Created
June 13, 2020 10:27
Ampache and phpmyadmin with nginx server
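# Ampache virtual host: serves the PHP application from /var/www/ampache/ via
# php-fpm and proxies /ws to a local WebSocket backend on 127.0.0.1:8100.
server {
    # Listening sockets. Both are plain HTTP as written, so session cookies and
    # login credentials cross the network unencrypted until "ssl" is appended
    # and the ssl_* directives below are enabled.
    listen [::]:701; #ssl; ipv6 optional with ssl enabled
    listen 701; #ssl; ipv4 optional with ssl enabled
    server_name ampcache;
    charset utf-8;

    # Logging, error_log mode [notice] is necessary for rewrite_log on,
    # (very useful if rewrite rules do not work as expected)
    error_log /var/log/ampache/error.log; # notice;
    # access_log /var/log/ampache/access.log;
    # rewrite_log on;

    # Use secure SSL/TLS settings, see https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # ssl_protocols TLSv1.2;
    # ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    # ssl_prefer_server_ciphers on;
    # add_header Strict-Transport-Security max-age=15768000;
    # etc.

    # Use secure headers to avoid XSS and many other things.
    # Two nginx behaviours to keep in mind when editing this list:
    #  - add_header without "always" is only applied to 2xx/3xx responses
    #    (plus a few others), so error pages are sent without these headers;
    #  - a location that declares its own add_header stops inheriting every
    #    header set here and must repeat them.
    add_header X-Content-Type-Options nosniff;
    # Legacy header: current browsers have removed the XSS auditor, so the CSP
    # below is the control that matters.
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "no-referrer";
    # 'unsafe-inline' and 'unsafe-eval' allow injected inline script to run, so
    # this policy restricts script origins but gives little XSS protection.
    add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self'; object-src 'self'";

    # Avoid information leak
    server_tokens off;
    fastcgi_hide_header X-Powered-By;

    root /var/www/ampache/;
    index index.php;

    # Somebody said this helps, in my setup it doesn't prevent temporary saving in files.
    # (proxy_max_temp_file_size only governs proxy_pass responses; responses
    # coming back from php-fpm are controlled by fastcgi_max_temp_file_size.)
    proxy_max_temp_file_size 0;

    # Rewrite rule for Subsonic backend
    if ( !-d $request_filename ) {
        rewrite ^/rest/(.*).view$ /rest/index.php?action=$1 last;
        rewrite ^/rest/fake/(.+)$ /play/$1 last;
    }

    # Rewrite rule for Channels
    if (!-d $request_filename){
        rewrite ^/channel/([0-9]+)/(.*)$ /channel/index.php?channel=$1&target=$2 last;
    }

    # Beautiful URL Rewriting
    rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&name=$5 last;
    rewrite ^/play/ssid/(\w+)/type/(\w+)/oid/([0-9]+)/uid/([0-9]+)/client/(.*)/noscrobble/([0-1])/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&name=$7 last;
    rewrite ^/play/ssid/(.*)/type/(.*)/oid/([0-9]+)/uid/([0-9]+)/client/(.*)/noscrobble/([0-1])/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&player=$7&name=$8 last;
    # Fixed: the "&" between bitrate and player was missing, which merged both
    # values into a single "bitrate" query parameter.
    rewrite ^/play/ssid/(.*)/type/(.*)/oid/([0-9]+)/uid/([0-9]+)/client/(.*)/noscrobble/([0-1])/bitrate/([0-9]+)/player/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&bitrate=$7&player=$8&name=$9 last;
    # Fixed: "(w+)" matched only literal "w" characters (now "\w+"), and nginx
    # has positional captures $1..$9 only, so "$10" expanded to "$1" followed by
    # "0". The tenth group is therefore a named capture.
    rewrite ^/play/ssid/(.*)/type/(.*)/oid/([0-9]+)/uid/([0-9]+)/client/(.*)/noscrobble/([0-1])/transcode_to/(\w+)/bitrate/([0-9]+)/player/(.*)/name/(?<play_name>.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&client=$5&noscrobble=$6&transcode_to=$7&bitrate=$8&player=$9&name=$play_name last;
    # the following line was needed for me to get downloads of single songs to work
    # Fixed: the "&" between uid and action was missing.
    rewrite ^/play/ssid/(.*)/type/(.*)/oid/([0-9]+)/uid/([0-9]+)/action/(.*)/name/(.*)$ /play/index.php?ssid=$1&type=$2&oid=$3&uid=$4&action=$5&name=$6 last;

    location /play {
        if (!-e $request_filename) {
            rewrite ^/play/art/([^/]+)/([^/]+)/([0-9]+)/thumb([0-9]*)\.([a-z]+)$ /image.php?object_type=$2&object_id=$3&auth=$1 last;
        }
        rewrite ^/([^/]+)/([^/]+)(/.*)?$ /play/$3?$1=$2;
        rewrite ^/(/[^/]+|[^/]+/|/?)$ /play/index.php last;
        break;
    }

    # Subsonic API: only GET (which implies HEAD) and POST are accepted.
    location /rest {
        limit_except GET POST {
            deny all;
        }
    }

    # Application internals that must never be served over HTTP.
    location ^~ /bin/ {
        deny all;
        return 403;
    }

    location ^~ /config/ {
        deny all;
        return 403;
    }

    location / {
        limit_except GET POST HEAD{
            deny all;
        }
    }

    # PHP handler.
    # Fixed: the original pattern "^/.*.php" had an unescaped dot and no end
    # anchor, so it handed any URI merely containing "<char>php" to php-fpm.
    # The pattern now requires a literal ".php" followed by "/" or end of URI.
    location ~ ^/.+\.php(/|$) {
        fastcgi_index index.php;
        # sets the timeout for requests in [s] , 60s are normally enough
        fastcgi_read_timeout 600s;
        include fastcgi_params;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # Only hand scripts that exist on disk to php-fpm; otherwise PHP may
        # walk up the path and execute a different file than the one requested
        # (for example an uploaded file addressed as /upload.jpg/x.php).
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Mitigate HTTPOXY https://httpoxy.org/
        fastcgi_param HTTP_PROXY "";
        # has to be set to on if encryption (https) is used:
        # fastcgi_param HTTPS on;
        # choose whichever endpoint your php-fpm is configured to listen on
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
        # fastcgi_pass 127.0.0.1:8000/;
    }

    # Rewrite rule for WebSocket
    location /ws {
        # Strip the /ws prefix; because of the "break" rewrite, the rewritten
        # URI is what gets sent to the backend.
        rewrite ^/ws/(.*) /$1 break;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8100/;
    }
}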
##
# You should look at the following URL's in order to grasp a solid understanding | |
# of Nginx configuration files in order to fully unleash the power of Nginx. | |
# https://www.nginx.com/resources/wiki/start/ | |
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ | |
# https://wiki.debian.org/Nginx/DirectoryStructure | |
# | |
# In most cases, administrators will remove this file from sites-enabled/ and | |
# leave it as reference inside of sites-available where it will continue to be | |
# updated by the nginx packaging team. | |
# | |
# This file will automatically load configuration files provided by other | |
# applications, such as Drupal or Wordpress. These applications will be made | |
# available underneath a path with that package name, such as /drupal8. | |
# | |
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. | |
## | |
# Default server configuration | |
# | |
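# Default (catch-all) server on port 80: static files from /var/www/html plus
# phpMyAdmin served from /usr/share/phpmyadmin through php-fpm.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # phpMyAdmin.
    # As configured this is reachable by every client that can connect to
    # port 80, on any Host header (default_server), over plain HTTP, so
    # database credentials are sent unencrypted. Serving it only over TLS and
    # limiting who may reach it is the usual hardening, e.g. (example values,
    # adjust to your admin network before enabling):
    #     allow 127.0.0.1;
    #     deny all;
    location /phpmyadmin {
        root /usr/share/;
        index index.php index.html index.htm;

        location ~ ^/phpmyadmin/(.+\.php)$ {
            # Refuse requests for scripts that do not exist on disk instead of
            # passing arbitrary paths to php-fpm.
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # Mitigate HTTPOXY https://httpoxy.org/ : a client-supplied
            # "Proxy:" header must not reach PHP as HTTP_PROXY.
            fastcgi_param HTTP_PROXY "";
            include /etc/nginx/fastcgi_params;
        }

        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }

    # Mixed-case alias for the lower-case path.
    # Fixed: the original pattern "^/*" matched every URI and discarded
    # whatever followed /phpMyAdmin; the remainder of the path is now kept.
    location /phpMyAdmin {
        rewrite ^/phpMyAdmin(.*)$ /phpmyadmin$1 last;
    }

    # pass PHP scripts to FastCGI server
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php-fpm (or other unix sockets):
    #    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    #    # With php-cgi (or other tcp sockets):
    #    fastcgi_pass 127.0.0.1:9000;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}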
# Virtual Host configuration for example.com | |
# | |
# You can move that to a different file under sites-available/ and symlink that | |
# to sites-enabled/ to enable it. | |
# | |
#server { | |
# listen 80; | |
# listen [::]:80; | |
# | |
# server_name example.com; | |
# | |
# root /var/www/example.com; | |
# index index.html; | |
# | |
# location / { | |
# try_files $uri $uri/ =404; | |
# } | |
#}