@DarrylDias
Last active January 3, 2023 15:49
NGINX config for PageKit. (Tested on Ubuntu) (If for some reason I don't reply to a comment leave a message at https://darryldias.me/contact/)
server {
    # Server name
    server_name example.com;
    # Server port
    listen 80;
    # Webroot
    root /var/www/;
    # Index file
    index index.php;

    # PHP setup with query string support: anything that is not a real
    # file or directory is routed to the front controller
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Deny access to sensitive folders
    location ~* /(packages|storage|tmp)/.*$ {
        return 403;
    }

    # Deny access to files with the following extensions
    location ~* \.(db|json|lock|dist|md)$ {
        return 403;
    }

    # Deny access to the following files (dots escaped so the regex matches
    # the literal file names; this block precedes the PHP handler below, so
    # config.php is never passed to PHP-FPM)
    location ~ /(config\.php|composer\.lock|composer\.json|LICENSE|\.htaccess) {
        return 403;
    }

    # Leverage browser caching of media files for 30 days
    location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|woff)$ {
        access_log off;
        expires 30d;
        add_header Pragma public;
        # "must-revalidate" is the correct directive name; "mustrevalidate"
        # is ignored by browsers
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    # Uncomment the lines below depending on the PHP version you are using.
    # PHP-FPM settings for PHP 7
    # location ~ \.php$ {
    #     try_files $uri =404;
    #     fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    #     fastcgi_index index.php;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    #     fastcgi_param HTTP_MOD_REWRITE On;
    # }

    # PHP-FPM settings for PHP 5
    # location ~ \.php$ {
    #     try_files $uri =404;
    #     fastcgi_pass unix:/var/run/php5-fpm.sock;
    #     fastcgi_index index.php;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    #     fastcgi_param HTTP_MOD_REWRITE On;
    # }
}
@llego

llego commented Jul 29, 2020

location ~* /(packages|storage|tmp)/.*$ {

This is wrong, as it will block access to any resources needed to display the webpage properly. If you want to block access just to the raw packages and storage directories but allow anything else inside them, then you don't need to list them in location blocks at all. By default nginx does not provide a directory listing page like Apache does, unless the `autoindex on;` directive is set in the http, server or location context, OR unless the directory has a defined index file inside, in which case that gets displayed instead.

Therefore all you need to do is to block access to tmp and anything below it:

location ~* /tmp/.*$ {
    deny all;
}

Thanks! That fixed it for me! I was trying to migrate from Apache to Nginx (in docker) but ran into trouble. But you solved it for me! 👍

@Darkentik

Darkentik commented Jan 3, 2023

On Debian 11 Bullseye it doesn't work for me with nginx.
Here is my nginx sites-enabled config:

# Default server configuration
#
# Redirect all HTTP traffic to HTTPS

server {
    listen 80;
    listen [::]:80;
    server_name demo.example.cloud;
    return 301 https://$host$request_uri;
}

server {
    # SSL configuration
    # nginx docs: https://gist.github.com/nrollr/9a39bb636a820fb97eec2ed85e473d38
    #

    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    access_log /var/log/nginx/demo/access.log;
    error_log /var/log/nginx/demo/error.log;

    server_name demo.example.cloud;
    ssl_certificate /etc/letsencrypt/live/demo.example.cloud/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/demo.example.cloud/privkey.pem;

    # Enable server-side protection against BEAST attacks
    #ssl_protocols TLSv1.2;
    #ssl_prefer_server_ciphers on;
    #ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

    root /var/www/pagekit;

    # Index file
    index index.php;

    # PHP setup with query string support
    location / {
        try_files $uri /index.php?$args;
    }

    # Deny access to sensitive folders
    location ~* /tmp/.*$ {
        deny all;
    }

    # Deny access to files with the following extensions
    location ~* \.(db|json|lock|dist|md)$ {
        return 403;
    }

    # Deny access to following files (".htaccess" spelled out; the pasted
    # config had "\.access", which matches nothing Pagekit ships)
    location ~ /(config\.php|composer\.lock|composer\.json|LICENSE|\.htaccess) {
        return 403;
    }

    # Leverage browser caching of media files for 30 days
    location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|woff)$ {
        access_log off;
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

}
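The disagreement above comes down to which `location` block nginx picks for a given path: prefix locations are only a fallback, and regex locations are tried in file order with the first match winning. The following Python emulator of that selection is an added example, not code from the gist or from either commenter. It encodes three rule sets from this page (the gist's, with its PHP-FPM block enabled; llego's relaxed variant; and Darkentik's pasted config, which has no `location ~ \.php$` block at all) plus a hardened variant that is my own assumption: it keeps llego's relaxation so assets under packages/ and storage/ load, but refuses to hand PHP files below packages/, storage/ or tmp/ to PHP-FPM, on the assumption that Pagekit serves every request through /index.php. The sample request paths are constructed for the demonstration.

```python
"""Emulate nginx 'location' selection for the Pagekit rule sets on this page."""
import re

# Each rule is (modifier, pattern, what the block does). Modifiers as in nginx:
# ""  prefix match, "=" exact match, "^~" prefix that stops the regex search,
# "~" case-sensitive regex, "~*" case-insensitive regex.

# The gist's rules, with its commented-out PHP-FPM location enabled.
GIST = [
    ("",   "/",                                         "location / (try_files -> /index.php)"),
    ("~*", r"/(packages|storage|tmp)/.*$",              "403 (sensitive folder)"),
    ("~*", r"\.(db|json|lock|dist|md)$",                "403 (extension)"),
    ("~",  r"/(config\.php|composer\.lock|composer\.json|LICENSE|\.htaccess)", "403 (named file)"),
    ("~*", r"\.(?:ico|css|js|gif|jpe?g|png|ttf|woff)$", "static, cached 30d"),
    ("~",  r"\.php$",                                   "php-fpm"),
]

# llego's variant: only /tmp is blocked, so packages/ and storage/ assets load.
LLEGO = [GIST[0], ("~*", r"/tmp/.*$", "deny all (403)")] + GIST[2:]

# Darkentik's pasted config: llego's rules, but with no PHP-FPM location.
DARKENTIK = LLEGO[:-1]

# Hardened variant (assumption, not from the page): assets still load, but no
# PHP below the data directories is ever executed; Pagekit's front controller
# is /index.php, so nothing there needs to run.
HARDENED = [GIST[0],
            ("~", r"^/(packages|storage|tmp)/.*\.php$", "403 (no PHP under data dirs)")] + LLEGO[1:]


def select_location(rules, uri):
    """Index of the rule nginx would choose for `uri` (normalized path, no query string).

    Simplified nginx algorithm: an exact ("=") match wins outright; otherwise the
    longest matching prefix is remembered; if it was declared with "^~" it wins;
    otherwise regex rules are tried in file order and the first match wins;
    if no regex matches, the remembered prefix is used.
    """
    best_prefix, best_len = None, -1
    for i, (mod, pat, _) in enumerate(rules):
        if mod == "=":
            if uri == pat:
                return i
        elif mod in ("", "^~") and uri.startswith(pat) and len(pat) > best_len:
            best_prefix, best_len = i, len(pat)
    if best_prefix is not None and rules[best_prefix][0] == "^~":
        return best_prefix
    for i, (mod, pat, _) in enumerate(rules):
        if mod == "~" and re.search(pat, uri):
            return i
        if mod == "~*" and re.search(pat, uri, re.IGNORECASE):
            return i
    return best_prefix


def resolve(rules, uri):
    """Action of the location block chosen for `uri`."""
    i = select_location(rules, uri)
    return "no matching location" if i is None else rules[i][2]


# Constructed sample request paths (not taken from the page).
SAMPLE_URIS = [
    "/",
    "/index.php",
    "/config.php",
    "/composer.json",
    "/tmp/sess_abc123",
    "/storage/uploads/photo.jpg",
    "/packages/vendor/ext/app/bundle/site.js",
    "/storage/uploads/uploaded.php",   # a PHP file that ended up in the upload tree
]

RULE_SETS = {"gist": GIST, "llego": LLEGO, "darkentik": DARKENTIK, "hardened": HARDENED}


def compare(uris=SAMPLE_URIS):
    """Map each URI to the action taken under every rule set."""
    return {u: {name: resolve(rs, u) for name, rs in RULE_SETS.items()} for u in uris}


if __name__ == "__main__":
    for uri, outcome in compare().items():
        print(uri)
        for name, action in outcome.items():
            print(f"    {name:10s} {action}")
```

Running it shows the three points that matter here. Under the gist's rules, `/storage/uploads/photo.jpg` and the packages/ script both hit the "sensitive folder" regex before the static-file block and get a 403, which is what llego observed. Under Darkentik's rules `/index.php` matches no regex and falls back to `location /`, so with no FastCGI handler nginx serves the PHP source as a plain file, which is consistent with "it doesn't work". And under llego's relaxed rules a PHP file sitting in storage/uploads/ reaches the `\.php$` handler and is executed by PHP-FPM; the hardened variant's extra regex, placed before the handler, returns 403 for it while still letting the images and scripts through.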
