diff --git a/include/formular_proxy.conf b/include/formular_proxy.conf new file mode 100644 index 0000000..c165df5 --- /dev/null +++ b/include/formular_proxy.conf @@ -0,0 +1,6 @@ +# Transparenter Proxy für das Formular. + +location / { + proxy_pass http://localhost:8080; +} + diff --git a/include/graph_common.conf b/include/graph_common.conf new file mode 100644 index 0000000..4a56295 --- /dev/null +++ b/include/graph_common.conf @@ -0,0 +1,46 @@ +# Grundkonfiguration des Graphen / der Karte + +root /var/www/nodes_ffhh; +index graph.html; + +if_modified_since before; + +location ~ \.php$ { + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name; + + include /etc/nginx/fastcgi_params; +} + +location ~ \.cgi$ { + gzip off; #gzip makes scripts feel slower since they have to complete before getting gzipped + + fastcgi_pass unix:/var/run/nginx/cgiwrap-dispatch.sock; + + fastcgi_index index.cgi; + + fastcgi_param SCRIPT_FILENAME /var/www/nodes_ffhh/$fastcgi_script_name; + fastcgi_param QUERY_STRING $query_string; + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param CONTENT_TYPE $content_type; + fastcgi_param CONTENT_LENGTH $content_length; + fastcgi_param GATEWAY_INTERFACE CGI/1.1; + fastcgi_param SERVER_SOFTWARE nginx; + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + fastcgi_param REQUEST_URI $request_uri; + fastcgi_param DOCUMENT_URI $document_uri; + fastcgi_param DOCUMENT_ROOT $document_root; + fastcgi_param SERVER_PROTOCOL $server_protocol; + fastcgi_param REMOTE_ADDR $remote_addr; + fastcgi_param REMOTE_PORT $remote_port; + fastcgi_param SERVER_ADDR $server_addr; + fastcgi_param SERVER_PORT $server_port; + fastcgi_param SERVER_NAME $server_name; +} + +location = /nodes.json { + gzip_types application/octet-stream; + gzip on; +} + diff --git a/include/media_common.conf b/include/media_common.conf new file mode 100644 index 0000000..a6b29ca --- /dev/null +++ b/include/media_common.conf @@ -0,0 +1,24 @@ +# Basis-Konfiguration für media. + +# Don't allow to get framed by sites that aren't on the same domain +add_header X-Frame-Options SAMEORIGIN; + +# Tell clients never to use http or self-signed (!) certificates +# There's no way to bypass this option after it has been cached! +add_header Strict-Transport-Security max-age=31536000; + +location ~ /\. { + deny all; + access_log off; + log_not_found off; +} + +root /var/www/media; + +disable_symlinks on from=$document_root; + +location / { + autoindex on; + autoindex_exact_size on; + autoindex_localtime off; +} diff --git a/include/meta_common.conf b/include/meta_common.conf new file mode 100644 index 0000000..2281d0e --- /dev/null +++ b/include/meta_common.conf @@ -0,0 +1,16 @@ +# Basis-Konfiguration für meta. + +root /var/www/meta_ffhh; +disable_symlinks on from=$document_root; + +location / { + autoindex on; + autoindex_exact_size on; + autoindex_localtime off; +} + +location ~ /\. { + deny all; + access_log off; + log_not_found off; +} diff --git a/include/no_logging.conf b/include/no_logging.conf new file mode 100644 index 0000000..03ee220 --- /dev/null +++ b/include/no_logging.conf @@ -0,0 +1,8 @@ +# Deaktiviert Logging + +access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen. + +# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen. +# So stellen wir sicher, dass keine IPs geloggt werden. +error_log /dev/null crit; + diff --git a/include/postfixadmin_common.conf b/include/postfixadmin_common.conf new file mode 100644 index 0000000..c134ce6 --- /dev/null +++ b/include/postfixadmin_common.conf @@ -0,0 +1,18 @@ +# Basis-Konfiguration für den Postfix-Admin + +root /var/www/postfixadmin_ffhh; +index index.php index.html index.htm; + +location ~ \.php$ { + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME /var/www/postfixadmin_ffhh$fastcgi_script_name; + #fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name; + include /etc/nginx/fastcgi_params; +} + +location / { + index index.php; + try_files $uri $uri/index.php; +} + diff --git a/include/ssl.rewrite b/include/ssl.rewrite new file mode 100644 index 0000000..27500e4 --- /dev/null +++ b/include/ssl.rewrite @@ -0,0 +1,2 @@ +# Generischer Rewrite von HTTP nach HTTPS +rewrite ^ https://$server_name$request_uri? permanent; diff --git a/include/ssl_common.conf b/include/ssl_common.conf new file mode 100644 index 0000000..95a60ff --- /dev/null +++ b/include/ssl_common.conf @@ -0,0 +1,10 @@ +# Basis Konfiguration für SSL. Wird von allen vhosts includet. + +ssl_prefer_server_ciphers on; +ssl_session_cache shared:SSL:10m; +ssl_session_timeout 10m; + +# Only strong ciphers in PFS mode +ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA; +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + diff --git a/include/ssl_hamburg_freifunk_net.conf b/include/ssl_hamburg_freifunk_net.conf new file mode 100644 index 0000000..9029a4c --- /dev/null +++ b/include/ssl_hamburg_freifunk_net.conf @@ -0,0 +1,7 @@ +# Basis Konfiguration für SSL mit hamburg.freifunk.net-Zertifikat. + +ssl_certificate /etc/ssl/certs/hamburg.freifunk.net.crt; +ssl_certificate_key /etc/ssl/private/hamburg.freifunk.net.key; + +include /etc/nginx/include/ssl_common.conf; + diff --git a/include/ssl_wildcard.conf b/include/ssl_wildcard.conf new file mode 100644 index 0000000..c50c851 --- /dev/null +++ b/include/ssl_wildcard.conf @@ -0,0 +1,7 @@ +# Basis Konfiguration für SSL mit hamburg.freifunk.net-Zertifikat. + +ssl_certificate /etc/ssl/certs/*.hamburg.freifunk.net.crt; +ssl_certificate_key /etc/ssl/private/*.hamburg.freifunk.net.key; + +include /etc/nginx/include/ssl_common.conf; + diff --git a/include/start_common.conf b/include/start_common.conf new file mode 100644 index 0000000..d72b542 --- /dev/null +++ b/include/start_common.conf @@ -0,0 +1,13 @@ +# Basis-Konfiguration für start. + +root /var/www/start-ffhh/_site; + +location ~ /\. { + deny all; + access_log off; + log_not_found off; +} + +location /feeds/hamburg.freifunk.net.rss { + proxy_pass https://hamburg.freifunk.net/feed; +} diff --git a/include/updates_common.conf b/include/updates_common.conf new file mode 100644 index 0000000..9096f27 --- /dev/null +++ b/include/updates_common.conf @@ -0,0 +1,9 @@ +# Basis-Konfiguration für updates. + +root /var/www/updates; + +location / { + access_log off; + log_not_found off; + autoindex on; +} diff --git a/include/wordpress_common.conf b/include/wordpress_common.conf new file mode 100644 index 0000000..9d0e300 --- /dev/null +++ b/include/wordpress_common.conf @@ -0,0 +1,34 @@ +# Basis-Konfiguration für Wordpress + +client_max_body_size 16M; + +root /var/www/wordpress; +index index.php index.html index.htm; + +# Don't allow to get framed by sites that aren't on the same domain +add_header X-Frame-Options SAMEORIGIN; + +# Tell clients never to use http or self-signed (!) certificates +# There's no way to bypass this option after it has been cached! +add_header Strict-Transport-Security max-age=31536000; + +# This order might seem weird - this is attempted to match last if rules below fail. +# http://wiki.nginx.org/HttpCoreModule +location / { + index index.php; + try_files $uri $uri/ /index.php?