-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathsample_virtualhost_config_template.conf
More file actions
217 lines (170 loc) · 8.96 KB
/
sample_virtualhost_config_template.conf
File metadata and controls
217 lines (170 loc) · 8.96 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
#============================
# Sample NGINX server config
#============================
#
# Sample for servers(vhosts) NGINX config, that includes common performance and security optimization directives.
#
#Copyright (c) 2013 Nikita Solovyev
#All rights reserved.
#
#Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
#
#1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
#
#2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer
#in the documentation and/or other materials provided with the distribution.
#
#3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived
#from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
#BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
#THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
#HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
#ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
server {
#Permanent redirect 301 (SEO recommended) from different names
#A special wildcard name in the form “.example.org” can be used
#to match both the exact name “example.org” and the wildcard name “*.example.org”.
#This block applies to connections on port 80 common HTTP
listen 80;
#with Host request header matching the following patterns
server_name *.example.com .example.org .example.net;
#Where to write request log and error log
access_log /var/log/nginx/example.com.typos.access.log;
error_log /var/log/nginx/example.com.typos.error.log notice;
#Rertun 301 redirect to example.com with the same http/https scheme and request URI
return 301 $scheme://example.com$request_uri;
}
server {
#Main server(vhost) block
#This block applies to connections on port 80 common HTTP
listen 80;
#and also applies to connections on port 443 common HTTPS
listen 443 ssl;
#with Host request header matching the following pattern
server_name example.com;
#SSL key and certificate to use for HTTPS connection
#make sure the files are readable by NGINX user and don't require the password
#a good idea is to add CA certificate chain after server certificate to .crt file,
#this helps to identify the certificate as trusted for some browsers
ssl_certificate /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;
#SSL session cache timeout - time to keep parameters in cache for reuse
ssl_session_timeout 5m;
#Sets allowed encryption methods in OpenSSL format, prepending the cipher name with '!' disallows its use
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
#Prefer server ciphers to ciphers proposed by client when establishing SSL connection
#this helps to prevent the use of weak ciphers that might be proposed by the client during session negotiation step
ssl_prefer_server_ciphers on;
#Files to search in each location and serve by defautl the first matched with prior matching to other location blocks with new pattern including this file
index index.php index.html index.htm;
#Base root folder to search for files matching URI
root /var/www/example.com/public;
#Where to write request log and error log
access_log /var/log/nginx/example.com.access.log;
error_log /var/log/nginx/example.com.error.log notice;
#Add specified charset to Content-Type response header
#charset utf8;
#Apply connection limiting zone defined in http block of nginx.conf, here: limit 20 active requests per single IP address
limit_conn limitzone 20;
#Allow only safe HTTP methods, for others return 403 "Forbidden" error
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 403;
}
#Deny access to all files starting with dot(Apache files, i.e. .htaccess)
location ~ /\. {
#Deny access to everyone for files matching the above pattern
deny all;
access_log off;
log_not_found off;
}
#Directory with user uploads should not allow .php files, therefore on access attempt return 403 "Forbidden" error
location /uploads {
location ~ \.php$ {return 403;}
}
#Specify adresses that are not allowed to access your server in deny directives (i.e. prevent competitors from parsing your site)
#deny 192.168.1.1/24;
#deny 192.168.2.1/24;
#'allow all' is required to allow connections to IPs not matching 'deny' directive
#allow all;
#Special static files
#Disable logging for the following static files to save log storage space and improve overal performance due to less disk access operations
location ~ ^/favicon.ico$ {
#Folder to search for RoundCube favicon
root /var/www/mail.example.com/public/web/skins/default/images;
log_not_found off;
access_log off;
#Add "Expires" and "Cache-Control" headers for static files to lower the number of future clien requests, here static files cache on client side is set to be stored for 30 days
expires 30d;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
#Prevents "hotlinking" of stored images, use with care
location /images/ {
#for files in /images/ allow access only if Referer header corresponds to current server
valid_referers none blocked example.com;
#For invalid referers per previous settings return error 403 "Forbidden"
#this way if the link to the image is specified on another site, the image won't be served as Referer header will be set to other site's name
if ($invalid_referer) {
return 403;
}
}
#Other static files
location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|txt)$ {
#Allow checking for existing pre-compressed static files before compression
#Other gzip settings from http block in nginx.conf are taken in account
gzip_static on;
access_log off;
#Add "Expires" and "Cache-Control" headers for static files to lower the number of future clien requests,
#here static files cache is set to be 'max', actually finite but more than 10 years
expires max;
}
#Custom error pages configuration
#Specifies what file to send in responses with corresponding error codes
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
#Specifies where to search for custom error page files
location = /404.html {
root /var/www/example.com/errorpages;
}
location = /50x.html {
root /var/www/example.com/errorpages;
}
#Main location block
location / {
#Common way to rewrite request URI for sites with front controller script
#Depending on software used changing "$uri&$args" to "$request_uri" might help
#Try to find a file requested by URI, if it is not found rewrite the requested URI as the last argument and try to match through all location blocks again
try_files $uri $uri/ /index.php?q=$uri&$args;
#Additional limitation to 10 simultanious active connections per IP
limit_conn limitzone 10;
}
#Common block for proxying to FastCGI server
#Serve PHP scripts via PHP-FPM FastCGI
#Any files ending in .php will be served via FastCGI
location ~ \.php$ {
#Additional limitation to 10 simultanious active connections per IP
#limit_conn limitzone 10;
#Try to find requested *.php file and use it for FastCGI request or return 404 "Not Found" error if it doesn't exist
#this prevents serious security flaw in some FastCGI servers
try_files $uri =404;
#Address of FastCGI server, use UNIX socket for better performance if both NGINX and FastCGI server run on same machine
fastcgi_pass unix:/var/run/php-fpm/example.com.socket;
#Default filename to append to SCRIPT_FILENAME if the request ends with a slash
fastcgi_index index.php;
#Defines format for SCRIPT_FILENAME to be passed to FastCGI server, here it will be the specified in the beginning 'root' folder + the *.php script name from request
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#Include other mapping of NGINX set environment variables to FastCGI variable
include /etc/nginx/fastcgi_params;
#Might be required if PHP was built with --enable-force-cgi-redirect
#fastcgi_param REDIRECT_STATUS 200;
#Time to wait between two successive reads from FastCGI server, default is 60s, uncomment this and modify the value if long running scripts are used
#Note that long running scripts will keep connection open in this case and this decreases overal performance
#fastcgi_read_timeout 360s;
}
}