# Main vhost: listens on the configured HTTP port and, with ssl, on the configured HTTPS port.
server {
listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996) and still offered here;
# restrict the list to TLSv1.2 and newer unless legacy clients must be supported.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# The explicit cipher list and the server-side cipher preference are commented out,
# so cipher selection is left to settings made elsewhere or to the nginx/OpenSSL defaults.
# NOTE(review): if this list is re-enabled, it still offers 3DES (the DES-CBC3-SHA suites)
# and static-RSA key exchange (AES128-SHA, AES256-SHA, ...) without forward secrecy; prune it first.
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# ssl_prefer_server_ciphers on;
listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
# Certificate and private key used by the ssl listeners of this vhost.
# NOTE(review): ownership and mode of the key file are set outside this template;
# confirm the site's own system user cannot read it.
ssl_certificate <tmpl_var name='ssl_crt_file'>;
ssl_certificate_key <tmpl_var name='ssl_key_file'>;
# Names served by this vhost: the main domain followed by the alias value.
server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;
# SEO redirect: when the Host request header matches the configured origin domain
# (the comparison operator is supplied by the template), redirect permanently to the
# configured target domain. The target host comes from configuration, not from the request.
# The trailing ? keeps nginx from appending the query string again ($request_uri already has it).
if ($http_host <tmpl_var name='seo_redirect_operator'> "<tmpl_var name='seo_redirect_origin_domain'>") {
rewrite ^ $scheme://<tmpl_var name='seo_redirect_target_domain'>$request_uri? permanent;
# The same redirect, emitted once per entry of the alias_seo_redirects loop.
<tmpl_loop name="alias_seo_redirects">
if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
# Local redirects: one host-conditional rewrite per entry of the loop.
# NOTE(review): the replacement uses $2 although the pattern shows a single (.*) group;
# presumably local_redirect_exclude supplies the first capture group - confirm.
<tmpl_loop name="local_redirects">
if ($http_host <tmpl_var name='local_redirect_operator'> "<tmpl_var name='local_redirect_origin_domain'>") {
rewrite ^<tmpl_var name='local_redirect_exclude'>(.*)$ <tmpl_var name='local_redirect_target'>$2 <tmpl_var name='local_redirect_type'>;
}
</tmpl_loop>
<tmpl_if name='ssl_enabled'>
<tmpl_if name='rewrite_to_https' op='==' value='y'>
# Force HTTPS for plain-HTTP requests.
# NOTE(review): $http_host is the raw Host request header, so the redirect target echoes
# whatever host the client sent. If this vhost can be the default server for its address,
# unknown Host values are reflected into the Location header; confirm a catch-all default
# server rejects them.
if ($scheme != "https") {
rewrite ^ https://$http_host$request_uri? permanent;
}
</tmpl_if>
</tmpl_if>
# Per-entry redirects: each entry is emitted either as a rewrite (use_rewrite) or as a proxy location (use_proxy).
<tmpl_loop name="own_redirects">
<tmpl_if name='use_rewrite'>
# Rewrite variant. When exclude_own_hostname is set, the rewrite is applied only to
# requests whose Host header differs from that hostname.
<tmpl_if name='exclude_own_hostname'>if ($http_host != "<tmpl_var name='exclude_own_hostname'>") { </tmpl_if>rewrite ^<tmpl_var name='rewrite_exclude'>(.*)$ <tmpl_var name='rewrite_target'>$2 <tmpl_var name='rewrite_type'>;<tmpl_if name='exclude_own_hostname'> }</tmpl_if>
</tmpl_if>
<tmpl_if name='use_proxy'>
# Proxy variant: requests under / are passed to the configured rewrite_target.
location / {
proxy_pass <tmpl_var name='rewrite_target'>;
