nginx_vhost.conf.master 11.7 KB
server {
        listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>
		
<tmpl_if name='ssl_enabled'>
        listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
		# NOTE(review): TLSv1 and TLSv1.1 were formally deprecated by RFC 8996, yet they stay enabled
		# for every SSL vhost rendered from this template. Confirm whether any legacy client still
		# needs them before narrowing the list to TLSv1.2.
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		# Both directives below are disabled, so cipher selection is left to settings outside this
		# template. NOTE(review): the disabled list still contains 3DES suites (the *-DES-CBC3-SHA
		# entries), CBC/SHA-1 suites and static-RSA key exchange (entries without ECDHE/DHE);
		# review it before uncommenting.
		# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
		# ssl_prefer_server_ciphers on;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
</tmpl_if>
        ssl_certificate <tmpl_var name='ssl_crt_file'>;
        ssl_certificate_key <tmpl_var name='ssl_key_file'>;
</tmpl_if>
        
        server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;

        root   <tmpl_var name='web_document_root_www'>;
		
<tmpl_if name='seo_redirect_enabled'>
        if ($http_host <tmpl_var name='seo_redirect_operator'> "<tmpl_var name='seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_if>
<tmpl_loop name="alias_seo_redirects">
        if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_loop>
<tmpl_loop name="local_redirects">
        if ($http_host <tmpl_var name='local_redirect_operator'> "<tmpl_var name='local_redirect_origin_domain'>") {
            rewrite ^<tmpl_var name='local_redirect_exclude'>(.*)$ <tmpl_var name='local_redirect_target'>$2 <tmpl_var name='local_redirect_type'>;
        }
</tmpl_loop>
<tmpl_if name='ssl_enabled'>
<tmpl_if name='rewrite_to_https' op='==' value='y'>
        # Permanently redirect any request that did not arrive over HTTPS to the same URI on https://.
        # NOTE(review): $http_host is the Host header exactly as the client sent it (any port
        # included), so the Location target echoes request input; nginx's normalised $host is the
        # usual alternative. Confirm which Host values can reach this vhost (for example when it
        # is the default server for its address) and whether a port in Host is expected here.
        if ($scheme != "https") {
            rewrite ^ https://$http_host$request_uri? permanent;
        }
</tmpl_if>
</tmpl_if>

<tmpl_loop name="own_redirects">
<tmpl_if name='use_rewrite'>
        <tmpl_if name='exclude_own_hostname'>if ($http_host != "<tmpl_var name='exclude_own_hostname'>") { </tmpl_if>rewrite ^<tmpl_var name='rewrite_exclude'>(.*)$ <tmpl_var name='rewrite_target'>$2 <tmpl_var name='rewrite_type'>;<tmpl_if name='exclude_own_hostname'> }</tmpl_if>
</tmpl_if>
<tmpl_if name='use_proxy'>
        location / {
            proxy_pass <tmpl_var name='rewrite_target'>;
            <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
<tmpl_loop name="proxy_directives">
        <tmpl_var name='proxy_directive'>
</tmpl_loop>
        }
</tmpl_if>
</tmpl_loop>
<tmpl_if name='use_proxy' op='!=' value='y'>		
        index index.html index.htm index.php index.cgi index.pl index.xhtml;
		
<tmpl_if name='ssi' op='==' value='y'>		
        location ~ \.shtml$ {
            ssi on;
        }
</tmpl_if>

<tmpl_if name='errordocs'>		
        error_page 400 /error/400.html;
        error_page 401 /error/401.html;
        error_page 403 /error/403.html;
        error_page 404 /error/404.html;
        error_page 405 /error/405.html;
        error_page 500 /error/500.html;
        error_page 502 /error/502.html;
        error_page 503 /error/503.html;
        recursive_error_pages on;
        location = /error/400.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/401.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/403.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/404.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/405.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/500.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/502.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/503.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
</tmpl_if>
		
        error_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log;
        access_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/access.log combined;

