ponepaste/doc/nginx.conf

# Request limit zone to help mitigate attacks
limit_req_zone $binary_remote_addr zone=ip:10m rate=5r/s;

# Cleartext listener for LetsEncrypt and HTTPS redirects.
server {
    listen 80;

    server_name ponepaste.org;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt/;
    }

    location / {
        return 301 https://ponepaste.org$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # SSL Configuration
    ssl_certificate /etc/letsencrypt/live/ponepaste.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ponepaste.org/privkey.pem;
    add_header Strict-Transport-Security "max-age=63072000" always;

    # ModSecurity config; optional, but recommended.
    modsecurity on;
    modsecurity_rules_file /etc/modsecurity/modsecurity.conf;

    root /srv/http/ponepaste.org;
    index index.html index.php;

    server_name ponepaste.org;

    rewrite ^/$ /index.php last;
    rewrite ^/([0-9]+)$ /paste.php?id=$1 last;
    rewrite ^/page/([a-zA-Z0-9]+)/?$ /pages.php?page=$1 last;

    # simple routes that just map to $1.php
    rewrite ^/(archive|discover|profile|contact|report|event|captcha|login|logout)/?$ /$1.php last;

    # routes for users
    rewrite ^/user/([^/]+)/?$ /user.php?user=$1 last;
    rewrite ^/user/([^/]+)/([^/]+)/?$ /user.php?user=$1&q=$2 last;

    # routes for pastes
    rewrite ^/(download|raw|embed)/(.+)$ /paste.php?$1&id=$2 last;

    # weird registration routes that use a URL parameter rather than a different page (FIXME)
    rewrite ^/register$ /login.php last;
    rewrite ^/forgot$ /login.php last;


    location ~* \.(jpg|jpeg|png|gif|ico|css|js) {
      add_header "Cache-Control" "public";
      expires 1h;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        limit_req zone=ip burst=10 delay=8;
        include snippets/fastcgi-php.conf;

        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Deny directories that should not be publicly accessible.
    location ~ (/doc|/tmp|/includes|/config|/.git|/.ht|/js|/node_modules|/composer).* {
        deny all;
    }

    location ~ /\.ht {
        deny all;
    }
}
Move some stuff around. 2021-11-04 11:04:22 -04:00			`# Request limit zone to help mitigate attacks`
			`limit_req_zone $binary_remote_addr zone=ip:10m rate=5r/s;`

			`# Cleartext listener for LetsEncrypt and HTTPS redirects.`
			`server {`
			`listen 80;`

			`server_name ponepaste.org;`

			`location ^~ /.well-known/acme-challenge/ {`
			`root /var/www/letsencrypt/;`
			`}`

			`location / {`
			`return 301 https://ponepaste.org$request_uri;`
			`}`
			`}`

			`server {`
			`listen 443 ssl;`
			`listen [::]:443 ssl;`

			`# SSL Configuration`
			`ssl_certificate /etc/letsencrypt/live/ponepaste.org/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/ponepaste.org/privkey.pem;`
			`add_header Strict-Transport-Security "max-age=63072000" always;`

			`# ModSecurity config; optional, but recommended.`
			`modsecurity on;`
			`modsecurity_rules_file /etc/modsecurity/modsecurity.conf;`

			`root /srv/http/ponepaste.org;`
			`index index.html index.php;`

			`server_name ponepaste.org;`

fix broken nginx config and other stuff that I didn't commit 2 years ago 2023-03-28 12:00:22 -04:00			`rewrite ^/$ /index.php last;`
			`rewrite ^/([0-9]+)$ /paste.php?id=$1 last;`
			`rewrite ^/page/([a-zA-Z0-9]+)/?$ /pages.php?page=$1 last;`

			`# simple routes that just map to $1.php`
			`rewrite ^/(archive\|discover\|profile\|contact\|report\|event\|captcha\|login\|logout)/?$ /$1.php last;`

			`# routes for users`
Move some stuff around. 2021-11-04 11:04:22 -04:00			`rewrite ^/user/([^/]+)/?$ /user.php?user=$1 last;`
			`rewrite ^/user/([^/]+)/([^/]+)/?$ /user.php?user=$1&q=$2 last;`
fix broken nginx config and other stuff that I didn't commit 2 years ago 2023-03-28 12:00:22 -04:00
			`# routes for pastes`
			`rewrite ^/(download\|raw\|embed)/(.+)$ /paste.php?$1&id=$2 last;`

			`# weird registration routes that use a URL parameter rather than a different page (FIXME)`
			`rewrite ^/register$ /login.php last;`
			`rewrite ^/forgot$ /login.php last;`

Move some stuff around. 2021-11-04 11:04:22 -04:00
			`location ~* \.(jpg\|jpeg\|png\|gif\|ico\|css\|js) {`
			`add_header "Cache-Control" "public";`
			`expires 1h;`
			`}`

			`location / {`
			`try_files $uri $uri/ =404;`
			`}`

			`location ~ \.php$ {`
			`limit_req zone=ip burst=10 delay=8;`
			`include snippets/fastcgi-php.conf;`

			`fastcgi_pass unix:/run/php/php-fpm.sock;`
			`}`

			`# Deny directories that should not be publicly accessible.`
Frontend search works alright I guess 2022-01-06 07:58:29 -05:00			`location ~ (/doc\|/tmp\|/includes\|/config\|/.git\|/.ht\|/js\|/node_modules\|/composer).* {`
Move some stuff around. 2021-11-04 11:04:22 -04:00			`deny all;`
			`}`

			`location ~ /\.ht {`
			`deny all;`
			`}`
			`}`