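# Plain-HTTP virtual host serving the passbolt web root.
# NOTE(review): nothing in this block redirects to HTTPS, so a client that
# connects here directly reaches the application in cleartext. Unless a
# TLS-terminating proxy sits in front of this listener, consider answering
# every request with a redirect to the HTTPS virtual host instead.
server {
    listen 80;

    # Request-size limits: small buffers and a 100k body cap.
    client_body_buffer_size 100K;
    client_header_buffer_size 1k;
    client_max_body_size 100k;
    large_client_header_buffers 2 1k;

    # Timeouts, in seconds, so slow or idle clients are dropped quickly.
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 5 5;
    send_timeout 10;

    root /var/www/passbolt;

    # Response headers. "always" also attaches them to error responses
    # (4xx/5xx), which add_header skips by default. These server-level
    # headers are inherited only by locations that declare no add_header
    # of their own.

    # X-Frame-Options restricts framing to same-origin pages (clickjacking).
    add_header X-Frame-Options SAMEORIGIN always;

    # Disable content-type sniffing on some browsers.
    add_header X-Content-Type-Options nosniff always;

    # Legacy header: asks older browsers to enable their built-in XSS filter.
    # Current browsers no longer implement that filter, so this is not a
    # substitute for a Content-Security-Policy.
    add_header X-XSS-Protection "1; mode=block" always;

    # Browsers ignore Strict-Transport-Security received over plain HTTP
    # (RFC 6797), so on this listener the header does not by itself move
    # clients to HTTPS or stop SSL stripping. It only takes effect when the
    # response reaches the browser over TLS, e.g. through a terminating proxy.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;" always;

    # Only GET, PUT and POST are allowed. Any other method (including HEAD
    # and DELETE) gets 444: nginx closes the connection without a response.
    if ($request_method !~ ^(GET|PUT|POST)$ ) {
        return 444;
    }

    # Front controller: serve an existing file or directory, otherwise hand
    # the request to index.php with the original query string.
    location / {
        try_files $uri $uri/ /index.php?$args;
        index index.php;
    }

    location ~ \.php$ {
        # Hand the request to PHP-FPM only if the script exists under the
        # document root. Without this check any URI ending in ".php" is
        # forwarded, and PHP may resolve it to a different file than the one
        # requested. Assumes PHP-FPM sees the same filesystem as nginx.
        try_files $uri =404;

        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Static assets: no access-log entry and no "file not found" error-log
    # entry. Look under the root first, then app/webroot, then fall back to
    # the front controller.
    location ~* \.(jpe?g|woff|woff2|ttf|gif|png|bmp|ico|css|js|json|pdf|zip|htm|html|docx?|xlsx?|pptx?|txt|wav|swf|svg|avi|mp\d)$ {
        access_log off;
        log_not_found off;
        try_files $uri /app/webroot/$uri /index.php?$args;
    }
}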
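# HTTPS virtual host serving the passbolt web root.
server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive.
    listen 443 ssl;

    ssl_certificate /etc/ssl/certs/certificate.crt;
    # NOTE(review): the private key sits next to the public certificates.
    # Make sure this file is readable only by root / the nginx master
    # process, or move it to a directory that is not world-readable.
    ssl_certificate_key /etc/ssl/certs/certificate.key;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
    # Add TLSv1.3 here if the installed nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Same preference order as before, minus the 3DES suites (64-bit block
    # cipher, exposed to birthday-bound attacks on long-lived connections).
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;
    ssl_session_tickets off;

    root /var/www/passbolt;

    # Response headers. Each header is declared exactly once: the previous
    # configuration emitted three Strict-Transport-Security headers and two
    # conflicting X-Frame-Options values, leaving the effective policy up to
    # each browser. "always" also attaches the headers to error responses.
    # These server-level headers are inherited only by locations that declare
    # no add_header of their own.

    # HSTS: the value is the one that was listed first, which is the one a
    # browser honours when several are sent (RFC 6797). "preload" signals
    # consent to inclusion in browser preload lists; drop that token unless
    # every subdomain is served over HTTPS only.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;

    # Clickjacking protection. Current browsers treat conflicting values as a
    # refusal to be framed, so DENY keeps that behaviour. Switch to
    # SAMEORIGIN only if the application frames its own pages.
    add_header X-Frame-Options DENY always;

    # Disable content-type sniffing on some browsers.
    add_header X-Content-Type-Options nosniff always;

    # Legacy header: asks older browsers to enable their built-in XSS filter.
    # Current browsers no longer implement that filter, so this is not a
    # substitute for a Content-Security-Policy.
    add_header X-XSS-Protection "1; mode=block" always;

    # Only GET, PUT and POST are allowed. Any other method (including HEAD
    # and DELETE) gets 444: nginx closes the connection without a response.
    if ($request_method !~ ^(GET|PUT|POST)$ ) {
        return 444;
    }

    # Front controller: serve an existing file or directory, otherwise hand
    # the request to index.php with the original query string.
    location / {
        try_files $uri $uri/ /index.php?$args;
        index index.php;
    }

    location ~ \.php$ {
        # Hand the request to PHP-FPM only if the script exists under the
        # document root. Without this check any URI ending in ".php" is
        # forwarded, and PHP may resolve it to a different file than the one
        # requested. Assumes PHP-FPM sees the same filesystem as nginx.
        try_files $uri =404;

        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Static assets: no access-log entry and no "file not found" error-log
    # entry. Look under the root first, then app/webroot, then fall back to
    # the front controller.
    location ~* \.(jpe?g|woff|woff2|ttf|gif|png|bmp|ico|css|js|json|pdf|zip|htm|html|docx?|xlsx?|pptx?|txt|wav|swf|svg|avi|mp\d)$ {
        access_log off;
        log_not_found off;
        try_files $uri /app/webroot/$uri /index.php?$args;
    }
}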