From a850434387abb8aed7e94453771c7b038827b7c8 Mon Sep 17 00:00:00 2001
From: phelixbtc
Date: Tue, 9 Dec 2014 13:39:46 +0100
Subject: [PATCH 1/2] Nginx Conf Initial Version
---
 nginx/default | 120 +++++++++++++++++++++++++++++++++++++++++++++++
 nginx/nginx.conf | 97 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 217 insertions(+)
 create mode 100644 nginx/default
 create mode 100644 nginx/nginx.conf
diff --git a/nginx/default b/nginx/default
new file mode 100644
index 00000000000..14097e3f9f4
--- /dev/null
+++ b/nginx/default
@@ -0,0 +1,120 @@
+# You may add here your
+# server {
+# ...
+# }
+# statements for each of your virtual hosts to this file
+
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# http://wiki.nginx.org/Pitfalls
+# http://wiki.nginx.org/QuickStart
+# http://wiki.nginx.org/Configuration
+#
+# Generally, you will want to move this file somewhere, and start with a clean
+# file but keep this around for reference. Or just disable in sites-enabled.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+server {
+ listen 80; ## listen for ipv4; this line is default and implied
+ listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ root /usr/share/nginx/www;
+ index index.php index.html index.htm;
+
+ # Make site accessible from http://localhost/
+ server_name _;
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ /index.html;
+ # Uncomment to enable naxsi on this location
+ # include /etc/nginx/naxsi.rules
+ }
+
+ location /doc/ {
+ alias /usr/share/doc/;
+ autoindex on;
+ allow 127.0.0.1;
+ allow ::1;
+ deny all;
+ }
+
+ # Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
+ #location /RequestDenied {
+ # proxy_pass http://127.0.0.1:8080;
+ #}
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ #error_page 500 502 503 504 /50x.html;
+ #location = /50x.html {
+ # root /usr/share/nginx/www;
+ #}
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ #
+ location ~ \.php$ {
+ # fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+ #
+ # # With php5-cgi alone:
+ # fastcgi_pass 127.0.0.1:9000;
+ # # With php5-fpm:
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ }
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ location ~ /\.ht {
+ deny all;
+ }
+}
+
+
+# another virtual host using mix of IP-, name-, and port-based configuration
+#
+#server {
+# listen 8000;
+# listen somename:8080;
+# server_name somename alias another.alias;
+# root html;
+# index index.html index.htm;
+#
+# location / {
+# try_files $uri $uri/ =404;
+# }
+#}
+
+
+# HTTPS server
+#
+#server {
+# listen 443;
+# server_name localhost;
+#
+# root html;
+# index index.html index.htm;
+#
+# ssl on;
+# ssl_certificate cert.pem;
+# ssl_certificate_key cert.key;
+#
+# ssl_session_timeout 5m;
+#
+# ssl_protocols SSLv3 TLSv1;
+# ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
+# ssl_prefer_server_ciphers on;
+#
+# location / {
+# try_files $uri $uri/ =404;
+# }
+#}
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 00000000000..2ea27ca2434
--- /dev/null
+++ b/nginx/nginx.conf
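Review bot: The commented HTTPS template at the end of nginx/default still lists `ssl_protocols SSLv3 TLSv1;` and a cipher string that admits `LOW`, `EXP` and `RC4`, so uncommenting it as-is would enable a TLS setup open to protocol downgrade and weak-cipher negotiation, while the only active listener is plain `listen 80`. I would change the two template lines to `ssl_protocols TLSv1.2;` (adding TLSv1.3 where the nginx/OpenSSL build supports it) and `ssl_ciphers HIGH:!aNULL:!MD5;` before the block is ever enabled. Separately, the live `location ~ \.php$` block passes every URI ending in `.php` to php5-fpm with no `try_files $uri =404;`, so it relies on `cgi.fix_pathinfo = 0` being set in php.ini as the commented note says; patch 2/2 narrows that location.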
@@ -0,0 +1,97 @@
+user www-data;
+worker_processes 4;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ charset utf-8;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 2;
+ proxy_read_timeout 50;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/x-javascri pt text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # nginx-naxsi config
+ ##
+ # Uncomment it if you installed nginx-naxsi
+ ##
+
+ #include /etc/nginx/naxsi_core.rules;
+
+ ##
+ # nginx-passenger config
+ ##
+ # Uncomment it if you installed nginx-passenger
+ ##
+
+ #passenger_root /usr;
+ #passenger_ruby /usr/bin/ruby;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ #include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
From 51484d5cc3386cba5c18d93f92934f87d6cafff3 Mon Sep 17 00:00:00 2001
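Review bot: `server_tokens off;` is left commented out in the Basic Settings section, so nginx will report its exact version in the `Server` header and on its default error pages, which makes it easier to match the host against known-vulnerable releases. Uncomment the line so it reads `server_tokens off;`. The wildcard in `include /etc/nginx/sites-enabled/*;` has no `.conf` filter, so it deserves a comment such as `# NOTE: loads every file in this directory, including editor backups - keep it clean`.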
From: phelixbtc Date: Tue, 9 Dec 2014 15:08:28 +0100 Subject: [PATCH 2/2] Strict file filtering (hopefully) --- nginx/default | 30 ++++++------------------------ 1 file changed, 6 insertions(+), 24 deletions(-) diff --git a/nginx/default b/nginx/default index 14097e3f9f4..8fd7479327b 100644 --- a/nginx/default +++ b/nginx/default @@ -28,38 +28,20 @@ server { server_name _; location / { - # First attempt to serve request as file, then - # as directory, then fall back to displaying a 404. - try_files $uri $uri/ /index.html; - # Uncomment to enable naxsi on this location - # include /etc/nginx/naxsi.rules + deny all; } - location /doc/ { - alias /usr/share/doc/; - autoindex on; - allow 127.0.0.1; - allow ::1; - deny all; + location = / { + index index.php; } - # Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests - #location /RequestDenied { - # proxy_pass http://127.0.0.1:8080; - #} + location ~ (\.css|\.jpg|\.png|\.exe|\.zip)$ { + } #error_page 404 /404.html; - # redirect server error pages to the static page /50x.html - # - #error_page 500 502 503 504 /50x.html; - #location = /50x.html { - # root /usr/share/nginx/www; - #} - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # - location ~ \.php$ { + location ~ ^(/index\.php|/indexsnow\.php)$ { # fastcgi_split_path_info ^(.+\.php)(/.+)$; # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini #
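Review bot: The allowlist `location ~ (\.css|\.jpg|\.png|\.exe|\.zip)$ { }` is anchored only at the end, so it serves any file with one of those extensions at any depth under the root, including a stray backup archive or a file inside a dot-directory, and because the match is case-sensitive a name such as `logo.PNG` falls through to `deny all`. If the published files live in one known directory (not visible from this hunk), a prefix location for that directory is stricter than an extension match; otherwise anchor the pattern and refuse dot-segments, e.g. `location ~ ^(/[^/.][^/]*)+\.(css|jpg|png|exe|zip)$ {`. The `.exe` and `.zip` downloads are served by the plain `listen 80` server from patch 1/2, so users need checksums or signatures published over an authenticated channel to verify them. The body of the `location ~ ^(/index\.php|/indexsnow\.php)$` block continues past the end of this hunk.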