# Main vhost: plain-HTTP and TLS listeners for the site's configured addresses.
server {
listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='use_proxy_protocol' op='==' value='y'>
<tmpl_if name='proxy_protocol_http' op='>' value='0'>
# PROXY-protocol listener: nginx expects a PROXY header on every connection to
# this port and exposes the address it carries as $proxy_protocol_addr. Anything
# that can connect to the port directly can supply an arbitrary client address,
# so the port should be reachable only from the trusted proxy / load balancer.
listen <tmpl_var name='ip_address'>:<tmpl_var name='proxy_protocol_http'> proxy_protocol;
</tmpl_if>
</tmpl_if>
listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
<tmpl_if name='ipv6_wildcard'>
listen [::]:<tmpl_var name='http_port'>;
</tmpl_if>
listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl http2;
<tmpl_if name='use_proxy_protocol' op='==' value='y'>
<tmpl_if name='proxy_protocol_https' op='>' value='0'>
# TLS variant of the PROXY-protocol listener; the same reachability restriction
# applies. Unlike the regular TLS listener above, it does not enable http2.
listen <tmpl_var name='ip_address'>:<tmpl_var name='proxy_protocol_https'> ssl proxy_protocol;
</tmpl_if>
</tmpl_if>
# The cipher list below is disabled. As written it still includes 3DES
# (DES-CBC3-SHA) and suites without forward secrecy (plain AES128-SHA,
# AES256-SHA, AES*-GCM-SHA* with RSA key exchange); review it before enabling.
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# ssl_prefer_server_ciphers on;
# TLS listeners for the site's IPv6 address and, optionally, the IPv6 wildcard.
listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl http2;
</tmpl_if>
<tmpl_if name='ipv6_wildcard'>
listen [::]:<tmpl_var name='https_port'> ssl http2;
ssl_certificate <tmpl_var name='ssl_crt_file'>;
ssl_certificate_key <tmpl_var name='ssl_key_file'>;
server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;
<tmpl_if name='ssl_enabled'>
<tmpl_if name='rewrite_to_https' op='==' value='y'>
# Force HTTPS: any request that did not arrive over TLS gets a permanent redirect.
# The redirect target is built from $http_host, i.e. the Host header exactly as
# the client sent it, so the Location header reflects whatever host was requested.
# NOTE(review): if this server block can be reached with an arbitrary Host (for
# example as the default server for the address), consider $host or a fixed
# domain here; confirm port handling before changing it.
if ($scheme != "https") {
rewrite ^ https://$http_host$request_uri? permanent;
}
</tmpl_if>
</tmpl_if>
if ($http_host <tmpl_var name='seo_redirect_operator'> "<tmpl_var name='seo_redirect_origin_domain'>") {
rewrite ^ $scheme://<tmpl_var name='seo_redirect_target_domain'>$request_uri? permanent;
<tmpl_loop name="alias_seo_redirects">
if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
<tmpl_loop name="local_redirects">
if ($http_host <tmpl_var name='local_redirect_operator'> "<tmpl_var name='local_redirect_origin_domain'>") {
rewrite ^<tmpl_var name='local_redirect_exclude'>(.*)$ <tmpl_var name='local_redirect_target'>$2 <tmpl_var name='local_redirect_type'>;
}
</tmpl_loop>
<tmpl_loop name="own_redirects">
<tmpl_if name='use_rewrite'>
<tmpl_if name='exclude_own_hostname'>if ($http_host != "<tmpl_var name='exclude_own_hostname'>") { </tmpl_if>rewrite ^<tmpl_var name='rewrite_exclude'>(.*)$ <tmpl_var name='rewrite_target'>$2 <tmpl_var name='rewrite_type'>;<tmpl_if name='exclude_own_hostname'> }</tmpl_if>
</tmpl_if>
<tmpl_if name='use_proxy'>
location / {
proxy_pass <tmpl_var name='rewrite_target'>;
<tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
<tmpl_loop name="proxy_directives">
<tmpl_var name='proxy_directive'>
</tmpl_loop>
}
</tmpl_if>
</tmpl_loop>
<tmpl_if name='use_proxy' op='!=' value='y'>
index index.html index.htm index.php index.cgi index.pl index.xhtml;
<tmpl_if name='ssi' op='==' value='y'>
}
<tmpl_if name='errordocs'>
error_page 400 /error/400.html;
error_page 401 /error/401.html;
error_page 403 /error/403.html;
error_page 404 /error/404.html;
error_page 405 /error/405.html;
error_page 500 /error/500.html;
error_page 502 /error/502.html;
recursive_error_pages on;
location = /error/400.html {
<tmpl_var name='web_document_root_www_proxy'>
internal;
}
location = /error/401.html {
<tmpl_var name='web_document_root_www_proxy'>
internal;
}
location = /error/403.html {
<tmpl_var name='web_document_root_www_proxy'>
internal;
}
location = /error/404.html {
<tmpl_var name='web_document_root_www_proxy'>
internal;
}
location = /error/405.html {
<tmpl_var name='web_document_root_www_proxy'>
internal;
}
location = /error/500.html {
<tmpl_var name='web_document_root_www_proxy'>
internal;
}
location = /error/502.html {
<tmpl_var name='web_document_root_www_proxy'>
internal;
