##
# You should look at the following URLs to gain a solid understanding
# of Nginx configuration files and fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
# folder /etc/nginx/sites-enabled
# to validate config `sudo nginx -t`
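server {
    # Plain-HTTP listener. Because this is the default_server for port 80 it
    # answers every Host header that arrives there, not only the server_name
    # below -- relevant for the "$host = ..." checks further down.
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.php;

    # server_name _;
    server_name sh.webmanajemen.com;

    # disable directory listing
    autoindex off;

    # Set the maximum allowed size of the client request body
    client_max_body_size 50M;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # Deny every dot-file and dot-directory (.git/, .env, .htaccess, ...).
    # The suffix-anchored pattern further down only matches a URI that *ends*
    # in one of its names, so files inside a dot-directory (e.g. /.git/config)
    # were not covered by it. nginx tests regex locations in order of
    # appearance, so this one is placed first and takes precedence over the
    # .php and .txt locations for any URI containing "/.". /.well-known/ is
    # left reachable for ACME challenges.
    location ~ /\.(?!well-known).* {
        deny all;
    }

    # pass PHP scripts to FastCGI server
    #
    location ~ \.php$ {
        # Debian's snippets/fastcgi-php.conf is relied on for the try_files
        # guard that turns a non-existent script into a 404 -- confirm it is
        # present on the host.
        include snippets/fastcgi-php.conf;
        # With php-fpm (or other unix sockets):
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        # With php-cgi (or other tcp sockets):
        # fastcgi_pass 127.0.0.1:9000;
        # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # include fastcgi_params;
    }

    # ignore access to these file patterns (suffix match only; the dot-file
    # location above already covers the hidden-file cases)
    location ~ \.(env|gitignore|gitattributes|gitmodules|sqlite|git|htaccess)$ {
        deny all;
    }

    # restrict file access: keys, certs, sockets, config and source files.
    # The gunicorn socket used by the 8443 server lives under this web root
    # (/var/www/html/tmp/), so the .sock entry matters here.
    location ~ \.(pem|json|py|crt|sock|key|conf|sh|md|ini|sql)$ {
        return 403;
    }

    # Allow access to robots.txt and sitemap.txt
    # Exact-match locations win over every regex location, so these two files
    # are served even though .txt is blocked below.
    location = /robots.txt {
        allow all;
    }
    location = /sitemap.txt {
        allow all;
    }

    # Restrict access to other .txt files
    location ~ \.txt$ {
        # Always allow these patterns
        # NOTE(review): the exact-match locations above already handle these
        # two paths, so this nested block is only reached for case variants
        # (e.g. /Robots.txt) and answers them with an empty 200 body.
        location ~* ^/(robots|sitemap)\.txt$ {
            return 200;
        }
        # if ($http_origin !~ "webmanajemen\.com") {
        # return 403;
        # }
        # Validate Referer header
        # if ($http_referer !~ "webmanajemen\.com") {
        # return 403;
        # }
        # Allow access if the _ga cookie is present
        # if ($http_cookie !~* _ga) {
        # return 403;
        # }
        # Allow CORS from specific origin
        # add_header Access-Control-Allow-Origin "https://webmanajemen.com";
        # add_header Access-Control-Allow-Methods "GET, OPTIONS";
        # Disallow text file access
        return 403;
    }

    # Allow access to status.json (exact match beats the .json 403 above)
    location = /status.json {
        allow all;
        # Set cache-control for 5 mins
        add_header Cache-Control "public, max-age=300";
    }

    # Hide working directories on the public hostname.
    # NOTE(review): the condition keys on the client-supplied Host header, and
    # this server is default_server, so a request carrying any other Host
    # value still reaches these prefixes and is served from the web root. If
    # access under another hostname is not intended, an unconditional
    # "return 404;" is the safer form.
    location /tmp {
        if ($host = "sh.webmanajemen.com" ) {
            return 404;
        }
    }
    location /tests {
        if ($host = "sh.webmanajemen.com" ) {
            return 404;
        }
    }
    location /python_browser {
        if ($host = "sh.webmanajemen.com" ) {
            return 404;
        }
    }
    location /backups {
        if ($host = "sh.webmanajemen.com" ) {
            return 404;
        }
    }
    location /django_backend {
        if ($host = "sh.webmanajemen.com" ) {
            return 404;
        }
    }
    location /xl {
        if ($host = "sh.webmanajemen.com" ) {
            return 404;
        }
    }
    location /node_browser {
        if ($host = "sh.webmanajemen.com" ) {
            return 404;
        }
    }

    # Lock files under /tmp stay reachable: a matching regex location is
    # preferred over the plain "/tmp" prefix location above.
    location ~ /tmp/.*\.lock$ {
        allow all;
    }

    # Skip caching on html files
    location ~ \.html$ {
        add_header Cache-Control "no-cache, no-store, must-revalidate";
        add_header Pragma "no-cache";
        add_header Expires "0";
    }
}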
server {
# HTTPS listener written by Certbot. Only the TLS material is set here: there
# is no server_name, root or location, so a request on 443 falls back to
# nginx's built-in defaults and is NOT handled by the port-80 site above --
# none of that site's deny/403 rules apply to this listener.
# NOTE(review): certbot normally inserts these directives into a copy of the
# port-80 server block; confirm whether the HTTP site was meant to be served
# over TLS as well.
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/sh.webmanajemen.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/sh.webmanajemen.com/privkey.pem; # managed by Certbot
# Supplies ssl_protocols/ssl_ciphers/session settings for this listener.
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# java server configuration (unused)
# server {
# listen 8880;
# listen [::]:8880;
# server_name sh.webmanajemen.com;
# location / {
# # local listen port
# proxy_pass http://127.0.0.1:8080/;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Port $server_port;
# # proxy_set_header X-Forwarded-Proto https;
# proxy_set_header Host $http_host;
# proxy_redirect off;
# proxy_connect_timeout 240;
# proxy_send_timeout 240;
# proxy_read_timeout 240;
# }
# }
# django non-SSL server configuration
# server {
# listen 8443;
# listen [::]:8443;
# server_name sh.webmanajemen.com;
# location / {
# # proxy_set_header Host $host;
# proxy_set_header Host $host:$server_port;
# # proxy_set_header Host $http_host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Scheme $scheme;
# proxy_set_header X-Forwarded-Protocol $scheme;
# proxy_pass http://unix:/var/www/html/tmp/gunicorn.sock;
# }
# location /static/ {
# alias /var/www/html/public/static/;
# }
# location /media/ {
# alias /var/www/html/public/media/;
# }
# }
# django SSL server configuration
# To configure see assets/systemctl/certbot.md
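server {
    # TLS reverse proxy for the Django app (gunicorn socket) on a dedicated port.
    listen 8443 ssl;
    listen [::]:8443 ssl;
    server_name sh.webmanajemen.com;

    # SSL Configuration
    # Same Let's Encrypt material as the Certbot-managed 443 server; certbot
    # renews the files in place, but the TLS parameters below are maintained
    # by hand (options-ssl-nginx.conf is not included here).
    ssl_certificate /etc/letsencrypt/live/sh.webmanajemen.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sh.webmanajemen.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites, all ECDHE (forward secrecy). The earlier list also
    # named RSA-AES256-GCM-SHA384, RSA-AES128-GCM-SHA256, RSA-AES256-SHA256
    # and RSA-AES128-SHA256; those do not match any OpenSSL suite name
    # (OpenSSL spells the static-RSA suites AES256-GCM-SHA384 and so on) and
    # unknown names in a cipher list are skipped, so removing them does not
    # change the offered suites. They are deliberately not "corrected":
    # static-RSA key exchange has no forward secrecy. TLS 1.3 suites are not
    # governed by ssl_ciphers.
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    location / {
        # Forward the original host, client address and scheme to Django.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The socket sits inside the port-80 web root; that server blocks
        # .sock and /tmp so the file is not exposed as static content.
        proxy_pass http://unix:/var/www/html/tmp/gunicorn.sock;
    }
    # Static assets served directly; both location and alias end in "/" so
    # the prefix is replaced cleanly.
    location /static/ {
        alias /var/www/html/public/static/;
    }
    location /media/ {
        alias /var/www/html/public/media/;
    }
}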