diff --git a/confs/site/php.conf b/confs/site/php.conf index 8b7c8ca..950b986 100644 --- a/confs/site/php.conf +++ b/confs/site/php.conf @@ -1,6 +1,3 @@ -include %FASTCGI_PATH%fastcgi.conf; -include %FASTCGI_PATH%fastcgi_params; - location ~ \.php$ { fastcgi_pass %REMOTE_PHP%:9000; fastcgi_index index.php; diff --git a/confs/site/server.conf b/confs/site/server.conf index ba59750..a14515a 100644 --- a/confs/site/server.conf +++ b/confs/site/server.conf @@ -1,4 +1,5 @@ server { + %FASTCGI_PATH% %SERVER_CONF% %PROXY_REAL_IP% %MAIN_LUA% @@ -15,7 +16,6 @@ server { } %LIMIT_REQ% %AUTH_BASIC% - %USE_PHP% %REMOVE_HEADERS% %X_FRAME_OPTIONS% %X_XSS_PROTECTION% @@ -38,4 +38,5 @@ server { %USE_OPEN_FILE_CACHE% %USE_PROXY_CACHE% %USE_REVERSE_PROXY% + %USE_PHP% } diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh index f83cf06..1165b74 100644 --- a/entrypoint/site-config.sh +++ b/entrypoint/site-config.sh @@ -128,15 +128,15 @@ fi # remote PHP if [ "$REMOTE_PHP" != "" ] ; then replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" "include ${NGINX_PREFIX}php.conf;" + replace_in_file "${NGINX_PREFIX}server.conf" "%FASTCGI_PATH%" "include ${NGINX_PREFIX}fastcgi.conf;" replace_in_file "${NGINX_PREFIX}php.conf" "%REMOTE_PHP%" "$REMOTE_PHP" - replace_in_file "${NGINX_PREFIX}php.conf" "%FASTCGI_PATH%" "$NGINX_PREFIX" if [ "$MULTISITE" = "yes" ] ; then cp /etc/nginx/fastcgi.conf ${NGINX_PREFIX}fastcgi.conf - cp /etc/nginx/fastcgi_params ${NGINX_PREFIX}fastcgi_params fi replace_in_file "${NGINX_PREFIX}fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/" else replace_in_file "${NGINX_PREFIX}server.conf" "%USE_PHP%" "" + replace_in_file "${NGINX_PREFIX}server.conf" "%FASTCGI_PATH%" "" fi # serve files diff --git a/examples/multisite-custom-server-confs/docker-compose.yml b/examples/multisite-custom-server-confs/docker-compose.yml index 267a09b..5501880 100644 --- a/examples/multisite-custom-server-confs/docker-compose.yml 
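Review bot: The `%FASTCGI_PATH%` placeholder now receives a whole `include …fastcgi.conf;` directive (or nothing) rather than a path, so its name in confs/site/server.conf and in the two new `replace_in_file` calls in this hunk misdescribes what it holds; a name in the style of the neighbouring `%USE_PHP%`, e.g. `%USE_FASTCGI%`, would make the server.conf template readable on its own. The values substituted into nginx config on the lines around the new call — `$REMOTE_PHP` into php.conf and `${REMOTE_PHP_PATH}/` into fastcgi.conf — come straight from the environment with no validation; if `replace_in_file` is a plain sed/string substitution, a value containing `;` or a newline ends up as an extra nginx directive, so a guard such as `case "$REMOTE_PHP" in *[!A-Za-z0-9._-]*) echo "invalid REMOTE_PHP" >&2; exit 1;; esac` before the `if` would close that. The `\$document_root` rewrite of `${NGINX_PREFIX}fastcgi.conf` also runs in the non-multisite branch, where the absence of the `cp` suggests that file is the shared nginx copy rather than a per-site one — worth confirming that is intended now that the include applies to the whole `server {}`. The enclosing script continues outside the hunk.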
+++ b/examples/multisite-custom-server-confs/docker-compose.yml
@@ -31,6 +31,7 @@ services:
 - nc.website.com_LIMIT_REQ_BURST=60
 - nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
 - nc.website.com_X_FRAME_OPTIONS=SAMEORIGIN
+ - nc.website.com_FAIL2BAN_STATUS_CODE=400|401|403|405|444
 networks:
 - net1
 - net2
diff --git a/examples/multisite-custom-server-confs/server-confs/nc.website.com/nextcloud.conf b/examples/multisite-custom-server-confs/server-confs/nc.website.com/nextcloud.conf
index b32bf62..547c680 100644
--- a/examples/multisite-custom-server-confs/server-confs/nc.website.com/nextcloud.conf
+++ b/examples/multisite-custom-server-confs/server-confs/nc.website.com/nextcloud.conf
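Review bot: Counting `401` (and `400`/`405`) toward a ban in the new `nc.website.com_FAIL2BAN_STATUS_CODE` line is risky on a Nextcloud/WebDAV host, assuming — as the name suggests — the variable lists the response codes fail2ban matches on: several DAV clients send an unauthenticated request first and rely on the 401 challenge before retrying with credentials, and a `405` is what any method outside `ALLOWED_METHODS` gets, so a legitimate client can reach the ban threshold on its own. Consider keeping the example to `403|444` (or `403|405|444`), or stating next to it the find-time/maxretry that makes `401` safe. The same value is added as `FAIL2BAN_STATUS_CODE` in examples/nextcloud/docker-compose.yml.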
@@ -1,42 +1,32 @@ +location ~ \.php(?:$|/) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set $path_info $fastcgi_path_info; + + try_files $fastcgi_script_name =404; + + include /etc/nginx/nc.website.com/fastcgi.conf; + fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls + fastcgi_pass mync:9000; + + fastcgi_intercept_errors on; + fastcgi_request_buffering off; +} + +location ~ \.(?:css|js|svg|gif)$ { + try_files $uri /index.php$request_uri; + expires 6M; # Cache-Control policy borrowed from `.htaccess` +} + +location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; # Cache-Control policy borrowed from `.htaccess` +} + location / { - rewrite ^ /index.php; + try_files $uri /index.php$request_uri; } - -location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { - deny all; -} - -location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { - deny all; -} - -location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { - include /etc/nginx/nc.website.com/fastcgi_params; - fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; - set $path_info $fastcgi_path_info; - try_files $fastcgi_script_name =404; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $path_info; - fastcgi_param HTTPS on; - fastcgi_param modHeadersAvailable true; - fastcgi_param front_controller_active true; - fastcgi_pass mync:9000; - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - include /etc/nginx/nc.website.com/fastcgi.conf; -} - -location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { - try_files $uri/ =404; - index index.php; -} - -location ~ \.(?:css|js|woff2?|svg|gif|map|mp4)$ { - try_files $uri /index.php$request_uri; - 
add_header Cache-Control "public, max-age=15778463"; -} - -location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ { - try_files $uri /index.php$request_uri; -} - diff --git a/examples/nextcloud/docker-compose.yml b/examples/nextcloud/docker-compose.yml index e10a0a6..b9b5b2b 100644 --- a/examples/nextcloud/docker-compose.yml +++ b/examples/nextcloud/docker-compose.yml @@ -27,12 +27,12 @@ services: - LIMIT_REQ_BURST=60 - ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT - X_FRAME_OPTIONS=SAMEORIGIN - - USE_CLIENT_CACHE=yes - USE_GZIP=yes - USE_BROTLI=yes + - FAIL2BAN_STATUS_CODE=400|401|403|405|444 mync: - image: nextcloud:stable-fpm + image: nextcloud:20-fpm restart: always volumes: - ./nc-files:/var/www/html diff --git a/examples/nextcloud/server-confs/nextcloud.conf b/examples/nextcloud/server-confs/nextcloud.conf index 22c73d4..402aac6 100644 --- a/examples/nextcloud/server-confs/nextcloud.conf +++ b/examples/nextcloud/server-confs/nextcloud.conf 
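Review bot: The rewritten nc.website.com/nextcloud.conf drops every access restriction the old file had: the two `deny all` blocks for `/(build|tests|config|lib|3rdparty|templates|data)/` and `/(\.|autotest|occ|issue|indie|db_|console)` are gone, and the PHP location is widened from the `index|remote|public|cron|…` script whitelist to `~ \.php(?:$|/)`, so any `.php` path that passes `try_files $fastcgi_script_name =404` is now handed to `mync:9000` and `location /` serves `config/` and `data/` paths as static files when they resolve on the nginx side. With the nginx container seeing the same tree (which that `try_files` implies), that covers `config/config.php` with the database credentials and any user-uploaded `*.php` under `data/`; nginx ignores Nextcloud's `.htaccess`, which is why the upstream nginx config keeps both blocks plus a `rewrite` whitelist inside the PHP location. Re-adding them as below restores the old protection without the per-script `location`; the `rewrite` pattern is the old whitelist with the `\.php` suffix dropped. The same removal is in examples/nextcloud/server-confs/nextcloud.conf.
```nginx
# Was `deny all` in the old file; 404 avoids confirming that the path exists.
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) {
    return 404;
}

location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
    return 404;
}

location ~ \.php(?:$|/) {
    # Only Nextcloud's own entry points may run as PHP; everything else goes to the front controller.
    rewrite ^/(?!index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+) /index.php$request_uri;

    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    # … unchanged: set $path_info, try_files, include, fastcgi_param lines, fastcgi_pass, buffering …
}
```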
@@ -1,42 +1,32 @@
+location ~ \.php(?:$|/) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ set $path_info $fastcgi_path_info;
+
+ try_files $fastcgi_script_name =404;
+
+ include fastcgi.conf;
+ fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
+ fastcgi_param PATH_INFO $path_info;
+ fastcgi_param HTTPS on;
+
+ fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
+ fastcgi_param front_controller_active true; # Enable pretty urls
+ fastcgi_pass mync:9000;
+
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+}
+
+location ~ \.(?:css|js|svg|gif)$ {
+ try_files $uri /index.php$request_uri;
+ expires 6M; # Cache-Control policy borrowed from `.htaccess`
+}
+
+location ~ \.woff2?$ {
+ try_files $uri /index.php$request_uri;
+ expires 7d; # Cache-Control policy borrowed from `.htaccess`
+}
+
 location / {
- rewrite ^ /index.php;
+ try_files $uri /index.php$request_uri;
 }
-
-location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
- deny all;
-}
-
-location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
- deny all;
-}
-
-location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
- include fastcgi_params;
- fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
- set $path_info $fastcgi_path_info;
- try_files $fastcgi_script_name =404;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $path_info;
- fastcgi_param HTTPS on;
- fastcgi_param modHeadersAvailable true;
- fastcgi_param front_controller_active true;
- fastcgi_pass mync:9000;
- fastcgi_intercept_errors on;
- fastcgi_request_buffering off;
- include fastcgi.conf;
-}
-
-location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
- try_files $uri/ =404;
- index index.php;
-}
-
-location ~ \.(?:css|js|woff2?|svg|gif|map|mp4)$ {
- try_files $uri /index.php$request_uri;
- add_header Cache-Control "public, max-age=15778463";
-}
-
-location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
- try_files $uri /index.php$request_uri;
-}
-