}
location = /error/503.html {
<tmpl_var name='web_document_root_www_proxy'>
# Per-site log files, emitted according to the site's logging mode. The log
# directory name comes from the site's domain.
# NOTE(review): both conditionals below are opened with <tmpl_if> but closed
# with </tmpl_var>; confirm the template engine accepts the mismatched tag.
<tmpl_if name='logging' op='==' value='yes'>
error_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log;
access_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/access.log combined;
</tmpl_var>
<tmpl_if name='logging' op='==' value='anon'>
error_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log;
# "anonymized" is a log_format name that is not defined in this section; it is
# presumably declared in the global nginx configuration. Only the access log
# uses it here; the error log line is the same as in the 'yes' mode.
access_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/access.log anonymized;
</tmpl_var>
# Deny every request whose path contains a "/." segment (dotfiles such as
# .htaccess, .git, .env), so hidden files in the document root are not served.
location ~ /\. {
deny all;
}
## Allow access for .well-known/acme-challenge
# The ^~ modifier makes nginx skip regex locations once this prefix matches, so
# the dotfile deny rule above does not block ACME challenges. Files are served
# from the shared ISPConfig acme directory rather than the site's document root,
# and auth_basic is switched off so challenges work on password-protected sites.
location ^~ /.well-known/acme-challenge/ {
access_log off;
log_not_found off;
auth_basic off;
root /usr/local/ispconfig/interface/acme/;
autoindex off;
index index.html;
try_files $uri $uri/ =404;
expires max;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location /stats/ {
<tmpl_var name='web_document_root_www_proxy'>
index index.html index.php;
auth_basic "Members Only";
auth_basic_user_file <tmpl_var name='stats_auth_passwd_file'>;
}
alias /usr/share/awstats/icon;
}
try_files <tmpl_var name='rnd_php_dummy_file'> @php;
}
<tmpl_if name='php' op='==' value='php-fpm'>
location @php {
# Hand the request to the site's PHP-FPM pool, either over loopback TCP or over
# a unix socket, depending on how the pool is configured.
include /etc/nginx/fastcgi_params;
<tmpl_if name='use_tcp'>
# NOTE(review): a loopback TCP port has no filesystem permissions; presumably
# any local account on a shared host can connect to it. Confirm that is
# acceptable, or prefer the unix socket variant below.
fastcgi_pass 127.0.0.1:<tmpl_var name='fpm_port'>;
</tmpl_if>
<tmpl_if name='use_socket'>
fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
<tmpl_if name='php_fpm_chroot' op='==' value='y'>
# Chrooted pool: the paths passed to PHP are relative to the chroot, not to
# nginx's own view of the filesystem.
fastcgi_param DOCUMENT_ROOT <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param HOME <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param SCRIPT_FILENAME <tmpl_var name='php_fpm_chroot_web_folder'>$fastcgi_script_name;
# NOTE(review): in this listing the chroot and non-chroot SCRIPT_FILENAME lines
# follow each other with no else/closing tag in between; lines appear to be
# missing here, so check the full template before relying on this section.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_intercept_errors on;
<tmpl_if name='php' op='==' value='hhvm'>
location @php {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/hhvm/hhvm.<tmpl_var name='system_user'>.sock;
fastcgi_index index.php;
<tmpl_if name='php_fpm_chroot'>
fastcgi_param DOCUMENT_ROOT <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param HOME <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param SCRIPT_FILENAME <tmpl_var name='php_fpm_chroot_web_folder'>$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_intercept_errors on;
error_page 500 501 502 503 = @phpfallback;
}
location @phpfallback {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
<tmpl_if name='use_tcp'>
fastcgi_pass 127.0.0.1:<tmpl_var name='fpm_port'>;
</tmpl_if>
<tmpl_if name='use_socket'>
fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
fastcgi_index index.php;
<tmpl_if name='php_fpm_chroot'>
fastcgi_param DOCUMENT_ROOT <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param HOME <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param SCRIPT_FILENAME <tmpl_var name='php_fpm_chroot_web_folder'>$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_intercept_errors on;
}
</tmpl_else>
</tmpl_if>
include /etc/nginx/fastcgi_params;
root <tmpl_var name='document_root'>;
gzip off;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
fastcgi_index index.cgi;
<tmpl_if name='php_fpm_chroot'>
fastcgi_param DOCUMENT_ROOT <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param HOME <tmpl_var name='php_fpm_chroot_web_folder'>;
fastcgi_param SCRIPT_FILENAME <tmpl_var name='php_fpm_chroot_web_folder'>$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
}
<tmpl_loop name="rewrite_rules">
<tmpl_var name='rewrite_rule'>
</tmpl_loop>
<tmpl_if name='enable_pagespeed' op='==' value='y'>
# ngx_pagespeed settings, emitted only when PageSpeed is enabled for this site.
pagespeed on;
# The file cache path is a fixed directory, not a per-site one.
pagespeed FileCachePath /var/ngx_pagespeed_cache;
# allow_self_signed makes PageSpeed accept self-signed certificates when it
# fetches resources over HTTPS, so those fetches are not authenticated by a
# trusted CA.
<tmpl_if name='ssl_enabled'>pagespeed FetchHttps enable,allow_self_signed;</tmpl_if>
# let's speed up PageSpeed by storing it in the super duper fast memcached
pagespeed MemcachedThreads 1;
# NOTE(review): the memcached instance on localhost:11211 is a fixed, shared
# endpoint; presumably any local account that can reach the port can read or
# replace cached content. Confirm how memcached is restricted on this host.
pagespeed MemcachedServers "localhost:11211";
# Filter settings
pagespeed RewriteLevel CoreFilters;
pagespeed EnableFilters collapse_whitespace,remove_comments;
# Ensure requests for pagespeed optimized resources go to the pagespeed
# handler and no extraneous headers get set.
location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
add_header "" "";
access_log off;
}
location ~ "^/ngx_pagespeed_static/" {
access_log off;
}
location ~ "^/ngx_pagespeed_beacon$" {
access_log off;
}
# The statistics, message and console endpoints below are limited to loopback
# clients. NOTE(review): if nginx sits behind a proxy on the same host, every
# request may arrive from 127.0.0.1; confirm these stay private in that setup.
location /ngx_pagespeed_statistics {
allow 127.0.0.1;
deny all;
access_log off;
}
location /ngx_pagespeed_global_statistics {
allow 127.0.0.1;
deny all;
access_log off;
}
location /ngx_pagespeed_message {
allow 127.0.0.1;
deny all;
access_log off;
}
location /pagespeed_console {
allow 127.0.0.1;
deny all;
access_log off;
}
</tmpl_if>
<tmpl_loop name="basic_auth_locations">
location <tmpl_var name='htpasswd_location'> { ##merge##
auth_basic "Members Only";
auth_basic_user_file <tmpl_var name='htpasswd_path'>.htpasswd;
try_files <tmpl_var name='rnd_php_dummy_file'> @php;
</tmpl_if>
}
<tmpl_loop name="redirects">
server {
listen <tmpl_var name='ip_address'>:80;
<tmpl_if name='ipv6_enabled'>
listen [<tmpl_var name='ipv6_address'>]:80;
</tmpl_if>
<tmpl_if name='ssl_enabled'>
listen <tmpl_var name='ip_address'>:443 ssl;
<tmpl_if name='ipv6_enabled'>
listen [<tmpl_var name='ipv6_address'>]:443 ssl;
</tmpl_if>
ssl_certificate <tmpl_var name='ssl_crt_file'>;
ssl_certificate_key <tmpl_var name='ssl_key_file'>;
server_name <tmpl_var name='rewrite_domain'>;
<tmpl_if name='alias_seo_redirects2'>
<tmpl_loop name="alias_seo_redirects2">
if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
}
</tmpl_loop>
</tmpl_if>
## no redirect for acme
# This prefix is longer than "location /", so ACME challenge requests are
# answered here from the shared ISPConfig acme directory instead of being
# rewritten or proxied by the catch-all location that follows.
location ^~ /.well-known/acme-challenge/ {
access_log off;
log_not_found off;
root /usr/local/ispconfig/interface/acme/;
autoindex off;
index index.html;
try_files $uri $uri/ =404;
}
<tmpl_if name='use_rewrite'>
location / {
rewrite ^ <tmpl_var name='rewrite_target'>$request_uri? <tmpl_var name='rewrite_type'>;
}
</tmpl_if>
<tmpl_if name='use_proxy'>
location / {
proxy_pass <tmpl_var name='rewrite_target'>;
<tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
<tmpl_loop name="proxy_directives">
<tmpl_var name='proxy_directive'>
</tmpl_loop>
}
</tmpl_if>
}