nginx_vhost.conf.master 12.7 KB
<tmpl_if name='ssl_enabled'>
<tmpl_if name='rewrite_to_https' op='==' value='y'>
# Plain-HTTP server block, rendered only when SSL is enabled and the rewrite_to_https
# option is 'y'. Its only job is to redirect every request to HTTPS.
server {
        listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>
        server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;
        # Requests answered by this block are not written to any access log.
        access_log off;
		# Permanent redirect to the same host and URI over HTTPS. The trailing "?" stops
		# nginx from appending the query string again, since $request_uri already has it.
		# NOTE(review): $http_host is the Host header exactly as the client sent it
		# (including any port). If this block ever serves as the default server for the
		# address:port, arbitrary Host values are reflected into the Location header;
		# $host or a fixed server name would avoid that - confirm before changing.
		rewrite ^ https://$http_host$request_uri? permanent;
}
</tmpl_if>
</tmpl_if>

server {
<tmpl_unless name='ssl_enabled'>
        listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>
</tmpl_if>
		
<tmpl_if name='ssl_enabled'>
<tmpl_if name='rewrite_to_https' op='!=' value='y'>
        listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>
</tmpl_if>
        listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
		# NOTE(review): TLSv1 and TLSv1.1 are formally deprecated (RFC 8996). Keep them only
		# if legacy clients must be served; otherwise restrict this to TLSv1.2 (plus TLSv1.3
		# where the installed nginx/OpenSSL supports it).
		# The ssl_ciphers and ssl_prefer_server_ciphers lines below are commented out, so
		# unless they are set elsewhere (http context or custom directives) the cipher
		# selection falls back to the nginx build's default.
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
		# ssl_prefer_server_ciphers on;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
</tmpl_if>
        ssl_certificate <tmpl_var name='ssl_crt_file'>;
        ssl_certificate_key <tmpl_var name='ssl_key_file'>;
</tmpl_if>
        
        server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;

        root   <tmpl_var name='web_document_root_www'>;
		
<tmpl_if name='seo_redirect_enabled'>
        if ($http_host <tmpl_var name='seo_redirect_operator'> "<tmpl_var name='seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_if>
<tmpl_loop name="alias_seo_redirects">
        if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_loop>
# Per-host local redirects: one "if" block is rendered for each local_redirects entry.
# The test is made against $http_host, i.e. the Host header exactly as the client sent it
# (including any explicit port).
# NOTE(review): the replacement uses $2, but the only capture group written in this template
# is (.*); presumably the local_redirect_exclude value supplies the first group - verify
# against the code that fills it.
# The origin domain, exclude pattern, target and flag are substituted as-is; this template
# does not escape or validate them.
<tmpl_loop name="local_redirects">
        if ($http_host <tmpl_var name='local_redirect_operator'> "<tmpl_var name='local_redirect_origin_domain'>") {
            rewrite ^<tmpl_var name='local_redirect_exclude'>(.*)$ <tmpl_var name='local_redirect_target'>$2 <tmpl_var name='local_redirect_type'>;
        }
</tmpl_loop>

<tmpl_loop name="own_redirects">
<tmpl_if name='use_rewrite'>
        <tmpl_if name='exclude_own_hostname'>if ($http_host != "<tmpl_var name='exclude_own_hostname'>") { </tmpl_if>rewrite ^<tmpl_var name='rewrite_exclude'>(.*)$ <tmpl_var name='rewrite_target'>$2 <tmpl_var name='rewrite_type'>;<tmpl_if name='exclude_own_hostname'> }</tmpl_if>
</tmpl_if>
<tmpl_if name='use_proxy'>
        location / {
            proxy_pass <tmpl_var name='rewrite_target'>;
            <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
<tmpl_loop name="proxy_directives">
        <tmpl_var name='proxy_directive'>
</tmpl_loop>
        }
</tmpl_if>
</tmpl_loop>
<tmpl_if name='use_proxy' op='!=' value='y'>		
        index index.html index.htm index.php index.cgi index.pl index.xhtml;
		
