# FORGE CONFIG (DO NOT REMOVE!)
# Forge-managed snippets that must be loaded before the server blocks below (the
# glob is expanded by nginx at config load; an empty directory is fine).
include forge-conf/example.com/before/*;
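# Plain-HTTP listener whose only job is to send every request to HTTPS.
server {
    # Bind IPv6 explicitly so this redirect is reachable over the same address
    # families as the [::]:443 listener below. A server block with no listen
    # directive is bound on *:80 only (*:8000 when nginx is not run as root).
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    # $server_name is the first name above, so www.example.com is canonicalised
    # to example.com -- the only name the TLS server block answers for.
    return 301 https://$server_name$request_uri;
}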
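# HTTPS vhost for a ProcessWire site behind Forge. Access restrictions first,
# then static-file handling, ProCache lookup, and finally the PHP-FPM handoff.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    root /home/forge/example.com/public;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/example.com/188922/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com/188922/server.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the offer.
    # Append TLSv1.3 once the nginx/OpenSSL build on this host supports it.
    ssl_protocols TLSv1.2;
    # Same suite list as before minus DES-CBC3-SHA (3DES, SWEET32); !3DES makes the
    # exclusion explicit so no 3DES suite can be re-introduced by the AES/CAMELLIA aliases.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    # Response headers. HSTS is safe here because the port-80 server block redirects
    # everything to HTTPS; includeSubDomains is deliberately omitted since only
    # example.com is served by this vhost. "always" also sets it on error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;
    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/example.com/server/*;

    # -----------------------------------------------------------------------------------------------
    # Access Restrictions: Protect ProcessWire system files
    # Regex locations are evaluated in file order and the first match wins, so these
    # deny rules must stay ahead of the static-file and PHP locations further down.
    # -----------------------------------------------------------------------------------------------
    # Block access to ProcessWire system files
    location ~ \.(inc|info|module|sh|sql)$ {
        deny all;
    }
    # Block access to any file or directory that begins with a period (this also
    # covers .htaccess/.htpasswd). NOTE(review): it also blocks /.well-known/, so
    # ACME HTTP-01 challenges need an earlier location -- presumably supplied by
    # the forge-conf includes; confirm.
    location ~ /\. {
        deny all;
    }
    # Block access to protected assets directories
    location ~ ^/(site|site-[^/]+)/assets/(cache|logs|backups|sessions|config|install|tmp)($|/.*$) {
        deny all;
    }
    # Block access to the /site/install/ directory
    location ~ ^/(site|site-[^/]+)/install($|/.*$) {
        deny all;
    }
    # Block dirs in /site/assets/ dirs that start with a hyphen
    location ~ ^/(site|site-[^/]+)/assets.*/-.+/.* {
        deny all;
    }
    # Block access to /wire/config.php, /site/config.php, /site/config-dev.php, and /wire/index.config.php
    location ~ ^/(wire|site|site-[^/]+)/(config|index\.config|config-dev)\.php$ {
        deny all;
    }
    # Block access to any PHP-based files in /templates-admin/
    location ~ ^/(wire|site|site-[^/]+)/templates-admin($|/|/.*\.(php|html?|tpl|inc))$ {
        deny all;
    }
    # Block access to any PHP or markup files in /site/templates/
    location ~ ^/(site|site-[^/]+)/templates($|/|/.*\.(php|html?|tpl|inc))$ {
        deny all;
    }
    # Block access to any PHP files in /site/assets/ (uploaded files must never execute)
    location ~ ^/(site|site-[^/]+)/assets($|/|/.*\.php)$ {
        deny all;
    }
    # Block access to any PHP files in core or core module directories
    location ~ ^/wire/(core|modules)/.*\.(php|inc|tpl|module)$ {
        deny all;
    }
    # Block access to any PHP files in /site/modules/
    location ~ ^/(site|site-[^/]+)/modules/.*\.(php|inc|tpl|module)$ {
        deny all;
    }
    # Block access to any software identifying txt files
    location ~ ^/(COPYRIGHT|INSTALL|README|htaccess)\.(txt|md)$ {
        deny all;
    }
    # Block all http access to the default/uninstalled site-default directory
    location ~ ^/site-default/ {
        deny all;
    }

    # -----------------------------------------------------------------------------------------------
    # If the request is for a static file, then set expires header and disable logging.
    # Give control to ProcessWire if the requested file or directory is non-existing.
    # -----------------------------------------------------------------------------------------------
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|eot|woff|ttf)$ {
        expires 5d;
        log_not_found off;
        access_log off;
        try_files $uri $uri/ /index.php?it=$uri&$query_string;
    }

    # -----------------------------------------------------------------------------------------------
    # ProCache Rules
    # $cache_uri selects the pre-rendered page; anything that must not be served from
    # cache (POSTs, requests with a query string, logged-in sessions) is mapped to the
    # non-existent 'nocache' entry so try_files falls through to ProcessWire.
    # -----------------------------------------------------------------------------------------------
    set $cache_uri $request_uri;
    if ($request_method = POST) {
        set $cache_uri 'nocache';
    }
    if ($query_string != "") {
        set $cache_uri 'nocache';
    }
    # Matches every ProcessWire session cookie; the "wires_challenge" cookie contains
    # "wires", so the separate check the config used to carry for it was redundant.
    if ($http_cookie ~* "wires" ) {
        set $cache_uri 'nocache';
    }

    # -----------------------------------------------------------------------------------------------
    # This location processes all other requests. If the request is for a file or directory that
    # physically exists on the server, then load the file. Else give control to ProcessWire.
    # -----------------------------------------------------------------------------------------------
    location / {
        expires -1;
        try_files /site/assets/ProCache-XXXXXXXXXXXXXXXX/$cache_uri/index.html $uri $uri/ /index.php?it=$uri&$args;
    }
    #location / {
    # try_files $uri $uri/ /index.php?it=$uri&$query_string;
    #}

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }

    # NOTE(review): access logging is disabled for the whole vhost, which removes the
    # main source of request history for incident triage -- confirm this is intended.
    access_log off;
    error_log /var/log/nginx/example.com-error.log error;
    error_page 404 /index.php;

    location ~ \.php$ {
        # Only hand the request to PHP-FPM when the .php file really exists on disk.
        # Without this, a URI whose last segment ends in .php but does not exist can
        # reach FPM and, with cgi.fix_pathinfo=1, be resolved against a different
        # (uploaded) file. ProcessWire routes everything through /index.php?it=...,
        # so PATH_INFO-style URIs are not needed here.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
    # The former "location ~ /\.ht" block was unreachable: the earlier "/\." regex
    # location already matches and denies every dotfile, so it was removed.
}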
# FORGE CONFIG (DO NOT REMOVE!)
# Forge-managed snippets loaded after the server blocks above.
include forge-conf/example.com/after/*;