nginx_vhost.conf.master 14 KB
<tmpl_if name='ssl_enabled'>
<tmpl_if name='rewrite_to_https' op='==' value='y'>
# Plain-HTTP listener whose only job is to send every request to HTTPS; the
# surrounding conditionals emit it when SSL is enabled and rewrite_to_https is 'y'.
server {
        listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>
        server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;
        # Requests answered by this redirect leave no access-log entry.
        access_log off;
		# NOTE(review): $http_host is the raw Host request header, so the redirect
		# target is built from client-supplied text (port included). If this vhost
		# can end up as the default server for the address, requests carrying an
		# arbitrary Host reach this rewrite. Consider $host or a fixed name, e.g.
		# "return 301 https://$host$request_uri;" -- confirm against setups that
		# rely on a non-standard port before changing.
		rewrite ^ https://$http_host$request_uri? permanent;
}
</tmpl_if>
</tmpl_if>

server {
<tmpl_unless name='ssl_enabled'>
        listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>
</tmpl_if>
		
<tmpl_if name='ssl_enabled'>
<tmpl_if name='rewrite_to_https' op='!=' value='y'>
        listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>
</tmpl_if>
        listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
		# NOTE(review): TLSv1 and TLSv1.1 are formally deprecated (RFC 8996) and are
		# still offered here; dropping them leaves "ssl_protocols TLSv1.2;" (add
		# TLSv1.3 only where the installed nginx/OpenSSL accept it).
		# The ssl_ciphers and ssl_prefer_server_ciphers lines that follow are
		# commented out, so cipher choice falls back to the nginx/OpenSSL defaults.
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
		# ssl_prefer_server_ciphers on;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
</tmpl_if>
        ssl_certificate <tmpl_var name='ssl_crt_file'>;
        ssl_certificate_key <tmpl_var name='ssl_key_file'>;
</tmpl_if>
        
        server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;

        root   <tmpl_var name='web_document_root_www'>;
		
<tmpl_if name='seo_redirect_enabled'>
        if ($http_host <tmpl_var name='seo_redirect_operator'> "<tmpl_var name='seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_if>
<tmpl_loop name="alias_seo_redirects">
        if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_loop>
# Host-conditional rewrites, one "if" block per local_redirects entry.
# The operator, origin domain, exclude pattern, target and rewrite flag are
# all inserted as-is, so they must already be valid nginx syntax when they
# reach this template -- TODO confirm where they are validated.
# NOTE(review): the replacement uses $2 although only one capture group is
# written literally in the pattern; presumably the exclude value supplies the
# first group -- verify against the code that fills it.
<tmpl_loop name="local_redirects">
        if ($http_host <tmpl_var name='local_redirect_operator'> "<tmpl_var name='local_redirect_origin_domain'>") {
            rewrite ^<tmpl_var name='local_redirect_exclude'>(.*)$ <tmpl_var name='local_redirect_target'>$2 <tmpl_var name='local_redirect_type'>;
        }
</tmpl_loop>

<tmpl_loop name="own_redirects">
<tmpl_if name='use_rewrite'>
        <tmpl_if name='exclude_own_hostname'>if ($http_host != "<tmpl_var name='exclude_own_hostname'>") { </tmpl_if>rewrite ^<tmpl_var name='rewrite_exclude'>(.*)$ <tmpl_var name='rewrite_target'>$2 <tmpl_var name='rewrite_type'>;<tmpl_if name='exclude_own_hostname'> }</tmpl_if>
</tmpl_if>
<tmpl_if name='use_proxy'>
        location / {
            proxy_pass <tmpl_var name='rewrite_target'>;
            <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
# Each proxy_directive value is written verbatim into the enclosing proxy
# location. Nothing in this template limits what a value may contain, so any
# restriction has to be enforced where the values are collected -- TODO
# confirm which accounts are allowed to set them.
<tmpl_loop name="proxy_directives">
        <tmpl_var name='proxy_directive'>
</tmpl_loop>
        }
</tmpl_if>
</tmpl_loop>
<tmpl_if name='use_proxy' op='!=' value='y'>		
        index index.html index.htm index.php index.cgi index.pl index.xhtml;
		
<tmpl_if name='ssi' op='==' value='y'>		
        location ~ \.shtml$ {
            ssi on;
        }
</tmpl_if>

<tmpl_if name='errordocs'>		
        error_page 400 /error/400.html;
        error_page 401 /error/401.html;
        error_page 403 /error/403.html;
        error_page 404 /error/404.html;
        error_page 405 /error/405.html;
        error_page 500 /error/500.html;
        error_page 502 /error/502.html;
        error_page 503 /error/503.html;
        recursive_error_pages on;
        location = /error/400.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/401.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/403.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/404.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/405.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/500.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/502.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/503.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
</tmpl_if>
		
