====== Konfigurationsbeispiele ======
===== fastcgi.conf =====
# FastCGI parameter set, meant to be pulled in with "include" from a location
# that also sets fastcgi_pass.
#
# SCRIPT_FILENAME is built from the document root plus the script name taken
# from the request URI. The including location therefore decides which paths
# reach the interpreter: match only real script names and reject missing files
# (e.g. "try_files $uri =404;") before handing the request to the backend.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
# Sent only when the request arrived over TLS ($https is empty otherwise).
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
# Address and port of the peer connected to nginx; behind another proxy this
# is the proxy, not the end user.
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# NOTE(review): request headers reach the backend as HTTP_* variables, so a
# client-sent "Proxy" header shows up as HTTP_PROXY. If backend code honours
# HTTP_PROXY, clear it here with: fastcgi_param HTTP_PROXY "";
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
===== fcgi.conf =====
# fcgiwrap snippet for Debian-style cgi-bin scripts. Include it from the nginx
# configuration to serve /cgi-bin/ through the fcgiwrap socket.
# NOTE(review): no access control is set here, so every script under
# /usr/lib/cgi-bin is reachable by anyone who can reach the server; restrict
# it in the including server block if the scripts are not meant to be public.
location /cgi-bin/ {
    # No compression: a gzipped response is only sent once the script has
    # finished, which makes scripts feel slower.
    gzip off;

    # With root /usr/lib, /cgi-bin/<name> maps to /usr/lib/cgi-bin/<name>.
    root /usr/lib;

    # fcgiwrap listens on this Unix socket.
    fastcgi_pass unix:/var/run/fcgiwrap.socket;

    # Standard parameters first, then the non-standard SCRIPT_FILENAME.
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /usr/lib$fastcgi_script_name;
}
===== php.conf =====
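# PHP handler: hands requests for PHP scripts to PHP-FPM.
# The pattern is anchored with "$" so only URIs that end in ".php" match. The
# unanchored form "\.php" also matched names that merely contain ".php", and
# those would have been passed to the interpreter as well.
location ~ \.php$ {
    # Let nginx answer 404 for scripts that do not exist, instead of leaving
    # it to PHP-FPM to work out which part of the path is the script.
    try_files $uri =404;

    fastcgi_pass unix:/run/php/php-fpm.sock;
    include /etc/nginx/fastcgi.conf;
    fastcgi_index index.php;
}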
===== proxy_params =====
# Headers passed on to a proxied backend; include this next to proxy_pass.
# Host: the host name the client asked for.
proxy_set_header Host $host;
# X-Real-IP: address of the peer connected to this nginx.
proxy_set_header X-Real-IP $remote_addr;
# X-Forwarded-For: $proxy_add_x_forwarded_for appends $remote_addr to whatever
# X-Forwarded-For header the client sent. Only the last entry was written by
# this nginx, so the backend must not treat earlier entries as verified.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
===== ssl.conf =====
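# TLS settings shared by the HTTPS server blocks (pulled in with "include").

# Certificates and keys
# NOTE: the file paths are missing on this page; set the certificate chain and
# the private key here. The key file should be readable by root/nginx only.
ssl_certificate ;
ssl_certificate_key ;

# HSTS. "always" sends the header on error responses as well.
# add_header is inherited only by levels that define no add_header of their
# own: a location with its own add_header lines has to repeat this header.
add_header Strict-Transport-Security max-age=15768000 always;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;

# DH parameters for the DHE suites, generated with:
#   openssl dhparam -out dhparam.pem 2048
ssl_dhparam /etc/nginx/dhparam.pem;

# Protocols: TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
# Add TLSv1.3 where the installed nginx and OpenSSL support it.
ssl_protocols TLSv1.2;
# The list still carries CBC/SHA-1 and DHE-DSS fallbacks for old clients; trim
# it to the GCM suites if no such clients remain.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;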
===== PHPMyAdmin =====
Konfig als Subsite
# phpMyAdmin served below /phpmyadmin on an existing host.
# Port 80 only redirects to HTTPS. The target uses $server_name (taken from
# this configuration), not the Host header sent by the client.
server {
listen 80;
# NOTE(review): the host name is missing on this page.
server_name ;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name ;
include /etc/nginx/sites-available/ssl.conf;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# NOTE(review): nothing here limits who can reach phpMyAdmin. Consider
# allow/deny rules or auth_basic in front of the application's own login.
location /phpmyadmin {
# With root /usr/share/, /phpmyadmin/... maps to /usr/share/phpmyadmin/...
root /usr/share/;
index index.php;
# Static assets are served straight from disk.
location ~ ^/phpmyadmin/(.+\.(js|css|gif|jpg|png))$ {
root /usr/share/;
}
location ~ ^/phpmyadmin(.+\.php)$ {
# Scripts that do not exist are answered with 404 before FastCGI is involved.
try_files $uri =404;
root /usr/share/;
# NOTE(review): $fastcgi_https is not defined on this page; presumably it
# comes from a map in the http context. Confirm, or use $https as
# fastcgi.conf does.
fastcgi_param HTTPS $fastcgi_https;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# NOTE(review): php.conf as shown on this page is itself a location block, so
# this include nests a second PHP location that carries the fastcgi_pass.
include /etc/nginx/sites-available/php.conf;
# NOTE(review): fastcgi_params is not shown on this page; check that it does
# not define SCRIPT_FILENAME a second time.
include fastcgi_params;
}
}
# Maps the mixed-case spelling onto the lower-case location above. "^/*"
# matches every URI, so the whole URI is replaced by /phpmyadmin.
location /phpMyAdmin {
rewrite ^/* /phpmyadmin last;
}
}
Konfig als Subdomain
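# phpMyAdmin on a host name of its own.
# NOTE(review): the host names are missing on this page. Nothing here limits
# who can reach phpMyAdmin; consider allow/deny rules or auth_basic in front
# of the application's own login.

# Port 80 only redirects to HTTPS.
server {
    listen 80;
    server_name ;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name ;
    include /etc/nginx/sites-enabled/ssl.conf;
    # [...] (further directives are left out in the original example)

    location / {
        root /usr/share/phpmyadmin;
        index index.php;
    }

    location ~ \.php$ {
        root /usr/share/phpmyadmin;
        # Scripts that do not exist are answered with 404 by nginx itself.
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        fastcgi_index index.php;
        # NOTE(review): $fastcgi_https is not defined on this page; presumably
        # it comes from a map in the http context. Confirm before use.
        fastcgi_param HTTPS $fastcgi_https;
        # $request_filename already contains the document root, so the former
        # "$document_root$request_filename" produced a doubled path.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}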
===== Nagios =====
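# Nagios web interface with pnp4nagios, protected by HTTP basic auth.
# NOTE(review): there is no listen/ssl directive and the redirect below uses
# http://, so this host presumably answers on plain HTTP and the basic-auth
# credentials travel unencrypted. Serve it over TLS like the other examples.
server {
    server_name ;
    # "piwik" has to be a log_format defined elsewhere (not shown on this page).
    access_log /nagios.access.log piwik;
    error_log /nagios.error.log;
    expires 31d;
    root /usr/local/nagios/share;

    # Set at server level, so it applies to every location below.
    auth_basic "Nagios Restricted Access";
    auth_basic_user_file /usr/local/nagios/etc/htpasswd.users;

    # Anything that matches no other location is sent to the UI. The target
    # ends in "/" so that it lands in the /nagios/ location.
    location / {
        return 301 http://$server_name/nagios/;
    }

    # Prefix and alias both end in "/". With "location /nagios" (no slash) and
    # an alias that ends in "/", the rest of the URI is appended directly to
    # the alias directory and a request path could resolve outside
    # /usr/local/nagios/share/.
    location /nagios/ {
        alias /usr/local/nagios/share/;
        index index.php;
    }

    location /stylesheets {
        alias /usr/local/nagios/share/stylesheets;
    }

    # PHP pages of the UI; $1 is the script path below /nagios/.
    location ~ ^/nagios/(.*\.php)$ {
        alias /usr/local/nagios/share/$1;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
    }

    # CGI programs. The rewrite strips the /nagios/cgi-bin prefix so that the
    # script is looked up directly below /usr/local/nagios/sbin/.
    location ~ \.cgi$ {
        root /usr/local/nagios/sbin/;
        rewrite ^/nagios/cgi-bin/(.*)\.cgi /$1.cgi break;
        include fastcgi_params;
        # The CGIs receive the user name that passed basic auth.
        fastcgi_param AUTH_USER $remote_user;
        fastcgi_param REMOTE_USER $remote_user;
        # "fcgiwrap" is presumably an upstream defined elsewhere.
        fastcgi_pass fcgiwrap;
    }

    location /pnp4nagios {
        alias /usr/local/pnp4nagios/share;
        auth_basic "Nagios Restricted Access";
        auth_basic_user_file /usr/local/nagios/etc/htpasswd.users;
        index index.php;
        try_files $uri $uri/ @pnp4nagios;
    }

    # Front controller of pnp4nagios: everything goes to index.php, with the
    # rest of the path passed as PATH_INFO.
    location @pnp4nagios {
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        if ( $uri !~ /pnp4nagios/index.php(.*)) {
            rewrite ^/pnp4nagios/(.*)$ /pnp4nagios/index.php/$1 break;
        }
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        # Fixed script path: the request cannot choose which file is run.
        fastcgi_param SCRIPT_FILENAME /usr/local/pnp4nagios/share/index.php;
    }
}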
===== Owncloud mit Roundcube Plugin =====
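# ownCloud with the Roundcube plugin ("rc") on the same host.
# NOTE(review): host name, document roots and log directories are missing on
# this page ("server_name ;", "root ;"); fill them in before use.

# Redirect-only server. It has no listen directive, so nginx's default listen
# address applies.
server {
    server_name ;
    #rewrite ^ https://$server_name$request_uri? permanent;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    # The snakeoil pair is Debian's self-signed placeholder certificate;
    # replace it with a certificate issued for this host.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    include /etc/nginx/sites-enabled/ssl.conf;
    server_name ;
    access_log /hmura.access.log;
    error_log /hmura.error.log;
    # root ;
    index index.php;
    client_max_body_size 1000M; # set maximum upload size

    # Data and configuration must never be served. This is the first regex
    # location, so it wins over the PHP locations below.
    location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
        deny all;
    }

    location / {
        root ;
        try_files $uri $uri/ @webdav;
    }

    # NOTE(review): every URI that matches no file ends up here and is passed
    # to PHP with a SCRIPT_FILENAME derived from the URI.
    location @webdav {
        root ;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
    }

    location ~ ^/remote.php(/.*)$ {
        root ;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        include fastcgi_params;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        fastcgi_param HTTPS on;
    }

    # NOTE(review): HTTPS is set twice here, and there is no check that the
    # script exists before it is handed to PHP-FPM.
    location ~ \.php$ {
        root ;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param HTTPS $fastcgi_https;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
    }

    # Roundcube rules. Regex locations are tried in file order and the first
    # match wins, so the specific rules have to come before the general
    # "~ /rc" location; with "~ /rc" listed first they never took effect.
    location ~ /rc/favicon.ico$ {
        root ;
        log_not_found off;
        access_log off;
        expires max;
    }

    location ~ /rc/robots.txt$ {
        root ;
        allow all;
        log_not_found off;
        access_log off;
    }

    location ~ /rc/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
        root ;
        deny all;
    }

    location ~ /rc/(bin|SQL)/ {
        root ;
        deny all;
    }

    location ~ /rc/\. {
        root ;
        deny all;
        access_log off;
        log_not_found off;
    }

    # NOTE(review): this pattern only matches URIs ending in "/rc/.php", and
    # both "~ \.php$" and "~ /rc/\." above match first, so the block looks
    # unreachable. It was probably meant to cover the PHP files below /rc/.
    location ~ /rc/\.php$ {
        root ;
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS $fastcgi_https;
        fastcgi_index index.php;
    }

    # General Roundcube location; kept last (see above).
    location ~ /rc {
        root ;
        index index.php;
        try_files $uri $uri/ index.php;
    }
}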
===== Wordpress =====
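# WordPress, plain-HTTP host.
# NOTE(review): host name, root and log directory are missing on this page.
# This server delivers the whole site, login included, without TLS; the other
# examples on this page redirect port 80 to the HTTPS host instead.
server {
    server_name ;
    root ;
    client_max_body_size 40M;
    access_log /blog.access.log;
    error_log /blog.error.log;
    fastcgi_intercept_errors off;

    location = /favicon.ico { access_log off; log_not_found off; }

    # Hidden files (.htaccess, .git, ...) are never served.
    location ~ /\. { deny all; access_log off; log_not_found off; }

    # Front controller: anything that is not a file or directory goes to
    # /index.php.
    location / {
        index index.php;
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        # Only scripts that exist on disk are handed to PHP-FPM; without this
        # check PHP-FPM decides which part of the path is the script, which is
        # unsafe next to a directory that holds uploads.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
    }

    # Long-lived caching for static assets.
    location ~* \.(ico|css|js|gif|jpe?g|png)$ {
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }
}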
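# WordPress, HTTPS host.
# NOTE(review): host name, root and log directory are missing on this page.
server {
    listen 443 ssl http2;
    # The snakeoil pair is Debian's self-signed placeholder certificate;
    # replace it with a certificate issued for this host.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    include /etc/nginx/sites-enabled/ssl.conf;
    root ;
    index index.php;
    server_name ;
    access_log /blog.access.log;
    error_log /blog.error.log;

    # Hidden files are never served; same rule as on the plain-HTTP host,
    # which this server block was missing.
    location ~ /\. { deny all; access_log off; log_not_found off; }

    # Front controller: anything that is not a file or directory goes to
    # /index.php.
    location / {
        index index.php;
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        # Only scripts that exist on disk are handed to PHP-FPM; without this
        # check PHP-FPM decides which part of the path is the script, which is
        # unsafe next to a directory that holds uploads.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
    }

    # Long-lived caching for static assets.
    # This location has add_header lines of its own, so an add_header set at
    # server level (such as the HSTS header in ssl.conf) is not inherited
    # here; repeat it in this location if it is wanted on these responses.
    location ~* \.(ico|css|js|gif|jpe?g|png)$ {
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }
}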
===== Roundcube =====
# Roundcube webmail on a host of its own.
# NOTE(review): host name, root and log directory are missing on this page.

# Port 80 does nothing but redirect to HTTPS.
server {
    listen 80;
    server_name ;
    # Older variant, kept for reference:
    #rewrite ^ https://$server_name$request_uri? break;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    # Debian's self-signed placeholder certificate; replace for real use.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    include /etc/nginx/sites-enabled/ssl.conf;
    server_name ;
    access_log /roundcube.access.log;
    error_log /roundcube.error.log;
    root ;
    index index.php index.html;

    # The favicon comes from the skins directory and is not logged.
    location ~ ^/favicon.ico$ {
        root /skins;
        access_log off;
        log_not_found off;
        expires max;
    }

    location = /robots.txt {
        allow all;
        access_log off;
        log_not_found off;
    }

    # Documentation files in the web root give away the installed version.
    location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
        deny all;
    }

    # Maintenance scripts and SQL schema files are not for web clients.
    location ~ ^/(bin|SQL)/ {
        deny all;
    }

    # Hidden files; listed before the PHP location so that it matches first.
    location ~ /\. {
        deny all;
        log_not_found off;
        access_log off;
    }

    # PHP scripts; a script that does not exist is answered with 404 by nginx.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS $fastcgi_https;
        fastcgi_index index.php;
    }
}
===== WWW-DIR =====
# Main web host ("www") with several sub-directories, CGI scripts and
# password-protected statistics.
# NOTE(review): host name, root and log directory are missing on this page.
# The first server has no listen directive, so it presumably answers on plain
# HTTP; the auth_basic credentials below would then travel unencrypted.
server {
root ;
index index.html index.htm index.php;
server_name www. ;
access_log /www.access.log;
error_log /www.error.log;
# NOTE(review): three "location /" blocks follow. nginx rejects duplicate
# locations, so the second and third presumably had a path prefix that was
# lost on this page.
location / {
index index.html index.htm index.php;
# rewrite ^ http://$request_uri? break;
try_files $uri $uri/ /index.php;
}
location / {
index index.php;
try_files $uri $uri/ //index.php?$args;
}
# NOTE(review): autoindex lists the directory contents to every visitor; keep
# it to directories meant for public browsing.
location / {
autoindex on;
}
# NOTE(review): no check that the script exists (e.g. "try_files $uri =404;")
# before it is handed to PHP-FPM.
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.socket;
}
fastcgi_intercept_errors off;
# Caching for static assets.
location ~* \.(ico|css|js|gif|jpe?g|png)$ {
expires 72h;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
# I like to place my php stuff into its own file
# see http://kbeezie.com/view/nginx/ for more information
include fastcgi_params;
# We don't really need to log favicon requests
location = /favicon.ico { access_log off; log_not_found off; }
# We don't want to allow the browsers to see .hidden linux/unix files
location ~ /\. { deny all; access_log off; log_not_found off; }
location /w3perl {
try_files $uri $uri/ /index.html;
}
# The W3Perl admin area requires a login.
location /w3perl/admin {
auth_basic "W3Perl erfordert ein Login";
auth_basic_user_file /w3perl/htpasswd.users;
}
include fcgiwrap.conf;
# CGI scripts run through fcgiwrap ("fcgiwrap" is presumably an upstream
# defined elsewhere).
# NOTE(review): SCRIPT_FILENAME is the bare URI path without a directory
# prefix; confirm how fcgiwrap resolves it on the target system.
location ~ ^/cgi-bin/.*\.cgi$ {
include fastcgi_params;
fastcgi_param AUTH_USER $remote_user;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
fastcgi_pass fcgiwrap;
}
# The statistics pages require a login.
location /stats {
index index.html;
# try_files $uri $uri/ /index.html;
auth_basic "W3Perl erfordert ein Login";
auth_basic_user_file /w3perl/htpasswd.users;
}
}
# HTTPS variant of the same host.
# NOTE(review): it defines only "location /"; the PHP, dot-file and auth_basic
# rules of the server above are not repeated here.
server {
listen 443 ssl http2;
# Debian's self-signed placeholder certificate; replace for real use.
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
include /etc/nginx/sites-enabled/ssl.conf;
root ;
index index.html index.htm index.php;
server_name www. ;
access_log /www.access.log;
error_log /www.error.log;
location / {
index index.php;
#rewrite ^ https://$request_uri? break;
try_files $uri $uri/ /index.php;
}
}
===== Dokuwiki =====
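# DokuWiki, plain-HTTP host.
# NOTE(review): host name and paths are missing on this page. The "root" line
# below has apparently been merged with the access_log line.
server {
    server_name ;
    root //wiki.access.log;
    error_log /wiki.error.log;

    location / {
        root //;
        index doku.php;
        try_files $uri $uri/ @dokuwiki;
    }

    # URL rewriting for DokuWiki's "nice URLs".
    location @dokuwiki {
        rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
        rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
        rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
        rewrite ^/(.*) /doku.php?id=$1 last;
    }

    # Regex locations are tried in file order and the first match wins. The
    # deny rules therefore come before the PHP location; listed after it, a
    # ".php" URI below /conf/ or /data/ went to PHP-FPM instead of being
    # denied.
    location ~ ^/conf/ { deny all; }
    location ~ ^/data/ { deny all; }
    location ~ /\.ht { deny all; }

    # NOTE(review): the pattern is not anchored and there is no check that the
    # script exists; the HTTPS server block of this example does both.
    location ~ \.php {
        root //;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        fastcgi_index index.php;
    }

    location ~ ^/lib/ {
        root //;
        expires 30d;
    }
}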
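# DokuWiki, HTTPS host.
# NOTE(review): host name, certificate names and path prefixes are missing on
# this page.
server {
    listen 443 ssl http2;
    ssl_certificate .pem;
    ssl_certificate_key .pem;
    include /etc/nginx/sites-enabled/ssl.conf;
    server_name ;
    root /wiki/;
    # "piwik" has to be a log_format defined elsewhere (not shown on this page).
    access_log /wiki.access.log piwik;
    error_log /wiki.error.log;

    location ~ ^/(favicon.ico|apple-touch-icon.png)$ {
        root /misc;
    }

    location / {
        root /wiki/;
        index doku.php;
        try_files $uri $uri/ @dokuwiki;
    }

    # URL rewriting for DokuWiki's "nice URLs".
    location @dokuwiki {
        rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
        rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
        rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
        rewrite ^/(.*) /doku.php?id=$1 last;
    }

    # Regex locations are tried in file order and the first match wins. The
    # deny rules therefore come before the PHP location; listed after it, an
    # existing ".php" file below /conf/ or /data/ was run instead of denied.
    location ~ ^/conf/ { deny all; }
    location ~ ^/data/ { deny all; }
    location ~ /\.ht { deny all; }

    # PHP scripts, with optional PATH_INFO after the script name.
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # Refuse scripts that do not exist on disk.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS $fastcgi_https;
        fastcgi_index index.php;
    }

    location ~ ^/lib/ {
        root /wiki/;
        expires 30d;
    }
}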
===== VBOXADM =====
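# VBoxAdm web interface, run as a CGI program through fcgiwrap.
# NOTE(review): host name and log directory are missing on this page.

# Port 80 does nothing but redirect to HTTPS.
server {
    listen 80;
    server_name ;
    #rewrite ^ https://$server_name$request_uri? break;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    # Debian's self-signed placeholder certificate; replace for real use.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    include /etc/nginx/sites-enabled/ssl.conf;
    server_name ;
    root /var/lib/vwebadm/htdocs;
    access_log /vboxadm.access.log;
    error_log /vboxadm.error.log;

    # Everything that matches no other location is handled by the CGI.
    location / {
        # root /var/lib/vwebadm/htdocs;
        rewrite ^ /cgi-bin/vboxadm.pl;
    }

    # "^~" is the prefix-location modifier that also stops the regex search.
    # The former "location ^/icons/fffsilk" was a plain prefix starting with
    # "^", which no request URI can match.
    location ^~ /icons/fffsilk {
        alias /usr/share/icons/famfamfam/silk;
        access_log off;
    }

    # Caching for static assets.
    # This location has add_header lines of its own, so an add_header set at
    # server level (such as the HSTS header in ssl.conf) is not inherited
    # here.
    location ~* \.(ico|css|js|gif|jpe?g|png)$ {
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    include fcgiwrap-vboxadm.conf;

    # CGI scripts ("fcgiwrap" is presumably an upstream defined elsewhere).
    # NOTE(review): alias inside a regex location is meant to refer to the
    # captures of that regex, and SCRIPT_FILENAME is the bare URI path;
    # confirm how fcgiwrap locates the script on the target system.
    location ~ ^/cgi-bin/.*\.(cgi|pl|py|rb) {
        gzip off;
        alias /var/lib/vboxadm;
        # rewrite ^/(.*)$ /$1;
        include fastcgi_params;
        fastcgi_pass fcgiwrap;
        fastcgi_index cgi-bin.php;
        fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param HTTPS $fastcgi_https;
        fastcgi_param X_SCRIPT_FILENAME $fastcgi_script_name;
        fastcgi_param X_SCRIPT_NAME $fastcgi_script_name;
    }

    # NOTE(review): every ".php" URI on this host is served from the
    # phpMyAdmin directory. This looks copied from the phpMyAdmin example;
    # remove the block if phpMyAdmin is not meant to be reachable here.
    location ~ /.*\.(php)$ {
        root /usr/share/phpmyadmin;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        fastcgi_index index.php;
        fastcgi_param HTTPS $fastcgi_https;
        # $request_filename already contains the document root, so the former
        # "$document_root$request_filename" produced a doubled path.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}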
===== Reverse-Proxy für Kibana =====
# Reverse proxy in front of Kibana, protected by HTTP basic auth.
# NOTE(review): this server listens on port 80 only, so the basic-auth
# credentials and all Kibana traffic travel unencrypted. Terminate TLS here,
# as the other examples on this page do with ssl.conf.
server {
listen 80;
# NOTE(review): the host name and the htpasswd directory are missing on this
# page.
server_name ;
auth_basic "Restricted Access";
auth_basic_user_file /htpasswd.users;
location / {
# Kibana on the local machine. The login above protects it only as long as
# port 5601 cannot be reached directly; presumably Kibana is bound to
# localhost. Verify.
proxy_pass http://localhost:5601;
# HTTP/1.1 plus the Upgrade/Connection headers let upgraded connections
# (e.g. WebSocket) pass through the proxy.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}