Konfiguration gefixt und massiv aufgeräumt

SSL Redirects funktionieren jetzt
2015-01-31 06:47:41 +00:00 · 2015-01-31 06:47:41 +00:00 · d144bc082c
commit d144bc082c
parent d170593345
30 changed files with 501 additions and 241 deletions
--- a/include/formular_proxy.conf
+++ b/include/formular_proxy.conf
@ -0,0 +1,6 @@
+# Transparenter Proxy für das Formular.
+
+location / {
+    proxy_pass http://localhost:8080;
+}
+
--- a/include/graph_common.conf
+++ b/include/graph_common.conf
@ -0,0 +1,46 @@
+# Grundkonfiguration des Graphen / der Karte
+
+root /var/www/nodes_ffhh;
+index graph.html;
+
+if_modified_since before;
+
+location ~ \.php$ {
+    fastcgi_pass unix:/var/run/php5-fpm.sock;
+    fastcgi_index index.php;
+    fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name;
+
+    include /etc/nginx/fastcgi_params;
+}
+
+location ~ \.cgi$ {
+    gzip off; #gzip makes scripts feel slower since they have to complete before getting gzipped
+
+    fastcgi_pass  unix:/var/run/nginx/cgiwrap-dispatch.sock;
+
+    fastcgi_index index.cgi;
+
+    fastcgi_param SCRIPT_FILENAME /var/www/nodes_ffhh/$fastcgi_script_name;
+    fastcgi_param QUERY_STRING     $query_string;
+    fastcgi_param REQUEST_METHOD   $request_method;
+    fastcgi_param CONTENT_TYPE     $content_type;
+    fastcgi_param CONTENT_LENGTH   $content_length;
+    fastcgi_param GATEWAY_INTERFACE  CGI/1.1;
+    fastcgi_param SERVER_SOFTWARE    nginx;
+    fastcgi_param SCRIPT_NAME        $fastcgi_script_name;
+    fastcgi_param REQUEST_URI        $request_uri;
+    fastcgi_param DOCUMENT_URI       $document_uri;
+    fastcgi_param DOCUMENT_ROOT      $document_root;
+    fastcgi_param SERVER_PROTOCOL    $server_protocol;
+    fastcgi_param REMOTE_ADDR        $remote_addr;
+    fastcgi_param REMOTE_PORT        $remote_port;
+    fastcgi_param SERVER_ADDR        $server_addr;
+    fastcgi_param SERVER_PORT        $server_port;
+    fastcgi_param SERVER_NAME        $server_name;
+}
+
+location = /nodes.json {
+    gzip_types application/octet-stream;
+    gzip on;
+}
+
--- a/include/media_common.conf
+++ b/include/media_common.conf
@ -0,0 +1,24 @@
+# Basis-Konfiguration für media.
+
+# Don't allow to get framed by sites that aren't on the same domain
+add_header X-Frame-Options SAMEORIGIN;
+
+# Tell clients never to use http or self-signed (!) certificates
+# There's no way to bypass this option after it has been cached!
+add_header Strict-Transport-Security max-age=31536000;
+
+location ~ /\. {
+    deny all;
+    access_log off;
+    log_not_found off;
+}
+
+root /var/www/media;
+
+disable_symlinks on from=$document_root;
+
+location / {
+    autoindex on;
+    autoindex_exact_size on;
+    autoindex_localtime off;
+}
--- a/include/meta_common.conf
+++ b/include/meta_common.conf
@ -0,0 +1,16 @@
+# Basis-Konfiguration für meta.
+
+root /var/www/meta_ffhh;
+disable_symlinks on from=$document_root;
+
+location / {
+    autoindex on;
+    autoindex_exact_size on;
+    autoindex_localtime off;
+}
+
+location ~ /\. {
+    deny all;
+    access_log off;
+    log_not_found off;
+}
--- a/include/no_logging.conf
+++ b/include/no_logging.conf
@ -0,0 +1,8 @@
+# Deaktiviert Logging
+
+access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+
+# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
+# So stellen wir sicher, dass keine IPs geloggt werden.
+error_log /dev/null crit;
+
--- a/include/postfixadmin_common.conf
+++ b/include/postfixadmin_common.conf
@ -0,0 +1,18 @@
+# Basis-Konfiguration für den Postfix-Admin
+
+root /var/www/postfixadmin_ffhh;
+index index.php index.html index.htm;
+
+location ~ \.php$ {
+    fastcgi_pass unix:/var/run/php5-fpm.sock;
+    fastcgi_index index.php;
+    fastcgi_param SCRIPT_FILENAME /var/www/postfixadmin_ffhh$fastcgi_script_name;
+    #fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name;
+    include /etc/nginx/fastcgi_params;
+}
+
+location / {
+    index index.php;
+    try_files $uri $uri/index.php;
+}
+
--- a/include/ssl.rewrite
+++ b/include/ssl.rewrite
@ -0,0 +1,2 @@
+# Generischer Rewrite von HTTP nach HTTPS
+rewrite	^ https://$server_name$request_uri? permanent;
--- a/include/ssl_common.conf
+++ b/include/ssl_common.conf
@ -0,0 +1,10 @@
+# Basis Konfiguration für SSL. Wird von allen vhosts includet.
+
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+
+# Only strong ciphers in PFS mode
+ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
--- a/include/ssl_hamburg_freifunk_net.conf
+++ b/include/ssl_hamburg_freifunk_net.conf
@ -0,0 +1,7 @@
+# Basis Konfiguration für SSL mit hamburg.freifunk.net-Zertifikat.
+
+ssl_certificate                 /etc/ssl/certs/hamburg.freifunk.net.crt;
+ssl_certificate_key             /etc/ssl/private/hamburg.freifunk.net.key;
+
+include /etc/nginx/include/ssl_common.conf;
+
--- a/include/ssl_wildcard.conf
+++ b/include/ssl_wildcard.conf
@ -0,0 +1,7 @@
+# Basis Konfiguration für SSL mit hamburg.freifunk.net-Zertifikat.
+
+ssl_certificate                 /etc/ssl/certs/*.hamburg.freifunk.net.crt;
+ssl_certificate_key             /etc/ssl/private/*.hamburg.freifunk.net.key;
+
+include /etc/nginx/include/ssl_common.conf;
+
--- a/include/start_common.conf
+++ b/include/start_common.conf
@ -0,0 +1,13 @@
+# Basis-Konfiguration für start.
+
+root /var/www/start-ffhh/_site;
+
+location ~ /\. {
+    deny all;
+    access_log off;
+    log_not_found off;
+}
+
+location /feeds/hamburg.freifunk.net.rss {
+    proxy_pass https://hamburg.freifunk.net/feed;
+}
--- a/include/updates_common.conf
+++ b/include/updates_common.conf
@ -0,0 +1,9 @@
+# Basis-Konfiguration für updates.
+
+root /var/www/updates;
+
+location / {
+    access_log off;
+    log_not_found off;
+    autoindex on;
+}
--- a/include/wordpress_common.conf
+++ b/include/wordpress_common.conf
@ -0,0 +1,34 @@
+# Basis-Konfiguration für Wordpress
+
+client_max_body_size 16M;
+
+root /var/www/wordpress;
+index index.php index.html index.htm;
+
+# Don't allow to get framed by sites that aren't on the same domain
+add_header X-Frame-Options SAMEORIGIN;
+
+# Tell clients never to use http or self-signed (!) certificates
+# There's no way to bypass this option after it has been cached!
+add_header Strict-Transport-Security max-age=31536000;
+
+# This order might seem weird - this is attempted to match last if rules below fail.
+# http://wiki.nginx.org/HttpCoreModule
+location / {
+    index index.php;
+    try_files $uri $uri/ /index.php?$args;
+}
+
+# Directives to send expires headers and turn off 404 error logging.
+location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+    expires 24h;
+    log_not_found off;
+}
+
+location ~ \.php$ {
+    fastcgi_pass unix:/var/run/php5-fpm.sock;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME /var/www/wordpress$fastcgi_script_name;
+#            fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name;
+        include /etc/nginx/fastcgi_params;
+}