diff options
Diffstat (limited to 'tools/conf/etc/nginx/sites-enabled')
-rw-r--r-- | tools/conf/etc/nginx/sites-enabled/default.conf | 157 | ||||
-rw-r--r-- | tools/conf/etc/nginx/sites-enabled/email.conf | 63 | ||||
-rw-r--r-- | tools/conf/etc/nginx/sites-enabled/forum.conf | 39 | ||||
-rw-r--r-- | tools/conf/etc/nginx/sites-enabled/frontpage.conf | 40 | ||||
-rw-r--r-- | tools/conf/etc/nginx/sites-enabled/git.conf | 24 | ||||
-rw-r--r-- | tools/conf/etc/nginx/sites-enabled/git.localhost.conf | 25 | ||||
-rw-r--r-- | tools/conf/etc/nginx/sites-enabled/ports.conf | 55 | ||||
-rw-r--r-- | tools/conf/etc/nginx/sites-enabled/shop.conf | 86 | ||||
-rw-r--r-- | tools/conf/etc/nginx/sites-enabled/task.conf | 21 | ||||
-rw-r--r-- | tools/conf/etc/nginx/sites-enabled/vexim.conf | 39 | ||||
-rw-r--r-- | tools/conf/etc/nginx/sites-enabled/wiki.conf | 39 |
11 files changed, 481 insertions, 107 deletions
diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf index c35b0cd..f7a6928 100644 --- a/tools/conf/etc/nginx/sites-enabled/default.conf +++ b/tools/conf/etc/nginx/sites-enabled/default.conf @@ -1,15 +1,24 @@ server { +#if ($http_user_agent ~* (AhrefsBot|SemrushBot|MJ12Bot|DotBot)) { +# return 410; +#} -#listen 443 ssl http2; - listen 443 ssl; +##listen 443 ssl http2; + server_name tribu.semdestino.org; -# listen 80; - server_name machine.example; + listen 80 default_server; + listen 443 ssl default_server; +# listen [::]:443 ssl http2; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug; + + root /etc/nginx/html/; + + ssl_certificate /etc/letsencrypt/live/tribu.semdestino.org/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tribu.semdestino.org/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/tribu.semdestino.org/chain.pem; -# listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/machine.example/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/machine.example/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/machine.example/chain.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; @@ -20,84 +29,68 @@ server { ssl_stapling on; ssl_stapling_verify on; - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; +#proxy_redirect off; +#proxy_set_header Host $http_host; +proxy_set_header X-Forwarded-Host $http_host; +#proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - root /srv/www; - location /ports/distfiles { - alias /usr/ports/distfiles; + location /doc { + alias /srv/www/doc; + index index.html; + autoindex on; } - location /ports/packages { - alias /usr/ports/distfiles; - } - - location /doc { - alias /srv/www/doc; - index index.html; - } - - location /git/static { -# static files (png/css) served from /usr/share/gitweb/static - alias /srv/www/gitweb/static; - expires 30d; - } - - location /git { - alias /srv/www/gitweb; - index gitweb.cgi; - fastcgi_split_path_info ^/git()(/?.+)$; - fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; - fastcgi_param DOCUMENT_ROOT /srv/www/gitweb; - fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; - - include fastcgi_params; - fastcgi_pass unix:/var/run/fcgiwrap.sock; - } - - location /task { - index index.php; - alias /srv/www/flyspray; - try_files $uri $uri/ index.php$is_args$args; - } - - location ~ ^/task(.+\.php)$ { ### This location block was the solution - alias /srv/www/flyspray; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index index.php; - try_files $uri /index.php =404; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$1; -# fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_pass 127.0.0.1:9000; - } - - location / { - alias /srv/www/pmwiki/; - index pmwiki.php; - try_files $uri $uri/ /pmwiki.php$is_args$args; - } - -# ACME challenge - location ^~ /.well-known { - allow all; - alias /srv/www/pmwiki/pub/cert/.well-known/; - default_type "text/plain"; - try_files $uri =404; - } - - - location ~ \.php$ { - alias /srv/www/pmwiki; - index pmwiki.php; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index pmwiki.php; - try_files $uri /pmwiki.php =404; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; -# fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_pass 