Konfigurationsbeispiele
fastcgi.conf
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param QUERY_STRING $query_string; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param CONTENT_TYPE $content_type; fastcgi_param CONTENT_LENGTH $content_length; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param REQUEST_URI $request_uri; fastcgi_param DOCUMENT_URI $document_uri; fastcgi_param DOCUMENT_ROOT $document_root; fastcgi_param SERVER_PROTOCOL $server_protocol; fastcgi_param REQUEST_SCHEME $scheme; fastcgi_param HTTPS $https if_not_empty; fastcgi_param GATEWAY_INTERFACE CGI/1.1; fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_PORT $remote_port; fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_PORT $server_port; fastcgi_param SERVER_NAME $server_name; # PHP only, required if PHP was built with --enable-force-cgi-redirect fastcgi_param REDIRECT_STATUS 200;
fcgi.conf
# Include this file on your nginx.conf to support debian cgi-bin scripts using # fcgiwrap location /cgi-bin/ { # Disable gzip (it makes scripts feel slower since they have to complete # before getting gzipped) gzip off; # Set the root to /usr/lib (inside this location this means that we are # giving access to the files under /usr/lib/cgi-bin) root /usr/lib; # Fastcgi socket fastcgi_pass unix:/var/run/fcgiwrap.socket; # Fastcgi parameters, include the standard ones include /etc/nginx/fastcgi_params; # Adjust non standard parameters (SCRIPT_FILENAME) fastcgi_param SCRIPT_FILENAME /usr/lib$fastcgi_script_name; }
php.conf
location ~ \.php {
fastcgi_pass unix:/run/php/php<VERSION>-fpm.sock;
include /etc/nginx/fastcgi.conf;
fastcgi_index index.php;
}
proxy_params
proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
ssl.conf
# Certificates and Keys ssl_certificate <PFAD_ZU_ZERTIFIKAT>; ssl_certificate_key <PFAD_ZU_PRIVATE_KEY>; #HSTS Security add_header Strict-Transport-Security max-age=15768000; ssl_session_timeout 1d; ssl_session_cache shared:SSL:10m; # openssl dhparam -out dhparam.pem 2048 ssl_dhparam /etc/nginx/dhparam.pem; #SSL-Protocols ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; ssl_prefer_server_ciphers on;
PHPMyAdmin
Konfig als Subsite
server {
listen 80;
server_name <SERVERNAME>;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name <SERVERNAME>;
include /etc/nginx/sites-available/ssl.conf;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location /phpmyadmin {
root /usr/share/;
index index.php;
location ~ ^/phpmyadmin/(.+\.(js|css|gif|jpg|png))$ {
root /usr/share/;
}
location ~ ^/phpmyadmin(.+\.php)$ {
try_files $uri =404;
root /usr/share/;
fastcgi_param HTTPS $fastcgi_https;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /etc/nginx/sites-available/php.conf;
include fastcgi_params;
}
}
location /phpMyAdmin {
rewrite ^/* /phpmyadmin last;
}
}
Konfig als Subdomain
server{
listen 80;
server_name <SERVERNAME>;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name <SERVERNAME>;
include /etc/nginx/sites-enabled/ssl.conf;
[...]
