91 lines
3.0 KiB
Plaintext
91 lines
3.0 KiB
Plaintext
#upstream php-handler {
|
|
# server 127.0.0.1:9001;
|
|
#}
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name piwik.cipherbliss.com;
|
|
# enforce https
|
|
return 301 https://$server_name$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name piwik.cipherbliss.com;
|
|
|
|
# Use Mozilla's guidelines for SSL/TLS settings
|
|
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
|
# NOTE: some settings below might be redundant
|
|
ssl_certificate /etc/letsencrypt/live/piwik.cipherbliss.com/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/piwik.cipherbliss.com/privkey.pem;
|
|
|
|
# Path to the root of your installation
|
|
root /home/www/tykayn/piwik/;
|
|
|
|
## This should be in your http block and if it is, it's not needed here.
|
|
index index.php;
|
|
|
|
## only allow accessing the following php files
|
|
location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php$ {
|
|
# include snippets/fastcgi-php.conf; # if your Nginx setup doesn't come with a default fastcgi-php config, you can fetch it from https://github.com/nginx/nginx/blob/master/conf/fastcgi.conf
|
|
include fastcgi.conf;
|
|
fastcgi_intercept_errors on;
|
|
fastcgi_pass php-handler;
|
|
|
|
# try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here.
|
|
fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
|
|
# fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; #replace with the path to your PHP socket file
|
|
#fastcgi_pass 127.0.0.1:9000; # uncomment if you are using PHP via TCP sockets (e.g. Docker container)
|
|
}
|
|
|
|
## deny access to all other .php files
|
|
location ~* ^.+\.php$ {
|
|
deny all;
|
|
return 403;
|
|
}
|
|
|
|
## serve all other files normally
|
|
location / {
|
|
try_files $uri $uri/ =404;
|
|
}
|
|
|
|
## disable all access to the following directories
|
|
location ~ ^/(config|tmp|core|lang) {
|
|
deny all;
|
|
return 403; # replace with 404 to not show these directories exist
|
|
}
|
|
|
|
location ~ /\.ht {
|
|
deny all;
|
|
return 403;
|
|
}
|
|
|
|
location ~ js/container_.*_preview\.js$ {
|
|
expires off;
|
|
add_header Cache-Control 'private, no-cache, no-store';
|
|
}
|
|
|
|
location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
|
|
allow all;
|
|
## Cache images,CSS,JS and webfonts for an hour
|
|
## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
|
|
expires 1h;
|
|
add_header Pragma public;
|
|
add_header Cache-Control "public";
|
|
}
|
|
|
|
location ~ ^/(libs|vendor|plugins|misc|node_modules) {
|
|
deny all;
|
|
return 403;
|
|
}
|
|
|
|
## properly display textfiles in root directory
|
|
location ~/(.*\.md|LEGALNOTICE|LICENSE) {
|
|
default_type text/plain;
|
|
}
|
|
|
|
# --------------------
|
|
}
|