major refactor

public/templates/conf/_general.conf.html

@@ -0,0 +1,52 @@
+# headers
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-UA-Compatible "IE=Edge" always;
+add_header Cache-Control "no-transform" always;
+
+# . files
+location ~ /\. {
+	deny all;
+}<span ng-if="data.expires_assets && data.expires_assets !== data.expires_media">
+
+# assets
+location ~* \.(?:{{ extensions.assets }})$ {
+	expires {{ data.expires_assets }};<!--
+
+	✘ accessLog --><span ng-if="isAccessLog()">
+	access_log off;</span>
+}</span><span ng-if="data.expires_media">
+
+# {{ data.expires_assets && data.expires_assets === data.expires_media ? 'assets, ' : '' }}media
+location ~* \.(?:{{ data.expires_assets && data.expires_assets === data.expires_media ? extensions.assets + '|' : '' }}{{ extensions.images }}|{{ extensions.audio }}|{{ extensions.video }})$ {
+	expires {{ data.expires_media }};<!--
+
+	✘ accessLog --><span ng-if="isAccessLog()">
+	access_log off;</span>
+}</span><span ng-if="data.expires_svg && data.expires_svg !== data.expires_fonts">
+
+# svg
+location ~* \.{{ extensions.svg }}$ {
+	add_header Access-Control-Allow-Origin "*";
+	expires {{ data.expires_svg }};<!--
+
+	✘ accessLog --><span ng-if="isAccessLog()">
+	access_log off;</span>
+}</span><span ng-if="data.expires_fonts">
+
+# {{ data.expires_svg && data.expires_svg === data.expires_fonts ? 'svg, ' : '' }}fonts
+location ~* \.(?:{{ data.expires_svg && data.expires_svg === data.expires_fonts ? extensions.svg + '|' : '' }}{{ extensions.fonts }})$ {
+	add_header Access-Control-Allow-Origin "*";
+	expires {{ data.expires_fonts }};<!--
+
+	✘ accessLog --><span ng-if="isAccessLog()">
+	access_log off;</span>
+}</span>
+<span ng-if="isGzip()">
+# gzip
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_types {{ gzipTypes }};</span>

public/templates/conf/_letsencrypt.conf.html

@@ -0,0 +1,4 @@
+# ACME-challenge
+location ^~ /.well-known/acme-challenge/ {
+	root /var/www/_letsencrypt;
+}

public/templates/conf/_php.conf.html

@@ -0,0 +1,14 @@
+<!--
+	✔ modularized --><span ng-if="isModularized()"># index
+index {{ isIndexHtml() ? 'index.html ' : '' }}index.php;
+
+</span><!--
+
+--># handle .php
+location ~ \.php$ {<!--
+	✔ modularized || ✔ WordPress --><span ng-if="isModularized() || isWordPress()">
+	include _php_fastcgi.conf;</span><!--
+
+	✔ unified && ✘ WordPress --><span ng-if="isUnified() && !isWordPress()">
+<ng-include ng-include-tabs="{{ isUnified() ? 3 : 1 }}" src="'templates/conf/_php_fastcgi.conf.html'" onload="refreshHighlighting()"></ng-include></span>
+}

public/templates/conf/_php_fastcgi.conf.html

@@ -0,0 +1,23 @@
+try_files $uri =404;
+
+# fastcgi
+fastcgi_pass				{{
+	data.php === 'tcp' ? '127.0.0.1:9000' : (
+		data.php === '5.x' ? 'unix:/var/run/php5-fpm.sock' : (
+			'unix:/var/run/php/php' + data.php +'-fpm.sock'
+		)
+	)
+}};
+fastcgi_index				index.php;
+fastcgi_split_path_info		^(.+\.php)(/.+)$;
+fastcgi_param				SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param				PHP_ADMIN_VALUE open_basedir=$base/:/usr/lib/php/:/tmp/;
+fastcgi_intercept_errors	off;
+
+fastcgi_buffer_size				128k;
+fastcgi_buffers					256 16k;
+fastcgi_busy_buffers_size		256k;
+fastcgi_temp_file_write_size	256k;
+
+# default fastcgi_params
+include fastcgi_params;

public/templates/conf/_ssl.conf.html

@@ -0,0 +1,22 @@
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0g&hsts=yes&profile=intermediate
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+# Diffie-Hellman parameter for DHE ciphersuites
+ssl_dhparam /etc/nginx/dhparam.pem;
+
+# intermediate configuration
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+ssl_prefer_server_ciphers on;
+
+# HSTS
+add_header Strict-Transport-Security "max-age=15768000" always;
+
+# OCSP Stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
+resolver_timeout 2s;