# Strip the configured sub-directory prefix from the request URI.
<tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
# NOTE(review): every proxy_directive value is written into the configuration verbatim.
# Presumably the values are validated before they reach this template - confirm, because
# anything accepted here becomes live nginx configuration.
<tmpl_loop name="proxy_directives">
<tmpl_var name='proxy_directive'>
</tmpl_loop>
}
</tmpl_if>
</tmpl_loop>
# Everything from here on is emitted only when the site is not in proxy mode.
<tmpl_if name='use_proxy' op='!=' value='y'>
index index.html index.htm index.php index.cgi index.pl index.xhtml;
}
# Custom error pages: each listed status code is mapped to a static page under /error/.
error_page 400 /error/400.html;
error_page 401 /error/401.html;
error_page 403 /error/403.html;
error_page 404 /error/404.html;
error_page 405 /error/405.html;
error_page 500 /error/500.html;
error_page 502 /error/502.html;
# Allow an error raised while serving an error page to be redirected again.
recursive_error_pages on;
# Each page is an exact-match location marked internal: it is served only through
# error_page handling and cannot be requested directly by a client.
# web_document_root_www_proxy is expanded by the template; its content is not visible here.
location = /error/400.html {
<tmpl_var name='web_document_root_www_proxy'>
internal;
}
location = /error/401.html {
<tmpl_var name='web_document_root_www_proxy'>
internal;
}
location = /error/403.html {
<tmpl_var name='web_document_root_www_proxy'>
internal;
}
location = /error/404.html {
<tmpl_var name='web_document_root_www_proxy'>
internal;
}
location = /error/405.html {
<tmpl_var name='web_document_root_www_proxy'>
internal;
}
location = /error/500.html {
<tmpl_var name='web_document_root_www_proxy'>
internal;
}
location = /error/502.html {
<tmpl_var name='web_document_root_www_proxy'>
internal;
}
location = /error/503.html {
<tmpl_var name='web_document_root_www_proxy'>
# Per-domain log files. The value 'yes' selects the combined access-log format and 'anon'
# the format named anonymized, which is presumably defined outside this file - confirm.
# NOTE(review): both conditionals below are opened with a tmpl_if tag but closed with a
# tmpl_var end tag; confirm the template engine treats that as the end of the conditional.
<tmpl_if name='logging' op='==' value='yes'>
error_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log;
access_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/access.log combined;
</tmpl_var>
<tmpl_if name='logging' op='==' value='anon'>
error_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log;
access_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/access.log anonymized;
</tmpl_var>
# Deny every URI that contains a path component starting with a dot
# (.htaccess, .htpasswd, .git and similar).
location ~ /\. {
deny all;
}
## Allow access for .well-known/acme-challenge
# The ^~ prefix match stops nginx from evaluating regex locations for this prefix,
# so the dot-file deny rule above does not block ACME HTTP-01 validation.
location ^~ /.well-known/acme-challenge/ {
access_log off;
log_not_found off;
# Challenge files are read from a fixed directory under /usr/local/ispconfig/interface,
# not from the site's document root.
root /usr/local/ispconfig/interface/acme/;
autoindex off;
index index.html;
try_files $uri $uri/ =404;
expires max;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
# robots.txt is always reachable and is kept out of the logs.
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Statistics area, protected with HTTP basic authentication.
# NOTE(review): basic-auth credentials are only base64-encoded; unless the site redirects
# to HTTPS (rewrite_to_https) they can cross the network in clear text.
location /stats/ {
<tmpl_var name='web_document_root_www_proxy'>
index index.html index.php;
auth_basic "Members Only";
auth_basic_user_file <tmpl_var name='stats_auth_passwd_file'>;
}
alias /usr/share/awstats/icon;
}
# try_files falls through to the named @php location when the first path does not exist.
# Presumably rnd_php_dummy_file is chosen so that it never exists - verify.
try_files <tmpl_var name='rnd_php_dummy_file'> @php;
}
# PHP handled by PHP-FPM.
<tmpl_if name='php' op='==' value='php-fpm'>
location @php {
include /etc/nginx/fastcgi_params;
# PHP-FPM backend: a loopback TCP port or a unix socket, depending on the site settings.
# NOTE(review): SCRIPT_FILENAME below is derived from the request path, so only requests
# for files that exist should reach this point. The hhvm variant in this file uses
# "try_files $uri =404;" for that - confirm the same guard precedes these lines.
<tmpl_if name='use_tcp'>
fastcgi_pass 127.0.0.1:<tmpl_var name='fpm_port'>;
