add php upstream and harden configuration security

* Add php upstream example * improve static files cache directives * harden security
2018-12-14 19:35:31 +01:00 · 2018-12-14 19:35:31 +01:00 · c497d11364
parent 4acab4a46f
commit c497d11364
1 changed files with 50 additions and 20 deletions
--- a/.nginx.conf
+++ b/.nginx.conf
@ -1,33 +1,64 @@
+## Example configuration:
+# upstream php {
+#    # use tcp connection
+#    # server  127.0.0.1:9090;
+#    # or socket
+#    server   unix:/var/run/php/php7.2-fpm.sock;
+# }
+# server {
+#    listen 80;
+#    server_name forum.domain.tld;
+#    root /var/www/forum.site.tld/public;
+#    include /var/www/forum.domain.tld/.nginx.conf;
+# }
+#
+
 # Pass requests that don't refer directly to files in the filesystem to index.php
 location / {
-  try_files $uri $uri/ /index.php?$query_string;
+    try_files $uri $uri/ /index.php?$args;
 }

+# Pass requests to fastcgi upstream
+# just use the upstream example above 
+location ~ \.php$ {
+    try_files $uri =404;
+    include fastcgi_params;
+    fastcgi_pass php;
+}
 # The following directives are based on best practices from H5BP Nginx Server Configs
 # https://github.com/h5bp/server-configs-nginx
-
 # Expire rules for static content
 location ~* \.(?:manifest|appcache|html?|xml|json)$ {
-  add_header Cache-Control "max-age=0";
+    add_header Cache-Control "max-age=0";
 }
-
 location ~* \.(?:rss|atom)$ {
-  add_header Cache-Control "max-age=3600";
+    add_header Cache-Control "max-age=3600";
+}
+# allow browser cache for all static assets  
+location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
+# enable CORS
+    add_header "Access-Control-Allow-Origin" "*";
+    access_log off;
+# do not log 404 errors for static files
+    log_not_found off;
+    expires max;
+}
+# allow browser cache for 30d on css & js files
+location ~* \.(?:css(\.map)?|js(\.map)?)$ {
+    add_header "Access-Control-Allow-Origin" "*";
+    access_log off;
+    log_not_found off;
+    expires 30d;
+}
+# Security settings for better privacy
+# Deny hidden files & directory, excepted .well-known
+location ~ /\.(?!well-known\/) {
+    deny all;
 }

-location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
-  add_header Cache-Control "max-age=2592000";
-  access_log off;
-}
-
-location ~* \.(?:css|js)$ {
-  add_header Cache-Control "max-age=31536000";
-  access_log off;
-}
-
-location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
-  add_header Cache-Control "max-age=2592000";
-  access_log off;
+# Deny backup extensions & log files and return 403 forbidden
+location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
+    deny all;
 }

 # Gzip compression
@ -36,8 +67,7 @@ gzip_comp_level 5;
 gzip_min_length 256;
 gzip_proxied any;
 gzip_vary on;
-gzip_types
-    application/atom+xml
+gzip_types application/atom+xml
    application/javascript
    application/json
    application/ld+json