nginx.conf.j2 3.02 KB
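# Plain-HTTP vhost. It serves nothing itself: apart from whatever
# snippets/letsencrypt.conf defines, every request is redirected to the HTTPS
# vhost for the same domain.
server {
    listen 80;
    listen [::]:80;

    server_name  {{ fluxbb_domain }};

    access_log   /var/log/nginx/{{ fluxbb_domain }}/access.log;
    error_log    /var/log/nginx/{{ fluxbb_domain }}/error.log;

    # NOTE(review): presumably exposes the ACME http-01 challenge path over
    # plain HTTP; the snippet is not part of this template - confirm.
    include snippets/letsencrypt.conf;

    location / {
        # Redirect with the request line exactly as the client sent it.
        # `return` avoids running a regex on every request and avoids building
        # the Location header from a capture of the decoded, normalised URI.
        return 301 https://{{ fluxbb_domain }}$request_uri;
    }
}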

# Rate limiter to stop abuse of the RSS feed.
# Sustained rate is 1 request per minute per client address; the burst
# allowance is set where the zone is applied (the limit_req directive in the
# location block below).
# The key is $binary_remote_addr, i.e. the address of the directly connected
# peer. NOTE(review): if this server is ever placed behind a reverse proxy or
# CDN, all clients would share one bucket unless the real client address is
# restored first - confirm the deployment.
limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;
# Rate limiter for the forum search: 1 request per second per client address,
# tracked in a 10 MB shared-memory zone. The burst allowance is set by the
# limit_req directive that references this zone.
limit_req_zone $binary_remote_addr zone=searchlimit:10m rate=1r/s;
# Answer rate-limited requests with 429 Too Many Requests instead of nginx's
# default 503, so throttling is distinguishable from a backend outage in logs
# and monitoring.
limit_req_status 429;

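# HTTPS vhost for the FluxBB forum.
#
# Location matching order matters for the access rules below: nginx first
# tries exact (=) matches, then finds the longest prefix match; a ^~ prefix
# ends the search there, otherwise the regex (~) locations are tried in file
# order and the first one that matches wins.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name {{ fluxbb_domain }};
    root {{ fluxbb_dir }};
    index index.php;

    access_log /var/log/nginx/{{ fluxbb_domain }}/access.log;
    error_log /var/log/nginx/{{ fluxbb_domain }}/error.log;

    # NOTE(review): no ssl_protocols / ssl_ciphers / ssl_stapling / HSTS header
    # is set in this block - presumably configured at http level; confirm.
    ssl_certificate      /etc/letsencrypt/live/{{ fluxbb_domain }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ fluxbb_domain }}/privkey.pem;
    # CA chain nginx uses to verify OCSP responses when stapling is enabled.
    ssl_trusted_certificate /etc/letsencrypt/live/{{ fluxbb_domain }}/chain.pem;

    # Never serve repository metadata from the web root. ^~ makes this prefix
    # final, so the rule does not depend on which regex locations exist below.
    location ^~ /.git {
        deny all;
    }

    # Search is expensive: 1 r/s per client, up to 10 excess requests are
    # queued and delayed to that rate, anything beyond is rejected with the
    # status set by limit_req_status.
    location = /search.php {
        limit_req zone=searchlimit burst=10;
        fastcgi_pass   unix:/run/php-fpm/fluxbb.socket;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_param  HTTPS            on;
        include        fastcgi_params;
    }

    # RSS/extern feed: 1 r/m per client; up to 10 excess requests are served
    # immediately (nodelay), further ones are rejected until the bucket drains.
    # Exact match, like /search.php. An unanchored regex here would be the
    # first regex location in the file and would claim any URI that merely
    # contains "/extern.php" before the deny rules below are consulted, handing
    # that path to PHP-FPM as SCRIPT_FILENAME.
    location = /extern.php {
        limit_req zone=rsslimit burst=10 nodelay;
        fastcgi_pass   unix:/run/php-fpm/fluxbb.socket;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_param  HTTPS            on;
        include        fastcgi_params;
    }

    # Top-level PHP files that must not be requested directly.
    # `return 403` runs in the rewrite phase and therefore answers before
    # `deny all` is evaluated; both are kept as in the original.
    location ~ ^/(?:config|header|footer)\.php {
        log_not_found off;
        deny all;
        return 403;
    }

    # Internal directories. The pattern is unanchored, so it matches any URI
    # containing one of these names after a slash; that over-matching fails
    # closed (403).
    location ~ /(cache|include|lang|plugins) {
        log_not_found off;
        deny all;
        return 403;
    }

    # Static assets, cached by clients for 7 days. ^~ stops the regex
    # locations from being tried, so nothing under these prefixes is passed
    # to PHP-FPM.
    # NOTE(review): add_header in a location replaces, rather than extends,
    # any add_header inherited from the server/http level, so headers set
    # there (e.g. HSTS, if any) are not sent for these responses - confirm
    # that is intended.
    location ^~ /style/ {
        expires 7d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location ^~ /img/ {
        expires 7d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    # Installer and database updater: reachable only with HTTP basic auth.
    # Anchored with $ so that only these two scripts themselves match, in line
    # with the generic PHP handler below.
    location ~ ^/(?:db_update|install)\.php$ {
        auth_basic "Administration";
        auth_basic_user_file auth/{{ fluxbb_domain }};
        fastcgi_pass   unix:/run/php-fpm/fluxbb.socket;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_param  HTTPS            on;
        include        fastcgi_params;
    }

    # Generic handler: only *.php files directly in the web root. The pattern
    # is anchored at both ends, so URIs with further path segments are never
    # handed to PHP-FPM.
    location ~ ^/[^/]+\.php$ {
        fastcgi_pass   unix:/run/php-fpm/fluxbb.socket;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_param  HTTPS            on;
        include        fastcgi_params;
    }
}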