<tmpl_if name='ssi' op='==' value='y'>		
        location ~ \.shtml$ {
            ssi on;
        }
</tmpl_if>

<tmpl_if name='errordocs'>		
        error_page 400 /error/400.html;
        error_page 401 /error/401.html;
        error_page 403 /error/403.html;
        error_page 404 /error/404.html;
        error_page 405 /error/405.html;
        error_page 500 /error/500.html;
        error_page 502 /error/502.html;
        error_page 503 /error/503.html;
        recursive_error_pages on;
        location = /error/400.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/401.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/403.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/404.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/405.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/500.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/502.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/503.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
</tmpl_if>
		
        error_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log;
        access_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/access.log combined;

        ## Disable .htaccess and other hidden files
		# Regex match on any URI containing "/." (for example .htaccess, .git or .env paths):
		# access is refused. The ^~ prefix location for /.well-known/acme-challenge/ defined
		# below still wins for that path, because a matching ^~ prefix makes nginx skip
		# regex locations.
		location ~ /\. {
			deny all;
		}

        ## Allow access for .well-known/acme-challenge
		location ^~ /.well-known/acme-challenge/ {
			access_log off;
			log_not_found off;
			root /usr/local/ispconfig/interface/acme/;
			autoindex off;
			index index.html;
			try_files $uri $uri/ =404;
        }
		
        location = /favicon.ico {
            log_not_found off;
            access_log off;
            expires max;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
		
        location /stats/ {
            <tmpl_var name='web_document_root_www_proxy'>
            index index.html index.php;
            auth_basic "Members Only";
            auth_basic_user_file <tmpl_var name='stats_auth_passwd_file'>;
        }

        location ^~ /awstats-icon {
            alias /usr/share/awstats/icon;
        }

        location ~ \.php$ {
            try_files <tmpl_var name='rnd_php_dummy_file'> @php;
        }

<tmpl_if name='php' op='==' value='php-fpm'>
        location @php {
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
<tmpl_if name='use_tcp'>
            fastcgi_pass 127.0.0.1:<tmpl_var name='fpm_port'>;
</tmpl_if>
<tmpl_if name='use_socket'>
            fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            #fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_intercept_errors on;
        }
</tmpl_else>
	<tmpl_if name='php' op='==' value='hhvm'>
			location @php {
				try_files $uri =404;
				include /etc/nginx/fastcgi_params;
				fastcgi_pass unix:/var/run/hhvm/hhvm.<tmpl_var name='system_user'>.sock;
				fastcgi_index index.php;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				#fastcgi_param PATH_INFO $fastcgi_script_name;
				fastcgi_intercept_errors on;
				error_page 500 501 502 503 = @phpfallback;
			}
			
			location @phpfallback {
				try_files $uri =404;
				include /etc/nginx/fastcgi_params;
<tmpl_if name='use_tcp'>
				fastcgi_pass 127.0.0.1:<tmpl_var name='fpm_port'>;
</tmpl_if>
<tmpl_if name='use_socket'>
				fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
				fastcgi_index index.php;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				#fastcgi_param PATH_INFO $fastcgi_script_name;
				fastcgi_intercept_errors on;
			}
	</tmpl_else>

        location @php {
            deny all;
        }
	</tmpl_if>
</tmpl_if>
		
<tmpl_if name='cgi' op='==' value='y'>
        location /cgi-bin/ {
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
            root <tmpl_var name='document_root'>;
            gzip off;
            fastcgi_pass  unix:/var/run/fcgiwrap.socket;
            fastcgi_index index.cgi;
            fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_intercept_errors on;
        }
</tmpl_if>

# Site-specific rewrite rules: each rewrite_rule value is written into the server block verbatim.
# NOTE(review): nothing in this template restricts what a value may contain (the same holds
# for the nginx_directives loop that follows), so whoever can set these values controls this
# vhost's configuration - validation presumably happens before rendering; confirm.
<tmpl_loop name="rewrite_rules">
        <tmpl_var name='rewrite_rule'>
</tmpl_loop>

