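# Laravel Forge site config for a ProcessWire install (nginx + PHP-FPM).
# The "FORGE ... (DOT NOT REMOVE!)" marker comments are presumably matched
# literally by Forge's tooling; keep them verbatim, typo included.

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/example.com/before/*;

# Plain-HTTP vhost: nothing is served here, every request is redirected to
# HTTPS. $server_name expands to the first name in the server_name list
# (example.com), so www.example.com is redirected to the bare host as well.
server {
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    root /home/forge/example.com/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/example.com/188922/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com/188922/server.key;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); only TLS 1.2 is offered.
    # Add TLSv1.3 once the installed nginx/OpenSSL pair supports it.
    ssl_protocols TLSv1.2;
    # Cipher list kept as originally shipped. NOTE(review): it still permits
    # DES-CBC3-SHA (3DES, SWEET32); drop it unless legacy clients are required.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    # Browser hardening headers. NOTE(review): no Strict-Transport-Security
    # header is sent; consider adding one once the HTTPS setup is confirmed.
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;
    charset utf-8;

    # FORGE CONFIG (DOT NOT REMOVE!)
    include forge-conf/example.com/server/*;

    # -----------------------------------------------------------------------------------------------
    # Access Restrictions: Protect ProcessWire system files
    # -----------------------------------------------------------------------------------------------
    # Regex locations are tested in file order and the first match wins, so the
    # deny rules below must stay ahead of the static-file and PHP handlers.

    # Block access to ProcessWire system files
    location ~ \.(inc|info|module|sh|sql)$ {
        deny all;
    }

    # Block access to any file or directory that begins with a period.
    # NOTE(review): this also covers /.well-known/ unless an earlier prefix
    # location (e.g. from the Forge includes above) claims it — verify if
    # ACME HTTP-01 validation is needed.
    location ~ /\. {
        deny all;
    }

    # Block access to protected assets directories
    location ~ ^/(site|site-[^/]+)/assets/(cache|logs|backups|sessions|config|install|tmp)($|/.*$) {
        deny all;
    }

    # Block access to the /site/install/ directory
    location ~ ^/(site|site-[^/]+)/install($|/.*$) {
        deny all;
    }

    # Block dirs in /site/assets/ dirs that start with a hyphen
    location ~ ^/(site|site-[^/]+)/assets.*/-.+/.* {
        deny all;
    }

    # Block access to /wire/config.php, /site/config.php, /site/config-dev.php, and /wire/index.config.php
    location ~ ^/(wire|site|site-[^/]+)/(config|index\.config|config-dev)\.php$ {
        deny all;
    }

    # Block access to any PHP-based files in /templates-admin/
    location ~ ^/(wire|site|site-[^/]+)/templates-admin($|/|/.*\.(php|html?|tpl|inc))$ {
        deny all;
    }

    # Block access to any PHP or markup files in /site/templates/
    location ~ ^/(site|site-[^/]+)/templates($|/|/.*\.(php|html?|tpl|inc))$ {
        deny all;
    }

    # Block access to any PHP files in /site/assets/ (user uploads live here,
    # so this must match before the PHP handler below).
    location ~ ^/(site|site-[^/]+)/assets($|/|/.*\.php)$ {
        deny all;
    }

    # Block access to any PHP files in core or core module directories
    location ~ ^/wire/(core|modules)/.*\.(php|inc|tpl|module)$ {
        deny all;
    }

    # Block access to any PHP files in /site/modules/
    location ~ ^/(site|site-[^/]+)/modules/.*\.(php|inc|tpl|module)$ {
        deny all;
    }

    # Block access to any software identifying txt files
    location ~ ^/(COPYRIGHT|INSTALL|README|htaccess)\.(txt|md)$ {
        deny all;
    }

    # Block all http access to the default/uninstalled site-default directory
    location ~ ^/site-default/ {
        deny all;
    }

    # -----------------------------------------------------------------------------------------------
    # If the request is for a static file, then set expires header and disable logging.
    # Give control to ProcessWire if the requested file or directory is non-existing.
    # -----------------------------------------------------------------------------------------------
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|eot|woff|ttf)$ {
        expires 5d;
        log_not_found off;
        access_log off;
        try_files $uri $uri/ /index.php?it=$uri&$query_string;
    }

    # -----------------------------------------------------------------------------------------------
    # ProCache Rules
    # -----------------------------------------------------------------------------------------------
    # $cache_uri selects the ProCache file looked up in "location /" below.
    # Any of these conditions forces 'nocache' so the request reaches PHP:
    # POST bodies, a query string, or a ProcessWire session cookie ("wires*").
    set $cache_uri $request_uri;
    if ($request_method = POST) {
        set $cache_uri 'nocache';
    }
    if ($query_string != "") {
        set $cache_uri 'nocache';
    }
    if ($http_cookie ~* "wires" ) {
        set $cache_uri 'nocache';
    }
    if ($http_cookie ~* "wires_challenge" ) {
        set $cache_uri 'nocache';
    }

    # -----------------------------------------------------------------------------------------------
    # This location processes all other requests. If the request is for a file or directory that
    # physically exists on the server, then load the file. Else give control to ProcessWire.
    # -----------------------------------------------------------------------------------------------
    # ProCache-XXXXXXXXXXXXXXXX is the per-site cache directory name; replace
    # the X's with the value ProCache generates for this install.
    location / {
        expires -1;
        try_files /site/assets/ProCache-XXXXXXXXXXXXXXXX/$cache_uri/index.html $uri $uri/ /index.php?it=$uri&$args;
    }

    # Pre-ProCache variant, kept for reference:
    #location / {
    #    try_files $uri $uri/ /index.php?it=$uri&$query_string;
    #}

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }

    access_log off;
    error_log /var/log/nginx/example.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        # Only hand an existing file to PHP-FPM. Without this, a URI whose
        # last segment ends in .php but whose earlier segment is a real
        # non-PHP file (e.g. an uploaded image) reaches PHP-FPM, and with
        # cgi.fix_pathinfo=1 PHP can execute that earlier file as PHP.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
        fastcgi_index index.php;
        # NOTE(review): SCRIPT_FILENAME is not set explicitly here; confirm the
        # included fastcgi_params provides it, otherwise add
        # fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Redundant with "location ~ /\." above (that regex is tested first and
    # already denies every dot-file), but harmless; kept for clarity.
    location ~ /\.ht {
        deny all;
    }
}

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/example.com/after/*;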