@bastianallgeier
Last active November 30, 2023 10:14
nginx setup
# block content
location ~ ^/content/(.*)\.(txt|md|mdown)$ {
    rewrite ^/content/(.*)\.(txt|md|mdown)$ /error redirect;
}
# block all files in the site folder from being accessed directly
location ~ ^/site/(.*)$ {
    rewrite ^/site/(.*)$ /error redirect;
}
# block all files in the kirby folder
location ~ ^/kirby/(.*)$ {
    rewrite ^/kirby/(.*)$ /error redirect;
}
# site links
location / {
    try_files $uri $uri/ /index.php?$uri&$args;
}
# panel links
location /panel {
    try_files $uri $uri/ /panel/index.php?$uri&$args;
}
# deny access to .htaccess files
location ~ /\.ht {
    deny all;
}
@bastianallgeier
Author

Oh, I just saw your comment. Is there a reason you used the ?q=$uri&$args line only for site links?

@bastianallgeier
Author

Ok, I replaced my first draft with your suggestions but removed the q= to avoid broken queries containing a q var. It works well for me this way.

@JimmyRittenborg

I've found that (for whatever reason) the above statements for blocking direct access to certain parts of Kirby didn't work for me, but these do:

# block content
rewrite ^/content/(.*)\.(txt|md|mdown)$ /error redirect;

# block all files in the site and kirby folder from being accessed directly
rewrite ^/(site|kirby)/(.*)$ /error redirect;

# site links
location / {
    try_files $uri $uri/ /index.php?$uri&$args;
}

# panel links
location /panel {
    try_files $uri $uri/ /panel/index.php?$uri&$args;
}

# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
location ~ (?:^|/)\. {
    deny all;
}

# Prevent clients from accessing to backup/config/source files
location ~ (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
    deny all;
}

@JimmyRittenborg

Instead of redirecting, which hints that the folders and files actually exist, I've added last, which behaves just as if a URL gets misspelled. I've also made sure that folders like /kirby don't hint at their existence by redirecting to /kirby/

# Don't hint these as folders
rewrite ^/(content|site|kirby)$ /error last;

# block content
rewrite ^/content/(.*)\.(txt|md|mdown)$ /error last;

# block all files in the site and kirby folder from being accessed directly
rewrite ^/(site|kirby)/(.*)$ /error last;

# site links
location / {
    try_files $uri $uri/ /index.php?$uri&$args;
}

# panel links
location /panel {
    try_files $uri $uri/ /panel/index.php?$uri&$args;
}

# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
location ~ (?:^|/)\. {
    deny all;
}

# Prevent clients from accessing to backup/config/source files
location ~ (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
    deny all;
}

I think we're getting to a point where Kirby can be shipped, documented, or both, with Nginx config instructions that include these basic security precautions 👍

@JimmyRittenborg

JimmyRittenborg commented Jun 7, 2016

Okay, so a pretty important change here.

Kirby Routes (for example Plugin Assets) won't work properly with the above Nginx configs, as they're using try_files just in the root instead of from the root, like

location / {
    autoindex off;
    try_files $uri $uri/ /index.php?$uri&$args;
}

...of course had to be this

location ~ / {
    autoindex off;
    try_files $uri $uri/ /index.php?$uri&$args;
}

Also, location /panel should probably be location ~ /panel and be defined before the new, more general # site links section for the panel to work.

Also see https://forum.getkirby.com/t/plugin-assets-wont-load-kirby-routes-on-nginx/4318/8

So to sum it all up

# Don't hint these as folders
rewrite ^/(content|site|kirby)$ /error last;

# block content
rewrite ^/content/(.*)\.(txt|md|mdown)$ /error last;

# block all files in the site and kirby folder from being accessed directly
rewrite ^/(site|kirby)/(.*)$ /error last;

# removes trailing slashes (prevents SEO duplicate content issues)
if (!-d $request_filename) {
    rewrite ^/(.+)/$ /$1 permanent;
}

# Regex locations are tested in order and the first match wins, so the
# deny blocks have to come before the catch-all "location ~ /" below.

# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
location ~ (?:^|/)\. {
    deny all;
}

# Prevent clients from accessing to backup/config/source files
location ~ (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
    deny all;
}

# panel links
location ~ /panel {
    try_files $uri $uri/ /panel/index.php?$uri&$args;
}

# site links
location ~ / {
    try_files $uri $uri/ /index.php?$uri&$args;
}
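
nginx tests regex locations in the order they appear and uses the first one that matches, so whether the dotfile and backup-file deny blocks ever run depends on where they sit relative to a catch-all `location ~ /`. The following is an added example, not code from the gist or its commenters: a small Python model of nginx's documented location-selection order, run over three orderings of the location blocks discussed in this thread. The function names, list names and sample request paths are constructed here, and server-level `rewrite` and `try_files` are not modeled.

```python
import re

def select_location(locations, uri):
    """Return the (modifier, pattern) nginx would select for uri.

    locations is in config order; modifier is "" (prefix), "=" (exact),
    "^~" (prefix that skips regexes), "~" or "~*" (regex).
    """
    best = None  # longest matching prefix location so far
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)  # an exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)
    if best is not None and best[0] == "^~":
        return best
    for mod, pat in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return (mod, pat)  # first matching regex in config order wins
    return best  # no regex matched: fall back to the longest prefix

# The two deny regexes from the thread.
DOT = ("~", r"(?:^|/)\.")
BAK = ("~", r"(?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$")

# Location order of three variants (constructed from the configs in the thread).
PREFIX_CATCHALL = [("", "/"), ("", "/panel"), DOT, BAK]   # location / { ... }
REGEX_CATCHALL_FIRST = [("~", "/panel"), ("~", "/"), DOT, BAK]
DENY_FIRST = [DOT, BAK, ("~", "/panel"), ("~", "/")]

def handled_by_deny(locations, uri):
    """True if the request would land in one of the deny-all blocks."""
    return select_location(locations, uri) in (DOT, BAK)

if __name__ == "__main__":
    # Constructed sample request paths.
    for uri in ("/.htpasswd", "/assets/db.sql", "/panel/login"):
        for name, locs in (("prefix /", PREFIX_CATCHALL),
                           ("~ / first", REGEX_CATCHALL_FIRST),
                           ("deny first", DENY_FIRST)):
            print(f"{uri:16} {name:11} -> {select_location(locs, uri)}")
```

With a prefix `location /` the deny regexes take precedence wherever they are placed; once the catch-all is itself a regex, anything listed after it is unreachable.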

@wottpal

wottpal commented Oct 14, 2016

Hey @JimmyRittenborg, thanks for your improvements on this nginx config. How would all this look if Kirby is installed in a subdirectory of my domain? Do I have to add the dir-name in every rule or is there a simpler way? (Wrapping everything in location ~ /subdir { .. } doesn't seem to work :(

Dennis

@dnspnjrs

dnspnjrs commented Jun 2, 2017

Hi all. I've been searching and searching. Finally ended up here with this answer.

I have an nginx server configured on localhost and Kirby running. For the most part it runs fine, but I've encountered a little annoying detail. It doesn't seem to work with a few specific links:

localhost:8080/panel/ - works
localhost:8080/panel - does not work

Does anybody have an idea why this would be failing?

# site links
location / {
    autoindex off;
    try_files $uri $uri/ /index.php?$uri&$args;
}

# panel links
location /panel {
    try_files $uri $uri/ /panel/index.php?$uri&$args;
}

Edit:

The redirect in nginx does work in some way, but it directs to localhost/panel instead of localhost:8080/panel.

@setagana

setagana commented Jul 6, 2017

@JimmyRittenborg Are you able to share your full .conf file including the above code? I'm new to nginx and struggling to see how this comes together with things like error pages and fastcgi. Many thanks in advance.

@automaticalldramatic

@wottpal can you share what you did for a sub-directory configuration? I couldn't get the panel to work on nginx running on AWS.

@dcschmid

dcschmid commented Feb 1, 2020

Is there an nginx config for Kirby 3?
