Skip to content

Instantly share code, notes, and snippets.

@BillBrower

BillBrower/kirby.conf

Last active March 26, 2024 19:47
Show Gist options
  • Star 8 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save BillBrower/105496d435c8d82114a61908666bab5e to your computer and use it in GitHub Desktop.
Save BillBrower/105496d435c8d82114a61908666bab5e to your computer and use it in GitHub Desktop.
Download ZIP
Nginx configuration for Kirby CMS
Raw
kirby.conf
server {
listen 80;
server_name kirby.dev www.kirby.dev;
root /path/to/www/kirby;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# Route LetsEncrypt ACME Challenges to the right place
location ^~ /.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
try_files $uri /404;
}
# Route everything else through SSL
location ~* ^/(.*)$ {
return 301 https://$server_name/$1$is_args$args;
}
}
server {
charset utf-8;
server_name kirby.dev www.kirby.dev;
root /path/to/www/kirby;
listen 443 ssl;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers On;
ssl_certificate /etc/letsencrypt/live/kirby.dev/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/kirby.dev/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/kirby.dev/chain.pem;
ssl_session_cache shared:SSL:128m;
add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8; # Google Resolver
index index.php index.html index.htm;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# Don't hint these as folders
rewrite ^/(content|site|kirby)$ /error last;
# Block content
rewrite ^/content/(.*).(txt|md|mdown)$ /error last;
# Block all files in the site and kirby folder from being accessed directly
rewrite ^/(site|kirby)/(.*)$ /error last;
# Panel links
location /panel {
autoindex off;
try_files $uri $uri/ /panel/index.php?$query_string;
}
# Site links
location / {
autoindex off;
try_files $uri $uri/ /index.php?$query_string; #$uri&$args;
}
# PHP scripts
location ~ \.php$ {
# Set CORS headers
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;
include fastcgi_params;
}
# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
location ~ (?:^|/)\. {
deny all;
}
# Prevent clients from accessing to backup/config/source files
location ~ (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
deny all;
}
}
@BillBrower
Copy link
Author

BillBrower commented May 18, 2017
edited

The Nginx configuration we use for all of our Kirby websites at Krit.

We use certbot to automatically renew LetsEncrypt SSL certs and this config is setup for that. If you like to do that too here is a good write up on how to set it up.

If you needs CORS replace '*' with the origin you'll be using, otherwise strip the CORS headers out.

Based on mikewink's Kirby Nginx configuration: https://gist.github.com/mikewink/6a4367371a45047ef23e

Modifications:

  • added SSL
  • added support for LetsEncrypt ACME Challenges
  • defined error pages
  • added CORS headers to the PHP block
  • turned off hinting for Kirby related folders
  • added a location block to prevent clients from accessing hidden files
  • added a location block to prevent clients from accessing backup/config/source files

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment