nginx_vhost.conf.master 11.9 KB
server {
        listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>
		
<tmpl_if name='ssl_enabled'>
        listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
		# NOTE(review): TLSv1 and TLSv1.1 are formally deprecated (RFC 8996) and should be
		# dropped unless legacy clients must still be served. TLSv1.3 is not enabled by
		# this line.
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		# Both lines below are commented out, so this template sets no cipher list itself.
		# NOTE(review): as written the list still offers 3DES (the DES-CBC3-SHA entries) and
		# static-RSA suites without forward secrecy (AES128-SHA, AES256-SHA, AES128-GCM-SHA256, ...);
		# prune those before uncommenting.
		# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
		# ssl_prefer_server_ciphers on;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
</tmpl_if>
        ssl_certificate <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.crt;
        ssl_certificate_key <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.key;
</tmpl_if>
        
        server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;

        root   <tmpl_var name='web_document_root_www'>;
		
<tmpl_if name='seo_redirect_enabled'>
        if ($http_host <tmpl_var name='seo_redirect_operator'> "<tmpl_var name='seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_if>
<tmpl_loop name="alias_seo_redirects">
        if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_loop>
<tmpl_loop name="local_redirects">
        if ($http_host <tmpl_var name='local_redirect_operator'> "<tmpl_var name='local_redirect_origin_domain'>") {
            rewrite ^<tmpl_var name='local_redirect_exclude'>(.*)$ <tmpl_var name='local_redirect_target'>$2 <tmpl_var name='local_redirect_type'>;
        }
</tmpl_loop>
<tmpl_if name='ssl_enabled'>
<tmpl_if name='rewrite_to_https' op='==' value='y'>
        # Force HTTPS: a request that arrived over any other scheme gets a permanent
        # redirect to the same host and URI over https.
        # NOTE(review): the target is built from $http_host, the raw Host header sent by
        # the client, including any port it carried. If this server block is the default
        # for its listen address, an arbitrary Host value is reflected into the Location
        # header; redirecting to a configured name instead of the client-supplied one
        # avoids that. A non-default HTTP port in the Host header is also copied into
        # the https URL unchanged.
        if ($scheme != "https") {
            rewrite ^ https://$http_host$request_uri? permanent;
        }
</tmpl_if>
</tmpl_if>

<tmpl_loop name="own_redirects">
<tmpl_if name='use_rewrite'>
        <tmpl_if name='exclude_own_hostname'>if ($http_host != "<tmpl_var name='exclude_own_hostname'>") { </tmpl_if>rewrite ^<tmpl_var name='rewrite_exclude'>(.*)$ <tmpl_var name='rewrite_target'>$2 <tmpl_var name='rewrite_type'>;<tmpl_if name='exclude_own_hostname'> }</tmpl_if>
</tmpl_if>
<tmpl_if name='use_proxy'>
        location / {
            proxy_pass <tmpl_var name='rewrite_target'>;
            <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
# proxy_directive values are written into this proxy location exactly as supplied; the
# template does no quoting or filtering. NOTE(review): presumably they are validated
# before rendering - confirm, since any text here becomes live nginx configuration.
<tmpl_loop name="proxy_directives">
        <tmpl_var name='proxy_directive'>
</tmpl_loop>
        }
</tmpl_if>
</tmpl_loop>
<tmpl_if name='use_proxy' op='!=' value='y'>		
        index index.html index.htm index.php index.cgi index.pl index.xhtml;
		
<tmpl_if name='ssi' op='==' value='y'>		
        location ~ \.shtml$ {
            ssi on;
        }
</tmpl_if>

<tmpl_if name='errordocs'>		
        error_page 400 /error/400.html;
        error_page 401 /error/401.html;
        error_page 403 /error/403.html;
        error_page 404 /error/404.html;
        error_page 405 /error/405.html;
        error_page 500 /error/500.html;
        error_page 502 /error/502.html;
        error_page 503 /error/503.html;
        recursive_error_pages on;
        location = /error/400.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/401.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/403.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/404.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/405.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/500.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/502.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/503.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
</tmpl_if>
		
        error_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log;
        access_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/access.log combined;

