From 0157b9eb3762d4f27f63c48187c5faf334777cd2 Mon Sep 17 00:00:00 2001 From: Paul Chaignon Date: Fri, 6 Mar 2015 07:38:54 +0100 Subject: [PATCH] .vhost as a Nginx extension --- lib/linguist/languages.yml | 3 + samples/Nginx/example.com.vhost | 242 ++++++++++++++++++++++++++++++++ 2 files changed, 245 insertions(+) create mode 100644 samples/Nginx/example.com.vhost diff --git a/lib/linguist/languages.yml b/lib/linguist/languages.yml index 9f2a742a..5a841087 100644 --- a/lib/linguist/languages.yml +++ b/lib/linguist/languages.yml @@ -1968,6 +1968,9 @@ Nginx: type: markup extensions: - .nginxconf + - .vhost + filenames: + - nginx.conf tm_scope: source.nginx aliases: - nginx configuration file diff --git a/samples/Nginx/example.com.vhost b/samples/Nginx/example.com.vhost new file mode 100644 index 00000000..ed0c40d9 --- /dev/null +++ b/samples/Nginx/example.com.vhost @@ -0,0 +1,242 @@ +# Move the www people to no-www +server { + listen 80; + server_name www.example.com; + return 301 $scheme://example.com$request_uri; +} + +server { + listen 80; + listen 443 ssl; + server_name example.com; + + # Certs sent to the client in SERVER HELLO are concatenated in ssl_certificate + ssl_certificate /srv/www/example.com/ssl/example.com.crt; + ssl_certificate_key /srv/www/example.com/ssl/example.com.key; + + # Allow multiple connections to use the same key data + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:50m; + + # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits + ssl_dhparam /etc/ssl/certs/dhparam.pem; + + # Intermediate configuration. tweak to your needs + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + include snippets/ssl_ciphers_intermediate.conf; + ssl_prefer_server_ciphers on; + + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + #add_header Strict-Transport-Security max-age=15768000; + + # OCSP Stapling - fetch OCSP records from URL in ssl_certificate and cache them + ssl_stapling on; + ssl_stapling_verify on; + + # Verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate /srv/www/example.com/ssl/unified-ssl.crt; + resolver 8.8.8.8 8.8.4.4; + resolver_timeout 10s; + + root /srv/www/example.com/htdocs; + index index.php index.html index.htm; + charset UTF-8; + autoindex off; + + # Deny access based on HTTP method (set in HTTP level) + if ($bad_method = 1) { + return 444; + } + + # Show "Not Found" 404 errors in place of "Forbidden" 403 errors, because + # forbidden errors allow attackers potential insight into your server's + # layout and contents + error_page 403 = 404; + + # It's always good to set logs, note however you cannot turn off the error log + # setting error_log off; will simply create a file called 'off'. + access_log /var/log/nginx/example.com.access.log; + error_log /var/log/nginx/example.com.error.log; + + # Add trailing slash to */wp-admin requests. + rewrite /wp-admin$ $scheme://$host$uri/ permanent; + + location / { + # This try_files directive is used to enable pretty, SEO-friendly URLs + # and permalinks for Wordpress. Leave it *off* to start with, and then + # turn it on once you've gotten Wordpress configured! + try_files $uri $uri/ /index.php?$args; + } + + # Option to create password protected directory + # http://www.howtoforge.com/basic-http-authentication-with-nginx + # location /admin { + # auth_basic "Administrator Login"; + # auth_basic_user_file /var/www/domain.com/admin/.htpasswd; + # } + + # Do not log access to these to keep the logs cleaner + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /apple-touch-icon.png { + log_not_found off; + access_log off; + } + + location = /apple-touch-icon-precomposed.png { + log_not_found off; + access_log off; + } + + # This block will catch static file requests, such as images, css, js + # The ?: prefix is a 'non-capturing' mark, meaning we do not require + # the pattern to be captured into $1 which should help improve performance + location ~* \.(?:3gp|gif|jpg|jpe?g|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff)$ { + # Some basic cache-control for static files to be sent to the browser + expires max; + add_header Pragma public; + add_header Cache-Control "public, must-revalidate, proxy-revalidate"; + } + + # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). + # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) + location ~ /\. { + access_log off; + log_not_found off; + deny all; + } + + location ~ ~$ { + access_log off; + log_not_found off; + deny all; + } + + # Common deny or internal locations, to help prevent access to areas of + # the site that should not be public + location ~* wp-admin/includes { + deny all; + } + + location ~* wp-includes/theme-compat/ { + deny all; + } + + location ~* wp-includes/js/tinymce/langs/.*\.php { + deny all; + } + + location /wp-content/ { + internal; + } + + # Deny access to any files with a .php extension in the uploads directory + # Works in sub-directory installs and also in multisite network + # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) + location ~* /(?:uploads|files)/.*\.php$ { + deny all; + } + + # Make sure these get through, esp with dynamic WP sitmap plugin + location = /robots.txt { + try_files $uri /index.php; + } + + location = /sitemap.xml { + try_files $uri /index.php; + } + + location = /sitemap.xml.gz { + try_files $uri /index.php; + } + + # Fix for Firefox issue with cross site font icons + location ~* \.(eot|otf|ttf|woff)$ { + add_header Access-Control-Allow-Origin *; + } + + # Redirect server error pages to the static page /50x.html + # Make sure 50x.html exists at that location + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + # Cache everything by default + set $skip_cache 0; + + # POST requests and urls with a query string should always go to PHP + if ($request_method = POST) { + set $skip_cache 1; + } + if ($query_string != "") { + set $skip_cache 1; + } + + # Don't cache uris containing the following segments + if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") { + set $skip_cache 1; + } + + # Don't use the cache for logged in users or recent commenters + if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") { + set $skip_cache 1; + } + + # Pass all .php files onto a php-fpm/php-fcgi server. + location ~ [^/]\.php(/|$) { + # regex to split $uri to $fastcgi_script_name and $fastcgi_path + fastcgi_split_path_info ^(.+\.php)(/.+)$; + + # Check that the PHP script exists before passing it + try_files $fastcgi_script_name =404; + + # Bypass the fact that try_files resets $fastcgi_path_info + # see: http://trac.nginx.org/nginx/ticket/321 + set $path_info $fastcgi_path_info; + fastcgi_param PATH_INFO $path_info; + + fastcgi_pass unix:/var/run/example.com.sock; + fastcgi_index index.php; + # Uncomment if site is HTTPS + #fastcgi_param HTTPS on; + include fastcgi.conf; + + fastcgi_cache_bypass $skip_cache; + fastcgi_no_cache $skip_cache; + + fastcgi_cache WORDPRESS; + fastcgi_cache_valid 60m; + } + + location ~ /purge(/.*) { + fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1"; + } + + # Use this block if PHPMyAdmin is enabled for this domain + location /phpmyadmin { + root /usr/share/; + index index.php index.html index.htm; + + location ~ ^/phpmyadmin/(.+\.php)$ { + try_files $uri =404; + root /usr/share/; + fastcgi_pass unix:/var/run/example.com.sock; + fastcgi_index index.php; + include fastcgi.conf; + } + + location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ { + root /usr/share/; + } + } + + location /phpMyAdmin { + rewrite ^/* /phpmyadmin last; + } + # End PHPMyAdmin block + +} # End of server block.