axilleas · August 29, 2015 14:24
diff --git a/mediawiki-nginx.conf b/mediawiki-nginx.conf
 #
 # nginx configuration for virtual host: axilleas.me.
 #

 # http -> https redirection
 server {
 	listen 80;
 	listen [::]:80;

 	# virtual host domains
 	server_name axilleas.me www.axilleas.me;

 	# accept requests only for this domain
 	if ($host !~ ^(axilleas.me|www.axilleas.me)$) {
 		return 444;
 	}

 	# redirect to https
 	return 301 https://$host$request_uri;
 }

 # https and spdy
 server {
 	listen 443 ssl spdy;
 	listen [::]:443 ssl spdy;

 	# virtual host domains
 	server_name axilleas.me www.axilleas.me;

 	# accept requests only for this domain
 	if ($host !~ ^(axilleas.me|www.axilleas.me)$) {
 		return 444;
 	}

 	# certificate and private key
 	ssl_certificate /etc/ssl/ellak/axilleas.me-codomo-bundle.pem;
    ssl_certificate_key /etc/ssl/ellak/axilleas.me-decrypted.key;

 	# random 2048-bit parameter for DH elliptic curves
 	# (re)generate with:
 	# openssl dhparam -outform pem -out dhparam2048.pem 2048
 	ssl_dhparam /etc/vhosts/axilleas.me/ssl/dhparam2048.pem;

 	# include common ssl settings
 	include /etc/nginx/ssl.conf;

 	# ocsp stapling (optional, uncomment if necessary)
 	#ssl_trusted_certificate /etc/ssl/certs/combined.stapling.pem;

 	# public html
 	root /var/www/vhosts/axilleas.me/site/public_html;

 	# access and error logs
 	access_log /var/www/vhosts/axilleas.me/logs/access.log;
 	error_log  /var/www/vhosts/axilleas.me/logs/error.log error;

 	# include standard restrictions
 	include /etc/nginx/restrictions.conf;

 	# application configuration
 	include /etc/nginx/cms.conf;

 	# document root
 	index index.php index.html index.htm;

 	# css and js
 	location ~* ^.+\.(css|js) {
 		# 1 week expires
 		expires 1w;

 		## no external referer
 		valid_referers none blocked
 		               axilleas.me *.axilleas.me;

 		if ($invalid_referer) {
 			return 403;
 		}
 	}

 	location /wiki/ {
 		try_files $uri $uri/ @mediawiki;
 		
 		# Do this inside of a location so it can be negated
 		location ~ \.php$ {
 			try_files $uri $uri/ =404; # Don't let php execute non-existent php files
 			include /etc/nginx/fastcgi_params;
 			fastcgi_pass unix:/var/run/php5-fpm/axilleas.me.sock;
 		}
 	}
 	
 	location /wiki/images {
 		# Separate location for images/ so .php execution won't apply
 		
 		location ~ ^/wiki/images/thumb/(archive/)?[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ {
 			# Thumbnail handler for MediaWiki
 			# This location only matches on a thumbnail's url
 			# If the file does not exist we use @thumb to run the thumb.php script
 			try_files $uri $uri/ @thumb;
 		}
 	}
 	location /wiki/images/deleted {
 		# Deny access to deleted images folder
 		deny	all;
 	}
 	
 	# Deny access to folders MediaWiki has a .htaccess deny in
 	location /wiki/cache       { deny all; }
 	location /wiki/languages   { deny all; }
 	location /wiki/maintenance { deny all; }
 	location /wiki/serialized  { deny all; }
 	
 	# Just in case, hide .svn and .git too
 	location ~ /.(svn|git)(/|$) { deny all; }
 	
 	# Hide any .htaccess files
 	location ~ /.ht { deny all; }
 	
 	# Uncomment the following code if you wish to hide the installer/updater
 	## Deny access to the installer
 	location /wiki/mw-config { deny all; }
 	
