diff --git a/contrib/nginx.conf b/contrib/nginx.conf index 850d6ed2..d668ce09 100644 --- a/contrib/nginx.conf +++ b/contrib/nginx.conf @@ -1,22 +1,49 @@ server { - listen 80 default_server; - listen [::]:80 default_server; - server_name localhost; + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name pixelfed.example; # change this to your fqdn + root /home/pixelfed/public; # path to repo/public - index index.php index.html; - root /var/www/html/public; + ssl_certificate /etc/nginx/ssl/server.crt; # generate your own + ssl_certificate_key /etc/nginx/ssl/server.key; # or use letsencrypt - location / { - try_files $uri $uri/ /$is_args$args; - } + ssl_protocols TLSv1.2; + ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES; + ssl_prefer_server_ciphers on; - location ~ \.php$ { - try_files $uri =404; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass php:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - } + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options "nosniff"; + + index index.html index.htm index.php; + + charset utf-8; + + location / { + try_files $uri $uri/ /index.php?$query_string; + } + + location = /favicon.ico { access_log off; log_not_found off; } + location = /robots.txt { access_log off; log_not_found off; } + + error_page 404 /index.php; + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:/run/php-fpm/php-fpm.sock; # make sure this is correct + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; # or $request_filename + } + + location ~ /\.(?!well-known).* { + deny all; + } +} + +server { # Redirect http to https + server_name pixelfed.example; # change this to your fqdn + listen 80; + listen [::]:80; + return 301 https://$host$request_uri; }