        ## Disable .htaccess and other hidden files
		# Regex location: matches any URI that contains a path segment beginning with a dot and refuses it.
		location ~ /\. {
			deny all;
		}

        ## Allow access for .well-known/acme-challenge
		# "^~" makes this prefix match final, so regex locations (including the dot-path deny
		# above) are not evaluated for ACME challenge requests.
		location ^~ /.well-known/acme-challenge/ {
			# Requests under this prefix leave no access-log entry and no not-found error-log entry.
			access_log off;
			log_not_found off;
			# Challenge files are served from this fixed ISPConfig directory, not from the site's document root.
			root /usr/local/ispconfig/interface/acme/;
			autoindex off;
			index index.html;
			# Serve only what exists under that root; everything else is answered with 404.
			try_files $uri $uri/ =404;
        }
		
        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
		
        location /stats/ {
            <tmpl_var name='web_document_root_www_proxy'>
            index index.html index.php;
            auth_basic "Members Only";
            auth_basic_user_file <tmpl_var name='stats_auth_passwd_file'>;
        }

        location ^~ /awstats-icon {
            alias /usr/share/awstats/icon;
        }

        location ~ \.php$ {
            try_files <tmpl_var name='rnd_php_dummy_file'> @php;
        }

<tmpl_if name='php' op='==' value='php-fpm'>
        location @php {
            # Pass the request on to FastCGI only when $uri maps to an existing file; otherwise
            # answer 404, so requests for non-existent .php paths never reach the PHP backend.
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
<tmpl_if name='use_tcp'>
            fastcgi_pass 127.0.0.1:<tmpl_var name='fpm_port'>;
</tmpl_if>
<tmpl_if name='use_socket'>
            fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            #fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_intercept_errors on;
        }
</tmpl_else>
	<tmpl_if name='php' op='==' value='hhvm'>
			location @php {
				try_files $uri =404;
				include /etc/nginx/fastcgi_params;
				fastcgi_pass unix:/var/run/hhvm/hhvm.<tmpl_var name='system_user'>.sock;
				fastcgi_index index.php;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				#fastcgi_param PATH_INFO $fastcgi_script_name;
				fastcgi_intercept_errors on;
				error_page 500 501 502 503 = @phpfallback;
			}
			
			location @phpfallback {
				try_files $uri =404;
				include /etc/nginx/fastcgi_params;
<tmpl_if name='use_tcp'>
				fastcgi_pass 127.0.0.1:<tmpl_var name='fpm_port'>;
</tmpl_if>
<tmpl_if name='use_socket'>
				fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
				fastcgi_index index.php;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				#fastcgi_param PATH_INFO $fastcgi_script_name;
				fastcgi_intercept_errors on;
			}
	</tmpl_else>

        location @php {
            deny all;
        }
	</tmpl_if>
</tmpl_if>
		
<tmpl_if name='cgi' op='==' value='y'>
        location /cgi-bin/ {
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
            # CGI scripts are resolved against document_root, not the web root used by the rest of the vhost.
            root <tmpl_var name='document_root'>;
            gzip off;
            # NOTE(review): one fixed fcgiwrap socket path is written into every site rendered from
            # this template. Which system user the CGI scripts run as depends on how fcgiwrap is
            # started, which is not visible here; confirm it gives the per-site isolation you expect.
            fastcgi_pass  unix:/var/run/fcgiwrap.socket;
            fastcgi_index index.cgi;
            fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_intercept_errors on;
        }
</tmpl_if>

# Each rewrite_rule entry is written into this server block exactly as supplied (the tmpl_var
# carries no escape attribute), so validating the rules and limiting who may set them has to
# happen before the template is rendered.
<tmpl_loop name="rewrite_rules">
        <tmpl_var name='rewrite_rule'>
</tmpl_loop>

