authorSilvino Silva <silvino@bk.ru>2020-03-11 01:12:03 +0000
committerSilvino Silva <silvino@bk.ru>2020-03-11 01:17:28 +0000
commit8a5897ad0a5e82d389c119001e3feaeaf2d0b1c3 (patch)
treed0254fa780a2a4b2911cc452f88a2f6db8a2595d
parent24fa6cfc200a16a0d81ff4c7af96853db4028650 (diff)
downloaddoc-8a5897ad0a5e82d389c119001e3feaeaf2d0b1c3.tar.gz
nginx configuration update
-rw-r--r--tools/conf/etc/nginx/sites-enabled/default.conf51
-rw-r--r--tools/conf/etc/nginx/sites-enabled/email.conf (renamed from tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf)26
-rw-r--r--tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf26
-rw-r--r--tools/conf/etc/nginx/sites-enabled/forum.conf39
-rw-r--r--tools/conf/etc/nginx/sites-enabled/frontpage.conf40
-rw-r--r--tools/conf/etc/nginx/sites-enabled/git.conf (renamed from tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf)14
-rw-r--r--tools/conf/etc/nginx/sites-enabled/vexim.conf39
-rw-r--r--tools/conf/etc/nginx/sites-enabled/wiki.conf (renamed from tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf)10
-rw-r--r--tools/nginx.html137
9 files changed, 237 insertions, 145 deletions
diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf
index 1bb8afd..4bf7fa7 100644
--- a/tools/conf/etc/nginx/sites-enabled/default.conf
+++ b/tools/conf/etc/nginx/sites-enabled/default.conf
@@ -7,8 +7,8 @@ server {
     server_name tribu.semdestino.org;
 
     listen 80 default_server;
-    listen 443 ssl default_server;
-#  listen [::]:443 ssl http2;
+   listen 443 ssl default_server;
+#   listen [::]:443 ssl http2;
 
     access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main;
     error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug;
@@ -29,6 +29,7 @@ server {
     ssl_stapling on;
     ssl_stapling_verify on;
 
+
 #proxy_redirect off;
 #proxy_set_header Host $http_host;
 #proxy_set_header X-Forwarded-Host $http_host;
@@ -43,53 +44,53 @@ server {
     }
 
    location /mirror {
-       proxy_pass http://c1.ank;
+       proxy_pass http://ports.ank;
    }
 
    location /pub {
-       proxy_pass http://wiki.c2.ank:8080;
+       proxy_pass http://wiki.server.ank:8080;
    }
    location ^~ /.well-known {
        # ACME challenge
-       proxy_pass http://wiki.c2.ank;
+       proxy_pass http://wiki.server.ank;
    }
    location /wiki {
-        proxy_pass http://wiki.c2.ank:8080;
+        proxy_pass http://wiki.server.ank:8080;
    }
 
    location /git {
-       proxy_pass http://git.c2.ank:8080;
+       proxy_pass http://git.server.ank:8080;
    }
 
    location /forum/ {
-        proxy_pass http://forum.c2.ank:8080/;
+        proxy_pass http://forum.server.ank:8080/;
    }
 
-   #location /task {
-   #    proxy_pass http://task.c2.ank:8080;
-   #}
+   location /task {
+       proxy_pass http://task.server.ank:8080;
+   }
 
-   # location /shop {
-   #     proxy_pass http://shop.c2.ank:8080;
-   # }
+   location /shop {
+        proxy_pass http://shop.server.ank:8080;
+   }
 
    location /vexim/ {
-       proxy_pass http://vexim.c2.ank:8080/;
+       proxy_pass http://vexim.server.ank:8080/;
    }
 
-   # location /email {
-   #     proxy_pass http://email.c2.ank:8080;
-   # }
+   location /email {
+       proxy_pass http://email.server.ank:8080;
+   }
 
-   # location /awstats {
-   #     proxy_pass http://awstats.c2.ank:8080;
-   # }
+   location /awstats {
+       proxy_pass http://awstats.server.ank:8080;
+   }
 
-   # location /stats {
-   #     proxy_pass http://stats.c2.ank:8080;
-   # }
+   location /stats {
+       proxy_pass http://stats.server.ank:8080;
+   }
 
    location / {
-        proxy_pass http://frontpage.c2.ank:8080/;
+        proxy_pass http://frontpage.server.ank:8080/;
     }
 }
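Review bot: The newly uncommented `location /awstats` and `location /stats` blocks publish statistics backends through the public default server with no `allow`/`deny` or `auth_basic` in front of them. `location /email` also becomes reachable on `listen 80` as well as 443, so unless a redirect exists outside the visible hunks, webmail logins are not forced onto TLS. I would restrict the two statistics locations, for example with `auth_basic "stats";` plus an `auth_basic_user_file`, and redirect port 80 to HTTPS for the authenticated applications. The commit adds no vhost files for task, shop, awstats or stats, so those requests presumably land on whichever server block is the default on port 8080; worth confirming that is intended. The `server` block starts outside this hunk.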
diff --git a/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/email.conf
index 3ae544c..5b34d7c 100644
--- a/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf
+++ b/tools/conf/etc/nginx/sites-enabled/email.conf
@@ -1,13 +1,9 @@
 server {
     listen 8080;
-    server_name email.c2.ank;
-
-#access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main;
-#error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug;
-#access_log /var/log/nginx/roundcube_access.log;
-#error_log /var/log/nginx/roundcube_error.log;
-
+    server_name email.server.ank;
 
+    access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_email,nohostname main;
+    error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_email_err,nohostname debug;
 
     location /email {
         alias /srv/www/email;
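Review bot: The added `error_log ... debug;` line sets the most verbose level on the webmail vhost. On an nginx binary built with debug support, that level writes request headers, which can include session cookies, into syslog. `warn` or `error` is the usual production level, e.g. `error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_email_err,nohostname warn;`. The same `debug` level is enabled in forum.conf, frontpage.conf, git.conf, vexim.conf and wiki.conf in this commit. The `location /email` block continues outside the hunk.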
@@ -15,34 +11,40 @@ server {
         autoindex off;
     }
 
-# Favicon
+    # Favicon
     location ~ ^/email/favicon.ico$ {
         root /srv/www/email/skins/classic/images;
         log_not_found off;
         access_log off;
         expires max;
     }
-# Robots file
+
+    # Robots file
     location ~ ^/email/robots.txt {
         allow all;
         log_not_found off;
         access_log off;
     }
-# Deny Protected directories
+
+    # Deny Protected directories
     location ~ ^/email/(config|temp|logs)/ {
         deny all;
     }
+
     location ~ ^/email/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
         deny all;
     }
+
     location ~ ^/email/(bin|SQL)/ {
         deny all;
     }
-# Hide .md files
+
+    # Hide .md files
     location ~ ^/email/(.+\.md)$ {
         deny all;
     }
-# Hide all dot files
+
+    # Hide all dot files
     location ~ ^/email/\. {
         deny all;
         access_log off;
diff --git a/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf
deleted file mode 100644
index 2ed362a..0000000
--- a/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-server {
-    listen 8080;
-    server_name forum.c2.ank;
-
-    #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum,nohostname main;
-    #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum_err,nohostname debug;
-
-    root /srv/www/;
-
-    location /forum {
-        index index.php;
-        alias /srv/www/forum;
-        try_files $uri $uri/ index.php$is_args$args;
-    }
-
-    location ~  ^/forum(.+\.php)$ { ### This location block was the solution
-        alias /srv/www/forum;
-        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        fastcgi_index index.php;
-        try_files $uri /index.php =404;
-        include /etc/nginx/fastcgi_params;
-        fastcgi_param SCRIPT_FILENAME $document_root$1;
-# fastcgi_pass unix:/var/run/php5-fpm.sock;
-        fastcgi_pass 127.0.0.1:9000;
-    }
-}
diff --git a/tools/conf/etc/nginx/sites-enabled/forum.conf b/tools/conf/etc/nginx/sites-enabled/forum.conf
new file mode 100644
index 0000000..14350e3
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/forum.conf
@@ -0,0 +1,39 @@
+server {
+    listen 8080;
+    server_name forum.server.ank;
+
+    access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum,nohostname main;
+    error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum_err,nohostname debug;
+
+    root /srv/www/forum;
+
+    location / {
+        index index.php;
+        try_files $uri $uri/ index.php$is_args$args;
+    }
+
+    location ~ [^/]\.php(/|$) {
+
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        if (!-f $document_root$fastcgi_script_name) {
+            return 404;
+        }
+
+        # Mitigate https://httpoxy.org/ vulnerabilities
+        fastcgi_param HTTP_PROXY "";
+
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
+
+        # include the fastcgi_param setting
+        include fastcgi_params;
+
+        # SCRIPT_FILENAME parameter is used for PHP FPM determining
+        #  the script name. If it is not set in fastcgi_params file,
+        # i.e. /etc/nginx/fastcgi_params or in the parent contexts,
+        # please comment off following line
+        fastcgi_param REQUEST_METHOD $request_method;
+        fastcgi_param  SCRIPT_FILENAME   $document_root$fastcgi_script_name;
+    }
+
+}
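Review bot: In `location /`, the last `try_files` argument is the internal-redirect target, and it is written as `index.php$is_args$args` without a leading slash. A request for a missing path is therefore unlikely to reach the front controller and is likely to end in an internal redirection error instead. It should read `try_files $uri $uri/ /index.php$is_args$args;`. frontpage.conf carries the same fallback, and there the middle `index.html` argument is resolved against `root /srv/www/frontpage` with no separator, so it probably never matches either.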
diff --git a/tools/conf/etc/nginx/sites-enabled/frontpage.conf b/tools/conf/etc/nginx/sites-enabled/frontpage.conf
new file mode 100644
index 0000000..7f7e66a
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/frontpage.conf
@@ -0,0 +1,40 @@
+server {
+    listen 8080;
+    server_name frontpage.server.ank;
+
+    #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_frontpage,nohostname main;
+    error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_frontpage_err,nohostname debug;
+
+    root /srv/www/frontpage;
+
+    index index.html index.php;
+
+    location / {
+        index index.html;
+        try_files $uri $uri/ index.html index.php$is_args$args;
+    }
+
+    location ~ [^/]\.php(/|$) {
+
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        if (!-f $document_root$fastcgi_script_name) {
+            return 404;
+        }
+
+        # Mitigate https://httpoxy.org/ vulnerabilities
+        fastcgi_param HTTP_PROXY "";
+
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
+
+        # include the fastcgi_param setting
+        include fastcgi_params;
+
+        # SCRIPT_FILENAME parameter is used for PHP FPM determining
+        #  the script name. If it is not set in fastcgi_params file,
+        # i.e. /etc/nginx/fastcgi_params or in the parent contexts,
+        # please comment off following line
+        fastcgi_param REQUEST_METHOD $request_method;
+        fastcgi_param  SCRIPT_FILENAME   $document_root$fastcgi_script_name;
+    }
+}
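Review bot: The comment block ending in "please comment off following line" is about `SCRIPT_FILENAME`, but the line directly after it is `fastcgi_param REQUEST_METHOD $request_method;`, so a reader following the instruction would disable the wrong directive. Moving the `REQUEST_METHOD` line above the comment and rewording it to something like `# Comment out the SCRIPT_FILENAME line below if fastcgi_params already sets it` would make the intent unambiguous. As written, the sentence also reads as if the line should be removed when the parameter is not set, which is presumably the opposite of what is meant. The same block is copied into forum.conf and vexim.conf.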
diff --git a/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/git.conf
index 56e6412..f9d2d97 100644
--- a/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf
+++ b/tools/conf/etc/nginx/sites-enabled/git.conf
@@ -1,22 +1,18 @@
 server {
     listen 8080;
-    server_name git.c2.ank;
+    server_name git.server.ank;
 
-    #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main;
-    #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug;
+    access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main;
+    error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug;
 
-    #access_log /var/log/nginx/git main;
-    #error_log /var/log/nginx/git_error debug;
-
-    root /srv/www/;
+    root /srv/www/gitweb;
 
     location /git/static {
         # static files (png/css) served from /usr/share/gitweb/static
         alias /srv/www/gitweb/static;
     }
 
-    location /git {
-        alias /srv/www/gitweb;
+    location / {
         index gitweb.cgi;
         fastcgi_split_path_info      ^/git()(/?.+)$;
         fastcgi_param GITWEB_CONFIG  /etc/gitweb.conf;
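Review bot: `location /` now hands every path on this vhost to gitweb.cgi, while the unchanged `fastcgi_split_path_info ^/git()(/?.+)$;` still only matches URIs that begin with `/git`. That appears to rely on the front proxy in default.conf forwarding the `/git` prefix unchanged, which nothing in this file states. A comment such as `# expects URIs under /git, as forwarded by default.conf; other paths get no PATH_INFO` above the directive would document the dependency. The location body continues outside the hunk, so the remaining fastcgi settings are not visible here.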
diff --git a/tools/conf/etc/nginx/sites-enabled/vexim.conf b/tools/conf/etc/nginx/sites-enabled/vexim.conf
new file mode 100644
index 0000000..d113cdc
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/vexim.conf
@@ -0,0 +1,39 @@
+server {
+    listen 8080;
+    server_name vexim.server.ank;
+
+    access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vexim,nohostname main;
+    error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vexim_err,nohostname debug;
+
+    root /srv/www/vexim;
+
+    location / {
+        index index.php;
+        autoindex off;
+    }
+
+    location ~ [^/]\.php(/|$) {
+
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        if (!-f $document_root$fastcgi_script_name) {
+            return 404;
+        }
+
+        # Mitigate https://httpoxy.org/ vulnerabilities
+        fastcgi_param HTTP_PROXY "";
+
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
+
+        # include the fastcgi_param setting
+        include fastcgi_params;
+
+        # SCRIPT_FILENAME parameter is used for PHP FPM determining
+        #  the script name. If it is not set in fastcgi_params file,
+        # i.e. /etc/nginx/fastcgi_params or in the parent contexts,
+        # please comment off following line
+        fastcgi_param REQUEST_METHOD $request_method;
+        fastcgi_param  SCRIPT_FILENAME   $document_root$fastcgi_script_name;
+    }
+
+}
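Review bot: This vhost serves everything under `/srv/www/vexim` that is not a `.php` file as a static file, and unlike email.conf it has no rule denying dotfiles or other non-public files. If the application tree contains such files (not visible from this page), a block like `location ~ /\. { deny all; }` inside the `server` would keep them from being fetched through `/vexim/`. A `try_files $uri $uri/ =404;` in `location /` would also make the static-file behaviour explicit.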
diff --git a/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/wiki.conf
index 1504fa1..1e3b4d1 100644
--- a/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf
+++ b/tools/conf/etc/nginx/sites-enabled/wiki.conf
@@ -1,12 +1,9 @@
 server {
     listen 8080;
-    server_name wiki.c2.ank;
+    server_name wiki.server.ank;
 
-    #access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main;
-    #error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug;
-
-    #access_log /var/log/nginx/wiki main;
-    #error_log /var/log/nginx/wiki_error debug;
+    access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main;
+    error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug;
 
     root /srv/www/;
 
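Review bot: The now-active `access_log` and `error_log` lines keep `tag=vh_tribu` and `tag=vh_tribu_err`, while the other vhosts in this commit tag their syslog entries `nginx_<service>`. That makes wiki traffic harder to pick out when filtering or alerting on the logs. I would use `tag=nginx_wiki` and `tag=nginx_wiki_err` here. The `server` block continues outside the hunk.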
@@ -37,7 +34,6 @@ server {
         try_files $uri /pmwiki.php =404;
         include /etc/nginx/fastcgi_params;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-# fastcgi_pass unix:/var/run/php5-fpm.sock;
         fastcgi_pass 127.0.0.1:9000;
     }
 }
diff --git a/tools/nginx.html b/tools/nginx.html
index 21abb90..937be15 100644
--- a/tools/nginx.html
+++ b/tools/nginx.html
@@ -273,10 +273,18 @@
 
         <pre>
         server {
-            listen 80 default_server;
+        #if ($http_user_agent ~* (AhrefsBot|SemrushBot|MJ12Bot|DotBot)) {
+        #     return 410;
+        #}
             server_name tribu.semdestino.org;
-
+            listen 80 default_server;
             listen 443 ssl default_server;
+
+            access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main;
+            error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug;
+
+            root /etc/nginx/html/;
+
             ssl_certificate /etc/letsencrypt/live/tribu.semdestino.org/fullchain.pem;
             ssl_certificate_key /etc/letsencrypt/live/tribu.semdestino.org/privkey.pem;
             ssl_trusted_certificate /etc/letsencrypt/live/tribu.semdestino.org/chain.pem;
@@ -291,55 +299,67 @@
             ssl_stapling on;
             ssl_stapling_verify on;
 
-            access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main;
-            error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug;
-
-            root /etc/html/;
-
-            location /doc {
-                alias /srv/www/doc;
-                index index.html;
-            }
-
-            location /pub {
-                proxy_pass http://wiki.c2.ank:8080;
-            }
-
-            location /wiki {
-                proxy_pass http://wiki.c2.ank:8080;
-            }
-
-            location /git {
-                proxy_pass http://git.c2.ank:8080;
-            }
-
-            location /forum {
-                proxy_pass http://forum.c2.ank:8080;
-            }
-
-            location /task {
-                proxy_pass http://task.c2.ank:8080;
-            }
-
-            location /shop {
-                proxy_pass http://shop.c2.ank:8080;
-            }
+            #proxy_redirect off;
+            #proxy_set_header Host $http_host;
+            #proxy_set_header X-Forwarded-Host $http_host;
+            #proxy_set_header X-Real-IP $remote_addr;
+            #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
-            location /email {
-                proxy_pass http://email.c2.ank:8080;
+           location /doc {
+               alias /srv/www/doc;
+               index index.html;
+                autoindex on;
             }
 
-            location /mirror {
-                proxy_pass http://c1.ank;
-            }
-
-            # ACME challenge
-            location ^~ /.well-known {
-                proxy_pass http://wiki.c2.ank;
-            }
-
-            location / {
-                proxy_pass http://frontpage.c2.ank;
+           location /mirror {
+               proxy_pass http://ports.ank;
+           }
+
+           location /pub {
+               proxy_pass http://wiki.server.ank:8080;
+           }
+           location ^~ /.well-known {
+               # ACME challenge
+               proxy_pass http://wiki.server.ank;
+           }
+           location /wiki {
+                proxy_pass http://wiki.server.ank:8080;
+           }
+
+           location /git {
+               proxy_pass http://git.server.ank:8080;
+           }
+
+           location /forum/ {
+                proxy_pass http://forum.server.ank:8080/;
+           }
+
+           location /task {
+               proxy_pass http://task.server.ank:8080;
+           }
+
+           location /shop {
+                proxy_pass http://shop.server.ank:8080;
+           }
+
+           location /vexim/ {
+               proxy_pass http://vexim.server.ank:8080/;
+           }
+
+           location /email {
+               proxy_pass http://email.server.ank:8080;
+           }
+
+           location /awstats {
+               proxy_pass http://awstats.server.ank:8080;
+           }
+
+           location /stats {
+               proxy_pass http://stats.server.ank:8080;
+           }
+
+           location / {
+                proxy_pass http://frontpage.server.ank:8080/;
             }
         }
         </pre>
@@ -357,17 +377,16 @@
         <pre>
         server {
             listen 8080;
-            server_name wiki.c2.ank;
+            server_name wiki.server.ank;
 
-            access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_wiki,nohostname main;
-            error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_wiki_err,nohostname debug;
+            access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main;
+            error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug;
 
             root /srv/www/;
 
             location /pub {
                 alias /srv/www/wiki/pub;
             }
-
             # ACME challenge
             location ^~ /.well-known {
                 allow all;
@@ -397,20 +416,6 @@
         }
         </pre>
 
-        <p>Change /srv/www/default/flyspray/index.php to;</p>
-
-        <pre>
-        &lt?php
-        /*
-           This is the main script that everything else is included
-           in.  Mostly what it does is check the user permissions
-           to see what they have access to.
-        */
-        define('IN_FS', true);
-        $_SERVER['SCRIPT_NAME'] = "/bug/index.php";
-        require_once(dirname(__FILE__).'/header.php');
-        </pre>
-
         <h2 id="userdir">5. User Directory</h2>
 
         <p><a href="http://wiki.nginx.org/UserDir">Nginx Wiki UserDir</a></p>