$args; +} + +# Directives to send expires headers and turn off 404 error logging. +location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { + expires 24h; + log_not_found off; +} + +location ~ \.php$ { + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME /var/www/wordpress$fastcgi_script_name; +# fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name; + include /etc/nginx/fastcgi_params; +} diff --git a/nginx.conf b/nginx.conf index d5f87ee..a0fc422 100644 --- a/nginx.conf +++ b/nginx.conf @@ -27,12 +27,13 @@ http { ############################################## # Logging Settings ## + #access_log /var/log/nginx/access.log; access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen. # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen. # So stellen wir sicher, dass keine IPs geloggt werden. - error_log /dev/null crit; - #error_log /var/log/nginx/error.log crit; + error_log /dev/null warn; + #error_log /var/log/nginx/error.log debug; ############################################## # nginx-naxsi config diff --git a/sites-available/base b/sites-available/base new file mode 100644 index 0000000..d9ff368 --- /dev/null +++ b/sites-available/base @@ -0,0 +1,39 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + + + + access_log off; + error_log /dev/null crit; + + + ssl_certificate /etc/ssl/certs/*.hamburg.freifunk.net.crt; + ssl_certificate_key /etc/ssl/private/*.hamburg.freifunk.net.key; + + + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + # Only strong ciphers in PFS mode + ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + # Don't allow to get framed by sites that aren't on the same domain + add_header X-Frame-Options SAMEORIGIN; + + # Tell clients never to use http or self-signed (!) certificates + # There's no way to bypass this option after it has been cached! + add_header Strict-Transport-Security max-age=31536000; + + location ~ /\. { + deny all; + access_log off; + log_not_found off; + } + + + +} diff --git a/sites-available/default_ffhh b/sites-available/default_ffhh index f449b36..d4a4ff7 100644 --- a/sites-available/default_ffhh +++ b/sites-available/default_ffhh @@ -1,6 +1,6 @@ server { listen 80 default_server; - listen [::]:80 default_server; + listen [::]:80 default_server; root /var/www/wordpress; #/usr/share/nginx/html; index index.php index.html index.htm; @@ -17,3 +17,23 @@ server { # include /etc/nginx/fastcgi_params; # } } + +#server { +# listen 80 default_server; +# listen [::]:80 default_server; +# +# root /var/www/wordpress; #/usr/share/nginx/html; +# index index.php index.html index.htm; +# +# # Make site accessible from http://localhost/ +## server_name *.hamburg.freifunk.net; +# +# return 302 http://hamburg.freifunk.net; +# +## location ~ \.php$ { +## fastcgi_pass unix:/var/run/php5-fpm.sock; +## fastcgi_index index.php; +## fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name; +## include /etc/nginx/fastcgi_params; +## } +#} diff --git a/sites-available/formular_ffhh b/sites-available/formular_ffhh index 3acb77c..b739f14 100644 --- a/sites-available/formular_ffhh +++ b/sites-available/formular_ffhh @@ -1,45 +1,35 @@ server { - listen 80; - listen [::]:80; - server_name formular.hamburg.freifunk.net formular.services.ffhh formular.ffhh; + include /etc/nginx/include/no_logging.conf; - access_log off; + listen 80; + listen [::]:80; - return 301 https://formular.hamburg.freifunk.net$request_uri; + server_name formular.hamburg.freifunk.net; + + include /etc/nginx/include/ssl.rewrite; } server { - listen 443; - listen [::]:443; - server_name formular.hamburg.freifunk.net formular.services.ffhh formular.ffhh; + include /etc/nginx/include/no_logging.conf; - access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen. + listen 80; + listen [::]:80; - # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen. - # So stellen wir sicher, dass keine IPs geloggt