From e17f26afe4825aea3034c01cc632b215c814f748 Mon Sep 17 00:00:00 2001
From: Jesper Kristensen
Date: Wed, 4 Dec 2024 12:16:34 +0100
Subject: [PATCH] ITKDevOps: Updated nginx config

---
 .docker/nginx.conf | 2 +-
 .docker/templates/default.conf.template | 4 ++
 .docker/vhost.conf | 94 ------------------------
 3 files changed, 5 insertions(+), 95 deletions(-)
 delete mode 100644 .docker/vhost.conf

diff --git a/.docker/nginx.conf b/.docker/nginx.conf
index d0a557b1..d6f5e64f 100644
--- a/.docker/nginx.conf
+++ b/.docker/nginx.conf
@@ -18,7 +18,7 @@ http {
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
-    set_real_ip_from 172.16.0.0/8;
+    set_real_ip_from 172.16.0.0/16;
     real_ip_recursive on;
     real_ip_header X-Forwarded-For;
diff --git a/.docker/templates/default.conf.template b/.docker/templates/default.conf.template
index 2da35cc2..aa570d27 100644
--- a/.docker/templates/default.conf.template
+++ b/.docker/templates/default.conf.template
@@ -6,6 +6,10 @@ server {
     client_max_body_size ${NGINX_MAX_BODY_SIZE};
+    set_real_ip_from 172.16.0.0/16;
+    real_ip_recursive on;
+    real_ip_header X-Forwarded-For;
+
     location = /favicon.ico {
         log_not_found off;
         access_log off;
diff --git a/.docker/vhost.conf b/.docker/vhost.conf
deleted file mode 100644
index 884b8a9c..00000000
--- a/.docker/vhost.conf
+++ /dev/null
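Review bot: The new trusted range `set_real_ip_from 172.16.0.0/16;` carries no comment saying which network it is meant to match, and because every peer in that range can rewrite `$remote_addr` through X-Forwarded-For (with `real_ip_recursive on` the rightmost untrusted hop is taken), the range should be provably the reverse-proxy network and nothing else. Docker's default address pool hands out /16 networks starting at 172.17.0.0, so whether 172.16.0.0/16 actually contains the proxy depends on how the compose networks are defined — worth confirming against the deployment. I would document the intent above the directive, e.g. `# Trust X-Forwarded-For only from the reverse-proxy network; any host in this range can spoof the client IP.` The previous value 172.16.0.0/8 had host bits set, which nginx masks down to 172.0.0.0/8 with a "low address bits are meaningless" warning, so this change does narrow trust, but the same literal is also added to default.conf.template in this commit and the two copies now have to be kept in sync by hand.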
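Review bot: The server-level `set_real_ip_from 172.16.0.0/16;` added here overrides rather than extends the http-level list in nginx.conf — the realip module only inherits `set_real_ip_from` when the server block defines none — so this copy is what actually governs the vhost, and a later edit to only one of the two files would silently change which peers are trusted. Since this file is already rendered with envsubst (see `${NGINX_MAX_BODY_SIZE}` in the context), consider sourcing the range from the environment, `set_real_ip_from ${NGINX_REAL_IP_FROM};`, and keeping a single definition; if this is the official nginx image's template mechanism, its envsubst has no `${VAR:-default}` syntax, so the variable must always be set or the directive renders empty and nginx refuses to start. The enclosing `server {` block starts before the hunk and continues past it.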
@@ -1,94 +0,0 @@
-server {
-    listen 8080;
-    server_name localhost;
-
-    client_max_body_size 90M;
-
-    root /app/web;
-
-    location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-    }
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    location ~* \.(txt|log)$ {
-        deny all;
-    }
-
-    location ~ \..*/.*\.php$ {
-        return 403;
-    }
-
-    location ~ ^/sites/.*/private/ {
-        return 403;
-    }
-
-    # Block access to scripts in site files directory
-    location ~ ^/sites/[^/]+/files/.*\.php$ {
-        deny all;
-    }
-
-    # Block access to "hidden" files and directories whose names begin with a
-    # period.
-    location ~ (^|/)\. {
-        return 403;
-    }
-
-    location / {
-        try_files $uri /index.php?$query_string;
-    }
-
-    location @rewrite {
-        rewrite ^ /index.php;
-    }
-
-    # Don't allow direct access to PHP files in the vendor directory.
-    location ~ /vendor/.*\.php$ {
-        deny all;
-        return 404;
-    }
-
-    # Protect files and directories from prying eyes.
-    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.tar|.gz|.bz2|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
-        deny all;
-        return 404;
-    }
-
-    location ~ '\.php$|^/update.php' {
-        include fastcgi_params;
-
-        fastcgi_buffers 16 32k;
-        fastcgi_buffer_size 64k;
-        fastcgi_busy_buffers_size 64k;
-
-        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-
-        # Ensure the php file exists. Mitigates CVE-2019-11043
-        try_files $fastcgi_script_name =404;
-
-        fastcgi_param HTTP_PROXY "";
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param PATH_INFO $fastcgi_path_info;
-        fastcgi_param QUERY_STRING $query_string;
-
-        fastcgi_intercept_errors on;
-        fastcgi_pass phpfpm:9000;
-    }
-
-    # Enforce clean URLs
-    #
-    # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
-    # Could be done with 301 for permanent or other redirect codes.
-    if ($request_uri ~* "^(.*/)index\.php/(.*)") {
-        return 307 $1$2;
-    }
-
-    error_log /dev/stderr;
-    access_log /dev/stdout main;
-}