Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
nginx setup
# block content
location ~ ^/content/(.*).(txt|md|mdown)$ {
rewrite ^/content/(.*).(txt|md|mdown)$ /error redirect;
}
# block all files in the site folder from being accessed directly
location ~ ^/site/(.*)$ {
rewrite ^/site/(.*)$ /error redirect;
}
# block all files in the kirby folder
location ~ ^/kirby/(.*)$ {
rewrite ^/kirby/(.*)$ /error redirect;
}
# site links
location / {
try_files $uri $uri/ /index.php?$uri&$args;
}
# panel links
location /panel {
try_files $uri $uri/ /panel/index.php?$uri&$args;
}
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
@frederikbrudy

This comment has been minimized.

Copy link

frederikbrudy commented Sep 30, 2014

Consider using try instead of if directives. Details on why not to use if: http://wiki.nginx.org/IfIsEvil
With Kirby V1 I'm using a setup with nginx like this:

# site links
location / {
    try_files $uri $uri/ /index.php?q=$uri&$args;
}
# panel links
location /panel {
    try_files $uri $uri/ /panel/index.php;
}
@bastianallgeier

This comment has been minimized.

Copy link
Owner Author

bastianallgeier commented Oct 4, 2014

Oh, I just saw your comment. Is there a reason you used the ?q=$uri&$args line only for site links?

@bastianallgeier

This comment has been minimized.

Copy link
Owner Author

bastianallgeier commented Oct 8, 2014

Ok, I replaced my first draft with your suggestions but removed the q= to avoid broken queries containing a q var. It works well for me this way.

@JimmyRittenborg

This comment has been minimized.

Copy link

JimmyRittenborg commented Aug 16, 2015

I've found that (for whatever reason) the above statements for blocking direct access to certain parts of kirby didn't work for me -but these does:

# block content
rewrite ^/content/(.*).(txt|md|mdown)$ /error redirect;

# block all files in the site and kirby folder from being accessed directly
rewrite ^/(site|kirby)/(.*)$ /error redirect;

# site links
location / {
    try_files $uri $uri/ /index.php?$uri&$args;
}

# panel links
location /panel {
    try_files $uri $uri/ /panel/index.php?$uri&$args;
}

# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
location ~ (?:^|/)\. {
    deny all;
}

# Prevent clients from accessing to backup/config/source files
location ~ (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
    deny all;
}
@JimmyRittenborg

This comment has been minimized.

Copy link

JimmyRittenborg commented Aug 21, 2015

Instead of redirecting, which hints that the folders and files actually exists, i've added last which behave just like if an URL just gets miss-spelled - and I've also added that folders like /kirby doesn't hints its existence by redirecting to /kirby/

# Don't hint these as folders
rewrite ^/(content|site|kirby)$ /error last;

# block content
rewrite ^/content/(.*).(txt|md|mdown)$ /error last;

# block all files in the site and kirby folder from being accessed directly
rewrite ^/(site|kirby)/(.*)$ /error last;

# site links
location / {
    try_files $uri $uri/ /index.php?$uri&$args;
}

# panel links
location /panel {
    try_files $uri $uri/ /panel/index.php?$uri&$args;
}

# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
location ~ (?:^|/)\. {
    deny all;
}

# Prevent clients from accessing to backup/config/source files
location ~ (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
    deny all;
}

I think we're about getting to a point where Kirby can be either shipped, documented or both with a NginX config instruction with these basic security precautions 👍

@JimmyRittenborg

This comment has been minimized.

Copy link

JimmyRittenborg commented Jun 7, 2016

Okay, so a pretty important change here.

Kirby Routes (for example Plugin Assets) won't work properly with the above Nginx configs, as they're using try_files just in the root instead of from the root, like

location / {
    autoindex off;
    try_files $uri $uri/ /index.php?$uri&$args;
}

..of cause had to be this

location ~ / {
    autoindex off;
    try_files $uri $uri/ /index.php?$uri&$args;
}

also location /panel should probably be location ~ /panel and be defined before the new more general # site links section for the panel to work.

Also see https://forum.getkirby.com/t/plugin-assets-wont-load-kirby-routes-on-nginx/4318/8

So to sum it all up

# Don't hint these as folders
rewrite ^/(content|site|kirby)$ /error last;

# block content
rewrite ^/content/(.*).(txt|md|mdown)$ /error last;

# block all files in the site and kirby folder from being accessed directly
rewrite ^/(site|kirby)/(.*)$ /error last;

# removes trailing slashes (prevents SEO duplicate content issues)
if (!-d $request_filename) {
    rewrite ^/(.+)/$ /$1 permanent;
}

# panel links
location ~ /panel {
    try_files $uri $uri/ /panel/index.php?$uri&$args;
}

# site links
location ~ / {
    try_files $uri $uri/ /index.php?$uri&$args;
}

# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
location ~ (?:^|/)\. {
    deny all;
}

# Prevent clients from accessing to backup/config/source files
location ~ (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
    deny all;
}
@wottpal

This comment has been minimized.

Copy link

wottpal commented Oct 14, 2016

Hey @JimmyRittenborg, thanks for your improvements on this nginx config. How would all this look if Kirby is installed in a subdirectory of my domain? Do I have to add the dir-name in every rule or is there a simpler way? (Wrapping everything in location ~ /subdir { .. } doesn't seem to work :(

Dennis

@dnspnjrs

This comment has been minimized.

Copy link

dnspnjrs commented Jun 2, 2017

Hi all. Ive been searching and searching. Finally ended up here with this answer.

I have a nginx server configured on localhost and kirby running. For the most part it runs fine but ive encounterd a little annoying detail. It doesnt seem to work with a few specific links:

localhost:8080/panel/ - works
localhost:8080/panel - does not work

Any body an idea on why this would be failing?

# site links
location / {
 autoindex off;
 try_files $uri $uri/ /index.php?$uri&$args;
}

# panel links
 location /panel {
 try_files $uri $uri/ /panel/index.php?$uri&$args;
}

Edit:

The redirect in nginx does work in some way. but it directs to localhost/panel instead of localhost:8080/panel.

@setagana

This comment has been minimized.

Copy link

setagana commented Jul 6, 2017

@JimmyRittenborg Are you able to share your full .conf file including the above code? I'm new to nginx and struggling to see how this comes together with things like error pages and fastcgi. Many thanks in advance.

@automaticalldramatic

This comment has been minimized.

Copy link

automaticalldramatic commented Sep 16, 2017

@wottpal can you share what you did for a sub-directory configuration. I couldn't get panel to work on nginx running on AWS

@dcschmid

This comment has been minimized.

Copy link

dcschmid commented Feb 1, 2020

Is there a nginx config for kirby 3?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.