-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy path.htaccess_nginx.conf
309 lines (259 loc) · 8.59 KB
/
.htaccess_nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
# folder /etc/nginx/sites-enabled
# to validate config `sudo nginx -t`
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Specifies the order of index files to look for when a directory is requested
# Nginx will search for index.html, index.htm, or index.php in that order
index index.html index.htm index.php;
# Specifies the domain name for this server block
server_name sh.webmanajemen.com;
# location / {
# # First attempt to serve request as file, then
# # as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
# }
# Handles requests to the root directory
# First, it tries to serve the file or directory requested by $uri or $uri/
# If neither exists, it falls back to passing the request to index.php with the query string parameters
location / {
try_files $uri $uri/ /index.php?$args;
}
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
# With php-fpm (or other unix sockets):
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# include fastcgi_params;
}
# disable directory listing
autoindex off;
# Set the maximum allowed size of the client request body
client_max_body_size 50M;
# Specific configuration for the favicon.ico file
# Disables error logging if the file is not found and suppresses access logging for requests to favicon.ico
location = /favicon.ico {
log_not_found off;
access_log off;
}
# Match requests for static files such as JavaScript, CSS, images, and icons
# Sets the expiration header to maximum value for caching and suppresses logging
location ~* \.(js|css|png|jpg|jpeg|gif|ico|swf|xml)$ {
expires modified +1d;
log_not_found off;
access_log off;
}
# ignore access to these file patterns
location ~ \.(env|gitignore|gitattributes|gitmodules|sqlite|git|htaccess|ts)$ {
deny all;
}
# restrict file access
location ~ \.(pem|json|py|crt|sock|key|conf|sh|md|ini|sql)$ {
return 403;
}
# Configuration for the robots.txt file
# Allows all user agents, disables error logging if the file is not found, and suppresses access logging
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Configuration for the sitemap.txt file
# Grants access to all users, disables error logging if the file is not found, and suppresses access logging
location = /sitemap.txt {
allow all;
log_not_found off;
access_log off;
}
# Restrict access to other .txt files
location ~ \.txt$ {
# Always allow these patterns
location ~* ^/(robots|sitemap)\.txt$ {
return 200;
}
# if ($http_origin !~ "webmanajemen\.com") {
# return 403;
# }
# Validate Referer header
# if ($http_referer !~ "webmanajemen\.com") {
# return 403;
# }
# Allow access if the _ga cookie is present
# if ($http_cookie !~* _ga) {
# return 403;
# }
# Allow CORS from specific origin
# add_header Access-Control-Allow-Origin "https://webmanajemen.com";
# add_header Access-Control-Allow-Methods "GET, OPTIONS";
# Disallow text file access
return 403;
}
# Allow access to status.json
location = /status.json {
allow all;
# Set cache-control for 5 mins
add_header Cache-Control "public, max-age=300";
}
# Disallow access to temp folder
location ^~ /tmp/ {
deny all;
}
# Disallow access to tests folder
location ^~ /tests/ {
deny all;
}
# Disallow access to python browser folder
location ^~ /python_browser/ {
deny all;
}
# Disallow access to dist folder
location ^~ /dist/ {
deny all;
}
# Disallow access to node_backend folder
location ^~ /node_backend/ {
deny all;
}
# Disallow access to backups folder
location ^~ /backups/ {
deny all;
}
# Disallow access to django_backend folder
location ^~ /django_backend/ {
deny all;
}
# Disallow access to twig source views folder
location ^~ /views/ {
deny all;
}
location ^~ /xl/ {
deny all;
}
location ^~ /node_browser/ {
deny all;
}
location ~ /tmp/.*\.lock$ {
allow all;
}
# Skip caching on html files
location ~ \.html$ {
add_header Cache-Control "no-cache, no-store, must-revalidate";
add_header Pragma "no-cache";
add_header Expires "0";
}
}
# server {
# listen [::]:443 ssl ipv6only=on; # managed by Certbot
# listen 443 ssl; # managed by Certbot
# ssl_certificate /etc/letsencrypt/live/sh.webmanajemen.com/fullchain.pem; # managed by Certbot
# ssl_certificate_key /etc/letsencrypt/live/sh.webmanajemen.com/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# }
# java server configuration (unused)
# server {
# listen 8880;
# listen [::]:8880;
# server_name sh.webmanajemen.com;
# location / {
# # local listen port
# proxy_pass http://127.0.0.1:8080/;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Port $server_port;
# # proxy_set_header X-Forwarded-Proto https;
# proxy_set_header Host $http_host;
# proxy_redirect off;
# proxy_connect_timeout 240;
# proxy_send_timeout 240;
# proxy_read_timeout 240;
# }
# }
# django non-SSL server configuration
# server {
# listen 8443;
# listen [::]:8443;
# server_name sh.webmanajemen.com;
# location / {
# # proxy_set_header Host $host;
# proxy_set_header Host $host:$server_port;
# # proxy_set_header Host $http_host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Scheme $scheme;
# proxy_set_header X-Forwarded-Protocol $scheme;
# proxy_pass http://unix:/var/www/html/tmp/gunicorn.sock;
# }
# location /static/ {
# alias /var/www/html/public/static/;
# }
# location /media/ {
# alias /var/www/html/public/media/;
# }
# }
# django SSL server configuration
# To configure see assets/systemctl/certbot.md
server {
listen 8443 ssl;
listen [::]:8443 ssl;
server_name sh.webmanajemen.com;
# SSL Configuration
ssl_certificate /etc/letsencrypt/live/sh.webmanajemen.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sh.webmanajemen.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:RSA-AES256-GCM-SHA384:RSA-AES128-GCM-SHA256:RSA-AES256-SHA256:RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://unix:/var/www/html/tmp/gunicorn.sock;
}
location /static/ {
alias /var/www/html/public/static/;
}
location /media/ {
alias /var/www/html/public/media/;
}
}