location / {
root /usr/share/phpmyadmin;
index index.php;
}
location ~ \.php$ {
root /usr/share/phpmyadmin;
fastcgi_pass unix:/var/run/php5-fpm.socket;
fastcgi_index index.php;
fastcgi_param HTTPS $fastcgi_https;
fastcgi_param SCRIPT_FILENAME $document_root$request_filename;
include fastcgi_params;
}
}
Nagios
server {
server_name <HOSTNAME>;
access_log <PFAD_ZU>/nagios.access.log piwik;
error_log <PFAD_ZU>/nagios.error.log;
expires 31d;
root /usr/local/nagios/share;
auth_basic "Nagios Restricted Access";
auth_basic_user_file /usr/local/nagios/etc/htpasswd.users;
location / {
return 301 http://$server_name/nagios;
}
location /nagios {
alias /usr/local/nagios/share/;
index index.php;
}
location /stylesheets {
alias /usr/local/nagios/share/stylesheets;
}
location ~ ^/nagios/(.*\.php)$ {
alias /usr/local/nagios/share/$1;
include fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.socket;
}
location ~ \.cgi$ {
root /usr/local/nagios/sbin/;
rewrite ^/nagios/cgi-bin/(.*)\.cgi /$1.cgi break;
include fastcgi_params;
fastcgi_param AUTH_USER $remote_user;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_pass fcgiwrap;
}
location /pnp4nagios {
alias /usr/local/pnp4nagios/share;
auth_basic "Nagios Restricted Access";
auth_basic_user_file /usr/local/nagios/etc/htpasswd.users;
index index.php;
try_files $uri $uri/ @pnp4nagios;
}
location @pnp4nagios {
fastcgi_pass unix:/var/run/php5-fpm.socket;
if ( $uri !~ /pnp4nagios/index.php(.*)) {
rewrite ^/pnp4nagios/(.*)$ /pnp4nagios/index.php/$1 break;
}
fastcgi_index index.php;
include fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME /usr/local/pnp4nagios/share/index.php;
}
}
Owncloud mit Roundcube Plugin
server {
server_name <HOSTNAME>;
#rewrite ^ https://$server_name$request_uri? permanent;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
include /etc/nginx/sites-enabled/ssl.conf;
server_name <HOSTNAME>;
access_log <PFAD_ZU>/hmura.access.log;
error_log <PFAD_ZU>/hmura.error.log;
# root <PFAD_ZU_OWNCLOUD_INSTALL_DIR>;
index index.php;
client_max_body_size 1000M; # set maximum upload size
location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
deny all;
}
location / {
root <PFAD_ZU_OWNCLOUD_INSTALL_DIR>;
try_files $uri $uri/ @webdav;
}
location @webdav {
root <PFAD_ZU_OWNCLOUD_INSTALL_DIR>;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
include fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.socket;
}
location ~ ^/remote.php(/.*)$ {
root <PFAD_ZU_OWNCLOUD_INSTALL_DIR>;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_pass unix:/var/run/php5-fpm.socket;
include fastcgi_params;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_param HTTPS on;
}
location ~ \.php$ {
root <PFAD_ZU_OWNCLOUD_INSTALL_DIR>;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
include fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_param HTTPS $fastcgi_https;
fastcgi_pass unix:/var/run/php5-fpm.socket;
} location ~ /rc {
root <PFAD_ZU_WEB_DIR>;
index index.php;
try_files $uri $uri/ index.php;
}
location ~ /rc/favicon.ico$ {
root <PFAD_ZU_WEB_DIR>;
log_not_found off;
access_log off;
expires max;
}
location ~ /rc/robots.txt$ {
root <PFAD_ZU_WEB_DIR>;
allow all;
log_not_found off;
access_log off;
}
location ~ /rc/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
root <PFAD_ZU_WEB_DIR>;
deny all;
}
location ~ /rc/(bin|SQL)/ {
root <PFAD_ZU_WEB_DIR>;
deny all;
}
location ~ /rc/\. {
root <PFAD_ZU_WEB_DIR>;
deny all;
access_log off;
log_not_found off;
}
location ~ /rc/\.php$ {
