* Initial commit.

0 parents commit c4dc54bb7ac6efe8ba63beeac14efc13fae6710c @perusio committed Jan 24, 2011
Showing with 978 additions and 0 deletions.
  1. +209 −0 README.md
  2. +9 −0 fastcgi.conf
  3. +24 −0 fastcgi_params
  4. +109 −0 koi-utf
  5. +103 −0 koi-win
  6. +77 −0 mime.types
  7. +88 −0 nginx.conf
  8. +94 −0 sites-available/chive.example.com
  9. +19 −0 sites-available/default
  10. +120 −0 sites-available/secure.chive.example.com
  11. +126 −0 win-utf
209 README.md
@@ -0,0 +1,209 @@
+# Nginx configuration for Chive
+
+## Introduction
+
+ This is a nginx configuration for running [Chive](http://chive-project.com "Chive").
+
+ **Chive** is a next generation tool for managing a MySQL database
+ through a web interface.
+
+ It's much better than phpMyAdmin, be it in terms of functionality
+ and user experience, no to mention security. phpMyAdmin it's
+ problably one of the most insecure web apps out there.
+
+ It assumes that the domain affect to Piwik is `chive.example.com`.
+
+ Change accordingly to reflect your server setup.
+
+ The configuration is splitted in secure (https) and standard
+ (http).
+
+ The first is given in the file `secure.chive.example.com`. The
+ second in `chive.example.com` of the `sites-available` directory
+
+## Features
+
+ 1. Filtering of invalid HTTP `Host` headers.
+
+ 2. Access to Chive is protected using
+ [HTTP Basic Auth](http://wiki.nginx.org/NginxHttpAuthBasicModule
+ "Basic Auth Nginx Module").
+
+ 3. Protection of all directories emulating the `.htaccess` files
+ that come with Chive.
+
+ 4. Faster and more secure handling of PHP FastCGI by Nginx using
+ named groups in regular expressions instead of using
+ [fastcgi_split_path_info](http://wiki.nginx.org/HttpFcgiModule#fastcgi_split_path_info
+ "FastCGI split path info"). Requires Nginx version ≥ 0.8.25.
+
+ 5. Expire header for static assets set to the maximum.
+
+ 6. SSL/TLS configuration makes use of
+ [Strict Transport Security](http://www.cromium.org/sts "STS")
+ for protecting against MiTM attacks like
+ [sslstrip](http://www.thoughtcrime.org/software/sslstrip/ "SSL strip script").
+ 7. IPv6 and IPv4 support.
+
+## Basic Auth and HTTPS
+
+ The **recommended** way to run Chive is using https. Basic Auth is
+ **insecure** because the password can be sniffed on the wire.
+
+ Ideally you should use approved Certificate Authorities issued TLS
+ certificates. But if not then self signed certificates are
+ fine. You just have to accept the exception in your browser.
+
+ If you're on Debian there's a `make-ssl-cert(8)` command for
+ creating self signed certificates. It's included in the
+ [ssl-cert](http://packages.debian.org/sid/ssl-cert "ssl-cert debian
+ pkg") package.
+
+ If you're on Debian or any of its derivatives like Ubuntu you need
+ the
+ [apache2-utils](http://packages.debian.org/search?suite%3Dall&section%3Dall&arch%3Dany&searchon%3Dnames&keywords%3Dapache2-utils)
+ package installed. Then create your password file by issuing:
+
+ htpasswd -d -b -c .htpasswd-users <user> <password>
+
+ You should delete this command from your shell history
+ afterwards with `history -d <command number>` or alternatively
+ omit the `-b` switch, then you'll be prompted for the password.
+
+ This creates the file (there's a `-c` switch). For adding
+ additional users omit the `-c`.
+
+ Of course you can rename the password file to whatever you want,
+ then accordingly change its name in the virtual host config
+ file, `chive.example.com` or `secure.chive.example.com`.
+
+## Installation
+
+ 1. Move the old `/etc/nginx` directory to `/etc/nginx.old`.
+
+ 2. Clone the git repository from github:
+
+ `git clone https://github.com/perusio/chive-nginx.git`
+
+ 3. Edit the `sites-available/chive.example.com` or
+ `sites-available/secure.chive.example.com` configuration file to
+ suit your requirements. Namely replacing chive.example.com with
+ **your** domain.
+
+ 4. Setup the PHP handling method. It can be:
+
+ + Upstream HTTP server like Apache with mod_php
+
+ + FastCGI process using php-cgi. In this case an
+ [init script](https://github.com/perusio/php-fastcgi-debian-script
+ "Init script for php-cgi") is
+ required. This is how the server is configured out of the
+ box. It uses UNIX sockets. You can use TCP sockets if you prefer.
+
+ + [PHP FPM](http://www.php-fpm.org "PHP FPM"), this requires you
+ to configure your fpm setup, in Debian/Ubuntu this is done in
+ the `/etc/php5/fpm` directory.
+
+ Check that the socket is properly created and is listening. This
+ can be done with `netstat`, like this for UNIX sockets:
+
+ `netstat --unix -l`
+
+ `netstat -t -l`
+
+ It should display the PHP CGI socket.
+
+ 5. Create the `/etc/nginx/sites-enabled` directory and enable the
+ virtual host using one of the methods described below.
+
+ 6. Reload Nginx:
+
+ `/etc/init.d/nginx reload`
+
+ 7. Check that Chive is working by visiting the configured site
+ in your browser.
+
+ 8. Remove the `/etc/nginx.old` directory.
+
+ 9. Done.
+
+## Enabling and Disabling Virtual Hosts
+
+ I've created a shell script
+ [nginx_ensite](http://github.com/perusio/nginx_ensite) that lives
+ here on github for quick enabling and disabling of virtual hosts.
+
+ If you're not using that script then you have to **manually**
+ create the symlinks from `sites-enabled` to `sites-available`. Only
+ the virtual hosts configured in `sites-enabled` will be available
+ for Nginx to serve.
+
+
+## Getting the latest Nginx packaged for Debian or Ubuntu
+
+ I maintain a [debian repository](http://debian.perusio.net/unstable
+ "my debian repo") with the
+ [latest](http://nginx.org/en/download.html "Nginx source download")
+ version of Nginx. This is packaged for Debian **unstable** or
+ **testing**. The instructions for using the repository are
+ presented on this [page](http://debian.perusio.net/debian.html
+ "Repository instructions").
+
+ It may work or not on Ubuntu. Since Ubuntu seems to appreciate more
+ finding semi-witty names for their releases instead of making clear
+ what's the status of the software included, meaning. Is it
+ **stable**? Is it **testing**? Is it **unstable**? The package may
+ work with your currently installed environment or not. I don't have
+ the faintest idea which release to advise. So you're on your
+ own. Generally the APT machinery will sort out for you any
+ dependencies issues that might exist.
+
+## Running Chive in a subdirectory instead of a subdomain
+
+ You can run Chive in a subdirectory instead of a subdomain. Suppose
+ that you run Chive in `priv/chive`. The config is:
+
+ location /priv {
+ ## Access is restricted using Basic Auth.
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+
+ ## Chive configuration.
+ location /priv/chive {
+
+ ## Use PATH_INFO for translating the requests to the
+ ## FastCGI. This config follows Igor's suggestion here:
+ ## http://forum.nginx.org/read.php?2,124378,124582.
+ ## This is preferable to using:
+ ## fastcgi_split_path_info ^(.+\.php)(.*)$
+ ## It saves one regex in the location. Hence it's faster.
+ location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
+ include fastcgi.conf;
+ ## The fastcgi_params must be redefined from the ones
+ ## given in fastcgi.conf. No longer standard names
+ ## but arbitrary: named patterns in regex.
+ fastcgi_param SCRIPT_FILENAME $document_root$script;
+ fastcgi_param SCRIPT_NAME $script;
+ fastcgi_param PATH_INFO $path_info;
+ ## Passing the request upstream to the FastCGI
+ ## listener.
+ fastcgi_pass unix:/tmp/php-cgi/php-cgi.socket;
+ }
+
+ ## Protect these locations. Replicating the .htaccess
+ ## rules throughout the chive distro.
+ location = /priv/chive/protected {
+ internal;
+ }
+ location = /priv/chive/yii {
+ internal;
+ }
+ location = /priv/chive/yii/cli/views/webapp/themes/classic/views {
+ internal;
+ }
+ location = /priv/chive/yii/cli/views/webapp/protected {
+ internal;
+ }
+ }
+ }
+
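Review bot: the `htpasswd -d -b -c .htpasswd-users <user> <password>` line in the Basic Auth section forces crypt() hashing, which silently truncates passwords to eight characters and is the weakest scheme htpasswd offers; dropping `-d` lets htpasswd use its default MD5-based hash, e.g. `htpasswd -c .htpasswd-users <user>`. Smaller points in the same hunk: the Introduction says "the domain affect to Piwik" where Chive is meant; "splitted" should be "split" and "no to mention" should be "not to mention"; the STS link points at `cromium.org` rather than `chromium.org`; and under step 4 the `netstat -t -l` line is introduced as a UNIX-socket check but lists TCP listeners, so it should be labelled as the TCP variant. In the subdirectory example, the `location ~ ^(?<script>.+\.php)(?<path_info>.*)$` block hands `$document_root$script` to FastCGI without checking that the file exists; adding `try_files $script =404;` inside that location (or setting `cgi.fix_pathinfo=0` in php.ini) stops PHP from resolving a non-existent script path to a neighbouring file.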
@@ -0,0 +1,9 @@
+#-*- mode: nginx; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*-
+### fastcgi configuration.
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+include fastcgi_params;
+fastcgi_buffers 256 4k;
+fastcgi_intercept_errors on;
+## allow 4 hrs - pass timeout responsibility to upstrea
+fastcgi_read_timeout 14400;
+fastcgi_index index.php;
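Review bot: `fastcgi_read_timeout 14400` lets one PHP request hold an nginx worker connection open for four hours, which is far more than a database admin UI needs and makes worker-connection exhaustion by slow requests easy; a timeout on the order of a few minutes is a safer default. The comment above it is also cut off (`upstrea` should read `upstream`). Note that this file sets `SCRIPT_FILENAME` from `$fastcgi_script_name` while the README's location block overrides it with the `$script` capture; a one-line comment saying the include is meant to be overridden would avoid confusion.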
@@ -0,0 +1,24 @@
+# -*- mode: nginx; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*-
+### fastcgi parameters.
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
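Review bot: no `HTTPS` parameter is passed here, so PHP behind the `secure.chive.example.com` vhost will not see `$_SERVER['HTTPS']` unless that server block adds `fastcgi_param HTTPS on;` itself; either add it in the TLS vhost or document the requirement, since applications use that variable to build https URLs and to mark cookies as secure. The rest of the list matches the stock nginx `fastcgi_params`, and the `--enable-force-cgi-redirect` comment on `REDIRECT_STATUS` is accurate for php-cgi.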
109 koi-utf
@@ -0,0 +1,109 @@
+
+# This map is not a full koi8-r <> utf8 map: it does not contain
+# box-drawing and some other characters. Besides this map contains
+# several koi8-u and Byelorussian letters which are not in koi8-r.
+# If you need a full and standard map, use contrib/unicode2nginx/koi-utf
+# map instead.
+
+charset_map koi8-r utf-8 {
+
+ 80 E282AC ; # euro
+
+ 95 E280A2 ; # bullet
+
+ 9A C2A0 ; # &nbsp;
+
+ 9E C2B7 ; # &middot;
+
+ A3 D191 ; # small yo
+ A4 D194 ; # small Ukrainian ye
+
+ A6 D196 ; # small Ukrainian i
+ A7 D197 ; # small Ukrainian yi
+
+ AD D291 ; # small Ukrainian soft g
+ AE D19E ; # small Byelorussian short u
+
+ B0 C2B0 ; # &deg;
+
+ B3 D081 ; # capital YO
+ B4 D084 ; # capital Ukrainian YE
+
+ B6 D086 ; # capital Ukrainian I
+ B7 D087 ; # capital Ukrainian YI
+
+ B9 E28496 ; # numero sign
+
+ BD D290 ; # capital Ukrainian soft G
+ BE D18E ; # capital Byelorussian short U
+
+ BF C2A9 ; # (C)
+
+ C0 D18E ; # small yu
+ C1 D0B0 ; # small a
+ C2 D0B1 ; # small b
+ C3 D186 ; # small ts
+ C4 D0B4 ; # small d
+ C5 D0B5 ; # small ye
+ C6 D184 ; # small f
+ C7 D0B3 ; # small g
+ C8 D185 ; # small kh
+ C9 D0B8 ; # small i
+ CA D0B9 ; # small j
+ CB D0BA ; # small k
+ CC D0BB ; # small l
+ CD D0BC ; # small m
+ CE D0BD ; # small n
+ CF D0BE ; # small o
+
+ D0 D0BF ; # small p
+ D1 D18F ; # small ya
+ D2 D180 ; # small r
+ D3 D181 ; # small s
+ D4 D182 ; # small t
+ D5 D183 ; # small u
+ D6 D0B6 ; # small zh
+ D7 D0B2 ; # small v
+ D8 D18C ; # small soft sign
+ D9 D18B ; # small y
+ DA D0B7 ; # small z
+ DB D188 ; # small sh
+ DC D18D ; # small e
+ DD D189 ; # small shch
+ DE D187 ; # small ch
+ DF D18A ; # small hard sign
+
+ E0 D0AE ; # capital YU
+ E1 D090 ; # capital A
+ E2 D091 ; # capital B
+ E3 D0A6 ; # capital TS
+ E4 D094 ; # capital D
+ E5 D095 ; # capital YE
+ E6 D0A4 ; # capital F
+ E7 D093 ; # capital G
+ E8 D0A5 ; # capital KH
+ E9 D098 ; # capital I
+ EA D099 ; # capital J
+ EB D09A ; # capital K
+ EC D09B ; # capital L
+ ED D09C ; # capital M
+ EE D09D ; # capital N
+ EF D09E ; # capital O
+
+ F0 D09F ; # capital P
+ F1 D0AF ; # capital YA
+ F2 D0A0 ; # capital R
+ F3 D0A1 ; # capital S
+ F4 D0A2 ; # capital T
+ F5 D0A3 ; # capital U
+ F6 D096 ; # capital ZH
+ F7 D092 ; # capital V
+ F8 D0AC ; # capital soft sign
+ F9 D0AB ; # capital Y
+ FA D097 ; # capital Z
+ FB D0A8 ; # capital SH
+ FC D0AD ; # capital E
+ FD D0A9 ; # capital SHCH
+ FE D0A7 ; # capital CH
+ FF D0AA ; # capital hard sign
+}
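Review bot: the entry `BE D18E ; # capital Byelorussian short U` is wrong: `D18E` is the UTF-8 encoding of U+044E (small yu), which is already the value of the `C0 D18E ; # small yu` entry further down, so two KOI8 bytes decode to the same character. Capital short U is U+040E, whose UTF-8 encoding is `D08E`, consistent with the other capital entries (compare `AE D19E` for the small form). The header comment already points to `contrib/unicode2nginx/koi-utf` for the full map; nothing in the README references charset maps, so a note on where these files come from and why they are shipped would help maintainers.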