gnu-social/DOCUMENTATION/SYSTEM_ADMINISTRATORS/webserver_conf/nginx.conf.sample

98 lines
3.0 KiB
Plaintext

server {
listen [::]:80;
listen 80;
# FIXME: Change domain name here (and also make sure you do the same in the next 'server' section)
server_name social.example.org;
# redirect all traffic to HTTPS
rewrite ^ https://$host$request_uri? permanent;
}
server {
# HTTPS is mandatory on GNU social unless you are using Tor network. Seriously.
# Set it up with a cert (any cert) before you run the install.
listen [::]:443 ssl http2;
listen 443 ssl http2;
# Root
# FIXME: Change the path below to where you installed GNU social (GNU social's root + /public)
root /var/www/gnusocial/public;
# Server name
# FIXME: Change "social.example.org" to your site's domain name
server_name social.example.org;
# SSL
# FIXME: Change the paths to setup your SSL key/cert. See https://cipherli.st/ for more information
ssl_certificate ssl/certs/social.example.org.crt;
ssl_certificate_key ssl/private/social.example.org.key;
# Index
index index.php;
# X-Accel/X-Sendfile. Still needs to be enabled in the config
location /file {
internal;
# FIXME: Change "/path/to/gnusocial/root/" to the folder where
# attachments are stored (normally the same as the site root)
root /path/to/gnusocial/root/;
}
# PHP
location ~ ^/(index|install)\.php(/.*)?$ {
#location ^~ /index.php {
include fastcgi_params;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
# Don't allow any PHP file other than index.php to be executed
# This will ensure that nor config.php nor plugin files with eventual hardcoded security information are downloadable
# And this is better than allowing php files to be executed in case of forgotten `if (!defined('GNUSOCIAL')) { exit(1); }`
location ~ \.php$ {
deny all;
}
# Location
location / {
try_files $uri $uri/ @index_handler;
}
# Fancy URLs
error_page 404 @index_handler;
location @index_handler {
rewrite ^(.*)$ /index.php?p=$1 last;
}
# Restrict access that is unnecessary anyway
location ~ /\.(ht|git) {
deny all;
}
#
# Hardening (optional)
#
# add_header Strict-Transport-Security "max-age=15768000; preload;";
# add_header X-Content-Type-Options nosniff;
# add_header Referrer-Policy strict-origin-when-cross-origin;
# add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
# add_header X-Permitted-Cross-Domain-Policies none;
# add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes
#
# client_max_body_size 15M;
# client_body_buffer_size 128k;
# gzip_vary on;
#
# location ~* \.(?:css|js|woff|svg|gif|png|webp|ttf|ico|jpe?g)$ {
# gzip on;
# gzip_comp_level 4;
# add_header Cache-Control "public";
# expires 30d;
# access_log off;
# log_not_found off;
# }
}