Merge pull request #1 from lehigh-university-libraries/nginx
Add nginx
Showing
4 changed files
with
191 additions
and
0 deletions.
@@ -0,0 +1,19 @@ | ||
name: Build and push nginx 1.25 | ||
on: | ||
push: | ||
paths: | ||
- 'nginx/**' | ||
- '.github/workflows/nginx-1.25.yml' | ||
- '.github/workflows/build-push.yml' | ||
|
||
jobs: | ||
deploy: | ||
uses: ./.github/workflows/build-push.yml | ||
with: | ||
dir: nginx | ||
major_version: 1.25 | ||
build_arg: NGINX_VERSION=1.25.1 | ||
permissions: | ||
contents: read | ||
id-token: write | ||
secrets: inherit |
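Review bot: The `push` trigger at the top of the hunk carries a `paths` filter but no `branches` filter, so a push to any branch that touches `nginx/**` or the two workflow files runs the reusable `build-push.yml` job; unless that workflow gates publishing on its own (it is not part of this diff), images built from unreviewed branches may be pushed under the same tags as the reviewed ones. A `branches:` list under `push:` naming the release branch confines the trigger. `secrets: inherit` on the last line also hands every repository and organization secret to the called workflow; declaring only the secrets the push step needs under `secrets:` keeps the exposure of a compromised build step smaller.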
@@ -0,0 +1,9 @@ | ||
ARG NGINX_VERSION=1.25.1 | ||
|
||
FROM nginx:${NGINX_VERSION} | ||
|
||
COPY conf/fastcgi_params /etc/nginx/fastcgi_params | ||
COPY conf/nginx.conf /etc/nginx/nginx.conf | ||
|
||
RUN rm /docker-entrypoint.d/* /etc/nginx/conf.d/*.conf && \ | ||
mkdir -p /code/web |
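Review bot: `FROM nginx:${NGINX_VERSION}` resolves a mutable tag, so the same `NGINX_VERSION=1.25.1` build argument can pull different base layers on different days; pinning the digest alongside the tag (`FROM nginx:${NGINX_VERSION}@sha256:<digest-placeholder>`) makes the build reproducible and turns any base-image change into an explicit, reviewable diff. The `rm /docker-entrypoint.d/*` line discards whatever startup hooks the upstream image ships in that directory, which looks intentional given that the configuration is baked in by the two `COPY` lines above; a one-line comment saying so would stop the next reader from restoring them. The `1.25.1` default here also duplicates the workflow's `build_arg`, so the two values need to move together.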
@@ -0,0 +1,24 @@ | ||
fastcgi_param QUERY_STRING $query_string; | ||
fastcgi_param REQUEST_METHOD $request_method; | ||
fastcgi_param CONTENT_TYPE $content_type; | ||
fastcgi_param CONTENT_LENGTH $content_length; | ||
|
||
fastcgi_param SCRIPT_NAME $fastcgi_script_name; | ||
fastcgi_param REQUEST_URI $request_uri; | ||
fastcgi_param DOCUMENT_URI $document_uri; | ||
fastcgi_param DOCUMENT_ROOT $document_root; | ||
fastcgi_param SERVER_PROTOCOL $server_protocol; | ||
fastcgi_param REQUEST_SCHEME $scheme; | ||
fastcgi_param HTTPS off; | ||
|
||
fastcgi_param GATEWAY_INTERFACE CGI/1.1; | ||
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; | ||
|
||
fastcgi_param REMOTE_ADDR $remote_addr; | ||
fastcgi_param REMOTE_PORT $remote_port; | ||
fastcgi_param SERVER_ADDR $server_addr; | ||
fastcgi_param SERVER_PORT $server_port; | ||
fastcgi_param SERVER_NAME $server_name; | ||
|
||
fastcgi_param REDIRECT_STATUS 200; | ||
|
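Review bot: `fastcgi_param HTTPS off;` is hard-coded, and the nginx.conf in this same commit only has `listen 80 default;`, so if TLS is terminated in front of this container PHP will always see a plain-HTTP request and Drupal will most likely generate `http://` URLs and non-secure cookies unless it is separately configured to trust the proxy. If that deployment is intended, derive the value rather than fixing it: a `map $http_x_forwarded_proto $fastcgi_https { default off; https on; }` in the `http` block and `fastcgi_param HTTPS $fastcgi_https;` here, honoured only for connections from the trusted proxy addresses. The same caveat applies to `REMOTE_ADDR $remote_addr`, which would carry the proxy's address rather than the client's unless `set_real_ip_from`/`real_ip_header` are configured.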
@@ -0,0 +1,139 @@ | ||
user nginx; | ||
worker_processes 1; | ||
error_log /dev/stderr warn; | ||
pid /var/run/nginx.pid; | ||
|
||
events { | ||
worker_connections 1024; | ||
} | ||
|
||
http { | ||
include /etc/nginx/mime.types; | ||
default_type application/octet-stream; | ||
|
||
error_log /dev/stderr warn; | ||
|
||
log_format compression '$remote_addr - $remote_user [$time_local] ' | ||
'"$request" $status $body_bytes_sent ' | ||
'"$http_referer" "$http_user_agent" "$gzip_ratio"'; | ||
access_log /dev/stderr compression; | ||
|
||
sendfile on; | ||
keepalive_timeout 65; | ||
include /etc/nginx/conf.d/*.conf; | ||
proxy_read_timeout 600; | ||
fastcgi_read_timeout 600; | ||
|
||
upstream php_fpm_service { | ||
server php-fpm:9000; | ||
} | ||
|
||
server { | ||
root /code/web; | ||
|
||
listen 80 default; | ||
|
||
location = /robots.txt { | ||
allow all; | ||
} | ||
|
||
# Very rarely should these ever be accessed outside of your lan | ||
location ~* \.(txt|log)$ { | ||
deny all; | ||
} | ||
|
||
location ~ \..*/.*\.php$ { | ||
return 403; | ||
} | ||
|
||
location ~ ^/sites/.*/private/ { | ||
return 403; | ||
} | ||
|
||
# Block access to scripts in site files directory | ||
location ~ ^/sites/[^/]+/files/.*\.php$ { | ||
deny all; | ||
} | ||
|
||
# Allow "Well-Known URIs" as per RFC 5785 | ||
location ~* ^/.well-known/ { | ||
allow all; | ||
} | ||
|
||
# Block access to "hidden" files and directories whose names begin with a | ||
# period. This includes directories used by version control systems such | ||
# as Subversion or Git to store control files. | ||
location ~ (^|/)\. { | ||
return 403; | ||
} | ||
|
||
location / { | ||
try_files $uri /index.php?$query_string; # For Drupal >= 7 | ||
} | ||
|
||
location @rewrite { | ||
rewrite ^ /index.php; # For Drupal >= 7 | ||
} | ||
|
||
# Don't allow direct access to PHP files in the vendor directory. | ||
location ~ /vendor/.*\.php$ { | ||
deny all; | ||
return 404; | ||
} | ||
|
||
# Protect files and directories from prying eyes. | ||
location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ { | ||
deny all; | ||
return 404; | ||
} | ||
|
||
location ~ '\.php$|^/update.php' { | ||
fastcgi_split_path_info ^(.+?\.php)(|/.*)$; | ||
|
||
# Ensure the php file exists. Mitigates CVE-2019-11043 | ||
try_files $fastcgi_script_name =404; | ||
|
||
fastcgi_index index.php; | ||
include fastcgi_params; | ||
|
||
# Block httpoxy attacks. See https://httpoxy.org/. | ||
fastcgi_param HTTP_PROXY ""; | ||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | ||
fastcgi_param PATH_INFO $fastcgi_path_info; | ||
fastcgi_param QUERY_STRING $query_string; | ||
fastcgi_intercept_errors on; | ||
|
||
fastcgi_pass php_fpm_service; | ||
} | ||
|
||
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { | ||
try_files $uri @rewrite; | ||
expires max; | ||
log_not_found off; | ||
} | ||
|
||
# Fighting with Styles? This little gem is amazing. | ||
location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7 | ||
try_files $uri @rewrite; | ||
} | ||
|
||
# Handle private files through Drupal. Private file's path can come | ||
# with a language prefix. | ||
location ~ ^(/[a-z\-]+)?/system/files/ { | ||
try_files $uri /index.php?$query_string; | ||
} | ||
|
||
# Enforce clean URLs | ||
# Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page | ||
# Could be done with 301 for permanent or other redirect codes. | ||
if ($request_uri ~* "^(.*/)index\.php/(.*)") { | ||
return 307 $1$2; | ||
} | ||
|
||
location ~ ^/(status|ping)$ { | ||
allow all; | ||
include fastcgi_params; | ||
fastcgi_pass php_fpm_service; | ||
} | ||
} | ||
} |
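Review bot: The `location ~ ^/(status|ping)$` block near the end of the hunk proxies PHP-FPM's status and ping endpoints with `allow all`, so anyone who can reach port 80 can read pool statistics and, with the `full` query, details of in-flight requests (assuming the php-fpm pool enables those paths); restrict it to the monitoring source, e.g. `allow <monitoring-CIDR>; deny all;` in place of `allow all;`, consistent with the "outside of your lan" comment on the `.txt|.log` location. The server-level `if ($request_uri ~* "^(.*/)index\.php/(.*)")` rule returns `$1$2` taken from the raw request URI, so a request whose path begins with `//` yields a protocol-relative `Location` header that points off-host; anchoring the target to the current host, `return 307 $scheme://$host$1$2;`, keeps the redirect on the site. Both points are independent and lie entirely inside this hunk.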