-
-
Save refringe/6545132 to your computer and use it in GitHub Desktop.
server { | |
listen 80; | |
listen [::]:80; | |
server_name domain.com; | |
autoindex off; | |
index index.php index.html; | |
root /srv/www/domain.com/public; | |
access_log /srv/www/domain.com/logs/access.log; | |
error_log /srv/www/domain.com/logs/error.log; | |
location / { | |
try_files $uri $uri/ $uri.php?$args; | |
} | |
location /l/ { | |
rewrite ^/l/([a-zA-Z0-9/]+)$ /l.php?i=$1 last; | |
} | |
location /t/ { | |
rewrite ^/t/([a-zA-Z0-9/]+)$ /t.php?i=$1 last; | |
} | |
location /w/ { | |
rewrite ^/w/([a-zA-Z0-9/]+)$ /w.php?i=$1 last; | |
} | |
location /unsubscribe/ { | |
rewrite ^/unsubscribe/(.*)$ /unsubscribe.php?i=$1 last; | |
} | |
location /subscribe/ { | |
rewrite ^/subscribe/(.*)$ /subscribe.php?i=$1 last; | |
} | |
location ~ \.php$ { | |
try_files $uri =404; | |
fastcgi_split_path_info ^(.+\.php)(/.+)$; | |
fastcgi_pass unix:/var/run/php5-fpm.sock; | |
fastcgi_index index.php; | |
include fastcgi_params; | |
} | |
location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|xml)$ { | |
access_log off; | |
log_not_found off; | |
expires 30d; | |
} | |
} |
Here is a working config for Sendy v5.2.3 and Forge as of 8-28-2021
(1) change "yourdomain.com" to your domain
(2) note that you should use this to get the site installed, then add SSL in Forge, then make sure your sendy includes/config.php file uses "https://" in the APP_PATH
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/sendy.yourdomain.com/before/*;
server {
listen 80;
listen [::]:80;
server_name sendy.yourdomain.com;
root /home/forge/sendy.yourdomain.com/;
# FORGE SSL (DO NOT REMOVE!)
# ssl_certificate;
# ssl_certificate_key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
autoindex off;
index index.html index.htm index.php;
charset utf-8;
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/sendy.yourdomain.com/server/*;
location / {
try_files $uri $uri/ $uri.php?$args;
}
location /l/ {
rewrite ^/l/([a-zA-Z0-9/]+)$ /l.php?i=$1 last;
}
location /t/ {
rewrite ^/t/([a-zA-Z0-9/]+)$ /t.php?i=$1 last;
}
location /w/ {
rewrite ^/w/([a-zA-Z0-9/]+)$ /w.php?i=$1 last;
}
location /unsubscribe/ {
rewrite ^/unsubscribe/(.*)$ /unsubscribe.php?i=$1 last;
}
location /subscribe/ {
rewrite ^/subscribe/(.*)$ /subscribe.php?i=$1 last;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/sendy.yourdomain.com-error.log error;
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
}
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/sendy.yourdomain.com/after/*;
This NGINX config for set up the Sendy into subdirectory:
https://example.com -> /var/www/example.com/public
https://example.com/sendy -> /var/www/sendy
server {
root /var/www/example.com/public;
index index.php index.html;
server_name example.com www.example.com;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
}
location ~ /\.ht {
deny all;
}
# Sendy
location /sendy {
alias /var/www/sendy;
try_files $uri $uri/ @sendy;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
}
}
location @sendy {
rewrite /sendy/(l|t|w)/([a-zA-Z0-9\/]+)$ /sendy/$1.php?i=$2 last;
rewrite /sendy/(u?n?subscribe)/(.*)$ /sendy/$1.php?i=$2 last;
rewrite /sendy/(.*)$ /sendy/$1.php last;
}
# End Sendy
}
Reference: https://serversforhackers.com/c/nginx-php-in-subdirectory
Thanks a lot @cartpauj https://gist.github.com/refringe/6545132#gistcomment-2925206 for this. It has helped me to fix.
