drupal-ssl-decoupled.nginxconf 4.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157
  1. # https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
  2. server {
  3. listen 80;
  4. listen [::]:80;
  5. server_name DOMAIN.LTD;
  6. return 301 https://$server_name$request_uri;
  7. }
  8. server {
  9. listen 443 ssl;
  10. listen [::]:443 ssl;
  11. server_name DOMAIN.LTD;
  12. #SSL Certificates
  13. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  14. ssl_certificate "/etc/letsencrypt/live/DOMAIN.LTD/fullchain.pem";
  15. ssl_certificate_key "/etc/letsencrypt/live/DOMAIN.LTD/privkey.pem";
  16. ssl_dhparam /etc/nginx/ssl/certs/DOMAIN.LTD/dhparam.pem;
  17. ssl_session_cache shared:SSL:1m;
  18. ssl_session_timeout 10m;
  19. ssl_ciphers HIGH:!aNULL:!MD5;
  20. #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
  21. ssl_prefer_server_ciphers on;
  22. add_header Strict-Transport-Security "max-age=31536000;
  23. #includeSubDomains" always;
  24. charset utf-8;
  25. access_log on;
  26. error_log /var/www/DOMAIN.LTD/log/error.log; # debug;
  27. root /var/www/DOMAIN.LTD/app/src/dist/;
  28. index index.php index.html index.htm;
  29. location @app {
  30. rewrite ^/(.*)$ /index.html;
  31. }
  32. location / {
  33. #alias /var/www/enfrancais.fr/app/web/;
  34. try_files $uri $uri/ @app;
  35. }
  36. location @api {
  37. rewrite ^/api/(.*)$ /api/index.php;
  38. }
  39. location @rewrite {
  40. rewrite ^/api/(.*)$ /index.php?q=$1;
  41. }
  42. location /api {
  43. alias /var/www/enfrancais.fr/api/src/web/;
  44. try_files $uri $uri/ @api;
  45. # In Drupal 8, we must also match new paths where the '.php' appears in
  46. # the middle, such as update.php/selection. The rule we use is strict,
  47. # and only allows this pattern with the update.php front controller.
  48. # This allows legacy path aliases in the form of
  49. # blog/index.php/legacy-path to continue to route to Drupal nodes. If
  50. # you do not have any paths like that, then you might prefer to use a
  51. # laxer rule, such as:
  52. # # location ~ \.php(/|$) {
  53. # The laxer rule will continue to work if Drupal uses this new URL
  54. # pattern with front controllers other than update.php in a future
  55. # release.
  56. #location ~ '\.php$|^/update.php' {
  57. #location ~ \.php(/|$) {
  58. location ~ \.php$ {
  59. #fastcgi_split_path_info ^(.+\.php)(/.+)$;
  60. #fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
  61. #fastcgi_split_path_info ^(.+?\.php)(/.*)$;
  62. include fastcgi_params;
  63. #fastcgi_index index.php;
  64. # Block httpoxy attacks. See https://httpoxy.org/.
  65. #fastcgi_param HTTP_PROXY "";
  66. #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  67. #fastcgi_param SCRIPT_FILENAME index.php;
  68. fastcgi_param SCRIPT_FILENAME $request_filename;
  69. #fastcgi_param REQUEST_URI $request_uri;
  70. #fastcgi_param PATH_INFO $fastcgi_path_info;
  71. #set $path_info $fastcgi_path_info;
  72. #fastcgi_param PATH_INFO /;
  73. #fastcgi_param QUERY_STRING $query_string;
  74. #fastcgi_intercept_errors off;
  75. #fastcgi_param DOCUMENT_ROOT /var/www/enfrancais.fr/api;
  76. # fastcgi_buffer_size 16k;
  77. # fastcgi_buffers 4 16k;
  78. fastcgi_pass unix:/run/php/php7.4-fpm.sock;
  79. }
  80. location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
  81. try_files $uri @rewrite;
  82. expires max;
  83. log_not_found off;
  84. }
  85. location ~ \..*/.*\.php$ {
  86. return 403;
  87. }
  88. location ~ ^/sites/.*/private/ {
  89. return 403;
  90. }
  91. # Block access to scripts in site files directory
  92. location ~ ^/sites/[^/]+/files/.*\.php$ {
  93. deny all;
  94. }
  95. # Allow "Well-Known URIs" as per RFC 5785
  96. location ~* ^/.well-known/ {
  97. allow all;
  98. }
  99. # Block access to "hidden" files and directories whose names begin with a
  100. # period. This includes directories used by version control systems such
  101. # as Subversion or Git to store control files.
  102. location ~ (^|/)\. {
  103. return 403;
  104. }
  105. # Don't allow direct access to PHP files in the vendor directory.
  106. location ~ /vendor/.*\.php$ {
  107. deny all;
  108. return 404;
  109. }
  110. location ~ /\.ht {
  111. deny all;
  112. }
  113. sendfile off;
  114. client_max_body_size 100m;
  115. # Fighting with Styles? This little gem is amazing.
  116. # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
  117. location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
  118. try_files $uri @rewrite;
  119. }
  120. # Handle private files through Drupal. Private file's path can come
  121. # with a language prefix.
  122. location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
  123. try_files $uri /index.php?$query_string;
  124. }
  125. }
  126. location = /favicon.ico { access_log off; log_not_found off; }
  127. # website should not be displayed inside a <frame>, an <iframe> or an <object>
  128. add_header X-Frame-Options SAMEORIGIN;
  129. }