 	# Handling for the article path
 	location @mediawiki {
 		include /etc/nginx/fastcgi_params;
 		# article path should always be passed to index.php
 		fastcgi_param SCRIPT_FILENAME	$document_root/wiki/index.php;
 		fastcgi_pass  unix:/var/run/php5-fpm/axilleas.me.sock;
 	}
 	
 	# Thumbnail 404 handler, only called by try_files when a thumbnail does not exist
 	location @thumb {
 		# Do a rewrite here so that thumb.php gets the correct arguments
 		rewrite ^/wiki/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /wiki/thumb.php?f=$1&width=$2;
 		rewrite ^/wiki/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /wiki/thumb.php?f=$1&width=$2&archived=1;
 		
 		# Run the thumb.php script
 		include /etc/nginx/fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME	$document_root/wiki/thumb.php;
 		fastcgi_pass  unix:/var/run/php5-fpm/axilleas.me.sock;
 	}


 	# media files
 	location ~* ^.+\.(og?|svg|svgz|eot|otf|woff|mp4|ttf|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
 		# maximum expires
 		expires max;

 		# block hot-linking, allow SE and social media
 		valid_referers none blocked ~\.google\. ~\.yahoo\. ~\.bing\.
 			       ~\.facebook\. ~\.fbcdn\. ~\.twitter\.
 			       axilleas.me *.axilleas.me;

 		if ($invalid_referer) {
 			return 403;
 		}
 	}

 	# disable public access to buddypress docs attachments
 	location /wp-content/uploads/bp-attachments/ {
 		rewrite ^.*uploads/bp-attachments/([0-9]+)/(.*) /?p=$1&bp-attachment=$2 permanent;
 	}

 	# php-fpm support
 	location ~ \.php$ {
 		# make sure to not run php hidden in other files
 		try_files $uri =404;

 		# fastcgi unix socket
 		fastcgi_pass unix:/var/run/php5-fpm/axilleas.me.sock;

 		# include standard parameters
 		include /etc/nginx/fastcgi_params;

 		# increate fastcgi timeout (for mu)
 		fastcgi_read_timeout 360;

 		# include micro-caching configuration
 		include /etc/nginx/microcache.conf;
 	}
 }
	#
	# nginx configuration for virtual host: axilleas.me.
	#

	# http -> https redirection
	server {
	listen 80;
	listen [::]:80;

	# virtual host domains
	server_name axilleas.me www.axilleas.me;

	# accept requests only for this domain
	if ($host !~ ^(axilleas.me\|www.axilleas.me)$) {
	return 444;
	}

	# redirect to https
	return 301 https://$host$request_uri;
	}

	# https and spdy
	server {
	listen 443 ssl spdy;
	listen [::]:443 ssl spdy;

	# virtual host domains
	server_name axilleas.me www.axilleas.me;

	# accept requests only for this domain
	if ($host !~ ^(axilleas.me\|www.axilleas.me)$) {
	return 444;
	}

	# certificate and private key
	ssl_certificate /etc/ssl/ellak/axilleas.me-codomo-bundle.pem;
	ssl_certificate_key /etc/ssl/ellak/axilleas.me-decrypted.key;

	# random 2048-bit parameter for DH elliptic curves
	# (re)generate with:
	# openssl dhparam -outform pem -out dhparam2048.pem 2048
	ssl_dhparam /etc/vhosts/axilleas.me/ssl/dhparam2048.pem;

	# include common ssl settings
	include /etc/nginx/ssl.conf;

	# ocsp stapling (optional, uncomment if necessary)
	#ssl_trusted_certificate /etc/ssl/certs/combined.stapling.pem;

	# public html
	root /var/www/vhosts/axilleas.me/site/public_html;

	# access and error logs
	access_log /var/www/vhosts/axilleas.me/logs/access.log;
	error_log /var/www/vhosts/axilleas.me/logs/error.log error;

