github
/
flarum
mirror of https://github.com/flarum/flarum
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

add php upstream and harden configuration security 

* Add php upstream example 
* improve static files cache directives
* harden security
pull/60/head
VirtuBox 2018-12-14 19:35:31 +01:00 committed by GitHub
parent 4acab4a46f
commit c497d11364
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 50 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
.nginx.conf
View File

@ -1,33 +1,64 @@
## Example configuration:
# upstream php {
# # use tcp connection
# # server 127.0.0.1:9090;
# # or socket
# server unix:/var/run/php/php7.2-fpm.sock;
# }
# server {
# listen 80;
# server_name forum.domain.tld;
# root /var/www/forum.site.tld/public;
# include /var/www/forum.domain.tld/.nginx.conf;
# }
#
# Pass requests that don't refer directly to files in the filesystem to index.php # Pass requests that don't refer directly to files in the filesystem to index.php
location / { location / {
try_files $uri $uri/ /index.php?$query_string; try_files $uri $uri/ /index.php?$args;
} }
# Pass requests to fastcgi upstream
# just use the upstream example above
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php;
}
# The following directives are based on best practices from H5BP Nginx Server Configs # The following directives are based on best practices from H5BP Nginx Server Configs
# https://github.com/h5bp/server-configs-nginx # https://github.com/h5bp/server-configs-nginx
# Expire rules for static content # Expire rules for static content
location ~* \.(?:manifest|appcache|html?|xml|json)$ { location ~* \.(?:manifest|appcache|html?|xml|json)$ {
add_header Cache-Control "max-age=0"; add_header Cache-Control "max-age=0";
} }
location ~* \.(?:rss|atom)$ { location ~* \.(?:rss|atom)$ {
add_header Cache-Control "max-age=3600"; add_header Cache-Control "max-age=3600";
}
# allow browser cache for all static assets
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
# enable CORS
add_header "Access-Control-Allow-Origin" "*";
access_log off;
# do not log 404 errors for static files
log_not_found off;
expires max;
}
# allow browser cache for 30d on css & js files
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires 30d;
}
# Security settings for better privacy
# Deny hidden files & directory, excepted .well-known
location ~ /\.(?!well-known\/) {
deny all;
} }
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ { # Deny backup extensions & log files and return 403 forbidden
add_header Cache-Control "max-age=2592000"; location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
access_log off; deny all;
}
location ~* \.(?:css|js)$ {
add_header Cache-Control "max-age=31536000";
access_log off;
}
location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
add_header Cache-Control "max-age=2592000";
access_log off;
} }
# Gzip compression # Gzip compression
@ -36,8 +67,7 @@ gzip_comp_level 5;
gzip_min_length 256; gzip_min_length 256;
gzip_proxied any; gzip_proxied any;
gzip_vary on; gzip_vary on;
gzip_types gzip_types application/atom+xml
application/atom+xml
application/javascript application/javascript
application/json application/json
application/ld+json application/ld+json