# Each nginx_directive is emitted verbatim inside this server block (no escape attribute on the
# tmpl_var): whoever can set it controls arbitrary nginx configuration for this vhost. Treat the
# value as privileged input and validate it before rendering.
<tmpl_loop name="nginx_directives">
        <tmpl_var name='nginx_directive'>
</tmpl_loop>

<tmpl_if name='enable_pagespeed' op='==' value='y'>
        # PageSpeed settings, rendered only when enable_pagespeed is 'y'.
        pagespeed on;
        # The file cache path is fixed, so every vhost rendered from this template points at the same directory.
        pagespeed FileCachePath /var/ngx_pagespeed_cache;
        # NOTE(review): allow_self_signed makes PageSpeed accept self-signed certificates when it
        # fetches resources over HTTPS, i.e. those fetches are not fully certificate-verified.
        <tmpl_if name='ssl_enabled'>pagespeed FetchHttps enable,allow_self_signed;</tmpl_if>


        # let's speed up PageSpeed by storing it in the super duper fast memcached
        # The memcached endpoint is fixed to localhost:11211 for every vhost using this template.
        # NOTE(review): confirm that instance is not reachable from other hosts or untrusted local users.
        pagespeed MemcachedThreads 1;
        pagespeed MemcachedServers "localhost:11211";

        # Filter settings
        pagespeed RewriteLevel CoreFilters;
        pagespeed EnableFilters collapse_whitespace,remove_comments;

        #  Ensure requests for pagespeed optimized resources go to the pagespeed
        #  handler and no extraneous headers get set.
        location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
                add_header "" "";
                access_log off;
        }
        location ~ "^/ngx_pagespeed_static/" {
                access_log off;
        }
        location ~ "^/ngx_pagespeed_beacon$" {
                access_log off;
        }
        # The statistics, message and console endpoints below accept IPv4 loopback only. ::1 is not
        # listed, so IPv6-loopback requests fall through to "deny all". Access logging is off for
        # all of them, so denied requests are not recorded in the access log either.
        location /ngx_pagespeed_statistics {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /ngx_pagespeed_global_statistics {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /ngx_pagespeed_message {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /pagespeed_console {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
</tmpl_if>

<tmpl_loop name="basic_auth_locations">
        location <tmpl_var name='htpasswd_location'> { ##merge##
                auth_basic "Members Only";
                auth_basic_user_file <tmpl_var name='htpasswd_path'>.htpasswd;
				
                location ~ \.php$ {
                    try_files <tmpl_var name='rnd_php_dummy_file'> @php;
                }
        }
</tmpl_loop>
</tmpl_if>	
}

<tmpl_loop name="redirects">
server {
        # NOTE(review): ports 80 and 443 are hard-coded in this redirect server, while the main
        # server block of this template listens on the http_port / https_port variables.
        listen <tmpl_var name='ip_address'>:80;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:80;
</tmpl_if>
		
<tmpl_if name='ssl_enabled'>
        # No ssl_protocols or ssl_ciphers directive appears in this server block, so its TLS
        # settings come from the enclosing nginx configuration or the nginx defaults.
        listen <tmpl_var name='ip_address'>:443 ssl;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:443 ssl;
</tmpl_if>
        ssl_certificate <tmpl_var name='ssl_crt_file'>;
        ssl_certificate_key <tmpl_var name='ssl_key_file'>;
</tmpl_if>
        
        server_name <tmpl_var name='rewrite_domain'>;

<tmpl_if name='alias_seo_redirects2'>
<tmpl_loop name="alias_seo_redirects2">
        if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_loop>
</tmpl_if>
<tmpl_if name='use_rewrite'>
        rewrite ^ <tmpl_var name='rewrite_target'>$request_uri? <tmpl_var name='rewrite_type'>;
</tmpl_if>
<tmpl_if name='use_proxy'>
        location / {
            proxy_pass <tmpl_var name='rewrite_target'>;
            <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
<tmpl_loop name="proxy_directives">
        <tmpl_var name='proxy_directive'>
</tmpl_loop>
        }
</tmpl_if>
}
</tmpl_loop>