
Xenforo My Xenforo Nginx vhost configuration

Discussion in 'Forum software usage' started by eva2000, May 30, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    54,368
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    5:15 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    My current Xenforo Nginx vhost configuration for this forum :)


    Code:
    server {
      server_name community.centminmod.com www.community.centminmod.com;

      # ngx_pagespeed & ngx_pagespeed handler
      include /usr/local/nginx/conf/pagespeed.conf;
      include /usr/local/nginx/conf/pagespeedhandler.conf;
      include /usr/local/nginx/conf/pagespeedstatslog.conf;

      # limit_conn limit_per_ip 16;
      ssi  on;

      access_log /home/nginx/domains/community.centminmod.com/log/access.log combined buffer=32k;
      error_log /home/nginx/domains/community.centminmod.com/log/error.log;

      root /home/nginx/domains/community.centminmod.com/public;

      location / {
        auth_basic "Private";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;

        # block common exploits, sql injections etc
        #include /usr/local/nginx/conf/block.conf;

        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
      }

      location /internal_data/ {
        internal;
        allow 127.0.0.1;
        deny all;
      }

      location /library/ {
        internal;
        allow 127.0.0.1;
        deny all;
      }

      location ~ ^/(admin.php) {
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        allow myipaddress;
        deny all;
      }

      location /install/ {
        index index.php index.html index.htm;
        allow 127.0.0.1;
        allow myipaddress;
        deny all;
        include /usr/local/nginx/conf/php.conf;
      }

      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
    }

    Updating my SPDY SSL config to the Cloudflare RC4 Kill patched OpenSSL version outlined at Nginx - Nginx ssl cipher suite | Centmin Mod Community

    went from

    my SPDY HTTP/2 SSL config

    Code:
    server {
      server_name community.centminmod.com www.community.centminmod.com;
       return 301 https://$server_name$request_uri;
    }
    
    server {
    listen 443 ssl http2;
      server_name community.centminmod.com;
    
            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
            #add_header Alternate-Protocol 443:npn-spdy/3;
            ssl_certificate      /usr/local/nginx/conf/ssl/centminmod.comwild/centminmod-unified.crt;
            ssl_certificate_key  /usr/local/nginx/conf/ssl/centminmod.comwild/centminmod.com.key;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_session_cache      shared:SSL:30m;
            ssl_session_timeout  12h;
    
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
    
            ssl_prefer_server_ciphers   on;
            #spdy_headers_comp 5;
            ssl_buffer_size 4000;
            ssl_session_tickets on;
    
    # enable ocsp stapling
            resolver 8.8.8.8 8.8.4.4 valid=10m;
            resolver_timeout 10s;
            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_trusted_certificate /usr/local/nginx/conf/ssl/centminmod.comwild/centminmod-trusted2.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    include /usr/local/nginx/conf/pagespeed.conf;
    include /usr/local/nginx/conf/pagespeedhandler.conf;
    include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      ssi  on;
    
      access_log /home/nginx/domains/community.centminmod.com/log/access.log combined buffer=32k;
      error_log /home/nginx/domains/community.centminmod.com/log/error.log;
    
      root /home/nginx/domains/community.centminmod.com/public;
    
      location / {
      # Enables directory listings when index file not found
      #autoindex  on;
    
      index index.php index.html index.htm;
      try_files $uri $uri/ /index.php?$uri&$args;
    
    }
    
            location /internal_data/ {
            internal;
            allow 127.0.0.1;
            deny all;
            }
    
            location /library/ {
            internal;
            allow 127.0.0.1;
            deny all;
            }
    
      location ~ ^/(admin.php) {
            include /usr/local/nginx/conf/php.conf;
            allow 127.0.0.1;
            allow myip;
            deny all;
    }
    
       location /install/ {
            index index.php index.html index.htm;
            allow 127.0.0.1;
            allow myip;
            deny all;
            include /usr/local/nginx/conf/php.conf;
            }
    
    #        error_page 403 /403.html;
            error_page 404 /404.html;
            error_page 504 /504.html;
    
            location = /504.html {
                    access_log              off;
                    internal;
            }
    
            location = /404.html {
                    access_log              off;
                    internal;
            }
    
    #        location = /403.html {
    #                access_log              off;
    #                internal;
    #        }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
    
    }

    to the new Cloudflare RC4 Kill patched OpenSSL based SPDY HTTP/2 SSL config

    Code:
    server {
      server_name community.centminmod.com www.community.centminmod.com;
       return 301 https://$server_name$request_uri;
    }
    
    server {
    listen 443 ssl http2;
      server_name community.centminmod.com;
    
            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
            #add_header Alternate-Protocol 443:npn-spdy/3;
            ssl_certificate      /usr/local/nginx/conf/ssl/centminmod.comwild/centminmod-unified.crt;
            ssl_certificate_key  /usr/local/nginx/conf/ssl/centminmod.comwild/centminmod.com.key;
            #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_session_cache      shared:SSL:30m;
            ssl_session_timeout  12h;
    
            #cloudflare
            ssl_protocols   SSLv3 TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers     EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
    
            ssl_prefer_server_ciphers   on;
            #spdy_headers_comp 5;
            ssl_buffer_size 4000;
            ssl_session_tickets on;
    
    # enable ocsp stapling
            resolver 8.8.8.8 8.8.4.4 valid=10m;
            resolver_timeout 10s;
            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_trusted_certificate /usr/local/nginx/conf/ssl/centminmod.comwild/centminmod-trusted2.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    include /usr/local/nginx/conf/pagespeed.conf;
    include /usr/local/nginx/conf/pagespeedhandler.conf;
    include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      ssi  on;
    
      access_log /home/nginx/domains/community.centminmod.com/log/access.log combined buffer=32k;
      error_log /home/nginx/domains/community.centminmod.com/log/error.log;
    
      root /home/nginx/domains/community.centminmod.com/public;
    
      location / {
      # Enables directory listings when index file not found
      #autoindex  on;
    
      index index.php index.html index.htm;
      try_files $uri $uri/ /index.php?$uri&$args;
    
    }
    
            location /internal_data/ {
            internal;
            allow 127.0.0.1;
            deny all;
            }
    
            location /library/ {
            internal;
            allow 127.0.0.1;
            deny all;
            }
    
      location ~ ^/(admin.php) {
            include /usr/local/nginx/conf/php.conf;
            allow 127.0.0.1;
            allow myip;
            deny all;
    }
    
       location /install/ {
            index index.php index.html index.htm;
            allow 127.0.0.1;
            allow myip;
            deny all;
            include /usr/local/nginx/conf/php.conf;
            }
    
    #        error_page 403 /403.html;
            error_page 404 /404.html;
            error_page 504 /504.html;
    
            location = /504.html {
                    access_log              off;
                    internal;
            }
    
            location = /404.html {
                    access_log              off;
                    internal;
            }
    
    #        location = /403.html {
    #                access_log              off;
    #                internal;
    #        }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
    
    }
     
    Last edited: Apr 9, 2016
  2. Matt

    Matt Well-Known Member

    929
    415
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +671
    Local Time:
    7:15 AM
    1.5.15
    MariaDB 10.2
    Mine for my z22se site:

    Code:
    # HTTP Server
    server {
            listen 94.23.155.143:80;
            listen [2001:41d0:1:8b0f::2]:80;
            server_name  www.z22se.co.uk z22se.co.uk;
            return 301 https://z22se.co.uk$request_uri;
    }
    
    # HTTPS server
    server {
            listen 94.23.155.143:443 ssl spdy;
            listen [2001:41d0:1:8b0f::2]:443 ssl spdy;
            server_name www.z22se.co.uk;
            return 301 $scheme://z22se.co.uk$request_uri;
            keepalive_timeout  70;
    
            ssl on;
            ssl_certificate      /usr/local/nginx/conf/ssl/z22secouk/ssl-unified.crt;
            ssl_certificate_key  /usr/local/nginx/conf/ssl/z22secouk/z22se_co_uk.key;
    
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
            ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
            ssl_prefer_server_ciphers   on;
            add_header Alternate-Protocol  443:npn-spdy/3;
            ssl_buffer_size 4k;
            spdy_headers_comp 5;
            ssl_session_tickets on;
            add_header Strict-Transport-Security max-age=31536000;
    
            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_trusted_certificate /usr/local/nginx/conf/ssl/z22secouk/ssl-trusted.crt;
            resolver [2001:4860:4860::8888] [2001:4860:4860::8844] valid=10m;
            resolver_timeout 10s;
    }
    
    server {
            listen 94.23.155.143:443 ssl spdy;
            listen [2001:41d0:1:8b0f::2]:443 ssl spdy;
            server_name  z22se.co.uk;
            keepalive_timeout  70;
    
            ssl                  on;
            ssl_certificate      /usr/local/nginx/conf/ssl/z22secouk/ssl-unified.crt;
            ssl_certificate_key  /usr/local/nginx/conf/ssl/z22secouk/z22se_co_uk.key;
    
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
            ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
            ssl_prefer_server_ciphers   on;
            add_header Alternate-Protocol  443:npn-spdy/3;
            ssl_buffer_size 4k;
            spdy_headers_comp 5;
            ssl_session_tickets on;
            add_header Strict-Transport-Security max-age=31536000;
    
            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_trusted_certificate /usr/local/nginx/conf/ssl/z22secouk/ssl-trusted.crt;
            resolver [2001:4860:4860::8888] [2001:4860:4860::8844] valid=10m;
            resolver_timeout 10s;
    
            access_log /home/nginx/domains/z22se.co.uk/log/ssl_access.log combined buffer=32k;
            error_log /home/nginx/domains/z22se.co.uk/log/ssl_error.log;
       
            root  /home/nginx/domains/z22se.co.uk/public;
     
            location / {
                    try_files $uri $uri/ /index.php?$uri&$args;
                    location /internal_data {
                            location ~ \.(data|html|php)$ {
                                    internal;
                            }
                            internal;
                    }
                    location /library {
                            location ~ \.(default|html|php|txt|xml)$ {
                                    internal;
                            }
                            internal;
                    }
            }
    
            location /admin.php {
                    allow XXX.XXX.XXX.XXX;
                    allow XXX.XXX.XXX.XXX;
                    deny all;
                    include /usr/local/nginx/conf/z22se_staticfiles.conf;
                    include /usr/local/nginx/conf/php.conf;
            }
    
            location /install/ {
                    index index.php index.html index.htm;
                    allow XXX.XXX.XXX.XXX;
                    allow XXX.XXX.XXX.XXX;
                    deny all;
                    include /usr/local/nginx/conf/z22se_staticfiles.conf;
                    include /usr/local/nginx/conf/php.conf;
            }
    
            location /forum/ {
                    rewrite ^/forum/(.*)?$ /$1 redirect;
                    rewrite ^/forum$ / redirect;
            }
    
            #Old Product Redirects
            rewrite ^/shop/egr-cheater /shop/1-egr-cheater.html permanent;
            rewrite ^/shop/blanking-plate /shop/2-egr-blanking-plate.html permanent;
            rewrite ^/shop/sticker /shop/4-sticker.html permanent;
            rewrite ^/shop/z22se-timing-chain-kit /shop/6-z22se-timing-chain-kit.html permanent;
            rewrite ^/shop/balance-chain-kit /shop/7-balance-chain-kit.html permanent;
            rewrite ^/shop/z20net-tensioner /shop/8-z20net-tensioner.html permanent;
            rewrite ^/shop/z22se-spark-plugs /shop/9-z22se-spark-plugs.html permanent;
            rewrite ^/shop/oil-filter /shop/10-oil-filter.html permanent;
            rewrite ^/shop/astra-g-air-filter /shop/11-astra-g-air-filter.html permanent;
            rewrite ^/shop/z22yh-timing-chain-kit /shop/12-z22yh-timing-chain-kit.html permanent;
            rewrite ^/shop/z22yh-spark-plugs /shop/13-z22yh-spark-plugs.html permanent;
            rewrite ^/shop/z20net-head-gasket /shop/14-z20net-head-gasket.html permanent;
            rewrite ^/shop/cylinder-head-bolt-set /shop/15-cylinder-head-bolt-set.html permanent;
            rewrite ^/shop/water-pump /shop/16-water-pump.html permanent;
            rewrite ^/shop/oil-pump-gasket /shop/17-oil-pump-gasket.html permanent;
            rewrite ^/shop/vectra-b-air-filter /shop/18-vectra-b-air-filter.html permanent;
            rewrite ^/shop/vectra-c-air-filter /shop/19-vectra-c-air-filter.html permanent;
            rewrite ^/shop/zafira-air-filter /shop/20-zafira-air-filter.html permanent;
            rewrite ^/shop/vx220-air-filter /shop/21-vx220-air-filter.html permanent;
            rewrite ^/shop/z22se-head-gasket /shop/22-z22se-head-gasket.html permanent;
            rewrite ^/shop/inlet-valve /shop/23-inlet-valve.html permanent;
            rewrite ^/shop/exhaust-valve /shop/24-exhaust-valve.html permanent;
            rewrite ^/shop/z22yh-head-gasket /shop/25-z22yh-head-gasket.html permanent;
            rewrite ^/shop/slave-cylinder /shop/26-slave-cylinder.html permanent;
            rewrite ^/shop/fuel-filter /shop/27-fuel-filter.html permanent;
            rewrite ^/shop/vectra-b-pollen-filter /shop/28-vectra-b-pollen-filter.html permanent;
            rewrite ^/shop/astra-g-pollen-filter /shop/29-astra-g-pollen-filter.html permanent;
            rewrite ^/shop/astra-g-active-carbon-pollen-filter /shop/30-astra-g-active-carbon-pollen-filter.html permanent;
            rewrite ^/shop/zafira-pollen-filter /shop/31-zafira-pollen-filter.html permanent;
            rewrite ^/shop/zafira-active-carbon-pollen-filter /shop/32-zafira-active-carbon-pollen-filter.html permanent;
            rewrite ^/shop/water-temperature-sensor /shop/33-water-temperature-sensor.html permanent;
            rewrite ^/shop/crankshaft-oil-seal /shop/35-crankshaft-oil-seal.html permanent;
            rewrite ^/shop/exhaust-manifold-gasket /shop/36-exhaust-manifold-gasket.html permanent;
            rewrite ^/shop/exhaust-downpipe-gasket /shop/37-exhaust-downpipe-gasket.html permanent;
            rewrite ^/shop/crankshaft-pulley-bolt /shop/38-crankshaft-pulley-bolt.html permanent;
            rewrite ^/shop/aux-belt-tensioner /shop/39-aux-belt-tensioner.html permanent;
            rewrite ^/shop/fai-z22se-timing-chain-kit-ng /shop/40-fai-z22se-timing-chain-kit-ng.html permanent;
            rewrite ^/shop/fai-z22se-timing-chain-kit /shop/41-fai-z22se-timing-chain-kit.html permanent;
            rewrite ^/shop/fai-balance-chain-kit /shop/42-fai-balance-chain-kit.html permanent;
            rewrite ^/shop/fai-balance-chain-kit-wo /shop/43-fai-balance-chain-kit-wo.html permanent;
            rewrite ^/shop/fai-z22yh-timing-chain-kit-ng /shop/44-fai-z22yh-timing-chain-kit-ng.html permanent;
            rewrite ^/shop/fai-water-pump /shop/45-fai-water-pump.html permanent;
            rewrite ^/shop/fai-z20net-timing-chain-kit /shop/46-fai-z20net-timing-chain-kit.html permanent;
            rewrite ^/shop/fai-z20net-timing-chain-kit-ng /shop/47-fai-z20net-timing-chain-kit-ng.html permanent;
            rewrite ^/shop/stabiliser-link-rod /shop/48-stabiliser-link-rod.html permanent;
            rewrite ^/shop/tie-rod-end /shop/49-tie-rod-end.html permanent;
            rewrite ^/shop/wishbone-r-h /shop/50-wishbone-r-h.html permanent;
            rewrite ^/shop/wishbone-l-h /shop/51-wishbone-l-h.html permanent;
            rewrite ^/shop/camshaft-followers /shop/52-camshaft-followers.html permanent;
            rewrite ^/shop/exhaust-manifold-stud /shop/53-exhaust-manifold-stud.html permanent;
            rewrite ^/shop/exhaust-manifold-nut /shop/54-exhaust-manifold-nut.html permanent;
            rewrite ^/shop/conrod-bolts /shop/56-conrod-bolts.html permanent;
            rewrite ^/shop/camshaft-followers-bsf82 /shop/58-camshaft-followers-bsf82.html permanent;
            rewrite ^/shop/x20xev-head-gasket /shop/59-x20xev-head-gasket.html permanent;
            rewrite ^/shop/fai-cylinder-head-bolt-set /shop/60-fai-cylinder-head-bolt-set.html permanent;
            rewrite ^/shop/fai-exhaust-manifold-gasket /shop/61-fai-exhaust-manifold-gasket.html permanent;
            rewrite ^/shop/fai-z22se-head-gasket /shop/62-fai-z22se-head-gasket.html permanent;
            rewrite ^/shop/fai-z22se-head-gasket-set /shop/63-fai-z22se-head-gasket-set.html permanent;
            rewrite ^/shop/fai-intake-manifold-gasket-set /shop/64-fai-intake-manifold-gasket-set.html permanent;
            rewrite ^/shop/fai-z22se-valve-cover-gasket /shop/65-fai-z22se-valve-cover-gasket.html permanent;
            rewrite ^/shop/fai-oil-pump-gasket /shop/66-fai-oil-pump-gasket.html permanent;
            rewrite ^/shop/x20xev-waterpump /shop/67-x20xev-waterpump.html permanent;
            rewrite ^/shop/x20xev-timing-belt-kit /shop/68-x20xev-timing-belt-kit.html permanent;
            rewrite ^/shop/pvs-2014 /shop/69-performance-vauxhall-show-2014.html permanent;
            rewrite ^/shop/z22se-keyring /shop/70-z22se-keyring.html permanent;
            #Prestashop SEO URLS
            rewrite ^/shop/api/?(.*)$ /shop/webservice/dispatcher.php?url=$1 last;
            rewrite ^/shop/([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /shop/img/p/$1/$1$2$3.jpg last;
            rewrite ^/shop/([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /shop/img/p/$1/$2/$1$2$3$4.jpg last;
            rewrite ^/shop/([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /shop/img/p/$1/$2/$3/$1$2$3$4$5.jpg last;
            rewrite ^/shop/([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /shop/img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg last;
            rewrite ^/shop/([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /shop/img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg last;
            rewrite ^/shop/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /shop/img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg last;
            rewrite ^/shop/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /shop/img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg last;
            rewrite ^/shop/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ /shop/img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.jpg last;
            rewrite ^/shop/c/([0-9]+)(\-[\.*_a-zA-Z0-9-]*)(-[0-9]+)?/.+\.jpg$ /shop/img/c/$1$2$3.jpg last;
            rewrite ^/shop/c/([a-zA-Z_-]+)(-[0-9]+)?/.+\.jpg$ /shop/img/c/$1$2.jpg last;
            rewrite ^/shop/images_ie/?([^/]+)\.(jpe?g|png|gif)$ /shop/js/jquery/plugins/fancybox/images/$1.$2 last;
            if (!-e $request_filename) {
                    rewrite ^/shop/.*$ /shop/index.php last;
            }
    
            location /shop/ {
                    try_files $uri $uri/ /shop/index.php$is_args$args;
            }
    
            location /shop/adminZZYY/ {
                    index index.php index.html index.htm;
                    allow XXX.XXX.XXX.XXX;
                    allow XXX.XXX.XXX.XXX;
                    deny all;
                    include /usr/local/nginx/conf/staticfiles.conf;
                    include /usr/local/nginx/conf/php.conf;
            }
    
            location /shop/generator/ {
                    index index.php index.html index.htm;
                    allow XXX.XXX.XXX.XXX;
                    allow XXX.XXX.XXX.XXX;
                    deny all;
                    include /usr/local/nginx/conf/staticfiles.conf;
                    include /usr/local/nginx/conf/php.conf;
            }
    
            include /usr/local/nginx/conf/z22se_staticfiles.conf;
            include /usr/local/nginx/conf/php.conf;
            include /usr/local/nginx/conf/drop.conf;
            #include /usr/local/nginx/conf/errorpage.conf;
    }
     
  3. rdan

    rdan Well-Known Member

    5,444
    1,408
    113
    May 25, 2014
    Ratings:
    +2,201
    Local Time:
    3:15 PM
    Mainline
    10.2
    Here's mine:
    Code:
    server {
      listen      80;
      server_name phcorner.net www.phcorner.net;
      return      301 https://www.phcorner.net$request_uri;
    }

    server {
      listen      443 ssl spdy;
      server_name phcorner.net;
      keepalive_timeout  70;
      return      301 https://www.phcorner.net$request_uri;

      ssl on;
      ssl_certificate /usr/local/nginx/conf/ssl/phc_rapidssl/ssl-unified.crt;
      ssl_certificate_key /usr/local/nginx/conf/ssl/phc_rapidssl/www_phcorner_net.key;

      ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
      ssl_prefer_server_ciphers on;
      ssl_session_cache shared:SSL:20m;
      ssl_session_timeout 10m;
      add_header Alternate-Protocol 443:npn-spdy/3;
      spdy_headers_comp 5;
      ssl_buffer_size 4000;
      ssl_session_tickets on;

      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/phc_rapidssl/ssl-trusted.crt;

      # custom added
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
      add_header X-Content-Type-Options "nosniff";
      add_header X-Frame-Options SAMEORIGIN;
    }

    server {
      listen      443 ssl spdy;
      server_name www.phcorner.net;
      keepalive_timeout  70;

      ssl on;
      ssl_certificate /usr/local/nginx/conf/ssl/phc_rapidssl/ssl-unified.crt;
      ssl_certificate_key /usr/local/nginx/conf/ssl/phc_rapidssl/www_phcorner_net.key;

      ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
      ssl_prefer_server_ciphers on;
      ssl_session_cache shared:SSL:20m;
      ssl_session_timeout 10m;
      add_header Alternate-Protocol 443:npn-spdy/3;
      spdy_headers_comp 5;
      ssl_buffer_size 4000;
      ssl_session_tickets on;

      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/phc_rapidssl/ssl-trusted.crt;

      # custom added
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
      add_header X-Content-Type-Options "nosniff";
      add_header X-Frame-Options SAMEORIGIN;

      # logs
      access_log off;
      error_log /home/nginx/domains/phcorner.net/log/error.log;
      root /home/nginx/domains/phcorner.net/public;

      # ngx_pagespeed & ngx_pagespeed handler
      include /usr/local/nginx/conf/pagespeed.conf;
      include /usr/local/nginx/conf/pagespeedhandler.conf;
      include /usr/local/nginx/conf/pagespeedstatslog.conf;

      # Redirect for maintenance
      #location / {
      #rewrite ^ https://www.facebook.com/www.phcorner.net;
      #}

      location / {
        # Start XenForo
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
      }

      location /internal_data/ {
        internal;
        allow 127.0.0.1;
        deny all;
      }

      location /library/ {
        internal;
        allow 127.0.0.1;
        deny all;
      }

      location /install/ {
        index index.php index.html index.htm;
        allow 127.0.0.1;
        allow x.x.x.x;
        deny all;
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
      }
      # End Xenforo

      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
    }
     
  4. eva2000

    eva2000 Administrator Staff Member

    @RoldanLT going to borrow your install location protection :)
     
  5. Matt

    Matt Well-Known Member

    Did you miss mine? I also do admin.php and lock that down to my static IPs.
     
  6. eva2000

    eva2000 Administrator Staff Member

    Ah, you did too :) Already doing it for admin.php, didn't think of /install
     
    Last edited: Jun 2, 2014
  7. rdan

    rdan Well-Known Member

    I do not protect my admin.php because I have 2 other admins on my forum :)
    With non static IP.
     
  8. rdan

    rdan Well-Known Member

    And now that you're on https already? :)
     
  9. eva2000

    eva2000 Administrator Staff Member

    Ah need to update my post for https SPDY SSL vhost :)
     
  10. eva2000

    eva2000 Administrator Staff Member

  11. rdan

    rdan Well-Known Member

    Any reason you don't have "ssl on;" on your ssl config?
     
  12. eva2000

    eva2000 Administrator Staff Member

    listen 443 ssl spdy would already do that AFAIK
     
  13. rdan

    rdan Well-Known Member

    So safe to remove it on my config also?
     
  14. eva2000

    eva2000 Administrator Staff Member

    Of course.. it's what this forum uses ;)
     
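    The vhosts in posts 1 to 3 and the "ssl on" question in posts 11 to 14 can be checked mechanically. What follows is an added example, not code from this thread or from Centmin Mod: a small Python script that parses an nginx vhost and flags the points these posts turn on. Two of its checks deserve spelling out. First, nginx picks the longest matching prefix location and then still tries the regex locations at the same level unless that prefix carried ^~, so a plain "location /library/ { internal; }" does not cover /library/config.php once the PHP handler's regex location (what php.conf contributes) sits in the same server block; either ^~ on the prefix, or a nested regex location that is itself "internal" (the shape Matt's nested "location ~ \.(default|html|php|txt|xml)$ { internal; }" uses), makes the block stick. Second, "listen 443 ssl" does imply "ssl on", which nginx deprecated in 1.15.0 and removed in 1.25.1, and the spdy listen parameter stopped working in 1.9.5 when HTTP/2 replaced it. The two vhosts embedded below are constructed (made-up IPs, no real hostnames), and the inlined "location ~ \.php$" is an assumption standing in for whatever pattern php.conf really uses.

```python
import re

TOKEN_RE = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\'#]+')
MODIFIERS = ('=', '~', '~*', '^~')
WEAK_PROTOCOLS = ('SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1')
WEAK_CIPHER_MARKERS = ('RC4', '3DES', 'DES-CBC3', 'NULL', 'EXPORT', 'MD5')
ADMIN_PATHS = ('admin.php', '/install/')  # XenForo admin entry point and installer
# Constructed samples (IPs and the PHP handler pattern are made up): the trailing
# "location ~ \.php$" stands in for what Centmin Mod's php.conf include contributes.
WEAK_VHOST = r"""
server {
    listen 443 ssl spdy;
    ssl on;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
    location /internal_data/ { internal; }
    location /library/ { internal; }
    location ~ ^/(admin.php) { allow 127.0.0.1; }
    location /install/ { index index.php; }
    location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; }
}
"""
HARDENED_VHOST = r"""
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305;
    location ^~ /internal_data/ { internal; }
    location ^~ /library/ { internal; }
    location ~ ^/(admin\.php) { allow 127.0.0.1; allow 203.0.113.10; deny all; fastcgi_pass 127.0.0.1:9000; }
    location ^~ /install/ { allow 127.0.0.1; allow 203.0.113.10; deny all;
                            location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; } }
    location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; }
}
"""

def tokenize(text):
    # Comments dropped, quotes stripped; braces inside a regex must be quoted, as nginx requires.
    return [t.strip('"\'') for t in TOKEN_RE.findall(text) if not t.startswith('#')]

def parse(tokens):
    """Tree of (name, args, children); children is None for a simple directive."""
    root, stack, cur = [], [], []
    block = root
    for tok in tokens:
        if tok in ';{':
            node = (cur[0], cur[1:], [] if tok == '{' else None)
            block.append(node)
            cur = []
            if tok == '{':
                stack.append(block)
                block = node[2]
        elif tok == '}':
            block = stack.pop()
        else:
            cur.append(tok)
    return root

def split_location(args):
    return (args[0], ' '.join(args[1:])) if args[0] in MODIFIERS else (None, ' '.join(args))

def weak_cipher_entries(cipher_string):
    """String-level check of an OpenSSL cipher list: weak if an entry names a marker that is not
    also removed with '!'. Note '!DES' leaves DES-CBC3 (3DES) enabled; 'openssl ciphers -v' decides."""
    entries = cipher_string.split(':')
    removed = {e[1:].upper() for e in entries if e.startswith('!')}
    return [e for e in entries if not e.startswith('!')
            and any(m in e.upper() and m not in removed for m in WEAK_CIPHER_MARKERS)]

def audit_server(body):
    findings = []
    for name, args, _ in body:
        if name == 'listen' and 'spdy' in args:
            findings.append(('LISTEN_SPDY', 'spdy was replaced by http2 in nginx 1.9.5'))
        elif name == 'ssl' and args == ['on']:
            findings.append(('SSL_ON_DEPRECATED', "'listen ... ssl' implies it; 'ssl on' was removed in nginx 1.25.1"))
        elif name == 'ssl_protocols' and any(p in WEAK_PROTOCOLS for p in args):
            findings.append(('WEAK_PROTOCOL', 'enables ' + ' '.join(p for p in args if p in WEAK_PROTOCOLS)))
        elif name == 'ssl_ciphers' and weak_cipher_entries(args[0]):
            findings.append(('WEAK_CIPHER', 'enables ' + ':'.join(weak_cipher_entries(args[0]))))
    locations = [(split_location(a), c) for n, a, c in body if n == 'location' and c is not None]
    regex_siblings = [m + ' ' + p for (m, p), _ in locations if m in ('~', '~*')]
    for (mod, path), children in locations:
        names = [n for n, _, _ in children]
        # nginx tries same-level regex locations after the longest prefix match unless that prefix
        # used '^~'; a nested regex location that is itself 'internal' also keeps the block intact.
        nested_internal = any(split_location(a)[0] in ('~', '~*') and ('internal', [], None) in c
                              for n, a, c in children if n == 'location' and c is not None)
        if 'internal' in names and mod is None and regex_siblings and not nested_internal:
            findings.append(('INTERNAL_SHADOWED', f"{path}: URIs also matching {regex_siblings} bypass 'internal'"))
        if any(p in path.replace('\\', '') for p in ADMIN_PATHS):
            if 'allow' not in names or ('deny', ['all'], None) not in children:
                findings.append(('ADMIN_NO_DENY', f'{path}: needs allow <ip> ... plus deny all'))
    return findings

def audit(config_text):
    return [f for n, _, c in parse(tokenize(config_text)) if n == 'server' and c is not None
            for f in audit_server(c)]

if __name__ == '__main__':
    for label, cfg in (('weak', WEAK_VHOST), ('hardened', HARDENED_VHOST)):
        print(f'== {label}', *[f'  [{c}] {d}' for c, d in audit(cfg)], sep='\n')
```

    Run it as is to print the findings for both samples (eight for the weak vhost, none for the hardened one), or feed it a real vhost with audit(open(path).read()). The cipher check is a string-level heuristic over the list as written; openssl ciphers -v '<string>' is the authoritative expansion, and a real vhost still needs nginx -t and an external TLS scan after any change.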
  15. eva2000

    eva2000 Administrator Staff Member

    Updated my SSL config's ssl_ciphers suite configuration, as some folks were getting SSL errors, probably due to their browser/client not supporting the SSL ciphers my server is set to use: https://community.centminmod.com/threads/my-xenforo-nginx-vhost-configuration.136/#post-670

    One visitor reported errors like

     
    Last edited: Jun 19, 2014
  16. eva2000

    eva2000 Administrator Staff Member

    Updating my SPDY SSL config to the Cloudflare RC4 Kill patched OpenSSL version outlined at https://community.centminmod.com/threads/nginx-ssl-cipher-suite.714/#post-3341

    Nginx 1.7.3 updated too

    Code:
    nginx -V
    nginx version: nginx/1.7.3
    built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) 
    TLS SNI support enabled
    configure arguments: --with-cc-opt='-I/svr-setup/staticlibssl/include -I/usr/include' --with-ld-opt='-L/svr-setup/staticlibssl/lib -Wl,-rpath -lssl -lcrypto -ldl -lz' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_secure_link_module --with-http_flv_module --with-http_realip_module --with-http_geoip_module --with-openssl-opt=enable-tlsext --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.1 --add-module=../headers-more-nginx-module-0.25 --add-module=../nginx-accesskey-2.0.3 --add-module=../nginx-http-concat-master --with-http_dav_module --add-module=../nginx-dav-ext-module-0.0.3 --with-openssl=../openssl-1.0.1h --with-libatomic --with-pcre=../pcre-8.35 --with-pcre-jit --with-http_spdy_module --add-module=../ngx_pagespeed-release-1.8.31.4-beta
    
    went from

    my SPDY/SSL config

    Code:
    server {
      server_name community.centminmod.com www.community.centminmod.com;
       return 301 https://$server_name$request_uri;
    }
    
    server {
    listen 443 ssl spdy;
      server_name community.centminmod.com www.community.centminmod.com;
    
            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
            add_header Alternate-Protocol 443:npn-spdy/3;
            ssl_certificate      /usr/local/nginx/conf/ssl/centminmod.comwild/centminmod-unified.crt;
            ssl_certificate_key  /usr/local/nginx/conf/ssl/centminmod.comwild/centminmod.com.key;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_session_cache      shared:SSL:30m;
            ssl_session_timeout  12h;
    
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
    
            ssl_prefer_server_ciphers   on;
            spdy_headers_comp 5;
            ssl_buffer_size 4000;
            ssl_session_tickets on;
    
    # enable ocsp stapling
            resolver 8.8.8.8 8.8.4.4 valid=10m;
            resolver_timeout 10s;
            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_trusted_certificate /usr/local/nginx/conf/ssl/centminmod.comwild/centminmod-trusted2.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    include /usr/local/nginx/conf/pagespeed.conf;
    include /usr/local/nginx/conf/pagespeedhandler.conf;
    include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      ssi  on;
    
      access_log /home/nginx/domains/community.centminmod.com/log/access.log combined buffer=32k;
      error_log /home/nginx/domains/community.centminmod.com/log/error.log;
    
      root /home/nginx/domains/community.centminmod.com/public;
    
      location / {
      # Enables directory listings when index file not found
      #autoindex  on;
    
      index index.php index.html index.htm;
      try_files $uri $uri/ /index.php?$uri&$args;
    
    }
    
            location /internal_data/ {
            internal;
            allow 127.0.0.1;
            deny all;
            }
    
            location /library/ {
            internal;
            allow 127.0.0.1;
            deny all;
            }
    
      location ~ ^/(admin.php) {
            include /usr/local/nginx/conf/php.conf;
            allow 127.0.0.1;
            allow myip;
            deny all;
    }
    
       location /install/ {
            index index.php index.html index.htm;
            allow 127.0.0.1;
            allow myip;
            deny all;
            include /usr/local/nginx/conf/php.conf;
            }
    
    #        error_page 403 /403.html;
            error_page 404 /404.html;
            error_page 504 /504.html;
    
            location = /504.html {
                    access_log              off;
                    internal;
            }
    
            location = /404.html {
                    access_log              off;
                    internal;
            }
    
    #        location = /403.html {
    #                access_log              off;
    #                internal;
    #        }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
    
    }
    to new Cloudflare RC4 Kill patched OpenSSL based SPDY/SSL config

    Code:
    server {
      server_name community.centminmod.com www.community.centminmod.com;
       return 301 https://$server_name$request_uri;
    }
    
    server {
    listen 443 ssl spdy;
      server_name community.centminmod.com www.community.centminmod.com;
    
            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
            add_header Alternate-Protocol 443:npn-spdy/3;
            ssl_certificate      /usr/local/nginx/conf/ssl/centminmod.comwild/centminmod-unified.crt;
            ssl_certificate_key  /usr/local/nginx/conf/ssl/centminmod.comwild/centminmod.com.key;
            #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_session_cache      shared:SSL:30m;
            ssl_session_timeout  12h;
    
            #cloudflare
            ssl_protocols   SSLv3 TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers     EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
    
            ssl_prefer_server_ciphers   on;
            spdy_headers_comp 5;
            ssl_buffer_size 4000;
            ssl_session_tickets on;
    
    # enable ocsp stapling
            resolver 8.8.8.8 8.8.4.4 valid=10m;
            resolver_timeout 10s;
            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_trusted_certificate /usr/local/nginx/conf/ssl/centminmod.comwild/centminmod-trusted2.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    include /usr/local/nginx/conf/pagespeed.conf;
    include /usr/local/nginx/conf/pagespeedhandler.conf;
    include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      ssi  on;
    
      access_log /home/nginx/domains/community.centminmod.com/log/access.log combined buffer=32k;
      error_log /home/nginx/domains/community.centminmod.com/log/error.log;
    
      root /home/nginx/domains/community.centminmod.com/public;
    
      location / {
      # Enables directory listings when index file not found
      #autoindex  on;
    
      index index.php index.html index.htm;
      try_files $uri $uri/ /index.php?$uri&$args;
    
    }
    
            location /internal_data/ {
            internal;
            allow 127.0.0.1;
            deny all;
            }
    
            location /library/ {
            internal;
            allow 127.0.0.1;
            deny all;
            }
    
      location ~ ^/(admin.php) {
            include /usr/local/nginx/conf/php.conf;
            allow 127.0.0.1;
            allow myip;
            deny all;
    }
    
       location /install/ {
            index index.php index.html index.htm;
            allow 127.0.0.1;
            allow myip;
            deny all;
            include /usr/local/nginx/conf/php.conf;
            }
    
    #        error_page 403 /403.html;
            error_page 404 /404.html;
            error_page 504 /504.html;
    
            location = /504.html {
                    access_log              off;
                    internal;
            }
    
            location = /404.html {
                    access_log              off;
                    internal;
            }
    
    #        location = /403.html {
    #                access_log              off;
    #                internal;
    #        }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
    
    }
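    The following is an added example, not code from the post or from Centmin Mod, for checking what the two ssl_ciphers strings above actually select. It feeds each string to the OpenSSL that Python links against, expands it into concrete suite names, and reports what a defender looks at in a cipher change like this: whether ssl_protocols lists SSLv3, and whether the expanded list contains RC4, MD5, 3DES or static-RSA (non-forward-secret) suites. OLD_CIPHERS and NEW_CIPHERS are the two strings from the configs above copied verbatim; the expand_cipher_string and audit_tls names are this example's own.

```python
import ssl

# Added example (not from the thread): expand nginx ssl_ciphers strings with the
# OpenSSL that Python links against and summarise the weak properties.

# ssl_ciphers value from the first config above, copied verbatim.
OLD_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:DES-CBC3-SHA:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
)

# ssl_ciphers value from the second ("cloudflare") config above, copied verbatim.
NEW_CIPHERS = (
    "EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:"
    "EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5"
)


def expand_cipher_string(cipher_string):
    """Return the pre-TLS-1.3 suite names OpenSSL selects for an ssl_ciphers value."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are not governed by ssl_ciphers, so leave them out.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_tls(ssl_protocols, cipher_string):
    """Summarise weak settings in an nginx ssl_protocols / ssl_ciphers pair."""
    protocols = ssl_protocols.split()
    suites = expand_cipher_string(cipher_string)
    return {
        "protocols": protocols,
        "sslv3_enabled": "SSLv3" in protocols,
        "suite_count": len(suites),
        "rc4_suites": [s for s in suites if "RC4" in s],
        "md5_suites": [s for s in suites if "MD5" in s],
        "3des_suites": [s for s in suites if "DES-CBC3" in s],
        # No ECDHE/DHE key exchange means static RSA, i.e. no forward secrecy.
        "non_forward_secret": [s for s in suites if not s.startswith(("ECDHE-", "DHE-"))],
    }


if __name__ == "__main__":
    for label, protos, ciphers in (
        ("old", "TLSv1 TLSv1.1 TLSv1.2", OLD_CIPHERS),
        ("new", "SSLv3 TLSv1 TLSv1.1 TLSv1.2", NEW_CIPHERS),
    ):
        report = audit_tls(protos, ciphers)
        print(f"== {label} config ==")
        for key, value in report.items():
            print(f"  {key}: {value}")
```

    The expansion depends on the OpenSSL build Python uses, not on the statically linked OpenSSL nginx was compiled against (the nginx -V output above shows --with-openssl=../openssl-1.0.1h), so treat it as a review aid: a suite absent here may still be enabled on the server. The parts that do not depend on the build are the directive text itself: the first config's ssl_protocols has no SSLv3 and its cipher string excludes RC4 with !RC4, while the second config re-enables SSLv3 and lists EECDH+RC4:RSA+RC4; both end in !MD5.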
     
  17. jeffwidman

    jeffwidman Active Member

    152
    27
    28
    Dec 3, 2014
    Ratings:
    +51
    Local Time:
    11:15 PM
    Looking through this--why do you guys have
    Code:
    internal;
    allow 127.0.0.1;
    deny all;
    Doesn't the "internal;" do the exact same thing as "allow 127.0.0.1; deny all;"? So the latter is just redundant--all you really need is "internal;"?

    Also--any reason why you don't nest your location blocks? For example, nesting the location blocks for "/internal_data/" and "/library/" under root?

    For those putting their xenforo install in a subfolder, I think nesting location blocks rather than treating them as siblings would lead to faster routing because nginx would only try to match to /library/ and /internal_data/ if it had already matched on /forum/. When /forum/ hadn't matched, it wouldn't worry about also trying /library/ and /internal_data/... at least not according to this fairly lucid explanation of Nginx's location parsing algorithm: Understanding Nginx Server and Location Block Selection Algorithms | DigitalOcean

    The one thing I had to double-check on this was the interaction of "try_files" and "location" when they're in the same context... sounds like basically the try_files gets treated as a pseudo-location and never executes if a more specific location is matched in the same context: Understanding the Nginx Configuration Inheritance Model
     
    Last edited: Dec 17, 2014
  18. eva2000

    internal has a different meaning according to Module ngx_http_core_module, although it's effectively the same for what external requests see.

    And yeah, technically nesting them is the ideal way, but it's easier to lay things out in a structure for Nginx noobs to see. It also gets confusing once you add additional non-Xenforo web apps to the Nginx vhost mix.
     
  19. jeffwidman

    Yes, that was the point of my question. I know they have different meanings, but I can't come up with a logical situation where some activity is allowed by the `internal` directive, but disallowed by the `allow localhost` + `deny all` directive combo... Do you actually prevent anything by adding the allow/deny lines after an `internal` directive?

    Additionally, perhaps using `allow localhost` instead of `allow 127.0.0.1` might be faster?
    On unix, some applications such as mysql treat localhost as a special keyword to skip DNS lookup and just use local sockets which are slightly faster than TCP/IP... For this, would want to make sure 'localhost' is configured properly in the /etc/resolv.conf file so that nslookup works properly, but if Centminmod sets this by default, most people won't touch it... but looking further, there's also this Stackoverflow question which makes me wonder if Nginx will always do a DNS lookup for localhost rather than treating it as a keyword for local socket... I'm not sure of the answer, and granted it doesn't matter that much as it's only a small bit of speed; but speed never hurts ;-)

    Interesting. I find it a lot simpler mentally to nest them as then it's a tree structure because when I'm working on /forum/ and not other apps, I know that I only have to worry about stuff within the /forum/ location context, rather than trying to hold all locations in my head simultaneously. To each their own. Although doing it this way, I did hit one issue with rewrites of static file urls conflicting with the staticfile.conf include.

    Thanks again George for all your hard work on Centminmod; while I've enjoyed fiddling with Nginx conf files, I really appreciate having defaults right out of the box that are both optimized and structured in a sane manner.
     
  20. jeffwidman

    Was just reviewing this thread to lock down install and admin to my IP.

    Three questions:
    1) Why not lock down /install/ using a regex such as "~ /install.*"?
    That way you lock down everything in the install directory. Currently, anything other than "/install/index[.php, .html, .htm]" is still wide open. CSS isn't a big deal, but I wouldn't be excited about someone tampering with the XML or template files.

    2) Why do you use a regex on the admin.php restriction? Why not just hardcode "/admin.php"?
    It's a specific file, not contained within a folder, so no need for a regex.

    3) Why do you have to include the php.conf file?
    It's already included at the server block level, so is it really needed within the location blocks?

    To be clear--not trying to criticize, I'm just curious why you made these choices.
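    As an added example (not code from the thread or from Centmin Mod) for the three questions above and the earlier exchange on nested locations, here is a small Python model of nginx's documented location selection order, used to check which block ends up handling a URI under /install/. It assumes that php.conf and staticfiles.conf each define one top-level regex location (a `~ \.php$` fastcgi handler and a case-insensitive static-file regex); those stand-ins are constructed here, so the result describes this layout pattern, not the real include files. The thread_layout, hardened_layout, select and route names are this example's own.

```python
import re

# Added example (not from the thread): a simplified model of how nginx picks a
# location for a request URI, following the rules documented for
# ngx_http_core_module:
#   1. an "=" exact match wins immediately;
#   2. otherwise remember the longest matching prefix location ("" or "^~");
#   3. unless that prefix is "^~", test the regex locations ("~", "~*") in
#      configuration order and take the first match;
#   4. fall back to the longest prefix, then repeat the search inside its
#      nested locations.


class Location:
    def __init__(self, modifier, pattern, name, restricted=False, nested=()):
        self.modifier = modifier      # "", "=", "^~", "~" or "~*"
        self.pattern = pattern
        self.name = name
        self.restricted = restricted  # True if the block carries allow/deny lines
        self.nested = list(nested)

    def matches(self, uri):
        if self.modifier == "=":
            return uri == self.pattern
        if self.modifier in ("", "^~"):
            return uri.startswith(self.pattern)
        flags = re.IGNORECASE if self.modifier == "~*" else 0
        return re.search(self.pattern, uri, flags) is not None


def select(locations, uri):
    """Return the chain of Location objects nginx would descend through for uri."""
    best = None
    for loc in locations:
        if loc.modifier == "=" and loc.matches(uri):
            return [loc]  # nginx does not allow nested locations inside "="
        if loc.modifier in ("", "^~") and loc.matches(uri):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is None or best.modifier != "^~":
        for loc in locations:
            if loc.modifier in ("~", "~*") and loc.matches(uri):
                return [loc] + select(loc.nested, uri)
    if best is None:
        return []
    return [best] + select(best.nested, uri)


def route(locations, uri):
    """Names of the chosen chain plus whether an IP-restricted block is in it."""
    chain = select(locations, uri)
    return [loc.name for loc in chain], any(loc.restricted for loc in chain)


# Constructed stand-ins for the server-level includes (assumption: php.conf and
# staticfiles.conf each define one top-level regex location like these).
def php_handler():
    return Location("~", r"\.php$", "php.conf")


def static_handler():
    return Location("~*", r"\.(css|js|xml|png|jpe?g)$", "staticfiles.conf")


def thread_layout():
    """Layout as posted: plain prefix for /install/, regex for admin.php."""
    return [
        Location("", "/", "location /"),
        # Listed before the php.conf regex, so it is the first regex to match /admin.php.
        Location("~", r"^/(admin.php)", "admin.php", restricted=True, nested=[php_handler()]),
        Location("", "/install/", "install", restricted=True, nested=[php_handler()]),
        static_handler(),
        php_handler(),
    ]


def hardened_layout():
    """Same layout with ^~ on /install/, which stops the top-level regex search."""
    return [
        Location("", "/", "location /"),
        Location("~", r"^/(admin.php)", "admin.php", restricted=True, nested=[php_handler()]),
        Location("^~", "/install/", "install", restricted=True, nested=[php_handler()]),
        static_handler(),
        php_handler(),
    ]


if __name__ == "__main__":
    for name, layout in (("thread", thread_layout()), ("hardened", hardened_layout())):
        for uri in ("/admin.php", "/install/", "/install/index.php", "/install/templates/x.xml"):
            chain, restricted = route(layout, uri)
            print(f"{name:9} {uri:26} -> {' > '.join(chain):20} restricted={restricted}")
```

    What the model shows for the first question: with a plain prefix `location /install/`, a request such as /install/index.php goes to whichever top-level regex matches first (here the PHP handler), because regex locations are tried after the longest prefix has been found and win unless that prefix carries `^~`; the same happens to CSS or XML under /install/ when a static-file regex exists. With `^~ /install/` the regex search is skipped and everything under the directory stays in the restricted block, with PHP served by the nested php.conf include. That also answers the third question: nginx does not inherit locations into other locations, so a `location ~ \.php$` defined at server level does not apply inside a prefix location that has taken the request, and the include has to be repeated there. On the second question, nginx rejects a location nested inside an exact-match (`=`) location, so `= /admin.php` could not wrap php.conf's handler and would need the fastcgi directives written inline. Check the effective configuration with `nginx -T` rather than trusting the model, since the real include files may differ from the stand-ins assumed here.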