friendica/mods/sample-nginx.config

105 lines
3.1 KiB
Plaintext

From: Olaf Conradi
Hey @Friendica Support,
Just wanted to share my #nginx configuration for #friendica with you guys.
I noticed most of the existing configurations that are floating on the web for #nginx do not deny access to local files. Most of them use the following construct.
location / {
try_files $uri $uri/ index.php?q=$request_uri
}
This serves files like images statically, but also gives everyone access to the source code of your ~friendica ~friendica installation (tpl templates, sql files, etc). One should deny all locations except for images, javascript and css files. Setting these deny rules is tedious and needs maintenance when new directories are added.
It's easier to route everything through the front controller except those known file types.
Below is my configuration. First I forward non-SSL traffic to SSL.
server {
server_name friendica.example.net;
index index.php;
root /mnt/friendica/www;
rewrite ^ https://friendica.example.net$request_uri? permanent;
}
Next is the SSL server part.
server {
listen 443 ssl;
server_name friendica.example.net;
index index.php;
root /mnt/friendica/www;
ssl on;
ssl_certificate /etc/nginx/ssl/friendica.example.net.chain.pem;
ssl_certificate_key /etc/nginx/ssl/example.net.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
# allow uploads up to 20MB in size
client_max_body_size 20m;
client_body_buffer_size 128k;
# rewrite to front controller as default rule
location / {
rewrite ^/(.*) /index.php?q=$1 last;
}
# make sure webfinger isn't blocked by denying dot files
# and rewrite to front controller
location = /.well-known/host-meta {
allow all;
rewrite ^/(.*) /index.php?q=$1 last;
}
# statically serve these file types when possible
# otherwise fall back to front controller
# allow browser to cache them
# added .htm for advanced source code editor library
location ~* \.(jpg|jpeg|gif|png|css|js|ico|htm|html)$ {
expires 30d;
try_files $uri /index.php?q=$uri&$args;
}
# block these file types
location ~* \.(tpl|md|git|tgz) {
deny all;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~* \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
# deny access to all dot files (including .htaccess)
location ~ /\. {
deny all;
}
}
That's it.
#nginx #friendica @Friendica Support
I found one bug after posting when I noticed 404's coming in for certain image files. Avatars need a fallback to go through the front controller.
# statically serve these file types when possible
# otherwise fall back to front controller
# allow browser to cache them
# added .htm for advanced source code editor library
location ~* \.(jpg|jpeg|gif|png|css|js|ico|htm)$ {
expires 30d;
try_files $uri /index.php?q=$request_uri?;
}