# ddev GravCMS config # You can override ddev's configuration by placing an edited copy # of this config (or one of the other ones) in .ddev/nginx-site.conf # See https://ddev.readthedocs.io/en/latest/users/extend/customization-extendibility/#providing-custom-nginx-configuration # Set https to 'on' if x-forwarded-proto is https map $http_x_forwarded_proto $fcgi_https { default off; https on; } server { listen 80; ## listen for ipv4; this line is default and implied listen [::]:80 default ipv6only=on; ## listen for ipv6 # The NGINX_DOCROOT variable is substituted with # its value when the container is started. root $NGINX_DOCROOT; index index.php index.htm index.html; # Make site accessible from http://localhost/ server_name _; # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html sendfile off; error_log /var/log/nginx/error.log info; access_log /var/log/nginx/access.log; location / { absolute_redirect off; try_files $uri $uri/ /index.php?$query_string; } # pass the PHP scripts to FastCGI server listening on socket location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/run/php-fpm.sock; fastcgi_buffers 16 16k; fastcgi_buffer_size 32k; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_index index.php; include fastcgi_params; fastcgi_intercept_errors on; # fastcgi_read_timeout should match max_execution_time in php.ini fastcgi_read_timeout 10m; fastcgi_param SERVER_NAME $host; fastcgi_param HTTPS $fcgi_https; } # Expire rules for static content # Feed location ~* \.(?:rss|atom|cache)$ { expires 1h; } # Media: images, icons, video, audio, HTC location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ { expires 1M; access_log off; add_header Cache-Control "public"; } # Prevent clients from accessing hidden files (starting with a dot) # This is particularly important if you store .htpasswd files in the site hierarchy # Access to `/.well-known/` is allowed. # https://www.mnot.net/blog/2010/04/07/well-known # https://tools.ietf.org/html/rfc5785 location ~* /\.(?!well-known\/) { deny all; } # Prevent clients from accessing to backup/config/source files location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ { deny all; } ## Begin - Security # deny all direct access for these folders location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; } # deny running scripts inside core system folders location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } # deny running scripts inside user folder location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } # deny access to specific files in the root folder location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; } ## End - Security ## provide a health check endpoint location /healthcheck { access_log off; stub_status on; keepalive_timeout 0; # Disable HTTP keepalive return 200; } error_page 400 401 /40x.html; location = /40x.html { root /usr/share/nginx/html; } location ~ ^/(fpmstatus|ping)$ { access_log off; stub_status on; keepalive_timeout 0; # Disable HTTP keepalive allow 127.0.0.1; allow all; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; fastcgi_pass unix:/run/php-fpm.sock; } }