Merge branch 'release/1.0.34'

Author: khalwat

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Nginx-Craft Changelog
 
+## 1.0.34 - 2021.04.18
+### Added
+* Added a [Forge Template](https://forge.laravel.com/docs/1.0/servers/nginx-templates.html) `NginxFastCGICacheTemplate.conf`
+* Opt out of Google Federated Learning of Cohorts ("FLoC") via the `Permissions-Policy` header. [ref:](https://amifloced.org/)
+
 ## 1.0.33 - 2021.03.17
 ### Changed
 * Updated the Forge template to use more Forge-provided variables

forge-templates/NginxFastCGICacheTemplate.conf

@@ -0,0 +1,232 @@
+# FastCGI Cache
+fastcgi_cache_path /var/run/nginx-cache/{{ SITE }} levels=1:2 keys_zone={{ SITE }}:100m inactive=1d  use_temp_path=off max_size=100m;
+
+# FORGE CONFIG (DO NOT REMOVE!)
+include forge-conf/{{ SITE }}/before/*;
+
+# Bots to ban via user agent
+map $http_user_agent $limit_bots {
+     default 0;
+     ~*(AhrefsBot|Baiduspider|PaperLiBot) 1;
+}
+
+server {
+    # Listen for both IPv4 & IPv6 requests on port 443 with http2 enabled
+    listen {{ PORT }};
+    listen {{ PORT_V6 }};
+
+    # General virtual host settings
+    server_name {{ DOMAINS }};
+    server_tokens off;
+    root {{ PATH }};
+    index index.html index.htm index.php;
+    charset utf-8;
+
+    # Enable serving of static gzip files as per: http://nginx.org/en/docs/http/ngx_http_gzip_static_module.html
+    gzip_static  on;
+
+    # Enable server-side includes as per: http://nginx.org/en/docs/http/ngx_http_ssi_module.html
+    ssi on;
+
+    # Disable limits on the maximum allowed size of the client request body
+    client_max_body_size 0;
+
+    # Ban certain bots from crawling the site
+    if ($limit_bots = 1) {
+        return 403;
+    }
+
+    # 404 error handler
+    error_page 404 /index.php?$query_string;
+
+    # 301 Redirect URLs with trailing /'s as per https://webmasters.googleblog.com/2010/04/to-slash-or-not-to-slash.html
+    rewrite ^/(.*)/$ /$1 permanent;
+
+    # Change // -> / for all URLs, so it works for our php location block, too
+    merge_slashes off;
+    rewrite (.*)//+(.*) $1/$2 permanent;
+
+    # Handle Do Not Track as per https://www.eff.org/dnt-policy
+    location /.well-known/dnt-policy.txt {
+        try_files /dnt-policy.txt /index.php?p=/dnt-policy.txt;
+    }
+
+    # For WordPress bots/users
+    location ~ ^/(wp-login|wp-admin|wp-config|wp-content|wp-includes|xmlrpc) {
+        return 301 https://wordpress.com/wp-login.php;
+    }
+
+    #Cache everything by default
+    fastcgi_cache_key "$scheme$request_method$host$request_uri";
+    add_header X-Cache-Status $upstream_cache_status;
+    set $no_cache 0;
+    if ($request_method = POST)
+    {
+        set $no_cache 1;
+    }
+    if ($request_uri ~* "/(admin/|cpresources/)")
+    {
+        set $no_cache 1;
+    }
+
+    # Access and error logging
+    access_log off;
+    error_log  /var/log/nginx/{{ SITE }}-error.log error;
+    # If you want error logging to go to SYSLOG (for services like Papertrailapp.com), uncomment the following:
+    #error_log syslog:server=unix:/dev/log,facility=local7,tag=nginx,severity=error;
+
+    # FORGE SSL (DO NOT REMOVE!)
+    ssl_certificate /etc/nginx/ssl/{{ SITE }}/XXXXXX/server.crt;
+    ssl_certificate_key /etc/nginx/ssl/{{ SITE }}/XXXXXX/server.key;
+
+    # SSL/TLS configuration, with TLSv1.0 disabled because it is insecure; note that IE 8, 9 & 10 support
+    # TLSv1.1, but it's not enabled by default clients using those browsers will not be able to connect
+    ssl_protocols TLSv1.2 TLSv1.1;
+    ssl_prefer_server_ciphers on;
+    ssl_dhparam /etc/nginx/dhparams.pem;
+    ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';
+    ssl_buffer_size 4k;
+    ssl_session_timeout 4h;
+    ssl_session_cache shared:SSL:40m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;
+
+    # FORGE CONFIG (DO NOT REMOVE!)
+    include forge-conf/{{ SITE }}/server/*;
+
+    # Load configuration files from nginx-partials
+    # For this to work, you must clone the repo into /home/forge via:
+    # git clone https://github.com/nystudio107/nginx-craft.git /home/forge
+    include /home/forge/nginx-craft/nginx-partials/*.conf;
+
+    # Root directory location handler
+    location / {
+        try_files $uri/index.html $uri $uri/ /index.php?$query_string;
+    }
+
+    # Localized sites, hat tip to Johannes -- https://gist.github.com/johanneslamers/f6d2bc0d7435dca130fc
+
+    # If you are creating a localized site as per: https://craftcms.com/docs/localization-guide
+    # the directives here will help you handle the locale redirection so that requests will
+    # be routed through the appropriate index.php wherein you set the `CRAFT_LOCALE`
+
+    # Enable this by un-commenting it, and changing the language codes as appropriate
+    # Add a new location @XXrewrites and location /XX/ block for each language that