public/templates/conf/_wordpress.conf.html

@@ -0,0 +1,30 @@
+# allow tinymce
+location = /wp-includes/js/tinymce/wp-tinymce.php {
+	include _php_fastcgi.conf;
+}
+
+# wp-content, wp-includes php files
+location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
+	deny all;
+}
+
+# wp-content/uploads nasty stuff
+location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
+	deny all;
+}
+
+# wp-content/plugins nasty stuff
+location ~* ^/wp-content/plugins/.*\.(?!{{ extensions.assets }}|{{ extensions.fonts }}|{{ extensions.svg }}|{{ extensions.images }}|{{ extensions.audio }}|{{ extensions.video }}|{{ extensions.docs }}) {
+	deny all;
+}
+
+# WordPress stuff
+location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
+	deny all;
+}<span ng-if="isLimitReq()">
+
+# wp-login.php throttle
+location = /wp-login.php {
+	limit_req zone=login burst=2 nodelay;
+	include _php_fastcgi.conf;
+}</span>

public/templates/conf/example.com.conf.html

@@ -0,0 +1,168 @@
+server {
+	listen {{ isHTTPS() ? '443 ssl' : '80' }}{{ isHTTP2() ? ' http2' : '' }};
+	listen [::]:{{ isHTTPS() ? '443 ssl' : '80' }}{{ isHTTP2() ? ' http2' : '' }};
+
+	server_name {{ isWWW() ? 'www.' : '' }}{{ domain() }};<!--
+
+	✔ PHP --><span ng-if="isPHP()">
+	set $base /var/www/{{ domain() }};
+	root $base{{ data.document_root }};</span><!--
+
+	✘ PHP --><span ng-if="!isPHP()">
+	root /var/www/{{ domain() }}{{ data.document_root }};</span><!--
+
+	✔ HTTPS --><span ng-if="isHTTPS()">
+
+	# SSL certificate
+	ssl_certificate {{ sslCertificate() }};
+	ssl_certificate_key {{ sslCertificateKey() }};<!--
+
+	✔ Let's Encrypt --><span ng-if="isLetsEncrypt()">
+	ssl_trusted_certificate /etc/letsencrypt/live/{{ domain() }}/fullchain.pem;</span>
+
+	# SSL config
+	include _ssl.conf;</span><!--
+
+	✔ unified && ✔ PHP --><span ng-if="isUnified() && isPHP()">
+
+	# index
+	index {{ isIndexHtml() ? 'index.html ' : '' }}index.php;</span><!--
+
+	(✔ PHP && ✔ index.php) || ✔ index.html --><span ng-if="isIndexPhp() || isIndexHtml()">
+
+	# $uri{{ isIndexHtml() ? ', index.html' : '' }}{{ isIndexPhp() ? ', index.php' : '' }}
+	location / {
+		try_files $uri $uri/ {{ isIndexHtml() ? '/index.html' : '' }}{{ isIndexHtml() && isIndexPhp() ? ' ' : '' }}{{ isIndexPhp() ? '/index.php?$query_string' : '' }};
+	}</span><!--
+
+	✔ unified --><span ng-if="isModularized()">
+</span><!--
+
+
+
+	✔ modularized && ✔ Let's Encrypt --><span ng-if="isModularized() && isLetsEncrypt()">
+	include _letsencrypt.conf;</span><!--
+
+	✔ modularized --><span ng-if="isModularized()">
+	include _general.conf;</span><!--
+
+	✔ modularized && ✔ WordPress --><span ng-if="isModularized() && isWordPress()">
+	include _wordpress.conf;</span><!--
+
+	✔ modularized && ✔ PHP --><span ng-if="isModularized() && isPHP()">
+	include _php.conf;</span><!--
+
+
+
+	✔ unified && ✔ Let's Encrypt --><span ng-if="isUnified() && isLetsEncrypt()">
+
+<!-- --><ng-include ng-include-tabs="2" src="'templates/conf/_letsencrypt.conf.html'" onload="refreshHighlighting()"></ng-include></span><!--
+
+	✔ unified --><span ng-if="isUnified()">
+
+<!-- --><ng-include ng-include-tabs="2" src="'templates/conf/_general.conf.html'" onload="refreshHighlighting()"></ng-include></span><!--
+
+	✔ unified && ✔ WordPress --><span ng-if="isUnified() && isWordPress()">
+
+<!-- --><ng-include ng-include-tabs="2" src="'templates/conf/_wordpress.conf.html'" onload="refreshHighlighting()"></ng-include></span><!--
+
+	✔ modularized && ✔ PHP --><span ng-if="isUnified() && isPHP()">
+
+<!-- --><ng-include ng-include-tabs="2" src="'templates/conf/_php.conf.html'" onload="refreshHighlighting()"></ng-include></span>
+}<!--
+
+
+
+✔ CDN --><span ng-if="isCDN()">
+
+# CDN
+server {
+	listen {{ isHTTPS() ? '443 ssl' : '80' }}{{ isHTTP2() ? ' http2' : '' }};
+	listen [::]:{{ isHTTPS() ? '443 ssl' : '80' }}{{ isHTTP2() ? ' http2' : '' }};
+
+	server_name cdn.{{ domain() }};
+	root /var/www/{{ domain() }}{{ data.document_root }};<span ng-if="!isAccessLog()">
+
+	access_log off;</span><!--
+
+	✔ HTTPS --><span ng-if="isHTTPS()">
+
+	# SSL certificate
+	ssl_certificate {{ sslCertificate() }};
+	ssl_certificate_key {{ sslCertificateKey() }};<!--
+
+	✔ Let's Encrypt --><span ng-if="isLetsEncrypt()">
+	ssl_trusted_certificate /etc/letsencrypt/live/{{ domain() }}/fullchain.pem;</span>
+
+	# SSL config
+	include _ssl.conf;</span><!--
+
+	✔ modularized && ✔ Let's Encrypt --><span ng-if="isModularized() && isLetsEncrypt()">
+	include _letsencrypt.conf;</span><!--
+
+	✔ unified && ✔ Let's Encrypt --><span ng-if="isUnified() && isLetsEncrypt()">
+
+<ng-include ng-include-tabs="2" src="'templates/conf/_letsencrypt.conf.html'" onload="refreshHighlighting()"></ng-include></span>
+
+	# disable access_log
+	access_log off;<!--
+
+	✔ Gzip --><span ng-if="isGzip()">
+
+	# gzip
+	gzip on;
+	gzip_vary on;
+	gzip_proxied any;
+	gzip_comp_level 6;
+	gzip_types {{ gzipTypes }};</span>
+
+	# allow safe files
+	location ~* \.(?:{{ extensions.assets }}|{{ extensions.fonts }}|{{ extensions.svg }}|{{ extensions.images }}|{{ extensions.audio }}|{{ extensions.video }}|{{ extensions.docs }})$ {
+		add_header Access-Control-Allow-Origin "*";
+		add_header Cache-Control "public";
+		expires 30d;
+	}
+
+	# deny everything else
+	location / {
+		deny all;
+	}
+}</span>
+<!--
+
+
+
+-->
+# {{ isWWW() ? 'non-www, ' : '' }}subdomains redirect
+server {
+	listen {{ isHTTPS() ? '443 ssl' : '80' }}{{ isHTTP2() ? ' http2' : '' }};
+	listen [::]:{{ isHTTPS() ? '443 ssl' : '80' }}{{ isHTTP2() ? ' http2' : '' }};
+
+	server_name {{ isWWW() ? domain() + ' ' : '' }}*.{{ domain() }};<!--
+
+	✔ HTTPS --><span ng-if="isHTTPS()">
+
+	# SSL certificate
+	ssl_certificate /etc/letsencrypt/live/{{ domain() }}/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/{{ domain() }}/privkey.pem;
+	ssl_trusted_certificate /etc/letsencrypt/live/{{ domain() }}/fullchain.pem;
+
+	# SSL config
+	include _ssl.conf;</span>
+
+	return 301 https://{{ isWWW() ? 'www.' : '' }}{{ domain() }}$request_uri;
+}</span><!--
+
+
+
+✔ HTTPS --><span ng-if="isHTTPS()">
+
+# HTTP redirect
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ domain() }} *.{{ domain() }};
+
+	return 301 https://{{ isWWW() ? 'www.' : '' }}{{ domain() }}$request_uri;
+}</span>