</tmpl_if>
<tmpl_if name='use_socket'>
fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
# Chroot mode: the paths handed to PHP are based on the chroot web folder.
<tmpl_if name='php_fpm_chroot' op='==' value='y'>
fastcgi_param DOCUMENT_ROOT <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param HOME <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param SCRIPT_FILENAME <tmpl_var name='php_fpm_chroot_web_folder'>$fastcgi_script_name;
# NOTE(review): presumably the non-chroot alternative of the line above; the separator
# between the two branches is not visible here - confirm.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_intercept_errors on;
# PHP handled by HHVM over a unix socket whose name contains the site's system user.
<tmpl_if name='php' op='==' value='hhvm'>
location @php {
# Answer 404 for paths that do not exist on disk instead of handing them to the interpreter.
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/hhvm/hhvm.<tmpl_var name='system_user'>.sock;
fastcgi_index index.php;
# Chroot mode: the paths handed to the backend are based on the chroot web folder.
<tmpl_if name='php_fpm_chroot'>
fastcgi_param DOCUMENT_ROOT <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param HOME <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param SCRIPT_FILENAME <tmpl_var name='php_fpm_chroot_web_folder'>$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param PATH_INFO $fastcgi_script_name;
# Let nginx handle error responses from the backend so that error_page applies to them.
fastcgi_intercept_errors on;
# When HHVM answers with one of these 5xx codes, the request is retried through the
# PHP-FPM fallback location below.
error_page 500 501 502 503 = @phpfallback;
}
# PHP-FPM fallback for requests HHVM failed to serve.
location @phpfallback {
# Answer 404 for paths that do not exist on disk instead of handing them to the interpreter.
try_files $uri =404;
include /etc/nginx/fastcgi_params;
<tmpl_if name='use_tcp'>
fastcgi_pass 127.0.0.1:<tmpl_var name='fpm_port'>;
</tmpl_if>
<tmpl_if name='use_socket'>
fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
fastcgi_index index.php;
<tmpl_if name='php_fpm_chroot'>
fastcgi_param DOCUMENT_ROOT <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param HOME <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param SCRIPT_FILENAME <tmpl_var name='php_fpm_chroot_web_folder'>$fastcgi_script_name;
# NOTE(review): presumably the non-chroot alternative of the line above; the separator
# between the two branches is not visible here - confirm.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_intercept_errors on;
}
</tmpl_else>
</tmpl_if>
include /etc/nginx/fastcgi_params;
root <tmpl_var name='document_root'>;
gzip off;
# CGI scripts are executed through fcgiwrap.
# NOTE(review): the socket path is fixed, so every vhost rendered from this template talks
# to the same fcgiwrap instance. Which account it runs scripts as is decided outside this
# file - confirm it gives the per-site isolation intended.
fastcgi_pass unix:/var/run/fcgiwrap.socket;
fastcgi_index index.cgi;
<tmpl_if name='php_fpm_chroot'>
fastcgi_param DOCUMENT_ROOT <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param HOME <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param SCRIPT_FILENAME <tmpl_var name='php_fpm_chroot_web_folder'>$fastcgi_script_name;
# NOTE(review): presumably the non-chroot alternative of the line above; the separator
# between the two branches is not visible here - confirm.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
}
# Site-specific rewrite rules, written into the server block verbatim.
# NOTE(review): presumably each rewrite_rule is validated before it reaches this template -
# confirm, because anything accepted here becomes live nginx configuration.
<tmpl_loop name="rewrite_rules">
<tmpl_var name='rewrite_rule'>
</tmpl_loop>
# Optional ngx_pagespeed support, emitted only when enable_pagespeed is 'y'.
<tmpl_if name='enable_pagespeed' op='==' value='y'>
pagespeed on;
pagespeed FileCachePath /var/ngx_pagespeed_cache;
# NOTE(review): allow_self_signed relaxes certificate checking for the HTTPS fetches
# PageSpeed makes for this site; confirm those fetches stay limited to the site's own origin.
<tmpl_if name='ssl_enabled'>pagespeed FetchHttps enable,allow_self_signed;</tmpl_if>
# let's speed up PageSpeed by storing it in the super duper fast memcached
# NOTE(review): the same memcached address is written for every vhost rendered from this
# template, and memcached has no authentication in a default install; confirm it is bound
# to loopback only and that sharing one instance between sites is acceptable.
pagespeed MemcachedThreads 1;
pagespeed MemcachedServers "localhost:11211";
# Filter settings
pagespeed RewriteLevel CoreFilters;
pagespeed EnableFilters collapse_whitespace,remove_comments;
