nginx_vhost.conf.master 14.3 KB
server {
        listen <tmpl_var name='ip_address'>:<tmpl_var name='http_port'>;
<tmpl_if name='use_proxy_protocol' op='==' value='y'>
<tmpl_if name='proxy_protocol_http' op='>' value='0'>
        listen <tmpl_var name='ip_address'>:<tmpl_var name='proxy_protocol_http'> proxy_protocol;
</tmpl_if>
</tmpl_if>
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
</tmpl_if>
<tmpl_if name='ipv6_wildcard'>
        listen [::]:<tmpl_var name='http_port'>;
</tmpl_if>
<tmpl_if name='ssl_enabled'>
        listen <tmpl_var name='ip_address'>:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
<tmpl_if name='use_proxy_protocol' op='==' value='y'>
<tmpl_if name='proxy_protocol_https' op='>' value='0'>
        listen <tmpl_var name='ip_address'>:<tmpl_var name='proxy_protocol_https'> ssl proxy_protocol;
</tmpl_if>
</tmpl_if>
		ssl_protocols TLSv1.2;
		## NOTE(review): only TLSv1.2 is offered by the ssl_protocols line above (no TLSv1.3).
		## The explicit cipher list below is disabled, so the nginx/OpenSSL default applies.
		## Before re-enabling it, trim the list: it still names CBC-mode, static-RSA and
		## 3DES (DES-CBC3) suites.
		# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
		# ssl_prefer_server_ciphers on;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
</tmpl_if>
<tmpl_if name='ipv6_wildcard'>
        listen [::]:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
</tmpl_if>
        ssl_certificate <tmpl_var name='ssl_crt_file'>;
        ssl_certificate_key <tmpl_var name='ssl_key_file'>;
</tmpl_if>
        
        server_name <tmpl_var name='domain'> <tmpl_var name='alias'>;
        root   <tmpl_var name='web_document_root_www'>;
<tmpl_if name='ssl_enabled'>
<tmpl_if name='rewrite_to_https' op='==' value='y'>
        ## Force HTTPS: a request that arrived over plain HTTP gets a permanent redirect
        ## to the same URI. The trailing "?" stops nginx from appending the query string
        ## a second time ($request_uri already contains it).
        ## NOTE(review): $http_host is the Host header exactly as the client sent it
        ## (port included), so the redirect target is client-influenced whenever this
        ## server block answers for names it does not list, e.g. as the default server
        ## for the address. Consider $host or a fixed name; confirm port handling first.
        if ($scheme != "https") {
            rewrite ^ https://$http_host$request_uri? permanent;
        }
</tmpl_if>
</tmpl_if>
<tmpl_if name='seo_redirect_enabled'>
        if ($http_host <tmpl_var name='seo_redirect_operator'> "<tmpl_var name='seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_if>
<tmpl_loop name="alias_seo_redirects">
        if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_loop>
<tmpl_loop name="local_redirects">
        if ($http_host <tmpl_var name='local_redirect_operator'> "<tmpl_var name='local_redirect_origin_domain'>") {
            rewrite ^<tmpl_var name='local_redirect_exclude'>(.*)$ <tmpl_var name='local_redirect_target'>$2 <tmpl_var name='local_redirect_type'>;
        }
</tmpl_loop>
        ## NOTE(review): the rewrites above append $2, the second capture group, while the
        ## literal pattern only contributes one group; the exclude value is presumably
        ## expected to supply the first - confirm against the code that fills it.
        ## Operator, origin, exclude and target are emitted without escaping here.

<tmpl_loop name="own_redirects">
<tmpl_if name='use_rewrite'>
        <tmpl_if name='exclude_own_hostname'>if ($http_host != "<tmpl_var name='exclude_own_hostname'>") { </tmpl_if>rewrite ^<tmpl_var name='rewrite_exclude'>(.*)$ <tmpl_var name='rewrite_target'>$2 <tmpl_var name='rewrite_type'>;<tmpl_if name='exclude_own_hostname'> }</tmpl_if>
</tmpl_if>
<tmpl_if name='use_proxy'>
        location / {
            proxy_pass <tmpl_var name='rewrite_target'>;
            <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
<tmpl_loop name="proxy_directives">
        <tmpl_var name='proxy_directive'>
</tmpl_loop>
        }
</tmpl_if>
</tmpl_loop>
<tmpl_if name='use_proxy' op='!=' value='y'>		
        index index.html index.htm index.php index.cgi index.pl index.xhtml;
<tmpl_if name='ssi' op='==' value='y'>		
        location ~ \.shtml$ {
            ssi on;
        }
</tmpl_if>
<tmpl_if name='errordocs'>		
        error_page 400 /error/400.html;
        error_page 401 /error/401.html;
        error_page 403 /error/403.html;
        error_page 404 /error/404.html;
        error_page 405 /error/405.html;
        error_page 500 /error/500.html;
        error_page 502 /error/502.html;
        error_page 503 /error/503.html;
        recursive_error_pages on;
        location = /error/400.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/401.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/403.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/404.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/405.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/500.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/502.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
        location = /error/503.html {
            <tmpl_var name='web_document_root_www_proxy'>
            internal;
        }
</tmpl_if>
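<tmpl_if name='logging' op='==' value='yes'>
        ## Per-site logs; the combined format records the full client address.
        error_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log;
        access_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/access.log combined;
</tmpl_if>
<tmpl_if name='logging' op='==' value='anon'>
        ## Per-site logs using the 'anonymized' log_format. That format is not defined in
        ## this template and has to be declared at http level (TODO confirm where).
        ## Only access_log takes a format: error_log entries still include the client address.
        error_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/error.log;
        access_log /var/log/ispconfig/httpd/<tmpl_var name='domain'>/access.log anonymized;
</tmpl_if>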
        ## Disable .htaccess and other hidden files
		location ~ /\. {
			deny all;
		}

        ## Allow access for .well-known/acme-challenge
		location ^~ /.well-known/acme-challenge/ {
			access_log off;
			log_not_found off;
			auth_basic off;
			root /usr/local/ispconfig/interface/acme/;
			autoindex off;
			index index.html;
			try_files $uri $uri/ =404;
        }
		
        location = /favicon.ico {
            log_not_found off;
            access_log off;
            expires max;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }
        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
		
        location /stats/ {
            <tmpl_var name='web_document_root_www_proxy'>
            index index.html index.php;
            auth_basic "Members Only";
            auth_basic_user_file <tmpl_var name='stats_auth_passwd_file'>;
        }
        location ^~ /awstats-icon {
            alias /usr/share/awstats/icon;
        }

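        ## All *.php requests are routed to the named location @php. The first try_files
        ## argument is a template-supplied dummy path (presumably one that never exists -
        ## confirm), so the @php fallback is what actually handles the request.
        ## Exactly one @php is rendered below: php-fpm, hhvm (with a php-fpm fallback),
        ## or a deny-all stub when neither is selected.
        ## NOTE(review): the else branches between those three variants are written in the
        ## closing-tag form of tmpl_else, unlike the plain form used inside the locations;
        ## presumably both render as "else" - confirm with the template engine.
        location ~ \.php$ {
            try_files <tmpl_var name='rnd_php_dummy_file'> @php;
        }

<tmpl_if name='php' op='==' value='php-fpm'>
        location @php {
            ## Hand a request to the backend only if the script file exists under root;
            ## this is the usual guard against PHP resolving the path to some other file
            ## (cgi.fix_pathinfo) and executing it.
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
<tmpl_if name='use_tcp'>
            fastcgi_pass 127.0.0.1:<tmpl_var name='fpm_port'>;
</tmpl_if>
<tmpl_if name='use_socket'>
            fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
            fastcgi_index index.php;
<tmpl_if name='php_fpm_chroot' op='==' value='y'>
            ## Chrooted pool: paths passed to PHP are relative to the chroot.
            fastcgi_param DOCUMENT_ROOT <tmpl_var name='php_fpm_chroot_web_folder'>;
            fastcgi_param HOME <tmpl_var name='php_fpm_chroot_web_folder'>;
            fastcgi_param SCRIPT_FILENAME <tmpl_var name='php_fpm_chroot_web_folder'>$fastcgi_script_name;
<tmpl_else>
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
</tmpl_if>
            #fastcgi_param PATH_INFO $fastcgi_script_name;
            fastcgi_intercept_errors on;
        }
</tmpl_else>
	<tmpl_if name='php' op='==' value='hhvm'>
			location @php {
				## Same existence check as for php-fpm: never pass a missing script on.
				try_files $uri =404;
				include /etc/nginx/fastcgi_params;
				## One HHVM socket per system user.
				fastcgi_pass unix:/var/run/hhvm/hhvm.<tmpl_var name='system_user'>.sock;
				fastcgi_index index.php;
<tmpl_if name='php_fpm_chroot' op='==' value='y'>
				## The chroot test compares against 'y', as the php-fpm variant does;
				## a bare truth test would also pass for a non-empty 'n'.
				fastcgi_param DOCUMENT_ROOT <tmpl_var name='php_fpm_chroot_web_folder'>;
				fastcgi_param HOME <tmpl_var name='php_fpm_chroot_web_folder'>;
				fastcgi_param SCRIPT_FILENAME <tmpl_var name='php_fpm_chroot_web_folder'>$fastcgi_script_name;
<tmpl_else>
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
</tmpl_if>
				#fastcgi_param PATH_INFO $fastcgi_script_name;
				fastcgi_intercept_errors on;
				## A 500/501/502/503 from HHVM is intercepted and the request is run again
				## through PHP-FPM in @phpfallback. NOTE(review): a request that partly
				## executed before failing may therefore run a second time.
				error_page 500 501 502 503 = @phpfallback;
			}

			location @phpfallback {
				try_files $uri =404;
				include /etc/nginx/fastcgi_params;
<tmpl_if name='use_tcp'>
				fastcgi_pass 127.0.0.1:<tmpl_var name='fpm_port'>;
</tmpl_if>
<tmpl_if name='use_socket'>
				fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
				fastcgi_index index.php;
<tmpl_if name='php_fpm_chroot' op='==' value='y'>
				fastcgi_param DOCUMENT_ROOT <tmpl_var name='php_fpm_chroot_web_folder'>;
				fastcgi_param HOME <tmpl_var name='php_fpm_chroot_web_folder'>;
				fastcgi_param SCRIPT_FILENAME <tmpl_var name='php_fpm_chroot_web_folder'>$fastcgi_script_name;
<tmpl_else>
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
</tmpl_if>
				#fastcgi_param PATH_INFO $fastcgi_script_name;
				fastcgi_intercept_errors on;
			}
	</tmpl_else>

        ## PHP is neither php-fpm nor hhvm for this site: refuse *.php requests (403)
        ## so that script source is never sent to clients.
        location @php {
            deny all;
        }
	</tmpl_if>
</tmpl_if>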
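<tmpl_if name='cgi' op='==' value='y'>
        ## CGI scripts under /cgi-bin/ are executed through fcgiwrap.
        location /cgi-bin/ {
            ## Only pass scripts that exist under the root set below.
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
            root <tmpl_var name='document_root'>;
            gzip off;
            ## NOTE(review): this is one fixed socket path for every site rendered from
            ## this template, so scripts run as whatever user the fcgiwrap service uses -
            ## confirm that this gives the per-site isolation you expect.
            fastcgi_pass  unix:/var/run/fcgiwrap.socket;
            fastcgi_index index.cgi;
<tmpl_if name='php_fpm_chroot' op='==' value='y'>
            ## The chroot test compares against 'y', as the php-fpm handler does;
            ## a bare truth test would also pass for a non-empty 'n'.
            fastcgi_param DOCUMENT_ROOT <tmpl_var name='php_fpm_chroot_web_folder'>;
            fastcgi_param HOME <tmpl_var name='php_fpm_chroot_web_folder'>;
            fastcgi_param SCRIPT_FILENAME <tmpl_var name='php_fpm_chroot_web_folder'>$fastcgi_script_name;
<tmpl_else>
            fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
</tmpl_if>
            fastcgi_intercept_errors on;
        }
</tmpl_if>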
<tmpl_loop name="rewrite_rules">
        <tmpl_var name='rewrite_rule'>
</tmpl_loop>
        ## NOTE(review): the rewrite rules above and the custom nginx directives that follow
        ## are emitted verbatim into this server block; nothing in this template escapes or
        ## checks them. Validation has to happen where the values are stored - confirm which
        ## roles may edit them and that the generated file is tested before nginx reloads.

<tmpl_loop name="nginx_directives">
        <tmpl_var name='nginx_directive'>
</tmpl_loop>

<tmpl_if name='enable_pagespeed' op='==' value='y'>
        ## ngx_pagespeed rewriting for this site. The file cache path and the memcached
        ## server below are the same literal values in every vhost rendered from this
        ## template.
        pagespeed on;
        pagespeed FileCachePath /var/ngx_pagespeed_cache;
        ## NOTE(review): allow_self_signed lets PageSpeed accept self-signed certificates on
        ## its HTTPS fetches; presumably intended for fetching this site's own resources -
        ## confirm it is not relied on for other origins.
        <tmpl_if name='ssl_enabled'>pagespeed FetchHttps enable,allow_self_signed;</tmpl_if>


        # let's speed up PageSpeed by storing it in the super duper fast memcached
        ## No memcached authentication is configured here; the server is addressed on
        ## localhost and should listen on loopback only.
        pagespeed MemcachedThreads 1;
        pagespeed MemcachedServers "localhost:11211";

        # Filter settings
        pagespeed RewriteLevel CoreFilters;
        pagespeed EnableFilters collapse_whitespace,remove_comments;

        #  Ensure requests for pagespeed optimized resources go to the pagespeed
        #  handler and no extraneous headers get set.
        location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
                add_header "" "";
                access_log off;
        }
        location ~ "^/ngx_pagespeed_static/" {
                access_log off;
        }
        location ~ "^/ngx_pagespeed_beacon$" {
                access_log off;
        }
        ## Statistics, message and console handlers: allowed from 127.0.0.1 only,
        ## everything else is denied. Access to them is not logged.
        location /ngx_pagespeed_statistics {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /ngx_pagespeed_global_statistics {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /ngx_pagespeed_message {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
        location /pagespeed_console {
                allow 127.0.0.1;
                deny all;
                access_log off;
        }
</tmpl_if>

<tmpl_loop name="basic_auth_locations">
        location <tmpl_var name='htpasswd_location'> { ##merge##
                auth_basic "Members Only";
                auth_basic_user_file <tmpl_var name='htpasswd_path'>.htpasswd;
				
                location ~ \.php$ {
                    try_files <tmpl_var name='rnd_php_dummy_file'> @php;
                }
        }
</tmpl_loop>
</tmpl_if>	
}

<tmpl_loop name="redirects">
server {
        listen <tmpl_var name='ip_address'>:80;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:80;
</tmpl_if>
		
<tmpl_if name='ssl_enabled'>
        listen <tmpl_var name='ip_address'>:443 ssl;
<tmpl_if name='ipv6_enabled'>
        listen [<tmpl_var name='ipv6_address'>]:443 ssl;
</tmpl_if>
        ssl_certificate <tmpl_var name='ssl_crt_file'>;
        ssl_certificate_key <tmpl_var name='ssl_key_file'>;
</tmpl_if>
        
        server_name <tmpl_var name='rewrite_domain'>;
<tmpl_if name='alias_seo_redirects2'>
<tmpl_loop name="alias_seo_redirects2">
        if ($http_host <tmpl_var name='alias_seo_redirect_operator'> "<tmpl_var name='alias_seo_redirect_origin_domain'>") {
            rewrite ^ $scheme://<tmpl_var name='alias_seo_redirect_target_domain'>$request_uri? permanent;
        }
</tmpl_loop>
</tmpl_if>
		## no redirect for acme
		## The ^~ prefix match ends the location search here, so challenge requests are
		## answered from the directory below rather than by any "location /" rewrite or
		## proxy rendered further down in this server block.
		## The root is a fixed path outside the site's own docroot and is reachable without
		## authentication; it should hold nothing but ACME challenge files.
		location ^~ /.well-known/acme-challenge/ {
			access_log off;
			log_not_found off;
			root /usr/local/ispconfig/interface/acme/;
			autoindex off;
			index index.html;
			try_files $uri $uri/ =404;
        }
<tmpl_if name='use_rewrite'>
		location / {
			rewrite ^ <tmpl_var name='rewrite_target'>$request_uri? <tmpl_var name='rewrite_type'>;
		}
</tmpl_if>
<tmpl_if name='use_proxy'>
        location / {
            proxy_pass <tmpl_var name='rewrite_target'>;
            <tmpl_if name='rewrite_subdir'>rewrite ^/<tmpl_var name='rewrite_subdir'>(.*) /$1;</tmpl_if>
<tmpl_loop name="proxy_directives">
        <tmpl_var name='proxy_directive'>
</tmpl_loop>
        }
</tmpl_if>
}
</tmpl_loop>