diff options
Diffstat (limited to 'linux/conf/nginx/sites-enabled')
| -rw-r--r-- | linux/conf/nginx/sites-enabled/default.conf | 96 | ||||
| -rw-r--r-- | linux/conf/nginx/sites-enabled/email.conf | 63 | ||||
| -rw-r--r-- | linux/conf/nginx/sites-enabled/forum.conf | 39 | ||||
| -rw-r--r-- | linux/conf/nginx/sites-enabled/frontpage.conf | 40 | ||||
| -rw-r--r-- | linux/conf/nginx/sites-enabled/git.conf | 24 | ||||
| -rw-r--r-- | linux/conf/nginx/sites-enabled/ports.conf | 55 | ||||
| -rw-r--r-- | linux/conf/nginx/sites-enabled/shop.conf | 86 | ||||
| -rw-r--r-- | linux/conf/nginx/sites-enabled/task.conf | 21 | ||||
| -rw-r--r-- | linux/conf/nginx/sites-enabled/vexim.conf | 39 | ||||
| -rw-r--r-- | linux/conf/nginx/sites-enabled/wiki.conf | 39 |
10 files changed, 502 insertions, 0 deletions
diff --git a/linux/conf/nginx/sites-enabled/default.conf b/linux/conf/nginx/sites-enabled/default.conf new file mode 100644 index 0000000..f7a6928 --- /dev/null +++ b/linux/conf/nginx/sites-enabled/default.conf @@ -0,0 +1,96 @@ +server { +#if ($http_user_agent ~* (AhrefsBot|SemrushBot|MJ12Bot|DotBot)) { +# return 410; +#} + +##listen 443 ssl http2; + server_name tribu.semdestino.org; + + listen 80 default_server; + listen 443 ssl default_server; +# listen [::]:443 ssl http2; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug; + + root /etc/nginx/html/; + + ssl_certificate /etc/letsencrypt/live/tribu.semdestino.org/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tribu.semdestino.org/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/tribu.semdestino.org/chain.pem; + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + add_header Strict-Transport-Security max-age=15768000; + ssl_stapling on; + ssl_stapling_verify on; + + +#proxy_redirect off; +#proxy_set_header Host $http_host; +proxy_set_header X-Forwarded-Host $http_host; +#proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + + location /doc { + alias /srv/www/doc; + index index.html; + autoindex on; + } + + location /mirror { + proxy_pass http://ports.ank; + } + + location /pub { + proxy_pass http://wiki.server.ank:8080; + } + location ^~ /.well-known { + # ACME challenge + proxy_pass http://wiki.server.ank; + } + location /wiki { + proxy_pass http://wiki.server.ank:8080; + } + + location /git { + proxy_pass http://git.server.ank:8080; + } + + location /forum/ { + proxy_pass http://forum.server.ank:8080/; + } + + location /task { + proxy_pass http://task.server.ank:8080; + } + + location /shop { + proxy_pass http://shop.server.ank:8080; + } + + location /vexim/ { + proxy_pass http://vexim.server.ank:8080/; + } + + location /email { + proxy_pass http://email.server.ank:8080; + } + + location /awstats { + proxy_pass http://awstats.server.ank:8080; + } + + location /stats { + proxy_pass http://stats.server.ank:8080; + } + + location / { + proxy_pass http://frontpage.server.ank:8080/; + } +} diff --git a/linux/conf/nginx/sites-enabled/email.conf b/linux/conf/nginx/sites-enabled/email.conf new file mode 100644 index 0000000..5b34d7c --- /dev/null +++ b/linux/conf/nginx/sites-enabled/email.conf @@ -0,0 +1,63 @@ +server { + listen 8080; + server_name email.server.ank; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_email,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_email_err,nohostname debug; + + location /email { + alias /srv/www/email; + index index.php; + autoindex off; + } + + # Favicon + location ~ ^/email/favicon.ico$ { + root /srv/www/email/skins/classic/images; + log_not_found off; + access_log off; + expires max; + } + + # Robots file + location ~ ^/email/robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # Deny Protected directories + location ~ ^/email/(config|temp|logs)/ { + deny all; + } + + location ~ ^/email/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ { + deny all; + } + + location ~ ^/email/(bin|SQL)/ { + deny all; + } + + # Hide .md files + location ~ ^/email/(.+\.md)$ { + deny all; + } + + # Hide all dot files + location ~ ^/email/\. { + deny all; + access_log off; + log_not_found off; + } + + location ~ /email/.*\.php { + alias /srv/www/email; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + try_files $uri /index.