/]+)/(config\|index\.config\|config-dev)\.php$ { deny all; }
	# Block access to any PHP-based files in /templates-admin/
	location ~ ^/(wire\|site\|site-[^/]+)/templates-admin($\|/\|/.*\.(php\|html?\|tpl\|inc))$ { deny all; }
	# Block access to any PHP or markup files in /site/templates/
	location ~ ^/(site\|site-[^/]+)/templates($\|/\|/.*\.(php\|html?\|tpl\|inc))$ { deny all; }
	# Block access to any PHP files in /site/assets/
	location ~ ^/(site\|site-[^/]+)/assets($\|/\|/.*\.php)$ { deny all; }
	# Block access to any PHP files in core or core module directories
	location ~ ^/wire/(core\|modules)/.*\.(php\|inc\|tpl\|module)$ { deny all; }
	# Block access to any PHP files in /site/modules/
	location ~ ^/(site\|site-[^/]+)/modules/.*\.(php\|inc\|tpl\|module)$ { deny all; }
	# Block access to any software identifying txt files
	location ~ ^/(COPYRIGHT\|INSTALL\|README\|htaccess)\.(txt\|md)$ { deny all; }
	# Block all http access to the default/uninstalled site-default directory
	location ~ ^/site-default/ { deny all; }

	# -----------------------------------------------------------------------------------------------
	# If the request is for a static file, then set expires header and disable logging.
	# Give control to ProcessWire if the requested file or directory is non-existing.
	# -----------------------------------------------------------------------------------------------

	location ~* \.(js\|css\|png\|jpg\|jpeg\|gif\|ico\|svg\|eot\|woff\|ttf)$ {
	expires 24h;
	log_not_found off;
	access_log off;
	try_files $uri /index.php?it=$uri&$args;
	}

	# -----------------------------------------------------------------------------------------------
	# This location processes all other requests. If the request is for a file or directory that
	# physically exists on the server, then load the file. Else give control to ProcessWire.
	# -----------------------------------------------------------------------------------------------

	location / {
	try_files $uri $uri/ /index.php?it=$uri&$args;
	}

	location ~ \.php$ {
	include snippets/fastcgi-php.conf;

	# .htaccess 10.
	fastcgi_param HTTP_MOD_REWRITE On;

	fastcgi_param X-Real-IP $remote_addr;
	fastcgi_param X-Forwarded-For $remote_addr;
	fastcgi_param Host $host;

	fastcgi_pass unix:/var/run/example.com_fpm.sock;
	}
	}
	server {
	listen 80;
	listen [::]:80;

	server_name example.org;
	return 301 https://example.org$request_uri;
	}

	server{
	listen 443 ssl;
	listen [::]:443 ssl;

	ssl_certificate /etc/ssl/cert.crt;
	ssl_certificate_key /etc/ssl/key.key;
	## [Other ssl things]

	## [Above config]
	}