diff --git a/webserver-configs/nginx-ddev-site.conf b/webserver-configs/nginx-ddev-site.conf new file mode 100644 index 000000000..e75cf2ff1 --- /dev/null +++ b/webserver-configs/nginx-ddev-site.conf @@ -0,0 +1,118 @@ +# ddev GravCMS config + +# You can override ddev's configuration by placing an edited copy +# of this config (or one of the other ones) in .ddev/nginx-site.conf +# See https://ddev.readthedocs.io/en/latest/users/extend/customization-extendibility/#providing-custom-nginx-configuration + +# Set https to 'on' if x-forwarded-proto is https +map $http_x_forwarded_proto $fcgi_https { + default off; + https on; +} + +server { + listen 80; ## listen for ipv4; this line is default and implied + listen [::]:80 default ipv6only=on; ## listen for ipv6 + # The NGINX_DOCROOT variable is substituted with + # its value when the container is started. + root $NGINX_DOCROOT; + index index.php index.htm index.html; + + # Make site accessible from http://localhost/ + server_name _; + + # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html + sendfile off; + error_log /var/log/nginx/error.log info; + access_log /var/log/nginx/access.log; + + location / { + absolute_redirect off; + try_files $uri $uri/ /index.php?$query_string; + } + + # pass the PHP scripts to FastCGI server listening on socket + location ~ \.php$ { + try_files $uri =404; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:/run/php-fpm.sock; + fastcgi_buffers 16 16k; + fastcgi_buffer_size 32k; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_intercept_errors on; + # fastcgi_read_timeout should match max_execution_time in php.ini + fastcgi_read_timeout 10m; + fastcgi_param SERVER_NAME $host; + fastcgi_param HTTPS $fcgi_https; + } + + # Expire rules for static content + # Feed + location ~* \.(?:rss|atom|cache)$ { + expires 1h; + } + + # Media: images, icons, video, audio, HTC + location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ { + expires 1M; + access_log off; + add_header Cache-Control "public"; + } + + # Prevent clients from accessing hidden files (starting with a dot) + # This is particularly important if you store .htpasswd files in the site hierarchy + # Access to `/.well-known/` is allowed. + # https://www.mnot.net/blog/2010/04/07/well-known + # https://tools.ietf.org/html/rfc5785 + location ~* /\.(?!well-known\/) { + deny all; + } + + # Prevent clients from accessing to backup/config/source files + location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ { + deny all; + } + + ## Begin - Security + # deny all direct access for these folders + location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; } + # deny running scripts inside core system folders + location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } + # deny running scripts inside user folder + location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } + # deny access to specific files in the root folder + location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; } + ## End - Security + + + ## provide a health check endpoint + location /healthcheck { + access_log off; + stub_status on; + keepalive_timeout 0; # Disable HTTP keepalive + return 200; + } + + error_page 400 401 /40x.html; + location = /40x.html { + root /usr/share/nginx/html; + } + + location ~ ^/(fpmstatus|ping)$ { + access_log off; + stub_status on; + keepalive_timeout 0; # Disable HTTP keepalive + allow 127.0.0.1; + allow all; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + fastcgi_pass unix:/run/php-fpm.sock; + } + + +} +