tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

Update nginx sample configuration for 4.1

Browse Source 
- Remove unneeded denials (due to public folder)
- Add caveats about public folder, error pages, and HTTPS
This commit is contained in:
Fred Condo 2018-06-11 09:32:40 -04:00
parent ce58890baf
commit 6d12deb4b9
1 changed files with 11 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
docs/en/00_Getting_Started/01_Installation/How_To/Configure_Nginx.md
View File

@ -16,15 +16,19 @@ If you don't fully understand the configuration presented here, consult the
Especially be aware of [accidental php-execution](https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/ "Don't trust the tutorials") when extending the configuration. Especially be aware of [accidental php-execution](https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/ "Don't trust the tutorials") when extending the configuration.
</div> </div>
But enough of the disclaimer, on to the actual configuration — typically in `nginx.conf`: ## Caveats about the sample configuration below
* It does not cover serving securely over HTTPS.
* It uses the new filesystem layout (with `public` directory) introduced in version 4.1.0. If your installation has been upgraded to 4.1+ from an older version and you have not [upgraded to the public folder](/changelogs/4.1.0.md), see the version of this documentation for version 4.0.
* The error pages for 502 (Bad Gateway) and 503 (Service Unavailable) need to be manually created and published in the CMS (assuming use of the silverstripe/errorpage module).
```nginx ```nginx
server { server {
include mime.types; include mime.types;
default_type application/octet-stream; default_type application/octet-stream;
client_max_body_size 0; # Manage this in php.ini client_max_body_size 0; # Manage this in php.ini (upload_max_filesize & post_max_size)
listen 80; listen 80;
root /path/to/ss/folder; root /path/to/ss/folder/public;
server_name example.com www.example.com; server_name example.com www.example.com;
# Defend against SS-2015-013 -- http://www.silverstripe.org/software/download/security-releases/ss-2015-013 # Defend against SS-2015-013 -- http://www.silverstripe.org/software/download/security-releases/ss-2015-013
@ -39,6 +43,10 @@ server {
error_page 404 /assets/error-404.html; error_page 404 /assets/error-404.html;
error_page 500 /assets/error-500.html; error_page 500 /assets/error-500.html;
# See caveats
error_page 502 /assets/error-500.html;
error_page 503 /assets/error-500.html;
location ^~ /assets/ { location ^~ /assets/ {
sendfile on; sendfile on;
try_files $uri =404; try_files $uri =404;
@ -54,37 +62,6 @@ server {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params; include fastcgi_params;
} }
# Denials
location ~ /\.. {
deny all;
}
location ~ \.ss$ {
satisfy any;
allow 127.0.0.1;
deny all;
}
location ~ web\.config$ {
deny all;
}
location ~ \.ya?ml$ {
deny all;
}
location ~* README.*$ {
deny all;
}
location ^~ /vendor/ {
deny all;
}
location ~* /silverstripe-cache/ {
deny all;
}
location ~* composer\.(json|lock)$ {
deny all;
}
location ~* /(cms|framework)/silverstripe_version$ {
deny all;
}
} }
``` ```