* Moved php-fpm status to a geo block setup.

commit 370f528e43630b3e3c986e85047bb193567933d6 1 parent 9dd388e
@perusio perusio authored
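--- a/README.md
+++ b/README.md
@@ -518,6 +518,10 @@ This is strictly a **drupal 6** issue.
 of IP addresses. In the suggested configuration only from
 localhost and non-routable IPs of the 192.168.1.0 network.
+The allowed hosts are defined in a geo block in file
+`php_fpm_status_allowed_hosts.conf`. You should edit the predefined
+IP addresses to suit your setup.
+
 To enable the status and ping pages uncomment the line in the
 `example.com.conf` virtual host configuration file.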
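--- a/nginx.conf
+++ b/nginx.conf
@@ -42,14 +42,14 @@ http {
 limit_zone arbeit $binary_remote_addr 1m;
 ## Timeouts.
-client_body_timeout 60;
+client_body_timeout 60;
 client_header_timeout 60;
 keepalive_timeout 10 10;
 send_timeout 60;
 ## Reset lingering timed out connections. Deflect DDoS.
 reset_timedout_connection on;
-
+
 ## Body size.
 client_max_body_size 10m;
@@ -84,7 +84,7 @@ http {
 ## http://nginx.org/pipermail/nginx/2010-November/023736.html.
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;
-
+
 ## For the filefield_nginx_progress module to work. From the
 ## README. Reserve 1MB under the name 'uploads' to track uploads.
 upload_progress uploads 1m;
@@ -102,9 +102,13 @@ http {
 #include reverse_proxy.conf;
 #include upstream_phpapache.conf;
+## Include the php-fpm status allowed hosts configuration block.
+## Uncomment to enable if you're running php-fpm.
+#include php_fpm_status_allowed_hosts.conf;
+
 ## Include blacklist for bad bot and referer blocking.
 include blacklist.conf;
-
-## Include all vhosts.
+
+## Include all vhosts.
 include /etc/nginx/sites-enabled/*;
 }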
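Review bot: The include added as `#include php_fpm_status_allowed_hosts.conf;` and the vhost include renamed in sites-available/example.com.conf (`#include php_fpm_status_vhost.conf;`) must be uncommented together, and the comment above the new line does not say so. The vhost file tests `$dont_show_fpm_status`, which only this geo block defines; enabling the vhost include alone will, as far as I can tell, make nginx reject the configuration with an unknown-variable error at load time, while enabling only this include silently leaves the status pages disabled. I would extend the comment to `## Uncomment to enable if you're running php-fpm. Must be enabled together with the php_fpm_status_vhost.conf include in the vhost, which depends on $dont_show_fpm_status.`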
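--- /dev/null
+++ b/php_fpm_status_allowed_hosts.conf
@@ -0,0 +1,9 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Configuration of php-fpm status and ping pages. Here we define the
+### allowed hosts using the Geo Module. http://wiki.nginx.org/HttpGeoModule
+
+geo $dont_show_fpm_status {
+default 1;
+127.0.0.1 0; # allow on the loopback
+192.168.1.0/24 0; # allow on an internal network
+}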
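Review bot: The geo block keys on the connection's `$remote_addr` by default, and nothing in the file says what that means when nginx sits behind a proxy or load balancer: a forwarding proxy inside `192.168.1.0/24` would make every request it relays match the `0` entry, so the php-fpm status and ping pages would be reachable by whatever that proxy forwards. This was equally true of the `allow`/`deny` lists the commit replaces, but this file is now the single place operators edit, so it is where the caveat belongs. I would add above the `default 1;` line: `# Matches on $remote_addr; behind a proxy use the geo "proxy" directive (or the realip module) so the allow-list applies to the client, not the proxy.` The deny-by-default `default 1;` is the right shape and needs no change.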
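--- a/php_fpm_status.conf
+++ b/php_fpm_status_vhost.conf
@@ -1,6 +1,7 @@
 # -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
 ### The configuration for the status pages of php-fpm. As described in
-### http://www.php.net/manual/en/install.fpm.configuration.php.
+### http://www.php.net/manual/en/install.fpm.configuration.php.
 ### php-fpm provides a status and a heartbeat page that is served through the web server.
 ### Here's an example configuration for them.
@@ -10,20 +11,20 @@
 ## allowed. Non authorized access returns a 404 through the error_page
 ## directive.
 location = /fpm-status {
+if ($dont_show_fpm_status) {
+return 404;
+}
+
 fastcgi_pass phpcgi;
-allow 127.0.0.1;
-allow 192.168.1.0/24;
-error_page 403 =404;
-deny all;
 }
 ## The ping page is at /ping and returns the string configured at the php-fpm level.
 ## Also only local network connections (loopback and LAN) are permitted.
 location = /ping {
+if ($dont_show_fpm_status) {
+return 404;
+}
+
 fastcgi_pass phpcgi;
-allow 127.0.0.1;
-allow 192.168.1.0/24;
-error_page 403 =404;
-deny all;
 }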
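Review bot: The context comment `## allowed. Non authorized access returns a 404 through the error_page` is now stale: the hunk deletes the `error_page 403 =404;` and `deny all;` lines, and the 404 is produced directly by `return 404;` inside the `if ($dont_show_fpm_status)` guard. Likewise the comment above `location = /ping` still promises "only local network connections (loopback and LAN)", but the permitted ranges now live in `php_fpm_status_allowed_hosts.conf` and are meant to be edited. I would reword the first to `## Non authorized access gets a 404 via the $dont_show_fpm_status geo variable defined in php_fpm_status_allowed_hosts.conf.` and the second to `## Only the hosts allowed in php_fpm_status_allowed_hosts.conf are permitted.` An `if` whose only action is a bare `return` is the form nginx's own guidance treats as safe inside a location, so the guard itself looks fine.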
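--- a/sites-available/example.com.conf
+++ b/sites-available/example.com.conf
@@ -7,6 +7,7 @@ server {
 ## rewriting. See http://wiki.nginx.org/Pitfalls#Server_Name.
 server_name www.example.com;
 rewrite ^ $scheme://example.com$request_uri? permanent;
+
 } # server domain rewrite.
@@ -29,7 +30,7 @@ server {
 if ($bad_referer) {
 return 444;
 }
-
+
 ## Filesystem root of the site and index.
 root /var/www/sites/example.com;
 index index.php;
@@ -80,8 +81,8 @@ server {
 ### the configuration below.
 #################################################################
 #include sites-available/drupal_cron_update.conf;
-
-
+
+
 ## For upload progress to work. From the README of the
 ## filefield_nginx_progress module.
 location ~ (.*)/x-progress-id:(\w*) {
@@ -94,7 +95,7 @@ server {
 ## Including the php-fpm status and ping pages config.
 ## Uncomment to enable if you're running php-fpm.
-#include php_fpm_status.conf;
+#include php_fpm_status_vhost.conf;
 } # HTTP server
@@ -111,7 +112,7 @@ server {
 ## Keep alive timeout set to a greater value for SSL/TLS.
 keepalive_timeout 75 75;
-
+
 ## Disable all methods besides HEAD, GET and POST.
 if ($request_method !~ ^(GET|HEAD|POST)$ ) {
 return 444;
@@ -121,7 +122,7 @@ server {
 ## Server certificate and key.
 ssl_certificate /etc/ssl/certs/example-cert.pem;
 ssl_certificate_key /etc/ssl/private/example.key;
-
+
 ## Strict Transport Security header for enhanced security. See
 ## http://www.chromium.org/sts. I've set it to 2 hours; set it to
 ## whichever age you want.
@@ -186,7 +187,7 @@ server {
 ### the configuration below.
 #################################################################
 #include sites-available/drupal_cron_update.conf;
-
+
 ## For upload progress to work. From the README of the
 ## filefield_nginx_progress module.
 location ~ (.*)/x-progress-id:(\w*) {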