root <PFAD_ZU_WEB_DIR>;
try_files $uri =404;
include fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.socket;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS $fastcgi_https;
fastcgi_index index.php;
}
}
Wordpress
server {
server_name <HOSTNAME>;
root <PFAD_ZU_WORDPRESS_INSTALL_DIR>;
client_max_body_size 40M;
access_log <PFAD_ZU>/blog.access.log;
error_log <PFAD_ZU>/blog.error.log;
fastcgi_intercept_errors off;
location = /favicon.ico { access_log off; log_not_found off; }
location ~ /\. { deny all; access_log off; log_not_found off; }
location / {
index index.php;
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.socket;
}
location ~* \.(ico|css|js|gif|jpe?g|png)$ {
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
}
server {
listen 443 ssl http2;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
include /etc/nginx/sites-enabled/ssl.conf;
root <PFAD_ZU_WORDPRESS_INSTALL_DIR>;
index index.php;
server_name <HOSTNAME>;
access_log <PFAD_ZU>/blog.access.log;
error_log <PFAD_ZU>/blog.error.log;
location / {
index index.php;
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.socket;
}
location ~* \.(ico|css|js|gif|jpe?g|png)$ {
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
}
Roundcube
server {
listen 80;
server_name <HOSTNAME>;
#rewrite ^ https://$server_name$request_uri? break;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
include /etc/nginx/sites-enabled/ssl.conf;
server_name <HOSTNAME>;
access_log <PFAD_ZU>/roundcube.access.log;
error_log <PFAD_ZU>/roundcube.error.log;
root <PFAD_ZU_ROUNDCUBE_INSTALL_DIR>;
index index.php index.html;
location ~ ^/favicon.ico$ {
root <PFAD_ZU_ROUNDCUBE_INSTALL_DIR>/skins;
log_not_found off;
access_log off;
expires max;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
}
location ~ ^/(bin|SQL)/ {
deny all;
}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.socket;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS $fastcgi_https;
fastcgi_index index.php;
}
}
WWW-DIR
server {
root <PFAD_ZU_WEB_DIR>;
index index.html index.htm index.php;
server_name www.<HOSTNAME> <HOSTNAME>;
access_log <PFAD_ZU>/www.access.log;
error_log <PFAD_ZU>/www.error.log;
location / {
index index.html index.htm index.php;
# rewrite ^ http://<HOSTNAME>$request_uri? break;
try_files $uri $uri/ /index.php;
}
location /<WEBSITE_NAME> {
index index.php;
try_files $uri $uri/ /<WEBSITE_NAME>/index.php?$args;
}
location /<WEBSITE_NAME> {
autoindex on;
}
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.socket;
}
fastcgi_intercept_errors off;
location ~* \.(ico|css|js|gif|jpe?g|png)$ {
expires 72h;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
# I like to place my php stuff into it's own file
# see http://kbeezie.com/view/nginx/ for more information
include fastcgi_params;
# We don't really need to log favicon requests
location = /favicon.ico { access_log off; log_not_found off; }
# We don't want to allow the browsers to see .hidden linux/unix files
location ~ /\. { deny all; access_log off; log_not_found off; }
location /w3perl {
try_files $uri $uri/ /index.html;
}
location /w3perl/admin {
auth_basic "W3Perl erfordert ein Login";
auth_basic_user_file <PFAD_ZU>/w3perl/htpasswd.users;
}
include fcgiwrap.conf;
location ~ ^/cgi-bin/.*\.cgi$ {
include fastcgi_params;
fastcgi_param AUTH_USER $remote_user;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
fastcgi_pass fcgiwrap;
}
location /stats {
index index.html;
# try_files $uri $uri/ /index.html;
auth_basic "W3Perl erfordert ein Login";
