212 lines
7.5 KiB
Plaintext
212 lines
7.5 KiB
Plaintext
server {
|
||
listen 80;
|
||
#listen [::]:80;
|
||
server_name lnmp.org www.lnmp.org;
|
||
root /home/wwwroot/owncloud;
|
||
|
||
#如果需要http 301跳转到 https 需要将下面行前面的 # 注释去掉,并重载nginx
|
||
#return 301 https://lnmp.org$request_uri;
|
||
|
||
add_header X-Content-Type-Options nosniff;
|
||
add_header X-Frame-Options "SAMEORIGIN";
|
||
add_header X-XSS-Protection "1; mode=block";
|
||
add_header X-Robots-Tag none;
|
||
add_header X-Download-Options noopen;
|
||
add_header X-Permitted-Cross-Domain-Policies none;
|
||
|
||
location = /robots.txt {
|
||
allow all;
|
||
log_not_found off;
|
||
access_log off;
|
||
}
|
||
|
||
# The following 2 rules are only needed for the user_webfinger app.
|
||
# Uncomment it if you're planning to use this app.
|
||
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
|
||
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
|
||
|
||
location = /.well-known/carddav {
|
||
return 301 $scheme://$host/remote.php/dav;
|
||
}
|
||
location = /.well-known/caldav {
|
||
return 301 $scheme://$host/remote.php/dav;
|
||
}
|
||
|
||
location /.well-known/acme-challenge { }
|
||
|
||
# set max upload size
|
||
client_max_body_size 512M;
|
||
fastcgi_buffers 64 4K;
|
||
|
||
# Disable gzip to avoid the removal of the ETag header
|
||
gzip off;
|
||
|
||
# Uncomment if your server is build with the ngx_pagespeed module
|
||
# This module is currently not supported.
|
||
#pagespeed off;
|
||
|
||
error_page 403 /core/templates/403.php;
|
||
error_page 404 /core/templates/404.php;
|
||
|
||
location / {
|
||
rewrite ^ /index.php$uri;
|
||
}
|
||
|
||
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
|
||
return 404;
|
||
}
|
||
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
|
||
return 404;
|
||
}
|
||
|
||
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
|
||
fastcgi_split_path_info ^(.+\.php)(/.*)$;
|
||
include fastcgi.conf;
|
||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||
#Avoid sending the security headers twice
|
||
fastcgi_param modHeadersAvailable true;
|
||
fastcgi_param front_controller_active true;
|
||
fastcgi_pass unix:/tmp/php-cgi.sock;
|
||
fastcgi_intercept_errors on;
|
||
fastcgi_request_buffering off;
|
||
}
|
||
|
||
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
|
||
try_files $uri $uri/ =404;
|
||
index index.php;
|
||
}
|
||
|
||
# Adding the cache control header for js and css files
|
||
# Make sure it is BELOW the PHP block
|
||
location ~* \.(?:css|js)$ {
|
||
try_files $uri /index.php$uri$is_args$args;
|
||
add_header Cache-Control "public, max-age=7200";
|
||
# Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
|
||
# Before enabling Strict-Transport-Security headers please read into this topic first.
|
||
#add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
|
||
add_header X-Content-Type-Options nosniff;
|
||
add_header X-Frame-Options "SAMEORIGIN";
|
||
add_header X-XSS-Protection "1; mode=block";
|
||
add_header X-Robots-Tag none;
|
||
add_header X-Download-Options noopen;
|
||
add_header X-Permitted-Cross-Domain-Policies none;
|
||
# Optional: Don't log access to assets
|
||
access_log off;
|
||
}
|
||
|
||
location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
|
||
try_files $uri /index.php$uri$is_args$args;
|
||
# Optional: Don't log access to other assets
|
||
access_log off;
|
||
}
|
||
}
|
||
|
||
server {
|
||
listen 443 ssl http2;
|
||
#listen [::]:443 ssl http2;
|
||
server_name lnmp.org www.lnmp.org;
|
||
root /home/wwwroot/owncloud;
|
||
|
||
ssl_certificate /usr/local/nginx/conf/ssl/lnmp.org.crt;
|
||
ssl_certificate_key /usr/local/nginx/conf/ssl/lnmp.org.key;
|
||
ssl_session_timeout 5m;
|
||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||
ssl_prefer_server_ciphers on;
|
||
ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
|
||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
||
# openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
|
||
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
|
||
|
||
add_header X-Content-Type-Options nosniff;
|
||
add_header X-Frame-Options "SAMEORIGIN";
|
||
add_header X-XSS-Protection "1; mode=block";
|
||
add_header X-Robots-Tag none;
|
||
add_header X-Download-Options noopen;
|
||
add_header X-Permitted-Cross-Domain-Policies none;
|
||
|
||
location = /robots.txt {
|
||
allow all;
|
||
log_not_found off;
|
||
access_log off;
|
||
}
|
||
|
||
# The following 2 rules are only needed for the user_webfinger app.
|
||
# Uncomment it if you're planning to use this app.
|
||
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
|
||
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
|
||
|
||
location = /.well-known/carddav {
|
||
return 301 $scheme://$host/remote.php/dav;
|
||
}
|
||
location = /.well-known/caldav {
|
||
return 301 $scheme://$host/remote.php/dav;
|
||
}
|
||
|
||
location /.well-known/acme-challenge { }
|
||
|
||
# set max upload size
|
||
client_max_body_size 512M;
|
||
fastcgi_buffers 64 4K;
|
||
|
||
# Disable gzip to avoid the removal of the ETag header
|
||
gzip off;
|
||
|
||
# Uncomment if your server is build with the ngx_pagespeed module
|
||
# This module is currently not supported.
|
||
#pagespeed off;
|
||
|
||
error_page 403 /core/templates/403.php;
|
||
error_page 404 /core/templates/404.php;
|
||
|
||
location / {
|
||
rewrite ^ /index.php$uri;
|
||
}
|
||
|
||
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
|
||
return 404;
|
||
}
|
||
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
|
||
return 404;
|
||
}
|
||
|
||
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
|
||
fastcgi_split_path_info ^(.+\.php)(/.*)$;
|
||
include fastcgi.conf;
|
||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||
#Avoid sending the security headers twice
|
||
fastcgi_param modHeadersAvailable true;
|
||
fastcgi_param front_controller_active true;
|
||
fastcgi_pass unix:/tmp/php-cgi.sock;
|
||
fastcgi_intercept_errors on;
|
||
fastcgi_request_buffering off;
|
||
}
|
||
|
||
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
|
||
try_files $uri $uri/ =404;
|
||
index index.php;
|
||
}
|
||
|
||
# Adding the cache control header for js and css files
|
||
# Make sure it is BELOW the PHP block
|
||
location ~* \.(?:css|js)$ {
|
||
try_files $uri /index.php$uri$is_args$args;
|
||
add_header Cache-Control "public, max-age=7200";
|
||
# Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
|
||
# Before enabling Strict-Transport-Security headers please read into this topic first.
|
||
#add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
|
||
add_header X-Content-Type-Options nosniff;
|
||
add_header X-Frame-Options "SAMEORIGIN";
|
||
add_header X-XSS-Protection "1; mode=block";
|
||
add_header X-Robots-Tag none;
|
||
add_header X-Download-Options noopen;
|
||
add_header X-Permitted-Cross-Domain-Policies none;
|
||
# Optional: Don't log access to assets
|
||
access_log off;
|
||
}
|
||
|
||
location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
|
||
try_files $uri /index.php$uri$is_args$args;
|
||
# Optional: Don't log access to other assets
|
||
access_log off;
|
||
}
|
||
} |