updated core to 1.7.15
This commit is contained in:
@@ -1,33 +1,31 @@
|
||||
:8080
|
||||
gzip
|
||||
fastcgi / 127.0.0.1:9000 php
|
||||
# To use this file simply install caddy and run the command below from the root of your Grav site
|
||||
# Once running it will redirect http://localhost to https://localhost (new default for Caddy2)
|
||||
# More infromation here: https://caddyserver.com/docs/
|
||||
#
|
||||
# $ caddy run --config webserver-configs/Caddyfile
|
||||
|
||||
localhost
|
||||
encode gzip
|
||||
root * .
|
||||
file_server
|
||||
|
||||
php_fastcgi 127.0.0.1:9000
|
||||
|
||||
# Begin - Security
|
||||
# deny all direct access for these folders
|
||||
rewrite {
|
||||
r /(\.git|cache|bin|logs|backups|tests)/.*$
|
||||
to /403
|
||||
}
|
||||
# deny running scripts inside core system folders
|
||||
rewrite {
|
||||
r /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
|
||||
to /403
|
||||
}
|
||||
# deny running scripts inside user folder
|
||||
rewrite {
|
||||
r /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
|
||||
to /403
|
||||
}
|
||||
# deny access to specific files in the root folder
|
||||
rewrite {
|
||||
r /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess)
|
||||
to /403
|
||||
}
|
||||
rewrite /(\.git|cache|bin|logs|backups|tests)/.* /403
|
||||
|
||||
status 403 /403
|
||||
# deny running scripts inside core system folders
|
||||
rewrite /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ /403
|
||||
|
||||
# deny running scripts inside user folder
|
||||
rewrite /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ /403
|
||||
|
||||
# deny access to specific files in the root folder
|
||||
rewrite /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) /403
|
||||
|
||||
respond /403 403
|
||||
## End - Security
|
||||
|
||||
# global rewrite should come last.
|
||||
rewrite {
|
||||
to {path} {path}/ /index.php?_url={uri}&{query}
|
||||
}
|
||||
try_files {path} {path}/ /index.php?_url={uri}&{query}
|
||||
|
||||
@@ -27,6 +27,9 @@ RewriteEngine On
|
||||
# If you experience problems on your site block out the operations listed below
|
||||
# This attempts to block the most common type of exploit `attempts` to Grav
|
||||
#
|
||||
# Block out any script trying to use twig tags in URL.
|
||||
RewriteCond %{REQUEST_URI} ({{|}}|{%|%}) [OR]
|
||||
RewriteCond %{QUERY_STRING} ({{|}}|{%25|%25}) [OR]
|
||||
# Block out any script trying to base64_encode data within the URL.
|
||||
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
|
||||
# Block out any script that includes a <script> tag in URL.
|
||||
|
||||
@@ -23,7 +23,7 @@ $HTTP["querystring"] =~ "_REQUEST(=|\[|\%[0-9A-Z])" {
|
||||
|
||||
#REROUTING TO THE INDEX PAGE
|
||||
url.rewrite-if-not-file = (
|
||||
"^/grav_path/(.*)$" => "/grav_path/index.php$1"
|
||||
"^/grav_path/(.*)$" => "/grav_path/index.php?$1"
|
||||
)
|
||||
|
||||
#IMPROVING SECURITY
|
||||
@@ -39,7 +39,7 @@ $HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|yaml|yml|ph
|
||||
$HTTP["url"] =~ "^/grav_path/(\.(.*))" {
|
||||
url.access-deny = ("")
|
||||
}
|
||||
url.access-deny = (".md","~",".inc")
|
||||
url.access-deny += (".md","~",".inc")
|
||||
|
||||
#PREVENT BROWSING AND SET INDEXES
|
||||
$HTTP["url"] =~ "^/grav_path($|/)" {
|
||||
|
||||
@@ -1,118 +0,0 @@
|
||||
# ddev GravCMS config
|
||||
|
||||
# You can override ddev's configuration by placing an edited copy
|
||||
# of this config (or one of the other ones) in .ddev/nginx-site.conf
|
||||
# See https://ddev.readthedocs.io/en/latest/users/extend/customization-extendibility/#providing-custom-nginx-configuration
|
||||
|
||||
# Set https to 'on' if x-forwarded-proto is https
|
||||
map $http_x_forwarded_proto $fcgi_https {
|
||||
default off;
|
||||
https on;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80; ## listen for ipv4; this line is default and implied
