wamo/gnu-social
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[NGINX conf] Fix PHP files being served as files.

Browse Source
This commit is contained in:
Diogo Cordeiro 2019-05-29 13:14:11 +01:00
parent 4ca32628f7
commit bb175f3d4e
1 changed files with 26 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
nginx.conf.sample
View File

@ -2,7 +2,7 @@ server {
listen [::]:80; listen [::]:80;
listen 80; listen 80;
# FIXME: change domain name here (and also make sure you do the same in the next 'server' section) # FIXME: Change domain name here (and also make sure you do the same in the next 'server' section)
server_name social.example.org; server_name social.example.org;
# redirect all traffic to HTTPS # redirect all traffic to HTTPS
@ -10,52 +10,56 @@ server {
} }
server { server {
# HTTPS is mandatory on GNU social unless you are using Tor network. Seriously. Set it up with a cert (any cert) before you run the install. # HTTPS is mandatory on GNU social unless you are using Tor network. Seriously.
# Set it up with a cert (any cert) before you run the install.
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
listen 443 ssl http2; listen 443 ssl http2;
# Root # Root
# Change the path below to where you installed # FIXME: Change the path below to where you installed GNU social
# GNU social
root /path/to/gnusocial/root; root /path/to/gnusocial/root;
# Server name # Server name
# Change "social.example.org" to your site's domain name # FIXME: Change "social.example.org" to your site's domain name
# GNU social MUST be installed in the domain root # GNU social MUST be installed in the domain root
server_name social.example.org; server_name social.example.org;
# SSL # SSL
# Uncomment and change the paths to setup # FIXME: Change the paths to setup your SSL key/cert. See https://cipherli.st/ for more information
# your SSL key/cert. See https://cipherli.st/
# for more information
ssl_certificate ssl/certs/social.example.org.crt; ssl_certificate ssl/certs/social.example.org.crt;
ssl_certificate_key ssl/private/social.example.org.key; ssl_certificate_key ssl/private/social.example.org.key;
# Logs # Logs
# Uncomment and change the paths to setup # FIXME: Uncomment and change the paths to setup logging
# logging # access_log /path/to/access.log;
#access_log /path/to/access.log; # error_log /path/to/error.log;
#error_log /path/to/error.log;
# Index # Index
index index.php; index index.php;
# PHP # PHP
location /index.php { location ~ /index.php {
include fastcgi_params; include fastcgi_params;
include snippets/fastcgi-php.conf; include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock; fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_param SCRIPT_FILENAME $request_filename;
# Further optional configuration # Further optional configuration
#fastcgi_buffer_size 128K; # fastcgi_buffer_size 128K;
#fastcgi_buffers 4 256K; # fastcgi_buffers 4 256K;
#fastcgi_busy_buffers_size 256K; # fastcgi_busy_buffers_size 256K;
#fastcgi_read_timeout 600s; # fastcgi_read_timeout 600s;
#fastcgi_send_timeout 300s; # fastcgi_send_timeout 300s;
#fastcgi_connect_timeout 75s; # fastcgi_connect_timeout 75s;
#http2_push_preload on; # http2_push_preload on;
}
# Don't allow any PHP file other than index.php to be executed
# This will ensure that nor config.php nor plugin files with eventual hardcoded security information are downloadable
# And this is better than allowing php files to be executed in case of forgotten `if (!defined('GNUSOCIAL')) { exit(1); }`
location ~ \.php$ {
deny all;
} }
# Location # Location
@ -97,3 +101,4 @@ server {
# log_not_found off; # log_not_found off;
# } # }
} }