-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'develop' of https://github.com/getgrav/grav into 1.5
- Loading branch information
Showing
1 changed file
with
118 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,118 @@ | ||
# ddev GravCMS config | ||
|
||
# You can override ddev's configuration by placing an edited copy | ||
# of this config (or one of the other ones) in .ddev/nginx-site.conf | ||
# See https://ddev.readthedocs.io/en/latest/users/extend/customization-extendibility/#providing-custom-nginx-configuration | ||
|
||
# Set https to 'on' if x-forwarded-proto is https | ||
map $http_x_forwarded_proto $fcgi_https { | ||
default off; | ||
https on; | ||
} | ||
|
||
server { | ||
listen 80; ## listen for ipv4; this line is default and implied | ||
listen [::]:80 default ipv6only=on; ## listen for ipv6 | ||
# The NGINX_DOCROOT variable is substituted with | ||
# its value when the container is started. | ||
root $NGINX_DOCROOT; | ||
index index.php index.htm index.html; | ||
|
||
# Make site accessible from http://localhost/ | ||
server_name _; | ||
|
||
# Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html | ||
sendfile off; | ||
error_log /var/log/nginx/error.log info; | ||
access_log /var/log/nginx/access.log; | ||
|
||
location / { | ||
absolute_redirect off; | ||
try_files $uri $uri/ /index.php?$query_string; | ||
} | ||
|
||
# pass the PHP scripts to FastCGI server listening on socket | ||
location ~ \.php$ { | ||
try_files $uri =404; | ||
fastcgi_split_path_info ^(.+\.php)(/.+)$; | ||
fastcgi_pass unix:/run/php-fpm.sock; | ||
fastcgi_buffers 16 16k; | ||
fastcgi_buffer_size 32k; | ||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | ||
fastcgi_param SCRIPT_NAME $fastcgi_script_name; | ||
fastcgi_index index.php; | ||
include fastcgi_params; | ||
fastcgi_intercept_errors on; | ||
# fastcgi_read_timeout should match max_execution_time in php.ini | ||
fastcgi_read_timeout 10m; | ||
fastcgi_param SERVER_NAME $host; | ||
fastcgi_param HTTPS $fcgi_https; | ||
} | ||
|
||
# Expire rules for static content | ||
# Feed | ||
location ~* \.(?:rss|atom|cache)$ { | ||
expires 1h; | ||
} | ||
|
||
# Media: images, icons, video, audio, HTC | ||
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ { | ||
expires 1M; | ||
access_log off; | ||
add_header Cache-Control "public"; | ||
} | ||
|
||
# Prevent clients from accessing hidden files (starting with a dot) | ||
# This is particularly important if you store .htpasswd files in the site hierarchy | ||
# Access to `/.well-known/` is allowed. | ||
# https://www.mnot.net/blog/2010/04/07/well-known | ||
# https://tools.ietf.org/html/rfc5785 | ||
location ~* /\.(?!well-known\/) { | ||
deny all; | ||
} | ||
|
||
# Prevent clients from accessing to backup/config/source files | ||
location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ { | ||
deny all; | ||
} | ||
|
||
## Begin - Security | ||
# deny all direct access for these folders | ||
location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; } | ||
# deny running scripts inside core system folders | ||
location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } | ||
# deny running scripts inside user folder | ||
location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } | ||
# deny access to specific files in the root folder | ||
location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; } | ||
## End - Security | ||
|
||
|
||
## provide a health check endpoint | ||
location /healthcheck { | ||
access_log off; | ||
stub_status on; | ||
keepalive_timeout 0; # Disable HTTP keepalive | ||
return 200; | ||
} | ||
|
||
error_page 400 401 /40x.html; | ||
location = /40x.html { | ||
root /usr/share/nginx/html; | ||
} | ||
|
||
location ~ ^/(fpmstatus|ping)$ { | ||
access_log off; | ||
stub_status on; | ||
keepalive_timeout 0; # Disable HTTP keepalive | ||
allow 127.0.0.1; | ||
allow all; | ||
fastcgi_index index.php; | ||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | ||
include fastcgi_params; | ||
fastcgi_pass unix:/run/php-fpm.sock; | ||
} | ||
|
||
|
||
} | ||
|