127.0.0.1:9000; + location /mirror { + proxy_pass http://ports.ank; + } + + location /pub { + proxy_pass http://wiki.server.ank:8080; + } + location ^~ /.well-known { + # ACME challenge + proxy_pass http://wiki.server.ank; + } + location /wiki { + proxy_pass http://wiki.server.ank:8080; + } + + location /git { + proxy_pass http://git.server.ank:8080; + } + + location /forum/ { + proxy_pass http://forum.server.ank:8080/; + } + + location /task { + proxy_pass http://task.server.ank:8080; + } + + location /shop { + proxy_pass http://shop.server.ank:8080; + } + + location /vexim/ { + proxy_pass http://vexim.server.ank:8080/; + } + + location /email { + proxy_pass http://email.server.ank:8080; + } + + location /awstats { + proxy_pass http://awstats.server.ank:8080; + } + + location /stats { + proxy_pass http://stats.server.ank:8080; + } + + location / { + proxy_pass http://frontpage.server.ank:8080/; } } diff --git a/tools/conf/etc/nginx/sites-enabled/email.conf b/tools/conf/etc/nginx/sites-enabled/email.conf new file mode 100644 index 0000000..5b34d7c --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/email.conf @@ -0,0 +1,63 @@ +server { + listen 8080; + server_name email.server.ank; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_email,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_email_err,nohostname debug; + + location /email { + alias /srv/www/email; + index index.php; + autoindex off; + } + + # Favicon + location ~ ^/email/favicon.ico$ { + root /srv/www/email/skins/classic/images; + log_not_found off; + access_log off; + expires max; + } + + # Robots file + location ~ ^/email/robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # Deny Protected directories + location ~ ^/email/(config|temp|logs)/ { + deny all; + } + + location ~ ^/email/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ { + deny all; + } + + location ~ ^/email/(bin|SQL)/ { + deny all; + } + + # Hide .md files + location ~ ^/email/(.+\.md)$ { + deny all; + } + + # Hide all dot files + location ~ ^/email/\. { + deny all; + access_log off; + log_not_found off; + } + + location ~ /email/.*\.php { + alias /srv/www/email; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + try_files $uri /index.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass 127.0.0.1:9000; + } +} diff --git a/tools/conf/etc/nginx/sites-enabled/forum.conf b/tools/conf/etc/nginx/sites-enabled/forum.conf new file mode 100644 index 0000000..14350e3 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/forum.conf @@ -0,0 +1,39 @@ +server { + listen 8080; + server_name forum.server.ank; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum_err,nohostname debug; + + root /srv/www/forum; + + location / { + index index.php; + try_files $uri $uri/ index.php$is_args$args; + } + + location ~ [^/]\.php(/|$) { + + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + # Mitigate https://httpoxy.org/ vulnerabilities + fastcgi_param HTTP_PROXY ""; + + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + + # include the fastcgi_param setting + include fastcgi_params; + + # SCRIPT_FILENAME parameter is used for PHP FPM determining + # the script name. If it is not set in fastcgi_params file, + # i.e. /etc/nginx/fastcgi_params or in the parent contexts, + # please comment off following line + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } + +} diff --git a/tools/conf/etc/nginx/sites-enabled/frontpage.conf b/tools/conf/etc/nginx/sites-enabled/frontpage.conf new file mode 100644 index 0000000..7f7e66a --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/frontpage.conf @@ -0,0 +1,40 @@ +server { + listen 8080; + server_name frontpage.server.ank; + + #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_frontpage,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_frontpage_err,nohostname debug; + + root /srv/www/frontpage; + + index index.html index.php; + + location / { + index index.html; + try_files $uri $uri/ index.html index.php$is_args$args; + } + + location ~ [^/]\.php(/|$) { + + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + # Mitigate https://httpoxy.org/ vulnerabilities + fastcgi_param HTTP_PROXY ""; + + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + + # include the fastcgi_param setting + include fastcgi_params; + + # SCRIPT_FILENAME parameter is used for PHP FPM determining + # the script name. If it is not set in fastcgi_params file, + # i.e. /etc/nginx/fastcgi_params or in the parent contexts, + # please comment off following line + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } +} diff --git a/tools/conf/etc/nginx/sites-enabled/git.conf b/tools/conf/etc/nginx/sites-enabled/git.conf new file mode 100644 index 0000000..f9d2d97 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/git.conf @@ -0,0 +1,24 @@ +server { + listen 8080; + server_name git.server.ank; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug; + + root /srv/www/gitweb; + + location /git/static { + # static files (png/css) served from /usr/share/gitweb/static + alias /srv/www/gitweb/static; + } + + location / { + index gitweb.cgi; + fastcgi_split_path_info ^/git()(/?.+)$; + fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; + fastcgi_param DOCUMENT_ROOT /srv/www/gitweb; + fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; + include fastcgi_params; + fastcgi_pass unix:/var/run/fcgiwrap.sock; + } +} diff --git a/tools/conf/etc/nginx/sites-enabled/git.localhost.conf b/tools/conf/etc/nginx/sites-enabled/git.localhost.conf deleted file mode 100644 index 910df66..0000000 --- a/tools/conf/etc/nginx/sites-enabled/git.localhost.conf +++ /dev/null @@ -1,25 +0,0 @@ -server { - listen 443 ssl; - - server_name git.localhost git.machine.example git.machine.example.org; - - root /srv/www/gitweb; - - location /static/ { - # static files (png/css) served from /usr/share/gitweb/static - root /usr/share/gitweb ; - expires 30d; - } - - location / { - index gitweb.cgi - fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; - fastcgi_param DOCUMENT_ROOT /srv/www/gitweb/; - fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; - fastcgi_split_path_info ^()(/?.+)$; - - include fastcgi_params; - fastcgi_pass unix:/var/run/fcgiwrap.sock; - } - -} diff --git a/tools/conf/etc/nginx/sites-enabled/ports.conf b/tools/conf/etc/nginx/sites-enabled/ports.conf new file mode 100644 index 0000000..829d710 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/ports.conf @@ -0,0 +1,55 @@ +server { + listen 80; + server_name localhost ports.ank default_host; + + access_log /var/log/nginx/ports_access.log; + error_log /var/log/nginx/ports_error.log; + + location /mirror/archive { + autoindex on; + alias /usr/ports/archive; + } + + location /mirror/packages { + autoindex on; + alias /usr/ports/packages; + } + + location /mirror/distfiles { + autoindex on; + alias /usr/ports/distfiles; + } + + location /mirror/bugs { + autoindex on; + alias /usr/ports/pkgbuild; + types { + text/plain log; + } + } + + location /mirror/installed { + autoindex on; + alias /usr/ports/installed; + default_type text/plain; + } + + location /mirror/releases { + autoindex on; + alias /usr/ports/releases; + } + + location /mirror/ { + return 301 https://tribu.semdestino.org/wiki/Main/Mirror; + } + + error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root html; + } +} + diff --git a/tools/conf/etc/nginx/sites-enabled/shop.conf b/tools/conf/etc/nginx/sites-enabled/shop.conf new file mode 100644 index 0000000..de34e40 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/shop.conf @@ -0,0 +1,86 @@ +server { + listen 8080; + server_name shop.server.ank; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_shop,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_shop_err,nohostname debug; + + location ~ ^/shop/admin { + alias /srv/www/shop/upload/admin; + index index.php; + + location ~ ^/shop/admin/config.php { + deny all; + } + + location ~ \.php$ { + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $request_filename$1; + fastcgi_pass 127.0.0.1:9000; + } + } + + location ^~ /shop { + alias /srv/www/shop/upload; + index index.php; + #try_files $uri $uri/ index.php$is_args$args; + #try_files index.php @opencart; + + location ~ ^/shop/upload/image/data { + autoindex on; + } + + location ~ ^/shop/config.php { + deny all; + } + + + location ~ ^/shop/admin/config.php { + deny all; + } + +# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). +# + location ~ ^/shop/\. { + deny all; + access_log off; + log_not_found off; + } + location ~ ^/shop/\.(jpg|jpeg|png|gif|css|js|ico)$ { + expires max; + log_not_found off; + } + + location ~ \.php$ { + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $request_filename$1; + fastcgi_pass 127.0.0.1:9000; + #fastcgi_split_path_info ^(.+\.php)(/.+)$; + #fastcgi_split_path_info ^(.+\.php)(.*)$; + #fastcgi_index index.php; + #try_files $uri /index.php =404; + # fastcgi_pass unix:/var/run/php5-fpm.sock; + } + + } + + + location @tribushop { + rewrite ^/shop/(.+)$ /shop/index.php?_route_=$1 last; + } + + location /shop/engine { + deny all; + } + + location ~ ^/shop/library { + deny all; + } + + # Make sure files with the following extensions do not + # get loaded by nginx because nginx would display the + # source code, and these files can contain PASSWORDS! + location ~ ^/shop/\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|.*ini|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ { + deny all; + } +} diff --git a/tools/conf/etc/nginx/sites-enabled/task.conf b/tools/conf/etc/nginx/sites-enabled/task.conf new file mode 100644 index 0000000..8b15ee5 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/task.conf @@ -0,0 +1,21 @@ +server { + listen 8080; + server_name task.server.ank; + + location /task { + index index.php; + alias /srv/www/task; + try_files $uri $uri/ index.php$is_args$args; + } + + location ~ ^/task(.+\.php)$ { ### This location block was the solution + alias /srv/www/task; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + try_files $uri /index.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$1; +# fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass 127.0.0.1:9000; + } +} diff --git a/tools/conf/etc/nginx/sites-enabled/vexim.conf b/tools/conf/etc/nginx/sites-enabled/vexim.conf new file mode 100644 index 0000000..d113cdc --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/vexim.conf @@ -0,0 +1,39 @@ +server { + listen 8080; + server_name vexim.server.ank; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vexim,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vexim_err,nohostname debug; + + root /srv/www/vexim; + + location / { + index index.php; + autoindex off; + } + + location ~ [^/]\.php(/|$) { + + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + # Mitigate https://httpoxy.org/ vulnerabilities + fastcgi_param HTTP_PROXY ""; + + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + + # include the fastcgi_param setting + include fastcgi_params; + + # SCRIPT_FILENAME parameter is used for PHP FPM determining + # the script name. If it is not set in fastcgi_params file, + # i.e. /etc/nginx/fastcgi_params or in the parent contexts, + # please comment off following line + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } + +} diff --git a/tools/conf/etc/nginx/sites-enabled/wiki.conf b/tools/conf/etc/nginx/sites-enabled/wiki.conf new file mode 100644 index 0000000..1e3b4d1 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/wiki.conf @@ -0,0 +1,39 @@ +server { + listen 8080; + server_name wiki.server.ank; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug; + + root /srv/www/; + + location /pub { + alias /srv/www/wiki/pub; + } + # ACME challenge + location ^~ /.well-known { + allow all; + alias /srv/www/wiki/pub/cert/.well-known/; + default_type "text/plain"; + try_files $uri =404; + } + + location @pmwiki { + rewrite ^/wiki/(.*) /wiki/pmwiki.php?n=$1; + } + + location /wiki { + index pmwiki.php; + try_files $uri $uri/ @pmwiki; + } + + location ~ ^\/wiki(.+\.php)$ { + index pmwiki.php; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index pmwiki.php; + try_files $uri /pmwiki.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_pass 127.0.0.1:9000; + } +} |