nginx_vhost.conf.master 12.9 KB
<tmpl_if name='ssl_enabled'>
<tmpl_if name='rewrite_to_https' op='==' value='y'>
# Plain-HTTP listener, rendered only when SSL is enabled and rewrite_to_https is 'y'.
# It serves no content: every request is answered with a permanent redirect to HTTPS.
server {
        listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>
        server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;
        access_log off;
		# The trailing '?' stops nginx from appending the query string a second time
		# ($request_uri already contains it).
		# NOTE(review): $http_host is the Host header exactly as the client sent it, so the
		# redirect target is client-influenced whenever this block answers a request for a
		# name outside server_name (e.g. if it ends up as the default server for the address).
		# $host or the configured domain would be a tighter target - confirm before changing,
		# because $http_host also carries any port the client sent.
		rewrite ^ https://$http_host$request_uri? permanent;
}
</tmpl_if>
</tmpl_if>

server {
<tmpl_unless name='ssl_enabled'>
        listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>
</tmpl_if>
		
<tmpl_if name='ssl_enabled'>
<tmpl_if name='rewrite_to_https' op='!=' value='y'>
        listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>
</tmpl_if>
        listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
		# NOTE(review): TLSv1 and TLSv1.1 are formally deprecated (RFC 8996) and cannot use
		# AEAD cipher suites. Restrict this to TLSv1.2 (plus TLSv1.3 where the nginx/OpenSSL
		# build supports it) unless legacy clients must still be served. The explicit
		# ssl_ciphers list and ssl_prefer_server_ciphers that follow are commented out, so
		# cipher selection comes from a higher-level setting or the built-in defaults.
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		# ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
		# ssl_prefer_server_ciphers on;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
</tmpl_if>
        ssl_certificate <tmpl_var name='ssl_crt_file'>;
        ssl_certificate_key <tmpl_var name='ssl_key_file'>;
</tmpl_if>
        
        server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;

        root   <tmpl_var name='web_document_root_www'>;
		
<tmpl_if name='seo_redirect_enabled'>
        if ($http_host <tmpl_var name='seo_redirect_operator'> "<tmpl_var name='seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_if>
<tmpl_loop name="alias_seo_redirects">
        if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_loop>
<tmpl_loop name="local_redirects">
        if ($http_host <tmpl_var name='local_redirect_operator'> "<tmpl_var name='local_redirect_origin_domain'>") {
            rewrite ^<tmpl_var name='local_redirect_exclude'>(.*)$ <tmpl_var name='local_redirect_target'>$2 <tmpl_var name='local_redirect_type'>;
        }
</tmpl_loop>

<tmpl_loop name="own_redirects">
<tmpl_if name='use_rewrite'>
        <tmpl_if name='exclude_own_hostname'>if ($http_host != "<tmpl_var name='exclude_own_hostname'>") { </tmpl_if>rewrite ^<tmpl_var name='rewrite_exclude'>(.*)$ <tmpl_var name='rewrite_target'>$2 <tmpl_var name='rewrite_type'>;<tmpl_if name='exclude_own_hostname'> }</tmpl_if>
</tmpl_if>
<tmpl_if name='use_proxy'>
        location / {
            proxy_pass <tmpl_var name='rewrite_target'>;
            <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
<tmpl_loop name="proxy_directives">
        <tmpl_var name='proxy_directive'>
</tmpl_loop>
        }
</tmpl_if>
</tmpl_loop>
<tmpl_if name='use_proxy' op='!=' value='y'>		
        index index.html index.htm index.php index.cgi index.pl index.xhtml;
		
<tmpl_if name='ssi' op='==' value='y'>		
        location ~ \.shtml$ {
            ssi on;
        }
</tmpl_if>

<tmpl_if name='errordocs'>		
        error_page 400 /error/400.html;
        error_page 401 /error/401.html;
        error_page 403 /error/403.html;
        error_page 404 /error/404.html;
        error_page 405 /error/405.html;
        error_page 500 /error/500.html;
        error_page 502 /error/502.html;
        error_page 503 /error/503.html;
        recursive_error_pages on;
        location = /error/400.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/401.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/403.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/404.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/405.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/500.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/502.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/503.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
</tmpl_if>
		
<tmpl_if name='logging' op='==' value='yes'>
        error_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log;
        access_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/access.log combined;
</tmpl_var>
<tmpl_if name='logging' op='==' value='anon'>
        # Per-domain logs for the 'anon' logging mode. 'anonymized' is a named log_format
        # that must be defined outside this template (not visible here). Only access_log
        # uses it; error_log takes no format, so its entries are written as nginx emits them.
        # NOTE(review): this block is closed with </tmpl_var> rather than </tmpl_if> -
        # confirm the template engine accepts that closer.
        error_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log;
        access_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/access.log anonymized;
</tmpl_var>

        ## Disable .htaccess and other hidden files
		location ~ /\. {
			deny all;
		}

        ## Allow access for .well-known/acme-challenge
		location ^~ /.well-known/acme-challenge/ {
			access_log off;
			log_not_found off;
			root /usr/local/ispconfig/interface/acme/;
			autoindex off;
			index index.html;
			try_files $uri $uri/ =404;
        }
		
        location = /favicon.ico {
            log_not_found off;
            access_log off;
            expires max;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
		
        location /stats/ {
            <tmpl_var name='web_document_root_www_proxy'>
            index index.html index.php;
            auth_basic "Members Only";
            auth_basic_user_file <tmpl_var name='stats_auth_passwd_file'>;
        }

        location ^~ /awstats-icon {
            alias /usr/share/awstats/icon;
        }

        location ~ \.php$ {
            try_files <tmpl_var name='rnd_php_dummy_file'> @php;
        }

<tmpl_if name='php' op='==' value='php-fpm'>
        location @php {
            # Hand the request to the FastCGI backend only when $uri maps to an existing file;
            # otherwise answer 404, so a non-existent script path is never passed to PHP.
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
<tmpl_if name='use_tcp'>
            # NOTE(review): a loopback TCP port carries no filesystem permissions, so any
            # local process can connect to this FPM pool. On multi-tenant hosts prefer the
            # unix-socket variant - confirm how use_tcp gets selected.
            fastcgi_pass 127.0.0.1:<tmpl_var name='fpm_port'>;
</tmpl_if>
<tmpl_if name='use_socket'>
            # Unix socket: who may connect is governed by the socket file's owner and mode.
            fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
            fastcgi_index index.php;
<tmpl_if name='php_fpm_chroot'>
            fastcgi_param SCRIPT_FILENAME /web$fastcgi_script_name;
</tmpl_if>
<tmpl_if name='php_fpm_nochroot'>
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
</tmpl_if>
            #fastcgi_param PATH_INFO $fastcgi_script_name;
<tmpl_if name='seo_redirect_enabled'>
            fastcgi_param SERVER_NAME <tmpl_var name='seo_redirect_target_domain'>;
</tmpl_if>
            fastcgi_intercept_errors on;
        }
</tmpl_else>
        location @php {
            deny all;
        }
</tmpl_if>
		
<tmpl_if name='cgi' op='==' value='y'>
        location /cgi-bin/ {
            try_files <tmpl_var name='rnd_php_dummy_file'> @cgi;
        }

        location @cgi {
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
            root <tmpl_var name='document_root'>;
            gzip off;
            fastcgi_pass  unix:/var/run/fcgiwrap.socket;
            fastcgi_index index.cgi;
            fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_intercept_errors on;
        }
</tmpl_if>

# NOTE(review): each rewrite_rule value is written into the server block verbatim; the tag
# carries no escape attribute, so whatever supplies these values controls nginx
# configuration text. Presumably they are validated before rendering - verify against the
# caller. The same applies to the nginx_directives loop that follows.
<tmpl_loop name="rewrite_rules">
        <tmpl_var name='rewrite_rule'>
</tmpl_loop>

<tmpl_loop name="nginx_directives">
        <tmpl_var name='nginx_directive'>
</tmpl_loop>

