
Konfigurationsbeispiele

fastcgi.conf

# Parameters handed to the FastCGI backend for every request.
# SCRIPT_FILENAME is assembled from the document root and the script name
# derived from the request URI. The location that includes this file decides
# which URIs get this far, so keep that location's match as narrow as possible.
fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;
 
# Request and document identification.
fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
# HTTPS is only passed when $https is non-empty (if_not_empty).
fastcgi_param  HTTPS              $https if_not_empty;
 
fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
# Passes the exact nginx version on to the application.
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
 
# Connection endpoints as nginx sees them. REMOTE_ADDR is the directly
# connected peer; behind another proxy that is the proxy's address.
fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;
 
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

fcgi.conf

# Include this file in your nginx.conf to support Debian cgi-bin scripts using
# fcgiwrap.
# NOTE(review): this location sets no allow/deny or auth_basic of its own, so
# whatever fcgiwrap can run below /usr/lib/cgi-bin is reachable by every client
# that reaches the enclosing server block. Restrict it there if that is not
# intended.
location /cgi-bin/ {
  # Disable gzip (it makes scripts feel slower since they have to complete
  # before getting gzipped)
  gzip off;
 
  # Set the root to /usr/lib (inside this location this means that we are
  # giving access to the files under /usr/lib/cgi-bin)
  root  /usr/lib;
 
  # Fastcgi socket
  fastcgi_pass  unix:/var/run/fcgiwrap.socket;
 
  # Fastcgi parameters, include the standard ones
  include /etc/nginx/fastcgi_params;
 
  # Adjust non standard parameters (SCRIPT_FILENAME).
  # The path is built from the request URI; it stays below /usr/lib/cgi-bin
  # only because this location matches nothing but /cgi-bin/.
  fastcgi_param SCRIPT_FILENAME  /usr/lib$fastcgi_script_name;
}

php.conf

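# Hand PHP scripts to PHP-FPM.
# The match is anchored with "$" so that only URIs ending in ".php" are treated
# as scripts; the unanchored form also matched URIs that merely contain ".php".
# try_files makes nginx answer 404 itself when no such file exists below the
# document root, instead of leaving path resolution to PHP-FPM.
location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php<VERSION>-fpm.sock;
        include /etc/nginx/fastcgi.conf;
        # fastcgi_index only applies to URIs ending in "/", which this
        # location never matches; kept for files that copy this snippet.
        fastcgi_index index.php;
}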

proxy_params

# Headers added to every request forwarded with proxy_pass.
# Host: forward the host name of the original request to the backend.
proxy_set_header Host $host;
# X-Real-IP: address of the peer that connected to nginx.
proxy_set_header X-Real-IP $remote_addr;
# X-Forwarded-For: $proxy_add_x_forwarded_for appends $remote_addr to whatever
# X-Forwarded-For value the client sent, so earlier entries are
# client-controlled. Backends should rely only on the entry added here.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

ssl.conf

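# Shared TLS settings, included by the HTTPS server blocks.

# Certificates and Keys
ssl_certificate <PFAD_ZU_ZERTIFIKAT>;
ssl_certificate_key <PFAD_ZU_PRIVATE_KEY>;
 
# HSTS: browsers use HTTPS only for this host for max-age seconds.
# "always" sends the header on error responses as well. add_header is inherited
# only by blocks that define no add_header of their own, so a location with its
# own add_header lines has to repeat this header.
add_header Strict-Transport-Security "max-age=15768000" always;
 
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
 
# openssl dhparam -out dhparam.pem 2048
ssl_dhparam /etc/nginx/dhparam.pem;
 
# Protocols: TLS 1.0 and TLS 1.1 are deprecated and no longer offered.
# Append TLSv1.3 when the installed nginx/OpenSSL build supports it.
ssl_protocols TLSv1.2;
# Cipher list unchanged. It still carries CBC/SHA-1 and DSS suites for old
# clients; review it against a current TLS baseline before production use.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;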

PHPMyAdmin

Konfig als Subsite

# Plain-HTTP vhost: its only job is to redirect every request to HTTPS.
server {
        listen 80;
        server_name <SERVERNAME>;
        # $server_name is the configured name, not the client-supplied Host
        # header, so the redirect target is fixed by this configuration.
        return 301 https://$server_name$request_uri;
}
 
# HTTPS vhost that serves phpMyAdmin from /usr/share/phpmyadmin below the
# /phpmyadmin path.
# NOTE(review): no allow/deny or auth_basic is set here, so the phpMyAdmin
# login page is reachable by every client that can reach this vhost. Consider
# restricting it to management networks or adding a second authentication
# layer.
server {
        listen 443 ssl http2;
        server_name <SERVERNAME>;
        include /etc/nginx/sites-available/ssl.conf;
 
        access_log  /var/log/nginx/access.log;
        error_log   /var/log/nginx/error.log;
 
        location /phpmyadmin {
                # root /usr/share/ plus the URI /phpmyadmin/... resolves to
                # /usr/share/phpmyadmin/...
                root /usr/share/;
                index index.php;
 
                # Static assets, served directly by nginx.
                location ~ ^/phpmyadmin/(.+\.(js|css|gif|jpg|png))$ {
                        root /usr/share/;
                }
 
                # PHP scripts. try_files answers 404 for scripts that do not
                # exist before anything is passed to the backend.
                location ~ ^/phpmyadmin(.+\.php)$ {
                        try_files $uri =404;
                        root /usr/share/;
                        # NOTE(review): $fastcgi_https is not defined anywhere
                        # on this page; presumably it comes from a map in
                        # nginx.conf. Confirm, or use the built-in $https as
                        # fastcgi.conf does.
                        fastcgi_param HTTPS $fastcgi_https;
                        fastcgi_index index.php;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        # php.conf as listed on this page opens its own
                        # "location ~ \.php" block, which becomes a nested
                        # location here and carries the fastcgi_pass.
                        include         /etc/nginx/sites-available/php.conf;
                        include         fastcgi_params;
                        }
        }
        # Mixed-case alias: every URI below /phpMyAdmin is rewritten to
        # /phpmyadmin (the rest of the path is dropped).
        location /phpMyAdmin {
               rewrite ^/* /phpmyadmin last;
        }
 
}

Konfig als Subdomain

# Plain-HTTP vhost: its only job is to redirect every request to HTTPS.
server{
        listen 80;
        server_name <SERVERNAME>;
        # Redirect target uses the configured $server_name, not the Host header.
        return 301 https://$server_name$request_uri;
}
 
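# HTTPS vhost that serves phpMyAdmin as the site root of its own subdomain.
# NOTE(review): no allow/deny or auth_basic is set in the lines shown, so the
# phpMyAdmin login is reachable by every client that can reach this vhost.
server {
        listen 443 ssl http2;
        server_name <SERVERNAME>;
        include /etc/nginx/sites-enabled/ssl.conf;
[...]
        location / {
                root /usr/share/phpmyadmin;
                index index.php;
        }
 
        location ~ \.php$ {
                root    /usr/share/phpmyadmin;
                # Answer 404 from nginx when the requested script does not
                # exist instead of passing the path on to PHP-FPM.
                try_files $uri =404;
                fastcgi_pass    unix:/var/run/php5-fpm.socket;
                fastcgi_index   index.php;
                # NOTE(review): $fastcgi_https is not defined on this page;
                # presumably a map in nginx.conf. Confirm before use.
                fastcgi_param HTTPS $fastcgi_https;
                # $request_filename already contains the root, so prefixing it
                # with $document_root produced a doubled path. Build the path
                # from the root and the script name instead.
                fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include         fastcgi_params;
        }
}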

Nagios

# Nagios web interface: PHP pages via PHP-FPM, CGIs via fcgiwrap, plus
# PNP4Nagios below /pnp4nagios.
# NOTE(review): there is no listen directive and no TLS setup, so nginx uses
# its default listen address and the auth_basic credentials below travel over
# plain HTTP. Serve this vhost over HTTPS with a redirect, as the other
# examples on this page do.
server {
        server_name  <HOSTNAME>;
 
        # "piwik" names a log_format that has to be defined elsewhere.
        access_log  <PFAD_ZU>/nagios.access.log piwik;
        error_log   <PFAD_ZU>/nagios.error.log;
 
        # Set at server level, so it applies to every location below that does
        # not override it.
        expires 31d;
 
        root /usr/local/nagios/share;
 
        # Basic authentication for the whole vhost.
        auth_basic "Nagios Restricted Access";
        auth_basic_user_file /usr/local/nagios/etc/htpasswd.users;
 
        # Anything not matched by a more specific location is redirected to
        # /nagios (over http://, see the note at the top).
        location / {
                return 301 http://$server_name/nagios;
        }
 
        location /nagios {
                alias /usr/local/nagios/share/;
                index index.php;
          }
 
        location /stylesheets {
                alias /usr/local/nagios/share/stylesheets;
        }
 
        # PHP pages of the Nagios UI; the capture group selects the file below
        # the share directory.
        location ~ ^/nagios/(.*\.php)$ {
                alias /usr/local/nagios/share/$1;
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php5-fpm.socket;
        }
 
        # Nagios CGIs, executed through fcgiwrap. "fcgiwrap" refers to an
        # upstream that is not defined on this page.
        location ~ \.cgi$ {
                root /usr/local/nagios/sbin/;
                rewrite ^/nagios/cgi-bin/(.*)\.cgi /$1.cgi break;
                include fastcgi_params;
                # Pass the basic-auth user name to the CGI.
                fastcgi_param AUTH_USER $remote_user;
                fastcgi_param REMOTE_USER $remote_user;
                fastcgi_pass fcgiwrap;
}
        location /pnp4nagios {
                alias /usr/local/pnp4nagios/share;
                auth_basic "Nagios Restricted Access";
                auth_basic_user_file /usr/local/nagios/etc/htpasswd.users;
                index index.php;
                try_files $uri $uri/ @pnp4nagios;
        }
 
        # Front controller for PNP4Nagios: everything that is not a file is
        # routed to index.php with the remainder as PATH_INFO.
        location @pnp4nagios {
                fastcgi_pass unix:/var/run/php5-fpm.socket;
                if ( $uri !~ /pnp4nagios/index.php(.*)) {
                        rewrite ^/pnp4nagios/(.*)$ /pnp4nagios/index.php/$1 break;
                }
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_split_path_info ^(.+\.php)(.*)$;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                # Fixed script path: only index.php is ever executed here.
                fastcgi_param SCRIPT_FILENAME /usr/local/pnp4nagios/share/index.php;
        }
}

Owncloud mit Roundcube Plugin

# Plain-HTTP vhost (no listen directive, so nginx's default listen address
# applies): redirects every request to HTTPS.
server {
        server_name <HOSTNAME>;
        #rewrite ^ https://$server_name$request_uri? permanent;
        return 301 https://$server_name$request_uri;
}
 
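# HTTPS vhost: ownCloud at the site root, Roundcube below /rc.
# nginx tests regex locations in the order they appear and uses the first one
# that matches. The specific /rc rules (deny rules, PHP) are therefore listed
# before the generic "/rc" and "\.php$" locations; otherwise they are never
# reached.
# NOTE(review): the /rc patterns are unanchored and also match "/rc" further
# down a path. Anchor them with "^" if Roundcube lives only at /rc.
server {
        listen 443 ssl http2;
        # Debian's self-signed "snakeoil" pair; replace it with a real
        # certificate before exposing the site.
        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
        include /etc/nginx/sites-enabled/ssl.conf;
 
        server_name <HOSTNAME>;
 
        access_log <PFAD_ZU>/hmura.access.log;
        error_log <PFAD_ZU>/hmura.error.log;
 
#       root <PFAD_ZU_OWNCLOUD_INSTALL_DIR>;
        index index.php;
        client_max_body_size 1000M; # set maximum upload size
 
        # ownCloud: data, configuration and metadata files are never served.
        location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
                deny all;
        }
 
        location / {
                root <PFAD_ZU_OWNCLOUD_INSTALL_DIR>;
                try_files $uri $uri/ @webdav;
        }
 
        # Fallback for everything that is not a file or directory.
        location @webdav {
                root <PFAD_ZU_OWNCLOUD_INSTALL_DIR>;
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param HTTPS on;
                include fastcgi_params;
                fastcgi_pass    unix:/var/run/php5-fpm.socket;
        }
 
        location ~ ^/remote.php(/.*)$ {
                root <PFAD_ZU_OWNCLOUD_INSTALL_DIR>;
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                fastcgi_pass unix:/var/run/php5-fpm.socket;
                include fastcgi_params;
                fastcgi_param  PATH_INFO          $fastcgi_path_info;
                fastcgi_param  PATH_TRANSLATED    $document_root$fastcgi_path_info;
                fastcgi_param HTTPS on;
        }
 
        # --- Roundcube below /rc: specific rules first ---
 
        location ~ /rc/favicon.ico$ {
                root <PFAD_ZU_WEB_DIR>;
                log_not_found off;
                access_log off;
                expires max;
        }
 
        location ~ /rc/robots.txt$ {
                root <PFAD_ZU_WEB_DIR>;
                allow all;
                log_not_found off;
                access_log off;
        }
 
        # Documentation files of the Roundcube distribution.
        location ~ /rc/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
                root <PFAD_ZU_WEB_DIR>;
                deny all;
        }
 
        # Maintenance scripts and SQL schema files.
        location ~ /rc/(bin|SQL)/ {
                root <PFAD_ZU_WEB_DIR>;
                deny all;
        }
 
        # Hidden files directly below /rc.
        location ~ /rc/\. {
                root <PFAD_ZU_WEB_DIR>;
                deny all;
                access_log off;
                log_not_found off;
        }
 
        # Roundcube PHP scripts. The pattern used to be "/rc/\.php$", which
        # matches only the literal file name ".php".
        location ~ /rc/.*\.php$ {
                root <PFAD_ZU_WEB_DIR>;
                try_files $uri =404;
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php5-fpm.socket;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                # NOTE(review): $fastcgi_https is not defined on this page;
                # presumably a map in nginx.conf. Confirm before use.
                fastcgi_param HTTPS $fastcgi_https;
                fastcgi_index index.php;
        }
 
        # Everything else below /rc. The try_files fallback has to be a URI
        # with a leading slash.
        location ~ /rc {
                root <PFAD_ZU_WEB_DIR>;
                index index.php;
                try_files $uri $uri/ /rc/index.php;
        }
 
        # --- ownCloud PHP scripts ---
        location ~ \.php$ {
                root <PFAD_ZU_OWNCLOUD_INSTALL_DIR>;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                # HTTPS was set twice here with different values; one value is
                # kept, matching the other ownCloud locations of this vhost.
                fastcgi_param HTTPS on;
                include fastcgi_params;
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                fastcgi_pass    unix:/var/run/php5-fpm.socket;
        }
 
}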

Wordpress

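# WordPress over plain HTTP (no listen directive, so nginx's default listen
# address applies).
# NOTE(review): unlike the other examples this vhost serves the site, including
# the login, over HTTP instead of redirecting to the HTTPS vhost.
server {
        server_name <HOSTNAME>;
        root <PFAD_ZU_WORDPRESS_INSTALL_DIR>;
        client_max_body_size 40M;
 
        access_log <PFAD_ZU>/blog.access.log;
        error_log <PFAD_ZU>/blog.error.log;
 
        fastcgi_intercept_errors off;
        location = /favicon.ico { access_log off; log_not_found off; }
        # Hidden files are never served.
        location ~ /\. { deny  all; access_log off; log_not_found off; }
 
        # Pretty permalinks: fall back to the front controller.
        location / {
                index index.php;
                try_files $uri $uri/ /index.php;
        }
 
        location ~ \.php$ {
                # Pass only scripts that exist on disk to PHP-FPM; nginx
                # answers 404 for everything else.
                try_files $uri =404;
                # Relies on fastcgi_params providing SCRIPT_FILENAME.
                include fastcgi_params;
                fastcgi_pass    unix:/var/run/php5-fpm.socket;
        }
 
        # Long-lived caching for static assets.
        location ~* \.(ico|css|js|gif|jpe?g|png)$ {
                expires max;
                add_header Pragma public;
                add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }
}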
 
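# WordPress over HTTPS.
server {
        listen 443 ssl http2;
        # Debian's self-signed "snakeoil" pair; replace it with a real
        # certificate before exposing the site.
        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
        include /etc/nginx/sites-enabled/ssl.conf;
 
        root <PFAD_ZU_WORDPRESS_INSTALL_DIR>;
        index index.php;
 
        server_name <HOSTNAME>;
 
        access_log <PFAD_ZU>/blog.access.log;
        error_log <PFAD_ZU>/blog.error.log;
 
        # Pretty permalinks: fall back to the front controller.
        location / {
                index index.php;
                try_files $uri $uri/ /index.php;
        }
 
        location ~ \.php$ {
                # Pass only scripts that exist on disk to PHP-FPM; nginx
                # answers 404 for everything else.
                try_files $uri =404;
                # Relies on fastcgi_params providing SCRIPT_FILENAME.
                include fastcgi_params;
                fastcgi_pass    unix:/var/run/php5-fpm.socket;
        }
 
        # Long-lived caching for static assets. This location has its own
        # add_header lines, so the Strict-Transport-Security header set in
        # ssl.conf is not inherited for these responses.
        location ~* \.(ico|css|js|gif|jpe?g|png)$ {
                expires max;
                add_header Pragma public;
                add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }
}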

Roundcube

# Plain-HTTP vhost: redirects every request to HTTPS.
server {
        listen 80;
        server_name <HOSTNAME>;
        #rewrite ^ https://$server_name$request_uri? break;
        return 301 https://$server_name$request_uri;
}
 
# Roundcube webmail over HTTPS.
# Regex locations are tested in the order written, so the deny rules below are
# evaluated before the PHP location at the end.
server {
        listen 443 ssl http2;
        # Debian's self-signed "snakeoil" pair; replace it with a real
        # certificate before exposing the site.
        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
        include /etc/nginx/sites-enabled/ssl.conf;
 
        server_name <HOSTNAME>;
 
        access_log <PFAD_ZU>/roundcube.access.log;
        error_log <PFAD_ZU>/roundcube.error.log;
 
        root <PFAD_ZU_ROUNDCUBE_INSTALL_DIR>;
 
        index index.php index.html;
 
        location ~ ^/favicon.ico$ {
                root <PFAD_ZU_ROUNDCUBE_INSTALL_DIR>/skins;
                log_not_found off;
                access_log off;
                expires max;
        }
 
        location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
        }
 
        # Documentation files of the distribution are not served.
        location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
                deny all;
        }
 
        # Maintenance scripts and SQL schema files are not served.
        # NOTE(review): other non-public directories of the installation
        # (configuration, temp, logs) are not covered here; check whether they
        # sit below the web root.
        location ~ ^/(bin|SQL)/ {
                deny all;
        }
 
        # Hidden files are not served.
        location ~ /\. {
                deny all;
                access_log off;
                log_not_found off;
        }
 
        # PHP scripts: try_files answers 404 for scripts that do not exist
        # before anything is passed to PHP-FPM.
        location ~ \.php$ {
                try_files $uri =404;
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php5-fpm.socket;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                # NOTE(review): $fastcgi_https is not defined on this page;
                # presumably a map in nginx.conf. Confirm before use.
                fastcgi_param HTTPS $fastcgi_https;
                fastcgi_index index.php;
        }
}

WWW-DIR

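# General web root over plain HTTP: static files, PHP, CGI scripts through
# fcgiwrap and the password-protected W3Perl statistics.
# NOTE(review): the auth_basic areas below are served without TLS in this
# vhost, so their credentials travel in clear text.
server {
        root <PFAD_ZU_WEB_DIR>;
        index index.html index.htm index.php;
 
        server_name www.<HOSTNAME> <HOSTNAME>;
 
        access_log <PFAD_ZU>/www.access.log;
        error_log <PFAD_ZU>/www.error.log;
 
        location / {
                index index.html index.htm index.php;
#               rewrite ^ http://<HOSTNAME>$request_uri? break;
                try_files $uri $uri/ /index.php;
        }
 
        location /<WEBSITE_NAME> {
                index index.php;
                try_files $uri $uri/ /<WEBSITE_NAME>/index.php?$args;
        }
 
        # NOTE(review): if this placeholder stands for the same path as the
        # location above, nginx rejects the configuration as a duplicate
        # location. autoindex publishes the directory listing, so enable it
        # only for directories meant to be browsed.
        location /<WEBSITE_NAME> {
                autoindex on;
        }
 
        location ~ \.php$ {
                # Pass only scripts that exist on disk to PHP-FPM; nginx
                # answers 404 for everything else.
                try_files $uri =404;
                include fastcgi_params;
                fastcgi_pass    unix:/var/run/php5-fpm.socket;
        }
 
        fastcgi_intercept_errors off;
 
        location ~* \.(ico|css|js|gif|jpe?g|png)$ {
                expires 72h;
                add_header Pragma public;
                add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }
 
        # I like to place my php stuff into its own file
        # see http://kbeezie.com/view/nginx/ for more information
        include fastcgi_params;
 
        # We don't really need to log favicon requests
        location = /favicon.ico { access_log off; log_not_found off; }
 
        # We don't want to allow the browsers to see .hidden linux/unix files
        location ~ /\. { deny  all; access_log off; log_not_found off; }
 
        location /w3perl {
                try_files $uri $uri/ /index.html;
        }
 
        # Runtime string left in German: "W3Perl requires a login".
        location /w3perl/admin {
                auth_basic "W3Perl erfordert ein Login";
                auth_basic_user_file <PFAD_ZU>/w3perl/htpasswd.users;
        }
 
        # fcgiwrap.conf is not shown on this page.
        include fcgiwrap.conf;
 
        # CGI scripts through fcgiwrap ("fcgiwrap" is an upstream defined
        # elsewhere). SCRIPT_FILENAME is the bare script name without a
        # directory prefix; confirm that fcgiwrap resolves it as intended.
        location ~ ^/cgi-bin/.*\.cgi$ {
                include fastcgi_params;
                fastcgi_param AUTH_USER $remote_user;
                fastcgi_param REMOTE_USER $remote_user;
                fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
                fastcgi_pass fcgiwrap;
        }
 
        location /stats {
                index index.html;
       #         try_files $uri $uri/ /index.html;
                auth_basic "W3Perl erfordert ein Login";
                auth_basic_user_file <PFAD_ZU>/w3perl/htpasswd.users;
        }
 
}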
 
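# General web root over HTTPS.
server {
        listen 443 ssl http2;
        # Debian's self-signed "snakeoil" pair; replace it with a real
        # certificate before exposing the site.
        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
        include /etc/nginx/sites-enabled/ssl.conf;
 
        root <PFAD_ZU_WEBDIR>;
        index index.html index.htm index.php;
 
        server_name www.<HOSTNAME> <HOSTNAME>;
 
        access_log <PFAD_ZU>/www.access.log;
        error_log <PFAD_ZU>/www.error.log;
 
        location / {
                index index.php;
                #rewrite ^ https://<HOSTNAME>$request_uri? break;
                try_files $uri $uri/ /index.php;
        }
 
        # Without a PHP location this vhost would deliver .php files as plain
        # downloads, i.e. disclose their source. Mirrors the HTTP vhost.
        location ~ \.php$ {
                # Pass only scripts that exist on disk to PHP-FPM.
                try_files $uri =404;
                include fastcgi_params;
                fastcgi_pass    unix:/var/run/php5-fpm.socket;
        }
 
        # Hidden files are never served, as in the HTTP vhost.
        location ~ /\. { deny  all; access_log off; log_not_found off; }
}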

Dokuwiki

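# DokuWiki over plain HTTP (no listen directive, so nginx's default listen
# address applies).
# nginx uses the first regex location that matches, in the order written. The
# deny rules are therefore listed before the PHP location, so that .php files
# below /conf/ and /data/ are refused instead of being executed.
server{
        server_name <HOSTNAME>;
        root <PFAD_ZU_DOKUWIKI_INSTALL_DIR>/;
 
        access_log <PFAD_ZU>/wiki.access.log;
        error_log <PFAD_ZU>/wiki.error.log;
 
        # Configuration, wiki data and .ht* files are never served.
        # NOTE(review): check whether further internal directories of the
        # installation sit below the web root and need the same treatment.
        location ~ ^/conf/ { deny all; }
        location ~ ^/data/ { deny all; }
        location ~ /\.ht   { deny all; }
 
        location / {
                root <PFAD_ZU>/<WIKI_INSTALL_DIR>/;
                index doku.php;
                try_files $uri $uri/ @dokuwiki;
        }
 
        # URL rewriting for media, detail and export views and page ids.
        location @dokuwiki {
                rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
                rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
                rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
                rewrite ^/(.*) /doku.php?id=$1 last;
        }
 
        # Anchored with "$" so only URIs ending in ".php" count as scripts;
        # try_files answers 404 for scripts that do not exist.
        location ~ \.php$ {
                root    <PFAD_ZU>/<WIKI_INSTALL_DIR>/;
                try_files $uri =404;
                include        fastcgi_params;
                fastcgi_pass   unix:/var/run/php5-fpm.socket;
                fastcgi_index  index.php;
        }
 
        # Static files of the wiki engine, cached for 30 days.
        location ~ ^/lib/  {
        root         <PFAD_ZU>/<WIKI_INSTALL_DIR>/;
        expires 30d;
        }
}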
 
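# DokuWiki over HTTPS.
# nginx uses the first regex location that matches, in the order written. The
# deny rules are therefore listed before the PHP location, so that .php files
# below /conf/ and /data/ are refused instead of being executed.
server {
        listen 443 ssl http2;
        # NOTE(review): certificate and key point at the same placeholder;
        # presumably a combined PEM file. Confirm, and keep the key file
        # readable by root only.
        ssl_certificate <PFAD_ZU_ZERTIFIKAT>.pem;
        ssl_certificate_key <PFAD_ZU_ZERTIFIKAT>.pem;
 
        include /etc/nginx/sites-enabled/ssl.conf;
 
        server_name <HOSTNAME>;
        root <PFAD_ZU>/wiki/;
 
        # "piwik" names a log_format that has to be defined elsewhere.
        access_log <PFAD_ZU>/wiki.access.log piwik;
        error_log <PFAD_ZU>/wiki.error.log;
 
        location ~ ^/(favicon.ico|apple-touch-icon.png)$ {
                root <PFAD_ZU>/misc;
        }
 
        # Configuration, wiki data and .ht* files are never served.
        # NOTE(review): check whether further internal directories of the
        # installation sit below the web root and need the same treatment.
        location ~ ^/conf/ { deny all; }
        location ~ ^/data/ { deny all; }
        location ~ /\.ht   { deny all; }
 
        location / {
                root <PFAD_ZU>/wiki/;
                index doku.php;
                try_files $uri $uri/ @dokuwiki;
        }
 
        # URL rewriting for media, detail and export views and page ids.
        location @dokuwiki {
                rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
                rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
                rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
                rewrite ^/(.*) /doku.php?id=$1 last;
        }
 
        # PHP scripts, with optional path info after the script name.
        location ~ [^/]\.php(/|$) {
                fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                # Refuse requests whose script part is not an existing file.
                if (!-f $document_root$fastcgi_script_name) {
                        return 404;
                }
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php5-fpm.socket;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                # NOTE(review): $fastcgi_https is not defined on this page;
                # presumably a map in nginx.conf. Confirm before use.
                fastcgi_param HTTPS $fastcgi_https;
                fastcgi_index index.php;
        }
 
        # Static files of the wiki engine, cached for 30 days.
        location ~ ^/lib/  {
                root         <PFAD_ZU>/wiki/;
        expires 30d;
        }
}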

VBOXADM

# Plain-HTTP vhost: redirects every request to HTTPS.
server {
        listen 80;
        server_name <HOSTNAME>;
        #rewrite ^ https://$server_name$request_uri? break;
        return 301 https://$server_name$request_uri;
}
 
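# VBoxAdm web interface over HTTPS, executed as CGI through fcgiwrap.
server {
        listen 443 ssl http2;
        # Debian's self-signed "snakeoil" pair; replace it with a real
        # certificate before exposing the site.
        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
        include /etc/nginx/sites-enabled/ssl.conf;
 
        server_name <HOSTNAME>;
        root /var/lib/vwebadm/htdocs;
 
        access_log <PFAD_ZU>/vboxadm.access.log;
        error_log <PFAD_ZU>/vboxadm.error.log;
 
        # Every request not matched elsewhere ends up at the CGI front end.
        location / {
#               root /var/lib/vwebadm/htdocs;
                rewrite ^ /cgi-bin/vboxadm.pl;
        }
 
        # "^~" is the prefix modifier that also stops the regex locations
        # below from taking over. The original "location ^/icons/fffsilk" was
        # read as a literal prefix starting with "^" and never matched.
        location ^~ /icons/fffsilk {
                alias /usr/share/icons/famfamfam/silk;
                access_log off;
        }
 
        location ~* \.(ico|css|js|gif|jpe?g|png)$ {
                expires max;
                add_header Pragma public;
                add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }
 
        # fcgiwrap-vboxadm.conf is not shown on this page.
        include fcgiwrap-vboxadm.conf;
 
        # CGI scripts through fcgiwrap ("fcgiwrap" is an upstream defined
        # elsewhere).
        # NOTE(review): alias inside a regex location is meant to refer to
        # captures of that regex, and SCRIPT_FILENAME carries no directory
        # prefix. Confirm that fcgiwrap resolves the script below
        # /var/lib/vboxadm as intended.
        location ~ ^/cgi-bin/.*\.(cgi|pl|py|rb) {
                gzip off;
                alias /var/lib/vboxadm;
#                rewrite ^/(.*)$ /$1;
                include fastcgi_params;
                fastcgi_pass fcgiwrap;
                fastcgi_index cgi-bin.php;
                fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
                fastcgi_param SCRIPT_NAME        $fastcgi_script_name;
                fastcgi_param HTTPS             $fastcgi_https;
                fastcgi_param X_SCRIPT_FILENAME  $fastcgi_script_name;
                fastcgi_param X_SCRIPT_NAME      $fastcgi_script_name;
        }
 
        # NOTE(review): this location points at /usr/share/phpmyadmin and so
        # makes phpMyAdmin's scripts reachable on the VBoxAdm host name. It
        # looks copied from the phpMyAdmin example; remove it if unintended.
        location ~ /.*\.(php)$ {
                root    /usr/share/phpmyadmin;
                # Pass only scripts that exist on disk to PHP-FPM.
                try_files $uri =404;
                fastcgi_pass    unix:/var/run/php5-fpm.socket;
                fastcgi_index   index.php;
                fastcgi_param HTTPS $fastcgi_https;
                # $request_filename already contains the root, so prefixing it
                # with $document_root produced a doubled path.
                fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include         fastcgi_params;
        }
}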

Reverse-Proxy für Kibana

# Reverse proxy in front of Kibana, protected with HTTP basic authentication.
# NOTE(review): this vhost listens on port 80 only, so the basic-auth
# credentials and all dashboard traffic are sent without TLS. Serve it on 443
# with the shared ssl.conf and redirect port 80, as the other examples on this
# page do.
server {
    listen 80;
 
    server_name <FQDN_SERVERNAME>;
 
    auth_basic "Restricted Access";
    auth_basic_user_file <PFAD_ZU>/htpasswd.users;
 
    location / {
        # The authentication above protects Kibana only if port 5601 cannot be
        # reached directly; confirm that Kibana listens on the loopback
        # interface only.
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        # Forward upgrade requests to the backend.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;        
    }
}