+    # you need to support
+
+    #location @enrewrites {
+    #    rewrite ^/en/(.*)$ /en/index.php?$query_string? last;
+    #}
+    #
+    #location /en/ {
+    #    try_files $uri $uri/ @enrewrites;
+    #}
+
+    # Craft-specific location handlers to ensure AdminCP requests route through index.php
+    # If you change your `cpTrigger`, change it here as well
+    location ^~ /admin {
+        try_files $uri $uri/ @phpfpm_nocache;
+    }
+    location ^~ /index.php/admin {
+        try_files $uri $uri/ @phpfpm_nocache;
+    }
+    location ^~ /cpresources {
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+    location ^~ /actions {
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+
+    # php-fpm configuration
+    location ~ [^/]\.php(/|$) {
+        try_files $uri $uri/ /index.php?$query_string;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        # Change this to whatever version of php you are using
+        fastcgi_pass {{ PROXY_PASS }};
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+        fastcgi_param DOCUMENT_ROOT $realpath_root;
+        fastcgi_param HTTP_PROXY "";
+        fastcgi_param HTTP_HOST {{ SITE }};
+
+        # Don't allow browser caching of dynamically generated content
+        add_header Last-Modified $date_gmt;
+        add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
+        if_modified_since off;
+        expires off;
+        etag off;
+        # Load security.conf from nginx-partials again, because add_header used in this location
+        # block removes any already added headers https://nginx.org/en/docs/http/ngx_http_headers_module.html
+        include /home/forge/nginx-partials/security.conf;
+
+        # Use Dotenvy to generate the .env variables as per: https://github.com/nystudio107/dotenvy
+        # and then uncomment this line to include them:
+        # include /home/forge/SOMEDOMAIN/.env_nginx.txt
+
+        fastcgi_intercept_errors off;
+        fastcgi_buffer_size 16k;
+        fastcgi_buffers 4 16k;
+        fastcgi_connect_timeout 300;
+        fastcgi_send_timeout 300;
+        fastcgi_read_timeout 300;
+
+        # FastCGI Cache settings
+        fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+        fastcgi_cache {{ SITE }};
+        fastcgi_hide_header Set-Cookie;
+        fastcgi_cache_valid 200 1d;
+        fastcgi_cache_use_stale updating error timeout invalid_header http_500;
+        fastcgi_cache_bypass $no_cache;
+        fastcgi_no_cache $no_cache;
+    }
+
+    # php-fpm configuration for non-cached content
+    location @phpfpm_nocache {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        # Change this to whatever version of php you are using
+        fastcgi_pass {{ PROXY_PASS }};
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param PATH_INFO $query_string;
+        fastcgi_param SCRIPT_FILENAME $realpath_root/index.php;
+        fastcgi_param DOCUMENT_ROOT $realpath_root;
+        fastcgi_param HTTP_PROXY "";
+        fastcgi_param HTTP_HOST {{ SITE }};
+
+        # Don't allow browser caching of dynamically generated content
+        add_header X-Cache-Status $upstream_cache_status;
+        add_header Last-Modified $date_gmt;
+        add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
+        if_modified_since off;
+        expires off;
+        etag off;
+        # Load security.conf from nginx-partials again, because add_header used in this location
+        # block removes any already added headers https://nginx.org/en/docs/http/ngx_http_headers_module.html
+        include /home/forge/nginx-craft/nginx-partials/security.conf;
+
+        # Use Dotenvy to generate the .env variables as per: https://github.com/nystudio107/dotenvy
+        # and then uncomment this line to include them:
+        # include /home/forge/SOMEDOMAIN/.env_nginx.txt
+
+        fastcgi_intercept_errors off;
+        fastcgi_buffer_size 16k;
+        fastcgi_buffers 4 16k;
+        fastcgi_connect_timeout 300;
+        fastcgi_send_timeout 300;
+        fastcgi_read_timeout 300;
+
+        # No FastCGI Cache
+        fastcgi_cache_bypass 1;
+        fastcgi_no_cache 1;
+    }
+
+    location ~ /\.ht {
+        deny all;
+    }
+}
+
+# FORGE CONFIG (DO NOT REMOVE!)
+include forge-conf/{{ SITE }}/after/*;

nginx-partials/security.conf

@@ -5,6 +5,8 @@ add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-XSS-Protection "1; mode=block" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "no-referrer-when-downgrade" always;
+# Opt out of Google Federated Learning of Cohorts ("FLoC"). ref:(https://amifloced.org/)
+add_header Permissions-Policy "interest-cohort=()" always;
 
 # Add Content-Security-Policy HTTP response header. Helps reduce XSS risks on
 # modern browsers by declaring what dynamic resources are allowed to load via a