-
-
Notifications
You must be signed in to change notification settings - Fork 32
/
common.conf
146 lines (129 loc) · 4.83 KB
/
common.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
# common config file for nginx
root /elabftw/web;
index index.php;
# fix 502 error "upstream sent too big header"
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
# fix 504 errors "timeout"
fastcgi_read_timeout 600s;
# custom error pages
error_page 400 /error-pages/400.html;
error_page 401 /error-pages/401.html;
error_page 402 /error-pages/402.html;
error_page 403 /error-pages/403.html;
error_page 404 =404 /error-pages/404.html;
error_page 500 /error-pages/500.html;
error_page 501 /error-pages/501.html;
error_page 502 /error-pages/502.html;
error_page 503 /error-pages/503.html;
error_page 520 /error-pages/520.html;
error_page 521 /error-pages/521.html;
error_page 533 /error-pages/533.html;
# overwritten by prepare.sh if needed
#%REAL_IP_CONF%
#real_ip_header X-Forwarded-For;
#real_ip_recursive on;
# whitelist allowed methods
if ($request_method !~ ^(GET|HEAD|POST|DELETE|OPTIONS|PATCH)$) {
return 405;
}
# disable logging for 404 errors
location = /error-pages/404.html {
access_log off;
log_not_found off;
alias /etc/nginx/error-pages/404.html;
internal;
}
location /error-pages/ {
alias /etc/nginx/error-pages/;
internal;
}
# add a healthcheck endpoint for nginx
# 204 is OK No Content
location = /healthcheck {
access_log off;
return 204;
}
# same for php: replies with 200
location = /php-ping {
access_log off;
include /etc/nginx/fastcgi.conf;
fastcgi_pass unix:/run/php-fpm.sock;
}
# the php-status page is protected
location = /php-status {
access_log off;
auth_basic "Show Me What You Got";
auth_basic_user_file /etc/nginx/passwords;
include /etc/nginx/fastcgi.conf;
fastcgi_pass unix:/run/php-fpm.sock;
}
# the nginx status page, protected with same credentials as php-status
# https://nginx.org/en/docs/http/ngx_http_stub_status_module.html
location = /nginx-status {
access_log off;
auth_basic "Show Me What You Got";
auth_basic_user_file /etc/nginx/passwords;
stub_status;
}
# deny access to hidden files/folders
location ~ /\. { access_log off; log_not_found off; deny all; }
# assets configuration
location ~* \.(js|css|png|jpg|jpeg|gif|ico|map|ttf|txt|woff|woff2|svg|webmanifest)$ {
access_log off;
log_not_found off;
expires 1y;
more_set_headers "Cache-Control: public, no-transform";
more_clear_headers Feature-Policy X-XSS-Protection;
# for not js|svg, also remove the CSP header
location ~* \.(css|png|jpg|jpeg|gif|ico|map|woff|woff2)$ {
more_clear_headers Content-Security-Policy;
}
}
# REST API v1
location ~ ^/api/v1/(.*)/?$ {
rewrite /api/v1/(.*)$ /app/controllers/ApiController.php?req=$uri&args=$args last;
}
# REST API v2
location ~ ^/api/v2/(.*)/?$ {
rewrite /api/v2/(.*)$ /app/controllers/ApiController.php?req=$uri last;
}
# silence the healthcheck.php endpoint but redirect to php
location = /healthcheck.php {
access_log off;
include /etc/nginx/fastcgi.conf;
fastcgi_pass unix:/run/php-fpm.sock;
}
# we whitelist the php files that can be processed by php-fpm
location ~ ^/(%PHP_FILES_NGINX_ALLOWLIST%)$|^/$ {
include /etc/nginx/fastcgi.conf;
fastcgi_index index.php;
log_not_found off;
if (-f $request_filename) {
fastcgi_pass unix:/run/php-fpm.sock;
}
}
# for all the requests that don't match, return 404, but don't pollute the logs with it
location / {
return 404;
}
# security headers
more_set_headers "Strict-Transport-Security: max-age=63072000";
more_set_headers "X-XSS-Protection: 0";
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "Content-Security-Policy: default-src 'self' data:; script-src 'self' %UNSAFE-EVAL4DEV%; connect-src 'self' blob: https://get.elabftw.net; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'self'; base-uri 'none'; frame-ancestors 'none'";
more_set_headers "Referrer-Policy: no-referrer";
more_set_headers "Permissions-Policy: autoplay 'none'; camera 'self'; document-domain 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; microphone 'self'; midi 'none'; payment 'none'; vr 'none'";
more_set_headers "Vary: Accept-Encoding";
more_set_headers "Server: %SERVER_HEADER%";
# optional Access-Control-Allow-Origin header
%ACAO_HEADER%
# optional Access-Control-Allow-Methods header
%ACAM_HEADER%
# optional Access-Control-Allow-Headers header
%ACAH_HEADER%
# this one is only used for CORS but let's leave it there, it doesn't hurt
more_set_headers "Access-Control-Allow-Credentials: true";
# this one is only used for CORS, we might make it user configurable if necessary, but it makes sense to hard code what we have and want to expose
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
more_set_headers "Access-Control-Expose-Headers: Location, Content-Encoding, Content-Disposition, Cache-Control";