## # Friendica Nginx configuration # by Pawlik # # On Debian based distributions you can add this file to # /etc/nginx/sites-available # # Then customize to your needs. To enable the configuration # symlink it to /etc/nginx/sites-enabled and reload Nginx # using /etc/init.d/nginx reload ## ## # You should look at the following URL's in order to grasp a solid understanding # of Nginx configuration files in order to fully unleash the power of Nginx. # # http://wiki.nginx.org/Pitfalls # http://wiki.nginx.org/QuickStart # http://wiki.nginx.org/Configuration ## ## # This configuration assumes your domain is example.net # You have a separate subdomain friendica.example.net # You want all friendica traffic to be https # You have an SSL certificate and key for your subdomain # You have PHP FastCGI Process Manager (php7-fpm) running on localhost # You have Friendica installed in /mnt/friendica/www ## server { server_name ixyz.com; index index.php; root /home/root/friendica; rewrite ^ https://xyz.com$request_uri? permanent; } ## # Configure Friendica with SSL # # All requests are routed to the front controller # except for certain known file types like images, css, etc. # Those are served statically whenever possible with a # fall back to the front controller (needed for avatars, for example) ## server { listen 443 ssl; listen [::]:443 ssl; server_name xyz.com index index.php; root /home/root/friendica; ssl on; ssl_certificate /etc/nginx/ssl/friendica.example.net.chain.pem; ssl_certificate_key /etc/nginx/ssl/example.net.key; ssl_session_timeout 5m; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; ssl_prefer_server_ciphers on; fastcgi_param HTTPS on; # allow uploads up to 20MB in size client_max_body_size 20m; client_body_buffer_size 128k; # rewrite to front controller as default rule location / { rewrite ^/(.*) /index.php?q=$uri&$args last; } # make sure webfinger and other well known services aren't blocked # by denying dot files and rewrite request to the front controller location ^~ /.well-known/ { allow all; rewrite ^/(.*) /index.php?q=$uri&$args last; } include mime.types; # statically serve these file types when possible # otherwise fall back to front controller # allow browser to cache them # added .htm for advanced source code editor library location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|svg)$ { expires 30d; try_files $uri /index.php?q=$uri&$args; } # block these file types location ~* \.(tpl|md|tgz|log|out)$ { deny all; } location ~ [^/]\.php(/|$) { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; # fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; fastcgi_pass unix:/var/run/php/php7.3-fpm.sock; include fastcgi_params; fastcgi_index index.php; # fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_buffers 16 16k; fastcgi_buffer_size 32k; } # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # location ~* \.php$ { # fastcgi_split_path_info ^(.+\.php)(/.+)$; # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini # With php5-cgi alone: # fastcgi_pass 127.0.0.1:9000; # With php5-fpm: # fastcgi_pass unix:/var/run/php5-fpm.sock; # fastcgi_index index.php; # include fastcgi_params; # } # deny access to all dot files location ~ /\. { deny all; } }