-
Notifications
You must be signed in to change notification settings - Fork 112
/
Copy pathnginx.conf
175 lines (152 loc) · 5.18 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
# mime types are already covered in nginx.conf
#include mime.types;
upstream php-pimcore10 {
server php:9000;
}
map $args $static_page_root {
default /var/tmp/pages;
"~*(^|&)pimcore_editmode=true(&|$)" /var/nonexistent;
"~*(^|&)pimcore_preview=true(&|$)" /var/nonexistent;
"~*(^|&)pimcore_version=[^&]+(&|$)" /var/nonexistent;
}
map $uri $static_page_uri {
default $uri;
"/" /%home;
}
server {
listen [::]:80 default_server;
listen 80 default_server;
#server_name pimcore.localhost;
root /var/www/html/public;
index index.php;
# Filesize depending on your data
client_max_body_size 100m;
# It is recommended to seclude logs per virtual host
#access_log /var/log/access.log;
#error_log /var/log/error.log error;
# Protected Assets
#
### 1. Option - Restricting access to certain assets completely
#
# location ~ ^/protected/.* {
# return 403;
# }
# location ~ ^/var/.*/protected(.*) {
# return 403;
# }
#
# location ~ ^/cache-buster\-[\d]+/protected(.*) {
# return 403;
# }
#
### 2. Option - Checking permissions before delivery
#
# rewrite ^(/protected/.*) /index.php$is_args$args last;
#
# rewrite ^(/cache-buster-(?:\d+)/protected(?:.*)) /index.php$is_args$args last;
#
# location ~ ^/var/.*/protected(.*) {
# return 403;
# }
#
# location ~ ^/cache-buster\-[\d]+/protected(.*) {
# return 403;
# }
# Pimcore Head-Link Cache-Busting
rewrite ^/cache-buster-(?:\d+)/(.*) /$1 last;
# Stay secure
#
# a) don't allow PHP in folders allowing file uploads
location ~* /var/assets/.*\.php(/|$) {
return 404;
}
# b) Prevent clients from accessing hidden files (starting with a dot)
# Access to `/.well-known/` is allowed.
# https://www.mnot.net/blog/2010/04/07/well-known
# https://tools.ietf.org/html/rfc5785
location ~* /\.(?!well-known/) {
deny all;
log_not_found off;
access_log off;
}
# c) Prevent clients from accessing to backup/config/source files
location ~* (?:\.(?:bak|conf(ig)?|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
deny all;
}
# Some Admin Modules need this:
# Server Info, Opcache
location ~* ^/admin/external {
rewrite .* /index.php$is_args$args last;
}
# Thumbnails
location ~* .*/(image|video)-thumb__\d+__.* {
try_files /var/tmp/thumbnails$uri /index.php;
expires 2w;
access_log off;
add_header Cache-Control "public";
}
# Assets
# Still use a whitelist approach to prevent each and every missing asset to go through the PHP Engine.
location ~* ^(?!/admin|/asset/webdav|/studio/api)(.+?)\.((?:css|js)(?:\.map)?|jpe?g|gif|png|svgz?|eps|exe|gz|json|zip|mp\d|m4a|ogg|ogv|webp|webm|pdf|csv|docx?|xlsx?|pptx?)$ {
try_files /var/assets$uri $uri =404;
expires 2w;
access_log off;
log_not_found off;
add_header Cache-Control "public";
}
location / {
error_page 404 /meta/404;
try_files $static_page_root$static_page_uri.html $uri /index.php$is_args$args;
}
# Use this location when the installer has to be run
# location ~ /(index|install)\.php(/|$) {
#
# Use this after initial install is done:
location ~ ^/index\.php(/|$) {
send_timeout 1800;
fastcgi_read_timeout 1800;
# regex to split $uri to $fastcgi_script_name and $fastcgi_path_info
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Check that the PHP script exists before passing it
#try_files $fastcgi_script_name =404;
# include fastcgi.conf if needed
include fastcgi_params;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
# Activate these, if using Symlinks and opcache
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
fastcgi_pass php-pimcore10;
# Prevents URIs that include the front controller. This will 404:
# http://domain.tld/index.php/some-path
# Remove the internal directive to allow URIs like this
internal;
}
# PHP-FPM Status and Ping
location /fpm- {
access_log off;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
location /fpm-status {
allow 127.0.0.1;
# add additional IP's or Ranges
deny all;
fastcgi_pass php-pimcore10;
}
location /fpm-ping {
fastcgi_pass php-pimcore10;
}
}
# nginx Status
# see: https://nginx.org/en/docs/http/ngx_http_stub_status_module.html
location /nginx-status {
allow 127.0.0.1;
deny all;
access_log off;
stub_status;
}
}