Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
NGINX config for PageKit. (Tested on Ubuntu) (If for some reason I don't reply to a comment leave a message at https://darryldias.me/contact/)
server {
# Server name
server_name example.com;
# Server Port
listen 80;
# Webroot
root /var/www/;
# Index file
index index.php;
# PHP setup with query string support
location / {
try_files $uri $uri/ /index.php?$args;
}
# Deny access to sensitive folders
location ~* /(packages|storage|tmp)/.*$ {
return 403;
}
# Deny access to files with the following extensions
location ~* \.(db|json|lock|dist|md)$ {
return 403;
}
# Deny access to following files
location ~ /(config.php|composer.lock|composer.json|LICENSE|\.htaccess) {
return 403;
}
# Leverage browser caching of media files for 30 days
location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|woff)$ {
access_log off;
expires 30d;
add_header Pragma public;
add_header Cache-Control "public, mustrevalidate, proxy-revalidate";
}
# Uncomment the lines below depending on the PHP version you are using.
# PHP-FPM settings for PHP 7
# location ~ \.php$ {
# try_files $uri =404;
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# include fastcgi_params;
# fastcgi_param HTTP_MOD_REWRITE On;
# }
# PHP-FPM settings for PHP 5
# location ~ \.php$ {
# try_files $uri =404;
# fastcgi_pass unix:/var/run/php5-fpm.sock;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# include fastcgi_params;
# fastcgi_param HTTP_MOD_REWRITE On;
# }
}
@DarrylDias
Copy link
Author

Not sure why GitHub did not notify me even after having so many comments on this gist.

@ToeiRei
Copy link

ToeiRei commented Jul 12, 2017

location ~ /(config.php|pagekit also blocks pagekit-logo-large.svg

@vinhtq
Copy link

vinhtq commented Jul 14, 2017

@ToeiRei +1 I have same issue

@vinhtq
Copy link

vinhtq commented Jul 14, 2017

Just figure out how to fix this


server {
    
   # Server name
   server_name example.com;
    
   # Server Port
   listen 80;
    
   # Webroot
   root /var/www/;
    
   # Index file
   index index.php;
    
   # PHP setup with query string support
  location / {
   try_files $uri $uri/ /index.php?$args;
  }
   # Leverage browser caching of media files for 30 days
   location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|woff|svg)$ {
   access_log off;
   expires 30d;
   add_header Pragma public;
   add_header Cache-Control "public, mustrevalidate, proxy-revalidate";
  }
    
  # Deny access to sensitive folders
   location ~* /(packages|storage|tmp)/.*$ {
   return 403;
  }
    
   
   # Deny access to files with the following extensions
   location ~* \.(db|json|lock|dist|md)$ {
   return 403;
   }
   
  # Deny access to following files
  location ~ /(config.php|pagekit|composer.lock|composer.json|LICENSE|\.htaccess) {
  return 403;
  }
    
  # Uncomment the lines below depending on the PHP version you are using.
  
 # PHP-FPM settings for PHP 7
  
 #  location ~ \.php$ {
 #    try_files $uri =404;
 #    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
 #    fastcgi_index index.php;
 #    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 #    include fastcgi_params;
 #    fastcgi_param  HTTP_MOD_REWRITE  On;
 #  }
  
  
 # PHP-FPM settings for PHP 5
  
 #  location ~ \.php$ {
 #    try_files $uri =404;
 #    fastcgi_pass unix:/var/run/php5-fpm.sock;
 #    fastcgi_index index.php;
 #    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 #    include fastcgi_params;
 #    fastcgi_param  HTTP_MOD_REWRITE  On;
 #  }
  
 }

@yangfan21-zz
Copy link

+1 Pagekit doesn't load any JS/CSS

@Every0ne
Copy link

Every0ne commented Jan 17, 2019

location ~* /(packages|storage|tmp)/.*$ {

This is wrong, as it will block access to any resources needed to display the webpage properly. If you want to block access just to raw packages and storage directories but allow anything else inside them, then you don't need to list them in location blocks at all. By default nginx does not provide a directory listing page like Apache does, unless the autoindex on; directive is set in http, or context of server or location block OR unless the directory has a defined index file inside, in which case it will get displayed instead.

Therefore all you need to do is to block access to tmp and anything below it,

location ~* /tmp/.*$ {
	deny all;
}

@llego
Copy link

llego commented Jul 29, 2020

location ~* /(packages|storage|tmp)/.*$ {

This is wrong, as it will block access to any resources needed to display the webpage properly. If you want to block access just to raw packages and storage directories but allow anything else inside them, then you don't need to list them in location blocks at all. By default nginx does not provide a directory listing page like Apache does, unless the autoindex on; directive is set in http, or context of server or location block OR unless the directory has a defined index file inside, in which case it will get displayed instead.

Therefore all you need to do is to block access to tmp and anything below it,

location ~* /tmp/.*$ {
	deny all;
}

Thanks! That fixed it from me! I was trying to migrate from Apache to Nginx (in docker) but ran into trouble. But you solved it for me! 👍

@Darkentik
Copy link

Darkentik commented Jan 3, 2023

On Debian 11 Bullseye it doesnt work for me with nginx.
Here my nginx site-enabled config:

# Default server configuration
#
# Redirect all HTTP traffic to HTTPS

server {
   listen 80;
   listen [::]:80; 	
   server_name demo.example.cloud;
   return 301 https://$host$request_uri;
}

server {
	# SSL configuration
	# nginx docs: https://gist.github.com/nrollr/9a39bb636a820fb97eec2ed85e473d38
	#
	
	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;

	access_log /var/log/nginx/demo/access.log;
	error_log /var/log/nginx/demo/error.log;

	server_name demo.example.cloud;
	ssl_certificate /etc/letsencrypt/live/demo.example.cloud/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/demo.example.cloud/privkey.pem;
  	
	# Enable server-side protection against BEAST attacks
	#ssl_protocols TLSv1.2;
	#ssl_prefer_server_ciphers on;
	#ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
  			
	root /var/www/pagekit;

	# Index file
	index index.php;
	
	# PHP setup with query string support
	location / {
	  try_files $uri /index.php?$args;
	}

	# Deny access to sensitive folders
	location ~* /tmp/.*$ { 
	  deny all; 
	}

	# Deny access to files with the following extensions
	location ~* \.(db|json|lock|dist|md)$ { 
	  return 403;
	}

	# Deny access to following files  
	location ~ /(config.php|composer.lock|composer.json|LICENSE|\.access) { 
	  return 403; 
	}

	# Leverage browser caching of media files for 30 days
	location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|woff)$ {
	  access_log off;
	  expires 30d;
	  add_header Pragma public;
	  add_header Cache-Control "public, mustrevalidate, proxy-revalidate";
	}

	
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment