Streams/streams
Streams/streams
1
0
Fork 0
mirror of https://codeberg.org/streams/streams.git synced 2024-09-19 21:55:15 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'elmussol-release' into dev

Browse source
This commit is contained in:
Mike Macgirvin 2024-05-22 08:01:17 +10:00
commit 1b9dedadb0
1 changed files with 71 additions and 99 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

170
install/sample-nginx.conf
View file

@ -1,145 +1,117 @@
## # Streams nginx configuration
# Red Nginx configuration #
# by Olaf Conradi # originally by Olaf Conradi
# with later contributions by Thomas Willingham, Harald Eilertsen and elmussol,
# refactored by elmussol.
#
# preamble
#
# This config was constructed and tested to work on Debian Bookworm 12,
# PHP8.3 (from the Sury repo), and nginx 1.22.
#
# On Debian based distributions you can add this file to:
# #
# On Debian based distributions you can add this file to
# /etc/nginx/sites-available # /etc/nginx/sites-available
# #
# Then customize to your needs. To enable the configuration # then customize to your needs. To enable the configuration
# symlink it to /etc/nginx/sites-enabled and reload Nginx using # symlink it to /etc/nginx/sites-enabled and reload Nginx using:
# #
# service nginx reload # service nginx reload
##
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# #
# http://wiki.nginx.org/Pitfalls # This configuration assumes:
# http://wiki.nginx.org/QuickStart # Your domain is example.net
# http://wiki.nginx.org/Configuration # You have a separate subdomain streams.example.net
## # You want all Streams traffic to be https
# You have an SSL certificate and key for your subdomain
## # (in this example using LetsEncrypt)
# This configuration assumes your domain is example.net # You have PHP FastCGI Process Manager (php8.3-fpm) running as a unix:socket
# You have a separate subdomain red.example.net # You have Streams installed in /var/www/streams/
# You want all red traffic to be https
# You have an SSL certificate and key for your subdomain
# You have PHP FastCGI Process Manager (php5-fpm) running on localhost
# You have Red installed in /var/www/red
## ##
# Send http to https.
server { server {
listen 80; listen 80;
server_name red.example.net; listen [::]:80;
server_name streams.example.net;
root /var/www/streams.example.net;
index index.php; index index.php;
root /var/www/red;
rewrite ^ https://red.example.net$request_uri? permanent; if ($host = streams.example.net) {
return 301 https://$host$request_uri;
} # managed by Certbot
} }
## # SSL config.
# Configure Red with SSL
#
# All requests are routed to the front controller
# except for certain known file types like images, css, etc.
# Those are served statically whenever possible with a
# fall back to the front controller (needed for avatars, for example)
##
server { server {
listen 443 ssl; listen [::]:443 ssl ipv6only=on; # managed by Certbot
server_name red.example.net; listen 443 ssl; # managed by Certbot
ssl on; server_name streams.example.net;
ssl_certificate /etc/nginx/ssl/red.example.net.chain.pem;
ssl_certificate_key /etc/nginx/ssl/example.net.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
ssl_prefer_server_ciphers on;
fastcgi_param HTTPS on;
root /var/www/streams.example.net;
index index.php; index index.php;
charset utf-8;
root /var/www/red; ssl_certificate /etc/letsencrypt/live/streams.example.net/fullchain.pem; # managed by Certbot
access_log /var/log/nginx/red.log; ssl_certificate_key /etc/letsencrypt/live/streams.example.net/privkey.pem; # managed by Certbot
#Uncomment the following line to include a standard configuration file include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#Note that the most specific rule wins and your standard configuration ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#will therefore *add* to this file, but not override it.
#include standard.conf access_log /var/log/nginx/streams.log;
# allow uploads up to 20MB in size
# Uncomment the following line to include a standard configuration file.
# Note that the most specific rule wins and your standard configuration
# will therefore *add* to this file, but not override it.
#
# include standard.conf
# Allow uploads up to 20MB in size.
client_max_body_size 20m; client_max_body_size 20m;
client_body_buffer_size 128k; client_body_buffer_size 128k;
include mime.types; include mime.types;
# rewrite to front controller as default rule # Rewrite to front controller as default rule.
location / { location / {
if (!-e $request_filename) { if (!-e $request_filename) {
rewrite ^(.*)$ /index.php?req=$1; rewrite ^(.*)$ /index.php?req=$1;
} }
} }
# make sure webfinger and other well known services aren't blocked # Make sure webfinger and other well-known services aren't blocked
# by denying dot files and rewrite request to the front controller # by denying dot files and rewrite request to the front controller.
location ^~ /.well-known/ { location ^~ /.well-known/ {
allow all; allow all;
if (!-e $request_filename) { if (!-e $request_filename) {
rewrite ^(.*)$ /index.php?req=$1; rewrite ^(.*)$ /index.php?req=$1;
} }
} }
# Tell where fastcgi lives.
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php8.3-fpm.sock;
include fastcgi_params;
include snippets/fastcgi-php.conf;
}
# statically serve these file types when possible # Block these file types.
# otherwise fall back to front controller
# allow browser to cache them
# added .htm for advanced source code editor library
# location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|map|ttf|woff|woff2|svg)$ {
# expires 30d;
# try_files $uri /index.php?req=$uri&$args;
# }
# block these file types
location ~* \.(tpl|tgz|log|out)$ { location ~* \.(tpl|tgz|log|out)$ {
deny all; deny all;
} }
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # Block dot files.
# or a unix socket
location ~* \.php$ {
# Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3
# Won't work properly (404 error) if the file is not stored on this
# server, which is entirely possible with php-fpm/php-fcgi.
# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
# another machine. And then cross your fingers that you won't get hacked.
try_files $uri =404;
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
# deny access to all dot files
location ~ /\. { location ~ /\. {
deny all; deny all;
} }
#deny access to store
location ~ /store {
deny all;
}
# Deny access to store.
location ~ /store {
deny all;
}
# Deny access to util.
location ~ /util {
deny all;
}
} }