ansible-personal/roles/nginx/templates/vhost.conf.j2
Alan Orth 9ce7ac72f9
roles/nginx: Add extra-security headers to PHP block
nginx inherits headers from higher-level blocks UNLESS we also set
headers in the current block. In this case the FastCGI cache header
was being set, so we weren't getting the extra-security ones.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-19 09:32:06 +03:00

92 lines
3.2 KiB
Django/Jinja

{% set domain_name = item.nginx_domain_name %}
{% set domain_aliases = item.nginx_domain_aliases | default("") %}
{% set use_https = item.use_https | default("no") %}
{% set has_wordpress = item.has_wordpress | default("no") %}
{% if use_https == "yes" %}
# http -> https vhost
server {
listen 80;
server_name {{ domain_name }} {{ domain_aliases }};
# redirect http -> https
location / {
# ? in rewrite makes sure nginx doesn't append query string again
# see: http://wiki.nginx.org/NginxHttpRewriteModule#rewrite
rewrite ^ https://{{ domain_name }}$request_uri? permanent;
}
}
{% endif %}
server {
listen {% if use_https == "yes" %} 443 ssl spdy{% else %} 80{% endif %};
root {{ nginx_root_prefix }}/{{ domain_name }};
{# assumes you only want the main domain name listening for https #}
server_name {{ domain_name }} {% if use_https == "no" %} {{ domain_aliases }}{% endif %};
index index.php index.html;
access_log /var/log/nginx/{{ domain_name }}-access.log;
error_log /var/log/nginx/{{ domain_name }}-error.log;
{% if use_https == "yes" %}
{% include 'https.j2' %}
{% endif %}
{% if has_wordpress == "yes" %}
{% include 'wordpress.j2' %}
{% endif %}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ [^/]\.php(/|$) {
# Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3
# Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked.
try_files $uri =404;
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
fastcgi_index index.php;
# set script path relative to document root in server block
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_cache global;
# Set X-Fastcgi-Cache header to "HIT", "MISS", "BYPASS", etc
add_header X-Fastcgi-Cache $upstream_cache_status;
# Don't cache when user shift-refreshes (Pragma: no-cache) or when a user is logged in!
fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
fastcgi_no_cache $http_pragma $wordpress_logged_in;
{% if use_https == "yes" %}
# Enable this if you want HSTS (recommended, but be careful)
add_header Strict-Transport-Security max-age=15768000 always;
{% endif %}
include extra-security.conf;
}
include extra-security.conf;
}
# Check if a user is logged in
# if so, set $wordpress_logged_in = 1
# otherwise, set $wordpress_logged_in = 0
# See: http://jeradbitner.com/2012/02/nginx-do-not-cache-logged-in-drupal-or-wordpress-users/
# See: http://syshero.org/post/50053543196/disable-nginx-cache-based-on-cookies
# See nginx bug: http://trac.nginx.org/nginx/ticket/707
map $http_cookie $wordpress_logged_in {
default 0;
~wordpress_logged_in 1;
}