# Ensure requests for pagespeed optimized resources go to the pagespeed
# handler and no extraneous headers get set.
location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
add_header "" "";
access_log off;
}
location ~ "^/ngx_pagespeed_static/" {
access_log off;
}
location ~ "^/ngx_pagespeed_beacon$" {
access_log off;
}
# The statistics, message and console handlers below are reachable from IPv4 loopback
# only; every other client address, including ::1, falls under "deny all".
location /ngx_pagespeed_statistics {
allow 127.0.0.1;
deny all;
access_log off;
}
location /ngx_pagespeed_global_statistics {
allow 127.0.0.1;
deny all;
access_log off;
}
location /ngx_pagespeed_message {
allow 127.0.0.1;
deny all;
access_log off;
}
location /pagespeed_console {
allow 127.0.0.1;
deny all;
access_log off;
}
</tmpl_if>
<tmpl_loop name="basic_auth_locations">
# Password-protected folder using HTTP basic authentication.
# NOTE(review): the password file is named .htpasswd under htpasswd_path. If that path lies
# inside the document root, the dot-file deny rule (location ~ /\.) is what keeps the file
# from being downloaded - confirm that rule stays in place.
location <tmpl_var name='htpasswd_location'> { ##merge##
auth_basic "Members Only";
auth_basic_user_file <tmpl_var name='htpasswd_path'>.htpasswd;
try_files <tmpl_var name='rnd_php_dummy_file'> @php;
</tmpl_if>
}
# Redirect-only vhosts: one additional server block per entry of the redirects loop.
# NOTE(review): ports 80 and 443 are hard-coded here, while the main vhost uses the
# http_port and https_port template variables; confirm that difference is intended.
<tmpl_loop name="redirects">
server {
listen <tmpl_var name='ip_address'>:80;
<tmpl_if name='ipv6_enabled'>
listen [<tmpl_var name='ipv6_address'>]:80;
</tmpl_if>
<tmpl_if name='ssl_enabled'>
listen <tmpl_var name='ip_address'>:443 ssl;
<tmpl_if name='ipv6_enabled'>
listen [<tmpl_var name='ipv6_address'>]:443 ssl;
</tmpl_if>
# Certificate and key for the ssl listeners of this redirect vhost.
# NOTE(review): no ssl_protocols line is visible in this server block, so protocol selection
# presumably comes from a higher configuration level or the nginx defaults - confirm it
# matches the policy applied to the main vhost.
ssl_certificate <tmpl_var name='ssl_crt_file'>;
ssl_certificate_key <tmpl_var name='ssl_key_file'>;
</tmpl_if>
server_name <tmpl_var name='rewrite_domain'>;
# Alias SEO redirects: a permanent redirect to the configured target domain when the Host
# header matches the configured origin domain. The target host comes from configuration.
<tmpl_if name='alias_seo_redirects2'>
<tmpl_loop name="alias_seo_redirects2">
if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
}
</tmpl_loop>
</tmpl_if>
## no redirect for acme
# ACME HTTP-01 challenge requests are answered from this location, which is declared before
# the redirect and proxy locations of this vhost. Files are read from a fixed directory under
# /usr/local/ispconfig/interface; directory listings are off and missing files return 404.
location ^~ /.well-known/acme-challenge/ {
access_log off;
log_not_found off;
root /usr/local/ispconfig/interface/acme/;
autoindex off;
index index.html;
try_files $uri $uri/ =404;
}
<tmpl_if name='use_rewrite'>
# Rewrite variant: every request is redirected to the configured target, keeping the
# original URI. The trailing ? keeps nginx from appending the query string a second time.
location / {
rewrite ^ <tmpl_var name='rewrite_target'>$request_uri? <tmpl_var name='rewrite_type'>;
}
</tmpl_if>
<tmpl_if name='use_proxy'>
# Proxy variant: requests under / are passed to the configured rewrite_target.
location / {
proxy_pass <tmpl_var name='rewrite_target'>;
# Strip the configured sub-directory prefix from the request URI.
<tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
# NOTE(review): every proxy_directive value is written into the configuration verbatim.
# Presumably the values are validated before they reach this template - confirm, because
# anything accepted here becomes live nginx configuration.
<tmpl_loop name="proxy_directives">
<tmpl_var name='proxy_directive'>
</tmpl_loop>
}
</tmpl_if>
}