From 031a491abdb4af0a98abd7f56558c229821298fd Mon Sep 17 00:00:00 2001 From: Diogo Cordeiro Date: Sat, 11 May 2019 20:04:18 +0100 Subject: [PATCH] Improved version of nginx sample config by XRevan86 --- nginx.conf.sample | 131 ++++++++++++++++++++++++++++------------------ 1 file changed, 81 insertions(+), 50 deletions(-) diff --git a/nginx.conf.sample b/nginx.conf.sample index baeecb7757..bf787e6983 100644 --- a/nginx.conf.sample +++ b/nginx.conf.sample @@ -1,68 +1,99 @@ server { - listen 80; - listen [::]:80; + listen [::]:80; + listen 80; - # FIXME: change domain name here (and also make sure you do the same in the next 'server' section) - server_name social.example.org; +# FIXME: change domain name here (and also make sure you do the same in the next 'server' section) + server_name social.example.org; - # redirect all traffic to HTTPS - rewrite ^ https://$server_name$request_uri? permanent; +# redirect all traffic to HTTPS + rewrite ^ https://$host$request_uri? permanent; } server { - # Use HTTPS. Seriously. Set it up with a cert (any cert) before you run the install. - listen 443 ssl; +# HTTPS is mandatory on GNU social unless you are using Tor network. Seriously. Set it up with a cert (any cert) before you run the install. + listen [::]:443 ssl http2; + listen 443 ssl http2; - # Server name - # Change "social.example.org" to your site's domain name - server_name social.example.org; +# Root +# Change the path below to where you installed +# GNU social + root /path/to/gnusocial/root; - # SSL - # Uncomment and change the paths to setup - # your SSL key/cert. See https://cipherli.st/ - # for more information - ssl_certificate ssl/certs/social.example.org.crt; - ssl_certificate_key ssl/private/social.example.org.key; +# Server name +# Change "social.example.org" to your site's domain name +# GNU social MUST be installed in the domain root + server_name social.example.org; - # Logs - # Uncomment and change the paths to setup - # logging - #access_log /path/to/access.log; - #error_log /path/to/error.log; +# SSL +# Uncomment and change the paths to setup +# your SSL key/cert. See https://cipherli.st/ +# for more information + ssl_certificate ssl/certs/social.example.org.crt; + ssl_certificate_key ssl/private/social.example.org.key; - # Root - # Change the path below to where you installed - # GNU social - root /path/to/gnusocial/root; +# Logs +# Uncomment and change the paths to setup +# logging +#access_log /path/to/access.log; +#error_log /path/to/error.log; - # Index - index index.php; +# Index + index index.php; - # PHP - location ~ \.php { - include snippets/fastcgi-php.conf; +# PHP + location /index.php { + include fastcgi_params; + include snippets/fastcgi-php.conf; - # This should be the same value as in your (optional) /etc/php5/fpm/pool.d/$server.conf - fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass unix:/var/run/php/php7.3-fpm.sock; + fastcgi_param SCRIPT_FILENAME $request_filename; - # Remove the "fastcgi_pass" line above and uncomment - # the one below to use TCP sockets instead of Unix sockets - #fastcgi_pass 127.0.0.1:9000; - } + # Further optional configuration + #fastcgi_buffer_size 128K; + #fastcgi_buffers 4 256K; + #fastcgi_busy_buffers_size 256K; + #fastcgi_read_timeout 600s; + #fastcgi_send_timeout 300s; + #fastcgi_connect_timeout 75s; + #http2_push_preload on; + } - # Location - location / { - try_files $uri $uri/ @gnusocial; - } +# Location + location / { + try_files $uri $uri/ @index_handler; + } - # Fancy URLs - location @gnusocial { - rewrite ^(.*)$ /index.php?p=$1 last; - } +# Fancy URLs + error_page 404 @index_handler; + location @index_handler { + rewrite ^(.*)$ /index.php?p=$1 last; + } - # Restrict access that is unnecessary anyway - location ~ /\.(ht|git) { - deny all; - } +# Restrict access that is unnecessary anyway + location ~ /\.(ht|git) { + deny all; + } + +# +# Hardening (optional) +# +# add_header Strict-Transport-Security "max-age=15768000; preload;"; +# add_header X-Content-Type-Options nosniff; +# add_header Referrer-Policy strict-origin-when-cross-origin; +# add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;"; +# add_header X-Permitted-Cross-Domain-Policies none; +# add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes +# +# client_max_body_size 15M; +# client_body_buffer_size 128k; +# gzip_vary on; +# +# location ~* \.(?:css|js|woff|svg|gif|png|webp|ttf|ico|jpe?g)$ { +# gzip on; +# gzip_comp_level 4; +# add_header Cache-Control "public"; +# expires 30d; +# access_log off; +# log_not_found off; +# } } -