-From: Olaf Conradi
-Hey @Friendica Support,
-
-Just wanted to share my #nginx configuration for #friendica with you guys.
-
-I noticed most of the existing configurations that are floating on the web for #nginx do not deny access to local files. Most of them use the following construct.
-
-location / {
- try_files $uri $uri/ index.php?q=$request_uri
-}
-
-This serves files like images statically, but also gives everyone access to the source code of your ~friendica ~friendica installation (tpl templates, sql files, etc). One should deny all locations except for images, javascript and css files. Setting these deny rules is tedious and needs maintenance when new directories are added.
-
-It's easier to route everything through the front controller except those known file types.
-
-Below is my configuration. First I forward non-SSL traffic to SSL.
+##
+# Friendica Nginx configuration
+# by Olaf Conradi
+#
+# On Debian based distributions you can add this file to
+# /etc/nginx/sites-available
+#
+# Then customize to your needs. To enable the configuration
+# symlink it to /etc/nginx/sites-enabled and reload Nginx using
+#
+# service nginx reload
+##
+
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+#
+# http://wiki.nginx.org/Pitfalls
+# http://wiki.nginx.org/QuickStart
+# http://wiki.nginx.org/Configuration
+##
+
+##
+# This configuration assumes your domain is example.net
+# You have a separate subdomain friendica.example.net
+# You want all Friendica traffic to be https
+# You have an SSL certificate and key for your subdomain
+# You have PHP FastCGI Process Manager (php5-fpm) running on localhost
+# You have Friendica installed in /var/www/friendica
+##
server {
+ listen 80;
server_name friendica.example.net;
+
index index.php;
- root /mnt/friendica/www;
+ root /var/www/friendica;
rewrite ^ https://friendica.example.net$request_uri? permanent;
}
-Next is the SSL server part.
+##
+# Configure Friendica with SSL
+#
+# All requests are routed to the front controller
+# except for certain known file types like images, css, etc.
+# Those are served statically whenever possible with a
+# fall back to the front controller (needed for avatars, for example)
+##
server {
listen 443 ssl;
server_name friendica.example.net;
- index index.php;
- root /mnt/friendica/www;
-
ssl on;
+
+ #Traditional SSL
ssl_certificate /etc/nginx/ssl/friendica.example.net.chain.pem;
ssl_certificate_key /etc/nginx/ssl/example.net.key;
+
+ # If you have used letsencrypt as your SSL provider, remove the previous two lines, and uncomment the following two (adjusting the path) instead.
+ # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+ # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+
ssl_session_timeout 5m;
- ssl_protocols SSLv3 TLSv1;
- ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
ssl_prefer_server_ciphers on;
+ fastcgi_param HTTPS on;
+
+ index index.php;
+ charset utf-8;
+ root /var/www/friendica;
+ access_log /var/log/nginx/friendica.log;
+
+ # Uncomment the following line to include a standard configuration file Note
+ # that the most specific rule wins and your standard configuration will
+ # therefore *add* to this file, but not override it.
+ #include standard.conf
+
# allow uploads up to 20MB in size
client_max_body_size 20m;
client_body_buffer_size 128k;
# rewrite to front controller as default rule
location / {
- rewrite ^/(.*) /index.php?q=$1 last;
+ try_files $uri /index.php?pagename=$uri&$args;
}
- # make sure webfinger isn't blocked by denying dot files
- # and rewrite to front controller
- location = /.well-known/host-meta {
+ # make sure webfinger and other well known services aren't blocked
+ # by denying dot files and rewrite request to the front controller
+ location ^~ /.well-known/ {
allow all;
- rewrite ^/(.*) /index.php?q=$1 last;
- }
-
- # statically serve these file types when possible
- # otherwise fall back to front controller
- # allow browser to cache them
- # added .htm for advanced source code editor library
- location ~* \.(jpg|jpeg|gif|png|css|js|ico|htm|html)$ {
- expires 30d;
- try_files $uri /index.php?q=$uri&$args;
+ try_files $uri /index.php?pagename=$uri&$args;
}
+ include mime.types;
- # block these file types
- location ~* \.(tpl|md|git|tgz|log|out) {
- deny all;
- }
+ # statically serve these file types when possible otherwise fall back to
+ # front controller allow browser to cache them added .htm for advanced source
+ # code editor library
+ #location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {
+ # expires 30d;
+ # try_files $uri /index.php?pagename=$uri&$args;
+ #}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ # or a unix socket
location ~* \.php$ {
+ # Zero-day exploit defense.
+ # http://forum.nginx.org/read.php?2,88845,page=3
+ # Won't work properly (404 error) if the file is not stored on this
+ # server, which is entirely possible with php-fpm/php-fcgi.
+ # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
+ # another machine. And then cross your fingers that you won't get hacked.
+ try_files $uri =404;
+
+ # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_split_path_info ^(.+\.php)(/.+)$;
- # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
- # # With php5-cgi alone:
+
+ # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
- # With php5-fpm:
- fastcgi_pass unix:/var/run/php5-fpm.sock;
- fastcgi_index index.php;
+
+ # With php7.0-fpm:
+ fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+
include fastcgi_params;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
- # deny access to all dot files (including .htaccess)
- location ~ /\. {
+ # block these file types
+ location ~* \.(tpl|md|tgz|log|out)$ {
deny all;
}
-}
-
-That's it.
-#nginx #friendica @Friendica Support
-
-I found one bug after posting when I noticed 404's coming in for certain image files. Avatars need a fallback to go through the front controller.
-# statically serve these file types when possible
-# otherwise fall back to front controller
-# allow browser to cache them
-# added .htm for advanced source code editor library
-location ~* \.(jpg|jpeg|gif|png|css|js|ico|htm)$ {
-expires 30d;
-try_files $uri /index.php?q=$request_uri?;
+ # deny access to all dot files
+ location ~ /\. {
+ deny all;
+ }
}
-
projects / friendica.git / blobdiff