<tmpl_loop name="nginx_directives">
        <tmpl_var name='nginx_directive'>
</tmpl_loop>

<tmpl_if name='enable_pagespeed' op='==' value='y'>
        # Optional ngx_pagespeed section, rendered only when the enable_pagespeed option is 'y'.
        pagespeed on;
        # NOTE(review): the cache path is a fixed literal, so every vhost rendered from this
        # template points at the same directory - confirm that sharing it between sites is intended.
        pagespeed FileCachePath /var/ngx_pagespeed_cache;
        # With SSL enabled, let PageSpeed fetch resources over HTTPS.
        # NOTE(review): allow_self_signed relaxes certificate checking for those fetches -
        # confirm it is only needed for the site's own certificate.
        <tmpl_if name='ssl_enabled'>pagespeed FetchHttps enable,allow_self_signed;</tmpl_if>


        # let's speed up PageSpeed by storing it in the super duper fast memcached
        # NOTE(review): one memcached endpoint (localhost:11211) is referenced by every vhost
        # that enables PageSpeed; memcached itself is not configured here - confirm it
        # listens on loopback only.
        pagespeed MemcachedThreads 1;
        pagespeed MemcachedServers "localhost:11211";

        # Filter settings
        pagespeed RewriteLevel CoreFilters;
        pagespeed EnableFilters collapse_whitespace,remove_comments;

        #  Ensure requests for pagespeed optimized resources go to the pagespeed
        #  handler and no extraneous headers get set.
        location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
                add_header "" "";
                access_log off;
        }
        location ~ "^/ngx_pagespeed_static/" {
                access_log off;
        }
        location ~ "^/ngx_pagespeed_beacon$" {
                access_log off;
        }
        # Statistics, message and console handlers: allowed from 127.0.0.1 only and never
        # logged. No ::1 entry is present, so IPv6 loopback is denied as well.
        # NOTE(review): the allow rule sees the connecting address; if this nginx sits behind a
        # proxy on the same host, every request arrives from 127.0.0.1 - verify the deployment.
        location /ngx_pagespeed_statistics {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /ngx_pagespeed_global_statistics {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /ngx_pagespeed_message {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /pagespeed_console {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
</tmpl_if>

<tmpl_loop name="basic_auth_locations">
        location <tmpl_var name='htpasswd_location'> { ##merge##
                auth_basic "Members Only";
                auth_basic_user_file <tmpl_var name='htpasswd_path'>.htpasswd;
				
                location ~ \.php$ {
                    try_files <tmpl_var name='rnd_php_dummy_file'> @php;
                }
        }
</tmpl_loop>
</tmpl_if>	
}

<tmpl_loop name="redirects">
server {
		listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>

<tmpl_if name='ssl_enabled'>
		listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
		# NOTE(review): TLSv1 and TLSv1.1 are formally deprecated (RFC 8996). Keep them only
		# if legacy clients must be served; otherwise restrict this to TLSv1.2 (plus TLSv1.3
		# where the installed nginx/OpenSSL supports it). No ssl_ciphers directive appears in
		# this redirect server block, so cipher selection comes from elsewhere or the default.
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
</tmpl_if>
        ssl_certificate <tmpl_var name='ssl_crt_file'>;
        ssl_certificate_key <tmpl_var name='ssl_key_file'>;
</tmpl_if>
        
        server_name <tmpl_var name='rewrite_domain'>;

<tmpl_if name='alias_seo_redirects2'>
<tmpl_loop name="alias_seo_redirects2">
        if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_loop>
</tmpl_if>
<tmpl_if name='use_rewrite'>
        rewrite ^ <tmpl_var name='rewrite_target'>$request_uri? <tmpl_var name='rewrite_type'>;
</tmpl_if>
<tmpl_if name='use_proxy'>
        location / {
            proxy_pass <tmpl_var name='rewrite_target'>;
            <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
<tmpl_loop name="proxy_directives">
        <tmpl_var name='proxy_directive'>
</tmpl_loop>
        }
</tmpl_if>
}
</tmpl_loop>