|
||||
listen [::]:80 default ipv6only=on; ## listen for ipv6
|
||||
# The NGINX_DOCROOT variable is substituted with
|
||||
# its value when the container is started.
|
||||
root $NGINX_DOCROOT;
|
||||
index index.php index.htm index.html;
|
||||
|
||||
# Make site accessible from http://localhost/
|
||||
server_name _;
|
||||
|
||||
# Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
|
||||
sendfile off;
|
||||
error_log /var/log/nginx/error.log info;
|
||||
access_log /var/log/nginx/access.log;
|
||||
|
||||
location / {
|
||||
absolute_redirect off;
|
||||
try_files $uri $uri/ /index.php?$query_string;
|
||||
}
|
||||
|
||||
# pass the PHP scripts to FastCGI server listening on socket
|
||||
location ~ \.php$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass unix:/run/php-fpm.sock;
|
||||
fastcgi_buffers 16 16k;
|
||||
fastcgi_buffer_size 32k;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
||||
fastcgi_index index.php;
|
||||
include fastcgi_params;
|
||||
fastcgi_intercept_errors on;
|
||||
# fastcgi_read_timeout should match max_execution_time in php.ini
|
||||
fastcgi_read_timeout 10m;
|
||||
fastcgi_param SERVER_NAME $host;
|
||||
fastcgi_param HTTPS $fcgi_https;
|
||||
}
|
||||
|
||||
# Expire rules for static content
|
||||
# Feed
|
||||
location ~* \.(?:rss|atom|cache)$ {
|
||||
expires 1h;
|
||||
}
|
||||
|
||||
# Media: images, icons, video, audio, HTC
|
||||
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
|
||||
expires 1M;
|
||||
access_log off;
|
||||
add_header Cache-Control "public";
|
||||
}
|
||||
|
||||
# Prevent clients from accessing hidden files (starting with a dot)
|
||||
# This is particularly important if you store .htpasswd files in the site hierarchy
|
||||
# Access to `/.well-known/` is allowed.
|
||||
# https://www.mnot.net/blog/2010/04/07/well-known
|
||||
# https://tools.ietf.org/html/rfc5785
|
||||
location ~* /\.(?!well-known\/) {
|
||||
deny all;
|
||||
}
|
||||
|
||||
# Prevent clients from accessing to backup/config/source files
|
||||
location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
|
||||
deny all;
|
||||
}
|
||||
|
||||
## Begin - Security
|
||||
# deny all direct access for these folders
|
||||
location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
|
||||
# deny running scripts inside core system folders
|
||||
location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
|
||||
# deny running scripts inside user folder
|
||||
location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
|
||||
# deny access to specific files in the root folder
|
||||
location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
|
||||
## End - Security
|
||||
|
||||
|
||||
## provide a health check endpoint
|
||||
location /healthcheck {
|
||||
access_log off;
|
||||
stub_status on;
|
||||
keepalive_timeout 0; # Disable HTTP keepalive
|
||||
return 200;
|
||||
}
|
||||
|
||||
error_page 400 401 /40x.html;
|
||||
location = /40x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
|
||||
location ~ ^/(fpmstatus|ping)$ {
|
||||
access_log off;
|
||||
stub_status on;
|
||||
keepalive_timeout 0; # Disable HTTP keepalive
|
||||
allow 127.0.0.1;
|
||||
allow all;
|
||||
fastcgi_index index.php;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass unix:/run/php-fpm.sock;
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user