Last active
August 27, 2017 12:42
-
-
Save ansulev/58160b6422e5ee09dcbf79b60420f832 to your computer and use it in GitHub Desktop.
Nginx site configuration for ProcessWire with forced SSL and www to non-www redirect
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # nginx site config for processwire with forced SSL and www to non-redirect | |
| # redirect from www to non-www forced SSL | |
| # uncomment, save file and restart Nginx to enable | |
| # if unsure use return 302 before using return 301 | |
| server { | |
| server_name domain.com www.domain.com; | |
| return 301 https://$server_name$request_uri; | |
| } | |
| server { | |
| listen 443 ssl; | |
| root /home/nginx/domains/domain.com/public; | |
| server_name domain.com www.domain.com; | |
| ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; | |
| ## redirect https www to https non-www | |
| if ($host = 'www.domain.com' ) { | |
| return 301 https://domain.com$request_uri; | |
| } | |
| client_max_body_size 50m; | |
| access_log /home/nginx/domains/domain.com/log/access.log; | |
| error_log /home/nginx/domains/domain.com/log/error.log; | |
| # ----------------------------------------------------------------------------------------------- | |
| # Set default directory index files | |
| # ----------------------------------------------------------------------------------------------- | |
| index index.php index.html index.htm; | |
| # ----------------------------------------------------------------------------------------------- | |
| # Access Restrictions: Protect ProcessWire system files | |
| # ----------------------------------------------------------------------------------------------- | |
| # Block access to ProcessWire system files | |
| location ~ \.(inc|info|module|sh|sql)$ { | |
| deny all; | |
| } | |
| # Block access to any file or directory that begins with a period | |
| location ~ /\. { | |
| deny all; | |
| } | |
| # Block access to protected assets directories | |
| location ~ ^/(site|site-[^/]+)/assets/(cache|logs|backups|sessions|config|install|tmp)($|/.*$) { | |
| deny all; | |
| } | |
| # Block acceess to the /site/install/ directory | |
| location ~ ^/(site|site-[^/]+)/install($|/.*$) { | |
| deny all; | |
| } | |
| # Block dirs in /site/assets/ dirs that start with a hyphen | |
| location ~ ^/(site|site-[^/]+)/assets.*/-.+/.* { | |
| deny all; | |
| } | |
| # Block access to /wire/config.php, /site/config.php, /site/config-dev.php, and /wire/index.config.php | |
| location ~ ^/(wire|site|site-[^/]+)/(config|index\.config|config-dev)\.php$ { | |
| deny all; | |
| } | |
| # Block access to any PHP-based files in /templates-admin/ | |
| location ~ ^/(wire|site|site-[^/]+)/templates-admin($|/|/.*\.(php|html?|tpl|inc))$ { | |
| deny all; | |
| } | |
| # Block access to any PHP or markup files in /site/templates/ | |
| location ~ ^/(site|site-[^/]+)/templates($|/|/.*\.(php|html?|tpl|inc))$ { | |
| deny all; | |
| } | |
| # Block access to any PHP files in /site/assets/ | |
| location ~ ^/(site|site-[^/]+)/assets($|/|/.*\.php)$ { | |
| deny all; | |
| } | |
| # Block access to any PHP files in core or core module directories | |
| location ~ ^/wire/(core|modules)/.*\.(php|inc|tpl|module)$ { | |
| deny all; | |
| } | |
| # Block access to any PHP files in /site/modules/ | |
| location ~ ^/(site|site-[^/]+)/modules/.*\.(php|inc|tpl|module)$ { | |
| deny all; | |
| } | |
| # Block access to any software identifying txt files | |
| location ~ ^/(COPYRIGHT|INSTALL|README|htaccess)\.(txt|md)$ { | |
| deny all; | |
| } | |
| # Block all http access to the default/uninstalled site-default directory | |
| location ~ ^/site-default/ { | |
| deny all; | |
| } | |
| # ----------------------------------------------------------------------------------------------- | |
| # If the request is for a static file, then set expires header and disable logging. | |
| # Give control to ProcessWire if the requested file or directory is non-existing. | |
| # ----------------------------------------------------------------------------------------------- | |
| location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|eot|woff|ttf)$ { | |
| expires 24h; | |
| log_not_found off; | |
| access_log off; | |
| try_files $uri $uri/ /index.php?it=$uri&$args; | |
| } | |
| # ----------------------------------------------------------------------------------------------- | |
| # This location processes all other requests. If the request is for a file or directory that | |
| # physically exists on the server, then load the file. Else give control to ProcessWire. | |
| # ----------------------------------------------------------------------------------------------- | |
| location / { | |
| try_files $uri $uri/ /index.php?it=$uri&$args; | |
| } | |
| # ----------------------------------------------------------------------------------------------- | |
| # Pass .php requests to fastcgi socket | |
| # ----------------------------------------------------------------------------------------------- | |
| location ~ \.php$ { | |
| # Check if the requested PHP file actually exists for security | |
| try_files $uri =404; | |
| # Fix for server variables that behave differently under nginx/php-fpm than typically expected | |
| fastcgi_split_path_info ^(.+\.php)(/.+)$; | |
| # Set environment variables | |
| include fastcgi_params; | |
| fastcgi_param PATH_INFO $fastcgi_path_info; | |
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
| # Pass request to php-fpm fastcgi socket | |
| #fastcgi_pass unix:/var/run/domain.com_fpm.sock; | |
| fastcgi_pass 127.0.0.1:9000; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment