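# Pagekit site served by nginx with PHP-FPM.
#
# nginx tests regex locations (~ and ~*) in the order they appear in the file
# and uses the first one that matches. The deny rules are therefore kept above
# the static-asset and PHP locations, so a request such as /storage/x.php or
# /config.php is answered with 403 before it can reach the PHP handler.
server {
    # Server name
    server_name example.com;

    # Server Port
    listen 80;

    # Webroot
    root /var/www/;

    # Index file
    index index.php;

    # PHP setup with query string support: serve the file or directory if it
    # exists, otherwise hand the request to the front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Deny access to sensitive folders.
    # The pattern is unanchored and case-insensitive, so any URI containing
    # /packages/, /storage/ or /tmp/ gets 403, including CSS/JS/images kept
    # under those directories. If the application serves assets from there,
    # add a narrower allow rule for those asset types above this block rather
    # than deleting the deny rule.
    location ~* /(packages|storage|tmp)/.*$ {
        return 403;
    }

    # Deny access to files with the following extensions
    location ~* \.(db|json|lock|dist|md)$ {
        return 403;
    }

    # Deny access to following files.
    # Dots are escaped so they match a literal "." only. The pattern is
    # case-sensitive and not anchored at the end, so longer names that start
    # with one of these (for example /LICENSE.txt) are denied as well.
    location ~ /(config\.php|composer\.lock|composer\.json|LICENSE|\.htaccess) {
        return 403;
    }

    # Leverage browser caching of media files for 30 days
    location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|woff)$ {
        access_log off;
        expires 30d;
        add_header Pragma public;
        # "must-revalidate" is the standard directive name; without the hyphen
        # it is an unknown token that caches ignore.
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    # Uncomment the lines below depending on the PHP version you are using.
    # Until one of these blocks is enabled there is no PHP handler: a .php file
    # that is not denied above is returned as a plain file instead of being
    # executed.
    #
    # "try_files $uri =404;" answers 404 when the requested script does not
    # exist on disk, instead of passing an arbitrary path to PHP-FPM.

    # PHP-FPM settings for PHP 7
    # location ~ \.php$ {
    #     try_files $uri =404;
    #     fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    #     fastcgi_index index.php;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    #     fastcgi_param HTTP_MOD_REWRITE On;
    # }

    # PHP-FPM settings for PHP 5
    # location ~ \.php$ {
    #     try_files $uri =404;
    #     fastcgi_pass unix:/var/run/php5-fpm.sock;
    #     fastcgi_index index.php;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    #     fastcgi_param HTTP_MOD_REWRITE On;
    # }
}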
location ~ /(config.php|pagekit
also blocks pagekit-logo-large.svg
@ToeiRei +1 I have same issue
Just figured out how to fix this:
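# Variant of the Pagekit server block with the static-asset location moved
# above the deny rules.
#
# nginx uses the first regex location that matches, in file order. With the
# asset block first, any URI ending in one of its extensions is served from
# disk and never reaches the deny rules below, including files under
# /packages/, /storage/ and /tmp/. Everything else (for example .php, .db,
# .json) in those directories is still denied.
server {
    # Server name
    server_name example.com;

    # Server Port
    listen 80;

    # Webroot
    root /var/www/;

    # Index file
    index index.php;

    # PHP setup with query string support
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Leverage browser caching of media files for 30 days
    location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|woff|svg)$ {
        access_log off;
        expires 30d;
        add_header Pragma public;
        # "must-revalidate" is the standard directive name; without the hyphen
        # it is an unknown token that caches ignore.
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    # Deny access to sensitive folders (applies only to URIs the asset block
    # above did not match)
    location ~* /(packages|storage|tmp)/.*$ {
        return 403;
    }

    # Deny access to files with the following extensions
    location ~* \.(db|json|lock|dist|md)$ {
        return 403;
    }

    # Deny access to following files.
    # Dots are escaped so they match a literal "." only. The alternatives are
    # not anchored at the end: "pagekit" matches every URI that contains
    # "/pagekit", so a name such as /pagekit-logo-large.svg is served only
    # because the asset block above matches it first.
    location ~ /(config\.php|pagekit|composer\.lock|composer\.json|LICENSE|\.htaccess) {
        return 403;
    }

    # Uncomment the lines below depending on the PHP version you are using.
    # Until one of these blocks is enabled there is no PHP handler: a .php file
    # that is not denied above is returned as a plain file instead of being
    # executed.
    #
    # "try_files $uri =404;" answers 404 when the requested script does not
    # exist on disk, instead of passing an arbitrary path to PHP-FPM.

    # PHP-FPM settings for PHP 7
    # location ~ \.php$ {
    #     try_files $uri =404;
    #     fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    #     fastcgi_index index.php;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    #     fastcgi_param HTTP_MOD_REWRITE On;
    # }

    # PHP-FPM settings for PHP 5
    # location ~ \.php$ {
    #     try_files $uri =404;
    #     fastcgi_pass unix:/var/run/php5-fpm.sock;
    #     fastcgi_index index.php;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    #     fastcgi_param HTTP_MOD_REWRITE On;
    # }
}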
+1 Pagekit doesn't load any JS/CSS
location ~* /(packages|storage|tmp)/.*$ {
This is wrong, as it will block access to any resources needed to display the webpage properly. If you want to block access just to the raw packages and storage directories but allow anything else inside them, then you don't need to list them in location blocks at all. By default nginx does not provide a directory listing page like Apache does, unless the `autoindex on;` directive is set in the http, server or location context, or unless the directory contains a defined index file, in which case that file is displayed instead. Keep in mind that this only hides the listing: a file inside packages or storage is still served to anyone who requests its exact path, unless another rule (such as the extension block) denies it.
Therefore all you need to do is to block access to tmp and anything below it,
# Answer 403 for any URI that contains "/tmp/" (the pattern is unanchored and
# case-insensitive).
# Regex locations are tried in file order and the first match wins, so this
# block only applies to URIs that no earlier regex location has matched; keep
# it above asset and PHP locations if /tmp/ must never be served.
location ~* /tmp/.*$ {
deny all;
}
location ~* /(packages|storage|tmp)/.*$ {
This is wrong, as it will block access to any resources needed to display the webpage properly. If you want to block access just to raw packages and storage directories but allow anything else inside them, then you don't need to list them in location blocks at all. By default nginx does not provide a directory listing page like Apache does, unless the
autoindex on;
directive is set in the http, server or location context, or unless the directory contains a defined index file, in which case that file is displayed instead. Therefore all you need to do is to block access to tmp and anything below it,
location ~* /tmp/.*$ { deny all; }
Thanks! That fixed it from me! I was trying to migrate from Apache to Nginx (in docker) but ran into trouble. But you solved it for me! 👍
On Debian 11 Bullseye it doesn't work for me with nginx.
Here my nginx site-enabled config:
# Default server configuration
#
# Redirect all HTTP traffic to HTTPS
# NOTE(review): the redirect target is built from $host, which nginx takes from
# the request (request line or Host header) before falling back to the server
# name. Redirecting to the fixed name from server_name would keep the Location
# header independent of client input; confirm which is intended.
server {
listen 80;
listen [::]:80;
server_name demo.example.cloud;
return 301 https://$host$request_uri;
}
# HTTPS site rooted at /var/www/pagekit.
server {
# SSL configuration
# nginx docs: https://gist.github.com/nrollr/9a39bb636a820fb97eec2ed85e473d38
#
# default_server: this block also answers port-443 requests whose host name
# matches no other server block.
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
access_log /var/log/nginx/demo/access.log;
error_log /var/log/nginx/demo/error.log;
server_name demo.example.cloud;
ssl_certificate /etc/letsencrypt/live/demo.example.cloud/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/demo.example.cloud/privkey.pem;
# Enable server-side protection against BEAST attacks
# NOTE(review): the three directives below are commented out, so nothing in
# this block restricts protocols or ciphers; nginx's built-in defaults (or an
# http-level setting outside this file, if one exists) apply. Confirm that
# legacy protocol versions are actually disabled.
#ssl_protocols TLSv1.2;
#ssl_prefer_server_ciphers on;
#ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
root /var/www/pagekit;
# Index file
index index.php;
# PHP setup with query string support
# Serves the requested file if it exists, otherwise redirects internally to
# /index.php with the original query string.
# NOTE(review): as posted, this server block has no "location ~ \.php$" with a
# fastcgi_pass, so /index.php is handled by this location as a static file.
# nginx would send the PHP source instead of executing it, which both breaks
# the site and discloses code. A PHP-FPM location is needed below the deny
# rules.
location / {
try_files $uri /index.php?$args;
}
# Deny access to sensitive folders
# Any URI containing "/tmp/" (case-insensitive) is refused with 403.
location ~* /tmp/.*$ {
deny all;
}
# Deny access to files with the following extensions
location ~* \.(db|json|lock|dist|md)$ {
return 403;
}
# Deny access to following files
# NOTE(review): "\.access" looks like a typo for "\.htaccess"; confirm.
# The unescaped dots in config.php / composer.lock / composer.json match any
# character, which only makes the rule slightly broader than written.
location ~ /(config.php|composer.lock|composer.json|LICENSE|\.access) {
return 403;
}
# Leverage browser caching of media files for 30 days
# NOTE(review): "mustrevalidate" is not a Cache-Control directive; the
# standard spelling is "must-revalidate", and caches ignore the unknown token.
location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|woff)$ {
access_log off;
expires 30d;
add_header Pragma public;
add_header Cache-Control "public, mustrevalidate, proxy-revalidate";
}
}
Not sure why GitHub did not notify me even after having so many comments on this gist.