translatewiki.net

# file managed by puppet

map $cookie_env $env {
	default w;
	x       x;
}

map $http_accept $webp {
	default     "";
	~image/webp .webp;
}

server {
	listen 80 default_server;
	listen [2a03:4000:39:55d:5400:a2ff:fe21:b3ea]:80;
	server_name translatewiki.net;
	return 301 https://$host$request_uri;
}

server {
	listen 443 ssl default_server deferred http2;
	listen [2a03:4000:39:55d:5400:a2ff:fe21:b3ea]:443 default_server deferred ssl http2;

	include includes/ssl-certbot.conf;

	server_name translatewiki.net;
	root /www/$host/docroot;

	rewrite ^/$ /$env/index.php;
	rewrite ^/wiki /$env/index.php;
	rewrite ^/sitemap$ "/$env/index.php?title=Special:RecentChanges&translations=&feed=atom";
	# No-op if using the default environment, but required for the 'internal' rules to work
	rewrite ^/w/(.*) /$env/$1;

	# Prevent direct access to /x. It can only be accessed through the above rewrites
	location /x {
		internal;
	}
	location ~ ^/[xw]/(cache|config|docs|includes|languages|maintenance|mw-config|tests|vendor)/ {
		deny all;
	}

	# Allowed php files, case sensitive
	location ~ ^/[xw]/(i|index|load|api|opensearch_desc|rest|webfiles/jserror)\.php {
		limit_req zone=perip burst=60 delay=20;

		fastcgi_pass php;
		fastcgi_buffering off;
		fastcgi_buffers 16 16k;
		fastcgi_connect_timeout 1s;
		fastcgi_send_timeout 2s;
		fastcgi_read_timeout 15s;
		include fastcgi.conf;
		internal;
	}

	# Deny access to all php files except those above
	location ~* \.php$ {
		deny all;
	}

	location ~* ^/static/mainpage/.*\.jpg$ {
		expires 2M;
		# Note: all other add_header calls are ignored. There is one in ssl.conf that is not mandatory
		add_header Vary Accept;
		try_files $uri$webp $uri =404;
	}

	location ~* \.(png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|webp)$ {
		expires 2M;
	}

	location /static/translation-dump {
		autoindex on;
	}

	error_page 500 502 503 504 /error.html;
	location = /error.html {
		root /www/error;
		internal;
	}
}