Update Nginx config

* Make only Let's Encrypt path available on port 80
* Protect WordPress admin URLs
* Seperate logs for hosts
* Update example PHP config
* Update README

conf/nginx/README.md

@@ -1,15 +1,14 @@
-Nginx Config Files
+# Nginx Config Files
-==================
 
 These are carefully crafted Nginx config files.
 
-Do not forget the following:
+## Installation
 
-	sudo chown -R wwwrun.www /var/lib/nginx # if on openSUSE
+	sed -i 's/example.com/your-host.org/' sites-available/*
-	cd /etc/nginx/sites-conf
+	sudo cp -r * /etc/nginx
-	sudo ln -s example.ssl default.ssl
+	sudo ln -s example.ssl /etc/nginx/sites-conf/default.ssl
+	sudo mkdir -p /data/log/nginx
 
-You can configure your host simply by doing:
+If on openSUSE:
 
-	cd /etc/nginx/sites-available
+	sudo chown -R wwwrun.www /var/lib/nginx
-	sudo sed -i 's/example.com/your-host.org/' *

conf/nginx/inc/allow-local

@@ -0,0 +1,4 @@
+allow 10.0.0.0/8;
+allow 172.16.0.0/12;
+allow 192.168.0.0/16;
+deny all;

conf/nginx/inc/cgi-bin

@@ -1,6 +1,4 @@
 fastcgi_pass unix:/run/php5-fpm.sock;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME /etc/nginx/cgi-bin.php;
-fastcgi_param SCRIPT_NAME "";
 fastcgi_param X_SCRIPT_FILENAME $request_filename;
-fastcgi_param X_SCRIPT_NAME "";

conf/nginx/inc/letsencrypt

@@ -1,5 +1,3 @@
-listen 80;
-
 location /.well-known/acme-challenge {
-	alias /data/letsencrypt;
+	alias /data/letsencrypt/challenge;
 }

conf/nginx/inc/redirect-ssl

@@ -1,2 +1,3 @@
-listen 80;
+location / {
-return 301 https://$host$request_uri;
+	return 301 https://$host$request_uri;
+}

conf/nginx/inc/restrict-wp-access

@@ -0,0 +1,9 @@
+location /wp-admin {
+	include inc/allow-local;
+	error_page 403 $scheme://$host/404;
+}
+
+location ~ /wp-login.php {
+	include inc/allow-local;
+	error_page 403 $scheme://$host/404;
+}

conf/nginx/sites-available/example

@@ -1,14 +1,17 @@
 server {
-	server_name localhost *.local;
+	server_name test.example.com;
 
-	listen 80;
 	listen 443 ssl;
 
 	root /usr/share/nginx/html;
+	index index.php index.html index.htm;
 
-	# redirect server error pages to the static page /50x.html
+	access_log /data/log/nginx/test-access.log;
+	error_log /data/log/nginx/test-error.log;
 
-	error_page 500 502 503 504 /50x.html;
+	location / {
+		try_files $uri $uri/ /index.php$is_args$args;
+	}
 
 	# PHP processing
 
@@ -18,13 +21,15 @@ server {
 		fastcgi_intercept_errors on;
 	}
 
+	include inc/restrict-wp-access;
+
 	# AWstats
 
 	location /awstats {
-		# You may want to secure this location by appending a random string
 		alias /usr/local/awstats/wwwroot/cgi-bin;
 		access_log off;
 		include inc/cgi-bin;
+		include inc/allow-local;
 	}
 
 	location /awstatsicons {

conf/nginx/sites-available/gogs

@@ -3,6 +3,9 @@ server {
 
 	listen 443 ssl;
 
+	access_log /data/log/nginx/git-access.log;
+	error_log /data/log/nginx/git-error.log;
+
 	location / {
 		proxy_pass http://localhost:3000;
 		include proxy_params;

conf/nginx/sites-available/gollum

@@ -1,6 +1,9 @@
 server {
 	server_name www.example.com;
 
+	access_log /data/log/nginx/www-access.log;
+	error_log /data/log/nginx/www-error.log;
+
 	location / {
 		proxy_pass http://localhost:4567/;
 		include proxy_params;

conf/nginx/sites-available/redirect-ssl-all

@@ -1,4 +1,8 @@
 server {
-	include inc/redirect-ssl;
 	server_name *.example.com;
+
+	listen 80;
+
+	include inc/redirect-ssl;
+	include inc/letsencrypt;
 }

conf/nginx/sites-available/seafile

@@ -3,6 +3,9 @@ server {
 
 	listen 443 ssl;
 
+	access_log /data/log/nginx/seafile-access.log;
+	error_log /data/log/nginx/seafile-error.log;
+
 	location / {
 		proxy_pass http://localhost:8000;
 		include proxy_params;

conf/nginx/sites-available/trac

@@ -1,6 +1,9 @@
 server {
 	server_name          trac.example.com;
 
+	access_log /data/log/nginx/trac-access.log;
+	error_log /data/log/nginx/trac-error.log;
+
 	client_max_body_size 20M;
 
 	location / {

conf/nginx/sites-enabled/example

@@ -1 +0,0 @@
-../sites-available/example