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass 127.0.0.1:9000; + } +} diff --git a/linux/conf/nginx/sites-enabled/forum.conf b/linux/conf/nginx/sites-enabled/forum.conf new file mode 100644 index 0000000..14350e3 --- /dev/null +++ b/linux/conf/nginx/sites-enabled/forum.conf @@ -0,0 +1,39 @@ +server { + listen 8080; + server_name forum.server.ank; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum_err,nohostname debug; + + root /srv/www/forum; + + location / { + index index.php; + try_files $uri $uri/ index.php$is_args$args; + } + + location ~ [^/]\.php(/|$) { + + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + # Mitigate https://httpoxy.org/ vulnerabilities + fastcgi_param HTTP_PROXY ""; + + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + + # include the fastcgi_param setting + include fastcgi_params; + + # SCRIPT_FILENAME parameter is used for PHP FPM determining + # the script name. If it is not set in fastcgi_params file, + # i.e. /etc/nginx/fastcgi_params or in the parent contexts, + # please comment off following line + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } + +} diff --git a/linux/conf/nginx/sites-enabled/frontpage.conf b/linux/conf/nginx/sites-enabled/frontpage.conf new file mode 100644 index 0000000..7f7e66a --- /dev/null +++ b/linux/conf/nginx/sites-enabled/frontpage.conf @@ -0,0 +1,40 @@ +server { + listen 8080; + server_name frontpage.server.ank; + + #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_frontpage,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_frontpage_err,nohostname debug; + + root /srv/www/frontpage; + + index index.html index.php; + + location / { + index index.html; + try_files $uri $uri/ index.html index.php$is_args$args; + } + + location ~ [^/]\.php(/|$) { + + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + # Mitigate https://httpoxy.org/ vulnerabilities + fastcgi_param HTTP_PROXY ""; + + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + + # include the fastcgi_param setting + include fastcgi_params; + + # SCRIPT_FILENAME parameter is used for PHP FPM determining + # the script name. If it is not set in fastcgi_params file, + # i.e. /etc/nginx/fastcgi_params or in the parent contexts, + # please comment off following line + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } +} diff --git a/linux/conf/nginx/sites-enabled/git.conf b/linux/conf/nginx/sites-enabled/git.conf new file mode 100644 index 0000000..f9d2d97 --- /dev/null +++ b/linux/conf/nginx/sites-enabled/git.conf @@ -0,0 +1,24 @@ +server { + listen 8080; + server_name git.server.ank; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug; + + root /srv/www/gitweb; + + location /git/static { + # static files (png/css) served from /usr/share/gitweb/static + alias /srv/www/gitweb/static; + } + + location / { + index gitweb.cgi; + fastcgi_split_path_info ^/git()(/?.+)$; + fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; + fastcgi_param DOCUMENT_ROOT /srv/www/gitweb; + fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; + include fastcgi_params; + fastcgi_pass unix:/var/run/fcgiwrap.sock; + } +} diff --git a/linux/conf/nginx/sites-enabled/ports.conf b/linux/conf/nginx/sites-enabled/ports.conf new file mode 100644 index 0000000..829d710 --- /dev/null +++ b/linux/conf/nginx/sites-enabled/ports.conf @@ -0,0 +1,55 @@ +server { + listen 80; + server_name localhost ports.ank default_host; + + access_log /var/log/nginx/ports_access.log; + error_log /var/log/nginx/ports_error.log; + + location /mirror/archive { + autoindex on; + alias /usr/ports/archive; + } + + location /mirror/packages { + autoindex on; + alias /usr/ports/packages; + } + + location /mirror/distfiles { + autoindex on; + alias /usr/ports/distfiles; + } + + location /mirror/bugs { + autoindex on; + alias /usr/ports/pkgbuild; + types { + text/plain log; + } + } + + location /mirror/installed { + autoindex on; + alias /usr/ports/installed; + default_type text/plain; + } + + location /mirror/releases { + autoindex on; + alias /usr/ports/releases; + } + + location /mirror/ { + return 301 https://tribu.semdestino.org/wiki/Main/Mirror; + } + + error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root html; + } +} + diff --git a/linux/conf/nginx/sites-enabled/shop.conf b/linux/conf/nginx/sites-enabled/shop.conf new file mode 100644 index 0000000..de34e40 --- /dev/null +++ b/linux/conf/nginx/sites-enabled/shop.conf @@ -0,0 +1,86 @@ +server { + listen 8080; + server_name shop.server.ank; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_shop,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_shop_err,nohostname debug; + + location ~ ^/shop/admin { + alias /srv/www/shop/upload/admin; + index index.php; + + location ~ ^/shop/admin/config.php { + deny all; + } + + location ~ \.php$ { + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $request_filename$1; + fastcgi_pass 127.0.0.1:9000; + } + } + + location ^~ /shop { + alias /srv/www/shop/upload; + index index.php; + #try_files $uri $uri/ index.php$is_args$args; + #try_files index.php @opencart; + + location ~ ^/shop/upload/image/data { + autoindex on; + } + + location ~ ^/shop/config.php { + deny all; + } + + + location ~ ^/shop/admin/config.php { + deny all; + } + +# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). +# + location ~ ^/shop/\. { + deny all; + access_log off; + log_not_found off; + } + location ~ ^/shop/\.(jpg|jpeg|png|gif|css|js|ico)$ { + expires max; + log_not_found off; + } + + location ~ \.php$ { + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $request_filename$1; + fastcgi_pass 127.0.0.1:9000; + #fastcgi_split_path_info ^(.+\.php)(/.+)$; + #fastcgi_split_path_info ^(.+\.php)(.*)$; + #fastcgi_index index.php; + #try_files $uri /index.php =404; + # fastcgi_pass unix:/var/run/php5-fpm.sock; + } + + } + + + location @tribushop { + rewrite ^/shop/(.+)$ /shop/index.php?_route_=$1 last; + } + + location /shop/engine { + deny all; + } + + location ~ ^/shop/library { + deny all; + } + + # Make sure files with the following extensions do not + # get loaded by nginx because nginx would display the + # source code, and these files can contain PASSWORDS! + location ~ ^/shop/\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|.*ini|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ { + deny all; + } +} diff --git a/linux/conf/nginx/sites-enabled/task.conf b/linux/conf/nginx/sites-enabled/task.conf new file mode 100644 index 0000000..8b15ee5 --- /dev/null +++ b/linux/conf/nginx/sites-enabled/task.conf @@ -0,0 +1,21 @@ +server { + listen 8080; + server_name task.server.ank; + + location /task { + index index.php; + alias /srv/www/task; + try_files $uri $uri/ index.php$is_args$args; + } + + location ~ ^/task(.+\.php)$ { ### This location block was the solution + alias /srv/www/task; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + try_files $uri /index.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$1; +# fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass 127.0.0.1:9000; + } +} diff --git a/linux/conf/nginx/sites-enabled/vexim.conf b/linux/conf/nginx/sites-enabled/vexim.conf new file mode 100644 index 0000000..d113cdc --- /dev/null +++ b/linux/conf/nginx/sites-enabled/vexim.conf @@ -0,0 +1,39 @@ +server { + listen 8080; + server_name vexim.server.ank; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vexim,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vexim_err,nohostname debug; + + root /srv/www/vexim; + + location / { + index index.php; + autoindex off; + } + + location ~ [^/]\.php(/|$) { + + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + # Mitigate https://httpoxy.org/ vulnerabilities + fastcgi_param HTTP_PROXY ""; + + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + + # include the fastcgi_param setting + include fastcgi_params; + + # SCRIPT_FILENAME parameter is used for PHP FPM determining + # the script name. If it is not set in fastcgi_params file, + # i.e. /etc/nginx/fastcgi_params or in the parent contexts, + # please comment off following line + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } + +} diff --git a/linux/conf/nginx/sites-enabled/wiki.conf b/linux/conf/nginx/sites-enabled/wiki.conf new file mode 100644 index 0000000..1e3b4d1 --- /dev/null +++ b/linux/conf/nginx/sites-enabled/wiki.conf @@ -0,0 +1,39 @@ +server { + listen 8080; + server_name wiki.server.ank; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug; + + root /srv/www/; + + location /pub { + alias /srv/www/wiki/pub; + } + # ACME challenge + location ^~ /.well-known { + allow all; + alias /srv/www/wiki/pub/cert/.well-known/; + default_type "text/plain"; + try_files $uri =404; + } + + location @pmwiki { + rewrite ^/wiki/(.*) /wiki/pmwiki.php?n=$1; + } + + location /wiki { + index pmwiki.php; + try_files $uri $uri/ @pmwiki; + } + + location ~ ^\/wiki(.+\.php)$ { + index pmwiki.php; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index pmwiki.php; + try_files $uri /pmwiki.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass 127.0.0.1:9000; + } +} |