auth_basic_user_file <PFAD_ZU>/w3perl/htpasswd.users;
}
}
server {
listen 443 ssl http2;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
include /etc/nginx/sites-enabled/ssl.conf;
root <PFAD_ZU_WEBDIR>;
index index.html index.htm index.php;
server_name www.<HOSTNAME> <HOSTNAME>;
access_log <PFAD_ZU>/www.access.log;
error_log <PFAD_ZU>/www.error.log;
location / {
index index.php;
#rewrite ^ https://<HOSTNAME>$request_uri? break;
try_files $uri $uri/ /index.php;
}
}
Dokuwiki
server{
server_name <HOSTNAME>;
root /<PFAD_ZU_DOKUWIKI_INSTALL_DIR/;
access_log <PFAD_ZU>/wiki.access.log;
error_log <PFAD_ZU>/wiki.error.log;
location / {
root <PFAD_ZU>/<WIKI_INSTALL_DIR>/;
index doku.php;
try_files $uri $uri/ @dokuwiki;
}
location @dokuwiki {
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1 last;
}
location ~ \.php {
root <PFAD_ZU>/<WIKI_INSTALL_DIR>/;
include fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.socket;
fastcgi_index index.php;
}
location ~ ^/lib/ {
root <PFAD_ZU>/<WIKI_INSTALL_DIR>/;
expires 30d;
}
location ~ ^/conf/ { deny all; }
location ~ ^/data/ { deny all; }
location ~ /\.ht { deny all; }
}
server {
listen 443 ssl http2;
ssl_certificate <PFAD_ZU_ZERTIFIKAT>.pem;
ssl_certificate_key <PFAD_ZU_ZERTIFIKAT>.pem;
include /etc/nginx/sites-enabled/ssl.conf;
server_name <HOSTNAME>;
root <PFAD_ZU>/wiki/;
access_log <PFAD_ZU>/wiki.access.log piwik;
error_log <PFAD_ZU>/wiki.error.log;
location ~ ^/(favicon.ico|apple-touch-icon.png)$ {
root <PFAD_ZU>/misc;
}
location / {
root <PFAD_ZU>/wiki/;
index doku.php;
try_files $uri $uri/ @dokuwiki;
}
location @dokuwiki {
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1 last;
}
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.socket;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS $fastcgi_https;
fastcgi_index index.php;
}
location ~ ^/lib/ {
root <PFAD_ZU>/wiki/;
expires 30d;
}
location ~ ^/conf/ { deny all; }
location ~ ^/data/ { deny all; }
location ~ /\.ht { deny all; }
}
VBOXADM
server {
listen 80;
server_name <HOSTNAME>;
#rewrite ^ https://$server_name$request_uri? break;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
include /etc/nginx/sites-enabled/ssl.conf;
server_name <HOSTNAME>;
root /var/lib/vwebadm/htdocs;
access_log <PFAD_ZU>/vboxadm.access.log;
error_log <PFAD_ZU>/vboxadm.error.log;
location / {
# root /var/lib/vwebadm/htdocs;
rewrite ^ /cgi-bin/vboxadm.pl;
}
location ^/icons/fffsilk {
alias /usr/share/icons/famfamfam/silk;
access_log off;
}
location ~* \.(ico|css|js|gif|jpe?g|png)$ {
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
include fcgiwrap-vboxadm.conf;
location ~ ^/cgi-bin/.*\.(cgi|pl|py|rb) {
gzip off;
alias /var/lib/vboxadm;
# rewrite ^/(.*)$ /$1;
include fastcgi_params;
fastcgi_pass fcgiwrap;
fastcgi_index cgi-bin.php;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param HTTPS $fastcgi_https;
fastcgi_param X_SCRIPT_FILENAME $fastcgi_script_name;
fastcgi_param X_SCRIPT_NAME $fastcgi_script_name;
}
location ~ /.*\.(php)$ {
root /usr/share/phpmyadmin;
fastcgi_pass unix:/var/run/php5-fpm.socket;
fastcgi_index index.php;
fastcgi_param HTTPS $fastcgi_https;
fastcgi_param SCRIPT_FILENAME $document_root$request_filename;
include fastcgi_params;
}
}
Reverse-Proxy für Kibana
server {
listen 80;
server_name <FQDN_SERVERNAME>;
auth_basic "Restricted Access";
auth_basic_user_file <PFAD_ZU>/htpasswd.users;
location / {
proxy_pass http://localhost:5601;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}