Last active
February 20, 2019 17:16
-
-
Save memtkmcc/c9b43899b8861dbb8d79db35823727b0 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
####################################################### | |
### nginx Grav CMS basic configuration start | |
####################################################### | |
### | |
### Add recommended HTTP headers | |
### | |
add_header Access-Control-Allow-Origin *; | |
add_header X-Frame-Options SAMEORIGIN; | |
add_header X-Content-Type-Options nosniff; | |
add_header X-XSS-Protection "1; mode=block" always; | |
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | |
### | |
### Deny crawlers. | |
### | |
if ($is_crawler) { | |
return 403; | |
} | |
### | |
### Include high load protection config if exists. | |
### | |
include /data/conf/nginx_high_load.c*; | |
### | |
### Include high level local configuration override if exists. | |
### | |
include /data/disk/o1/config/server_master/nginx/post.d/nginx_force_include*; | |
### | |
### Include PHP-FPM version override logic if exists. | |
### | |
include /data/disk/o1/config/server_master/nginx/post.d/fpm_include*; | |
### | |
### Allow to use non-default PHP-FPM version for the site | |
### listed in the special include file. | |
### | |
if ($user_socket = '') { | |
set $user_socket "o1"; | |
} | |
### | |
### Catch all unspecified requests. | |
### | |
location / { | |
try_files $uri $uri/ /index.php?_url=$uri; | |
} | |
### | |
### Send all non-static requests to php-fpm, restricted to known php file. | |
### | |
location = /index.php { | |
limit_conn limreq 888; | |
add_header X-Device "$device"; | |
add_header X-GeoIP-Country-Code "$geoip_country_code"; | |
add_header X-GeoIP-Country-Name "$geoip_country_name"; | |
add_header X-Speed-Cache "$upstream_cache_status"; | |
add_header X-Speed-Cache-UID "$cache_uid"; | |
add_header X-Speed-Cache-Key "$key_uri"; | |
add_header X-NoCache "$nocache_details"; | |
add_header X-This-Proto "$http_x_forwarded_proto"; | |
add_header X-Server-Name "$main_site_name"; | |
add_header X-Response-Status "$status"; | |
add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"; | |
add_header X-Frame-Options SAMEORIGIN; | |
add_header X-Content-Type-Options nosniff; | |
add_header X-XSS-Protection "1; mode=block" always; | |
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | |
tcp_nopush off; | |
keepalive_requests 0; | |
try_files $uri =404; ### check for existence of php file first | |
include fastcgi_params; | |
fastcgi_split_path_info ^(.+\.php)(/.+)$; | |
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; | |
fastcgi_pass unix:/var/run/$user_socket.fpm.socket; | |
### | |
### Use Nginx cache for all visitors. | |
### | |
set $nocache ""; | |
if ( $nocache_details ~ (?:AegirCookie|Args|Skip) ) { | |
set $nocache "NoCache"; | |
} | |
fastcgi_cache speed; | |
fastcgi_cache_methods GET HEAD; ### Nginx default, but added for clarity | |
fastcgi_cache_min_uses 1; | |
fastcgi_cache_key "$scheme$is_bot$device$host$request_method$key_uri$cache_uid$http_x_forwarded_proto$sent_http_x_local_proto$cookie_respimg"; | |
fastcgi_cache_valid 200 10s; | |
fastcgi_cache_valid 301 1m; | |
fastcgi_cache_valid 302 403 404 1s; | |
fastcgi_cache_lock on; | |
fastcgi_ignore_headers Cache-Control Expires; | |
fastcgi_pass_header Set-Cookie; | |
fastcgi_pass_header X-Accel-Expires; | |
fastcgi_pass_header X-Accel-Redirect; | |
fastcgi_no_cache $cookie_NoCacheID $http_authorization $http_pragma $nocache; | |
fastcgi_cache_bypass $cookie_NoCacheID $http_authorization $http_pragma $nocache; | |
fastcgi_cache_use_stale error http_500 http_503 invalid_header timeout updating; | |
} | |
### | |
### Security | |
### | |
# deny all direct access for these folders | |
location ~* /(.git|cache|bin|logs|backups)/.*$ { | |
return 404; | |
} | |
# deny running scripts inside core system folders | |
location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { | |
return 404; | |
} | |
# deny running scripts inside user folder | |
location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { | |
return 404; | |
} | |
# deny access to specific files in the root folder | |
location ~ /(LICENSE|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { | |
return 404; | |
} | |
### | |
### Serve & no-log static files & images directly. | |
### | |
location ~* ^.+\.(?:css|js|htc|xml|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|tiff?|txt|rtf|cgi|bat|pl|dll|aspx?|class|otf|ttf|woff|eot|less)$ { | |
access_log off; | |
expires 30d; | |
tcp_nodelay off; | |
try_files $uri =404; | |
} | |
### | |
### Serve & log bigger media/static/archive files directly. | |
### | |
location ~* ^.+\.(?:avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ { | |
tcp_nodelay off; | |
tcp_nopush off; | |
expires 30d; | |
try_files $uri =404; | |
} | |
### | |
### Pseudo-streaming server-side support for Flash Video (FLV) files. | |
### | |
location ~* ^.+\.flv$ { | |
flv; | |
tcp_nodelay off; | |
tcp_nopush off; | |
expires 30d; | |
try_files $uri =404; | |
} | |
### | |
### Pseudo-streaming server-side support for H.264/AAC files. | |
### | |
location ~* ^.+\.(?:mp4|m4a)$ { | |
mp4; | |
mp4_buffer_size 1m; | |
mp4_max_buffer_size 5m; | |
tcp_nodelay off; | |
tcp_nopush off; | |
expires 30d; | |
try_files $uri =404; | |
} | |
### | |
### Deny access to any not listed above php files with 404 error. | |
### | |
location ~* ^.+\.php$ { | |
return 404; | |
} | |
####################################################### | |
### nginx Grav CMS configuration end | |
####################################################### | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment