Created
September 3, 2018 08:49
-
-
Save mrunkel/0163fe485965bd97c463e1b57a13c2ec to your computer and use it in GitHub Desktop.
A fully working kirby nginx conf file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
server { | |
listen *:443 ssl http2 default_server; | |
server_name <SERVERNAME HERE>; | |
ssl on; | |
# see https://letsencrypt.org/ for an SSL cert | |
ssl_certificate /etc/letsencrypt/certs/<SERVERNAME HERE>_fullchain.pem; | |
ssl_certificate_key /etc/letsencrypt/private/<SERVERNAME HERE>.key; | |
# you need to generate this file `sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048` | |
ssl_dhparam /etc/ssl/certs/dhparam.pem; | |
ssl_session_cache shared:SSL:50m; | |
ssl_session_timeout 1d; | |
ssl_session_tickets off; | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; | |
ssl_prefer_server_ciphers on; | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
resolver 8.8.8.8 8.8.4.4; | |
# allow large uploads | |
client_max_body_size 40M; | |
# zip the following content | |
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript; | |
gzip on; | |
gzip_buffers 16 8k; | |
gzip_comp_level 6; | |
gzip_http_version 1.1; | |
gzip_proxied any; | |
gzip_vary on; | |
index index.php; | |
access_log /var/log/nginx/<SERVERNAME HERE>-access.log combined; | |
error_log /var/log/nginx/<SERVERNAME HERE>-error.log debug; | |
# this is where your kirby files go, your root directory will vary. | |
root /var/www/frontend-core/current; | |
# set some security headers | |
add_header "Strict-Transport-Security" "max-age=15552000; preload"; | |
add_header "X-Content-Type-Options" "nosniff"; | |
add_header "X-XSS-Protection" "1; mode=block"; | |
location ~ \.php$ { # Send all PHP requests to FPM | |
include /etc/nginx/fastcgi.conf; | |
fastcgi_pass 127.0.0.1:9000; | |
fastcgi_param DOCUMENT_ROOT $realpath_root; | |
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; | |
fastcgi_buffer_size 128k; | |
fastcgi_buffers 4 128k; | |
fastcgi_index index.php; | |
fastcgi_read_timeout 3600s; | |
fastcgi_split_path_info ^(.+\.php)(/.+)$; | |
try_files $uri $uri/ /index.php$is_args$args; | |
include fastcgi_params; | |
} | |
# requests in /panel, get sent to the panel index.php | |
location ~ /panel { | |
index index.html index.htm index.php; | |
try_files $uri $uri/ /panel/index.php?$uri&$args; | |
} | |
# set cache headers for fonts | |
location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ { | |
index index.html index.htm index.php; | |
add_header Cache-Control "public"; | |
expires 1M; | |
} | |
# set cache headers for large binaries | |
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ { | |
index index.html index.htm index.php; | |
add_header Cache-Control "public"; | |
expires 6M; | |
try_files $uri $uri/ /index.php?$uri&$args; | |
} | |
# block direct access to text documents in content folder. | |
location ~ ^/content/.*\.(txt|md|mdown)$ { | |
index index.html index.htm index.php; | |
return 301 /error; | |
} | |
# block access to /content, /site, and /kirby root dirs | |
location ~ ^/(content|site|kirby)$ { | |
index index.html index.htm index.php; | |
return 301 /error; | |
} | |
# block all files that start with .ht (.htaccess, .htpasswd, etc) | |
location ~ /\.ht { | |
deny all; | |
index index.html index.htm index.php; | |
} | |
# don't allow download of files with the following extensions | |
location ~ (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ { | |
deny all; | |
index index.html index.htm index.php; | |
} | |
# block access to anything in or under /site and /kirby | |
location ~ ^/(site|kirby)/.*$ { | |
index index.html index.htm index.php; | |
return 301 /error; | |
} | |
# block any files that begin with a . (hidden files) | |
location ~ (?:^|/)\. { | |
deny all; | |
index index.html index.htm index.php; | |
} | |
# set cache headers and also support cache busting urls. | |
# (https://github.com/S1SYPHOS/kirby-sri) | |
location ~* ^/assets/(js|css)/(.*?)\.(\d*\.)?(js|css)$ { | |
index index.html index.htm index.php; | |
add_header Cache-Control "public"; | |
expires 1M; | |
try_files /assets/$1/$2.min.$4 /assets/$1/$2.$4 =404; | |
} | |
# load index.php at root | |
location / { | |
index index.html index.htm index.php; | |
try_files $uri $uri/ /index.php?$uri&$args; | |
} | |
charset utf-8; | |
# rewrite any URLs with a trailing slash to remove slash, except in the panel | |
# where it's required. | |
rewrite ^/(?!panel)(.*)/$ /$1 permanent; | |
# don't talk about what kind of server we are | |
server_tokens off; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment