# Streams nginx configuration
#
# originally by Olaf Conradi
# with later contributions by Thomas Willingham, Harald Eilertsen and elmussol,
# refactored by elmussol.
#
# preamble
#
# This config was constructed and tested to work on Debian Bookworm 12,
# PHP8.3 (from the Sury repo), and nginx 1.22.
#
# On Debian based distributions you can add this file to:
#
# /etc/nginx/sites-available
#
# then customize it to your needs. To enable the configuration,
# symlink it into /etc/nginx/sites-enabled and reload nginx using:
#
# service nginx reload
#
# This configuration assumes:
#
# Your domain is example.net
# You have a separate subdomain streams.example.net
# You want all Streams traffic to be https
# You have an SSL certificate and key for your subdomain
# (in this example using LetsEncrypt)
# You have PHP FastCGI Process Manager (php8.3-fpm) running as a unix:socket
# You have Streams installed in /var/www/streams/
##

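# Send http to https.
#
# Everything arriving on port 80 is redirected unconditionally. The port 80
# server deliberately serves nothing itself: with a Host-conditional redirect
# plus a "root" and "index", a request whose Host header is anything other
# than streams.example.net (for example the bare IP address) would be answered
# as plain static files from the document root, without the PHP handler and
# without the deny rules of the https server below.
server {
    listen 80;
    listen [::]:80;

    server_name streams.example.net;

    # $server_name is the name configured above, not the client-supplied Host
    # header, so the redirect target is always the canonical site.
    return 301 https://$server_name$request_uri;
}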
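# SSL config.
server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot

    server_name streams.example.net;

    # Must be the directory Streams is actually installed in. The preamble
    # above refers to /var/www/streams/; keep the two in agreement.
    root /var/www/streams.example.net;
    index index.php;

    ssl_certificate /etc/letsencrypt/live/streams.example.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/streams.example.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # The Certbot snippet does not send HSTS. Enable it once the site is
    # confirmed to work over https only:
    # add_header Strict-Transport-Security "max-age=63072000" always;

    access_log /var/log/nginx/streams.log;

    # Uncomment the following line to include a standard configuration file.
    # Note that the most specific rule wins and your standard configuration
    # will therefore *add* to this file, but not override it.
    #
    # include standard.conf

    # Allow uploads up to 20MB in size.
    client_max_body_size 20m;
    client_body_buffer_size 128k;

    include mime.types;

    # Rewrite to front controller as default rule.
    location / {
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php?req=$1;
        }
    }

    # Make sure webfinger and other well-known services aren't blocked
    # by denying dot files and rewrite request to the front controller.
    # "^~" is a prefix match that takes precedence over every regex
    # location below, including the dot-file deny.
    location ^~ /.well-known/ {
        allow all;
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php?req=$1;
        }
    }

    # Deny rules.
    #
    # Regex locations are tried in the order they appear and the first match
    # wins, so every deny below must be listed BEFORE the \.php$ handler.
    # Listed after it, a URI that ends in .php but lives under a denied path
    # (or is a dot file) would match the PHP location first and be executed
    # instead of denied.

    # Block these file types.
    location ~* \.(tpl|tgz|log|out)$ {
        deny all;
    }

    # Block dot files.
    location ~ /\. {
        deny all;
    }

    # Deny access to store.
    # Unanchored substring match (any URI containing "/store"), kept as in
    # the original rule; it errs on the side of denying.
    location ~ /store {
        deny all;
    }

    # Deny access to util. Same unanchored match as /store above.
    location ~ /util {
        deny all;
    }

    # Tell where fastcgi lives.
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
        include fastcgi_params;
        include snippets/fastcgi-php.conf;
    }
}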