<tmpl_if name='enable_pagespeed' op='==' value='y'>
        # PageSpeed settings, rendered only when enable_pagespeed is 'y'.
        pagespeed on;
        # NOTE(review): the cache path is a literal, so every vhost rendered from this
        # template points at the same on-disk cache directory.
        pagespeed FileCachePath /var/ngx_pagespeed_cache;
        # NOTE(review): allow_self_signed relaxes certificate verification for PageSpeed's
        # own HTTPS fetches - confirm those fetches only ever target this host.
        <tmpl_if name='ssl_enabled'>pagespeed FetchHttps enable,allow_self_signed;</tmpl_if>


        # let's speed up PageSpeed by storing it in the super duper fast memcached
        # NOTE(review): the memcached endpoint is hard-coded and therefore shared by every
        # vhost using this template; memcached is commonly run without authentication, so
        # verify it listens on loopback only and that a shared cache is acceptable.
        pagespeed MemcachedThreads 1;
        pagespeed MemcachedServers "localhost:11211";

        # Filter settings
        pagespeed RewriteLevel CoreFilters;
        pagespeed EnableFilters collapse_whitespace,remove_comments;

        #  Ensure requests for pagespeed optimized resources go to the pagespeed
        #  handler and no extraneous headers get set.
        location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
                add_header "" "";
                access_log off;
        }
        location ~ "^/ngx_pagespeed_static/" {
                access_log off;
        }
        location ~ "^/ngx_pagespeed_beacon$" {
                access_log off;
        }
        # Statistics, message and console handlers: allowed from IPv4 loopback only and
        # denied to everyone else. ::1 is not listed, so IPv6 loopback is denied as well.
        location /ngx_pagespeed_statistics {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /ngx_pagespeed_global_statistics {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /ngx_pagespeed_message {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /pagespeed_console {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
</tmpl_if>

<tmpl_loop name="basic_auth_locations">
        location <tmpl_var name='htpasswd_location'> { ##merge##
                auth_basic "Members Only";
                auth_basic_user_file <tmpl_var name='htpasswd_path'>.htpasswd;
				
                location ~ \.php$ {
                    try_files <tmpl_var name='rnd_php_dummy_file'> @php;
                }

<tmpl_if name='cgi' op='==' value='y'>
                location ~ \.cgi$ {
                    try_files <tmpl_var name='rnd_php_dummy_file'> @cgi;
                }
</tmpl_if>
        }
</tmpl_loop>
</tmpl_if>	
}

<tmpl_loop name="redirects">
server {
		listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>

<tmpl_if name='ssl_enabled'>
		listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
		# NOTE(review): TLSv1 and TLSv1.1 are formally deprecated (RFC 8996) and cannot use
		# AEAD cipher suites. Restrict this to TLSv1.2 (plus TLSv1.3 where the nginx/OpenSSL
		# build supports it) unless legacy clients must still be served by these
		# redirect vhosts.
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
</tmpl_if>
        ssl_certificate <tmpl_var name='ssl_crt_file'>;
        ssl_certificate_key <tmpl_var name='ssl_key_file'>;
</tmpl_if>
        
        server_name <tmpl_var name='rewrite_domain'>;

<tmpl_if name='alias_seo_redirects2'>
<tmpl_loop name="alias_seo_redirects2">
        if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_loop>
</tmpl_if>
		## no redirect for acme
		# The ^~ modifier makes this prefix match final (regex locations are not consulted),
		# so challenge files are served from the fixed ACME directory below.
		location ^~ /.well-known/acme-challenge/ {
			access_log off;
			log_not_found off;
			root /usr/local/ispconfig/interface/acme/;
			autoindex off;
			index index.html;
			# Serve only what exists under the root above; anything else is a 404.
			try_files $uri $uri/ =404;
        }
<tmpl_if name='use_rewrite'>
		location / {
			rewrite ^ <tmpl_var name='rewrite_target'>$request_uri? <tmpl_var name='rewrite_type'>;
		}
</tmpl_if>
<tmpl_if name='use_proxy'>
        location / {
            proxy_pass <tmpl_var name='rewrite_target'>;
            <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
<tmpl_loop name="proxy_directives">
        <tmpl_var name='proxy_directive'>
</tmpl_loop>
        }
</tmpl_if>
}
</tmpl_loop>