        ## Deny access to .htaccess and other dot-files, except the ACME challenge path (.well-known/acme-challenge/)
        location ~ /\.(?!well-known/acme-challenge/) {
            deny all;
            access_log off;
            log_not_found off;
        }
		
        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
		
        location /stats/ {
            <tmpl_var name='web_document_root_www_proxy'>
            index index.html index.php;
            # The statistics area is protected with HTTP Basic auth against the file named
            # by stats_auth_passwd_file.
            # NOTE(review): regex locations take precedence over this prefix location, so a
            # request under /stats/ that ends in .php is handled by the server-level \.php$
            # location and is not covered by this auth_basic. The basic_auth_locations loop
            # nests its own \.php$ location, presumably for this reason - confirm whether
            # /stats/ needs the same.
            # Basic credentials are only base64-encoded, so they are readable on plain HTTP.
            auth_basic "Members Only";
            auth_basic_user_file <tmpl_var name='stats_auth_passwd_file'>;
        }

        location ^~ /awstats-icon {
            alias /usr/share/awstats/icon;
        }

        location ~ \.php$ {
            try_files <tmpl_var name='rnd_php_dummy_file'> @php;
        }

<tmpl_if name='php' op='==' value='php-fpm'>
        location @php {
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
<tmpl_if name='use_tcp'>
            fastcgi_pass 127.0.0.1:<tmpl_var name='fpm_port'>;
</tmpl_if>
<tmpl_if name='use_socket'>
            fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            #fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_intercept_errors on;
        }
</tmpl_else>
	<tmpl_if name='php' op='==' value='hhvm'>
			location @php {
				# Hand the request to the interpreter only when the requested file exists,
				# otherwise answer 404. This keeps a URI that merely ends in .php (for
				# example a path appended to an uploaded non-PHP file) from reaching the
				# backend with a script path that is not a real file.
				try_files $uri =404;
				include /etc/nginx/fastcgi_params;
				# The HHVM socket name contains the site's system user.
				fastcgi_pass unix:/var/run/hhvm/hhvm.<tmpl_var name='system_user'>.sock;
				fastcgi_index index.php;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				# PATH_INFO is deliberately left unset (line below is commented out).
				#fastcgi_param PATH_INFO $fastcgi_script_name;
				# Let nginx handle backend error responses itself via error_page.
				fastcgi_intercept_errors on;
				error_page 500 501 502 503 = @phpfallback;
			}
			
			location @phpfallback {
				try_files $uri =404;
				include /etc/nginx/fastcgi_params;
<tmpl_if name='use_tcp'>
				fastcgi_pass 127.0.0.1:<tmpl_var name='fpm_port'>;
</tmpl_if>
<tmpl_if name='use_socket'>
				fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
				fastcgi_index index.php;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				#fastcgi_param PATH_INFO $fastcgi_script_name;
				fastcgi_intercept_errors on;
			}
	</tmpl_else>

        # Fallback branch (php is neither php-fpm nor hhvm): .php requests routed to @php
        # are refused instead of being served as static files, so script source is not
        # disclosed.
        location @php {
            deny all;
        }
	</tmpl_if>
</tmpl_if>
		
<tmpl_if name='cgi' op='==' value='y'>
        location /cgi-bin/ {
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
            # CGI scripts are resolved below document_root rather than the web root set at
            # server level.
            root <tmpl_var name='document_root'>;
            gzip off;
            # NOTE(review): the fcgiwrap socket path is fixed, not per site, so CGI scripts of
            # every vhost rendered from this template go through the same fcgiwrap instance,
            # presumably under one shared account - confirm this matches the isolation model.
            fastcgi_pass  unix:/var/run/fcgiwrap.socket;
            fastcgi_index index.cgi;
            fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_intercept_errors on;
        }
</tmpl_if>

# rewrite_rule values are emitted verbatim into the server context, one per iteration.
# NOTE(review): nothing in this template limits them to rewrite directives; presumably
# the caller validates them before rendering - confirm.
<tmpl_loop name="rewrite_rules">
        <tmpl_var name='rewrite_rule'>
</tmpl_loop>

# nginx_directive values are free-form configuration inserted without filtering, so
# whoever can set them controls this vhost's nginx behaviour.
# NOTE(review): restrict who may edit them and syntax-check the rendered file before reload.
<tmpl_loop name="nginx_directives">
        <tmpl_var name='nginx_directive'>
</tmpl_loop>

<tmpl_if name='enable_pagespeed' op='==' value='y'>
        # PageSpeed is switched on for this vhost. The file cache path is a fixed
        # directory, not a per-site one.
        pagespeed on;
        pagespeed FileCachePath /var/ngx_pagespeed_cache;
        # NOTE(review): allow_self_signed makes PageSpeed accept self-signed certificates
        # when it fetches resources over HTTPS, so those fetches are not authenticated
        # against a CA.
        <tmpl_if name='ssl_enabled'>pagespeed FetchHttps enable,allow_self_signed;</tmpl_if>


        # let's speed up PageSpeed by storing it in the super duper fast memcached
        # NOTE(review): the memcached address is fixed, so every vhost rendered with
        # PageSpeed enabled points at the same instance; memcached should listen on
        # loopback only.
        pagespeed MemcachedThreads 1;
        pagespeed MemcachedServers "localhost:11211";

        # Filter settings
        pagespeed RewriteLevel CoreFilters;
        pagespeed EnableFilters collapse_whitespace,remove_comments;

        #  Ensure requests for pagespeed optimized resources go to the pagespeed
        #  handler and no extraneous headers get set.
        location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
                add_header "" "";
                access_log off;
        }
        location ~ "^/ngx_pagespeed_static/" {
                access_log off;
        }
        location ~ "^/ngx_pagespeed_beacon$" {
                access_log off;
        }
        # The four PageSpeed statistics, message and console paths below are reachable
        # from 127.0.0.1 only; the IPv6 loopback ::1 is not in the allow list and is
        # therefore denied.
        # NOTE(review): if a reverse proxy on this host forwards public traffic to nginx,
        # those requests also arrive from 127.0.0.1 - confirm that is not the case.
        location /ngx_pagespeed_statistics {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /ngx_pagespeed_global_statistics {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /ngx_pagespeed_message {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /pagespeed_console {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
</tmpl_if>

# ACME HTTP-01 challenge files are served from a fixed ISPConfig directory, not from
# the site's own document root.
# NOTE(review): the pattern has no ^ anchor, so it matches this path segment anywhere
# in the URI, not only at the start.
location ~ /\.well-known/acme-challenge/ {
	   root /usr/local/ispconfig/interface/acme/;
	   index index.html index.htm;
	   try_files $uri =404;
}


<tmpl_loop name="basic_auth_locations">
        location <tmpl_var name='htpasswd_location'> { ##merge##
                auth_basic "Members Only";
                auth_basic_user_file <tmpl_var name='htpasswd_path'>.htpasswd;
				
                location ~ \.php$ {
                    try_files <tmpl_var name='rnd_php_dummy_file'> @php;
                }
        }
</tmpl_loop>
</tmpl_if>	
}

<tmpl_loop name="redirects">
server {
        listen <tmpl_var name='ip_address'>:80;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:80;
</tmpl_if>
		
<tmpl_if name='ssl_enabled'>
        listen <tmpl_var name='ip_address'>:443 ssl;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:443 ssl;
</tmpl_if>
        ssl_certificate <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.crt;
        ssl_certificate_key <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.key;
</tmpl_if>
        
        server_name <tmpl_var name='rewrite_domain'>;

location ~ /\.well-known/acme-challenge/ {
	   root /usr/local/ispconfig/interface/acme/;
	   index index.html index.htm;
	   try_files $uri =404;
}

<tmpl_if name='alias_seo_redirects2'>
<tmpl_loop name="alias_seo_redirects2">
        if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_loop>
</tmpl_if>
<tmpl_if name='use_rewrite'>
        rewrite ^ <tmpl_var name='rewrite_target'>$request_uri? <tmpl_var name='rewrite_type'>;
</tmpl_if>
<tmpl_if name='use_proxy'>
        location / {
            proxy_pass <tmpl_var name='rewrite_target'>;
            <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
<tmpl_loop name="proxy_directives">
        <tmpl_var name='proxy_directive'>
</tmpl_loop>
        }
</tmpl_if>
}
</tmpl_loop>