Beiträge von DesasterMaster

server {
    listen 127.0.0.1:82;
    server_name 127.0.0.1;
 
    # Path to the root of your installation
    root /var/www/;
 
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
 
    location ^~ /nextcloud {
        # set max upload size
        client_max_body_size 10G;
        fastcgi_buffers 64 4K;
 
        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
        # Uncomment if your server is build with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;
 
        location /nextcloud {
            rewrite ^ /nextcloud/index.php$request_uri;
        }
 
        location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
        }
 
        location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }
 
        location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            
            # Important: disable HTTPS, otherwise no [definition='1','0']log[/definition] in will be possible!
            #fastcgi_param HTTPS on;
 
            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
            fastcgi_param front_controller_active true;
            fastcgi_pass unix:/run/php/php8.1-fpm.sock;
            fastcgi_intercept_errors on;
 
            # Raise timeout values.
            # This is especially important when the Nextcloud setup runs into timeouts (504 gateway errors)
            fastcgi_read_timeout 600;
            fastcgi_send_timeout 600;
            fastcgi_connect_timeout 600;
            fastcgi_request_buffering off;
        
            # Pass PHP variables directly to PHP.
            # This is usually done in the php.ini. For more flexibility, these variables are configured in the nginx config.
            # All the PHP parameters have to be set in one fastcgi_param. When using more 'fastcgi_param PHP_VALUE' directives, the last one will override all the others.
            fastcgi_param PHP_VALUE "open_basedir=/var/www:/tmp/:/var/nextcloud_data:/dev/urandom:/proc/meminfo
                upload_max_filesize = 10G
                post_max_size = 10G
                max_execution_time = 3600
                max_input_time = 3600
                output_buffering = off";
            
            # Make sure that the real IP of the remote host is passed to PHP.
            fastcgi_param REMOTE_ADDR $http_x_real_ip;
        }
 
        location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
        }
 
        # Adding the cache control header for js and css files
        # Make sure it is BELOW the PHP block
        location ~* \.(?:css|js|woff2?|svg|gif)$ {
            try_files $uri /nextcloud/index.php$request_uri;
            proxy_set_header Cache-Control "public, max-age=15778463";
            # Add headers to serve security related headers
            # Use 'proxy_set_header' (not 'add_header') as the headers have to be passed
            proxy_set_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
            proxy_set_header X-Content-Type-Options nosniff;
            proxy_set_header X-XSS-Protection "1; mode=block";
            proxy_set_header X-Robots-Tag none;
            proxy_set_header X-Download-Options noopen;
            proxy_set_header X-Permitted-Cross-Domain-Policies none;
            proxy_set_header Referrer-Policy no-referrer;
            # Optional: Don't [definition='1','0']log[/definition] access to assets
            access_log off;
        }
 
        location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
            try_files $uri /nextcloud/index.php$request_uri;
            # Optional: Don't [definition='1','0']log[/definition] access to other assets
            access_log off;
        }
    }
}

upstream php-handler {
    server unix:/run/php/php8.1-fpm.sock;
}

server {
    listen 80 default_server;
      listen [::]:80 ipv6only=on default_server;
    server_name my.site.com 192.168.178.32;
 
    root /var/www;
    
    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_redirect off;
    }
        location / {
        # Enforce HTTPS
        # Use this if you always want to redirect to the DynDNS address (no local access).
        return 301 https://$server_name$request_uri;
        
        # Use this if you also want to access the server by local IP:
        #return 301 https://$server_addr$request_uri;

    }    
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name my.site.com 192.168.178.32;
  
    # Certificates used
    ssl_certificate /etc/letsencrypt/live/my.site.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my.site.com/privkey.pem;
  
    # Not using TLSv1 will break:
    #    Android <= 4.4.40
    #    IE <= 10
    #    IE mobile <=10
    # Removing TLSv1.1 breaks nothing else!
    # TLSv1.3 is not supported by most clients, but it should be enabled.
    ssl_protocols TLSv1.2 TLSv1.3;
    
    # Cipher suite from https://cipherli.st/
    # Max. security, but lower compatibility 
    ssl_ciphers '00000';
 
    # Cipher suite from https://wiki.mozilla.org/Security/Server_Side_TLS
    #ssl_ciphers '00000;
 
    # (Modern) cipher suite from https://mozilla.github.io/server-side-tls/ssl-config-generator/
    #ssl_ciphers '00000;
 
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
  
    # Use multiple curves.
    # secp521r1: Not supported by Chrome
    # secp384r1: Not supported by Android (DAVdroid)
    ssl_ecdh_curve 000000;
 
