Created
October 5, 2018 11:45
-
-
Save cristiroma/bd8eb19272d282ddbe4461874d75d752 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server { | |
| server_name example.com; | |
| listen 80; | |
| # Exception rule for certbot renewal | |
| location ^~ /.well-known/acme-challenge/ { | |
| default_type "text/plain"; | |
| root /usr/share/nginx/html/letsencrypt; | |
| try_files $uri $uri/ =404; | |
| break; | |
| } | |
| location = /.well-known/acme-challenge/ { | |
| return 404; | |
| } | |
| # Redirect traffic to HTTPS | |
| location / { | |
| return 301 https://example.com$request_uri; | |
| } | |
| } | |
| server { | |
| server_name example.com; | |
| listen 443 ssl; | |
| root /var/www/html/example.com/docroot; | |
| # Protect site with basic authentication | |
| satisfy any; | |
| allow 192.168.0.1; | |
| deny all; | |
| auth_basic "State your business server"; | |
| auth_basic_user_file /etc/nginx/basic-auth.passwords; | |
| # END | |
| ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; | |
| include /etc/letsencrypt/options-ssl-nginx.conf; | |
| ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; | |
| index index.php; | |
| # Ignore favicon logging and errors | |
| location = /favicon.ico { access_log off; log_not_found off; } | |
| location = /android-chrome-192x192.png { access_log off; log_not_found off; } | |
| location = /android-chrome-512x512.png { access_log off; log_not_found off; } | |
| location = /apple-touch-icon.png { access_log off; log_not_found off; } | |
| location = /browserconfig.xml { access_log off; log_not_found off; } | |
| location = /favicon-16x16.png { access_log off; log_not_found off; } | |
| location = /favicon-32x32.png { access_log off; log_not_found off; } | |
| location = /mstile-150x150.png { access_log off; log_not_found off; } | |
| location = /safari-pinned-tab.svg { access_log off; log_not_found off; } | |
| location = /site.webmanifest { access_log off; log_not_found off; } | |
| location = /robots.txt { allow all; access_log off; log_not_found off; } | |
| if ($request_uri ~ "/index.php") { | |
| rewrite ^ /$1 permanent; | |
| } | |
| # Block access to TXT and LOG files | |
| location ~* \.(txt|log)$ { return 403; } | |
| # Block access to hidden files and directories | |
| location ~ (^|/)\. { return 403; } | |
| # Security headers | |
| location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff|woff2)$ { | |
| add_header Access-Control-Allow-Origin "*"; | |
| expires 7d; | |
| access_log off; | |
| } | |
| location /sites/default/files/sync { | |
| auth_basic "Restricted Content"; | |
| auth_basic_user_file /etc/nginx/conf.d/.htpasswd; | |
| # Enable file serving optimizations | |
| sendfile on; | |
| tcp_nopush on; | |
| tcp_nodelay on; | |
| # try_files $uri @rewrite; # For Drupal <= 6 | |
| try_files $uri =404; | |
| } | |
| location / { | |
| # Enable file serving optimizations | |
| sendfile on; | |
| tcp_nopush on; | |
| tcp_nodelay on; | |
| # try_files $uri @rewrite; # For Drupal <= 6 | |
| try_files $uri /index.php?$query_string; # For Drupal >= 7 | |
| expires max; | |
| } | |
| #add_header X-Frame-Options "SAMEORIGIN" always; | |
| add_header X-XSS-Protection "1; mode=block" always; | |
| #add_header X-Content-Type-Options "nosniff" always; | |
| add_header Referrer-Policy "no-referrer-when-downgrade" always; | |
| #add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; | |
| location @rewrite { | |
| # Some modules enforce no slash (/) at the end of the URL | |
| # Else this rewrite block wouldn't be needed (GlobalRedirect) | |
| rewrite ^/(.*)$ /index.php?q=$1; | |
| } | |
| # TODO add rate limiting for /user | |
| # limit_req_zone $binary_remote_addr zone=perip:10m rate=1r/s; | |
| # limit_req_zone $server_name zone=perserver:10m rate=10r/s; | |
| location ~ index.php|/core/install.php$ { | |
| try_files $uri =404; | |
| sendfile off; | |
| tcp_nopush off; | |
| tcp_nodelay off; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Forwarded-Host $host:$server_port; | |
| proxy_set_header X-Forwarded-Server $host; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-Proto "https"; | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection "upgrade"; | |
| proxy_set_header Proxy ""; | |
| include fastcgi_params; | |
| fastcgi_split_path_info ^(.+\.php)(/.+)$; | |
| fastcgi_index index.php; | |
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
| fastcgi_param HTTP_PROXY ""; | |
| fastcgi_intercept_errors off; | |
| fastcgi_keep_conn on; | |
| fastcgi_pass 127.0.0.1:9000; | |
| } | |
| # Block direct access to PHP files | |
| location ~ \.php$ { | |
| return 403; | |
| } | |
| location ~ ^/sites/.*/files/styles/ { | |
| try_files $uri @rewrite; | |
| } | |
| # Handle private files through Drupal | |
| location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7 | |
| try_files $uri /index.php?$query_string; | |
| } | |
| location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ { | |
| try_files $uri @rewrite; | |
| expires max; | |
| log_not_found off; | |
| access_log off; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment