From 77b8e1ce84363de8469ff3ec73bd2e11d59e7d8c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakobus=20Sch=C3=BCrz=20=28admin=29?= Date: Fri, 2 Dec 2022 16:32:20 +0100 Subject: [PATCH] add friendica nginx config --- vHost_friendica.conf | 131 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 131 insertions(+) create mode 100644 vHost_friendica.conf diff --git a/vHost_friendica.conf b/vHost_friendica.conf new file mode 100644 index 0000000..23b8d10 --- /dev/null +++ b/vHost_friendica.conf @@ -0,0 +1,131 @@ +server { + listen 80; + server_name ; + access_log /var/log/nginx/.acceess.log anonymized; + + index index.php; + root /var/www/; + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + server_name ; + + #ssl on; + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/ssl/private/schuerz.at.cert; + ssl_certificate /etc/ssl/private/schuerz.at.cert; + ssl_certificate_key /etc/ssl/private/schuerz.at.key; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; + ssl_prefer_server_ciphers on; + + fastcgi_param HTTPS on; + + index index.php; + charset utf-8; + #access_log /dev/null combined; + # dsgvo allowed logging + access_log /var/log/nginx/.acceess.log anonymized; + #error_log /var/log/nginx/.error.log debug; + error_log /var/log/nginx/.error.log; + #Uncomment the following line to include a standard configuration file + #Note that the most specific rule wins and your standard configuration + #will therefore *add* to this file, but not override it. + #include standard.conf + # allow uploads up to 20MB in size + client_max_body_size 20m; + client_body_buffer_size 128k; + # add_header 'Access-Control-Allow-Origin' 'https://schuerz.at/'; + #add_header 'Access-Control-Allow-Origin' *; + #add_header 'Access-Control-Allow-Origin' '*.schuerz.at'; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + add_header Referrer-Policy "same-origin" always; + add_header Permissions-Policy "payment=()" always; + add_header Content-Security-Policy "default-src 'self'; img-src * data:; media-src *; frame-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:" always; + + include mime.types; + + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + + #include snippets/maintenance.conf; + + root /var/www/; + + + # make sure webfinger and other well known services aren't blocked + # by denying dot files and rewrite request to the front controller + location ^~ /.well-known/ { + allow all; + rewrite ^ /index.php?pagename=$uri; + } + + location / { + index index.php index.html index.htm; + try_files $uri /index.php?pagename=$uri&$args; + } + + # block these file types + location ~* \.(tpl|md|tgz|log|out)$ { + deny all; + } + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # or a unix socket + location ~* \.php$ { + # Zero-day exploit defense. + # http://forum.nginx.org/read.php?2,88845,page=3 + # Won't work properly (404 error) if the file is not stored on this + # server, which is entirely possible with php-fpm/php-fcgi. + # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on + # another machine. And then cross your fingers that you won't get hacked. + try_files $fastcgi_script_name =404; + #try_files $uri =404; + + #expires -1; + + # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $request_filename; + fastcgi_param PATH_INFO $2; + fastcgi_param HTTPS on; + fastcgi_pass unix:/run/php/php8.1-fpm.sock; + fastcgi_index index.php; + ## TUNE buffers to avoid error ## + fastcgi_buffers 16 32k; + fastcgi_buffer_size 64k; + fastcgi_busy_buffers_size 64k; + } + + # deny access to all dot files + location ~ /\. { + deny all; + } + + location ~ \..*/.*\.php$ { + return 403; + } + + location ~ /.git/ { + deny all; + } + + # block these file types + location ~* \.(tpl|md|tgz|log|out)$ { + deny all; + } + + # deny access to the CLI scripts + location ^~ /bin { + deny all; + } + + +} +