Konfigurationsbeispiele
fastcgi.conf
# fastcgi.conf: the FastCGI parameter set handed to the backend.
# Unlike fastcgi_params, this set defines SCRIPT_FILENAME itself.

# Script resolution and request line
fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

# URI and document location
fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
# Only sent when the connection actually uses TLS
fastcgi_param  HTTPS              $https if_not_empty;

# Gateway identification
fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

# Connection endpoints
fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;
fcgi.conf
# Include this file from nginx.conf to serve Debian cgi-bin scripts
# through fcgiwrap.
location /cgi-bin/ {
    # No gzip here: a script would have to finish before its output could
    # be compressed, which makes it feel slower.
    gzip off;

    # With root set to /usr/lib, this location exposes the files below
    # /usr/lib/cgi-bin.
    root /usr/lib;

    # fcgiwrap socket
    fastcgi_pass unix:/var/run/fcgiwrap.socket;

    # Standard FastCGI parameters
    include /etc/nginx/fastcgi_params;

    # SCRIPT_FILENAME is not part of the standard set and is added here
    fastcgi_param SCRIPT_FILENAME /usr/lib$fastcgi_script_name;
}
php.conf
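# PHP-FPM handler, meant to be included from a server or location block.
# The pattern is anchored with `$` so that only URIs ending in ".php" are
# handed to the interpreter; the unanchored form `\.php` also matched URIs
# that merely contain ".php" somewhere in the path.
location ~ \.php$ {
    # Answer 404 for scripts that do not exist on disk instead of forwarding
    # the request to PHP-FPM, which could otherwise resolve the path to a
    # different file (for example an uploaded one) and execute it.
    try_files $uri =404;

    fastcgi_pass unix:/run/php/php<VERSION>-fpm.sock;
    # fastcgi.conf (not fastcgi_params) is used because it sets SCRIPT_FILENAME
    include /etc/nginx/fastcgi.conf;
    fastcgi_index index.php;
}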
proxy_params
# proxy_params: request headers forwarded to a proxied backend.

# Preserve the host name the client asked for
proxy_set_header  Host             $host;

# Address of the directly connected client
proxy_set_header  X-Real-IP        $remote_addr;

# Client-supplied X-Forwarded-For with $remote_addr appended. The backend
# should only trust these headers on connections that come from this proxy.
proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
ssl.conf
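# ssl.conf: TLS settings shared by the HTTPS server blocks via `include`.

# Certificates and keys
ssl_certificate      <PFAD_ZU_ZERTIFIKAT>;
ssl_certificate_key  <PFAD_ZU_PRIVATE_KEY>;

# HSTS. `always` also attaches the header to error responses.
# Caveat: add_header directives are inherited only when the enclosing
# location defines none of its own, so a location that uses add_header
# (e.g. for Cache-Control) has to repeat this line.
add_header Strict-Transport-Security "max-age=15768000" always;

ssl_session_timeout  1d;
ssl_session_cache    shared:SSL:10m;

# DH parameters for the DHE suites below; generate with
#   openssl dhparam -out dhparam.pem 2048
ssl_dhparam /etc/nginx/dhparam.pem;

# Protocols: TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
# TLSv1.3 requires nginx 1.13.0+ built against OpenSSL 1.1.1+; remove it
# from the list on older builds.
ssl_protocols TLSv1.2 TLSv1.3;

# Forward-secret AEAD suites only. The CBC/SHA-1 and DSS entries of the
# earlier list are dropped; they were only needed for TLS 1.0/1.1 clients.
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;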
PHPMyAdmin
Konfig als Subsite
# Plain HTTP: send every request to the HTTPS server
server {
    listen 80;
    server_name <SERVERNAME>;
    return 301 https://$server_name$request_uri;
}

# phpMyAdmin served below /phpmyadmin of an existing site
server {
    listen 443 ssl http2;
    server_name <SERVERNAME>;
    include /etc/nginx/sites-available/ssl.conf;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # NOTE(review): nothing in this block restricts who may reach
    # phpMyAdmin; consider allow/deny or auth_basic in front of it.
    location /phpmyadmin {
        root /usr/share/;
        index index.php;

        # Static assets
        location ~ ^/phpmyadmin/(.+\.(js|css|gif|jpg|png))$ {
            root /usr/share/;
        }

        # PHP scripts; try_files rejects requests for files that do not exist
        location ~ ^/phpmyadmin(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            # NOTE(review): $fastcgi_https is not defined anywhere on this
            # page; presumably it comes from a `map` elsewhere. The
            # fastcgi.conf shown on this page uses $https instead.
            fastcgi_param HTTPS $fastcgi_https;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include /etc/nginx/sites-available/php.conf;
            include fastcgi_params;
        }
    }

    # Alternative spelling of the path is rewritten to the lower-case one
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }
}
Konfig als Subdomain
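# Plain HTTP: send every request to the HTTPS server
server {
    listen 80;
    server_name <SERVERNAME>;
    return 301 https://$server_name$request_uri;
}

# phpMyAdmin on its own host name
server {
    listen 443 ssl http2;
    server_name <SERVERNAME>;
    include /etc/nginx/sites-enabled/ssl.conf;

    # [...]  (further directives were left out of the original example)

    # NOTE(review): nothing here restricts who may reach phpMyAdmin;
    # consider allow/deny or auth_basic in front of it.
    location / {
        root /usr/share/phpmyadmin;
        index index.php;
    }

    location ~ \.php$ {
        root /usr/share/phpmyadmin;
        # Do not hand requests for non-existent scripts to PHP-FPM
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        fastcgi_index index.php;
        # NOTE(review): $fastcgi_https is not defined on this page;
        # presumably provided by a `map` elsewhere.
        fastcgi_param HTTPS $fastcgi_https;
        # $request_filename already contains the document root, so
        # prefixing it with $document_root produced a doubled path.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}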
Nagios
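# Nagios web interface with pnp4nagios, protected by HTTP basic auth.
# NOTE(review): this server has no TLS listener and redirects to http://,
# so the basic-auth credentials cross the network unencrypted. Consider
# serving it on 443 with the shared ssl.conf like the other examples.
server {
    server_name <HOSTNAME>;
    # "piwik" is a log_format name that must be defined elsewhere
    access_log <PFAD_ZU>/nagios.access.log piwik;
    error_log <PFAD_ZU>/nagios.error.log;
    expires 31d;
    root /usr/local/nagios/share;

    auth_basic "Nagios Restricted Access";
    auth_basic_user_file /usr/local/nagios/etc/htpasswd.users;

    location / {
        return 301 http://$server_name/nagios;
    }

    # The location prefix and the alias must agree on the trailing slash.
    # The earlier form (prefix without slash, alias with slash) let the
    # path mapping step out of share/ into its parent directory, which is
    # where etc/htpasswd.users lives.
    location /nagios {
        alias /usr/local/nagios/share;
        index index.php;
    }

    location /stylesheets {
        alias /usr/local/nagios/share/stylesheets;
    }

    # PHP pages of the Nagios UI
    location ~ ^/nagios/(.*\.php)$ {
        alias /usr/local/nagios/share/$1;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
    }

    # CGI programs, run through the "fcgiwrap" upstream (defined elsewhere).
    # The authenticated user name is passed on to the CGIs.
    location ~ \.cgi$ {
        root /usr/local/nagios/sbin/;
        rewrite ^/nagios/cgi-bin/(.*)\.cgi /$1.cgi break;
        include fastcgi_params;
        fastcgi_param AUTH_USER $remote_user;
        fastcgi_param REMOTE_USER $remote_user;
        fastcgi_pass fcgiwrap;
    }

    location /pnp4nagios {
        alias /usr/local/pnp4nagios/share;
        auth_basic "Nagios Restricted Access";
        auth_basic_user_file /usr/local/nagios/etc/htpasswd.users;
        index index.php;
        try_files $uri $uri/ @pnp4nagios;
    }

    # Front controller for pnp4nagios: everything is routed to index.php
    location @pnp4nagios {
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        if ( $uri !~ /pnp4nagios/index.php(.*)) {
            rewrite ^/pnp4nagios/(.*)$ /pnp4nagios/index.php/$1 break;
        }
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME /usr/local/pnp4nagios/share/index.php;
    }
}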
Owncloud mit Roundcube Plugin
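# Plain HTTP: send every request to the HTTPS server
server {
    server_name <HOSTNAME>;
    #rewrite ^ https://$server_name$request_uri? permanent;
    return 301 https://$server_name$request_uri;
}

# ownCloud with Roundcube reachable below /rc
server {
    listen 443 ssl http2;
    # The "snakeoil" pair is the distribution's self-signed test
    # certificate; replace it with a real certificate for production.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    include /etc/nginx/sites-enabled/ssl.conf;

    server_name <HOSTNAME>;
    access_log <PFAD_ZU>/hmura.access.log;
    error_log <PFAD_ZU>/hmura.error.log;
    # root <PFAD_ZU_OWNCLOUD_INSTALL_DIR>;
    index index.php;
    client_max_body_size 1000M; # set maximum upload size

    # Regex locations are tried in the order they appear and the first
    # match wins, so every deny rule is listed before the handlers.
    # Previously the /rc deny rules followed the catch-all `location ~ /rc`
    # (and the generic PHP handler) and were never reached.

    # ownCloud internals
    location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
        deny all;
    }

    # Roundcube documentation files
    location ~ /rc/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
        root <PFAD_ZU_WEB_DIR>;
        deny all;
    }

    # Roundcube maintenance scripts and SQL schema
    location ~ /rc/(bin|SQL)/ {
        root <PFAD_ZU_WEB_DIR>;
        deny all;
    }

    # Hidden files below /rc
    location ~ /rc/\. {
        root <PFAD_ZU_WEB_DIR>;
        deny all;
        access_log off;
        log_not_found off;
    }

    location / {
        root <PFAD_ZU_OWNCLOUD_INSTALL_DIR>;
        try_files $uri $uri/ @webdav;
    }

    location @webdav {
        root <PFAD_ZU_OWNCLOUD_INSTALL_DIR>;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
    }

    location ~ ^/remote.php(/.*)$ {
        root <PFAD_ZU_OWNCLOUD_INSTALL_DIR>;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        include fastcgi_params;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        fastcgi_param HTTPS on;
    }

    # Generic PHP handler. HTTPS was set twice here ("on" and
    # $fastcgi_https); one entry is kept, since this server only listens
    # on 443.
    location ~ \.php$ {
        root <PFAD_ZU_OWNCLOUD_INSTALL_DIR>;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
    }

    location ~ /rc/favicon.ico$ {
        root <PFAD_ZU_WEB_DIR>;
        log_not_found off;
        access_log off;
        expires max;
    }

    location ~ /rc/robots.txt$ {
        root <PFAD_ZU_WEB_DIR>;
        allow all;
        log_not_found off;
        access_log off;
    }

    # NOTE(review): this pattern matches only a file literally named
    # ".php" below /rc, and Roundcube's scripts are already caught by the
    # generic PHP handler above (with the ownCloud root). If Roundcube
    # lives in <PFAD_ZU_WEB_DIR>, the pattern presumably should be
    # `/rc/.*\.php$` and the block placed before the generic handler.
    # Confirm against the actual layout.
    location ~ /rc/\.php$ {
        root <PFAD_ZU_WEB_DIR>;
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS $fastcgi_https;
        fastcgi_index index.php;
    }

    # Catch-all for the remaining /rc URIs; kept last among the /rc rules
    location ~ /rc {
        root <PFAD_ZU_WEB_DIR>;
        index index.php;
        try_files $uri $uri/ index.php;
    }
}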
Wordpress
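# WordPress over plain HTTP.
# NOTE(review): unlike the other examples this block serves the site
# (including the login form) over HTTP instead of redirecting to HTTPS.
server {
    server_name <HOSTNAME>;
    root <PFAD_ZU_WORDPRESS_INSTALL_DIR>;
    client_max_body_size 40M;
    access_log <PFAD_ZU>/blog.access.log;
    error_log <PFAD_ZU>/blog.error.log;
    fastcgi_intercept_errors off;

    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    # Hidden files (.htaccess, .git, ...) are never served
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    location / {
        index index.php;
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        # Do not hand requests for non-existent scripts to PHP-FPM
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
    }

    location ~* \.(ico|css|js|gif|jpe?g|png)$ {
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }
}

# WordPress over HTTPS
server {
    listen 443 ssl http2;
    # The "snakeoil" pair is the distribution's self-signed test
    # certificate; replace it with a real certificate for production.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    include /etc/nginx/sites-enabled/ssl.conf;

    root <PFAD_ZU_WORDPRESS_INSTALL_DIR>;
    index index.php;
    server_name <HOSTNAME>;
    access_log <PFAD_ZU>/blog.access.log;
    error_log <PFAD_ZU>/blog.error.log;

    # Same hidden-file rule as on the HTTP server; it was missing here,
    # so dotfiles were reachable over HTTPS.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    location / {
        index index.php;
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        # Do not hand requests for non-existent scripts to PHP-FPM
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
    }

    # These add_header lines replace any add_header inherited from the
    # server level for this location.
    location ~* \.(ico|css|js|gif|jpe?g|png)$ {
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }
}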
Roundcube
# Plain HTTP: send every request to the HTTPS server
server {
    listen 80;
    server_name <HOSTNAME>;
    #rewrite ^ https://$server_name$request_uri? break;
    return 301 https://$server_name$request_uri;
}

# Roundcube webmail
server {
    listen 443 ssl http2;
    # The "snakeoil" pair is the distribution's self-signed test
    # certificate; replace it with a real certificate for production.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    include /etc/nginx/sites-enabled/ssl.conf;

    server_name <HOSTNAME>;
    access_log <PFAD_ZU>/roundcube.access.log;
    error_log <PFAD_ZU>/roundcube.error.log;
    root <PFAD_ZU_ROUNDCUBE_INSTALL_DIR>;
    index index.php index.html;

    location ~ ^/favicon.ico$ {
        root <PFAD_ZU_ROUNDCUBE_INSTALL_DIR>/skins;
        log_not_found off;
        access_log off;
        expires max;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The deny rules come before the PHP handler, so they win for
    # matching URIs (regex locations are tried in order).
    # NOTE(review): only the files and directories named below are
    # blocked; check whether further install directories (configuration,
    # temp, logs) need the same treatment.
    location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
        deny all;
    }

    location ~ ^/(bin|SQL)/ {
        deny all;
    }

    # Hidden files
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # PHP scripts; try_files rejects requests for files that do not exist
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # NOTE(review): $fastcgi_https is not defined on this page;
        # presumably provided by a `map` elsewhere.
        fastcgi_param HTTPS $fastcgi_https;
        fastcgi_index index.php;
    }
}
WWW-DIR
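# General web directory over plain HTTP.
# NOTE(review): the basic-auth protected locations below (/w3perl/admin,
# /stats) are served over HTTP here, so the credentials are not encrypted.
server {
    root <PFAD_ZU_WEB_DIR>;
    index index.html index.htm index.php;
    server_name www.<HOSTNAME> <HOSTNAME>;
    access_log <PFAD_ZU>/www.access.log;
    error_log <PFAD_ZU>/www.error.log;

    location / {
        index index.html index.htm index.php;
        # rewrite ^ http://<HOSTNAME>$request_uri? break;
        try_files $uri $uri/ /index.php;
    }

    # The example defined `location /<WEBSITE_NAME>` twice, which nginx
    # rejects as a duplicate location; both bodies are merged here.
    # NOTE(review): autoindex lists the contents of directories that
    # have no index file; keep it only if that listing is intended.
    location /<WEBSITE_NAME> {
        index index.php;
        autoindex on;
        try_files $uri $uri/ /<WEBSITE_NAME>/index.php?$args;
    }

    location ~ \.php$ {
        # Do not hand requests for non-existent scripts to PHP-FPM
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
    }

    fastcgi_intercept_errors off;

    location ~* \.(ico|css|js|gif|jpe?g|png)$ {
        expires 72h;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    # The PHP/FastCGI settings are kept in their own file;
    # see http://kbeezie.com/view/nginx/ for more information
    include fastcgi_params;

    # Favicon requests do not need to be logged
    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    # Hidden (dot) files are never served
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    location /w3perl {
        try_files $uri $uri/ /index.html;
    }

    location /w3perl/admin {
        auth_basic "W3Perl erfordert ein Login";
        auth_basic_user_file <PFAD_ZU>/w3perl/htpasswd.users;
    }

    include fcgiwrap.conf;

    # CGI scripts via the "fcgiwrap" upstream (defined elsewhere); the
    # authenticated user name is passed on to the script.
    location ~ ^/cgi-bin/.*\.cgi$ {
        include fastcgi_params;
        fastcgi_param AUTH_USER $remote_user;
        fastcgi_param REMOTE_USER $remote_user;
        fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
        fastcgi_pass fcgiwrap;
    }

    location /stats {
        index index.html;
        # try_files $uri $uri/ /index.html;
        auth_basic "W3Perl erfordert ein Login";
        auth_basic_user_file <PFAD_ZU>/w3perl/htpasswd.users;
    }
}

# The same web directory over HTTPS
server {
    listen 443 ssl http2;
    # The "snakeoil" pair is the distribution's self-signed test
    # certificate; replace it with a real certificate for production.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    include /etc/nginx/sites-enabled/ssl.conf;

    root <PFAD_ZU_WEBDIR>;
    index index.html index.htm index.php;
    server_name www.<HOSTNAME> <HOSTNAME>;
    access_log <PFAD_ZU>/www.access.log;
    error_log <PFAD_ZU>/www.error.log;

    location / {
        index index.php;
        #rewrite ^ https://<HOSTNAME>$request_uri? break;
        try_files $uri $uri/ /index.php;
    }

    # This server had no PHP handler, so nginx would have delivered
    # index.php (and any other script) as a static file, exposing its
    # source. The handler mirrors the one in the HTTP server above.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
    }

    # Hidden (dot) files are never served, as on the HTTP server
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
}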
Dokuwiki
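# DokuWiki over plain HTTP
server {
    server_name <HOSTNAME>;
    # Placeholder repaired: the closing ">" was missing
    root /<PFAD_ZU_DOKUWIKI_INSTALL_DIR>/;
    access_log <PFAD_ZU>/wiki.access.log;
    error_log <PFAD_ZU>/wiki.error.log;

    # Regex locations are tried in the order they appear, so the deny
    # rules are listed before the PHP handler. Previously a URI such as
    # /conf/<name>.php matched the PHP handler first and was executed
    # instead of being refused.
    # NOTE(review): only conf/, data/ and .ht* are blocked here; check
    # whether further install directories should be denied as well.
    location ~ ^/conf/ { deny all; }
    location ~ ^/data/ { deny all; }
    location ~ /\.ht   { deny all; }

    location / {
        root <PFAD_ZU>/<WIKI_INSTALL_DIR>/;
        index doku.php;
        try_files $uri $uri/ @dokuwiki;
    }

    # Pretty URLs are mapped onto the DokuWiki entry scripts
    location @dokuwiki {
        rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
        rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
        rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
        rewrite ^/(.*) /doku.php?id=$1 last;
    }

    # Anchored with `$` and guarded by try_files: only existing files
    # ending in ".php" reach PHP-FPM (the pattern was `\.php` unanchored).
    location ~ \.php$ {
        root <PFAD_ZU>/<WIKI_INSTALL_DIR>/;
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        fastcgi_index index.php;
    }

    # Static assets; must stay after the PHP handler because
    # /lib/exe/*.php has to be executed.
    location ~ ^/lib/ {
        root <PFAD_ZU>/<WIKI_INSTALL_DIR>/;
        expires 30d;
    }
}

# DokuWiki over HTTPS
server {
    listen 443 ssl http2;
    # Certificate and key are read from the same placeholder file here
    ssl_certificate <PFAD_ZU_ZERTIFIKAT>.pem;
    ssl_certificate_key <PFAD_ZU_ZERTIFIKAT>.pem;
    include /etc/nginx/sites-enabled/ssl.conf;

    server_name <HOSTNAME>;
    root <PFAD_ZU>/wiki/;
    # "piwik" is a log_format name that must be defined elsewhere
    access_log <PFAD_ZU>/wiki.access.log piwik;
    error_log <PFAD_ZU>/wiki.error.log;

    # Deny rules first, for the same ordering reason as above
    location ~ ^/conf/ { deny all; }
    location ~ ^/data/ { deny all; }
    location ~ /\.ht   { deny all; }

    location ~ ^/(favicon.ico|apple-touch-icon.png)$ {
        root <PFAD_ZU>/misc;
    }

    location / {
        root <PFAD_ZU>/wiki/;
        index doku.php;
        try_files $uri $uri/ @dokuwiki;
    }

    location @dokuwiki {
        rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
        rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
        rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
        rewrite ^/(.*) /doku.php?id=$1 last;
    }

    # PHP with PATH_INFO support; the -f test returns 404 when the script
    # part of the URI is not an existing file.
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # NOTE(review): $fastcgi_https is not defined on this page;
        # presumably provided by a `map` elsewhere.
        fastcgi_param HTTPS $fastcgi_https;
        fastcgi_index index.php;
    }

    location ~ ^/lib/ {
        root <PFAD_ZU>/wiki/;
        expires 30d;
    }
}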
VBOXADM
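# Plain HTTP: send every request to the HTTPS server
server {
    listen 80;
    server_name <HOSTNAME>;
    #rewrite ^ https://$server_name$request_uri? break;
    return 301 https://$server_name$request_uri;
}

# VBoxAdm (Perl CGI via fcgiwrap) plus a PHP handler rooted in phpMyAdmin
server {
    listen 443 ssl http2;
    # The "snakeoil" pair is the distribution's self-signed test
    # certificate; replace it with a real certificate for production.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    include /etc/nginx/sites-enabled/ssl.conf;

    server_name <HOSTNAME>;
    root /var/lib/vwebadm/htdocs;
    access_log <PFAD_ZU>/vboxadm.access.log;
    error_log <PFAD_ZU>/vboxadm.error.log;

    location / {
        # root /var/lib/vwebadm/htdocs;
        rewrite ^ /cgi-bin/vboxadm.pl;
    }

    # Written as `location ^/icons/fffsilk` in the example, which nginx
    # reads as a prefix beginning with a literal "^" and therefore never
    # matches. `^~` is the prefix modifier that also skips the regex
    # locations, so the icons are served from the alias.
    location ^~ /icons/fffsilk {
        alias /usr/share/icons/famfamfam/silk;
        access_log off;
    }

    location ~* \.(ico|css|js|gif|jpe?g|png)$ {
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    include fcgiwrap-vboxadm.conf;

    # CGI scripts via the "fcgiwrap" upstream (defined elsewhere).
    # NOTE(review): the pattern is not anchored at the end, so it also
    # matches URIs that continue after the extension; and `alias` inside
    # a regex location without captures replaces the whole path. Confirm
    # both are intended.
    location ~ ^/cgi-bin/.*\.(cgi|pl|py|rb) {
        gzip off;
        alias /var/lib/vboxadm;
        # rewrite ^/(.*)$ /$1;
        include fastcgi_params;
        fastcgi_pass fcgiwrap;
        fastcgi_index cgi-bin.php;
        fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param HTTPS $fastcgi_https;
        fastcgi_param X_SCRIPT_FILENAME $fastcgi_script_name;
        fastcgi_param X_SCRIPT_NAME $fastcgi_script_name;
    }

    # NOTE(review): every *.php URI on this host is served from the
    # phpMyAdmin directory, without any access restriction.
    location ~ /.*\.(php)$ {
        root /usr/share/phpmyadmin;
        # Do not hand requests for non-existent scripts to PHP-FPM
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.socket;
        fastcgi_index index.php;
        fastcgi_param HTTPS $fastcgi_https;
        # $request_filename already contains the document root, so
        # prefixing it with $document_root produced a doubled path.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}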
Reverse-Proxy für Kibana
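# Reverse proxy in front of Kibana, protected by HTTP basic auth.
# Basic auth sends the password with every request, so it is only offered
# over TLS; port 80 redirects, as in the other examples on this page.
server {
    listen 80;
    server_name <FQDN_SERVERNAME>;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name <FQDN_SERVERNAME>;
    include /etc/nginx/sites-enabled/ssl.conf;

    auth_basic "Restricted Access";
    auth_basic_user_file <PFAD_ZU>/htpasswd.users;

    # The proxy only protects Kibana if port 5601 is not reachable from
    # outside; make sure Kibana listens on the loopback interface only.
    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        # Allow connection upgrades (WebSocket) through the proxy
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}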