From 2d35e7328108ca6faa30ddd9512f232720ef52da Mon Sep 17 00:00:00 2001 From: Adrian Date: Thu, 17 Mar 2016 00:41:34 +0100 Subject: [PATCH 1/2] Update Nginx config * Make only Let's Encrypt path available on port 80 * Protect WordPress admin URLs * Seperate logs for hosts * Update example PHP config * Update README --- conf/nginx/README.md | 17 ++++++++--------- conf/nginx/inc/allow-local | 4 ++++ conf/nginx/inc/cgi-bin | 2 -- conf/nginx/inc/letsencrypt | 4 +--- conf/nginx/inc/redirect-ssl | 5 +++-- conf/nginx/inc/restrict-wp-access | 9 +++++++++ conf/nginx/sites-available/example | 15 ++++++++++----- conf/nginx/sites-available/gogs | 3 +++ conf/nginx/sites-available/gollum | 3 +++ conf/nginx/sites-available/redirect-ssl-all | 6 +++++- conf/nginx/sites-available/seafile | 3 +++ conf/nginx/sites-available/trac | 3 +++ conf/nginx/sites-enabled/.empty | 0 conf/nginx/sites-enabled/example | 1 - 14 files changed, 52 insertions(+), 23 deletions(-) create mode 100644 conf/nginx/inc/allow-local create mode 100644 conf/nginx/inc/restrict-wp-access create mode 100644 conf/nginx/sites-enabled/.empty delete mode 120000 conf/nginx/sites-enabled/example diff --git a/conf/nginx/README.md b/conf/nginx/README.md index bcd2bbc..cb23b7c 100644 --- a/conf/nginx/README.md +++ b/conf/nginx/README.md @@ -1,15 +1,14 @@ -Nginx Config Files -================== +# Nginx Config Files These are carefully crafted Nginx config files. -Do not forget the following: +## Installation - sudo chown -R wwwrun.www /var/lib/nginx # if on openSUSE - cd /etc/nginx/sites-conf - sudo ln -s example.ssl default.ssl + sed -i 's/example.com/your-host.org/' sites-available/* + sudo cp -r * /etc/nginx + sudo ln -s example.ssl /etc/nginx/sites-conf/default.ssl + sudo mkdir -p /data/log/nginx -You can configure your host simply by doing: +If on openSUSE: - cd /etc/nginx/sites-available - sudo sed -i 's/example.com/your-host.org/' * + sudo chown -R wwwrun.www /var/lib/nginx 
diff --git a/conf/nginx/inc/allow-local b/conf/nginx/inc/allow-local
new file mode 100644
index 0000000..4866d91
--- /dev/null
+++ b/conf/nginx/inc/allow-local
@@ -0,0 +1,4 @@
+allow 10.0.0.0/8;
+allow 172.16.0.0/12;
+allow 192.168.0.0/16;
+deny all;
diff --git a/conf/nginx/inc/cgi-bin b/conf/nginx/inc/cgi-bin
index af56659..17797e2 100644
--- a/conf/nginx/inc/cgi-bin
+++ b/conf/nginx/inc/cgi-bin
@@ -1,6 +1,4 @@
 fastcgi_pass unix:/run/php5-fpm.sock;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME /etc/nginx/cgi-bin.php;
-fastcgi_param SCRIPT_NAME "";
 fastcgi_param X_SCRIPT_FILENAME $request_filename;
-fastcgi_param X_SCRIPT_NAME "";
diff --git a/conf/nginx/inc/letsencrypt b/conf/nginx/inc/letsencrypt
index e7a4db0..4406625 100644
--- a/conf/nginx/inc/letsencrypt
+++ b/conf/nginx/inc/letsencrypt
@@ -1,5 +1,3 @@
-listen 80;
-
 location /.well-known/acme-challenge {
- alias /data/letsencrypt;
+ alias /data/letsencrypt/challenge;
 }
diff --git a/conf/nginx/inc/redirect-ssl b/conf/nginx/inc/redirect-ssl
index 6b5f3d7..385fb49 100644
--- a/conf/nginx/inc/redirect-ssl
+++ b/conf/nginx/inc/redirect-ssl
@@ -1,2 +1,3 @@
-listen 80;
-return 301 https://$host$request_uri;
+location / {
+ return 301 https://$host$request_uri;
+}
diff --git a/conf/nginx/inc/restrict-wp-access b/conf/nginx/inc/restrict-wp-access
new file mode 100644
index 0000000..80ff763
--- /dev/null
+++ b/conf/nginx/inc/restrict-wp-access
@@ -0,0 +1,9 @@
+location /wp-admin {
+ include inc/allow-local;
+ error_page 403 $scheme://$host/404;
+}
+
+location ~ /wp-login.php {
+ include inc/allow-local;
+ error_page 403 $scheme://$host/404;
+}
diff --git a/conf/nginx/sites-available/example b/conf/nginx/sites-available/example
index 85d57f2..81208df 100644
--- a/conf/nginx/sites-available/example
+++ b/conf/nginx/sites-available/example
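Review bot: allow-local has no loopback entry, so with `deny all;` any check made from the host itself (`curl http://127.0.0.1/wp-admin/`, a local awstats fetch, a health probe) is refused; add `allow 127.0.0.0/8;` and, if any server block ends up listening on `[::]`, `allow ::1;`. The RFC 1918 ranges also only protect the admin paths when `$remote_addr` is the real client address: behind a reverse proxy or load balancer every request arrives from a private address and the deny never fires, and if the realip module is later fed X-Forwarded-For from untrusted peers the check becomes spoofable. A one-line comment at the top of the file would save the next maintainer from that surprise: `# only meaningful when nginx sees the real client IP (no upstream proxy, or a trusted set_real_ip_from)`.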
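Review bot: The ACME location is a prefix match without a trailing slash paired with an `alias` without one, so `/.well-known/acme-challengeXYZ` maps to `/data/letsencrypt/challengeXYZ` and any sibling of the challenge directory whose name starts with `challenge` becomes reachable on port 80; the classic off-by-slash `alias` traversal is avoided here only because the alias also lacks the slash, which is easy to lose in a later edit. Make both sides directory-to-directory: `location /.well-known/acme-challenge/ {` with `alias /data/letsencrypt/challenge/;`, or drop `alias` for `root /data/letsencrypt;` and lay the files out under `/data/letsencrypt/.well-known/acme-challenge/`. Either way the ACME client's webroot has to point at the same directory, which the README does not mention.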
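Review bot: As written, restrict-wp-access does not gate the PHP that WordPress actually runs for login and admin. `location /wp-admin` is a plain prefix location and `location ~ /wp-login.php` is a regex location that the example site includes after its PHP processing location; if that location is the usual `location ~ \.php$` (its opening line is outside this hunk), nginx uses the first matching regex location in file order and prefers any regex over a plain prefix, so `/wp-login.php` and `/wp-admin/index.php` are handled by the PHP location with no allow/deny at all, and only static assets under `/wp-admin/` are restricted. Even when the wp-login regex did win it has no `fastcgi_pass`, so allowed clients would be served the raw `wp-login.php` source from `root` instead of executing it. Fix by making the wp-admin prefix `^~` with a nested PHP location, anchoring the login regex, returning a real 404 status with `error_page 403 =404 /404;` instead of redirecting to `$scheme://$host/404`, and including the file before the PHP processing location so the login regex is tried first.
```nginx
# Include this file BEFORE the generic "location ~ \.php$" block: regex locations
# are tried in order of appearance and any regex beats a plain prefix location.
location ^~ /wp-admin/ {
    include inc/allow-local;
    error_page 403 =404 /404;

    location ~ \.php$ {
        # … same fastcgi_pass / fastcgi_param lines as the site's PHP processing location …
    }
}

location ~ ^/wp-login\.php$ {
    include inc/allow-local;
    error_page 403 =404 /404;
    # … same fastcgi_pass / fastcgi_param lines as the site's PHP processing location …
}
```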
@@ -1,14 +1,17 @@ server { - server_name localhost *.local; + server_name test.example.com; - listen 80; listen 443 ssl; root /usr/share/nginx/html; + index index.php index.html index.htm; - # redirect server error pages to the static page /50x.html + access_log /data/log/nginx/test-access.log; + error_log /data/log/nginx/test-error.log; - error_page 500 502 503 504 /50x.html; + location / { + try_files $uri $uri/ /index.php$is_args$args; + } # PHP processing @@ -18,13 +21,15 @@ server { fastcgi_intercept_errors on; } + include inc/restrict-wp-access; + # AWstats location /awstats { - # You may want to secure this location by appending a random string alias /usr/local/awstats/wwwroot/cgi-bin; access_log off; include inc/cgi-bin; + include inc/allow-local; } location /awstatsicons { diff --git a/conf/nginx/sites-available/gogs b/conf/nginx/sites-available/gogs index b0af6b5..cbf6d51 100644 --- a/conf/nginx/sites-available/gogs +++ b/conf/nginx/sites-available/gogs @@ -3,6 +3,9 @@ server { listen 443 ssl; + access_log /data/log/nginx/git-access.log; + error_log /data/log/nginx/git-error.log; + location / { proxy_pass http://localhost:3000; include proxy_params; diff --git a/conf/nginx/sites-available/gollum b/conf/nginx/sites-available/gollum index db94154..8a22e39 100644 --- a/conf/nginx/sites-available/gollum +++ b/conf/nginx/sites-available/gollum @@ -1,6 +1,9 @@ server { server_name www.example.com; + access_log /data/log/nginx/www-access.log; + error_log /data/log/nginx/www-error.log; + location / { proxy_pass http://localhost:4567/; include proxy_params; diff --git a/conf/nginx/sites-available/redirect-ssl-all b/conf/nginx/sites-available/redirect-ssl-all index 8896042..c386be2 100644 --- a/conf/nginx/sites-available/redirect-ssl-all +++ b/conf/nginx/sites-available/redirect-ssl-all @@ -1,4 +1,8 @@ server { - include inc/redirect-ssl; server_name *.example.com; + + listen 80; + + include inc/redirect-ssl; + include inc/letsencrypt; } 
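Review bot: `include inc/restrict-wp-access;` is placed after the PHP processing location, which matters because that include defines a regex location for `wp-login.php`: nginx tries regex locations in order of appearance, so if the PHP location is the usual `location ~ \.php$` (its opening line is outside this hunk) it captures `/wp-login.php` and every `/wp-admin/*.php` before the restriction is consulted, and the prefix `location /wp-admin` from the include never beats a regex match either. Move the include above `# PHP processing` and say why in place: `# must precede the PHP location: regex locations match in file order`. The `/awstats` location also now combines `access_log off;` with `include inc/allow-local;`, so denied attempts on the stats pages leave no trace in the access log and only surface as "access forbidden by rule" entries in the error log; for an admin-only path either drop `access_log off;` or add a comment stating that the error log is the audit trail.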
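Review bot: The gollum server block shows `server_name www.example.com;` and the new log directives but no `listen` directive anywhere in the hunk (file lines 1-9); unless one exists further down, nginx defaults it to `*:80`, and because an exact `server_name` wins over the `*.example.com` wildcard of redirect-ssl-all, `www.example.com` on port 80 would be proxied in plaintext straight to the wiki backend instead of being redirected to HTTPS, contradicting the commit's stated goal of exposing only the Let's Encrypt path on port 80. The trac block in this patch has the same shape. If the listen really is absent, add `listen 443 ssl;` next to `server_name`, as the gogs and seafile blocks do.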
diff --git a/conf/nginx/sites-available/seafile b/conf/nginx/sites-available/seafile index 496cf9c..56c9b76 100644 --- a/conf/nginx/sites-available/seafile +++ b/conf/nginx/sites-available/seafile @@ -3,6 +3,9 @@ server { listen 443 ssl; + access_log /data/log/nginx/seafile-access.log; + error_log /data/log/nginx/seafile-error.log; + location / { proxy_pass http://localhost:8000; include proxy_params; diff --git a/conf/nginx/sites-available/trac b/conf/nginx/sites-available/trac index 24492fe..b77a8cb 100644 --- a/conf/nginx/sites-available/trac +++ b/conf/nginx/sites-available/trac @@ -1,6 +1,9 @@ server { server_name trac.example.com; + access_log /data/log/nginx/trac-access.log; + error_log /data/log/nginx/trac-error.log; + client_max_body_size 20M; location / { diff --git a/conf/nginx/sites-enabled/.empty b/conf/nginx/sites-enabled/.empty new file mode 100644 index 0000000..e69de29 diff --git a/conf/nginx/sites-enabled/example b/conf/nginx/sites-enabled/example deleted file mode 120000 index 2fa0a13..0000000 --- a/conf/nginx/sites-enabled/example +++ /dev/null @@ -1 +0,0 @@ -../sites-available/example \ No newline at end of file From c58105e816e51f6c4b72a43e28fd7a6f4d1afa66 Mon Sep 17 00:00:00 2001 
From: Adrian Date: Thu, 17 Mar 2016 00:41:34 +0100 Subject: [PATCH 2/2] Update Nginx config * Make only Let's Encrypt path available on port 80 * Protect WordPress admin URLs * Seperate logs for hosts * Update example PHP config * Update README --- conf/nginx/README.md | 17 ++++++++--------- conf/nginx/inc/allow-local | 4 ++++ conf/nginx/inc/cgi-bin | 2 -- conf/nginx/inc/letsencrypt | 4 +--- conf/nginx/inc/redirect-ssl | 5 +++-- conf/nginx/inc/restrict-wp-access | 9 +++++++++ conf/nginx/sites-available/example | 15 ++++++++++----- conf/nginx/sites-available/gogs | 3 +++ conf/nginx/sites-available/gollum | 3 +++ conf/nginx/sites-available/redirect-ssl-all | 6 +++++- conf/nginx/sites-available/seafile | 3 +++ conf/nginx/sites-available/trac | 3 +++ conf/nginx/sites-enabled/.empty | 0 conf/nginx/sites-enabled/example | 1 - 14 files changed, 52 insertions(+), 23 deletions(-) create mode 100644 conf/nginx/inc/allow-local create mode 100644 conf/nginx/inc/restrict-wp-access create mode 100644 conf/nginx/sites-enabled/.empty delete mode 120000 conf/nginx/sites-enabled/example diff --git a/conf/nginx/README.md b/conf/nginx/README.md index bcd2bbc..cb23b7c 100644 --- a/conf/nginx/README.md +++ b/conf/nginx/README.md @@ -1,15 +1,14 @@ -Nginx Config Files -================== +# Nginx Config Files These are carefully crafted Nginx config files. -Do not forget the following: +## Installation - sudo chown -R wwwrun.www /var/lib/nginx # if on openSUSE - cd /etc/nginx/sites-conf - sudo ln -s example.ssl default.ssl + sed -i 's/example.com/your-host.org/' sites-available/* + sudo cp -r * /etc/nginx + sudo ln -s example.ssl /etc/nginx/sites-conf/default.ssl + sudo mkdir -p /data/log/nginx -You can configure your host simply by doing: +If on openSUSE: - cd /etc/nginx/sites-available - sudo sed -i 's/example.com/your-host.org/' * + sudo chown -R wwwrun.www /var/lib/nginx diff --git a/conf/nginx/inc/allow-local b/conf/nginx/inc/allow-local new file mode 100644 index 0000000..4866d91 
--- /dev/null
+++ b/conf/nginx/inc/allow-local
@@ -0,0 +1,4 @@
+allow 10.0.0.0/8;
+allow 172.16.0.0/12;
+allow 192.168.0.0/16;
+deny all;
diff --git a/conf/nginx/inc/cgi-bin b/conf/nginx/inc/cgi-bin
index af56659..17797e2 100644
--- a/conf/nginx/inc/cgi-bin
+++ b/conf/nginx/inc/cgi-bin
@@ -1,6 +1,4 @@
 fastcgi_pass unix:/run/php5-fpm.sock;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME /etc/nginx/cgi-bin.php;
-fastcgi_param SCRIPT_NAME "";
 fastcgi_param X_SCRIPT_FILENAME $request_filename;
-fastcgi_param X_SCRIPT_NAME "";
diff --git a/conf/nginx/inc/letsencrypt b/conf/nginx/inc/letsencrypt
index e7a4db0..4406625 100644
--- a/conf/nginx/inc/letsencrypt
+++ b/conf/nginx/inc/letsencrypt
@@ -1,5 +1,3 @@
-listen 80;
-
 location /.well-known/acme-challenge {
- alias /data/letsencrypt;
+ alias /data/letsencrypt/challenge;
 }
diff --git a/conf/nginx/inc/redirect-ssl b/conf/nginx/inc/redirect-ssl
index 6b5f3d7..385fb49 100644
--- a/conf/nginx/inc/redirect-ssl
+++ b/conf/nginx/inc/redirect-ssl
@@ -1,2 +1,3 @@
-listen 80;
-return 301 https://$host$request_uri;
+location / {
+ return 301 https://$host$request_uri;
+}
diff --git a/conf/nginx/inc/restrict-wp-access b/conf/nginx/inc/restrict-wp-access
new file mode 100644
index 0000000..80ff763
--- /dev/null
+++ b/conf/nginx/inc/restrict-wp-access
@@ -0,0 +1,9 @@
+location /wp-admin {
+ include inc/allow-local;
+ error_page 403 $scheme://$host/404;
+}
+
+location ~ /wp-login.php {
+ include inc/allow-local;
+ error_page 403 $scheme://$host/404;
+}
diff --git a/conf/nginx/sites-available/example b/conf/nginx/sites-available/example
index 85d57f2..81208df 100644
--- a/conf/nginx/sites-available/example
+++ b/conf/nginx/sites-available/example
@@ -1,14 +1,17 @@ server { - server_name localhost *.local; + server_name test.example.com; - listen 80; listen 443 ssl; root /usr/share/nginx/html; + index index.php index.html index.htm; - # redirect server error pages to the static page /50x.html + access_log /data/log/nginx/test-access.log; + error_log /data/log/nginx/test-error.log; - error_page 500 502 503 504 /50x.html; + location / { + try_files $uri $uri/ /index.php$is_args$args; + } # PHP processing @@ -18,13 +21,15 @@ server { fastcgi_intercept_errors on; } + include inc/restrict-wp-access; + # AWstats location /awstats { - # You may want to secure this location by appending a random string alias /usr/local/awstats/wwwroot/cgi-bin; access_log off; include inc/cgi-bin; + include inc/allow-local; } location /awstatsicons { diff --git a/conf/nginx/sites-available/gogs b/conf/nginx/sites-available/gogs index b0af6b5..cbf6d51 100644 --- a/conf/nginx/sites-available/gogs +++ b/conf/nginx/sites-available/gogs @@ -3,6 +3,9 @@ server { listen 443 ssl; + access_log /data/log/nginx/git-access.log; + error_log /data/log/nginx/git-error.log; + location / { proxy_pass http://localhost:3000; include proxy_params; diff --git a/conf/nginx/sites-available/gollum b/conf/nginx/sites-available/gollum index db94154..8a22e39 100644 --- a/conf/nginx/sites-available/gollum +++ b/conf/nginx/sites-available/gollum @@ -1,6 +1,9 @@ server { server_name www.example.com; + access_log /data/log/nginx/www-access.log; + error_log /data/log/nginx/www-error.log; + location / { proxy_pass http://localhost:4567/; include proxy_params; diff --git a/conf/nginx/sites-available/redirect-ssl-all b/conf/nginx/sites-available/redirect-ssl-all index 8896042..1ccf657 100644 --- a/conf/nginx/sites-available/redirect-ssl-all +++ b/conf/nginx/sites-available/redirect-ssl-all @@ -1,4 +1,8 @@ server { + server_name .example.com; + + listen 80; + include inc/redirect-ssl; - server_name *.example.com; + include inc/letsencrypt; } 
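Review bot: The port-80 block is selected only for hosts matching `server_name .example.com;` and is not marked `default_server`, so a request arriving with a bare IP, an unrelated Host header or a misspelled name goes to whichever `*:80` server nginx loaded first; if any other site file listens on 80 (a block without an explicit `listen` does so by default), that site receives the plaintext traffic instead of a redirect. Make this block the catch-all with `listen 80 default_server;` so every non-ACME request on port 80 is redirected regardless of Host. With that change `return 301 https://$host$request_uri;` will echo whatever Host the client sent into the Location target, which is harmless for a redirect (the client can only redirect itself) but deserves a one-line comment so nobody later assumes `$host` has been validated.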
diff --git a/conf/nginx/sites-available/seafile b/conf/nginx/sites-available/seafile index 496cf9c..56c9b76 100644 --- a/conf/nginx/sites-available/seafile +++ b/conf/nginx/sites-available/seafile @@ -3,6 +3,9 @@ server { listen 443 ssl; + access_log /data/log/nginx/seafile-access.log; + error_log /data/log/nginx/seafile-error.log; + location / { proxy_pass http://localhost:8000; include proxy_params; diff --git a/conf/nginx/sites-available/trac b/conf/nginx/sites-available/trac index 24492fe..b77a8cb 100644 --- a/conf/nginx/sites-available/trac +++ b/conf/nginx/sites-available/trac @@ -1,6 +1,9 @@ server { server_name trac.example.com; + access_log /data/log/nginx/trac-access.log; + error_log /data/log/nginx/trac-error.log; + client_max_body_size 20M; location / { diff --git a/conf/nginx/sites-enabled/.empty b/conf/nginx/sites-enabled/.empty new file mode 100644 index 0000000..e69de29 diff --git a/conf/nginx/sites-enabled/example b/conf/nginx/sites-enabled/example deleted file mode 120000 index 2fa0a13..0000000 --- a/conf/nginx/sites-enabled/example +++ /dev/null @@ -1 +0,0 @@ -../sites-available/example \ No newline at end of file