2024-10-23 02:17:00 +00:00
|
|
|
# HTTP redirect
|
2024-10-20 23:57:00 +00:00
|
|
|
server {
|
|
|
|
|
listen 80;
|
|
|
|
|
listen [::]:80;
|
|
|
|
|
server_name .$DOMAIN;
|
2024-10-22 02:29:12 +00:00
|
|
|
return 301 https://$host$request_uri;
|
2024-10-20 23:57:00 +00:00
|
|
|
}
|
|
|
|
|
|
2024-10-23 02:17:00 +00:00
|
|
|
# HTTPS server
|
2024-10-20 23:57:00 +00:00
|
|
|
server {
|
|
|
|
|
listen 443 ssl http2;
|
|
|
|
|
listen [::]:443 ssl http2;
|
|
|
|
|
server_name .$DOMAIN;
|
|
|
|
|
|
2024-10-23 02:17:00 +00:00
|
|
|
# SSL certificates
|
2024-10-20 23:57:00 +00:00
|
|
|
ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
|
|
|
|
|
ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
|
|
|
|
|
|
2024-10-23 02:17:00 +00:00
|
|
|
# Apply general rate limit
|
|
|
|
|
limit_req zone=general burst=100 nodelay;
|
|
|
|
|
|
|
|
|
|
# Content Security Policy (needs to be per-domain)
|
|
|
|
|
add_header Content-Security-Policy "
|
|
|
|
|
default-src 'self' *.$DOMAIN;
|
|
|
|
|
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.$DOMAIN;
|
|
|
|
|
style-src 'self' 'unsafe-inline' *.$DOMAIN;
|
|
|
|
|
img-src 'self' data: *.$DOMAIN;
|
|
|
|
|
font-src 'self' data: *.$DOMAIN;
|
|
|
|
|
connect-src 'self' *.$DOMAIN;
|
|
|
|
|
frame-src 'self' *.$DOMAIN;
|
|
|
|
|
media-src 'self' *.$DOMAIN;
|
|
|
|
|
object-src 'none';
|
|
|
|
|
base-uri 'self';
|
|
|
|
|
form-action 'self' *.$DOMAIN;
|
|
|
|
|
" always;
|
|
|
|
|
|
|
|
|
|
# Subdomain handling
|
2024-10-22 02:29:12 +00:00
|
|
|
set $subdomain '';
|
2024-10-23 02:17:00 +00:00
|
|
|
set $full_root "/var/www/$DOMAIN/_main/www";
|
|
|
|
|
set $access_log_path "/var/www/$DOMAIN/logs/main.access.log";
|
|
|
|
|
set $error_log_path "/var/www/$DOMAIN/logs/main.error.log";
|
2024-10-22 02:29:12 +00:00
|
|
|
if ($host ~* ^([^.]+)\.$DOMAIN$) {
|
|
|
|
|
set $subdomain $1;
|
2024-10-23 02:17:00 +00:00
|
|
|
set $full_root "/var/www/$DOMAIN/subdomains/$subdomain/www";
|
|
|
|
|
set $access_log_path "/var/www/$DOMAIN/logs/$subdomain.access.log";
|
|
|
|
|
set $error_log_path "/var/www/$DOMAIN/logs/$subdomain.error.log";
|
2024-10-20 23:57:00 +00:00
|
|
|
}
|
2024-10-22 02:29:12 +00:00
|
|
|
root $full_root;
|
2024-10-20 23:57:00 +00:00
|
|
|
|
2024-10-23 02:17:00 +00:00
|
|
|
# Basic settings
|
2024-10-20 23:57:00 +00:00
|
|
|
index index.html index.htm index.php;
|
2024-10-23 02:17:00 +00:00
|
|
|
client_max_body_size 20M;
|
|
|
|
|
|
|
|
|
|
# Block .ht* files
|
|
|
|
|
location ~ /\.ht {
|
|
|
|
|
deny all;
|
|
|
|
|
}
|
2024-10-20 23:57:00 +00:00
|
|
|
|
2024-10-23 02:17:00 +00:00
|
|
|
# Main location block
|
2024-10-20 23:57:00 +00:00
|
|
|
location / {
|
2024-10-22 02:29:12 +00:00
|
|
|
try_files $uri $uri/ @router;
|
2024-10-20 23:57:00 +00:00
|
|
|
}
|
|
|
|
|
|
2024-10-23 02:17:00 +00:00
|
|
|
# Router handling
|
2024-10-20 23:57:00 +00:00
|
|
|
location @router {
|
2024-10-22 02:29:12 +00:00
|
|
|
if (!-f $document_root/router.php) {
|
2024-10-20 23:57:00 +00:00
|
|
|
return 404;
|
|
|
|
|
}
|
2024-10-23 02:17:00 +00:00
|
|
|
limit_req zone=php burst=20 nodelay;
|
2024-10-20 23:57:00 +00:00
|
|
|
fastcgi_pass unix:/var/run/php/php-fpm.sock;
|
|
|
|
|
include fastcgi_params;
|
2024-10-22 02:29:12 +00:00
|
|
|
fastcgi_param SCRIPT_FILENAME $document_root/router.php;
|
2024-10-20 23:57:00 +00:00
|
|
|
}
|
|
|
|
|
|
2024-10-23 02:17:00 +00:00
|
|
|
# Static file handling
|
|
|
|
|
location ~* ^.+\.((?!php).)*$ {
|
|
|
|
|
expires 30d;
|
|
|
|
|
add_header Cache-Control "public, no-transform";
|
|
|
|
|
try_files $uri $uri/ =404;
|
2024-10-20 23:57:00 +00:00
|
|
|
}
|
|
|
|
|
|
2024-10-23 02:17:00 +00:00
|
|
|
# Logging
|
2024-10-20 23:57:00 +00:00
|
|
|
access_log /var/log/nginx/access.log;
|
|
|
|
|
error_log /var/log/nginx/error.log;
|
2024-10-22 02:42:41 +00:00
|
|
|
access_log $access_log_path;
|
|
|
|
|
error_log $error_log_path;
|
2024-10-23 02:17:00 +00:00
|
|
|
}
|
