2015-07-25 22:37:10 +09:00
|
|
|
server {
|
2019-05-12 04:04:18 +09:00
|
|
|
listen [::]:80;
|
|
|
|
listen 80;
|
2015-12-28 07:58:10 +09:00
|
|
|
|
2019-05-29 21:14:11 +09:00
|
|
|
# FIXME: Change domain name here (and also make sure you do the same in the next 'server' section)
|
2019-05-12 04:04:18 +09:00
|
|
|
server_name social.example.org;
|
2015-12-28 07:58:10 +09:00
|
|
|
|
2019-05-12 04:04:18 +09:00
|
|
|
# redirect all traffic to HTTPS
|
2020-07-10 00:39:36 +09:00
|
|
|
return 301 https://$host$request_uri;
|
|
|
|
}
|
|
|
|
|
|
|
|
map $sent_http_content_type $gnusocial_expires_policy {
|
|
|
|
default off;
|
|
|
|
text/css 30d;
|
|
|
|
application/javascript 30d;
|
|
|
|
~image/ 30d;
|
|
|
|
~video/ 30d;
|
2015-12-28 07:58:10 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
2019-05-29 21:14:11 +09:00
|
|
|
# HTTPS is mandatory on GNU social unless you are using Tor network. Seriously.
|
|
|
|
# Set it up with a cert (any cert) before you run the install.
|
2019-05-12 04:04:18 +09:00
|
|
|
listen [::]:443 ssl http2;
|
|
|
|
listen 443 ssl http2;
|
2015-07-25 22:37:10 +09:00
|
|
|
|
2019-05-12 04:04:18 +09:00
|
|
|
# Root
|
2019-08-06 09:43:42 +09:00
|
|
|
# FIXME: Change the path below to where you installed GNU social (GNU social's root + /public)
|
|
|
|
root /var/www/gnusocial/public;
|
2015-07-25 22:37:10 +09:00
|
|
|
|
2019-05-12 04:04:18 +09:00
|
|
|
# Server name
|
2019-05-29 21:14:11 +09:00
|
|
|
# FIXME: Change "social.example.org" to your site's domain name
|
2019-05-12 04:04:18 +09:00
|
|
|
server_name social.example.org;
|
2015-07-25 22:37:10 +09:00
|
|
|
|
2019-05-12 04:04:18 +09:00
|
|
|
# SSL
|
2019-05-29 21:14:11 +09:00
|
|
|
# FIXME: Change the paths to setup your SSL key/cert. See https://cipherli.st/ for more information
|
2019-05-12 04:04:18 +09:00
|
|
|
ssl_certificate ssl/certs/social.example.org.crt;
|
|
|
|
ssl_certificate_key ssl/private/social.example.org.key;
|
2015-07-25 22:37:10 +09:00
|
|
|
|
2019-05-12 04:04:18 +09:00
|
|
|
# Index
|
|
|
|
index index.php;
|
2015-07-25 22:37:10 +09:00
|
|
|
|
2020-07-10 00:39:36 +09:00
|
|
|
# Enable browser caching for JS, CSS, images, audio, video
|
|
|
|
expires $gnusocial_expires_policy;
|
|
|
|
|
2019-08-05 04:14:45 +09:00
|
|
|
# X-Accel/X-Sendfile. Still needs to be enabled in the config
|
2020-07-10 00:39:36 +09:00
|
|
|
location ^~ /file {
|
2019-08-05 04:14:45 +09:00
|
|
|
internal;
|
|
|
|
# FIXME: Change "/path/to/gnusocial/root/" to the folder where
|
|
|
|
# attachments are stored (normally the same as the site root)
|
|
|
|
root /path/to/gnusocial/root/;
|
2020-07-10 00:39:36 +09:00
|
|
|
|
|
|
|
# Enable compression for images, audio, video to save bandwidth
|
|
|
|
# gzip on;
|
|
|
|
# gzip_comp_level 4;
|
2019-08-05 04:14:45 +09:00
|
|
|
}
|
|
|
|
|
2019-05-12 04:04:18 +09:00
|
|
|
# PHP
|
2020-03-13 03:03:48 +09:00
|
|
|
# FIXME: Change "php7.X" to your version of fpm
|
2019-08-06 09:43:42 +09:00
|
|
|
location ~ ^/(index|install)\.php(/.*)?$ {
|
2019-07-27 02:29:41 +09:00
|
|
|
#location ^~ /index.php {
|
2019-05-12 04:04:18 +09:00
|
|
|
include fastcgi_params;
|
2015-12-28 07:58:10 +09:00
|
|
|
|
2019-11-01 14:52:21 +09:00
|
|
|
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
|
|
|
set $path_info $fastcgi_path_info;
|
|
|
|
try_files $fastcgi_script_name =404;
|
|
|
|
|
|
|
|
fastcgi_pass unix:/run/php/php7.X-fpm.sock;
|
|
|
|
fastcgi_index index.php;
|
|
|
|
|
|
|
|
fastcgi_param PATH_INFO $path_info;
|
|
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
2019-05-29 21:14:11 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
# Don't allow any PHP file other than index.php to be executed
|
|
|
|
# This will ensure that nor config.php nor plugin files with eventual hardcoded security information are downloadable
|
|
|
|
# And this is better than allowing php files to be executed in case of forgotten `if (!defined('GNUSOCIAL')) { exit(1); }`
|
|
|
|
location ~ \.php$ {
|
|
|
|
deny all;
|
2019-05-12 04:04:18 +09:00
|
|
|
}
|
2015-07-25 22:37:10 +09:00
|
|
|
|
2019-05-12 04:04:18 +09:00
|
|
|
# Location
|
|
|
|
location / {
|
|
|
|
try_files $uri $uri/ @index_handler;
|
|
|
|
}
|
2015-07-25 22:37:10 +09:00
|
|
|
|
2020-07-10 00:39:36 +09:00
|
|
|
# If avatars are located at /path/to/gnusocial/root/file (default)
|
|
|
|
location ^~ /avatar {
|
|
|
|
rewrite ^(.*)$ /file/$1 last;
|
|
|
|
}
|
|
|
|
|
2019-05-12 04:04:18 +09:00
|
|
|
# Fancy URLs
|
|
|
|
error_page 404 @index_handler;
|
|
|
|
location @index_handler {
|
|
|
|
rewrite ^(.*)$ /index.php?p=$1 last;
|
|
|
|
}
|
2015-12-28 07:58:10 +09:00
|
|
|
|
2019-05-12 04:04:18 +09:00
|
|
|
# Restrict access that is unnecessary anyway
|
|
|
|
location ~ /\.(ht|git) {
|
|
|
|
deny all;
|
|
|
|
}
|
2015-07-25 22:37:10 +09:00
|
|
|
|
2019-05-12 04:04:18 +09:00
|
|
|
#
|
|
|
|
# Hardening (optional)
|
|
|
|
#
|
|
|
|
# add_header Strict-Transport-Security "max-age=15768000; preload;";
|
|
|
|
# add_header X-Content-Type-Options nosniff;
|
|
|
|
# add_header Referrer-Policy strict-origin-when-cross-origin;
|
|
|
|
# add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
|
|
|
|
# add_header X-Permitted-Cross-Domain-Policies none;
|
|
|
|
# add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes
|
|
|
|
#
|
|
|
|
# client_max_body_size 15M;
|
|
|
|
# client_body_buffer_size 128k;
|
|
|
|
# gzip_vary on;
|
|
|
|
}
|