<tmpl_if name='logging' op='==' value='yes'>
        error_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log;
        access_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/access.log combined;
</tmpl_var>
<tmpl_if name='logging' op='==' value='anon'>
        error_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log;
        access_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/access.log anonymized;
</tmpl_var>

        ## Disable .htaccess and other hidden files
		# The regex matches any URI containing "/.", so besides .htaccess it also
		# blocks dot-directories and dot-files at any depth (.git, .env and so on).
		# The ACME challenge path in this server block uses a "^~" prefix
		# location, which nginx selects without evaluating regex locations, so
		# /.well-known/acme-challenge/ is not caught by this rule. Other paths
		# under /.well-known/ are denied.
		location ~ /\. {
			deny all;
		}

        ## Allow access for .well-known/acme-challenge
		location ^~ /.well-known/acme-challenge/ {
			access_log off;
			log_not_found off;
			root /usr/local/ispconfig/interface/acme/;
			autoindex off;
			index index.html;
			try_files $uri $uri/ =404;
        }
		
        location = /favicon.ico {
            log_not_found off;
            access_log off;
            expires max;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
		
        location /stats/ {
            <tmpl_var name='web_document_root_www_proxy'>
            index index.html index.php;
            auth_basic "Members Only";
            auth_basic_user_file <tmpl_var name='stats_auth_passwd_file'>;
        }

        location ^~ /awstats-icon {
            alias /usr/share/awstats/icon;
        }

        location ~ \.php$ {
            try_files <tmpl_var name='rnd_php_dummy_file'> @php;
        }

<tmpl_if name='php' op='==' value='php-fpm'>
        location @php {
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
<tmpl_if name='use_tcp'>
            fastcgi_pass 127.0.0.1:<tmpl_var name='fpm_port'>;
</tmpl_if>
<tmpl_if name='use_socket'>
            fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
            fastcgi_index index.php;
<tmpl_if name='php_fpm_chroot'>
            fastcgi_param SCRIPT_FILENAME /web$fastcgi_script_name;
</tmpl_if>
<tmpl_if name='php_fpm_nochroot'>
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
</tmpl_if>
            #fastcgi_param PATH_INFO $fastcgi_script_name;
<tmpl_if name='seo_redirect_enabled'>
            fastcgi_param SERVER_NAME <tmpl_var name='seo_redirect_target_domain'>;
</tmpl_if>
            fastcgi_intercept_errors on;
        }
</tmpl_else>
	<tmpl_if name='php' op='==' value='hhvm'>
			location @php {
				try_files $uri =404;
				include /etc/nginx/fastcgi_params;
				fastcgi_pass unix:/var/run/hhvm/hhvm.<tmpl_var name='system_user'>.sock;
				fastcgi_index index.php;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				#fastcgi_param PATH_INFO $fastcgi_script_name;
<tmpl_if name='seo_redirect_enabled'>
                fastcgi_param SERVER_NAME <tmpl_var name='seo_redirect_target_domain'>;
</tmpl_if>
				fastcgi_intercept_errors on;
				error_page 500 501 502 503 = @phpfallback;
			}
			
			location @phpfallback {
				try_files $uri =404;
				include /etc/nginx/fastcgi_params;
<tmpl_if name='use_tcp'>
				fastcgi_pass 127.0.0.1:<tmpl_var name='fpm_port'>;
</tmpl_if>
<tmpl_if name='use_socket'>
				fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
				fastcgi_index index.php;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				#fastcgi_param PATH_INFO $fastcgi_script_name;
<tmpl_if name='seo_redirect_enabled'>
                fastcgi_param SERVER_NAME <tmpl_var name='seo_redirect_target_domain'>;
</tmpl_if>
				fastcgi_intercept_errors on;
			}
	</tmpl_else>

        location @php {
            deny all;
        }
	</tmpl_if>
</tmpl_if>
		
<tmpl_if name='cgi' op='==' value='y'>
        location /cgi-bin/ {
            try_files <tmpl_var name='rnd_php_dummy_file'> @cgi;
        }

        location @cgi {
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
            root <tmpl_var name='document_root'>;
            gzip off;
            fastcgi_pass  unix:/var/run/fcgiwrap.socket;
            fastcgi_index index.cgi;
            fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_intercept_errors on;
        }
</tmpl_if>

# Each rewrite_rule value is emitted verbatim at server-block level; the
# nginx_directives loop after it does the same with nginx_directive. The
# template applies no filtering, so a value can introduce any directive or
# location that nginx accepts in this context. Validation and any privilege
# check have to happen where the values are stored -- TODO confirm which
# accounts may edit them.
<tmpl_loop name="rewrite_rules">
        <tmpl_var name='rewrite_rule'>
</tmpl_loop>

