Some more conf files

2025-11-06 03:06:09 +08:00 · 2020-05-14 18:01:55 +01:00
parent 742b0c8999
commit adf4752e1c
6 changed files with 228 additions and 1 deletions
--- a/src/nginxconfig/generators/drupal.conf.js
+++ b/src/nginxconfig/generators/drupal.conf.js
@@ -0,0 +1,34 @@
+export default (domains, global) => {
+    const config = {};
+
+    config['# Drupal: deny private files'] = '';
+    config['location ~ ^/sites/.*/private/'] = {
+        deny: 'all',
+    };
+
+    config['# Drupal: deny php in files'] = '';
+    config['location ~ ^/sites/[^/]+/files/.*\\.php$'] = {
+        deny: 'all',
+    };
+
+    config['# Drupal: deny php in vendor'] = '';
+    config['location ~ /vendor/.*\\.php$'] = {
+        deny: 'all',
+    };
+
+    config['# Drupal: handle private files'] = '';
+    config['location ~ ^(/[a-z\\-]+)?/system/files/'] = {
+        try_files: '$uri /index.php?$query_string',
+    };
+
+    if (global.security.limitReq.computed) {
+        config['# Drupal: throttle user functions'] = '';
+        config['location ~ ^/user/(?:login|register|password)'] = {
+            limit_req: 'zone=login burst=2 nodelay',
+            try_files: '$uri /index.php?$query_string',
+        };
+    }
+
+    // Done!
+    return config;
+};
--- a/src/nginxconfig/generators/general.conf.js
+++ b/src/nginxconfig/generators/general.conf.js
@@ -0,0 +1,103 @@
+import { gzipTypes, extensions } from '../util/types_extensions';
+
+export default (domains, global) => {
+    const config = {};
+
+    config['# favicon.ico'] = '';
+    config['location = /favicon.ico'] = {
+        log_not_found: 'off',
+    };
+    if (global.logging.accessLog.computed) config['location = /favicon.ico'].access_log = 'off';
+
+    config['# robots.txt'] = '';
+    config['location = /robots.txt'] = {
+        log_not_found: 'off',
+    };
+    if (global.logging.accessLog.computed) config['location = /robots.txt'].access_log = 'off';
+
+    if (domains.every(d => d.routing.root.computed)) {
+        if (global.performance.assetsExpiration.computed === global.performance.mediaExpiration.computed) {
+            if (global.performance.assetsExpiration.computed) {
+                // Assets & media combined
+                config['# assets, media'] = '';
+                const loc = `location ~* \\.(?:${extensions.assets}|${extensions.images}|${extensions.audio}|${extensions.video})$`;
+                config[loc] = {
+                    expires: global.performance.assetsExpiration.computed,
+                };
+                if (global.logging.accessLog.computed) config[loc].access_log = 'off';
+            }
+        } else {
+            // Assets & media separately
+            if (global.performance.assetsExpiration.computed) {
+                config['# assets'] = '';
+                const loc = `location ~* \\.(?:${extensions.assets})$`;
+                config[loc] = {
+                    expires: global.performance.assetsExpiration.computed,
+                };
+                if (global.logging.accessLog.computed) config[loc].access_log = 'off';
+            }
+
+            if (global.performance.mediaExpiration.computed) {
+                config['# media'] = '';
+                const loc = `location ~* \\.(?:${extensions.images}|${extensions.audio}|${extensions.video})$`;
+                config[loc] = {
+                    expires: global.performance.mediaExpiration.computed,
+                };
+                if (global.logging.accessLog.computed) config[loc].access_log = 'off';
+            }
+        }
+
+        if (global.performance.svgExpiration.computed === global.performance.fontsExpiration.computed) {
+            if (global.performance.svgExpiration.computed) {
+                // SVG & fonts combined
+                config['# svg, fonts'] = '';
+                const loc = `location ~* \\.(?:${extensions.svg}|${extensions.fonts})$`;
+                config[loc] = {
+                    add_header: 'Access-Control-Allow-Origin "*"',
+                    expires: global.performance.svgExpiration.computed,
+                };
+                if (global.logging.accessLog.computed) config[loc].access_log = 'off';
+            }
+        } else {
+            // SVG & fonts separately
+            if (global.performance.svgExpiration.computed) {
+                config['# svg'] = '';
+                const loc = `location ~* \\.${extensions.svg}$`;
+                config[loc] = {
+                    add_header: 'Access-Control-Allow-Origin "*"',
+                    expires: global.performance.svgExpiration.computed,
+                };
+                if (global.logging.accessLog.computed) config[loc].access_log = 'off';
+            }
+
+            if (global.performance.fontsExpiration.computed) {
+                config['# fonts'] = '';
+                const loc = `location ~* \\.${extensions.fonts}$`;
+                config[loc] = {
+                    add_header: 'Access-Control-Allow-Origin "*"',
+                    expires: global.performance.fontsExpiration.computed,
+                };
+                if (global.logging.accessLog.computed) config[loc].access_log = 'off';
+            }
+        }
+    }
+
+    if (global.performance.gzipCompression.computed) {
+        config['# gzip'] = '';
+        config.gzip = 'on';
+        config.gzip_vary = 'on';
+        config.gzip_proxied = 'any';
+        config.gzip_comp_level = 6;
+        config.gzip_types = gzipTypes;
+    }
+
+    if (global.performance.brotliCompression.computed) {
+        config['# brotli'] = '';
+        config.brotli = 'on';
+        config.brotli_comp_level = 6;
+        config.brotli_types = gzipTypes;
+    }
+
+    // Done!
+    return config;
+};
--- a/src/nginxconfig/generators/letsencrypt.conf.js
+++ b/src/nginxconfig/generators/letsencrypt.conf.js
@@ -0,0 +1,11 @@
+export default (domains, global) => {
+    const config = {};
+
+    config['# ACME-challenge'] = '';
+    config['location ^~ /.well-known/acme-challenge/'] = {
+        root: global.https.letsEncryptRoot.computed.replace(/\/+$/, ''),
+    };
+
+    // Done!
+    return config;
+};
--- a/src/nginxconfig/generators/magento.conf.js
+++ b/src/nginxconfig/generators/magento.conf.js
@@ -0,0 +1,65 @@
+export default () => {
+    const config = {};
+
+    config['# Magento: setup'] = '';
+    config['location ^~ /setup'] = {
+        root: '$base',
+
+        '# allow index.php': '',
+        'location ~ ^/setup/index.php': {
+            include: 'nginxconfig.io/php_fastcgi.conf',
+        },
+
+        '# deny everything except pub': '',
+        'location ~ ^/setup/(?!pub/).': {
+            deny: 'all',
+        },
+    };
+
+    config['# Magento: update'] = '';
+    config['location ^~ /update'] = {
+        root: '$base',
+
+        '# allow index.php': '',
+        'location ~ ^/update/index.php': {
+            include: 'nginxconfig.io/php_fastcgi.conf',
+        },
+
+        '# deny everything except pub': '',
+        'location ~ ^/update/(?!pub/).': {
+            deny: 'all',
+        },
+    };
+
+    config['# Magento: media files'] = '';
+    config['location ^~ /media/'] = {
+        try_files: '$uri $uri/ /get.php?$args',
+
+        'location ~* .(?:ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$': {
+            expires: '+1y',
+            add_header: 'Cache-Control "public"',
+            try_files: '$uri $uri/ /get.php?$args',
+        },
+
+        'location ~* .(?:zip|gz|gzip|bz2|csv|xml)$': {
+            expires: 'off',
+            add_header: 'Cache-Control "no-store"',
+            try_files: '$uri $uri/ /get.php?$args',
+        },
+
+        'location ~ ^/media/theme_customization/.*.xml': {
+            deny: 'all',
+        },
+
+        'location ~ ^/media/(?:customer|downloadable|import)/': {
+            deny: 'all',
+        },
+    };
+
+    // TODO: static route
+    // TODO: static files
+    // TODO: deny cron
+
+    // Done!
+    return config;
+};