Created
February 13, 2020 12:49
-
-
Save xZero707/50be65405b30f6a03758125a6927e94a to your computer and use it in GitHub Desktop.
Invision Power Board v4 Nginx configuration file for use with Centminmod.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # IPB4 Working NGINX site conf file | |
| # Tested on IPB 4.3+ and Centminmod 123.09beta01 | |
| # This file is for a FORCED SSL site. Non-SSL requests will be directed to SSL. | |
| # Replace domain.com with your IP address or domain name. | |
| # IPv6 is now included. | |
| # Replace IPv4 and IPv6 with the actual addresses. | |
| # Information gathered from | |
| # Centminmod.com / Information pulled from multiple guides. Thx eva2000! | |
| # Makoto on IPB Forum via https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/ version 3.4.8 guide. | |
| # Base building forum thread: https://community.centminmod.com/threads/ipb-v4-1-x-files.4922/ | |
| # Anyone else not mentioned who helped modify and create this file: Thanks! | |
| # Generate your own vhost config for Centmin Mod at https://centminmod.com/vhost.php | |
| # REDIRECT TO HTTPS FROM PORT 80 | |
| # REDIRECT FROM WWW TO NON-WWW WITH FORCED SSL | |
| server { | |
| server_name domain.com www.domain.com; | |
| return 301 https://domain.com$request_uri; | |
| # ERROR LOGS VIA 80 | |
| access_log /home/nginx/domains/domain.com/log/access_via80.log combined buffer=256k flush=5m; | |
| error_log /home/nginx/domains/domain.com/log/error_via80.log; | |
| } | |
| server { | |
| listen 443 ssl http2 reuseport; | |
| server_name www.domain.com domain.com; | |
| # ADDED CNAME ENTRY IN CF FOR WWW TO NON-WWW. | |
| # Will re-direct any SSL requests for www to non-www | |
| # https://centminmod.com/nginx_domain_dns_setup.html#httpsredirect | |
| if ($host = 'www.domain.com' ) { | |
| return 301 https://domain.com$request_uri; | |
| } | |
| # SSL CERTS | |
| ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem; | |
| ssl_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com.crt; | |
| ssl_certificate_key /usr/local/nginx/conf/ssl/domain.com/domain.com.key; | |
| include /usr/local/nginx/conf/ssl_include.conf; | |
| # CLOUDFLARE AUTHENTICATED ORIGIN PULL CERT | |
| # community.centminmod.com/threads/13847/ | |
| ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt; | |
| ssl_verify_client on; | |
| http2_max_field_size 16k; | |
| http2_max_header_size 32k; | |
| # DUAL CERT SUPPORTED SSL CIPHERS | |
| ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; | |
| ssl_prefer_server_ciphers on; | |
| # DEVELOPMENT SITE HEADER | |
| # add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; | |
| # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts | |
| add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; | |
| # add_header X-Frame-Options "SAMEORIGIN"; | |
| add_header X-Xss-Protection "1; mode=block" always; | |
| add_header X-Content-Type-Options "nosniff" always; | |
| # add_header Referrer-Policy "strict-origin-when-cross-origin"; | |
| # spdy_headers_comp 5; | |
| ssl_buffer_size 1369; | |
| ssl_session_tickets on; | |
| # ERROR LOGS VIA 443 | |
| access_log /home/nginx/domains/domain.com/log/access_via443.log combined buffer=256k flush=5m; | |
| error_log /home/nginx/domains/domain.com/log/error_via443.log; | |
| # PAGESPEED | |
| # include /usr/local/nginx/conf/pagespeed.conf; | |
| # include /usr/local/nginx/conf/pagespeedhandler.conf; | |
| # include /usr/local/nginx/conf/pagespeedstatslog.conf; | |
| # CMM AUTOPROTECT | |
| include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf; | |
| # ROOT LOCATION OF PROJECT | |
| root /home/nginx/domains/domain.com/public; | |
| # CLOUDFLARE | |
| # Uncomment cloudflare.conf include if using cloudflare for server and/or vhost site. | |
| include /usr/local/nginx/conf/cloudflare.conf; | |
| # CENTMIN MOD MAINTENANCE PAGES | |
| include /usr/local/nginx/conf/503include-main.conf; | |
| # DEVELOPMENT / SITE LOCKDOWN | |
| # location ~ ^/ { | |
| # auth_basic "Private"; | |
| # auth_basic_user_file /usr/local/nginx/conf/htpasswd_main; | |
| # include /usr/local/nginx/conf/php.conf; | |
| # try_files $uri $uri/ /index.php; | |
| # } | |
| # MASK FAKE ADMIN DIRECTORY | |
| # Must comment this during install. Uncomment after you change the name of the admin directory. | |
| location ~^/admin/(.*)$ { | |
| deny all; | |
| } | |
| # SECURE REAL ADMIN DIRECTORY | |
| # Replace /your_admin_renamed_directory/ with your renamed directory. | |
| location ~ ^/some_catchy_admin_directory_name/.+\.php$ { | |
| auth_basic "Private"; | |
| auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin; | |
| include /usr/local/nginx/conf/php.conf; | |
| } | |
| location / { | |
| # MAINTENANCE PAGES | |
| include /usr/local/nginx/conf/503include-only.conf; | |
| # BLOCK COMMON EXPLOITS / SQL INJECTIONS / ETC. | |
| include /usr/local/nginx/conf/block.conf; | |
| # Enables directory listings when index file not found | |
| # autoindex on; | |
| # Shows file listing times as local time | |
| # autoindex_localtime on; | |
| # Prohibit index.php from being called directly | |
| try_files $uri $uri/ /index.php?$args; | |
| } | |
| # IP.BOARD API | |
| location /api/ { | |
| # MAINTENANCE PAGES | |
| # include /usr/local/nginx/conf/503include-only.conf; | |
| # block common exploits, sql injections etc | |
| # include /usr/local/nginx/conf/block.conf; | |
| # Deny all access to API | |
| # deny all; | |
| try_files $uri $uri/ /api/index.php?$args; | |
| } | |
| # IP.BOARD PHP/CGI PROTECTION | |
| location ~ ^/uploads/.*\.(?:php\d*|phtml)$ { | |
| deny all; | |
| } | |
| location ~ ^/datastore/.*\.(?:php\d*|phtml)$ { | |
| deny all; | |
| } | |
| # DENY DOT FILES | |
| # Already included in the drop.conf = https://community.centminmod.com/posts/36444/ | |
| # Id highly advise using the block bad bots | |
| # include /usr/local/nginx/conf/blockbots.conf; | |
| include /usr/local/nginx/conf/pre-staticfiles-local-domain.com.conf; | |
| include /usr/local/nginx/conf/pre-staticfiles-global.conf; | |
| include /usr/local/nginx/conf/staticfiles.conf; | |
| include /usr/local/nginx/conf/php.conf; | |
| include /usr/local/nginx/conf/drop.conf; | |
| include /usr/local/nginx/conf/errorpage.conf; | |
| include /usr/local/nginx/conf/vts_server.conf; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment