khanh.pndc/nextcloud-docs
1
0
Fork 0
mirror of https://github.com/nextcloud/documentation.git synced 2026-01-03 02:09:45 +07:00
Code Issues Packages Projects Releases Wiki Activity

Update installation_others.rst

Browse Source 
Update Nginx configuration

Fixes a number of potential security holes. Avoids duplication.
TODO: Further restrict locations where .php files can be found.
This commit is contained in:
Ed Wildgoose
2013-03-14 16:07:34 +00:00
parent a25c267c84
commit 596e4d5f2c
1 changed files with 54 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

90
admin_manual/installation/installation_others.rst
View File

@@ -16,50 +16,68 @@ Nginx Configuration
.. code-block:: python
# redirect http to https.
server {
listen 80;
server_name owncloud.example.org;
return 301 https://$server_name$request_uri; # enforce https
listen 80;
server_name cloud.example.com;
rewrite ^ https://$server_name$request_uri? permanent; # enforce https
}
# owncloud (ssl/tls)
server {
listen 443 ssl;
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;
server_name owncloud.example.org;
root /path/to/owncloud;
index index.php;
client_max_body_size 1000M; # set maximum upload size
listen 443 ssl;
server_name cloud.example.com;
# deny direct access
location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
deny all;
}
ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
# default try order
location / {
try_files $uri $uri/ @webdav;
}
access_log /var/log/nginx/cloud.example.com.access_log main;
error_log /var/log/nginx/cloud.example.com.error_log info;
# owncloud WebDAV
location @webdav {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_pass 127.0.0.1:9000; # or use php-fpm with: "unix:/var/run/php-fpm/php-fpm.sock;"
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
include fastcgi_params;
}
# Path to the root of your installation
root /var/www/$server_name/htdocs;
client_max_body_size 10G; # set max upload size
fastcgi_buffers 64 4K;
rewrite ^/caldav((/|$).*)$ /remote.php/caldav$1 last;
rewrite ^/carddav((/|$).*)$ /remote.php/carddav$1 last;
rewrite ^/webdav((/|$).*)$ /remote.php/webdav$1 last;
index index.php;
error_page 403 = /core/templates/403.php;
error_page 404 = /core/templates/404.php;
location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
deny all;
}
location / {
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ index.php;
}
# regexp required pcre installed, otherwise try: ^(.+?\.php)(/.*)?$
location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
try_files $script_name = 404;
include fastcgi.conf;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_pass 127.0.0.1:9000;
}
# Optional: set long EXPIRES header on static assets
location ~* ^.+.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
expires 30d;
# Optional: Don't log access to assets
access_log off;
}
# enable php
location ~ \.php$ {
try_files $uri = 404;
fastcgi_pass 127.0.0.1:9000; # or use php-fpm with: "unix:/var/run/php-fpm/php-fpm.sock;"
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
include fastcgi_params;
}
}
.. note:: You can use Owncloud without SSL/TLS support, but we strongly encourage you not to do that: