amishakov · October 27, 2023 13:14
diff --git a/kirby.conf b/kirby.conf
 server {
    listen 80;
    server_name kirby.dev www.kirby.dev;
    root /path/to/www/kirby;
    
    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;
    
    # Route LetsEncrypt ACME Challenges to the right place
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        default_type "text/plain";
        try_files $uri /404;
    }

    # Route everything else through SSL
    location ~* ^/(.*)$ {
        return 301 https://$server_name/$1$is_args$args;
    }
 }

 server {
    charset utf-8;
    server_name kirby.dev www.kirby.dev;
    root /path/to/www/kirby;

    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers On;
    ssl_certificate /etc/letsencrypt/live/kirby.dev/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kirby.dev/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/kirby.dev/chain.pem;
    ssl_session_cache shared:SSL:128m;
    add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8; # Google Resolver
    index index.php index.html index.htm;

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Don't hint these as folders
    rewrite ^/(content|site|kirby)$ /error last;

    # Block content
    rewrite ^/content/(.*).(txt|md|mdown)$ /error last;

    # Block all files in the site and kirby folder from being accessed directly
    rewrite ^/(site|kirby)/(.*)$ /error last;

    # Panel links
    location /panel {
        autoindex off;
        try_files $uri $uri/ /panel/index.php?$query_string;
    }

    # Site links
    location / {
        autoindex off;
        try_files $uri $uri/ /index.php?$query_string; #$uri&$args;
    }

    # PHP scripts
    location ~ \.php$ {
        # Set CORS headers
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }
        if ($request_method = 'POST') {
          add_header 'Access-Control-Allow-Origin' '*';
          add_header 'Access-Control-Allow-Credentials' 'true';
          add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
          add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        }
        if ($request_method = 'GET') {
          add_header 'Access-Control-Allow-Origin' '*';
          add_header 'Access-Control-Allow-Credentials' 'true';
          add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
          add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        }

        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_script_name;
        include fastcgi_params;
    }

    # Prevent clients from accessing hidden files (starting with a dot)
    # This is particularly important if you store .htpasswd files in the site hierarchy
    location ~ (?:^|/)\. {
        deny all;
    }

    # Prevent clients from accessing to backup/config/source files
    location ~ (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
        deny all;
    }
 }
	server {
	listen 80;
	server_name kirby.dev www.kirby.dev;
	root /path/to/www/kirby;

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	# Route LetsEncrypt ACME Challenges to the right place
	location ^~ /.well-known/acme-challenge/ {
	allow all;
	default_type "text/plain";
	try_files $uri /404;
	}

	# Route everything else through SSL
	location ~* ^/(.*)$ {
	return 301 https://$server_name/$1$is_args$args;
	}
	}

	server {
	charset utf-8;
	server_name kirby.dev www.kirby.dev;
	root /path/to/www/kirby;

	listen 443 ssl;
	ssl_protocols TLSv1.2;
	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
	ssl_prefer_server_ciphers On;
	ssl_certificate /etc/letsencrypt/live/kirby.dev/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/kirby.dev/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/kirby.dev/chain.pem;
	ssl_session_cache shared:SSL:128m;
	add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8; # Google Resolver
	index index.php index.html index.htm;

	error_page 404 /404.html;
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
	root /usr/share/nginx/html;
	}

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	# Don't hint these as folders
	rewrite ^/(content\|site\|kirby)$ /error last;

	# Block content
	rewrite ^/content/(.*).(txt\|md\|mdown)$ /error last;

	# Block all files in the site and kirby folder from being accessed directly
	rewrite ^/(site\|kirby)/(.*)$ /error last;

	# Panel links
	location /panel {
	autoindex off;
	try_files $uri $uri/ /panel/index.php?$query_string;
	}

	# Site links
	location / {
	autoindex off;
	try_files $uri $uri/ /index.php?$query_string; #$uri&$args;
	}

	# PHP scripts
	location ~ \.php$ {
	# Set CORS headers
	if ($request_method = 'OPTIONS') {
	add_header 'Access-Control-Allow-Origin' '*';
	add_header 'Access-Control-Allow-Credentials' 'true';
	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
	add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
	add_header 'Access-Control-Max-Age' 1728000;
	add_header 'Content-Type' 'text/plain charset=UTF-8';
	add_header 'Content-Length' 0;
	return 204;
	}
	if ($request_method = 'POST') {
	add_header 'Access-Control-Allow-Origin' '*';
	add_header 'Access-Control-Allow-Credentials' 'true';
	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
	add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
	}
	if ($request_method = 'GET') {
	add_header 'Access-Control-Allow-Origin' '*';
	add_header 'Access-Control-Allow-Credentials' 'true';
	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
	add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
	}

	try_files $uri =404;
	fastcgi_pass unix:/var/run/php5-fpm.sock;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param PATH_INFO $fastcgi_script_name;
	include fastcgi_params;
	}

	# Prevent clients from accessing hidden files (starting with a dot)
	# This is particularly important if you store .htpasswd files in the site hierarchy
	location ~ (?:^\|/)\. {
	deny all;
	}

	# Prevent clients from accessing to backup/config/source files
	location ~ (?:\.(?:bak\|config\|sql\|fla\|psd\|ini\|log\|sh\|inc\|swp\|dist)\|~)$ {
	deny all;
	}
	}