diff --git a/install/nginx-snippets/error-pages.conf b/install/nginx-snippets/error-pages.conf
index 4c281e8..f3f9a6a 100644
--- a/install/nginx-snippets/error-pages.conf
+++ b/install/nginx-snippets/error-pages.conf
@@ -1,58 +1,9 @@
-# Global error pages
-error_page 403 /403.html;
-error_page 404 /404.html;
-error_page 500 502 504 /50x.html;
-error_page 503 /503.html;
+error_page 403 /error/403.html;
+error_page 404 /error/404.html;
+error_page 503 /error/503.html;
+error_page 500 502 504 /error/50x.html;
 
-# Global error handler locations
-location = /403.html {
+location ^~ /error/ {
+ alias /var/www/error-pages/;
 internal;
- try_files
- $document_root/403.php
- $document_root/403.html
- /var/www/error-pages/403.php
- /var/www/error-pages/403.html
- =403;
- fastcgi_intercept_errors on;
-}
-
-location = /404.html {
- internal;
- try_files
- $document_root/404.php
- $document_root/404.html
- /var/www/error-pages/404.php
- /var/www/error-pages/404.html
- =404;
- fastcgi_intercept_errors on;
-}
-
-location = /503.html {
- internal;
- try_files
- $document_root/503.php
- $document_root/503.html
- /var/www/error-pages/503.php
- /var/www/error-pages/503.html
- =503;
- fastcgi_intercept_errors on;
-}
-
-location = /50x.html {
- internal;
- try_files
- $document_root/50x.php
- $document_root/50x.html
- /var/www/error-pages/50x.php
- /var/www/error-pages/50x.html
- =500;
- fastcgi_intercept_errors on;
-}
-
-# PHP handling for error pages
-location ~ ^/(?:403|404|503|50x)\.php$ {
- internal;
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $request_filename;
- fastcgi_pass unix:/var/run/php/php-fpm.sock; # Adjust this path as needed
-}
+}
\ No newline at end of file
diff --git a/site-config.conf b/site-config.conf
index c026118..57623aa 100644
--- a/site-config.conf
+++ b/site-config.conf
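Review bot: In install/nginx-snippets/error-pages.conf the new `location ^~ /error/` block has no comment, and the commit removes the header comments that explained the snippet. Because the block is `internal` and uses `^~`, a client request for any URI under /error/ is answered with 404 and regex locations are not consulted for that prefix, so every site that includes the snippet loses /error/ as a public path. I would document that above the block, for example `# /error/ is reserved: internal-only, served from /var/www/error-pages/ (sites must not publish content under /error/)`. The file also now ends without a trailing newline.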
@@ -17,28 +17,43 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
 include snippets/ssl.conf;
 
- # Error page config
+ # Default error page config
 include snippets/error-pages.conf;
 
- # Check for banned IPs
- if ($is_banned) {
- return 403;
- }
-
 # Apply general rate limit
 limit_req zone=general burst=100 nodelay;
 
+ # Check for banned IPs
+ if ($is_banned) {
+ rewrite ^ @banned last;
+ }
+
 # Content Security Policy (needs to be per-domain)
 add_header Content-Security-Policy "default-src 'self' *.$DOMAIN; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.$DOMAIN; style-src 'self' 'unsafe-inline' *.$DOMAIN; img-src 'self' data: *.$DOMAIN; font-src 'self' data: *.$DOMAIN; connect-src 'self' *.$DOMAIN; frame-src 'self' *.$DOMAIN; media-src 'self' *.$DOMAIN; object-src 'none'; base-uri 'self'; form-action 'self' *.$DOMAIN" always;
 
 # Subdomain handling
 set $subdomain '';
- set $full_root "/var/www/$DOMAIN/_main/www";
+ set $site_root "/var/www/$DOMAIN/_main";
 if ($host ~* ^([^.]+)\.$DOMAIN$) {
 set $subdomain $1;
- set $full_root "/var/www/$DOMAIN/subdomains/$subdomain/www";
+ set $site_root "/var/www/$DOMAIN/subdomains/$subdomain";
+ }
+ root "$site_root/www";
+
+ # Banned location handler
+ location @banned {
+ return 403;
+ }
+
+ # Site-specific error pages
+ error_page 403 /error/403.html;
+ error_page 404 /error/404.html;
+ error_page 503 /error/503.html;
+ error_page 500 502 504 /error/50x.html;
+ location ^~ /error/ {
+ alias "$site_root/error-pages/";
+ internal;
 }
- root $full_root;
 
 # Basic settings
 index index.html index.htm index.php;
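Review bot: The ban check in `if ($is_banned)` no longer guarantees a 403: `rewrite ^ @banned last;` only replaces the request URI with the text `@banned`, and as far as I know nginx never selects a named location by URI matching (named locations are reached through `error_page`, `try_files` and similar internal redirects), so `location @banned` is probably never entered and banned clients get whatever the rewritten URI resolves to. Keeping `return 403;` inside the `if` would preserve the previous enforcement and make the `@banned` block unnecessary. Separately, this server block still has `include snippets/error-pages.conf;` and now also declares its own `location ^~ /error/`; if the included snippet is the one changed in this commit, the two identical prefix locations should make `nginx -t` fail with a duplicate location error, so one of the two definitions needs to go. The `server` block starts and ends outside the hunk.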