grav-lecampus/webserver-configs/nginx-ddev-site.conf

# ddev GravCMS config

# You can override ddev's configuration by placing an edited copy
# of this config (or one of the other ones) in .ddev/nginx-site.conf
# See https://ddev.readthedocs.io/en/latest/users/extend/customization-extendibility/#providing-custom-nginx-configuration

# Set https to 'on' if x-forwarded-proto is https
map $http_x_forwarded_proto $fcgi_https {
    default off;
    https on;
}

server {
    listen 80; ## listen for ipv4; this line is default and implied
    listen [::]:80 default ipv6only=on; ## listen for ipv6
    # The NGINX_DOCROOT variable is substituted with
    # its value when the container is started.
    root $NGINX_DOCROOT;
    index index.php index.htm index.html;

    # Make site accessible from http://localhost/
    server_name _;

    # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
    sendfile off;
    error_log /var/log/nginx/error.log info;
    access_log /var/log/nginx/access.log;

    location / {
        absolute_redirect off;
        try_files $uri $uri/ /index.php?$query_string;
    }

    # pass the PHP scripts to FastCGI server listening on socket
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php-fpm.sock;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_intercept_errors on;
        # fastcgi_read_timeout should match max_execution_time in php.ini
        fastcgi_read_timeout 10m;
        fastcgi_param SERVER_NAME $host;
        fastcgi_param HTTPS $fcgi_https;
    }

    # Expire rules for static content
    # Feed
    location ~* \.(?:rss|atom|cache)$ {
        expires 1h;
    }

    # Media: images, icons, video, audio, HTC
    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
    }

    # Prevent clients from accessing hidden files (starting with a dot)
    # This is particularly important if you store .htpasswd files in the site hierarchy
    # Access to `/.well-known/` is allowed.
    # https://www.mnot.net/blog/2010/04/07/well-known
    # https://tools.ietf.org/html/rfc5785
    location ~* /\.(?!well-known\/) {
        deny all;
    }

    # Prevent clients from accessing to backup/config/source files
    location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
        deny all;
    }

    ## Begin - Security
    # deny all direct access for these folders
    location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
    # deny running scripts inside core system folders
    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
    # deny running scripts inside user folder
    location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
    # deny access to specific files in the root folder
    location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
    ## End - Security


    ## provide a health check endpoint
    location /healthcheck {
        access_log off;
        stub_status     on;
        keepalive_timeout 0;    # Disable HTTP keepalive
        return 200;
    }

    error_page 400 401 /40x.html;
    location = /40x.html {
            root   /usr/share/nginx/html;
    }

    location ~ ^/(fpmstatus|ping)$ {
        access_log off;
        stub_status     on;
        keepalive_timeout 0;    # Disable HTTP keepalive
        allow 127.0.0.1;
        allow all;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/run/php-fpm.sock;
    }


}
first commit 2019-03-28 17:57:56 +01:00			`# ddev GravCMS config`

			`# You can override ddev's configuration by placing an edited copy`
			`# of this config (or one of the other ones) in .ddev/nginx-site.conf`
			`# See https://ddev.readthedocs.io/en/latest/users/extend/customization-extendibility/#providing-custom-nginx-configuration`

			`# Set https to 'on' if x-forwarded-proto is https`
			`map $http_x_forwarded_proto $fcgi_https {`
			`default off;`
			`https on;`
			`}`

			`server {`
			`listen 80; ## listen for ipv4; this line is default and implied`
			`listen [::]:80 default ipv6only=on; ## listen for ipv6`
			`# The NGINX_DOCROOT variable is substituted with`
			`# its value when the container is started.`
			`root $NGINX_DOCROOT;`
			`index index.php index.htm index.html;`

			`# Make site accessible from http://localhost/`
			`server_name _;`

			`# Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html`
			`sendfile off;`
			`error_log /var/log/nginx/error.log info;`
			`access_log /var/log/nginx/access.log;`

			`location / {`
			`absolute_redirect off;`
			`try_files $uri $uri/ /index.php?$query_string;`
			`}`

			`# pass the PHP scripts to FastCGI server listening on socket`
			`location ~ \.php$ {`
			`try_files $uri =404;`
			`fastcgi_split_path_info ^(.+\.php)(/.+)$;`
			`fastcgi_pass unix:/run/php-fpm.sock;`
			`fastcgi_buffers 16 16k;`
			`fastcgi_buffer_size 32k;`
			`fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`
			`fastcgi_param SCRIPT_NAME $fastcgi_script_name;`
			`fastcgi_index index.php;`
			`include fastcgi_params;`
			`fastcgi_intercept_errors on;`
			`# fastcgi_read_timeout should match max_execution_time in php.ini`
			`fastcgi_read_timeout 10m;`
			`fastcgi_param SERVER_NAME $host;`
			`fastcgi_param HTTPS $fcgi_https;`
			`}`

			`# Expire rules for static content`
			`# Feed`
			`location ~* \.(?:rss\|atom\|cache)$ {`
			`expires 1h;`
			`}`

			`# Media: images, icons, video, audio, HTC`
			`location ~* \.(?:jpg\|jpeg\|gif\|png\|ico\|cur\|gz\|svg\|svgz\|mp4\|ogg\|ogv\|webm\|htc)$ {`
			`expires 1M;`
			`access_log off;`
			`add_header Cache-Control "public";`
			`}`

			`# Prevent clients from accessing hidden files (starting with a dot)`
			`# This is particularly important if you store .htpasswd files in the site hierarchy`
			# Access to `/.well-known/` is allowed.
			`# https://www.mnot.net/blog/2010/04/07/well-known`
			`# https://tools.ietf.org/html/rfc5785`
			`location ~* /\.(?!well-known\/) {`
			`deny all;`
			`}`

			`# Prevent clients from accessing to backup/config/source files`
			`location ~* (?:\.(?:bak\|conf\|dist\|fla\|in[ci]\|log\|psd\|sh\|sql\|sw[op])\|~)$ {`
			`deny all;`
			`}`

			`## Begin - Security`
			`# deny all direct access for these folders`
			`location ~* /(\.git\|cache\|bin\|logs\|backup\|tests)/.*$ { return 403; }`
			`# deny running scripts inside core system folders`
			`location ~* /(system\|vendor)/.*\.(txt\|xml\|md\|html\|yaml\|yml\|php\|pl\|py\|cgi\|twig\|sh\|bat)$ { return 403; }`
			`# deny running scripts inside user folder`
			`location ~* /user/.*\.(txt\|md\|yaml\|yml\|php\|pl\|py\|cgi\|twig\|sh\|bat)$ { return 403; }`
			`# deny access to specific files in the root folder`
			`location ~ /(LICENSE\.txt\|composer\.lock\|composer\.json\|nginx\.conf\|web\.config\|htaccess\.txt\|\.htaccess) { return 403; }`
			`## End - Security`


			`## provide a health check endpoint`
			`location /healthcheck {`
			`access_log off;`
			`stub_status on;`
			`keepalive_timeout 0; # Disable HTTP keepalive`
			`return 200;`
			`}`

			`error_page 400 401 /40x.html;`
			`location = /40x.html {`
			`root /usr/share/nginx/html;`
			`}`

			`location ~ ^/(fpmstatus\|ping)$ {`
			`access_log off;`
			`stub_status on;`
			`keepalive_timeout 0; # Disable HTTP keepalive`
			`allow 127.0.0.1;`
			`allow all;`
			`fastcgi_index index.php;`
			`fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`
			`include fastcgi_params;`
			`fastcgi_pass unix:/run/php-fpm.sock;`
			`}`


			`}`