Merge pull request #544 from oohlaf/nginx

Nginx
Thomas Willingham 2012-12-16 08:38:27 -08:00
commit babbcd890e

@ -1,19 +1,32 @@
From: Olaf Conradi ##
Hey @Friendica Support, # Friendica Nginx configuration
# by Olaf Conradi
#
# On Debian based distributions you can add this file to
# /etc/nginx/sites-available
#
# Then customize to your needs. To enable the configuration
# symlink it to /etc/nginx/sites-enabled and reload Nginx
# using /etc/init.d/nginx reload
##
Just wanted to share my #nginx configuration for #friendica with you guys. ##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
#
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
##
I noticed most of the existing configurations that are floating on the web for #nginx do not deny access to local files. Most of them use the following construct. ##
# This configuration assumes your domain is example.net
location / { # You have a separate subdomain friendica.example.net
try_files $uri $uri/ index.php?q=$request_uri # You want all friendica traffic to be https
} # You have an SSL certificate and key for your subdomain
# You have PHP FastCGI Process Manager (php5-fpm) running on localhost
This serves files like images statically, but also gives everyone access to the source code of your ~friendica ~friendica installation (tpl templates, sql files, etc). One should deny all locations except for images, javascript and css files. Setting these deny rules is tedious and needs maintenance when new directories are added. # You have Friendica installed in /mnt/friendica/www
##
It's easier to route everything through the front controller except those known file types.
Below is my configuration. First I forward non-SSL traffic to SSL.
server { server {
server_name friendica.example.net; server_name friendica.example.net;
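Review bot: the new header comments state the deployment assumptions (domain, https-only subdomain, certificate and key, php5-fpm, install path under /mnt/friendica/www) but never tell the reader which directives encode them, so "Then customize to your needs" leaves the reader to diff the file by hand; add one line under the assumptions naming what must be edited, e.g. `# Edit both server_name lines, the https redirect target, the certificate/key paths and the install path before enabling`. Style: "URL's" in the reading-list comment should be "URLs".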
@ -22,7 +35,14 @@ server {
rewrite ^ https://friendica.example.net$request_uri? permanent; rewrite ^ https://friendica.example.net$request_uri? permanent;
} }
Next is the SSL server part. ##
# Configure Friendica with SSL
#
# All requests are routed to the front controller
# except for certain known file types like images, css, etc.
# Those are served statically whenever possible with a
# fall back to the front controller (needed for avatars, for example)
##
server { server {
listen 443 ssl; listen 443 ssl;
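Review bot: the redirect server still uses `rewrite ^ https://friendica.example.net$request_uri? permanent;`, which the nginx Pitfalls page cited in the file header recommends replacing with `return 301 https://friendica.example.net$request_uri;` (no regex evaluation per request, and no trailing `?` trick needed to stop nginx re-appending the query string). The added comment block above the SSL server describes two cases (front controller, statically served types) but the file has a third: dot files and tpl/md/tgz/log/out are denied outright; mention that here so the summary matches the location blocks below.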
@ -45,60 +65,47 @@ server {
# rewrite to front controller as default rule # rewrite to front controller as default rule
location / { location / {
rewrite ^/(.*) /index.php?q=$1 last; rewrite ^/(.*) /index.php?q=$uri&$args last;
} }
# make sure webfinger isn't blocked by denying dot files # make sure webfinger and other well known services aren't blocked
# and rewrite to front controller # by denying dot files and rewrite request to the front controller
location = /.well-known/host-meta { location ^~ /.well-known/ {
allow all; allow all;
rewrite ^/(.*) /index.php?q=$1 last; rewrite ^/(.*) /index.php?q=$uri&$args last;
} }
# statically serve these file types when possible # statically serve these file types when possible
# otherwise fall back to front controller # otherwise fall back to front controller
# allow browser to cache them # allow browser to cache them
# added .htm for advanced source code editor library # added .htm for advanced source code editor library
location ~* \.(jpg|jpeg|gif|png|css|js|ico|htm|html)$ { location ~* \.(jpg|jpeg|gif|png|css|js|htm|html)$ {
expires 30d; expires 30d;
try_files $uri /index.php?q=$uri&$args; try_files $uri /index.php?q=$uri&$args;
} }
# block these file types # block these file types
location ~* \.(tpl|md|git|tgz|log|out) { location ~* \.(tpl|md|tgz|log|out)$ {
deny all; deny all;
} }
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~* \.php$ { location ~* \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
# # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
# # With php5-cgi alone:
# With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000; # fastcgi_pass 127.0.0.1:9000;
# With php5-fpm: # With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;
include fastcgi_params; include fastcgi_params;
} }
# deny access to all dot files (including .htaccess) # deny access to all dot files
location ~ /\. { location ~ /\. {
deny all; deny all;
} }
} }
That's it.
#nginx #friendica @Friendica Support
I found one bug after posting when I noticed 404's coming in for certain image files. Avatars need a fallback to go through the front controller.
# statically serve these file types when possible
# otherwise fall back to front controller
# allow browser to cache them
# added .htm for advanced source code editor library
location ~* \.(jpg|jpeg|gif|png|css|js|ico|htm)$ {
expires 30d;
try_files $uri /index.php?q=$request_uri?;
}
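Review bot: the `location ~* \.php$` block relies only on the php.ini comment (`cgi.fix_pathinfo = 0`) to stop a request for a nonexistent script such as `/some/upload.jpg/x.php` from being executed as the file before the last slash; add `try_files $uri =404;` ahead of `fastcgi_pass` so paths that do not exist on disk never reach php-fpm regardless of the php.ini setting. Related ordering problem: nginx evaluates regex locations in file order and stops at the first match, so `location ~* \.php$` wins over the trailing `location ~ /\.` for a path like `/.something/x.php`, which is then passed to FastCGI instead of denied; move the dot-file deny above the PHP block (the `^~ /.well-known/` prefix location is unaffected because `^~` stops the regex search). Minor: `ico` was dropped from the static-file list, so `/favicon.ico` now goes through `location /` to the front controller on every request; if that is intended, say so in the comment, otherwise restore it.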