Skip to content
Permalink
master
Switch branches/tags
Go to file
 
 
Cannot retrieve contributors at this time
# common config file for nginx
root /elabftw/web;
index index.php;
# fix 502 error "upstream sent too big header"
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
# fix 504 errors "timeout"
fastcgi_read_timeout 600s;
# custom error pages
error_page 400 /error-pages/400.html;
error_page 401 /error-pages/401.html;
error_page 402 /error-pages/402.html;
error_page 403 /error-pages/403.html;
error_page 404 /error-pages/404.html;
error_page 500 /error-pages/500.html;
error_page 501 /error-pages/501.html;
error_page 502 /error-pages/502.html;
error_page 503 /error-pages/503.html;
error_page 520 /error-pages/520.html;
error_page 521 /error-pages/521.html;
error_page 533 /error-pages/533.html;
# overwritten by run.sh if needed
#%REAL_IP_CONF%
#real_ip_header X-Forwarded-For;
# whitelist allowed methods
if ($request_method !~ ^(GET|HEAD|POST|DELETE)$) {
return 405;
}
location /error-pages/ {
alias /etc/nginx/error-pages/;
internal;
}
# add a healthcheck endpoint for nginx
# 204 is OK No Content
location /healthcheck {
access_log off;
return 204;
}
location / {
try_files $uri $uri/ =404;
}
# deny access to hidden files/folders
location ~ /\. { access_log off; log_not_found off; deny all; }
# assets configuration
location ~* \.(js|css|png|jpg|jpeg|gif|ico|map|woff|svg)$ {
access_log off;
log_not_found off;
expires 1y;
more_set_headers "Cache-Control: public, no-transform";
more_clear_headers Feature-Policy X-XSS-Protection;
# for not js|svg, also remove the CSP header
location ~* \.(css|png|jpg|jpeg|gif|ico|map|woff)$ {
more_clear_headers Content-Security-Policy;
}
}
# to use the RESTful api
location ~ ^/api/v1/(.*)/?$ {
rewrite /api/v1/(.*)$ /app/controllers/ApiController.php?req=$uri&args=$args last;
}
# php is passed to php-fpm
location ~ \.php$ {
include /etc/nginx/fastcgi.conf;
fastcgi_index index.php;
log_not_found off;
if (-f $request_filename) {
fastcgi_pass unix:/var/run/php-fpm.sock;
}
}
# security headers
more_set_headers "Strict-Transport-Security: max-age=63072000";
more_set_headers "X-XSS-Protection: 0";
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "Content-Security-Policy: default-src 'self' data:; script-src 'self' %UNSAFE-EVAL4DEV%; connect-src 'self' blob: https://get.elabftw.net; img-src 'self' data: blob: https://www.cornify.com; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'self'; base-uri 'none'; frame-ancestors 'none'";
more_set_headers "Referrer-Policy: no-referrer";
more_set_headers "Feature-Policy: autoplay 'none'; camera 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; microphone 'none'; midi 'none'; payment 'none'; vr 'none'";
more_set_headers "Vary: Accept-Encoding";