Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
73 lines (59 sloc) 2.3 KB
# common config file for nginx
root /elabftw/web;
index index.php;
# fix 502 error "upstream sent too big header"
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
# custom error pages
error_page 400 /error-pages/400.html;
error_page 401 /error-pages/401.html;
error_page 402 /error-pages/402.html;
error_page 403 /error-pages/403.html;
error_page 404 /error-pages/404.html;
error_page 500 /error-pages/500.html;
error_page 501 /error-pages/501.html;
error_page 502 /error-pages/502.html;
error_page 503 /error-pages/503.html;
error_page 520 /error-pages/520.html;
error_page 521 /error-pages/521.html;
error_page 533 /error-pages/533.html;
# overwritten by if needed
#real_ip_header X-Forwarded-For;
# only allow GET, HEAD and POST methods
if ($request_method !~ ^(GET|HEAD|POST)$) {
return 405;
location /error-pages/ {
alias /etc/nginx/error-pages/;
location / {
try_files $uri $uri/ =404;
# deny access to hidden files/folders
location ~ /\. { access_log off; log_not_found off; deny all; }
# disable access log for assets
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
access_log off;
# to use the RESTful api
location ~ ^/api/v1/(.*)/?$ {
rewrite /api/v1/(.*)$ /app/controllers/ApiController.php?req=$1? last;
# php is passed to php-fpm
location ~ \.php$ {
include /etc/nginx/fastcgi.conf;
fastcgi_index index.php;
if (-f $request_filename) {
fastcgi_pass unix:/var/run/php-fpm.sock;
# security headers
add_header Strict-Transport-Security "max-age=63072000;";
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self' blob:; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'";
add_header Referrer-Policy "no-referrer";
add_header Feature-Policy "autoplay 'none'; camera 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; microphone 'none'; midi 'none'; payment 'none'; vr 'none'";
You can’t perform that action at this time.