werden. - error_log /dev/null crit; + server_name formular.services.ffhh formular.ffhh; - ssl_certificate /etc/ssl/certs/formular.hamburg.freifunk.net.crt; - ssl_certificate_key /etc/ssl/private/formular.hamburg.freifunk.net.key; - - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - # Only strong ciphers in PFS mode - ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - - # Don't allow to get framed by sites that aren't on the same domain - add_header X-Frame-Options SAMEORIGIN; - - # Tell clients never to use http or self-signed (!) certificates - # There's no way to bypass this option after it has been cached! - add_header Strict-Transport-Security max-age=31536000; - - #return 301 $scheme://formular.hamburg.freifunk.net:8080$request_uri; - location / { - proxy_pass http://formular.hamburg.freifunk.net:8080; - } + include /etc/nginx/include/formular_proxy.conf; } + +server { + include /etc/nginx/include/no_logging.conf; + + listen 443 ssl; + listen [::]:443 ssl; + + server_name formular.hamburg.freifunk.net; + + include /etc/nginx/include/ssl_wildcard.conf; + + include /etc/nginx/include/formular_proxy.conf; +} + diff --git a/sites-available/graph_ffhh b/sites-available/graph_ffhh index bb01f6e..1b1d891 100644 --- a/sites-available/graph_ffhh +++ b/sites-available/graph_ffhh @@ -1,51 +1,35 @@ server { - listen 80; - listen [::]:80; - server_name graph.hamburg.freifunk.net knotengraph.ffhh; + include /etc/nginx/include/no_logging.conf; - access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen. + listen 80; + listen [::]:80; - # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen. - # So stellen wir sicher, dass keine IPs geloggt werden. - error_log /dev/null crit; + server_name knotengraph.ffhh; - root /var/www/nodes_ffhh; - index graph.html; - - if_modified_since before; - - location ~ \.php$ { - fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name; - include /etc/nginx/fastcgi_params; - } - - location ~ \.cgi$ { - gzip off; #gzip makes scripts feel slower since they have to complete before getting gzipped - fastcgi_pass unix:/var/run/nginx/cgiwrap-dispatch.sock; - fastcgi_index index.cgi; - fastcgi_param SCRIPT_FILENAME /var/www/nodes_ffhh/$fastcgi_script_name; - fastcgi_param QUERY_STRING $query_string; - fastcgi_param REQUEST_METHOD $request_method; - fastcgi_param CONTENT_TYPE $content_type; - fastcgi_param CONTENT_LENGTH $content_length; - fastcgi_param GATEWAY_INTERFACE CGI/1.1; - fastcgi_param SERVER_SOFTWARE nginx; - fastcgi_param SCRIPT_NAME $fastcgi_script_name; - fastcgi_param REQUEST_URI $request_uri; - fastcgi_param DOCUMENT_URI $document_uri; - fastcgi_param DOCUMENT_ROOT $document_root; - fastcgi_param SERVER_PROTOCOL $server_protocol; - fastcgi_param REMOTE_ADDR $remote_addr; - fastcgi_param REMOTE_PORT $remote_port; - fastcgi_param SERVER_ADDR $server_addr; - fastcgi_param SERVER_PORT $server_port; - fastcgi_param SERVER_NAME $server_name; - } - - location = /nodes.json { - gzip_types application/octet-stream; - gzip on; - } + include /etc/nginx/include/graph_common.conf; } + +server { + include /etc/nginx/include/no_logging.conf; + + listen 80; + listen [::]:80; + + server_name graph.hamburg.freifunk.net; + + include /etc/nginx/include/ssl.rewrite; +} + +server { + include /etc/nginx/include/no_logging.conf; + + listen 443 ssl; + listen [::]:443 ssl; + + server_name graph.hamburg.freifunk.net; + + include /etc/nginx/include/ssl_wildcard.conf; + + include /etc/nginx/include/graph_common.conf; +} + diff --git a/sites-available/insecure b/sites-available/insecure new file mode 100644 index 0000000..8eaca94 --- /dev/null +++ b/sites-available/insecure @@ -0,0 +1,9 @@ +server { + listen 80; + listen [::]:80; + + server_name _; + access_log off; + + rewrite ^ https://$host$request_uri? permanent; +} \ No newline at end of file diff --git a/sites-available/media_ffhh b/sites-available/media_ffhh new file mode 100644 index 0000000..ace5791 --- /dev/null +++ b/sites-available/media_ffhh @@ -0,0 +1,35 @@ +server { + include /etc/nginx/include/no_logging.conf; + + listen 80; + listen [::]:80; + + server_name media.services.ffhh; + + include /etc/nginx/include/media_common.conf; +} + +server { + include /etc/nginx/include/no_logging.conf; + + listen 80; + listen [::]:80; + + server_name media.hamburg.freifunk.net; + + include /etc/nginx/include/ssl.rewrite; +} + +server { + include /etc/nginx/include/no_logging.conf; + + listen 443 ssl; + listen [::]:443 ssl; + + server_name media.hamburg.freifunk.net; + + include /etc/nginx/include/ssl_wildcard.conf; + + include /etc/nginx/include/media_common.conf; +} + diff --git a/sites-available/meta_ffhh b/sites-available/meta_ffhh index ddfe1b8..fb0bfdd 100644 --- a/sites-available/meta_ffhh +++ b/sites-available/meta_ffhh @@ -1,28 +1,24 @@ server { - listen 80; - listen [::]:80; - server_name meta.hamburg.freifunk.net; + include /etc/nginx/include/no_logging.conf; - access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen. + listen 80; + listen [::]:80; - # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen. - # So stellen wir sicher, dass keine IPs geloggt werden. - error_log /dev/null crit; + server_name meta.hamburg.freifunk.net; - root /var/www/meta_ffhh; - - disable_symlinks on from=$document_root; - - location / { - autoindex on; - autoindex_exact_size on; - autoindex_localtime off; - } - - location ~ /\. { - deny all; - access_log off; - log_not_found off; - } + include /etc/nginx/include/meta_common.conf; +} + +server { + include /etc/nginx/include/no_logging.conf; + + listen 443 ssl; + listen [::]:443 ssl; + + server_name meta.hamburg.freifunk.net; + + include /etc/nginx/include/ssl_wildcard.conf; + + include /etc/nginx/include/meta_common.conf; } diff --git a/sites-available/opkg_ffhh b/sites-available/opkg_ffhh index 41e4d40..754ed9e 100644 --- a/sites-available/opkg_ffhh +++ b/sites-available/opkg_ffhh @@ -1,16 +1,13 @@ server { - #listen 80; - listen [::]:80; - server_name opkg.services.ffhh; + include /etc/nginx/include/no_logging.conf; - access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen. + #listen 80; + listen [::]:80; - # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen. - # So stellen wir sicher, dass keine IPs geloggt werden. - error_log /dev/null crit; + server_name opkg.services.ffhh; - location / { - proxy_pass https://downloads.openwrt.org/; - } + location / { + proxy_pass https://downloads.openwrt.org/; + } } diff --git a/sites-available/postfixadmin_ffhh b/sites-available/postfixadmin_ffhh index 13005af..b5bf419 100644 --- a/sites-available/postfixadmin_ffhh +++ b/sites-available/postfixadmin_ffhh @@ -1,59 +1,35 @@ -# HTTP redirect to HTTPS - server { - listen 80; - listen [::]:80; -# listen 443; - server_name postmaster.hamburg.freifunk.net postmaster.services.ffhh; -# rewrite ^ https://postmaster.hamburg.freifunk.net permanent; - rewrite ^ https://$server_name$request_uri? permanent; - access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen. + include /etc/nginx/include/no_logging.conf; - # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen. - # So stellen wir sicher, dass keine IPs geloggt werden. - error_log /dev/null crit; + listen 80; + listen [::]:80; + + server_name postmaster.services.ffhh; + + include /etc/nginx/include/postfixadmin_common.conf; } +server { + include /etc/nginx/include/no_logging.conf; -# HTTPS server + listen 80; + listen [::]:80; + + server_name postmaster.hamburg.freifunk.net; + + include /etc/nginx/include/ssl.rewrite; +} server { - listen 443; - listen [::]443; - server_name postmaster.hamburg.freifunk.net postmaster.services.ffhh; - access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen. - # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen. - # So stellen wir sicher, dass keine IPs geloggt werden. + include /etc/nginx/include/no_logging.conf; - error_log /dev/null crit; -# error_log /var/log/nginx/error.log; + listen 443 ssl; + listen [::]:443 ssl; - root /var/www/postfixadmin_ffhh; - index index.php index.html index.htm; + server_name postmaster.hamburg.freifunk.net; - ssl on; - ssl_certificate /etc/nginx/ssl/postfix_ssl/server.crt; - ssl_certificate_key /etc/nginx/ssl/postfix_ssl/server.key; - - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - # Only strong ciphers in PFS mode - ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - location ~ \.php$ { - fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME /var/www/postfixadmin_ffhh$fastcgi_script_name; - #fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name; - include /etc/nginx/fastcgi_params; - } - - location / { - index index.php; # hinzugefuegt - try_files $uri $uri/index.php; - } # geaendert von ez am 28.02.2014; + include /etc/nginx/include/ssl_wildcard.conf; + include /etc/nginx/include/postfixadmin_common.conf; } + diff --git a/sites-available/start_ffhh b/sites-available/start_ffhh index 32e2870..4c9739e 100644 --- a/sites-available/start_ffhh +++ b/sites-available/start_ffhh @@ -1,24 +1,35 @@ server { - listen 80; - listen [::]:80; - server_name start.hamburg.freifunk.net start.ffhh; + include /etc/nginx/include/no_logging.conf; - access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen. + listen 80; + listen [::]:80; - # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen. - # So stellen wir sicher, dass keine IPs geloggt werden. - error_log /dev/null crit; + server_name start.ffhh; - root /var/www/start-ffhh/_site; - - location ~ /\. { - deny all; - access_log off; - log_not_found off; - } - - location /feeds/hamburg.freifunk.net.rss { - proxy_pass https://hamburg.freifunk.net/feed; - } + include /etc/nginx/include/start_common.conf; +} + +server { + include /etc/nginx/include/no_logging.conf; + + listen 80; + listen [::]:80; + + server_name start.hamburg.freifunk.net; + + include /etc/nginx/include/ssl.rewrite; +} + +server { + include /etc/nginx/include/no_logging.conf; + + listen 443 ssl; + listen [::]:443 ssl; + + server_name start.hamburg.freifunk.net; + + include /etc/nginx/include/ssl_wildcard.conf; + + include /etc/nginx/include/start_common.conf; } diff --git a/sites-available/updates b/sites-available/updates new file mode 100644 index 0000000..f370f4d --- /dev/null +++ b/sites-available/updates @@ -0,0 +1,23 @@ +server { + include /etc/nginx/include/no_logging.conf; + + listen 80; + listen [::]:80; + + server_name updates.hamburg.freifunk.net 1.updates.services.ffhh; + + include /etc/nginx/include/updates_common.conf; +} + +server { + include /etc/nginx/include/no_logging.conf; + + listen 443 ssl; + listen [::]:443 ssl; + server_name updates.hamburg.freifunk.net 1.updates.services.ffhh; + + include /etc/nginx/include/ssl_wildcard.conf; + + include /etc/nginx/include/updates_common.conf; +} + diff --git a/sites-available/wordpress_ffhh b/sites-available/wordpress_ffhh index da385cb..c893211 100644 --- a/sites-available/wordpress_ffhh +++ b/sites-available/wordpress_ffhh @@ -1,69 +1,48 @@ server { - listen 80; # ipv4 http - listen [::]:80; # ipv6 http + include /etc/nginx/include/no_logging.conf; - server_name hamburg.freifunk.net www.hamburg.freifunk.net freifunk.ffhh; - access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen. + listen 80; + listen [::]:80; - rewrite ^ https://$server_name$request_uri? permanent; + server_name freifunk.ffhh; + + include /etc/nginx/include/wordpress_common.conf; } server { - listen 443 ssl; # ipv4 https - listen [::]:443 ssl; # ipv6 https + include /etc/nginx/include/no_logging.conf; - server_name hamburg.freifunk.net www.hamburg.freifunk.net freifunk.ffhh; + listen 80; + listen [::]:80; - access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen. + server_name hamburg.freifunk.net www.hamburg.freifunk.net; - # Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen. - # So stellen wir sicher, dass keine IPs geloggt werden. - error_log /dev/null crit; - - client_max_body_size 16M; - - root /var/www/wordpress; - index index.php index.html index.htm; - - - ssl_certificate /etc/ssl/certs/hamburg.freifunk.net.crt; - ssl_certificate_key /etc/ssl/private/hamburg.freifunk.net.key; - - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - # Only strong ciphers in PFS mode - ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - - # Don't allow to get framed by sites that aren't on the same domain - add_header X-Frame-Options SAMEORIGIN; - - # Tell clients never to use http or self-signed (!) certificates - # There's no way to bypass this option after it has been cached! - add_header Strict-Transport-Security max-age=31536000; - - # This order might seem weird - this is attempted to match last if rules below fail. - # http://wiki.nginx.org/HttpCoreModule - location / { - index index.php; - try_files $uri $uri/ /index.php?$args; - } - - # Directives to send expires headers and turn off 404 error logging. - location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { - expires 24h; - log_not_found off; - } - - location ~ \.php$ { - fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME /var/www/wordpress$fastcgi_script_name; -# fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name; - include /etc/nginx/fastcgi_params; - } + rewrite ^ https://hamburg.freifunk.net$request_uri? permanent; +} + +server { + include /etc/nginx/include/no_logging.conf; + + listen 443 ssl; + listen [::]:443 ssl; + + server_name www.hamburg.freifunk.net; + + include /etc/nginx/include/ssl_wildcard.conf; + + rewrite ^ https://hamburg.freifunk.net$request_uri? permanent; +} + +server { + include /etc/nginx/include/no_logging.conf; + + listen 443 ssl; + listen [::]:443 ssl; + + server_name hamburg.freifunk.net; + + include /etc/nginx/include/ssl_hamburg_freifunk_net.conf; + + include /etc/nginx/include/wordpress_common.conf; } diff --git a/sites-enabled/default_ffhh b/sites-enabled/default_ffhh deleted file mode 120000 index 9a6a74b..0000000 --- a/sites-enabled/default_ffhh +++ /dev/null @@ -1 +0,0 @@ -../sites-available/default_ffhh \ No newline at end of file diff --git a/sites-enabled/mail b/sites-enabled/mail deleted file mode 120000 index 739c70f..0000000 --- a/sites-enabled/mail +++ /dev/null @@ -1 +0,0 @@ -../sites-available/mail \ No newline at end of file diff --git a/sites-enabled/media_ffhh b/sites-enabled/media_ffhh new file mode 120000 index 0000000..d53307c --- /dev/null +++ b/sites-enabled/media_ffhh @@ -0,0 +1 @@ +../sites-available/media_ffhh \ No newline at end of file diff --git a/sites-enabled/updates b/sites-enabled/updates new file mode 120000 index 0000000..708196c --- /dev/null +++ b/sites-enabled/updates @@ -0,0 +1 @@ +../sites-available/updates \ No newline at end of file