public/templates/conf/nginx.conf.html

@@ -0,0 +1,43 @@
+user {{ data.user }};
+pid {{ data.pid}};
+worker_processes {{ data.worker_processes }};
+worker_rlimit_nofile 409600;
+
+events {
+	worker_connections 4096;
+	multi_accept on;
+}
+
+http {
+	charset utf-8;
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;<!--
+
+	✘ serverTokens --><span ng-if="!isServerTokens()">
+	server_tokens off;</span><!--
+
+	✘ logNotFound --><span ng-if="!isLogNotFound()">
+	log_not_found off;</span>
+	types_hash_max_size 2048;
+	client_max_body_size {{ data.client_max_body_size }}M;
+
+	# mime
+	include mime.types;
+	default_type application/octet-stream;
+
+	# logging
+	access_log {{ isAccessLog() ? data.access_log : 'off' }};
+	error_log {{ data.error_log }} warn;<span ng-if="data.limit_req">
+
+	# limits
+	limit_req_log_level warn;
+	limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;</span>
+
+	# load configs
+	include /etc/nginx/conf.d/*.conf;<span ng-if="data.file_structure === 'modularized'">
+	include /etc/nginx/sites-enabled/*;</span><span ng-if="data.file_structure === 'unified'">
+
+	# {{ !data.non_www ? 'www.' : '' }}{{ domain() }}
+<ng-include ng-include-tabs="1" src="'templates/conf/example.com.conf.html'" sonload="refreshHighlighting()"></ng-include></span>
+}