From a947a31ede27fdf995e0a63e766fcd68eb491426 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Fri, 7 Feb 2020 03:41:45 +0000
Subject: System configuration update
---
 tools/conf/etc/nginx/nginx.conf | 112 +++------------------
 tools/conf/etc/nginx/sites-enabled/default.conf | 106 ++++++++-----------
 .../conf/etc/nginx/sites-enabled/email.c2.ank.conf | 61 +++++++++++
 .../conf/etc/nginx/sites-enabled/forum.c2.ank.conf | 26 +++++
 tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf | 28 ++++++
 .../etc/nginx/sites-enabled/git.localhost.conf | 25 -----
 .../conf/etc/nginx/sites-enabled/shop.c2.ank.conf | 84 ++++++++++++++++
 .../conf/etc/nginx/sites-enabled/task.c2.ank.conf | 21 ++++
 .../conf/etc/nginx/sites-enabled/wiki.c2.ank.conf | 43 ++++++++
 9 files changed, 319 insertions(+), 187 deletions(-)
 create mode 100644 tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf
 create mode 100644 tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf
 create mode 100644 tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf
 delete mode 100644 tools/conf/etc/nginx/sites-enabled/git.localhost.conf
 create mode 100644 tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf
 create mode 100644 tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf
 create mode 100644 tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf
(limited to 'tools/conf/etc/nginx')
diff --git a/tools/conf/etc/nginx/nginx.conf b/tools/conf/etc/nginx/nginx.conf
index 8fca293..1339275 100644
--- a/tools/conf/etc/nginx/nginx.conf
+++ b/tools/conf/etc/nginx/nginx.conf
@@ -6,36 +6,36 @@ user www; worker_processes auto; -error_log /var/log/nginx/error.log; +error_log syslog:server=unix:/dev/log debug; pid /var/run/nginx.pid; - events { worker_connections 1024; } - http { include mime.types; default_type application/octet-stream; - #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - # '$status $body_bytes_sent "$http_referer" ' - # '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; sendfile on; #tcp_nopush on; - client_max_body_size 8M; - keepalive_timeout 65; - client_body_timeout 12; - client_header_timeout 12; - send_timeout 65; + # Allow attach iso to wiki + #client_max_body_size 8M; + client_max_body_size 30M; + #keepalive_timeout 65; + keepalive_timeout 120; + #client_body_timeout 12; + client_body_timeout 24; + #client_header_timeout 12; + client_header_timeout 24; + send_timeout 65; gzip on; gzip_vary on; 
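Review bot: The new main-context `error_log syslog:server=unix:/dev/log debug;` leaves debug-level logging switched on permanently; on an nginx build with debug support that level records request headers line by line, so session cookies and Authorization values of every proxied application end up in syslog. A level such as `error_log syslog:server=unix:/dev/log warn;` keeps the syslog transport without that, and the per-vhost `error_log … debug` lines added to default.conf in this commit deserve the same change. Separately, `client_max_body_size 30M;` and the doubled timeouts are raised for the whole `http` block although the comment ties them to wiki attachments; setting them inside the wiki server block would leave the other vhosts at the tighter limits. The `http` block closes outside this hunk.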
@@ -45,88 +45,6 @@ http { # gzip_http_version 1.1; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - - include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*.conf; - - #server { - # listen 80; - # server_name localhost; - # - # #charset koi8-r; - # - # location / { - # root html; - # index index.html index.htm; - # } - # - # error_page 404 /404.html; - # - # # redirect server error pages to the static page /50x.html - # # - # error_page 500 502 503 504 /50x.html; - # location = /50x.html { - # root html; - # } - # - # # proxy the PHP scripts to Apache listening on 127.0.0.1:80 - # # - # #location ~ \.php$ { - # # proxy_pass http://127.0.0.1; - # #} - # - # # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # # - # #location ~ \.php$ { - # # root html; - # # fastcgi_pass 127.0.0.1:9000; - # # fastcgi_index index.php; - # # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; - # # include fastcgi_params; - # #} - # - # # deny access to .htaccess files, if Apache's document root - # # concurs with nginx's one - # # - # #location ~ /\.ht { - # # deny all; - # #} - #} - - - # another virtual host using mix of IP-, name-, and port-based configuration - # - #server { - # listen 8000; - # listen somename:8080; - # server_name somename alias another.alias; - - # location / { - # root html; - # index index.html index.htm; - # } - #} - - - # HTTPS server - # - #server { - # listen 443 ssl; - # server_name localhost; - - # ssl_certificate cert.pem; - # ssl_certificate_key cert.key; - - # ssl_session_cache shared:SSL:1m; - # ssl_session_timeout 5m; - - # ssl_ciphers HIGH:!aNULL:!MD5; - # ssl_prefer_server_ciphers on; - - # location / { - # root html; - # index index.html index.htm; - # } - #} - } +# End of file diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf index c35b0cd..fb9fb8e 100644 
--- a/tools/conf/etc/nginx/sites-enabled/default.conf +++ b/tools/conf/etc/nginx/sites-enabled/default.conf @@ -1,15 +1,13 @@ server { + server_name tribu.semdestino.org; -#listen 443 ssl http2; - listen 443 ssl; + listen 80 default_server; + listen 443 ssl default_server; -# listen 80; - server_name machine.example; + ssl_certificate /etc/letsencrypt/live/tribu.semdestino.org/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tribu.semdestino.org/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/tribu.semdestino.org/chain.pem; -# listen [::]:443 ssl http2; - ssl_certificate /etc/letsencrypt/live/machine.example/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/machine.example/privkey.pem; - ssl_trusted_certificate /etc/letsencrypt/live/machine.example/chain.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; 
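Review bot: `listen 80 default_server;` now sits in the same server block as `listen 443 ssl default_server;`, so every location of this vhost is also served over plain HTTP and logins to the proxied wiki, forum or webmail can travel unencrypted. Splitting port 80 into its own server block that only answers the ACME path and redirects everything else to HTTPS closes that; the existing block then keeps only its `ssl` listen line. The server block continues past this hunk, so the sketch below shows only the added block.

```nginx
server {
    listen 80 default_server;
    server_name tribu.semdestino.org;

    # ACME HTTP-01 validation has to stay reachable over plain HTTP;
    # wiki.c2.ank.conf in this commit listens on 8080
    location ^~ /.well-known {
        proxy_pass http://wiki.c2.ank:8080;
    }

    location / {
        return 301 https://tribu.semdestino.org$request_uri;
    }
}
# … unchanged: the existing server block, minus its `listen 80 default_server;` line …
```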
@@ -20,84 +18,62 @@ server { ssl_stapling on; ssl_stapling_verify on; - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug; - - root /srv/www; - - location /ports/distfiles { - alias /usr/ports/distfiles; - } - - location /ports/packages { - alias /usr/ports/distfiles; - } + root /etc/html/; location /doc { alias /srv/www/doc; index index.html; } - location /git/static { -# static files (png/css) served from /usr/share/gitweb/static - alias /srv/www/gitweb/static; - expires 30d; + location /pub { + proxy_pass http://wiki.c2.ank:8080; + } + + location /wiki { + proxy_pass http://wiki.c2.ank:8080; } location /git { - alias /srv/www/gitweb; - index gitweb.cgi; - fastcgi_split_path_info ^/git()(/?.+)$; - fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; - fastcgi_param DOCUMENT_ROOT /srv/www/gitweb; - fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; - - include fastcgi_params; - fastcgi_pass unix:/var/run/fcgiwrap.sock; + proxy_pass http://git.c2.ank:8080; + } + + location /forum { + proxy_pass http://forum.c2.ank:8080; } location /task { - index index.php; - alias /srv/www/flyspray; - try_files $uri $uri/ index.php$is_args$args; + proxy_pass http://task.c2.ank:8080; } - location ~ ^/task(.+\.php)$ { ### This location block was the solution - alias /srv/www/flyspray; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index index.php; - try_files $uri /index.php =404; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$1; -# fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_pass 127.0.0.1:9000; + location /shop { + proxy_pass http://shop.c2.ank:8080; } - location / { - alias /srv/www/pmwiki/; - index pmwiki.php; - try_files $uri $uri/ /pmwiki.php$is_args$args; + location /email { + proxy_pass http://email.c2.ank:8080; } -# 
ACME challenge - location ^~ /.well-known { - allow all; - alias /srv/www/pmwiki/pub/cert/.well-known/; - default_type "text/plain"; - try_files $uri =404; + location /mirror { + proxy_pass http://c1.ank; } + location /awstats { + proxy_pass http://awstats.c2.ank:8080; + } + + location /stats { + proxy_pass http://stats.c2.ank:8080; + } - location ~ \.php$ { - alias /srv/www/pmwiki; - index pmwiki.php; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index pmwiki.php; - try_files $uri /pmwiki.php =404; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; -# fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_pass 127.0.0.1:9000; + # ACME challenge + location ^~ /.well-known { + proxy_pass http://wiki.c2.ank; + } + + location / { + proxy_pass http://frontpage.c2.ank; } } diff --git a/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf new file mode 100644 index 0000000..3ae544c --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf 
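Review bot: `location ^~ /.well-known { proxy_pass http://wiki.c2.ank; }` names no port, so ACME validation requests go to port 80 of that host, while wiki.c2.ank.conf added in this same commit listens only on 8080 and is the vhost that defines the `.well-known` alias. Unless something else answers on port 80 there, renewal will fail and the certificate configured at the top of this file will expire; `proxy_pass http://wiki.c2.ank:8080;` matches the other wiki locations. The same portless upstream is kept in the later revisions of default.conf on this page (`http://wiki.c2.ank`, then `http://wiki.server.ank`). The server block opens outside this hunk.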
@@ -0,0 +1,61 @@
+server {
+ listen 8080;
+ server_name email.c2.ank;
+
+#access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main;
+#error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug;
+#access_log /var/log/nginx/roundcube_access.log;
+#error_log /var/log/nginx/roundcube_error.log;
+
+
+
+ location /email {
+ alias /srv/www/email;
+ index index.php;
+ autoindex off;
+ }
+
+# Favicon
+ location ~ ^/email/favicon.ico$ {
+ root /srv/www/email/skins/classic/images;
+ log_not_found off;
+ access_log off;
+ expires max;
+ }
+# Robots file
+ location ~ ^/email/robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+# Deny Protected directories
+ location ~ ^/email/(config|temp|logs)/ {
+ deny all;
+ }
+ location ~ ^/email/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+ deny all;
+ }
+ location ~ ^/email/(bin|SQL)/ {
+ deny all;
+ }
+# Hide .md files
+ location ~ ^/email/(.+\.md)$ {
+ deny all;
+ }
+# Hide all dot files
+ location ~ ^/email/\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+
+ location ~ /email/.*\.php {
+ alias /srv/www/email;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index index.php;
+ try_files $uri /index.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf
new file mode 100644
index 0000000..2ed362a
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf
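Review bot: The PHP handler `location ~ /email/.*\.php` is anchored at neither end, so any URI that contains `/email/` and later the characters `.php` is handed to PHP-FPM, and what gets executed then depends on PHP-FPM settings (`security.limit_extensions`, `cgi.fix_pathinfo`) rather than on nginx. Anchoring it as `location ~ ^/email/.+\.php(/|$) {` and rejecting paths that are not existing files narrows that; forum.conf further down this page already uses that shape with an explicit `-f` test. The block is carried unchanged into email.conf in the later commit, so the same applies there. It is also worth checking the `alias` inside this regex location, since `$document_root$fastcgi_script_name` then repeats the `/email` prefix.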
@@ -0,0 +1,26 @@
+server {
+ listen 8080;
+ server_name forum.c2.ank;
+
+ #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum,nohostname main;
+ #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum_err,nohostname debug;
+
+ root /srv/www/;
+
+ location /forum {
+ index index.php;
+ alias /srv/www/forum;
+ try_files $uri $uri/ index.php$is_args$args;
+ }
+
+ location ~ ^/forum(.+\.php)$ { ### This location block was the solution
+ alias /srv/www/forum;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index index.php;
+ try_files $uri /index.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$1;
+# fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf
new file mode 100644
index 0000000..56e6412
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf
@@ -0,0 +1,28 @@
+server {
+ listen 8080;
+ server_name git.c2.ank;
+
+ #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main;
+ #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug;
+
+ #access_log /var/log/nginx/git main;
+ #error_log /var/log/nginx/git_error debug;
+
+ root /srv/www/;
+
+ location /git/static {
+ # static files (png/css) served from /usr/share/gitweb/static
+ alias /srv/www/gitweb/static;
+ }
+
+ location /git {
+ alias /srv/www/gitweb;
+ index gitweb.cgi;
+ fastcgi_split_path_info ^/git()(/?.+)$;
+ fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
+ fastcgi_param DOCUMENT_ROOT /srv/www/gitweb;
+ fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info;
+ include fastcgi_params;
+ fastcgi_pass unix:/var/run/fcgiwrap.sock;
+ }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/git.localhost.conf b/tools/conf/etc/nginx/sites-enabled/git.localhost.conf
deleted file mode 100644
index 910df66..0000000
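Review bot: The server-level `root /srv/www/;` in forum.c2.ank.conf makes this vhost a static file server for the whole web tree: a request that matches neither `/forum` location falls through to that root, so files of the other applications under /srv/www are returned as plain files, PHP sources included, and the deny rules in their own vhosts never apply. Both forum locations already set `alias`, so the root line can go, or a catch-all `location / { return 404; }` can be added. git.c2.ank.conf in this same hunk group and wiki.c2.ank.conf later in the commit set the same `root /srv/www/;`; the wiki vhost relies on it for `/wiki`, so there the catch-all is the safer fix.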
--- a/tools/conf/etc/nginx/sites-enabled/git.localhost.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-server {
- listen 443 ssl;
-
- server_name git.localhost git.machine.example git.machine.example.org;
-
- root /srv/www/gitweb;
-
- location /static/ {
- # static files (png/css) served from /usr/share/gitweb/static
- root /usr/share/gitweb ;
- expires 30d;
- }
-
- location / {
- index gitweb.cgi
- fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
- fastcgi_param DOCUMENT_ROOT /srv/www/gitweb/;
- fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info;
- fastcgi_split_path_info ^()(/?.+)$;
-
- include fastcgi_params;
- fastcgi_pass unix:/var/run/fcgiwrap.sock;
- }
-
-}
diff --git a/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf
new file mode 100644
index 0000000..3a0aea1
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf
@@ -0,0 +1,84 @@
+server {
+ listen 8080;
+ server_name shop.c2.ank;
+
+
+ location ~ ^/shop/admin {
+ alias /srv/www/shop/upload/admin;
+ index index.php;
+
+ location ~ ^/shop/admin/config.php {
+ deny all;
+ }
+
+ location ~ \.php$ {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename$1;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+ }
+
+ location ^~ /shop {
+ alias /srv/www/shop/upload;
+ index index.php;
+ #try_files $uri $uri/ index.php$is_args$args;
+ #try_files index.php @opencart;
+
+ location ~ ^/shop/upload/image/data {
+ autoindex on;
+ }
+
+ location ~ ^/shop/config.php {
+ deny all;
+ }
+
+
+ location ~ ^/shop/admin/config.php {
+ deny all;
+ }
+
+# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+#
+ location ~ ^/shop/\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+ location ~ ^/shop/\.(jpg|jpeg|png|gif|css|js|ico)$ {
+ expires max;
+ log_not_found off;
+ }
+
+ location ~ \.php$ {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename$1;
+ fastcgi_pass 127.0.0.1:9000;
+ #fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ #fastcgi_split_path_info ^(.+\.php)(.*)$;
+ #fastcgi_index index.php;
+ #try_files $uri /index.php =404;
+ # fastcgi_pass unix:/var/run/php5-fpm.sock;
+ }
+
+ }
+
+
+location @tribushop {
+ rewrite ^/shop/(.+)$ /shop/index.php?_route_=$1 last;
+ }
+
+ location /shop/engine {
+ deny all;
+ }
+
+ location ~ ^/shop/library {
+ deny all;
+ }
+
+ # Make sure files with the following extensions do not
+ # get loaded by nginx because nginx would display the
+ # source code, and these files can contain PASSWORDS!
+ location ~ ^/shop/\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|.*ini|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
+ deny all;
+ }
+}
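Review bot: The deny rules at the bottom of this server block cannot take effect: `location ^~ /shop` stops regex evaluation for every URI under `/shop`, so the top-level `location ~ ^/shop/library` and the extension blacklist after it are never consulted, and the blacklist's first alternative `^/shop/\.(engine|inc|…)$` would in any case need the dot directly after `/shop/`. Files the comment singles out as containing passwords (`.ini`, `.sql`, `.tpl` and the rest) are therefore served as static text. Moving both rules inside the `^~ /shop` block, ahead of the nested `\.php$` location, and matching the extension at the end of the path (`location ~ \.(engine|inc|…|xtmpl)$ { deny all; }` with the full list) makes them reachable. For the same reason the top-level `location ~ ^/shop/admin` block looks unreachable, and the `autoindex on` for the image data directory is worth a second look.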
diff --git a/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf
new file mode 100644
index 0000000..2d62e96
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf
@@ -0,0 +1,21 @@
+server {
+ listen 8080;
+ server_name task.c2.ank;
+
+ location /task {
+ index index.php;
+ alias /srv/www/task;
+ try_files $uri $uri/ index.php$is_args$args;
+ }
+
+ location ~ ^/task(.+\.php)$ { ### This location block was the solution
+ alias /srv/www/task;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index index.php;
+ try_files $uri /index.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$1;
+# fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf
new file mode 100644
index 0000000..1504fa1
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf
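Review bot: `listen 8080;` in task.c2.ank.conf binds the backend vhost on every address of the host, so unless a packet filter outside this diff closes the port the application is reachable directly, without TLS and without passing through default.conf. If the front proxy runs on the same machine, `listen 127.0.0.1:8080;` keeps the backend private; otherwise bind only the internal address the proxy uses. The email, forum, git, shop and wiki vhosts added in this commit use the same bare `listen 8080;`. The `### This location block was the solution` comment would also help the next reader more if it said which problem it solved.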
@@ -0,0 +1,43 @@ +server { + listen 8080; + server_name wiki.c2.ank; + + #access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main; + #error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug; + + #access_log /var/log/nginx/wiki main; + #error_log /var/log/nginx/wiki_error debug; + + root /srv/www/; + + location /pub { + alias /srv/www/wiki/pub; + } + # ACME challenge + location ^~ /.well-known { + allow all; + alias /srv/www/wiki/pub/cert/.well-known/; + default_type "text/plain"; + try_files $uri =404; + } + + location @pmwiki { + rewrite ^/wiki/(.*) /wiki/pmwiki.php?n=$1; + } + + location /wiki { + index pmwiki.php; + try_files $uri $uri/ @pmwiki; + } + + location ~ ^\/wiki(.+\.php)$ { + index pmwiki.php; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index pmwiki.php; + try_files $uri /pmwiki.php =404; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +# fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass 127.0.0.1:9000; + } +} -- cgit 1.4.1-2-gfad0 From 721c5af0bb335b2367121681694ceaa7606b18ce Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Mon, 9 Mar 2020 20:15:17 +0000 Subject: nginx configuration revision --- tools/conf/etc/logrotate.conf | 34 ++++---- tools/conf/etc/nginx/nginx.conf | 3 +- tools/conf/etc/nginx/sites-enabled/default.conf | 102 ++++++++++++++---------- tools/conf/etc/nginx/sites-enabled/ports.conf | 55 +++++++++++++ 4 files changed, 133 insertions(+), 61 deletions(-) create mode 100644 tools/conf/etc/nginx/sites-enabled/ports.conf (limited to 'tools/conf/etc/nginx') diff --git a/tools/conf/etc/logrotate.conf b/tools/conf/etc/logrotate.conf index ee85347..d7ff75c 100644 --- a/tools/conf/etc/logrotate.conf +++ b/tools/conf/etc/logrotate.conf @@ -18,6 +18,8 @@ maxsize 1M # this directory include /etc/logrotate.d +dateformat .%Y%m%d + # few generic files to rotate /var/log/wtmp { monthly 
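Review bot: wiki.c2.ank.conf has no rule that keeps PmWiki's data and code directories away from the static handler: with `root /srv/www/;` and `location /wiki { try_files $uri $uri/ @pmwiki; }`, a path under `/wiki/wiki.d/` is returned as a plain file, which bypasses the wiki's own read permissions. PmWiki's stock protection for `wiki.d/`, `local/`, `cookbook/` and `scripts/` is a set of .htaccess files, which nginx does not read. A rule such as `location ~ ^/wiki/(wiki\.d|local|cookbook|scripts)/ { deny all; }`, placed before the PHP location so it wins the regex order, restores that; the directory names should be checked against the installed tree.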
@@ -39,7 +41,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } @@ -50,7 +52,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } @@ -61,7 +63,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } @@ -73,7 +75,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } @@ -84,7 +86,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } @@ -95,7 +97,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } @@ -115,7 +117,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } @@ -126,7 +128,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } @@ -137,7 +139,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } @@ -148,7 +150,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } @@ -159,7 +161,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } @@ -170,7 +172,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } 
@@ -181,7 +183,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } @@ -193,7 +195,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } @@ -204,7 +206,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } @@ -215,7 +217,7 @@ include /etc/logrotate.d delaycompress sharedscripts postrotate - /etc/init.d/syslog-ng reload + /sbin/syslog-ng-ctl reload >/dev/null endscript } diff --git a/tools/conf/etc/nginx/nginx.conf b/tools/conf/etc/nginx/nginx.conf index 1339275..e757df6 100644 --- a/tools/conf/etc/nginx/nginx.conf +++ b/tools/conf/etc/nginx/nginx.conf @@ -2,11 +2,10 @@ # /etc/nginx/nginx.conf - nginx server configuration # - user www; worker_processes auto; -error_log syslog:server=unix:/dev/log debug; +error_log syslog:server=unix:/dev/log,facility=daemon debug; pid /var/run/nginx.pid; diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf index fb9fb8e..1bb8afd 100644 --- a/tools/conf/etc/nginx/sites-enabled/default.conf +++ b/tools/conf/etc/nginx/sites-enabled/default.conf @@ -1,8 +1,19 @@ server { +#if ($http_user_agent ~* (AhrefsBot|SemrushBot|MJ12Bot|DotBot)) { +# return 410; +#} + +##listen 443 ssl http2; server_name tribu.semdestino.org; listen 80 default_server; listen 443 ssl default_server; +# listen [::]:443 ssl http2; + + access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main; + error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug; + + root /etc/nginx/html/; ssl_certificate /etc/letsencrypt/live/tribu.semdestino.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/tribu.semdestino.org/privkey.pem; 
@@ -18,62 +29,67 @@ server { ssl_stapling on; ssl_stapling_verify on; - access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main; - error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug; +#proxy_redirect off; +#proxy_set_header Host $http_host; +#proxy_set_header X-Forwarded-Host $http_host; +#proxy_set_header X-Real-IP $remote_addr; +#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - root /etc/html/; - location /doc { - alias /srv/www/doc; - index index.html; + location /doc { + alias /srv/www/doc; + index index.html; + autoindex on; } - location /pub { + location /mirror { + proxy_pass http://c1.ank; + } + + location /pub { + proxy_pass http://wiki.c2.ank:8080; + } + location ^~ /.well-known { + # ACME challenge + proxy_pass http://wiki.c2.ank; + } + location /wiki { proxy_pass http://wiki.c2.ank:8080; - } + } - location /wiki { - proxy_pass http://wiki.c2.ank:8080; - } + location /git { + proxy_pass http://git.c2.ank:8080; + } - location /git { - proxy_pass http://git.c2.ank:8080; - } + location /forum/ { + proxy_pass http://forum.c2.ank:8080/; + } - location /forum { - proxy_pass http://forum.c2.ank:8080; - } - - location /task { - proxy_pass http://task.c2.ank:8080; - } - - location /shop { - proxy_pass http://shop.c2.ank:8080; - } + #location /task { + # proxy_pass http://task.c2.ank:8080; + #} - location /email { - proxy_pass http://email.c2.ank:8080; - } + # location /shop { + # proxy_pass http://shop.c2.ank:8080; + # } - location /mirror { - proxy_pass http://c1.ank; - } + location /vexim/ { + proxy_pass http://vexim.c2.ank:8080/; + } - location /awstats { - proxy_pass http://awstats.c2.ank:8080; - } + # location /email { + # proxy_pass http://email.c2.ank:8080; + # } - location /stats { - proxy_pass http://stats.c2.ank:8080; - } + # location /awstats { + # proxy_pass http://awstats.c2.ank:8080; + # } - # ACME challenge - location ^~ /.well-known { - proxy_pass 
http://wiki.c2.ank; - } + # location /stats { + # proxy_pass http://stats.c2.ank:8080; + # } - location / { - proxy_pass http://frontpage.c2.ank; + location / { + proxy_pass http://frontpage.c2.ank:8080/; } } diff --git a/tools/conf/etc/nginx/sites-enabled/ports.conf b/tools/conf/etc/nginx/sites-enabled/ports.conf new file mode 100644 index 0000000..829d710 --- /dev/null +++ b/tools/conf/etc/nginx/sites-enabled/ports.conf @@ -0,0 +1,55 @@ +server { + listen 80; + server_name localhost ports.ank default_host; + + access_log /var/log/nginx/ports_access.log; + error_log /var/log/nginx/ports_error.log; + + location /mirror/archive { + autoindex on; + alias /usr/ports/archive; + } + + location /mirror/packages { + autoindex on; + alias /usr/ports/packages; + } + + location /mirror/distfiles { + autoindex on; + alias /usr/ports/distfiles; + } + + location /mirror/bugs { + autoindex on; + alias /usr/ports/pkgbuild; + types { + text/plain log; + } + } + + location /mirror/installed { + autoindex on; + alias /usr/ports/installed; + default_type text/plain; + } + + location /mirror/releases { + autoindex on; + alias /usr/ports/releases; + } + + location /mirror/ { + return 301 https://tribu.semdestino.org/wiki/Main/Mirror; + } + + error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root html; + } +} + -- cgit 1.4.1-2-gfad0 From 8a5897ad0a5e82d389c119001e3feaeaf2d0b1c3 Mon Sep 17 00:00:00 2001 
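Review bot: The forwarding headers in the second default.conf hunk of this commit are added only as comments (`#proxy_set_header X-Real-IP $remote_addr;` and the lines around it), so every backend still sees the proxy as the client and plain HTTP as the scheme; backend access logs lose the real source address and any per-address throttling or secure-cookie logic in the applications works from wrong data. Enabling `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, and adding `proxy_set_header X-Forwarded-Proto $scheme;`, at server level covers all locations. The commented `Host $http_host` line is better left off, since the backends pick their vhost by the upstream name nginx sends by default. `autoindex on` on `/doc` also publishes a listing of everything under /srv/www/doc, which is fine only if nothing but published documentation lives there.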
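Review bot: In ports.conf, `location /mirror/installed` and `location /mirror/bugs` publish `/usr/ports/installed` and `/usr/ports/pkgbuild` with `autoindex on`; going by the names these hold the installed-package list and build logs, and default.conf forwards the public `/mirror` path to what appears to be this vhost. That would give any visitor a browsable inventory of the software on the machine. If only internal hosts need the two trees, an `allow` for the internal network followed by `deny all;` in both locations keeps them private, or they can be left out of the public mirror. The prefix locations also have no trailing slash, so `/mirror/packages` matches sibling names that merely start with it.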
From: Silvino Silva
Date: Wed, 11 Mar 2020 01:12:03 +0000
Subject: nginx configuration update
---
 tools/conf/etc/nginx/sites-enabled/default.conf | 51 ++++----
 .../conf/etc/nginx/sites-enabled/email.c2.ank.conf | 61 ---------
 tools/conf/etc/nginx/sites-enabled/email.conf | 63 ++++++++++
 .../conf/etc/nginx/sites-enabled/forum.c2.ank.conf | 26 ----
 tools/conf/etc/nginx/sites-enabled/forum.conf | 39 ++++++
 tools/conf/etc/nginx/sites-enabled/frontpage.conf | 40 ++++++
 tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf | 28 -----
 tools/conf/etc/nginx/sites-enabled/git.conf | 24 ++++
 tools/conf/etc/nginx/sites-enabled/vexim.conf | 39 ++++++
 .../conf/etc/nginx/sites-enabled/wiki.c2.ank.conf | 43 -------
 tools/conf/etc/nginx/sites-enabled/wiki.conf | 39 ++++++
 tools/nginx.html | 137 +++++++++++----------
 12 files changed, 341 insertions(+), 249 deletions(-)
 delete mode 100644 tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf
 create mode 100644 tools/conf/etc/nginx/sites-enabled/email.conf
 delete mode 100644 tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf
 create mode 100644 tools/conf/etc/nginx/sites-enabled/forum.conf
 create mode 100644 tools/conf/etc/nginx/sites-enabled/frontpage.conf
 delete mode 100644 tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf
 create mode 100644 tools/conf/etc/nginx/sites-enabled/git.conf
 create mode 100644 tools/conf/etc/nginx/sites-enabled/vexim.conf
 delete mode 100644 tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf
 create mode 100644 tools/conf/etc/nginx/sites-enabled/wiki.conf
(limited to 'tools/conf/etc/nginx')
diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf
index 1bb8afd..4bf7fa7 100644
--- a/tools/conf/etc/nginx/sites-enabled/default.conf
+++ b/tools/conf/etc/nginx/sites-enabled/default.conf
@@ -7,8 +7,8 @@ server { server_name tribu.semdestino.org; listen 80 default_server; - listen 443 ssl default_server; -# listen [::]:443 ssl http2; + listen 443 ssl default_server; +# listen [::]:443 ssl http2; access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main; error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug; @@ -29,6 +29,7 @@ server { ssl_stapling on; ssl_stapling_verify on; + #proxy_redirect off; #proxy_set_header Host $http_host; #proxy_set_header X-Forwarded-Host $http_host; 
@@ -43,53 +44,53 @@ server { } location /mirror { - proxy_pass http://c1.ank; + proxy_pass http://ports.ank; } location /pub { - proxy_pass http://wiki.c2.ank:8080; + proxy_pass http://wiki.server.ank:8080; } location ^~ /.well-known { # ACME challenge - proxy_pass http://wiki.c2.ank; + proxy_pass http://wiki.server.ank; } location /wiki { - proxy_pass http://wiki.c2.ank:8080; + proxy_pass http://wiki.server.ank:8080; } location /git { - proxy_pass http://git.c2.ank:8080; + proxy_pass http://git.server.ank:8080; } location /forum/ { - proxy_pass http://forum.c2.ank:8080/; + proxy_pass http://forum.server.ank:8080/; } - #location /task { - # proxy_pass http://task.c2.ank:8080; - #} + location /task { + proxy_pass http://task.server.ank:8080; + } - # location /shop { - # proxy_pass http://shop.c2.ank:8080; - # } + location /shop { + proxy_pass http://shop.server.ank:8080; + } location /vexim/ { - proxy_pass http://vexim.c2.ank:8080/; + proxy_pass http://vexim.server.ank:8080/; } - # location /email { - # proxy_pass http://email.c2.ank:8080; - # } + location /email { + proxy_pass http://email.server.ank:8080; + } - # location /awstats { - # proxy_pass http://awstats.c2.ank:8080; - # } + location /awstats { + proxy_pass http://awstats.server.ank:8080; + } - # location /stats { - # proxy_pass http://stats.c2.ank:8080; - # } + location /stats { + proxy_pass http://stats.server.ank:8080; + } location / { - proxy_pass http://frontpage.c2.ank:8080/; + proxy_pass http://frontpage.server.ank:8080/; } } diff --git a/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf deleted file mode 100644 index 3ae544c..0000000 --- a/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf +++ /dev/null 
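Review bot: The re-enabled `/task` and `/shop` locations now proxy to `task.server.ank:8080` and `shop.server.ank:8080`, but the diffstat of this commit lists no change to task.c2.ank.conf or shop.c2.ank.conf, whose `server_name` values are still `task.c2.ank` and `shop.c2.ank`. Assuming those files are the backends, the forwarded Host will match no vhost and the requests fall to the implicit default server for port 8080, whichever file is loaded first, so one application's paths get answered by another's rules. Renaming the two vhosts along with the others, and giving port 8080 an explicit catch-all server that returns 404, avoids that. `/awstats` and `/stats` are also switched back on with no `auth_basic` or `allow`/`deny` at this layer, which is worth confirming unless the backends restrict access themselves.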
@@ -1,61 +0,0 @@
-server {
- listen 8080;
- server_name email.c2.ank;
-
-#access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main;
-#error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug;
-#access_log /var/log/nginx/roundcube_access.log;
-#error_log /var/log/nginx/roundcube_error.log;
-
-
-
- location /email {
- alias /srv/www/email;
- index index.php;
- autoindex off;
- }
-
-# Favicon
- location ~ ^/email/favicon.ico$ {
- root /srv/www/email/skins/classic/images;
- log_not_found off;
- access_log off;
- expires max;
- }
-# Robots file
- location ~ ^/email/robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
-# Deny Protected directories
- location ~ ^/email/(config|temp|logs)/ {
- deny all;
- }
- location ~ ^/email/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
- deny all;
- }
- location ~ ^/email/(bin|SQL)/ {
- deny all;
- }
-# Hide .md files
- location ~ ^/email/(.+\.md)$ {
- deny all;
- }
-# Hide all dot files
- location ~ ^/email/\. {
- deny all;
- access_log off;
- log_not_found off;
- }
-
- location ~ /email/.*\.php {
- alias /srv/www/email;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_index index.php;
- try_files $uri /index.php =404;
- include /etc/nginx/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_pass 127.0.0.1:9000;
- }
-}
diff --git a/tools/conf/etc/nginx/sites-enabled/email.conf b/tools/conf/etc/nginx/sites-enabled/email.conf
new file mode 100644
index 0000000..5b34d7c
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/email.conf
@@ -0,0 +1,63 @@
+server {
+ listen 8080;
+ server_name email.server.ank;
+
+ access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_email,nohostname main;
+ error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_email_err,nohostname debug;
+
+ location /email {
+ alias /srv/www/email;
+ index index.php;
+ autoindex off;
+ }
+
+ # Favicon
+ location ~ ^/email/favicon.ico$ {
+ root /srv/www/email/skins/classic/images;
+ log_not_found off;
+ access_log off;
+ expires max;
+ }
+
+ # Robots file
+ location ~ ^/email/robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # Deny Protected directories
+ location ~ ^/email/(config|temp|logs)/ {
+ deny all;
+ }
+
+ location ~ ^/email/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+ deny all;
+ }
+
+ location ~ ^/email/(bin|SQL)/ {
+ deny all;
+ }
+
+ # Hide .md files
+ location ~ ^/email/(.+\.md)$ {
+ deny all;
+ }
+
+ # Hide all dot files
+ location ~ ^/email/\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+
+ location ~ /email/.*\.php {
+ alias /srv/www/email;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index index.php;
+ try_files $uri /index.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf
deleted file mode 100644
index 2ed362a..0000000
--- a/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf
+++ /dev/null
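Review bot: The deny list in email.conf covers `config`, `temp`, `logs`, `bin` and `SQL` only; if this is Roundcube, as the log file names removed with email.c2.ank.conf suggest, the .htaccess it ships also blocks `vendor`, `tests` and the `program/(include|lib|localization|steps)` trees, and nginx needs those spelled out. One rule such as `location ~ ^/email/(bin|SQL|config|temp|logs|tests|vendor|program/(include|lib|localization|steps))/ { deny all; }` would replace the two directory rules; compare it against the .htaccess of the installed version before relying on it. These rules must stay above the PHP location, because regex locations are tried in file order. The vhost's new `error_log … debug` on a webmail application would, on a debug-enabled build, write request headers including session cookies to syslog, so a level of `warn` or `error` is the safer default.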
@@ -1,26 +0,0 @@
-server {
- listen 8080;
- server_name forum.c2.ank;
-
- #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum,nohostname main;
- #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum_err,nohostname debug;
-
- root /srv/www/;
-
- location /forum {
- index index.php;
- alias /srv/www/forum;
- try_files $uri $uri/ index.php$is_args$args;
- }
-
- location ~ ^/forum(.+\.php)$ { ### This location block was the solution
- alias /srv/www/forum;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_index index.php;
- try_files $uri /index.php =404;
- include /etc/nginx/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$1;
-# fastcgi_pass unix:/var/run/php5-fpm.sock;
- fastcgi_pass 127.0.0.1:9000;
- }
-}
diff --git a/tools/conf/etc/nginx/sites-enabled/forum.conf b/tools/conf/etc/nginx/sites-enabled/forum.conf
new file mode 100644
index 0000000..14350e3
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/forum.conf
@@ -0,0 +1,39 @@
+server {
+ listen 8080;
+ server_name forum.server.ank;
+
+ access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum,nohostname main;
+ error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum_err,nohostname debug;
+
+ root /srv/www/forum;
+
+ location / {
+ index index.php;
+ try_files $uri $uri/ index.php$is_args$args;
+ }
+
+ location ~ [^/]\.php(/|$) {
+
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) {
+ return 404;
+ }
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+
+ # include the fastcgi_param setting
+ include fastcgi_params;
+
+ # SCRIPT_FILENAME parameter is used for PHP FPM determining
+ # the script name. If it is not set in fastcgi_params file,
+ # i.e. /etc/nginx/fastcgi_params or in the parent contexts,
+ # please comment off following line
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/frontpage.conf b/tools/conf/etc/nginx/sites-enabled/frontpage.conf
new file mode 100644
index 0000000..7f7e66a
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/frontpage.conf
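Review bot: In `location /` of forum.conf the fallback in `try_files $uri $uri/ index.php$is_args$args;` has no leading slash, and nginx treats the last argument as the URI for an internal redirect, so it should read `try_files $uri $uri/ /index.php$is_args$args;`. Without the slash the redirect target is not a rooted URI, and requests for paths that do not exist will most likely end in an error rather than reach the front controller. frontpage.conf in this commit has the same form (`index.html index.php$is_args$args`), and task.conf further down the page carries it over from the old file. Separately, the comment ending "please comment off following line" now sits above `fastcgi_param REQUEST_METHOD` rather than the `SCRIPT_FILENAME` line it describes; swapping the two `fastcgi_param` lines would make it accurate again.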
@@ -0,0 +1,40 @@
+server {
+ listen 8080;
+ server_name frontpage.server.ank;
+
+ #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_frontpage,nohostname main;
+ error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_frontpage_err,nohostname debug;
+
+ root /srv/www/frontpage;
+
+ index index.html index.php;
+
+ location / {
+ index index.html;
+ try_files $uri $uri/ index.html index.php$is_args$args;
+ }
+
+ location ~ [^/]\.php(/|$) {
+
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) {
+ return 404;
+ }
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+
+ # include the fastcgi_param setting
+ include fastcgi_params;
+
+ # SCRIPT_FILENAME parameter is used for PHP FPM determining
+ # the script name. If it is not set in fastcgi_params file,
+ # i.e. /etc/nginx/fastcgi_params or in the parent contexts,
+ # please comment off following line
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf
deleted file mode 100644
index 56e6412..0000000
--- a/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-server {
- listen 8080;
- server_name git.c2.ank;
-
- #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main;
- #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug;
-
- #access_log /var/log/nginx/git main;
- #error_log /var/log/nginx/git_error debug;
-
- root /srv/www/;
-
- location /git/static {
- # static files (png/css) served from /usr/share/gitweb/static
- alias /srv/www/gitweb/static;
- }
-
- location /git {
- alias /srv/www/gitweb;
- index gitweb.cgi;
- fastcgi_split_path_info ^/git()(/?.+)$;
- fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
- fastcgi_param DOCUMENT_ROOT /srv/www/gitweb;
- fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info;
- include fastcgi_params;
- fastcgi_pass unix:/var/run/fcgiwrap.sock;
- }
-}
diff --git a/tools/conf/etc/nginx/sites-enabled/git.conf b/tools/conf/etc/nginx/sites-enabled/git.conf
new file mode 100644
index 0000000..f9d2d97
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/git.conf
@@ -0,0 +1,24 @@
+server {
+ listen 8080;
+ server_name git.server.ank;
+
+ access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main;
+ error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug;
+
+ root /srv/www/gitweb;
+
+ location /git/static {
+ # static files (png/css) served from /usr/share/gitweb/static
+ alias /srv/www/gitweb/static;
+ }
+
+ location / {
+ index gitweb.cgi;
+ fastcgi_split_path_info ^/git()(/?.+)$;
+ fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
+ fastcgi_param DOCUMENT_ROOT /srv/www/gitweb;
+ fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info;
+ include fastcgi_params;
+ fastcgi_pass unix:/var/run/fcgiwrap.sock;
+ }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/vexim.conf b/tools/conf/etc/nginx/sites-enabled/vexim.conf
new file mode 100644
index 0000000..d113cdc
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/vexim.conf
@@ -0,0 +1,39 @@
+server {
+ listen 8080;
+ server_name vexim.server.ank;
+
+ access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vexim,nohostname main;
+ error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vexim_err,nohostname debug;
+
+ root /srv/www/vexim;
+
+ location / {
+ index index.php;
+ autoindex off;
+ }
+
+ location ~ [^/]\.php(/|$) {
+
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) {
+ return 404;
+ }
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+
+ # include the fastcgi_param setting
+ include fastcgi_params;
+
+ # SCRIPT_FILENAME parameter is used for PHP FPM determining
+ # the script name. If it is not set in fastcgi_params file,
+ # i.e. /etc/nginx/fastcgi_params or in the parent contexts,
+ # please comment off following line
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf
deleted file mode 100644
index 1504fa1..0000000
--- a/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf
+++ /dev/null
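Review bot: The `error_log` line in vexim.conf ends in `debug`, which sets the most verbose level for what appears to be a mail administration interface; email.conf, forum.conf, frontpage.conf, git.conf and wiki.conf in this commit set the same level. On an nginx binary built with debug support this level records per-request detail, including request headers, so session cookies and credentials can end up in syslog. Unless this is a temporary troubleshooting setting, I would end the directive in `warn` or `error` instead, e.g. `error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vexim_err,nohostname warn;`, and note in a comment when debug is meant to be switched on.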
@@ -1,43 +0,0 @@
-server {
- listen 8080;
- server_name wiki.c2.ank;
-
- #access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main;
- #error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug;
-
- #access_log /var/log/nginx/wiki main;
- #error_log /var/log/nginx/wiki_error debug;
-
- root /srv/www/;
-
- location /pub {
- alias /srv/www/wiki/pub;
- }
- # ACME challenge
- location ^~ /.well-known {
- allow all;
- alias /srv/www/wiki/pub/cert/.well-known/;
- default_type "text/plain";
- try_files $uri =404;
- }
-
- location @pmwiki {
- rewrite ^/wiki/(.*) /wiki/pmwiki.php?n=$1;
- }
-
- location /wiki {
- index pmwiki.php;
- try_files $uri $uri/ @pmwiki;
- }
-
- location ~ ^\/wiki(.+\.php)$ {
- index pmwiki.php;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_index pmwiki.php;
- try_files $uri /pmwiki.php =404;
- include /etc/nginx/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-# fastcgi_pass unix:/var/run/php5-fpm.sock;
- fastcgi_pass 127.0.0.1:9000;
- }
-}
diff --git a/tools/conf/etc/nginx/sites-enabled/wiki.conf b/tools/conf/etc/nginx/sites-enabled/wiki.conf
new file mode 100644
index 0000000..1e3b4d1
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/wiki.conf
@@ -0,0 +1,39 @@
+server {
+ listen 8080;
+ server_name wiki.server.ank;
+
+ access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main;
+ error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug;
+
+ root /srv/www/;
+
+ location /pub {
+ alias /srv/www/wiki/pub;
+ }
+ # ACME challenge
+ location ^~ /.well-known {
+ allow all;
+ alias /srv/www/wiki/pub/cert/.well-known/;
+ default_type "text/plain";
+ try_files $uri =404;
+ }
+
+ location @pmwiki {
+ rewrite ^/wiki/(.*) /wiki/pmwiki.php?n=$1;
+ }
+
+ location /wiki {
+ index pmwiki.php;
+ try_files $uri $uri/ @pmwiki;
+ }
+
+ location ~ ^\/wiki(.+\.php)$ {
+ index pmwiki.php;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index pmwiki.php;
+ try_files $uri /pmwiki.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+}
diff --git a/tools/nginx.html b/tools/nginx.html
index 21abb90..937be15 100644
--- a/tools/nginx.html
+++ b/tools/nginx.html
@@ -273,10 +273,18 @@
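Review bot: In wiki.conf, `root /srv/www/;` at server level with no catch-all `location /` means any URI on wiki.server.ank:8080 that misses `/pub`, `/wiki`, `/.well-known` and the PHP regex is served as a static file from the parent directory, which by the other vhosts on this page also holds the email, shop and task trees. A `.php` or configuration file under one of those sibling directories would be returned as source on this vhost, because the deny rules in email.conf and shop.conf do not apply here. How exposed that is depends on whether port 8080 is reachable other than through the front proxy, since `listen 8080;` binds every address. I would add `location / { return 404; }` to this server block, and bind the backends with `listen 127.0.0.1:8080;` if the proxy runs on the same host.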
         server {
-            listen 80 default_server;
+        #if ($http_user_agent ~* (AhrefsBot|SemrushBot|MJ12Bot|DotBot)) {
+        #     return 410;
+        #}
             server_name tribu.semdestino.org;
-
+            listen 80 default_server;
             listen 443 ssl default_server;
+
+            access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main;
+            error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug;
+
+            root /etc/nginx/html/;
+
             ssl_certificate /etc/letsencrypt/live/tribu.semdestino.org/fullchain.pem;
             ssl_certificate_key /etc/letsencrypt/live/tribu.semdestino.org/privkey.pem;
             ssl_trusted_certificate /etc/letsencrypt/live/tribu.semdestino.org/chain.pem;
@@ -291,55 +299,67 @@
             ssl_stapling on;
             ssl_stapling_verify on;
 
-            access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main;
-            error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug;
-
-            root /etc/html/;
-
-            location /doc {
-                alias /srv/www/doc;
-                index index.html;
-            }
-
-            location /pub {
-                proxy_pass http://wiki.c2.ank:8080;
-            }
-
-            location /wiki {
-                proxy_pass http://wiki.c2.ank:8080;
-            }
-
-            location /git {
-                proxy_pass http://git.c2.ank:8080;
-            }
-
-            location /forum {
-                proxy_pass http://forum.c2.ank:8080;
-            }
-
-            location /task {
-                proxy_pass http://task.c2.ank:8080;
-            }
-
-            location /shop {
-                proxy_pass http://shop.c2.ank:8080;
-            }
+            #proxy_redirect off;
+            #proxy_set_header Host $http_host;
+            #proxy_set_header X-Forwarded-Host $http_host;
+            #proxy_set_header X-Real-IP $remote_addr;
+            #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
-            location /email {
-                proxy_pass http://email.c2.ank:8080;
+           location /doc {
+               alias /srv/www/doc;
+               index index.html;
+                autoindex on;
             }
 
-            location /mirror {
-                proxy_pass http://c1.ank;
-            }
-
-            # ACME challenge
-            location ^~ /.well-known {
-                proxy_pass http://wiki.c2.ank;
-            }
-
-            location / {
-                proxy_pass http://frontpage.c2.ank;
+           location /mirror {
+               proxy_pass http://ports.ank;
+           }
+
+           location /pub {
+               proxy_pass http://wiki.server.ank:8080;
+           }
+           location ^~ /.well-known {
+               # ACME challenge
+               proxy_pass http://wiki.server.ank;
+           }
+           location /wiki {
+                proxy_pass http://wiki.server.ank:8080;
+           }
+
+           location /git {
+               proxy_pass http://git.server.ank:8080;
+           }
+
+           location /forum/ {
+                proxy_pass http://forum.server.ank:8080/;
+           }
+
+           location /task {
+               proxy_pass http://task.server.ank:8080;
+           }
+
+           location /shop {
+                proxy_pass http://shop.server.ank:8080;
+           }
+
+           location /vexim/ {
+               proxy_pass http://vexim.server.ank:8080/;
+           }
+
+           location /email {
+               proxy_pass http://email.server.ank:8080;
+           }
+
+           location /awstats {
+               proxy_pass http://awstats.server.ank:8080;
+           }
+
+           location /stats {
+               proxy_pass http://stats.server.ank:8080;
+           }
+
+           location / {
+                proxy_pass http://frontpage.server.ank:8080/;
             }
         }
         
@@ -357,17 +377,16 @@
         server {
             listen 8080;
-            server_name wiki.c2.ank;
+            server_name wiki.server.ank;
 
-            access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_wiki,nohostname main;
-            error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_wiki_err,nohostname debug;
+            access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main;
+            error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug;
 
             root /srv/www/;
 
             location /pub {
                 alias /srv/www/wiki/pub;
             }
-
             # ACME challenge
             location ^~ /.well-known {
                 allow all;
@@ -397,20 +416,6 @@
         }
         
-

Change /srv/www/default/flyspray/index.php to;

- -
-        <?php
-        /*
-           This is the main script that everything else is included
-           in.  Mostly what it does is check the user permissions
-           to see what they have access to.
-        */
-        define('IN_FS', true);
-        $_SERVER['SCRIPT_NAME'] = "/bug/index.php";
-        require_once(dirname(__FILE__).'/header.php');
-        
-

5. User Directory

Nginx Wiki UserDir

-- cgit 1.4.1-2-gfad0 From 97dedeca18f2550ff6a86a57925149daf1878992 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Fri, 13 Mar 2020 19:30:30 +0000 Subject: nginx configuration update --- tools/conf/etc/nginx/sites-enabled/default.conf | 4 +- .../conf/etc/nginx/sites-enabled/shop.c2.ank.conf | 84 --------------------- tools/conf/etc/nginx/sites-enabled/shop.conf | 86 ++++++++++++++++++++++ .../conf/etc/nginx/sites-enabled/task.c2.ank.conf | 21 ------ tools/conf/etc/nginx/sites-enabled/task.conf | 21 ++++++ 5 files changed, 109 insertions(+), 107 deletions(-) delete mode 100644 tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf create mode 100644 tools/conf/etc/nginx/sites-enabled/shop.conf delete mode 100644 tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf create mode 100644 tools/conf/etc/nginx/sites-enabled/task.conf (limited to 'tools/conf/etc/nginx') diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf index 4bf7fa7..f7a6928 100644 --- a/tools/conf/etc/nginx/sites-enabled/default.conf +++ b/tools/conf/etc/nginx/sites-enabled/default.conf @@ -32,9 +32,9 @@ server { #proxy_redirect off; #proxy_set_header Host $http_host; -#proxy_set_header X-Forwarded-Host $http_host; +proxy_set_header X-Forwarded-Host $http_host; #proxy_set_header X-Real-IP $remote_addr; -#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location /doc { diff --git a/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf deleted file mode 100644 index 3a0aea1..0000000 --- a/tools/conf/etc/nginx/sites-enabled/shop.c2.ank.conf +++ /dev/null 
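Review bot: The newly enabled `proxy_set_header X-Forwarded-Host $http_host;` in default.conf forwards the client's raw Host header to every backend, and if this is the `default_server` block documented in tools/nginx.html earlier on the page, it answers for whatever Host value a client sends. Applications behind it that build absolute links from X-Forwarded-Host (password-reset mails, redirects) would then use a name chosen by the requester. I would send a fixed value instead, `proxy_set_header X-Forwarded-Host $server_name;`. Because `$proxy_add_x_forwarded_for` appends to any X-Forwarded-For the client supplied, the backends should trust only the last entry. The server block starts and ends outside the hunk.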
@@ -1,84 +0,0 @@
-server {
- listen 8080;
- server_name shop.c2.ank;
-
-
- location ~ ^/shop/admin {
- alias /srv/www/shop/upload/admin;
- index index.php;
-
- location ~ ^/shop/admin/config.php {
- deny all;
- }
-
- location ~ \.php$ {
- include /etc/nginx/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $request_filename$1;
- fastcgi_pass 127.0.0.1:9000;
- }
- }
-
- location ^~ /shop {
- alias /srv/www/shop/upload;
- index index.php;
- #try_files $uri $uri/ index.php$is_args$args;
- #try_files index.php @opencart;
-
- location ~ ^/shop/upload/image/data {
- autoindex on;
- }
-
- location ~ ^/shop/config.php {
- deny all;
- }
-
-
- location ~ ^/shop/admin/config.php {
- deny all;
- }
-
-# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
-#
- location ~ ^/shop/\. {
- deny all;
- access_log off;
- log_not_found off;
- }
- location ~ ^/shop/\.(jpg|jpeg|png|gif|css|js|ico)$ {
- expires max;
- log_not_found off;
- }
-
- location ~ \.php$ {
- include /etc/nginx/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $request_filename$1;
- fastcgi_pass 127.0.0.1:9000;
- #fastcgi_split_path_info ^(.+\.php)(/.+)$;
- #fastcgi_split_path_info ^(.+\.php)(.*)$;
- #fastcgi_index index.php;
- #try_files $uri /index.php =404;
- # fastcgi_pass unix:/var/run/php5-fpm.sock;
- }
-
- }
-
-
-location @tribushop {
- rewrite ^/shop/(.+)$ /shop/index.php?_route_=$1 last;
- }
-
- location /shop/engine {
- deny all;
- }
-
- location ~ ^/shop/library {
- deny all;
- }
-
- # Make sure files with the following extensions do not
- # get loaded by nginx because nginx would display the
- # source code, and these files can contain PASSWORDS!
- location ~ ^/shop/\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|.*ini|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
- deny all;
- }
-}
diff --git a/tools/conf/etc/nginx/sites-enabled/shop.conf b/tools/conf/etc/nginx/sites-enabled/shop.conf
new file mode 100644
index 0000000..de34e40
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/shop.conf
@@ -0,0 +1,86 @@
+server {
+ listen 8080;
+ server_name shop.server.ank;
+
+ access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_shop,nohostname main;
+ error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_shop_err,nohostname debug;
+
+ location ~ ^/shop/admin {
+ alias /srv/www/shop/upload/admin;
+ index index.php;
+
+ location ~ ^/shop/admin/config.php {
+ deny all;
+ }
+
+ location ~ \.php$ {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename$1;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+ }
+
+ location ^~ /shop {
+ alias /srv/www/shop/upload;
+ index index.php;
+ #try_files $uri $uri/ index.php$is_args$args;
+ #try_files index.php @opencart;
+
+ location ~ ^/shop/upload/image/data {
+ autoindex on;
+ }
+
+ location ~ ^/shop/config.php {
+ deny all;
+ }
+
+
+ location ~ ^/shop/admin/config.php {
+ deny all;
+ }
+
+# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+#
+ location ~ ^/shop/\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+ location ~ ^/shop/\.(jpg|jpeg|png|gif|css|js|ico)$ {
+ expires max;
+ log_not_found off;
+ }
+
+ location ~ \.php$ {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename$1;
+ fastcgi_pass 127.0.0.1:9000;
+ #fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ #fastcgi_split_path_info ^(.+\.php)(.*)$;
+ #fastcgi_index index.php;
+ #try_files $uri /index.php =404;
+ # fastcgi_pass unix:/var/run/php5-fpm.sock;
+ }
+
+ }
+
+
+ location @tribushop {
+ rewrite ^/shop/(.+)$ /shop/index.php?_route_=$1 last;
+ }
+
+ location /shop/engine {
+ deny all;
+ }
+
+ location ~ ^/shop/library {
+ deny all;
+ }
+
+ # Make sure files with the following extensions do not
+ # get loaded by nginx because nginx would display the
+ # source code, and these files can contain PASSWORDS!
+ location ~ ^/shop/\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|.*ini|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
+ deny all;
+ }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf
deleted file mode 100644
index 2d62e96..0000000
--- a/tools/conf/etc/nginx/sites-enabled/task.c2.ank.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-server {
- listen 8080;
- server_name task.c2.ank;
-
- location /task {
- index index.php;
- alias /srv/www/task;
- try_files $uri $uri/ index.php$is_args$args;
- }
-
- location ~ ^/task(.+\.php)$ { ### This location block was the solution
- alias /srv/www/task;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_index index.php;
- try_files $uri /index.php =404;
- include /etc/nginx/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$1;
-# fastcgi_pass unix:/var/run/php5-fpm.sock;
- fastcgi_pass 127.0.0.1:9000;
- }
-}
diff --git a/tools/conf/etc/nginx/sites-enabled/task.conf b/tools/conf/etc/nginx/sites-enabled/task.conf
new file mode 100644
index 0000000..8b15ee5
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/task.conf
@@ -0,0 +1,21 @@
+server {
+ listen 8080;
+ server_name task.server.ank;
+
+ location /task {
+ index index.php;
+ alias /srv/www/task;
+ try_files $uri $uri/ index.php$is_args$args;
+ }
+
+ location ~ ^/task(.+\.php)$ { ### This location block was the solution
+ alias /srv/www/task;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index index.php;
+ try_files $uri /index.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$1;
+# fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+}
-- cgit 1.4.1-2-gfad0
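Review bot: The `^~` modifier on `location ^~ /shop {` in shop.conf stops nginx from evaluating server-level regex locations for any URI whose longest prefix match is `/shop`, so `location ~ ^/shop/admin`, `location ~ ^/shop/library` and the final extension deny block are never consulted for those requests; only the regex locations nested inside the `^~` block are. The deny for `library` and for the files the comment says "can contain PASSWORDS" therefore has no effect where it stands. The first alternative of that last regex also requires a literal dot directly after `/shop/`, so even if it were reached it would match `/shop/.inc` but not `/shop/foo.inc`. I would move these blocks inside `location ^~ /shop { ... }` and write the extension rule as `location ~ \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|.*ini|theme|tpl(\.php)?|xtmpl)$ { deny all; }`. The content is carried over unchanged from shop.c2.ank.conf, so the new file is the place to correct it.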