« Nginx and Ubuntu » : différence entre les versions

De Banane Atomic
Aller à la navigationAller à la recherche
Aucun résumé des modifications
 
(19 versions intermédiaires par le même utilisateur non affichées)
Ligne 1 : Ligne 1 :
[[Category:Ubuntu]]
[[Category:Ubuntu]]
= Links =
* [[Nginx]]
= Install =
= Install =
<kode lang='bash'>
<kode lang='bash'>
Ligne 7 : Ligne 10 :
sc-status nginx
sc-status nginx
sc-status php8.2-fpm
sc-status php8.2-fpm
</kode>
== UWSGI ==
<kode lang='bash'>
ai uwsgi-plugin-php
# uwsgi dependencies: libjansson4 libnorm1 libpgm-5.2-0 libzmq5 uwsgi-core
# uwsgi-plugin-php dependencies: libphp-embed libphp8.2-embed php7.4-cli php7.4-common php7.4-json php7.4-opcache php7.4-phpdbg php7.4-readline
# wrongly install php7.4 dependencies while php8.2 is installed
</kode>
</kode>


Ligne 21 : Ligne 16 :
# enable a web site
# enable a web site
sudo ln -s /etc/nginx/sites-available/phpinfo.conf /etc/nginx/sites-enabled/phpinfo.conf
sudo ln -s /etc/nginx/sites-available/phpinfo.conf /etc/nginx/sites-enabled/phpinfo.conf
sc-restart nginx
sc-reload nginx
</kode>
</kode>


== phpinfo ==
== php ==
<filebox fn='/etc/nginx/sites-available/phpinfo.conf' lang=nginx>
<filebox fn='/etc/nginx/sites-available/phpinfo.conf' lang=nginx>
server {
server {
    listen 80;
    root /var/www/php;
    index info.php;
     server_name phpinfo.net;
     server_name phpinfo.net;
    listen      80;
    root        /var/www/php;
    index      info.php;


     location ~ \.php$ {
     location ~ \.php$ {
Ligne 36 : Ligne 31 :


         # With php-fpm (or other unix sockets):
         # With php-fpm (or other unix sockets):
         fastcgi_pass unix:/run/php/php8.2-fpm.sock;
         fastcgi_pass unix:/run/php/php-fpm.sock;
     }
     }
}
}
</filebox>
</filebox>


= [http://wiki.nginx.org/MediaWiki Mediawiki] =
== [[Nginx#.Net_Core|.NET]] ==
== Pretty URL avec uwsgi ==
 
<filebox fn=/etc/nginx/nginx.conf lang=bash>
== [http://wiki.nginx.org/MediaWiki Mediawiki] ==
# only in production
<filebox fn='/etc/nginx/site-availables/mediawiki.conf' lang='nginx' collapsed>
error_page 403 404 = /index.php;
server {
    server_name mediawiki.domain.net;
    listen      80;
    root        /var/www/mediawiki;
    index      index.php;


location ~ \.php5?$ {
    # deny access to cache
    include uwsgi_params;
    location ^~ /cache/ {
    uwsgi_modifier1 14;
        deny all;
     uwsgi_pass unix:/run/uwsgi/mediawiki.sock;
     }
}


location ^~ /wiki/ {
    # don't execute php from images
    rewrite ^/wiki/(.*)$ /index.php?title=$1;
    location ^~ /images/ { }
}


# Restrictions based on the .htaccess files
    # Handling for the article path (pretty URLs)
location ^~ /cache/                 { deny all; }
    location /wiki/ {
#    location ^~ /images/               {}
        rewrite ^/wiki/(?<pagename>.*)$ /index.php;
location ^~ /images/deleted/        { deny all; }
    }
location ^~ /images/temp/          { deny all; }
location ^~ /includes/              { deny all; }
location ^~ /languages/            { deny all; }
location ^~ /maintenance/          { deny all; }
location ^~ /maintenance/archives/  { deny all; }
location ^~ /serialized/            { deny all; }
location ^~ /tests/                { deny all; }
#    location ^~ /tests/qunit/          { allow all; }
location ^~ /extensions/MobileFrontend/dev-scripts/ { deny all; }
#    location ^~ /extensions/MobileFrontend/tests/ {}


# Restrictions d'accès supplémentaires
    location ~ \.php$ {
location ^~ /mw-config/        { deny all; }
        include snippets/fastcgi-php.conf;
location ^~ /extensions/        { deny all; }
         fastcgi_pass unix:/run/php/php-fpm.sock;
location ^~ /resources/         { deny all; }
    }
location ^~ /resources/assets/ { allow all; }
location ^~ /docs/              { internal; }
location ^~ /vendor/            { internal; }
# Hide any .htaccess files
location ~ /.ht                { deny all; }


location ~* \.(js|css|png|jpg|jpeg|svg|gif|ico)$ {
    # Explicit access to the root website, redirect to main page
     try_files $uri /index.php;
    location = / {
     expires max;
        return 301 /wiki/Main_Page;
    }
    # Every other entry point will be disallowed
     location / {
        return 404;
     }
}
}
</filebox>
</filebox>
<filebox fn=LocalSettings.php lang=php>
* [https://www.mediawiki.org/wiki/Manual:Short_URL/Nginx example with short url]
$wgArticlePath = "/wiki/$1";
</filebox>


== Pretty URL avec php-fpm ==
== [https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html Nextcloud] ==
<filebox fn=/etc/nginx/nginx.conf lang=bash>
<filebox fn='/etc/nginx/sites-available/nextcloud.conf' lang='nginx' collapsed>
location / {
upstream php-handler {
     # Do this inside of a location so it can be negated
     server unix:/var/run/php/php-fpm.sock;
    location ~ \.php$ {
        try_files      $uri =404;
        fastcgi_pass    unix:/var/run/php-fpm/php-fpm.sock;
        include        /etc/nginx/fastcgi.conf;
    }
}
}


# Handling for the article path
server {
location /wiki {
    listen 80;
     fastcgi_pass    unix:/var/run/php-fpm/php-fpm.sock;
     listen [::]:80;
     include        /etc/nginx/fastcgi.conf;
     server_name cloud.domain.net;
     # article path should always be passed to index.php
     # enforce https
     fastcgi_param SCRIPT_FILENAME $document_root/index.php;
     return 301 https://$server_name:443$request_uri;
}
}
</filebox>
<filebox fn=LocalSettings.php lang=php>
$wgArticlePath = "/wiki/$1";
$wgUsePathInfo = true;
</filebox>


== URL classique ==
<filebox fn=/etc/nginx/nginx.conf lang=bash>
server {
server {
     listen     80;
     listen 443 ssl http2;
     server_name myserver;
    listen [::]:443 ssl http2;
     root       /srv/http/myserverfolder;
     server_name cloud.domain.net;
     index       index.php;
 
    ssl_certificate /etc/ssl/nginx/cloud.domain.net.crt;
     ssl_certificate_key /etc/ssl/nginx/cloud.domain.net.key;
 
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
 
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;
 
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;
 
    # Path to the root of your installation
    root /var/www/nextcloud;
 
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
 
    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
     }
    location = /.well-known/caldav {
       return 301 $scheme://$host:$server_port/remote.php/dav;
    }
 
    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
 
    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
    location / {
        rewrite ^ /index.php;
    }


     # Restrictions based on the .htaccess files
     location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
     location ~ /cache|images/deleted|languages|maintenance|maintenance/archives|serialized|tests/ {
        deny all;
    }
     location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
         deny all;
         deny all;
     }
     }
    # est-ce vraiment utile ?
    # location ~ /docs|extensions|includes|mw-config|resources|scripts/ {
    #    internal;
    # }


     # ne semble pas nécessaire
     location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
    # réécrit les urls: /index.php/Sujet → /index.php?title=Sujet
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
     # location / {
        set $path_info $fastcgi_path_info;
    #    try_files $uri $uri/ @rewrite;
        try_files $fastcgi_script_name =404;
     # }  
        include fastcgi_params;
     # location @rewrite {
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     #   rewrite ^/(.*)$ /index.php?title=$1&$args;
        fastcgi_param PATH_INFO $path_info;
    # }
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
 
     location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
     }
 
     # Adding the cache control header for js, css and map files
     # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;


    # est-ce vraiment utile ?
        access_log off;
    # Keep images and CSS around in browser cache for as long as possible, to cut down on server load
     }
    # location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    #    try_files $uri /index.php;
    #    expires max;
    #    log_not_found off;
     # }


     location ~ \.php$ {
     location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
         try_files $uri =404;
         try_files $uri /index.php$request_uri;
        fastcgi_pass    unix:/var/run/php-fpm/php-fpm.sock;
         access_log off;
        fastcgi_index  index.php;
         include        /etc/nginx/fastcgi.conf;
     }
     }
}
</filebox>
</filebox>
{{info | Le fichier <tt>robots.txt</tt> devra correspondre aux urls de type <tt><nowiki>/index.php?title=MonTitre</nowiki></tt>}}
 
= [https://ubuntu.com/server/docs/how-to-use-nginx-modules Modules] =
<kode lang='bash'>
# list available and enable modules
ls /etc/nginx/modules-*
 
# install GeoIP2 HTTP module for Nginx (auto enabled after install)
apt install libnginx-mod-http-geoip2
</kode>

Dernière version du 18 mai 2024 à 13:42

Links

Install

Bash.svg 
ai nginx php-fpm

# check nginx and php-fpm are running
sc-status nginx
sc-status php8.2-fpm

Site configuration

Bash.svg 
# enable a web site
sudo ln -s /etc/nginx/sites-available/phpinfo.conf /etc/nginx/sites-enabled/phpinfo.conf
sc-reload nginx

php

/etc/nginx/sites-available/phpinfo.conf 
server {
    server_name phpinfo.net;
    listen      80;
    root        /var/www/php;
    index       info.php;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;

        # With php-fpm (or other unix sockets):
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}

.NET

Mediawiki

/etc/nginx/site-availables/mediawiki.conf 
server {
    server_name mediawiki.domain.net;
    listen      80;
    root        /var/www/mediawiki;
    index       index.php;

    # deny access to cache
    location ^~ /cache/ {
        deny all;
    }

    # don't execute php from images
    location ^~ /images/ { }

    # Handling for the article path (pretty URLs)
    location /wiki/ {
        rewrite ^/wiki/(?<pagename>.*)$ /index.php;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Explicit access to the root website, redirect to main page
    location = / {
        return 301 /wiki/Main_Page;
    }
    # Every other entry point will be disallowed
    location / {
        return 404;
    }
}

Nextcloud

/etc/nginx/sites-available/nextcloud.conf 
upstream php-handler {
    server unix:/var/run/php/php-fpm.sock;
}

server {
    listen 80;
    listen [::]:80;
    server_name cloud.domain.net;
    # enforce https
    return 301 https://$server_name:443$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.domain.net;

    ssl_certificate /etc/ssl/nginx/cloud.domain.net.crt;
    ssl_certificate_key /etc/ssl/nginx/cloud.domain.net.key;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.

    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /var/www/nextcloud;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        rewrite ^ /index.php;
    }

    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js, css and map files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;

        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
        try_files $uri /index.php$request_uri;
        access_log off;
    }
}

Modules

Bash.svg 
# list available and enable modules
ls /etc/nginx/modules-*

# install GeoIP2 HTTP module for Nginx (auto enabled after install)
apt install libnginx-mod-http-geoip2
Récupérée de « http://wiki.bananeatomic.fr/index.php?title=Nginx_and_Ubuntu&oldid=30717 »