====== Nginx ======
===== VirtualHost padrão =====
## Plain-HTTP listener for dominio.ufrj.br: serves no content and only
## redirects every request to the HTTPS vhost, keeping path and query string.
server {
    listen 80;
    server_name dominio.ufrj.br;

    ## The redirect target is the literal host name rather than $host, so the
    ## client-supplied Host header is never copied into the Location header.
    return 302 https://dominio.ufrj.br$request_uri;
}
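## HTTPS vhost for dominio.ufrj.br serving the static files under
## /usr/share/redmine/public.
server {
    listen 443 ssl;
    server_name dominio.ufrj.br;

    ## Keep-alive timeout; the second value is the one advertised to clients
    ## in the "Keep-Alive: timeout=" response header.
    keepalive_timeout 75 75;

    ## Access and error logs.
    access_log /var/log/nginx/dominio.access.log;
    error_log /var/log/nginx/dominio.error.log;

    ## Certificate and private key. Keep the key file readable by root only.
    ssl_certificate /etc/ssl/localcerts/dominio.ufrj.br.crt;
    ssl_certificate_key /etc/ssl/private/dominio.ufrj.br.key;

    ## TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the
    ## original list. TLSv1.3 needs nginx >= 1.13.0 built against
    ## OpenSSL >= 1.1.1; drop that token on older builds or the configuration
    ## test fails.
    ssl_protocols TLSv1.2 TLSv1.3;

    ## Cipher list kept as published. The EDH entries need Diffie-Hellman
    ## parameters: since nginx 1.11.0 they are only offered when ssl_dhparam
    ## is set, and older releases fall back to built-in parameters. Generate a
    ## local group of at least 2048 bits if DHE is wanted.
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!SSLv3:!SSLv2;
    #ssl_dhparam /path/to/dhparam.pem;  # placeholder path
    ssl_prefer_server_ciphers on;

    ## Strict Transport Security header. See http://www.chromium.org/sts.
    ## "always" (nginx >= 1.7.5) also sends the header on error responses;
    ## without it, 4xx/5xx replies carry no HSTS policy.
    ## A location that declares its own add_header stops inheriting this one.
    add_header Strict-Transport-Security "max-age=15768000" always;

    root /usr/share/redmine/public;
    index index.html;

    ## NOTE(review): the published comment pointed to /etc/nginx/blacklist.conf,
    ## but this server block contains no include for it.

    ## All static files will be served directly.
    location ~* ^.+\.(?:css|js|jpe?g|gif|htc|ico|png|html)$ {
        access_log off;
        expires 30d;
        ## No need to bleed constant updates. Send the whole shebang in one
        ## fell swoop.
        tcp_nodelay off;
        ## Set the OS file cache.
        open_file_cache max=3000 inactive=120s;
        open_file_cache_valid 45s;
        open_file_cache_min_uses 2;
        open_file_cache_errors off;
    }

    ## Support for favicon. Return a 1x1 transparent GIF if it doesn't
    ## exist.
    location = /favicon.ico {
        expires 30d;
        try_files /favicon.ico @empty;
    }

    ## Return an in-memory 1x1 transparent GIF.
    location @empty {
        expires 30d;
        empty_gif;
    }

    ## Protect .git files. "^~" stops regex locations from being tried, so the
    ## static-file location above cannot serve anything under /.git.
    ## Only /.git is covered here; other dot-files under the document root are
    ## not blocked by this vhost.
    location ^~ /.git {
        return 404;
    }
}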
===== VirtualHost para Drupal =====
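## Drupal vhost: static files are served by nginx, everything else goes to
## index.php through the PHP-FPM unix socket.
##
## NOTE(review): there is no listen directive, so nginx listens on *:80
## (*:8000 when not started as superuser) and this vhost is plain HTTP as
## written. Drupal logins and session cookies should travel over TLS; add
## "listen 443 ssl" with a certificate and key before production use.
server {
    server_name dominio.ufrj.br;
    root /srv/www/dominio.ufrj.br/site;

    access_log /var/log/nginx/access.dominio.ufrj.br.log;
    error_log /var/log/nginx/error.dominio.ufrj.br.log;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    ## Exact match, so it wins over the \.(txt|log)$ deny rule below.
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Very rarely should these ever be accessed outside of your LAN.
    # This also hides the *.txt files Drupal ships (CHANGELOG.txt and
    # similar), which would otherwise reveal the installed version.
    location ~* \.(txt|log)$ {
        #allow 192.168.0.0/16;
        deny all;
    }

    # Reject URIs that contain a dot before a later path segment ending in
    # .php (for example /file.jpg/x.php), so a non-PHP file is never handed
    # to the interpreter through a trailing path.
    location ~ \..*/.*\.php$ {
        return 403;
    }

    # Drupal private file directories are never served directly.
    location ~ ^/sites/.*/private/ {
        return 403;
    }

    # Block access to "hidden" files and directories whose names begin with a
    # period. This includes directories used by version control systems such
    # as Subversion or Git to store control files.
    # NOTE(review): this also matches /.well-known/; add an exception if
    # ACME HTTP-01 certificate validation is used on this host.
    location ~ (^|/)\. {
        return 403;
    }

    location / {
        # try_files $uri @rewrite; # For Drupal <= 6
        try_files $uri /index.php?$query_string; # For Drupal >= 7
    }

    location @rewrite {
        rewrite ^/(.*)$ /index.php?q=$1;
    }

    # The files directories are writable by Drupal (uploads), and nginx does
    # not read the .htaccess files Drupal places there, so PHP execution is
    # refused here explicitly. Must stay above the generic \.php$ location:
    # regex locations are tried in order of appearance.
    location ~ ^/sites/[^/]+/files/.*\.php$ {
        return 403;
    }

    location ~ \.php$ {
        # Only pass scripts that exist under the document root to PHP-FPM.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/srv/www/dominio.ufrj.br/php-fpm.sock;
    }

    # Image styles: serve the derivative if it exists, otherwise let Drupal
    # generate it.
    # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
    location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
        try_files $uri @rewrite;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }
}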