<tmpl_loop name="nginx_directives">
        <tmpl_var name='nginx_directive'>
</tmpl_loop>

# Optional ngx_pagespeed configuration, emitted only when enable_pagespeed is 'y'.
<tmpl_if name='enable_pagespeed' op='==' value='y'>
        pagespeed on;
        # The cache directory is a fixed path, i.e. the same for every vhost
        # rendered from this template.
        pagespeed FileCachePath /var/ngx_pagespeed_cache;
        # NOTE(review): allow_self_signed makes PageSpeed accept self-signed
        # certificates when it fetches resources over HTTPS; confirm that the
        # fetches only ever go to origins this server controls.
        <tmpl_if name='ssl_enabled'>pagespeed FetchHttps enable,allow_self_signed;</tmpl_if>


        # let's speed up PageSpeed by storing it in the super duper fast memcached
        # NOTE(review): the memcached endpoint is hard-coded and shared by all
        # vhosts; presumably the daemon listens on loopback only -- verify, since
        # nothing here configures authentication for it.
        pagespeed MemcachedThreads 1;
        pagespeed MemcachedServers "localhost:11211";

        # Filter settings
        pagespeed RewriteLevel CoreFilters;
        pagespeed EnableFilters collapse_whitespace,remove_comments;

        #  Ensure requests for pagespeed optimized resources go to the pagespeed
        #  handler and no extraneous headers get set.
        location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
                add_header "" "";
                access_log off;
        }
        location ~ "^/ngx_pagespeed_static/" {
                access_log off;
        }
        location ~ "^/ngx_pagespeed_beacon$" {
                access_log off;
        }
        # Statistics, message and console endpoints: reachable from IPv4 loopback
        # only. ::1 is not listed, so local IPv6 clients are denied as well.
        # access_log is off in each of them, so neither allowed nor denied
        # requests to these paths are recorded in the access log.
        location /ngx_pagespeed_statistics {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /ngx_pagespeed_global_statistics {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /ngx_pagespeed_message {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /pagespeed_console {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
</tmpl_if>

<tmpl_loop name="basic_auth_locations">
        location <tmpl_var name='htpasswd_location'> { ##merge##
                auth_basic "Members Only";
                auth_basic_user_file <tmpl_var name='htpasswd_path'>.htpasswd;
				
                location ~ \.php$ {
                    try_files <tmpl_var name='rnd_php_dummy_file'> @php;
                }

<tmpl_if name='cgi' op='==' value='y'>
                location ~ \.cgi$ {
                    try_files <tmpl_var name='rnd_php_dummy_file'> @cgi;
                }
</tmpl_if>
        }
</tmpl_loop>
</tmpl_if>	
}

<tmpl_loop name="redirects">
server {
		listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>

<tmpl_if name='ssl_enabled'>
		listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
		# NOTE(review): TLSv1 and TLSv1.1 are formally deprecated (RFC 8996) and are
		# still offered by this redirect vhost; dropping them leaves
		# "ssl_protocols TLSv1.2;" (add TLSv1.3 only where the installed
		# nginx/OpenSSL accept it). No ssl_ciphers directive is set in this server
		# block, so cipher choice falls back to the nginx/OpenSSL defaults.
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
</tmpl_if>
        ssl_certificate <tmpl_var name='ssl_crt_file'>;
        ssl_certificate_key <tmpl_var name='ssl_key_file'>;
</tmpl_if>
        
        server_name <tmpl_var name='rewrite_domain'>;

<tmpl_if name='alias_seo_redirects2'>
<tmpl_loop name="alias_seo_redirects2">
        if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_loop>
</tmpl_if>
		## no redirect for acme
		# The "^~" prefix location is selected without evaluating regex locations,
		# and being more specific than "location /" it keeps ACME HTTP-01
		# challenge requests out of the rewrite/proxy location in this redirect
		# vhost.
		# Challenge files come from one fixed directory rather than the site's
		# own document root; a path with no matching file ends in a 404.
		location ^~ /.well-known/acme-challenge/ {
			# Challenge requests are not written to the access log, and missing
			# files are not reported in the error log.
			access_log off;
			log_not_found off;
			root /usr/local/ispconfig/interface/acme/;
			autoindex off;
			index index.html;
			try_files $uri $uri/ =404;
        }
<tmpl_if name='use_rewrite'>
		location / {
			rewrite ^ <tmpl_var name='rewrite_target'>$request_uri? <tmpl_var name='rewrite_type'>;
		}
</tmpl_if>
<tmpl_if name='use_proxy'>
        location / {
            proxy_pass <tmpl_var name='rewrite_target'>;
            <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
<tmpl_loop name="proxy_directives">
        <tmpl_var name='proxy_directive'>
</tmpl_loop>
        }
</tmpl_if>
}
</tmpl_loop>