From 8a5897ad0a5e82d389c119001e3feaeaf2d0b1c3 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Wed, 11 Mar 2020 01:12:03 +0000 Subject: nginx configuration update --- tools/conf/etc/nginx/sites-enabled/default.conf | 51 +++++++++--------- .../conf/etc/nginx/sites-enabled/email.c2.ank.conf | 61 --------------------- tools/conf/etc/nginx/sites-enabled/email.conf | 63 ++++++++++++++++++++++ .../conf/etc/nginx/sites-enabled/forum.c2.ank.conf | 26 --------- tools/conf/etc/nginx/sites-enabled/forum.conf | 39 ++++++++++++++ tools/conf/etc/nginx/sites-enabled/frontpage.conf | 40 ++++++++++++++ tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf | 28 ---------- tools/conf/etc/nginx/sites-enabled/git.conf | 24 +++++++++ tools/conf/etc/nginx/sites-enabled/vexim.conf | 39 ++++++++++++++ .../conf/etc/nginx/sites-enabled/wiki.c2.ank.conf | 43 --------------- tools/conf/etc/nginx/sites-enabled/wiki.conf | 39 ++++++++++++++ 11 files changed, 270 insertions(+), 183 deletions(-) delete mode 100644 tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf create mode 100644 tools/conf/etc/nginx/sites-enabled/email.conf delete mode 100644 tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf create mode 100644 tools/conf/etc/nginx/sites-enabled/forum.conf create mode 100644 tools/conf/etc/nginx/sites-enabled/frontpage.conf delete mode 100644 tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf create mode 100644 tools/conf/etc/nginx/sites-enabled/git.conf create mode 100644 tools/conf/etc/nginx/sites-enabled/vexim.conf delete mode 100644 tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf create mode 100644 tools/conf/etc/nginx/sites-enabled/wiki.conf (limited to 'tools/conf/etc') diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf index 1bb8afd..4bf7fa7 100644 --- a/tools/conf/etc/nginx/sites-enabled/default.conf +++ b/tools/conf/etc/nginx/sites-enabled/default.conf 
@@ -7,8 +7,8 @@ server { server_name tribu.semdestino.org; listen 80 default_server; - listen 443 ssl default_server; -# listen [::]:443 ssl http2; + listen 443 ssl default_server; +# listen [::]:443 ssl http2; access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost,nohostname main; error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vhost_err,nohostname debug; @@ -29,6 +29,7 @@ server { ssl_stapling on; ssl_stapling_verify on; + #proxy_redirect off; #proxy_set_header Host $http_host; #proxy_set_header X-Forwarded-Host $http_host; 
@@ -43,53 +44,53 @@ server { } location /mirror { - proxy_pass http://c1.ank; + proxy_pass http://ports.ank; } location /pub { - proxy_pass http://wiki.c2.ank:8080; + proxy_pass http://wiki.server.ank:8080; } location ^~ /.well-known { # ACME challenge - proxy_pass http://wiki.c2.ank; + proxy_pass http://wiki.server.ank; } location /wiki { - proxy_pass http://wiki.c2.ank:8080; + proxy_pass http://wiki.server.ank:8080; } location /git { - proxy_pass http://git.c2.ank:8080; + proxy_pass http://git.server.ank:8080; } location /forum/ { - proxy_pass http://forum.c2.ank:8080/; + proxy_pass http://forum.server.ank:8080/; } - #location /task { - # proxy_pass http://task.c2.ank:8080; - #} + location /task { + proxy_pass http://task.server.ank:8080; + } - # location /shop { - # proxy_pass http://shop.c2.ank:8080; - # } + location /shop { + proxy_pass http://shop.server.ank:8080; + } location /vexim/ { - proxy_pass http://vexim.c2.ank:8080/; + proxy_pass http://vexim.server.ank:8080/; } - # location /email { - # proxy_pass http://email.c2.ank:8080; - # } + location /email { + proxy_pass http://email.server.ank:8080; + } - # location /awstats { - # proxy_pass http://awstats.c2.ank:8080; - # } + location /awstats { + proxy_pass http://awstats.server.ank:8080; + } - # location /stats { - # proxy_pass http://stats.c2.ank:8080; - # } + location /stats { + proxy_pass http://stats.server.ank:8080; + } location / { - proxy_pass http://frontpage.c2.ank:8080/; + proxy_pass http://frontpage.server.ank:8080/; } } diff --git a/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf deleted file mode 100644 index 3ae544c..0000000 --- a/tools/conf/etc/nginx/sites-enabled/email.c2.ank.conf +++ /dev/null 
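Review bot: The newly enabled `location /awstats` and `location /stats` blocks publish statistics backends through the public default_server with no access restriction visible in this hunk; an `allow <trusted-net>; deny all;` pair or `auth_basic` inside both would limit who can read them. Of the five locations switched on here, only email gets a matching server block in this patch: nothing with `server_name task.server.ank`, `shop.server.ank`, `awstats.server.ank` or `stats.server.ank` is added. If those names resolve to this host, the requests would presumably be answered by whichever `listen 8080` block nginx treats as the default. Because `proxy_pass` with a literal hostname is resolved when the configuration is loaded, a name that does not resolve would also keep nginx from starting. The enclosing server block begins outside the hunk.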
@@ -1,61 +0,0 @@
-server {
- listen 8080;
- server_name email.c2.ank;
-
-#access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main;
-#error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug;
-#access_log /var/log/nginx/roundcube_access.log;
-#error_log /var/log/nginx/roundcube_error.log;
-
-
-
- location /email {
- alias /srv/www/email;
- index index.php;
- autoindex off;
- }
-
-# Favicon
- location ~ ^/email/favicon.ico$ {
- root /srv/www/email/skins/classic/images;
- log_not_found off;
- access_log off;
- expires max;
- }
-# Robots file
- location ~ ^/email/robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
-# Deny Protected directories
- location ~ ^/email/(config|temp|logs)/ {
- deny all;
- }
- location ~ ^/email/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
- deny all;
- }
- location ~ ^/email/(bin|SQL)/ {
- deny all;
- }
-# Hide .md files
- location ~ ^/email/(.+\.md)$ {
- deny all;
- }
-# Hide all dot files
- location ~ ^/email/\. {
- deny all;
- access_log off;
- log_not_found off;
- }
-
- location ~ /email/.*\.php {
- alias /srv/www/email;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_index index.php;
- try_files $uri /index.php =404;
- include /etc/nginx/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_pass 127.0.0.1:9000;
- }
-}
diff --git a/tools/conf/etc/nginx/sites-enabled/email.conf b/tools/conf/etc/nginx/sites-enabled/email.conf
new file mode 100644
index 0000000..5b34d7c
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/email.conf
@@ -0,0 +1,63 @@
+server {
+ listen 8080;
+ server_name email.server.ank;
+
+ access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_email,nohostname main;
+ error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_email_err,nohostname debug;
+
+ location /email {
+ alias /srv/www/email;
+ index index.php;
+ autoindex off;
+ }
+
+ # Favicon
+ location ~ ^/email/favicon.ico$ {
+ root /srv/www/email/skins/classic/images;
+ log_not_found off;
+ access_log off;
+ expires max;
+ }
+
+ # Robots file
+ location ~ ^/email/robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # Deny Protected directories
+ location ~ ^/email/(config|temp|logs)/ {
+ deny all;
+ }
+
+ location ~ ^/email/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+ deny all;
+ }
+
+ location ~ ^/email/(bin|SQL)/ {
+ deny all;
+ }
+
+ # Hide .md files
+ location ~ ^/email/(.+\.md)$ {
+ deny all;
+ }
+
+ # Hide all dot files
+ location ~ ^/email/\. {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+
+ location ~ /email/.*\.php {
+ alias /srv/www/email;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index index.php;
+ try_files $uri /index.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf
deleted file mode 100644
index 2ed362a..0000000
--- a/tools/conf/etc/nginx/sites-enabled/forum.c2.ank.conf
+++ /dev/null
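Review bot: The PHP block `location ~ /email/.*\.php` is not anchored at its end, so any URI under /email/ that merely contains `.php` is handed to FastCGI, and it lacks the `fastcgi_param HTTP_PROXY "";` line that forum.conf, frontpage.conf and vexim.conf add in this same commit. I would write the match as `location ~ ^/email/.+\.php(/|$) {` and add the HTTP_PROXY line next to the other fastcgi_param; the PHP block in wiki.conf also lacks the HTTP_PROXY line. `alias /srv/www/email;` inside a regex location without captures appears to make `$document_root$fastcgi_script_name` resolve to /srv/www/email/email/..., which is worth confirming against the running server. The dots in `favicon.ico` and `robots.txt` are unescaped, so those two patterns match more than the literal file names.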
@@ -1,26 +0,0 @@
-server {
- listen 8080;
- server_name forum.c2.ank;
-
- #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum,nohostname main;
- #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum_err,nohostname debug;
-
- root /srv/www/;
-
- location /forum {
- index index.php;
- alias /srv/www/forum;
- try_files $uri $uri/ index.php$is_args$args;
- }
-
- location ~ ^/forum(.+\.php)$ { ### This location block was the solution
- alias /srv/www/forum;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_index index.php;
- try_files $uri /index.php =404;
- include /etc/nginx/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$1;
-# fastcgi_pass unix:/var/run/php5-fpm.sock;
- fastcgi_pass 127.0.0.1:9000;
- }
-}
diff --git a/tools/conf/etc/nginx/sites-enabled/forum.conf b/tools/conf/etc/nginx/sites-enabled/forum.conf
new file mode 100644
index 0000000..14350e3
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/forum.conf
@@ -0,0 +1,39 @@
+server {
+ listen 8080;
+ server_name forum.server.ank;
+
+ access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum,nohostname main;
+ error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_forum_err,nohostname debug;
+
+ root /srv/www/forum;
+
+ location / {
+ index index.php;
+ try_files $uri $uri/ index.php$is_args$args;
+ }
+
+ location ~ [^/]\.php(/|$) {
+
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) {
+ return 404;
+ }
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+
+ # include the fastcgi_param setting
+ include fastcgi_params;
+
+ # SCRIPT_FILENAME parameter is used for PHP FPM determining
+ # the script name. If it is not set in fastcgi_params file,
+ # i.e. /etc/nginx/fastcgi_params or in the parent contexts,
+ # please comment off following line
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/frontpage.conf b/tools/conf/etc/nginx/sites-enabled/frontpage.conf
new file mode 100644
index 0000000..7f7e66a
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/frontpage.conf
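Review bot: In `location /` the fallback of `try_files $uri $uri/ index.php$is_args$args;` has no leading slash, yet the last argument of try_files is used as the URI of an internal redirect, so it should read `try_files $uri $uri/ /index.php$is_args$args;`. frontpage.conf repeats the pattern, and there the middle argument `index.html` is additionally tested as a file path appended directly to the root (`/srv/www/frontpageindex.html`), so it can never match; `try_files $uri $uri/ /index.html /index.php$is_args$args;` is presumably what was meant. The old forum.c2.ank.conf carried the same slash-less fallback, so this is inherited rather than new, but the move to `root /srv/www/forum` is a good moment to correct it.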
@@ -0,0 +1,40 @@
+server {
+ listen 8080;
+ server_name frontpage.server.ank;
+
+ #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_frontpage,nohostname main;
+ error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_frontpage_err,nohostname debug;
+
+ root /srv/www/frontpage;
+
+ index index.html index.php;
+
+ location / {
+ index index.html;
+ try_files $uri $uri/ index.html index.php$is_args$args;
+ }
+
+ location ~ [^/]\.php(/|$) {
+
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) {
+ return 404;
+ }
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+
+ # include the fastcgi_param setting
+ include fastcgi_params;
+
+ # SCRIPT_FILENAME parameter is used for PHP FPM determining
+ # the script name. If it is not set in fastcgi_params file,
+ # i.e. /etc/nginx/fastcgi_params or in the parent contexts,
+ # please comment off following line
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf
deleted file mode 100644
index 56e6412..0000000
--- a/tools/conf/etc/nginx/sites-enabled/git.c2.ank.conf
+++ /dev/null
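Review bot: The `debug` level on the `error_log` line here, and on the email, forum, git, vexim and wiki server blocks this commit adds, is risky to leave enabled outside troubleshooting. On an nginx built with debug support that level writes per-request internals, including request header lines, to syslog, which can put cookies and credentials into the log stream. Unless it is meant to be temporary I would lower it, for example `error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_frontpage_err,nohostname warn;`. The access_log line stays commented out in this file while the other new files enable theirs; a short comment saying whether that is intentional would help whoever later needs request logs for this vhost.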
@@ -1,28 +0,0 @@
-server {
- listen 8080;
- server_name git.c2.ank;
-
- #access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main;
- #error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug;
-
- #access_log /var/log/nginx/git main;
- #error_log /var/log/nginx/git_error debug;
-
- root /srv/www/;
-
- location /git/static {
- # static files (png/css) served from /usr/share/gitweb/static
- alias /srv/www/gitweb/static;
- }
-
- location /git {
- alias /srv/www/gitweb;
- index gitweb.cgi;
- fastcgi_split_path_info ^/git()(/?.+)$;
- fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
- fastcgi_param DOCUMENT_ROOT /srv/www/gitweb;
- fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info;
- include fastcgi_params;
- fastcgi_pass unix:/var/run/fcgiwrap.sock;
- }
-}
diff --git a/tools/conf/etc/nginx/sites-enabled/git.conf b/tools/conf/etc/nginx/sites-enabled/git.conf
new file mode 100644
index 0000000..f9d2d97
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/git.conf
@@ -0,0 +1,24 @@
+server {
+ listen 8080;
+ server_name git.server.ank;
+
+ access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git,nohostname main;
+ error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_git_err,nohostname debug;
+
+ root /srv/www/gitweb;
+
+ location /git/static {
+ # static files (png/css) served from /usr/share/gitweb/static
+ alias /srv/www/gitweb/static;
+ }
+
+ location / {
+ index gitweb.cgi;
+ fastcgi_split_path_info ^/git()(/?.+)$;
+ fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
+ fastcgi_param DOCUMENT_ROOT /srv/www/gitweb;
+ fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info;
+ include fastcgi_params;
+ fastcgi_pass unix:/var/run/fcgiwrap.sock;
+ }
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/vexim.conf b/tools/conf/etc/nginx/sites-enabled/vexim.conf
new file mode 100644
index 0000000..d113cdc
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/vexim.conf
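Review bot: In the new git.conf the comment inside `location /git/static` still says the files are served from /usr/share/gitweb/static while the alias points at /srv/www/gitweb/static; I would change it to `# static files (png/css) served from /srv/www/gitweb/static`. Widening the CGI block from `location /git` to `location /` means every URI that reaches this vhost, not only those under /git, is handed to the fcgiwrap socket. A one-line comment above the block stating that this is intended, or keeping the `/git` prefix, would make the exposed scope explicit for the next reader.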
@@ -0,0 +1,39 @@
+server {
+ listen 8080;
+ server_name vexim.server.ank;
+
+ access_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vexim,nohostname main;
+ error_log syslog:server=unix:/dev/log,facility=daemon,tag=nginx_vexim_err,nohostname debug;
+
+ root /srv/www/vexim;
+
+ location / {
+ index index.php;
+ autoindex off;
+ }
+
+ location ~ [^/]\.php(/|$) {
+
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) {
+ return 404;
+ }
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+
+ # include the fastcgi_param setting
+ include fastcgi_params;
+
+ # SCRIPT_FILENAME parameter is used for PHP FPM determining
+ # the script name. If it is not set in fastcgi_params file,
+ # i.e. /etc/nginx/fastcgi_params or in the parent contexts,
+ # please comment off following line
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+
+}
diff --git a/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf b/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf
deleted file mode 100644
index 1504fa1..0000000
--- a/tools/conf/etc/nginx/sites-enabled/wiki.c2.ank.conf
+++ /dev/null
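Review bot: The four-line comment ending in "please comment off following line" sits directly above `fastcgi_param REQUEST_METHOD $request_method;`, although its text is about SCRIPT_FILENAME; forum.conf and frontpage.conf have the same arrangement. I would move the REQUEST_METHOD line above the comment, or drop it if the included fastcgi_params already sets it, so that the comment immediately precedes `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`. Rewording the last comment line to `# keep the following line` would also say what is actually required, since the line is active here.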
@@ -1,43 +0,0 @@
-server {
- listen 8080;
- server_name wiki.c2.ank;
-
- #access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main;
- #error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug;
-
- #access_log /var/log/nginx/wiki main;
- #error_log /var/log/nginx/wiki_error debug;
-
- root /srv/www/;
-
- location /pub {
- alias /srv/www/wiki/pub;
- }
- # ACME challenge
- location ^~ /.well-known {
- allow all;
- alias /srv/www/wiki/pub/cert/.well-known/;
- default_type "text/plain";
- try_files $uri =404;
- }
-
- location @pmwiki {
- rewrite ^/wiki/(.*) /wiki/pmwiki.php?n=$1;
- }
-
- location /wiki {
- index pmwiki.php;
- try_files $uri $uri/ @pmwiki;
- }
-
- location ~ ^\/wiki(.+\.php)$ {
- index pmwiki.php;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_index pmwiki.php;
- try_files $uri /pmwiki.php =404;
- include /etc/nginx/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-# fastcgi_pass unix:/var/run/php5-fpm.sock;
- fastcgi_pass 127.0.0.1:9000;
- }
-}
diff --git a/tools/conf/etc/nginx/sites-enabled/wiki.conf b/tools/conf/etc/nginx/sites-enabled/wiki.conf
new file mode 100644
index 0000000..1e3b4d1
--- /dev/null
+++ b/tools/conf/etc/nginx/sites-enabled/wiki.conf
@@ -0,0 +1,39 @@
+server {
+ listen 8080;
+ server_name wiki.server.ank;
+
+ access_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu,nohostname main;
+ error_log syslog:server=unix:/dev/log,facility=daemon,tag=vh_tribu_err,nohostname debug;
+
+ root /srv/www/;
+
+ location /pub {
+ alias /srv/www/wiki/pub;
+ }
+ # ACME challenge
+ location ^~ /.well-known {
+ allow all;
+ alias /srv/www/wiki/pub/cert/.well-known/;
+ default_type "text/plain";
+ try_files $uri =404;
+ }
+
+ location @pmwiki {
+ rewrite ^/wiki/(.*) /wiki/pmwiki.php?n=$1;
+ }
+
+ location /wiki {
+ index pmwiki.php;
+ try_files $uri $uri/ @pmwiki;
+ }
+
+ location ~ ^\/wiki(.+\.php)$ {
+ index pmwiki.php;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index pmwiki.php;
+ try_files $uri /pmwiki.php =404;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+}
-- cgit 1.4.1-2-gfad0
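Review bot: `location ^~ /.well-known` has no trailing slash while its `alias /srv/www/wiki/pub/cert/.well-known/;` does, and with that mismatch a request path that continues the prefix can resolve outside the aliased directory. Ending both with a slash closes it: `location ^~ /.well-known/ {`. For the same reason `location /pub` with `alias /srv/www/wiki/pub;` reads more safely as `location /pub/` with `alias /srv/www/wiki/pub/;`, since as written it also matches sibling paths that merely begin with /pub. Both blocks are carried over unchanged from wiki.c2.ank.conf, so this is inherited, but the file is being re-created here and now has logging switched on.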