From 596e4d5f2cc371481e1ceb341a4840717384d6f0 Mon Sep 17 00:00:00 2001 From: Ed Wildgoose Date: Thu, 14 Mar 2013 16:07:34 +0000 Subject: [PATCH] Update installation_others.rst Update Nginx configuration Fixes a number of potential security holes. Avoids duplication. TODO: Further restrict locations where .php files can be found. --- .../installation/installation_others.rst | 90 +++++++++++-------- 1 file changed, 54 insertions(+), 36 deletions(-) diff --git a/admin_manual/installation/installation_others.rst b/admin_manual/installation/installation_others.rst index 36e0da67f..0044b39bc 100644 --- a/admin_manual/installation/installation_others.rst +++ b/admin_manual/installation/installation_others.rst @@ -16,50 +16,68 @@ Nginx Configuration .. code-block:: python - # redirect http to https. server { - listen 80; - server_name owncloud.example.org; - return 301 https://$server_name$request_uri; # enforce https + listen 80; + server_name cloud.example.com; + rewrite ^ https://$server_name$request_uri? permanent; # enforce https } - # owncloud (ssl/tls) server { - listen 443 ssl; - ssl_certificate /etc/nginx/certs/server.crt; - ssl_certificate_key /etc/nginx/certs/server.key; - server_name owncloud.example.org; - root /path/to/owncloud; - index index.php; - client_max_body_size 1000M; # set maximum upload size + listen 443 ssl; + server_name cloud.example.com; - # deny direct access - location ~ ^/(data|config|\.ht|db_structure\.xml|README) { - deny all; - } + ssl_certificate /etc/ssl/nginx/cloud.example.com.crt; + ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key; - # default try order - location / { - try_files $uri $uri/ @webdav; - } + access_log /var/log/nginx/cloud.example.com.access_log main; + error_log /var/log/nginx/cloud.example.com.error_log info; - # owncloud WebDAV - location @webdav { - fastcgi_split_path_info ^(.+\.php)(/.*)$; - fastcgi_pass 127.0.0.1:9000; # or use php-fpm with: "unix:/var/run/php-fpm/php-fpm.sock;" - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param HTTPS on; - include fastcgi_params; - } + # Path to the root of your installation + root /var/www/$server_name/htdocs; + + client_max_body_size 10G; # set max upload size + fastcgi_buffers 64 4K; + + rewrite ^/caldav((/|$).*)$ /remote.php/caldav$1 last; + rewrite ^/carddav((/|$).*)$ /remote.php/carddav$1 last; + rewrite ^/webdav((/|$).*)$ /remote.php/webdav$1 last; + + index index.php; + error_page 403 = /core/templates/403.php; + error_page 404 = /core/templates/404.php; + + location ~ ^/(data|config|\.ht|db_structure\.xml|README) { + deny all; + } + + location / { + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; + rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; + + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + + try_files $uri $uri/ index.php; + } + + # regexp required pcre installed, otherwise try: ^(.+?\.php)(/.*)?$ + location ~ ^(?.+?\.php)(?/.*)?$ { + try_files $script_name = 404; + + include fastcgi.conf; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + fastcgi_pass 127.0.0.1:9000; + } + + # Optional: set long EXPIRES header on static assets + location ~* ^.+.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ { + expires 30d; + # Optional: Don't log access to assets + access_log off; + } - # enable php - location ~ \.php$ { - try_files $uri = 404; - fastcgi_pass 127.0.0.1:9000; # or use php-fpm with: "unix:/var/run/php-fpm/php-fpm.sock;" - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param HTTPS on; - include fastcgi_params; - } } .. note:: You can use Owncloud without SSL/TLS support, but we strongly encourage you not to do that: