Mediawiki/nginx


From axilleas/mediawiki-nginx.conf:

#
# nginx configuration for virtual host: axilleas.me.
#

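# http -> https redirection
server {
	listen 80;
	listen [::]:80;

	# virtual host domains
	server_name axilleas.me www.axilleas.me;

	# accept requests only for this domain
	# (dots are escaped so only the literal host names pass the check;
	# an unescaped "." would also accept e.g. "axilleasXme")
	if ($host !~ ^(axilleas\.me|www\.axilleas\.me)$) {
		return 444;
	}

	# redirect to https, keeping host and request path
	return 301 https://$host$request_uri;
}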

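# https and spdy
# NOTE: the "spdy" listen parameter was removed in nginx 1.9.5 in favour of
# "http2"; on such versions these listen lines need "http2" instead.
server {
	listen 443 ssl spdy;
	listen [::]:443 ssl spdy;

	# virtual host domains
	server_name axilleas.me www.axilleas.me;

	# accept requests only for this domain
	# (dots are escaped so only the literal host names pass the check)
	if ($host !~ ^(axilleas\.me|www\.axilleas\.me)$) {
		return 444;
	}

	# certificate and private key
	ssl_certificate /etc/ssl/ellak/axilleas.me-codomo-bundle.pem;
	ssl_certificate_key /etc/ssl/ellak/axilleas.me-decrypted.key;

	# 2048-bit finite-field Diffie-Hellman group for the DHE cipher suites
	# (ssl_dhparam does not affect ECDHE, which uses named curves)
	# (re)generate with:
	# openssl dhparam -outform pem -out dhparam2048.pem 2048
	ssl_dhparam /etc/vhosts/axilleas.me/ssl/dhparam2048.pem;

	# include common ssl settings
	include /etc/nginx/ssl.conf;

	# ocsp stapling (optional, uncomment if necessary)
	#ssl_trusted_certificate /etc/ssl/certs/combined.stapling.pem;

	# public html
	root /var/www/vhosts/axilleas.me/site/public_html;

	# access and error logs
	access_log /var/www/vhosts/axilleas.me/logs/access.log;
	error_log  /var/www/vhosts/axilleas.me/logs/error.log error;

	# include standard restrictions
	include /etc/nginx/restrictions.conf;

	# application configuration
	include /etc/nginx/cms.conf;

	# index files tried for directory requests
	index index.php index.html index.htm;

	# Hide .svn and .git metadata and any .htaccess files.
	# Regex locations are tried in file order, so these come before the
	# static-asset regexes below; the dot is escaped to match literally.
	location ~ /\.(svn|git)(/|$) { deny all; }
	location ~ /\.ht { deny all; }

	# css and js (anchored with "$" so only the file extension matches)
	location ~* ^.+\.(css|js)$ {
		# 1 week expires
		expires 1w;

		## no external referer
		valid_referers none blocked
		               axilleas.me *.axilleas.me;

		if ($invalid_referer) {
			return 403;
		}
	}

	location /wiki/ {
		try_files $uri $uri/ @mediawiki;

		# Do this inside of a location so it can be negated
		location ~ \.php$ {
			try_files $uri $uri/ =404; # Don't let php execute non-existent php files
			include /etc/nginx/fastcgi_params;
			fastcgi_pass unix:/var/run/php5-fpm/axilleas.me.sock;
		}
	}

	# Separate location for images/ so .php execution won't apply.
	# "^~" makes this prefix match final: without it nginx goes on to check
	# the server-level regex locations and "~ \.php$" below would win for an
	# uploaded /wiki/images/*.php file and execute it. The nested thumbnail
	# regex is still evaluated inside this location.
	location ^~ /wiki/images {
		location ~ ^/wiki/images/thumb/(archive/)?[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ {
			# Thumbnail handler for MediaWiki
			# This location only matches on a thumbnail's url
			# If the file does not exist we use @thumb to run the thumb.php script
			try_files $uri $uri/ @thumb;
		}
	}
	location ^~ /wiki/images/deleted {
		# Deny access to deleted images folder
		# ("^~" so the media-file regex below cannot serve files from it)
		deny	all;
	}

	# Deny access to folders MediaWiki has a .htaccess deny in.
	# "^~" is required: a plain prefix location is overridden by a later
	# regex match, so e.g. /wiki/maintenance/*.php would reach "~ \.php$".
	location ^~ /wiki/cache       { deny all; }
	location ^~ /wiki/languages   { deny all; }
	location ^~ /wiki/maintenance { deny all; }
	location ^~ /wiki/serialized  { deny all; }

	# Deny access to the installer/updater
	# (comment this location out only while running mw-config; "^~" keeps
	# /wiki/mw-config/index.php from reaching the php handler below)
	location ^~ /wiki/mw-config { deny all; }

	# Handling for the article path
	location @mediawiki {
		include /etc/nginx/fastcgi_params;
		# article path should always be passed to index.php
		fastcgi_param SCRIPT_FILENAME	$document_root/wiki/index.php;
		fastcgi_pass  unix:/var/run/php5-fpm/axilleas.me.sock;
	}

	# Thumbnail 404 handler, only called by try_files when a thumbnail does not exist
	location @thumb {
		# Do a rewrite here so that thumb.php gets the correct arguments
		rewrite ^/wiki/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /wiki/thumb.php?f=$1&width=$2;
		rewrite ^/wiki/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /wiki/thumb.php?f=$1&width=$2&archived=1;

		# Run the thumb.php script
		include /etc/nginx/fastcgi_params;
		fastcgi_param SCRIPT_FILENAME	$document_root/wiki/thumb.php;
		fastcgi_pass  unix:/var/run/php5-fpm/axilleas.me.sock;
	}


	# media files
	location ~* ^.+\.(og?|svg|svgz|eot|otf|woff|mp4|ttf|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
		# maximum expires
		expires max;

		# block hot-linking, allow SE and social media
		valid_referers none blocked ~\.google\. ~\.yahoo\. ~\.bing\.
			       ~\.facebook\. ~\.fbcdn\. ~\.twitter\.
			       axilleas.me *.axilleas.me;

		if ($invalid_referer) {
			return 403;
		}
	}

	# disable public access to buddypress docs attachments
	# NOTE(review): this prefix location has no "^~", so attachments whose
	# extension matches the media-file regex above are served by that
	# location and never reach this rewrite — confirm that is intended.
	location /wp-content/uploads/bp-attachments/ {
		rewrite ^.*uploads/bp-attachments/([0-9]+)/(.*) /?p=$1&bp-attachment=$2 permanent;
	}

	# php-fpm support
	location ~ \.php$ {
		# make sure to not run php hidden in other files
		try_files $uri =404;

		# fastcgi unix socket
		fastcgi_pass unix:/var/run/php5-fpm/axilleas.me.sock;

		# include standard parameters
		include /etc/nginx/fastcgi_params;

		# increase fastcgi timeout (for mu)
		fastcgi_read_timeout 360;

		# include micro-caching configuration
		include /etc/nginx/microcache.conf;
	}
}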