Alan Orth
52dc0c357b
We need to actually check if HSTS was requested before setting the header in the block handing PHP requests. We check in the main vhost block, but nginx headers are only inherited if you don't set ANY headers in child blocks (ie, headers set in parent blocks are cleared if you set any new ones in the child). Signed-off-by: Alan Orth <alan.orth@gmail.com>
98 lines
3.7 KiB
Django/Jinja
98 lines
3.7 KiB
Django/Jinja
{% set domain_name = item.nginx_domain_name %}
|
|
{% set domain_aliases = item.nginx_domain_aliases | default("") %}
|
|
{% set use_https = item.use_https | default("no") %}
|
|
{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
|
|
{% set enable_hsts = item.nginx_enable_hsts | default("no") %}
|
|
{% set has_wordpress = item.has_wordpress | default("no") %}
|
|
|
|
{% if use_https == "yes" %}
|
|
# http -> https vhost
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name {{ domain_name }} {{ domain_aliases }};
|
|
|
|
# redirect http -> https
|
|
location / {
|
|
# ? in rewrite makes sure nginx doesn't append query string again
|
|
# see: http://wiki.nginx.org/NginxHttpRewriteModule#rewrite
|
|
rewrite ^ https://{{ domain_name }}$request_uri? permanent;
|
|
}
|
|
}
|
|
{% endif %}
|
|
|
|
server {
|
|
listen {% if use_https == "yes" %} 443 ssl http2{% else %} 80{% endif %};
|
|
listen [::]{% if use_https == "yes" %}:443 ssl http2{% else %}:80{% endif %};
|
|
|
|
root {{ nginx_root_prefix }}/{{ domain_name }};
|
|
|
|
{# assumes you only want the main domain name listening for https #}
|
|
server_name {{ domain_name }} {% if use_https == "no" %} {{ domain_aliases }}{% endif %};
|
|
|
|
index index.php index.html;
|
|
|
|
access_log /var/log/nginx/{{ domain_name }}-access.log;
|
|
error_log /var/log/nginx/{{ domain_name }}-error.log;
|
|
|
|
{% if use_https == "yes" %}
|
|
{% include 'https.j2' %}
|
|
{% endif %}
|
|
|
|
{% if has_wordpress == "yes" %}
|
|
{% include 'wordpress.j2' %}
|
|
{% endif %}
|
|
|
|
error_page 500 502 503 504 /50x.html;
|
|
location = /50x.html {
|
|
root /usr/share/nginx/html;
|
|
}
|
|
|
|
location ~ [^/]\.php(/|$) {
|
|
# Zero-day exploit defense.
|
|
# http://forum.nginx.org/read.php?2,88845,page=3
|
|
# Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
|
|
# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked.
|
|
try_files $uri =404;
|
|
|
|
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
|
|
fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
|
|
fastcgi_index index.php;
|
|
# set script path relative to document root in server block
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
include fastcgi_params;
|
|
|
|
fastcgi_cache global;
|
|
# Set X-Fastcgi-Cache header to "HIT", "MISS", "BYPASS", etc
|
|
add_header X-Fastcgi-Cache $upstream_cache_status;
|
|
# Don't cache when user shift-refreshes (Pragma: no-cache) or when a user is logged in!
|
|
fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
|
|
fastcgi_no_cache $http_pragma $wordpress_logged_in;
|
|
|
|
{% if use_https == "yes" and enable_hsts == "yes" %}
|
|
# Enable this if you want HSTS (recommended, but be careful)
|
|
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
|
|
# See: https://hstspreload.appspot.com/
|
|
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
|
|
{% endif %}
|
|
|
|
include extra-security.conf;
|
|
}
|
|
|
|
include extra-security.conf;
|
|
}
|
|
|
|
# Check if a user is logged in
|
|
# if so, set $wordpress_logged_in = 1
|
|
# otherwise, set $wordpress_logged_in = 0
|
|
# See: http://jeradbitner.com/2012/02/nginx-do-not-cache-logged-in-drupal-or-wordpress-users/
|
|
# See: http://syshero.org/post/50053543196/disable-nginx-cache-based-on-cookies
|
|
# See nginx bug: http://trac.nginx.org/nginx/ticket/707
|
|
map $http_cookie $wordpress_logged_in {
|
|
default 0;
|
|
|
|
~wordpress_logged_in 1;
|
|
}
|