@amanjuman
Created October 26, 2020 14:00
OpenEMR Nginx Configuration
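# OpenEMR virtual host: serves the application over HTTPS, redirects plain
# HTTP, hands *.php to PHP-FPM and blocks web access to directories that must
# never be reachable from a browser.
#
# Ordering matters: nginx tests regex locations (~ and ~*) in the order they
# appear and uses the first match. Every "deny" regex therefore sits ABOVE the
# generic "\.php$" handler; otherwise a request such as /contrib/x.php or
# /sites/default/documents/x.php would be picked up by the PHP handler and the
# deny rule would never be consulted.
server
{
    # Listen
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name subdomain.domain.tld;
    root /var/www/subdomain.domain.tld;
    index index.html index.php;

    # SSL
    ssl_certificate /etc/letsencrypt/live/subdomain.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/subdomain.domain.tld/privkey.pem;
    # Only consulted for OCSP stapling / client-certificate verification;
    # neither is switched on in this block.
    ssl_trusted_certificate /etc/letsencrypt/live/subdomain.domain.tld/fullchain.pem;

    # Nginx Logging
    access_log /var/log/nginx/subdomain.domain.tld-access.log;
    error_log /var/log/nginx/subdomain.domain.tld-error.log warn;

    # HTTP to HTTPS redirection
    if ($scheme != "https")
    {
        return 301 https://$host$request_uri;
    }

    # Permalink Support
    location /
    {
        try_files $uri $uri/ /index.php?$args;
    }

    # Let's Encrypt verification must stay reachable
    location ~ /\.well-known
    {
        allow all;
    }

    # Disable Hidden File Access (dotfiles such as .git or .htaccess),
    # except the .well-known path handled above
    location ~ /\.(?!well-known)
    {
        deny all;
        return 404;
    }

    # Deny Access to Certain Directories
    location ~* ^/(contrib|tests)
    {
        deny all;
        return 404;
    }

    # Deny Access to Writable Files/Directories (patient documents, EDI, ERA).
    # [^/]+ stands for the site name (e.g. "default"). The earlier pattern
    # "^/sites/*/" only meant "zero or more slashes" and so never matched
    # /sites/<site>/documents, leaving uploaded files directly downloadable.
    location ~* ^/sites/[^/]+/(documents|edi|era)
    {
        deny all;
        return 404;
    }

    # Enable Authentication for important folders
    # (if enabled, keep this block above the PHP handler so it matches first)
    #location ~* ^/(admin|setup|acl_setup|acl_upgrade|sl_convert|sql_upgrade|gacl/setup|ippf_upgrade|sql_patch)\.php
    #{
    #    auth_basic "Restricted Access";
    #    auth_basic_user_file /path/to/.htpasswd;
    #    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #    fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    #    include fastcgi_params;
    #}
    # Or Deny access to these files
    # (same ordering requirement: above the PHP handler)
    #location ~* ^/(admin|setup|acl_setup|acl_upgrade|sl_convert|sql_upgrade|gacl/setup|ippf_upgrade|sql_patch)\.php
    #{
    #    deny all;
    #    return 404;
    #}

    # PHP Upstream
    location ~ \.php$
    {
        # NOTE(review): on Debian/Ubuntu this packaged snippet presumably
        # already checks that the script exists before it is passed to FPM;
        # confirm on the target host, since that check is what stops
        # non-existent *.php paths from reaching the interpreter.
        include snippets/fastcgi-php.conf;
        ## For PHP 7.2
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
        fastcgi_intercept_errors on;
        fastcgi_read_timeout 120;
    }

    # Robot Text Logging Off
    location = /robots.txt
    {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Fav ICON Disable
    location = /favicon.ico
    {
        log_not_found off;
        access_log off;
    }

    # Cache
    # Placed after the deny rules, so a .pdf or image under
    # /sites/<site>/documents is refused before this block can serve it.
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf|svg)$
    {
        expires 7d;
        add_header Cache-Control "public, no-transform";
        log_not_found off;
        access_log off;
    }

    # Stop Deep Linking or Hotlinking
    # NOTE(review): this is a plain prefix location, and regex locations take
    # precedence over it. Requests under /images/ whose extension matches the
    # cache block above are served there and skip this referer check.
    location /images/
    {
        valid_referers none blocked subdomain.domain.tld;
        if ($invalid_referer)
        {
            return 403;
        }
    }
}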