	# include standard restrictions
	include /etc/nginx/restrictions.conf;

	# application configuration
	include /etc/nginx/cms.conf;

	# document root
	index index.php index.html index.htm;

	# css and js
	location ~* ^.+\.(css\|js) {
	# 1 week expires
	expires 1w;

	## no external referer
	valid_referers none blocked
	axilleas.me *.axilleas.me;

	if ($invalid_referer) {
	return 403;
	}
	}

	location /wiki/ {
	try_files $uri $uri/ @mediawiki;

	# Do this inside of a location so it can be negated
	location ~ \.php$ {
	try_files $uri $uri/ =404; # Don't let php execute non-existent php files
	include /etc/nginx/fastcgi_params;
	fastcgi_pass unix:/var/run/php5-fpm/axilleas.me.sock;
	}
	}

	location /wiki/images {
	# Separate location for images/ so .php execution won't apply

	location ~ ^/wiki/images/thumb/(archive/)?[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ {
	# Thumbnail handler for MediaWiki
	# This location only matches on a thumbnail's url
	# If the file does not exist we use @thumb to run the thumb.php script
	try_files $uri $uri/ @thumb;
	}
	}
	location /wiki/images/deleted {
	# Deny access to deleted images folder
	deny all;
	}

	# Deny access to folders MediaWiki has a .htaccess deny in
	location /wiki/cache { deny all; }
	location /wiki/languages { deny all; }
	location /wiki/maintenance { deny all; }
	location /wiki/serialized { deny all; }

	# Just in case, hide .svn and .git too
	location ~ /.(svn\|git)(/\|$) { deny all; }

	# Hide any .htaccess files
	location ~ /.ht { deny all; }

	# Uncomment the following code if you wish to hide the installer/updater
	## Deny access to the installer
	location /wiki/mw-config { deny all; }

	# Handling for the article path
	location @mediawiki {
	include /etc/nginx/fastcgi_params;
	# article path should always be passed to index.php
	fastcgi_param SCRIPT_FILENAME $document_root/wiki/index.php;
	fastcgi_pass unix:/var/run/php5-fpm/axilleas.me.sock;
	}

	# Thumbnail 404 handler, only called by try_files when a thumbnail does not exist
	location @thumb {
	# Do a rewrite here so that thumb.php gets the correct arguments
	rewrite ^/wiki/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /wiki/thumb.php?f=$1&width=$2;
	rewrite ^/wiki/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /wiki/thumb.php?f=$1&width=$2&archived=1;

	# Run the thumb.php script
	include /etc/nginx/fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root/wiki/thumb.php;
	fastcgi_pass unix:/var/run/php5-fpm/axilleas.me.sock;
	}


	# media files
	location ~* ^.+\.(og?\|svg\|svgz\|eot\|otf\|woff\|mp4\|ttf\|jpg\|jpeg\|gif\|png\|ico\|zip\|tgz\|gz\|rar\|bz2\|doc\|xls\|exe\|ppt\|tar\|mid\|midi\|wav\|bmp\|rtf\|swf)$ {
	# maximum expires
	expires max;

	# block hot-linking, allow SE and social media
	valid_referers none blocked ~\.google\. ~\.yahoo\. ~\.bing\.
	~\.facebook\. ~\.fbcdn\. ~\.twitter\.
	axilleas.me *.axilleas.me;

	if ($invalid_referer) {
	return 403;
	}
	}

	# disable public access to buddypress docs attachments
	location /wp-content/uploads/bp-attachments/ {
	rewrite ^.uploads/bp-attachments/([0-9]+)/(.) /?p=$1&bp-attachment=$2 permanent;
	}

	# php-fpm support
	location ~ \.php$ {
	# make sure to not run php hidden in other files
	try_files $uri =404;

	# fastcgi unix socket
	fastcgi_pass unix:/var/run/php5-fpm/axilleas.me.sock;

	# include standard parameters
	include /etc/nginx/fastcgi_params;

	# increate fastcgi timeout (for mu)
	fastcgi_read_timeout 360;

	# include micro-caching configuration
	include /etc/nginx/microcache.conf;
	}
	}