gnu-social/docker/nginx/nginx.conf

server {

    listen [::]:80;
    listen 80;

    server_name %hostname%;

    # redirect all traffic to HTTPS
    rewrite ^ https://$host$request_uri? permanent;
}

server {

    listen [::]:443 ssl http2;
    listen 443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/%hostname%/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/%hostname%/privkey.pem;

    # Let's Encrypt best practices
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    root /var/www/social/public;

    # Server name
    server_name %hostname%;

    # Index
    index index.php;

    # X-Accel/X-Sendfile. Still needs to be enabled in the config
    location /file {
        internal;
        root /var/www/social;
    }

    # PHP
    location ~ ^/(index|install)\.php(/.*)?$ {
        include fastcgi_params;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;

        fastcgi_pass php:9000;
        fastcgi_index index.php;

        fastcgi_param PATH_INFO $path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Don't allow any PHP file other than index.php to be executed
    # This will ensure that nor config.php nor plugin files with eventual hardcoded security information are downloadable
    # And this is better than allowing php files to be executed in case of forgotten `if (!defined('GNUSOCIAL')) { exit(1); }`
    location ~ \.php$ {
        deny all;
    }

    # Location
    location / {
        try_files $uri $uri/ @index_handler;
    }

    # Fancy URLs
    error_page 404 @index_handler;
    location @index_handler {
        rewrite ^(.*)$ /index.php?p=$1 last;
    }

    # Restrict access that is unnecessary anyway
    location ~ /\.(ht|git) {
        deny all;
    }

#
# Hardening (optional)
#
    add_header Strict-Transport-Security "max-age=15768000; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy strict-origin-when-cross-origin;
    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes

    client_max_body_size 15M;
    client_body_buffer_size 128k;
    gzip_vary on;

    location ~* \.(?:css|js|woff|svg|gif|png|webp|ttf|ico|jpe?g)$ {
        gzip on;
        gzip_comp_level 4;
        add_header Cache-Control "public";
        expires 30d;
        access_log off;
        log_not_found off;
    }
}
[TOOLS][SSL] Added bin/boostrap_certificates.sh, allowing for easy configuration of SSL certificates with Let's Encrypt 2020-05-05 01:23:55 +00:00			`server {`

			`listen [::]:80;`
			`listen 80;`
[DOCKER] Added preliminary docker container 2020-03-01 20:51:14 +00:00
[TOOLS][SSL] Added bin/boostrap_certificates.sh, allowing for easy configuration of SSL certificates with Let's Encrypt 2020-05-05 01:23:55 +00:00			`server_name %hostname%;`
[DOCKER] Added preliminary docker container 2020-03-01 20:51:14 +00:00
[TOOLS][SSL] Added bin/boostrap_certificates.sh, allowing for easy configuration of SSL certificates with Let's Encrypt 2020-05-05 01:23:55 +00:00			`# redirect all traffic to HTTPS`
			`rewrite ^ https://$host$request_uri? permanent;`
			`}`
[DOCKER] Added preliminary docker container 2020-03-01 20:51:14 +00:00
			`server {`

[DOCKER] Fixed docker environment to properly configure the app environment 2020-05-06 12:04:59 +00:00			`listen [::]:443 ssl http2;`
			`listen 443 ssl http2;`

[TOOLS][DOCKER] Rewrite the configuration script to use whiptail/dialog, and refactor 2021-03-20 23:09:50 +00:00			`ssl_certificate /etc/letsencrypt/live/%hostname%/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/%hostname%/privkey.pem;`
[DOCKER] Fixed docker environment to properly configure the app environment 2020-05-06 12:04:59 +00:00
			`# Let's Encrypt best practices`
			`include /etc/letsencrypt/options-ssl-nginx.conf;`
			`ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;`
[TOOLS][SSL] Added bin/boostrap_certificates.sh, allowing for easy configuration of SSL certificates with Let's Encrypt 2020-05-05 01:23:55 +00:00
			`root /var/www/social/public;`
[DOCKER] Added preliminary docker container 2020-03-01 20:51:14 +00:00
			`# Server name`
[TOOLS][SSL] Added bin/boostrap_certificates.sh, allowing for easy configuration of SSL certificates with Let's Encrypt 2020-05-05 01:23:55 +00:00			`server_name %hostname%;`
[DOCKER] Added preliminary docker container 2020-03-01 20:51:14 +00:00
			`# Index`
			`index index.php;`

			`# X-Accel/X-Sendfile. Still needs to be enabled in the config`
			`location /file {`
			`internal;`
[TOOLS][SSL] Added bin/boostrap_certificates.sh, allowing for easy configuration of SSL certificates with Let's Encrypt 2020-05-05 01:23:55 +00:00			`root /var/www/social;`
[DOCKER] Added preliminary docker container 2020-03-01 20:51:14 +00:00			`}`

			`# PHP`
			`location ~ ^/(index\|install)\.php(/.*)?$ {`
			`include fastcgi_params;`

			`fastcgi_split_path_info ^(.+?\.php)(/.*)$;`
			`set $path_info $fastcgi_path_info;`
			`try_files $fastcgi_script_name =404;`

			`fastcgi_pass php:9000;`
			`fastcgi_index index.php;`

			`fastcgi_param PATH_INFO $path_info;`
			`fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`
			`}`

			`# Don't allow any PHP file other than index.php to be executed`
			`# This will ensure that nor config.php nor plugin files with eventual hardcoded security information are downloadable`
			# And this is better than allowing php files to be executed in case of forgotten `if (!defined('GNUSOCIAL')) { exit(1); }`
			`location ~ \.php$ {`
			`deny all;`
			`}`

			`# Location`
			`location / {`
			`try_files $uri $uri/ @index_handler;`
			`}`

			`# Fancy URLs`
			`error_page 404 @index_handler;`
			`location @index_handler {`
			`rewrite ^(.*)$ /index.php?p=$1 last;`
			`}`

			`# Restrict access that is unnecessary anyway`
			`location ~ /\.(ht\|git) {`
			`deny all;`
			`}`

			`#`
			`# Hardening (optional)`
			`#`
[TOOLS][SSL] Added bin/boostrap_certificates.sh, allowing for easy configuration of SSL certificates with Let's Encrypt 2020-05-05 01:23:55 +00:00			`add_header Strict-Transport-Security "max-age=15768000; preload;";`
			`add_header X-Content-Type-Options nosniff;`
			`add_header Referrer-Policy strict-origin-when-cross-origin;`
			`add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";`
			`add_header X-Permitted-Cross-Domain-Policies none;`
			`add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes`

			`client_max_body_size 15M;`
			`client_body_buffer_size 128k;`
			`gzip_vary on;`

			`location ~* \.(?:css\|js\|woff\|svg\|gif\|png\|webp\|ttf\|ico\|jpe?g)$ {`
			`gzip on;`
			`gzip_comp_level 4;`
			`add_header Cache-Control "public";`
			`expires 30d;`
			`access_log off;`
			`log_not_found off;`
			`}`
[DOCKER] Added preliminary docker container 2020-03-01 20:51:14 +00:00			`}`