@pricejn2
Forked from memtkmcc/gravcms_vhost_common.conf
Last active February 20, 2019 17:17
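#######################################################
### nginx Grav CMS basic configuration start
#######################################################
###
### Add recommended HTTP headers
###
### add_header is inherited by a location only when that location declares
### no add_header of its own, so any location that sets even one header must
### repeat this whole set (the "location = /index.php" block below does).
### "always" makes nginx emit the header on error responses (403/404/5xx) as
### well; without it the hardening headers would be missing from exactly the
### deny responses produced further down in this file.
###
### Access-Control-Allow-Origin * is attached to every response of this vhost,
### HTML pages included. A wildcard origin never allows credentialed
### cross-origin reads, so it exposes public content only; confirm nothing
### served here should be unreadable from other origins.
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
### Legacy header; current browsers ignore it, kept for older clients.
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;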
###
### Deny crawlers.
###
### $is_crawler is not defined in this file; presumably a map on the
### User-Agent set at http level - confirm it exists, otherwise nginx -t fails.
### A server-level "if" with only "return" inside is one of the safe uses of "if".
if ($is_crawler) {
return 403;
}
###
### Include high load protection config if exists.
###
### All three includes use a glob; nginx accepts a wildcard include that
### matches no file, so each one is optional. Whatever these files define
### (e.g. $user_socket, cache maps) applies before the locations below.
include /data/conf/nginx_high_load.c*;
###
### Include high level local configuration override if exists.
###
include /var/aegir/config/server_master/nginx/post.d/nginx_force_include*;
###
### Include PHP-FPM version override logic if exists.
###
include /var/aegir/config/server_master/nginx/post.d/fpm_include*;
###
### Allow to use non-default PHP-FPM version for the site
### listed in the special include file.
###
### $user_socket selects the FPM socket name used in "location = /index.php"
### (/var/run/$user_socket.fpm.socket). It must already be declared (by one
### of the includes above or elsewhere) or nginx rejects the config; this only
### fills in the default when the variable is empty.
if ($user_socket = '') {
set $user_socket "www72";
}
###
### Catch all unspecified requests.
###
### Prefix location: it is the fallback only for URIs that match none of the
### regex locations below (the regex ones take precedence). If the URI names
### an existing file it is served from disk as-is, whatever its extension;
### otherwise the request is rewritten to the front controller, which is the
### only way into PHP-FPM in this file.
location / {
try_files $uri $uri/ /index.php?_url=$uri;
}
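###
### Send all non-static requests to php-fpm, restricted to known php file.
###
### This is the only location that reaches PHP-FPM: it is an exact match on
### /index.php, and every other *.php URI is answered 404 further down.
location = /index.php {
### "limreq" must be declared by a limit_conn_zone at http level (not here).
limit_conn limreq 888;
### Diagnostic headers. $device, $cache_uid, $key_uri, $nocache_details and
### $main_site_name are defined outside this file (presumably map blocks);
### $geoip_* come from the geoip module - TODO confirm. They reveal the cache
### key, the backend site name and the country lookup to every client; drop
### them if that disclosure is not wanted in production.
add_header X-Device "$device";
add_header X-GeoIP-Country-Code "$geoip_country_code";
add_header X-GeoIP-Country-Name "$geoip_country_name";
add_header X-Speed-Cache "$upstream_cache_status";
add_header X-Speed-Cache-UID "$cache_uid";
add_header X-Speed-Cache-Key "$key_uri";
add_header X-NoCache "$nocache_details";
add_header X-This-Proto "$http_x_forwarded_proto";
add_header X-Server-Name "$main_site_name";
add_header X-Response-Status "$status";
### Browser-side caching is disabled for PHP responses; nginx's own cache
### below is configured separately and is unaffected by this header.
add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
### The server-level hardening headers are repeated here because declaring
### any add_header in this location suppresses inheritance of that set.
### "always" keeps them on error responses (403/404/5xx) too.
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
tcp_nopush off;
keepalive_requests 0;
### Never hand a missing script to FPM; in an exact-match location $uri is
### always /index.php, so this guards against the file being absent.
try_files $uri =404; ### check for existence of php file first
include fastcgi_params;
### Has no effect in an exact-match location (there is never a PATH_INFO
### suffix); harmless, kept for parity with generic PHP locations.
fastcgi_split_path_info ^(.+\.php)(/.+)$;
### Note the literal "/" between the variables: $fastcgi_script_name already
### begins with "/", so FPM receives a doubled slash in the path (harmless).
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_pass unix:/var/run/$user_socket.fpm.socket;
###
### Use Nginx cache for all visitors.
###
### $nocache is a flag: non-empty means neither store nor read from the cache
### (see fastcgi_no_cache / fastcgi_cache_bypass below).
set $nocache "";
if ( $nocache_details ~ (?:AegirCookie|Args|Skip) ) {
set $nocache "NoCache";
}
### "speed" must be declared by fastcgi_cache_path at http level.
fastcgi_cache speed;
fastcgi_cache_methods GET HEAD; ### Nginx default, but added for clarity
fastcgi_cache_min_uses 1;
### Cache key. $cache_uid is the component that keeps per-user pages apart;
### NOTE(review): confirm it is derived from the session identity, otherwise
### pages rendered for one logged-in user could be served to another.
fastcgi_cache_key "$scheme$is_bot$device$host$request_method$key_uri$cache_uid$http_x_forwarded_proto$sent_http_x_local_proto$cookie_respimg";
### Short TTLs: successful pages 10s, permanent redirects 1m, 302/403/404 1s.
fastcgi_cache_valid 200 10s;
fastcgi_cache_valid 301 1m;
fastcgi_cache_valid 302 403 404 1s;
### Concurrent misses for one key wait for a single upstream fetch.
fastcgi_cache_lock on;
### Backend Cache-Control/Expires do not influence cacheability. Set-Cookie
### is deliberately NOT in this list, so a response that sets a cookie is
### never stored in the shared cache (nginx default behaviour).
fastcgi_ignore_headers Cache-Control Expires;
fastcgi_pass_header Set-Cookie;
fastcgi_pass_header X-Accel-Expires;
fastcgi_pass_header X-Accel-Redirect;
### Skip storing (no_cache) and reading (cache_bypass) when any of these is
### non-empty: the NoCacheID cookie, an Authorization header, a Pragma
### header, or the $nocache flag set above.
fastcgi_no_cache $cookie_NoCacheID $http_authorization $http_pragma $nocache;
fastcgi_cache_bypass $cookie_NoCacheID $http_authorization $http_pragma $nocache;
### Serve a stale copy on backend error/timeout/5xx or while refreshing.
fastcgi_cache_use_stale error http_500 http_503 invalid_header timeout updating;
}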
###
### Security
###
### Regex locations are tried in file order and win over the prefix
### "location /" above, so these deny rules are evaluated before the
### static-file locations below them.
# deny all direct access for these folders
# NOTE: the dot in ".git" is unescaped and the pattern is unanchored at the
# start, so it also matches e.g. "/xgit/" or "/anything/cache/"; over-broad,
# but in the deny direction.
location ~* /(.git|cache|bin|logs|backups)/.*$ {
return 404;
}
# deny running scripts inside core system folders
location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ {
return 404;
}
# deny running scripts inside user folder
# NOTE(review): only the listed extensions are blocked; a file stored under
# /user/ with another extension (e.g. .yml, .json, .html) and present on disk
# is served verbatim by "location /" - confirm against the site's content.
location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ {
return 404;
}
# deny access to specific files in the root folder
# NOTE: case-sensitive (~ rather than ~*), unanchored at both ends and with
# unescaped dots, so it matches these names anywhere in the path and with any
# suffix (e.g. /LICENSE.txt, /user/pages/composer.json). Over-broad, not
# under-broad.
location ~ /(LICENSE|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) {
return 404;
}
###
### Serve & no-log static files & images directly.
###
### Reached only after the deny rules above, so txt/xml/html under
### system/, vendor/ and user/ are already 404 by the time this applies.
### cgi/bat/pl/dll/aspx/class are listed deliberately: they are sent as plain
### files (no handler here), never executed.
### access_log off means requests for these extensions leave no access-log
### entry, which also hides probing of static paths from log-based detection.
location ~* ^.+\.(?:css|js|htc|xml|jpe?g|gif|png|ico|bmp|svg|swf|pdf|docx?|xlsx?|tiff?|txt|rtf|cgi|bat|pl|dll|aspx?|class|otf|ttf|woff|eot|less)$ {
access_log off;
expires 30d;
tcp_nodelay off;
try_files $uri =404;
}
###
### Serve & log bigger media/static/archive files directly.
###
### Same as the static location but logged; archives and installers
### (zip/tar/exe/apk/dmg/ipa) are served from disk only if present.
location ~* ^.+\.(?:avi|mpe?g|mov|wmv|mp3|ogg|ogv|wav|midi|zip|tar|t?gz|rar|dmg|exe|apk|pxl|ipa)$ {
tcp_nodelay off;
tcp_nopush off;
expires 30d;
try_files $uri =404;
}
###
### Pseudo-streaming server-side support for Flash Video (FLV) files.
###
### "flv" requires nginx built with ngx_http_flv_module; the config is
### rejected at load time if the module is absent.
location ~* ^.+\.flv$ {
flv;
tcp_nodelay off;
tcp_nopush off;
expires 30d;
try_files $uri =404;
}
###
### Pseudo-streaming server-side support for H.264/AAC files.
###
### "mp4" requires nginx built with ngx_http_mp4_module. The buffer sizes
### bound the memory used per request to read the moov atom (initial 1m,
### grown up to 5m before the request is refused).
location ~* ^.+\.(?:mp4|m4a)$ {
mp4;
mp4_buffer_size 1m;
mp4_max_buffer_size 5m;
tcp_nodelay off;
tcp_nopush off;
expires 30d;
try_files $uri =404;
}
###
### Deny access to any not listed above php files with 404 error.
###
### Catches every URI ending in .php except the exact "/index.php" (exact
### locations are matched before regex ones). A URI such as "/foo.php/bar"
### does not end in .php and falls through to "location /", whose try_files
### rewrites it to /index.php, so no script other than index.php ever reaches
### PHP-FPM.
location ~* ^.+\.php$ {
return 404;
}
#######################################################
### nginx Grav CMS configuration end
#######################################################