    # Server should determine the ciphers, not the client
    ssl_prefer_server_ciphers on;
  
    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    
    # This should be chain.pem
    # See here: https://certbot.eff.org/docs/using.html
    ssl_trusted_certificate /etc/letsencrypt/live/my.site.com/chain.pem;
    
    resolver 192.168.178.1;
  
    # SSL session handling
    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
 
    #
    # Add headers to serve security related headers
    #  
    # HSTS (ngx_http_headers_module is required)
    # In order to be recoginzed by SSL test, there must be an index.hmtl in the server's root
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    add_header X-Robots-Tag "noindex, nofollow" always;
        add_header X-Frame-Options "SAMEORIGIN"; 
        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;    
    
    location = / {
        # Disable access to the web root, otherwise nginx will show the default site here.
        deny all;
        }    
 
    #
    # Nextcloud
    #
    location ^~ /nextcloud/ {
        # Set max. size of a request (important for uploads to Nextcloud)
        client_max_body_size 10G;
        # Besides the timeout values have to be raised in nginx' Nextcloud config, these values have to be raised for the proxy as well
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        send_timeout 3600;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_max_temp_file_size 10240m;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:82;
        proxy_redirect off;
    }
        location ^~ /.well-known {
                # The rules in this block are an adaptation of the rules
                # in the Nextcloud `.htaccess` that concern `/.well-known`.
                location = /.well-known/carddav { return 301 $scheme://$host/nextcloud/remote.php/dav/; }
                location = /.well-known/caldav  { return 301 $scheme://$host/nextcloud/remote.php/dav/; }
                location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
                location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
                # Let Nextcloud's API for `/.well-known` URIs handle all other
                # requests by passing them to the front-end controller.
                return 301 $scheme://$host/nextcloud/index.php$request_uri;
         } 

     location ^~ /mysite/ {
                proxy_pass http://127.0.0.1:8199; # Local# ip and non SSL port

                proxy_hide_header X-Powered-By;
                proxy_set_header Range $http_range;
                proxy_set_header If-Range $http_if_range;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

               #Next three lines allow websockets
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
        }
        location ^~ /mysite/ {
                proxy_pass http://127.0.0.1:9999; # Local ip and non SSL port

                proxy_hide_header X-Powered-By;
                proxy_set_header Range $http_range;
                proxy_set_header If-Range $http_if_range;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

               #Next three lines allow websockets
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
        }
        location ^~ /mysite/ {
                proxy_pass http://127.0.0.1:5252; # Local ip and non SSL port

                proxy_hide_header X-Powered-By;
                proxy_set_header Range $http_range;
                proxy_set_header If-Range $http_if_range;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

               #Next three lines allow websockets
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
         }
}

; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Unix user/group of the child processes. This can be used only if the master
; process running user is root. It is set after the child process is created.
; The user and group can be specified either by their name or by their numeric
; IDs.
; Note: If the user is root, the executable needs to be started with
;       --allow-to-run-as-root option to work.
; Default Values: The user is set to master process running user by default.
;                 If the group is not set, the user's group is used.
user = www-data
group = www-data

; The address on which to accept FastCGI requests.
; Valid syntaxes are:
;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
;                            a specific port;
;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
;                            a specific port;
;   'port'                 - to listen on a TCP socket to all addresses
;                            (IPv6 and IPv4-mapped) on a specific port;
;   '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php8.1-fpm.sock

; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: Owner is set to the master process running user. If the group
;                 is not set, the owner's group is used. Mode is set to 0660.
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660

systemctl status php8.1-fpm.service
● php8.1-fpm.service - The PHP 8.1 FastCGI Process Manager
     Loaded: loaded (/lib/systemd/system/php8.1-fpm.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-06-22 19:28:16 CEST; 5min ago
       Docs: man:php-fpm8.1(8)
   Main PID: 1334 (php-fpm8.1)
     Status: "Processes active: 0, idle: 2, Requests: 0, slow: 0, Traffic: 0req/sec"
      Tasks: 3 (limit: 3902)
     Memory: 23.8M
        CPU: 510ms
     CGroup: /system.slice/php8.1-fpm.service
             ├─1334 "php-fpm: master process (/etc/php/8.1/fpm/php-fpm.conf)" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
             ├─2320 "php-fpm: pool www" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "">
             └─2321 "php-fpm: pool www" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "">


Jun 22 19:26:47 htpc systemd[1]: Starting The PHP 8.1 FastCGI Process Manager...
Jun 22 19:28:16 htpc systemd[1]: Started The PHP 8.1 FastCGI Process Manager.