Bascially all you really need is this
location / {
try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
}
But to be on the safe side I added everything below:
location / {
try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
}
location /l/ {
rewrite ^/l/([a-zA-Z0-9/]+)$ /l.php?i=$1 last;
}
location /t/ {
rewrite ^/t/([a-zA-Z0-9/]+)$ /t.php?i=$1 last;
}
location /w/ {
rewrite ^/w/([a-zA-Z0-9/]+)$ /w.php?i=$1 last;
}
location /unsubscribe/ {
rewrite ^/unsubscribe/(.*)$ /unsubscribe.php?i=$1 last;
}
location /subscribe/ {
rewrite ^/subscribe/(.*)$ /subscribe.php?i=$1 last;
}
location /confirm/ {
rewrite ^/confirm/(.*)$ /confirm.php?i=$1 last;
}
And it works really well.
this will ensure that you are using a pretty URL
location / {
try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
}
and this will ensure that you are using a pretty URL with sendy settings.
location / {
try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
}
location /l/ {
rewrite ^/l/([a-zA-Z0-9/]+)$ /l.php?i=$1 last;
}
location /t/ {
rewrite ^/t/([a-zA-Z0-9/]+)$ /t.php?i=$1 last;
}
location /w/ {
rewrite ^/w/([a-zA-Z0-9/]+)$ /w.php?i=$1 last;
}
location /unsubscribe/ {
rewrite ^/unsubscribe/(.*)$ /unsubscribe.php?i=$1 last;
}
location /subscribe/ {
rewrite ^/subscribe/(.*)$ /subscribe.php?i=$1 last;
}
location /confirm/ {
rewrite ^/confirm/(.*)$ /confirm.php?i=$1 last;
}
I tried a whole bunch of stuff. This is what finally worked for me (with certbot https). Sub-domain install of Sendy using nginx and SSL/TLS.
# Marketing (Sendy) Installation # server { root /var/www/marketing.site.com; index index.php index.html index.htm; server_name marketing.site.com; autoindex off; add_header X-Robots-Tag "noindex, noarchive"; location = /favicon.ico { log_not_found off; access_log off; } location = /robots.txt { log_not_found off; access_log off; allow all; } location ~ /\. { deny all; log_not_found off; access_log off; return 404; } location / { try_files $uri $uri/ /$uri.php$is_args$args; # $is_args converts to a ? if true } location /l/ { rewrite ^/l/([a-zA-Z0-9/]+)$ /l.php?i=$1 last; } location /t/ { rewrite ^/t/([a-zA-Z0-9/]+)$ /t.php?i=$1 last; } location /w/ { rewrite ^/w/([a-zA-Z0-9/]+)$ /w.php?i=$1 last; } location /unsubscribe/ { rewrite ^/unsubscribe/(.*)$ /unsubscribe.php?i=$1 last; } location /subscribe/ { rewrite ^/subscribe/(.*)$ /subscribe.php?i=$1 last; } location /confirm/ { rewrite ^/confirm/(.*)$ /confirm.php?i=$1 last; } location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|xml)$ { access_log off; log_not_found off; expires 30d; } # Added by certbot - remove these when copying this vhost to a new server block # listen [::]:443 ssl http2; # managed by Certbot listen 443 ssl http2; # managed by Certbot ssl_certificate /etc/letsencrypt/live/marketing.site.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/marketing.site.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = marketing.site.com) { return 301 https://$host$request_uri; } # managed by Certbot listen 80; # listen [::]:80; server_name marketing.site.com; return 404; # managed by Certbot }
Thanks for this, it also worked for me but I found that I could not login. Using chatGPT I added the below after the other "add_header " and I could now login securely.
add_header Content-Security-Policy "upgrade-insecure-requests";
I tried a whole bunch of stuff. This is what finally worked for me (with certbot https). Sub-domain install of Sendy using nginx and SSL/TLS.
# Marketing (Sendy) Installation # server { root /var/www/marketing.site.com; index index.php index.html index.htm; server_name marketing.site.com; autoindex off; add_header X-Robots-Tag "noindex, noarchive"; location = /favicon.ico { log_not_found off; access_log off; } location = /robots.txt { log_not_found off; access_log off; allow all; } location ~ /\. { deny all; log_not_found off; access_log off; return 404; } location / { try_files $uri $uri/ /$uri.php$is_args$args; # $is_args converts to a ? if true } location /l/ { rewrite ^/l/([a-zA-Z0-9/]+)$ /l.php?i=$1 last; } location /t/ { rewrite ^/t/([a-zA-Z0-9/]+)$ /t.php?i=$1 last; } location /w/ { rewrite ^/w/([a-zA-Z0-9/]+)$ /w.php?i=$1 last; } location /unsubscribe/ { rewrite ^/unsubscribe/(.*)$ /unsubscribe.php?i=$1 last; } location /subscribe/ { rewrite ^/subscribe/(.*)$ /subscribe.php?i=$1 last; } location /confirm/ { rewrite ^/confirm/(.*)$ /confirm.php?i=$1 last; } location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|xml)$ { access_log off; log_not_found off; expires 30d; } # Added by certbot - remove these when copying this vhost to a new server block # listen [::]:443 ssl http2; # managed by Certbot listen 443 ssl http2; # managed by Certbot ssl_certificate /etc/letsencrypt/live/marketing.site.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/marketing.site.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = marketing.site.com) { return 301 https://$host$request_uri; } # managed by Certbot listen 80; # listen [::]:80; server_name marketing.site.com; return 404; # managed by Certbot }
That helped. Thanks!
Thanks to everyone who contributed to this.
For anyone that is hosting in Azure App Service for Linux which uses nginx,
What I would advise is to first copy the original nginx file and then edit it based on the config above.
First:
cp /etc/nginx/sites-available/default /home/site/default
The above will copy the default file from the etc/nginx/sites-available
to your deployment folder.
For example, this is what I got:
server {
#proxy_cache cache;
#proxy_cache_valid 200 1s;
listen 8080;
listen [::]:8080;
root /home/site/wwwroot;
index index.php index.html index.htm;
server_name example.com www.example.com;
port_in_redirect off;
location / {
index index.php index.html index.htm hostingstart.html;
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /html/;
}
# Disable .git directory
location ~ /\.git {
deny all;
access_log off;
log_not_found off;
}
# Add locations of phpmyadmin here.
location ~* [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.[Pp][Hh][Pp])(|/.*)$;
fastcgi_pass 127.0.0.1:9000;
include fastcgi_params;
fastcgi_param HTTP_PROXY "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_intercept_errors on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 3600;
fastcgi_read_timeout 3600;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
}
Then we can edit it based on the config shared above.
*Note, the main location / ...
should include what you had from the original file. I went through pain because of this.
Also, the config for location ~* [^/]\.php(/|$) {....
should be kept
Final config is:
server {
#proxy_cache cache;
#proxy_cache_valid 200 1s;
listen 8080;
listen [::]:8080;
root /home/site/wwwroot;
index index.php index.html index.htm;
server_name www.example.com;
autoindex off;
port_in_redirect off;
location / {
index index.php index.html index.htm hostingstart.html; #make sure to include this
try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
}
location /l/ {
rewrite ^/l/([a-zA-Z0-9/]+)$ /l.php?i=$1 last;
}
location /t/ {
rewrite ^/t/([a-zA-Z0-9/]+)$ /t.php?i=$1 last;
}
location /w/ {
rewrite ^/w/([a-zA-Z0-9/]+)$ /w.php?i=$1 last;
}
location /unsubscribe/ {
rewrite ^/unsubscribe/(.*)$ /unsubscribe.php?i=$1 last;
}
location /subscribe/ {
rewrite ^/subscribe/(.*)$ /subscribe.php?i=$1 last;
}
location /confirm/ {
rewrite ^/confirm/(.*)$ /confirm.php?i=$1 last;
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /html/;
}
# Disable .git directory
location ~ /\.git {
deny all;
access_log off;
log_not_found off;
}
# Did not replace this
location ~* [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.[Pp][Hh][Pp])(|/.*)$;
fastcgi_pass 127.0.0.1:9000;
include fastcgi_params;
fastcgi_param HTTP_PROXY "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_index index.php;
fastcgi_intercept_errors on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 3600;
fastcgi_read_timeout 3600;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|xml)$ {
access_log off;
log_not_found off;
expires 30d;
}
}
Then run cp /home/site/default /etc/nginx/sites-available/default && service nginx restart
via SSH
And also add cp /home/site/default /etc/nginx/sites-available/default && service nginx restart
in the Startup Command under Configuration in your Azure Portal
You do realise this is extremely bad practice as you are exposing your http configuration to the world by placing it in your www root directory?
You do realise this is extremely bad practice as you are exposing your http configuration to the world by placing it in your www root directory?
Thanks for catching this!. Not sure how the files are served in nginx.
Moved it to a different folder.
Correction