Improved version of nginx sample config by XRevan86
This commit is contained in:
Diogo Cordeiro
parent
1536d3ef29
commit
031a491abd
@ -1,68 +1,99 @@
|
|||||||
server {
|
server {
|
||||||
listen 80;
|
listen [::]:80;
|
||||||
listen [::]:80;
|
listen 80;
|
||||||
|
|
||||||
# FIXME: change domain name here (and also make sure you do the same in the next 'server' section)
|
# FIXME: change domain name here (and also make sure you do the same in the next 'server' section)
|
||||||
server_name social.example.org;
|
server_name social.example.org;
|
||||||
|
|
||||||
# redirect all traffic to HTTPS
|
# redirect all traffic to HTTPS
|
||||||
rewrite ^ https://$server_name$request_uri? permanent;
|
rewrite ^ https://$host$request_uri? permanent;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
# Use HTTPS. Seriously. Set it up with a cert (any cert) before you run the install.
|
# HTTPS is mandatory on GNU social unless you are using Tor network. Seriously. Set it up with a cert (any cert) before you run the install.
|
||||||
listen 443 ssl;
|
listen [::]:443 ssl http2;
|
||||||
|
listen 443 ssl http2;
|
||||||
|
|
||||||
# Server name
|
# Root
|
||||||
# Change "social.example.org" to your site's domain name
|
# Change the path below to where you installed
|
||||||
server_name social.example.org;
|
# GNU social
|
||||||
|
root /path/to/gnusocial/root;
|
||||||
|
|
||||||
# SSL
|
# Server name
|
||||||
# Uncomment and change the paths to setup
|
# Change "social.example.org" to your site's domain name
|
||||||
# your SSL key/cert. See https://cipherli.st/
|
# GNU social MUST be installed in the domain root
|
||||||
# for more information
|
server_name social.example.org;
|
||||||
ssl_certificate ssl/certs/social.example.org.crt;
|
|
||||||
ssl_certificate_key ssl/private/social.example.org.key;
|
|
||||||
|
|
||||||
# Logs
|
# SSL
|
||||||
# Uncomment and change the paths to setup
|
# Uncomment and change the paths to setup
|
||||||
# logging
|
# your SSL key/cert. See https://cipherli.st/
|
||||||
#access_log /path/to/access.log;
|
# for more information
|
||||||
#error_log /path/to/error.log;
|
ssl_certificate ssl/certs/social.example.org.crt;
|
||||||
|
ssl_certificate_key ssl/private/social.example.org.key;
|
||||||
|
|
||||||
# Root
|
# Logs
|
||||||
# Change the path below to where you installed
|
# Uncomment and change the paths to setup
|
||||||
# GNU social
|
# logging
|
||||||
root /path/to/gnusocial/root;
|
#access_log /path/to/access.log;
|
||||||
|
#error_log /path/to/error.log;
|
||||||
|
|
||||||
# Index
|
# Index
|
||||||
index index.php;
|
index index.php;
|
||||||
|
|
||||||
# PHP
|
# PHP
|
||||||
location ~ \.php {
|
location /index.php {
|
||||||
include snippets/fastcgi-php.conf;
|
include fastcgi_params;
|
||||||
|
include snippets/fastcgi-php.conf;
|
||||||
|
|
||||||
# This should be the same value as in your (optional) /etc/php5/fpm/pool.d/$server.conf
|
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
|
||||||
fastcgi_pass unix:/var/run/php5-fpm.sock;
|
fastcgi_param SCRIPT_FILENAME $request_filename;
|
||||||
|
|
||||||
# Remove the "fastcgi_pass" line above and uncomment
|
# Further optional configuration
|
||||||
# the one below to use TCP sockets instead of Unix sockets
|
#fastcgi_buffer_size 128K;
|
||||||
#fastcgi_pass 127.0.0.1:9000;
|
#fastcgi_buffers 4 256K;
|
||||||
}
|
#fastcgi_busy_buffers_size 256K;
|
||||||
|
#fastcgi_read_timeout 600s;
|
||||||
|
#fastcgi_send_timeout 300s;
|
||||||
|
#fastcgi_connect_timeout 75s;
|
||||||
|
#http2_push_preload on;
|
||||||
|
}
|
||||||
|
|
||||||
# Location
|
# Location
|
||||||
location / {
|
location / {
|
||||||
try_files $uri $uri/ @gnusocial;
|
try_files $uri $uri/ @index_handler;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Fancy URLs
|
# Fancy URLs
|
||||||
location @gnusocial {
|
error_page 404 @index_handler;
|
||||||
rewrite ^(.*)$ /index.php?p=$1 last;
|
location @index_handler {
|
||||||
}
|
rewrite ^(.*)$ /index.php?p=$1 last;
|
||||||
|
}
|
||||||
|
|
||||||
# Restrict access that is unnecessary anyway
|
# Restrict access that is unnecessary anyway
|
||||||
location ~ /\.(ht|git) {
|
location ~ /\.(ht|git) {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Hardening (optional)
|
||||||
|
#
|
||||||
|
# add_header Strict-Transport-Security "max-age=15768000; preload;";
|
||||||
|
# add_header X-Content-Type-Options nosniff;
|
||||||
|
# add_header Referrer-Policy strict-origin-when-cross-origin;
|
||||||
|
# add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
|
||||||
|
# add_header X-Permitted-Cross-Domain-Policies none;
|
||||||
|
# add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes
|
||||||
|
#
|
||||||
|
# client_max_body_size 15M;
|
||||||
|
# client_body_buffer_size 128k;
|
||||||
|
# gzip_vary on;
|
||||||
|
#
|
||||||
|
# location ~* \.(?:css|js|woff|svg|gif|png|webp|ttf|ico|jpe?g)$ {
|
||||||
|
# gzip on;
|
||||||
|
# gzip_comp_level 4;
|
||||||
|
# add_header Cache-Control "public";
|
||||||
|
# expires 30d;
|
||||||
|
# access_log off;
|
||||||
|
# log_not_found off;
|
||||||
|
# }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user