From: Roland Häder Date: Sat, 4 Mar 2017 09:58:33 +0000 (+0100) Subject: it is documenation, right? :-) X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=e61b8f667e0db27f9c96b7cbaef1031fd4b5de75;p=friendica.git it is documenation, right? :-) Signed-off-by: Roland Häder
---
diff --git a/doc/server-config/readme.txt b/doc/server-config/readme.txt
new file mode 100644
index 0000000000..8fc1c48b32
--- /dev/null
+++ b/doc/server-config/readme.txt
@@ -0,0 +1,31 @@
+sample-Lighttpd.config
+sample-nginx.config
+
+ Sample configuration files to use Friendica with Lighttpd
+ or Nginx. Pleas check software documentation to know how modify
+ these examples to make them work on your server.
+
+
+sample-systemd.timer
+sample-systemd.service
+
+ Sample systemd unit files to start worker.php periodically.
+
+ Please place them in the correct location for your system,
+ typically this is /etc/systemd/system/friendicaworker.timer
+ and /etc/systemd/system/friendicaworker.service.
+ Please report problems and improvements to
+ !helpers@forum.friendi.ca and @utzer@social.yl.ms or open an
+ issue in Github (https://github.com/friendica/friendica/issues).
+ This is for usage of systemd instead of cron to start the worker.php
+ periodically, the solution is work-in-progress and can surely be improved.
+
+home.css
+home.html
+
+ Example files to customize the landing page of your Friendica node.
+ The home.html file contains the text of the page, the home.css file
+ the style information. The login box will be added according to the
+ other system settings.
+ Both files have to be placed in the base directory of your Friendica
+ installation to be used for the landing page.
diff --git a/doc/server-config/sample-Lighttpd.config b/doc/server-config/sample-Lighttpd.config
new file mode 100644
index 0000000000..1c83700609
--- /dev/null
+++ b/doc/server-config/sample-Lighttpd.config
@@ -0,0 +1,138 @@
+Below is a sample config for Lighttpd that
+seems to work well on Debian Squeeze, with "lighttpd/1.4.28 (ssl)"
+
+The idea is: if someone enters the bare URL for my site, 'example.com',
+they get redirected to https://example.com/index.html, which is simply a
+page with two links on it: https://wordpress.example.com and
+https://friendica.example.com.
+
+If someone enters https://example.com, they get redirected to
+https://wordpress.example.com/main/, which is the 'main' blog in a Word
+Press 'network install' of the 'subdirectory' variety.
+
+I thought it might be nice to offer people who join my Friendica
+instance their own blogs, if they like.
+
+One can obtain free, signed, single subdomain SSL certificates from
+StartCom CA, which upon checking I noticed was already installed in both
+Firefox and Google Chromium. Info at http://cert.startcom.org/ . So I
+got one for each site, and have Lighty use the appropriate cert based on
+the requested URL.
+
+Enjoy!
+
+On Debian Jessie with lighttpd 1.4.35-4 there was a problem encountered
+between curl (which is used by Friendica in the background) and lighttp.
+This problem caused requests being served with an error code of 417 in
+the logs and no delivery of postings from the contacts.
+
+One can solve the issue by adding
+
+ server.reject-expect-100-with-417 = "disable"
+
+to the lighttpd configuratiion file (e.g. in the beginning with the
+other 'server.xxx' settings.
+
+---------------( config starts )-----------------
+
+debug.log-request-handling = "disable"
+debug.log-condition-handling = "disable"
+
+server.modules = (
+ "mod_access",
+ "mod_alias",
+ "mod_compress",
+ "mod_redirect",
+ "mod_fastcgi",
+ "mod_rewrite"
+)
+
+server.document-root = "/var/www"
+server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
+server.errorlog = "/var/log/lighttpd/error.log"
+server.pid-file = "/var/run/lighttpd.pid"
+server.username = "www-data"
+server.groupname = "www-data"
+
+# enable SSL
+ssl.engine = "enable"
+ssl.pemfile = "/etc/lighttpd/ssl/wordpress.pem"
+ssl.ca-file = "/etc/lighttpd/ssl/ca.pem"
+
+# fix for problem between curl and lighttpd
+server.reject-expect-100-with-417 = "disable"
+
+# Send everybody to landing page:
+$SERVER["socket"] == ":80" {
+
+$HTTP["scheme"] == "http" {
+ $HTTP["host"] =~ ".*" {
+ # This next redirect doesn't appear to ever execute in Firefox
+ # (sometimes, anyway -- caching issue?), but it does seem to
+ # reliably in Google's Chromium browser. If I change it here
+ # and restart Lighty, Firefox still goes to the URL in the
+ # last 'else' below. Or something.
+Sometimes.
+ server.document-root = "/var/www"
+ url.redirect = (".*" => "https://example.com")
+ }
+}
+
+}
+else $SERVER["socket"] == ":443" {
+
+$HTTP["scheme"] == "https" {
+
+ $HTTP["host"] == "wordpress.example.com" {
+ server.document-root = "/var/www/wordpress"
+ ssl.pemfile = "/etc/lighttpd/ssl/wordpress.pem"
+ # include "wpmu-rewrites.conf"
+ url.rewrite-if-not-file = (
+ "^/(.*/)?files/$" => "/index.php",
+ "^/(.*/)?files/(.*)" => "/wp-includes/ms-files.php?file=$2",
+ "^(/wp-admin/.*)" => "$1",
+ "^/([_0-9a-zA-Z-]+/)?(wp-.*)" => "/$2",
+ "^/([_0-9a-zA-Z-]+/)?(.*\.php)" => "/$2",
+ "^/(.*)/?$" => "/index.php/$1"
+ )
+ }
+ else $HTTP["host"] == "friendica.example.com" {
+ server.document-root = "/var/www/friendica"
+ ssl.pemfile = "/etc/lighttpd/ssl/friendica.pem"
+ # Got the following 'Drupal Clean URL'after Mike suggested trying
+ # something along those lines, from http://drupal.org/node/1414950
+ url.rewrite-if-not-file = (
+ "^\/([^\?]*)\?(.*)$" => "/index.php?q=$1&$2",
+ "^\/(.*)$" => "/index.php?q=$1"
+ )
+ }
+ else $HTTP["host"] !~ "(friendica.example.com|wordpress.example.com)" {
+ server.document-root = "/var/www/wordpress"
+ ssl.pemfile = "/etc/lighttpd/ssl/wordpress.pem"
+ url.redirect = (".*" => "https://wordpress.example.com/main/")
+ }
+}
+
+}
+
+index-file.names = ( "index.php", "index.html",
+ "index.htm", "default.htm",
+ "index.lighttpd.html" )
+
+url.access-deny = ( "~", ".inc" )
+
+static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
+
+include_shell "/usr/share/lighttpd/use-ipv6.pl"
+
+dir-listing.encoding = "utf-8"
+server.dir-listing = "disable"
+
+#compress.cache-dir = "/var/cache/lighttpd/compress/"
+#compress.filetype = ( "application/x-javascript", "text/css", "text/html", "text/p\lain" )
+
+
+include_shell "/usr/share/lighttpd/create-mime.assign.pl"
+include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
+
+---------------( config ends )-----------------
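Review bot: `url.access-deny = ( "~", ".inc" )` is the only access restriction in this sample, whereas sample-nginx.config in the same commit also denies dot files and `\.(tpl|md|tgz|log|out)$`, so an admin who copies the Lighttpd sample would presumably serve those files statically from /var/www/friendica. I would extend the list to `url.access-deny = ( "~", ".inc", ".tpl", ".md", ".tgz", ".log", ".out" )` and add a comment saying that dot files other than /.well-known/ should be denied as well. Separately, the introductory text still recommends StartCom certificates; if I recall correctly the major browsers had announced distrust of newly issued StartCom certificates by the date of this commit, so that paragraph deserves a note pointing readers to another CA. The file is moved unchanged from mods/, so both points predate this commit.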
diff --git a/doc/server-config/sample-nginx-reverse-proxy.config b/doc/server-config/sample-nginx-reverse-proxy.config
new file mode 100644
index 0000000000..afc74dfc4a
--- /dev/null
+++ b/doc/server-config/sample-nginx-reverse-proxy.config
@@ -0,0 +1,37 @@
+#
+# Example of NGINX as reverse-proxy terminating an HTTPS connection.
+#
+# This is not a complete NGINX config.
+#
+# Please refer to NGINX docs
+#
+
+# Note provided by Gabe R.: if you are using nginx as proxy server for Apache2
+# make sure your nginx config DOES NOT contain the following
+# -----
+# location ~ /.well-known {
+# allow all;
+# }
+# -----
+...
+
+server {
+
+ ...
+
+ # assuming Friendica runs on port 8080
+ location / {
+ if ( $scheme != https ) {
+ # Force Redirect to HTTPS
+ return 302 https://$host$uri;
+ }
+ proxy_pass http://localhost:8080;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Forwarded "for=$proxy_add_x_forwarded_for; proto=$scheme";
+ }
+
+ ...
+
+}
diff --git a/doc/server-config/sample-nginx.config b/doc/server-config/sample-nginx.config
new file mode 100644
index 0000000000..6bf75bd818
--- /dev/null
+++ b/doc/server-config/sample-nginx.config
@@ -0,0 +1,141 @@
+##
+# Friendica Nginx configuration
+# by Olaf Conradi
+#
+# On Debian based distributions you can add this file to
+# /etc/nginx/sites-available
+#
+# Then customize to your needs. To enable the configuration
+# symlink it to /etc/nginx/sites-enabled and reload Nginx using
+#
+# service nginx reload
+##
+
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+#
+# http://wiki.nginx.org/Pitfalls
+# http://wiki.nginx.org/QuickStart
+# http://wiki.nginx.org/Configuration
+##
+
+##
+# This configuration assumes your domain is example.net
+# You have a separate subdomain friendica.example.net
+# You want all Friendica traffic to be https
+# You have an SSL certificate and key for your subdomain
+# You have PHP FastCGI Process Manager (php5-fpm) running on localhost
+# You have Friendica installed in /var/www/friendica
+##
+
+server {
+ listen 80;
+ server_name friendica.example.net;
+
+ index index.php;
+ root /var/www/friendica;
+ rewrite ^ https://friendica.example.net$request_uri? permanent;
+}
+
+##
+# Configure Friendica with SSL
+#
+# All requests are routed to the front controller
+# except for certain known file types like images, css, etc.
+# Those are served statically whenever possible with a
+# fall back to the front controller (needed for avatars, for example)
+##
+
+server {
+ listen 443 ssl;
+ server_name friendica.example.net;
+
+ ssl on;
+
+ #Traditional SSL
+ ssl_certificate /etc/nginx/ssl/friendica.example.net.chain.pem;
+ ssl_certificate_key /etc/nginx/ssl/example.net.key;
+
+ # If you have used letsencrypt as your SSL provider, remove the previous two lines, and uncomment the following two (adjusting the path) instead.
+ # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+ # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
+ ssl_prefer_server_ciphers on;
+
+ fastcgi_param HTTPS on;
+
+ index index.php;
+ charset utf-8;
+ root /var/www/friendica;
+ access_log /var/log/nginx/friendica.log;
+ #Uncomment the following line to include a standard configuration file
+ #Note that the most specific rule wins and your standard configuration
+ #will therefore *add* to this file, but not override it.
+ #include standard.conf
+ # allow uploads up to 20MB in size
+ client_max_body_size 20m;
+ client_body_buffer_size 128k;
+
+ # rewrite to front controller as default rule
+ location / {
+ if ($is_args != "") {
+ rewrite ^/(.*) /index.php?pagename=$uri&$args last;
+ }
+ rewrite ^/(.*) /index.php?pagename=$uri last;
+ }
+
+ # make sure webfinger and other well known services aren't blocked
+ # by denying dot files and rewrite request to the front controller
+ location ^~ /.well-known/ {
+ allow all;
+ rewrite ^/(.*) /index.php?pagename=$uri&$args last;
+ }
+
+ # statically serve these file types when possible
+ # otherwise fall back to front controller
+ # allow browser to cache them
+ # added .htm for advanced source code editor library
+ location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {
+ expires 30d;
+ try_files $uri /index.php?pagename=$uri&$args;
+ }
+
+ # block these file types
+ location ~* \.(tpl|md|tgz|log|out)$ {
+ deny all;
+ }
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ # or a unix socket
+ location ~* \.php$ {
+ # Zero-day exploit defense.
+ # http://forum.nginx.org/read.php?2,88845,page=3
+ # Won't work properly (404 error) if the file is not stored on this
+ # server, which is entirely possible with php-fpm/php-fcgi.
+ # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
+ # another machine. And then cross your fingers that you won't get hacked.
+ try_files $uri =404;
+
+ # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ # With php5-cgi alone:
+ # fastcgi_pass 127.0.0.1:9000;
+
+ # With php5-fpm:
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+
+ include fastcgi_params;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+
+ # deny access to all dot files
+ location ~ /\. {
+ deny all;
+ }
+}
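Review bot: The `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line and the tail of the `ssl_ciphers` list (the `*-DES-CBC3-SHA` entries and the non-forward-secret `AES128-SHA`/`AES256-SHA` suites) keep legacy protocol versions and 3DES enabled in a sample that administrators are likely to copy as-is now that it sits under doc/. I would change the sample to `ssl_protocols TLSv1.2;` and drop the `DES-CBC3-SHA` entries, or at least add a comment such as `# compatibility-oriented defaults; restrict protocols and ciphers for new deployments`. `ssl on;` is also redundant next to `listen 443 ssl;` and could be removed. The file is moved unchanged from mods/, so these points predate this commit.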
diff --git a/mods/readme.txt b/mods/readme.txt
deleted file mode 100644
index 8fc1c48b32..0000000000
--- a/mods/readme.txt
+++ /dev/null
@@ -1,31 +0,0 @@
-sample-Lighttpd.config
-sample-nginx.config
-
- Sample configuration files to use Friendica with Lighttpd
- or Nginx. Pleas check software documentation to know how modify
- these examples to make them work on your server.
-
-
-sample-systemd.timer
-sample-systemd.service
-
- Sample systemd unit files to start worker.php periodically.
-
- Please place them in the correct location for your system,
- typically this is /etc/systemd/system/friendicaworker.timer
- and /etc/systemd/system/friendicaworker.service.
- Please report problems and improvements to
- !helpers@forum.friendi.ca and @utzer@social.yl.ms or open an
- issue in Github (https://github.com/friendica/friendica/issues).
- This is for usage of systemd instead of cron to start the worker.php
- periodically, the solution is work-in-progress and can surely be improved.
-
-home.css
-home.html
-
- Example files to customize the landing page of your Friendica node.
- The home.html file contains the text of the page, the home.css file
- the style information. The login box will be added according to the
- other system settings.
- Both files have to be placed in the base directory of your Friendica
- installation to be used for the landing page.
diff --git a/mods/sample-Lighttpd.config b/mods/sample-Lighttpd.config
deleted file mode 100644
index 1c83700609..0000000000
--- a/mods/sample-Lighttpd.config
+++ /dev/null
@@ -1,138 +0,0 @@
-Below is a sample config for Lighttpd that
-seems to work well on Debian Squeeze, with "lighttpd/1.4.28 (ssl)"
-
-The idea is: if someone enters the bare URL for my site, 'example.com',
-they get redirected to https://example.com/index.html, which is simply a
-page with two links on it: https://wordpress.example.com and
-https://friendica.example.com.
-
-If someone enters https://example.com, they get redirected to
-https://wordpress.example.com/main/, which is the 'main' blog in a Word
-Press 'network install' of the 'subdirectory' variety.
-
-I thought it might be nice to offer people who join my Friendica
-instance their own blogs, if they like.
-
-One can obtain free, signed, single subdomain SSL certificates from
-StartCom CA, which upon checking I noticed was already installed in both
-Firefox and Google Chromium. Info at http://cert.startcom.org/ . So I
-got one for each site, and have Lighty use the appropriate cert based on
-the requested URL.
-
-Enjoy!
-
-On Debian Jessie with lighttpd 1.4.35-4 there was a problem encountered
-between curl (which is used by Friendica in the background) and lighttp.
-This problem caused requests being served with an error code of 417 in
-the logs and no delivery of postings from the contacts.
-
-One can solve the issue by adding
-
- server.reject-expect-100-with-417 = "disable"
-
-to the lighttpd configuratiion file (e.g. in the beginning with the
-other 'server.xxx' settings.
-
----------------( config starts )-----------------
-
-debug.log-request-handling = "disable"
-debug.log-condition-handling = "disable"
-
-server.modules = (
- "mod_access",
- "mod_alias",
- "mod_compress",
- "mod_redirect",
- "mod_fastcgi",
- "mod_rewrite"
-)
-
-server.document-root = "/var/www"
-server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
-server.errorlog = "/var/log/lighttpd/error.log"
-server.pid-file = "/var/run/lighttpd.pid"
-server.username = "www-data"
-server.groupname = "www-data"
-
-# enable SSL
-ssl.engine = "enable"
-ssl.pemfile = "/etc/lighttpd/ssl/wordpress.pem"
-ssl.ca-file = "/etc/lighttpd/ssl/ca.pem"
-
-# fix for problem between curl and lighttpd
-server.reject-expect-100-with-417 = "disable"
-
-# Send everybody to landing page:
-$SERVER["socket"] == ":80" {
-
-$HTTP["scheme"] == "http" {
- $HTTP["host"] =~ ".*" {
- # This next redirect doesn't appear to ever execute in Firefox
- # (sometimes, anyway -- caching issue?), but it does seem to
- # reliably in Google's Chromium browser. If I change it here
- # and restart Lighty, Firefox still goes to the URL in the
- # last 'else' below. Or something.
-Sometimes.
- server.document-root = "/var/www"
- url.redirect = (".*" => "https://example.com")
- }
-}
-
-}
-else $SERVER["socket"] == ":443" {
-
-$HTTP["scheme"] == "https" {
-
- $HTTP["host"] == "wordpress.example.com" {
- server.document-root = "/var/www/wordpress"
- ssl.pemfile = "/etc/lighttpd/ssl/wordpress.pem"
- # include "wpmu-rewrites.conf"
- url.rewrite-if-not-file = (
- "^/(.*/)?files/$" => "/index.php",
- "^/(.*/)?files/(.*)" => "/wp-includes/ms-files.php?file=$2",
- "^(/wp-admin/.*)" => "$1",
- "^/([_0-9a-zA-Z-]+/)?(wp-.*)" => "/$2",
- "^/([_0-9a-zA-Z-]+/)?(.*\.php)" => "/$2",
- "^/(.*)/?$" => "/index.php/$1"
- )
- }
- else $HTTP["host"] == "friendica.example.com" {
- server.document-root = "/var/www/friendica"
- ssl.pemfile = "/etc/lighttpd/ssl/friendica.pem"
- # Got the following 'Drupal Clean URL'after Mike suggested trying
- # something along those lines, from http://drupal.org/node/1414950
- url.rewrite-if-not-file = (
- "^\/([^\?]*)\?(.*)$" => "/index.php?q=$1&$2",
- "^\/(.*)$" => "/index.php?q=$1"
- )
- }
- else $HTTP["host"] !~ "(friendica.example.com|wordpress.example.com)" {
- server.document-root = "/var/www/wordpress"
- ssl.pemfile = "/etc/lighttpd/ssl/wordpress.pem"
- url.redirect = (".*" => "https://wordpress.example.com/main/")
- }
-}
-
-}
-
-index-file.names = ( "index.php", "index.html",
- "index.htm", "default.htm",
- "index.lighttpd.html" )
-
-url.access-deny = ( "~", ".inc" )
-
-static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
-
-include_shell "/usr/share/lighttpd/use-ipv6.pl"
-
-dir-listing.encoding = "utf-8"
-server.dir-listing = "disable"
-
-#compress.cache-dir = "/var/cache/lighttpd/compress/"
-#compress.filetype = ( "application/x-javascript", "text/css", "text/html", "text/p\lain" )
-
-
-include_shell "/usr/share/lighttpd/create-mime.assign.pl"
-include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
-
----------------( config ends )-----------------
diff --git a/mods/sample-nginx-reverse-proxy.config b/mods/sample-nginx-reverse-proxy.config
deleted file mode 100644
index afc74dfc4a..0000000000
--- a/mods/sample-nginx-reverse-proxy.config
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# Example of NGINX as reverse-proxy terminating an HTTPS connection.
-#
-# This is not a complete NGINX config.
-#
-# Please refer to NGINX docs
-#
-
-# Note provided by Gabe R.: if you are using nginx as proxy server for Apache2
-# make sure your nginx config DOES NOT contain the following
-# -----
-# location ~ /.well-known {
-# allow all;
-# }
-# -----
-...
-
-server {
-
- ...
-
- # assuming Friendica runs on port 8080
- location / {
- if ( $scheme != https ) {
- # Force Redirect to HTTPS
- return 302 https://$host$uri;
- }
- proxy_pass http://localhost:8080;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Forwarded "for=$proxy_add_x_forwarded_for; proto=$scheme";
- }
-
- ...
-
-}
diff --git a/mods/sample-nginx.config b/mods/sample-nginx.config
deleted file mode 100644
index 6bf75bd818..0000000000
--- a/mods/sample-nginx.config
+++ /dev/null
@@ -1,141 +0,0 @@
-##
-# Friendica Nginx configuration
-# by Olaf Conradi
-#
-# On Debian based distributions you can add this file to
-# /etc/nginx/sites-available
-#
-# Then customize to your needs. To enable the configuration
-# symlink it to /etc/nginx/sites-enabled and reload Nginx using
-#
-# service nginx reload
-##
-
-##
-# You should look at the following URL's in order to grasp a solid understanding
-# of Nginx configuration files in order to fully unleash the power of Nginx.
-#
-# http://wiki.nginx.org/Pitfalls
-# http://wiki.nginx.org/QuickStart
-# http://wiki.nginx.org/Configuration
-##
-
-##
-# This configuration assumes your domain is example.net
-# You have a separate subdomain friendica.example.net
-# You want all Friendica traffic to be https
-# You have an SSL certificate and key for your subdomain
-# You have PHP FastCGI Process Manager (php5-fpm) running on localhost
-# You have Friendica installed in /var/www/friendica
-##
-
-server {
- listen 80;
- server_name friendica.example.net;
-
- index index.php;
- root /var/www/friendica;
- rewrite ^ https://friendica.example.net$request_uri? permanent;
-}
-
-##
-# Configure Friendica with SSL
-#
-# All requests are routed to the front controller
-# except for certain known file types like images, css, etc.
-# Those are served statically whenever possible with a
-# fall back to the front controller (needed for avatars, for example)
-##
-
-server {
- listen 443 ssl;
- server_name friendica.example.net;
-
- ssl on;
-
- #Traditional SSL
- ssl_certificate /etc/nginx/ssl/friendica.example.net.chain.pem;
- ssl_certificate_key /etc/nginx/ssl/example.net.key;
-
- # If you have used letsencrypt as your SSL provider, remove the previous two lines, and uncomment the following two (adjusting the path) instead.
- # ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
- # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
-
- ssl_session_timeout 5m;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
- ssl_prefer_server_ciphers on;
-
- fastcgi_param HTTPS on;
-
- index index.php;
- charset utf-8;
- root /var/www/friendica;
- access_log /var/log/nginx/friendica.log;
- #Uncomment the following line to include a standard configuration file
- #Note that the most specific rule wins and your standard configuration
- #will therefore *add* to this file, but not override it.
- #include standard.conf
- # allow uploads up to 20MB in size
- client_max_body_size 20m;
- client_body_buffer_size 128k;
-
- # rewrite to front controller as default rule
- location / {
- if ($is_args != "") {
- rewrite ^/(.*) /index.php?pagename=$uri&$args last;
- }
- rewrite ^/(.*) /index.php?pagename=$uri last;
- }
-
- # make sure webfinger and other well known services aren't blocked
- # by denying dot files and rewrite request to the front controller
- location ^~ /.well-known/ {
- allow all;
- rewrite ^/(.*) /index.php?pagename=$uri&$args last;
- }
-
- # statically serve these file types when possible
- # otherwise fall back to front controller
- # allow browser to cache them
- # added .htm for advanced source code editor library
- location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {
- expires 30d;
- try_files $uri /index.php?pagename=$uri&$args;
- }
-
- # block these file types
- location ~* \.(tpl|md|tgz|log|out)$ {
- deny all;
- }
-
- # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
- # or a unix socket
- location ~* \.php$ {
- # Zero-day exploit defense.
- # http://forum.nginx.org/read.php?2,88845,page=3
- # Won't work properly (404 error) if the file is not stored on this
- # server, which is entirely possible with php-fpm/php-fcgi.
- # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
- # another machine. And then cross your fingers that you won't get hacked.
- try_files $uri =404;
-
- # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
-
- # With php5-cgi alone:
- # fastcgi_pass 127.0.0.1:9000;
-
- # With php5-fpm:
- fastcgi_pass unix:/var/run/php5-fpm.sock;
-
- include fastcgi_params;
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- }
-
- # deny access to all dot files
- location ~ /\. {
- deny all;
- }
-}