ponepaste/doc/nginx.conf

# Request limit zone to help mitigate attacks
limit_req_zone $binary_remote_addr zone=ip:10m rate=5r/s;

# Cleartext listener for LetsEncrypt and HTTPS redirects.
server {
    listen 80;

    server_name ponepaste.org;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt/;
    }

    location / {
        return 301 https://ponepaste.org$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # SSL Configuration
    ssl_certificate /etc/letsencrypt/live/ponepaste.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ponepaste.org/privkey.pem;
    add_header Strict-Transport-Security "max-age=63072000" always;

    # ModSecurity config; optional, but recommended.
    modsecurity on;
    modsecurity_rules_file /etc/modsecurity/modsecurity.conf;

    root /srv/http/ponepaste.org;
    index index.html index.php;

    server_name ponepaste.org;

    # Rewrites for pretty URLs
    rewrite ^/([0-9]+) /paste.php?id=$1 last;
    rewrite ^/page/([a-zA-Z0-9]+)/? /pages.php?page=$1 last;
    rewrite ^/archive /archive.php last;
    rewrite ^/discover /discover.php last;
    rewrite ^/profile /profile.php last;
    rewrite ^/user/([^/]+)/?$ /user.php?user=$1 last;
    rewrite ^/user/([^/]+)/([^/]+)/?$ /user.php?user=$1&q=$2 last;
    rewrite ^/contact /contact.php last;
    rewrite ^/download/(.*)$  /paste.php?download&id=$1 last;
    rewrite ^/raw/(.*)$  /paste.php?raw&id=$1 last;
    rewrite ^/embed/(.*)$  /paste.php?embed&id=$1 last;
    rewrite ^/report  /report.php last;
    rewrite ^/event  /event.php last;

    location ~* \.(jpg|jpeg|png|gif|ico|css|js) {
      add_header "Cache-Control" "public";
      expires 1h;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        limit_req zone=ip burst=10 delay=8;
        include snippets/fastcgi-php.conf;

        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Deny directories that should not be publicly accessible.
    location ~ (/doc|/tmp|/includes|/config|/.git|/.ht|/js|/node_modules).* {
        deny all;
    }

    location ~ /\.ht {
        deny all;
    }
}
Move some stuff around. 2021-11-04 11:04:22 -04:00			`# Request limit zone to help mitigate attacks`
			`limit_req_zone $binary_remote_addr zone=ip:10m rate=5r/s;`

			`# Cleartext listener for LetsEncrypt and HTTPS redirects.`
			`server {`
			`listen 80;`

			`server_name ponepaste.org;`

			`location ^~ /.well-known/acme-challenge/ {`
			`root /var/www/letsencrypt/;`
			`}`

			`location / {`
			`return 301 https://ponepaste.org$request_uri;`
			`}`
			`}`

			`server {`
			`listen 443 ssl;`
			`listen [::]:443 ssl;`

			`# SSL Configuration`
			`ssl_certificate /etc/letsencrypt/live/ponepaste.org/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/ponepaste.org/privkey.pem;`
			`add_header Strict-Transport-Security "max-age=63072000" always;`

			`# ModSecurity config; optional, but recommended.`
			`modsecurity on;`
			`modsecurity_rules_file /etc/modsecurity/modsecurity.conf;`

			`root /srv/http/ponepaste.org;`
			`index index.html index.php;`

			`server_name ponepaste.org;`

			`# Rewrites for pretty URLs`
			`rewrite ^/([0-9]+) /paste.php?id=$1 last;`
			`rewrite ^/page/([a-zA-Z0-9]+)/? /pages.php?page=$1 last;`
			`rewrite ^/archive /archive.php last;`
			`rewrite ^/discover /discover.php last;`
			`rewrite ^/profile /profile.php last;`
			`rewrite ^/user/([^/]+)/?$ /user.php?user=$1 last;`
			`rewrite ^/user/([^/]+)/([^/]+)/?$ /user.php?user=$1&q=$2 last;`
			`rewrite ^/contact /contact.php last;`
			`rewrite ^/download/(.*)$ /paste.php?download&id=$1 last;`
			`rewrite ^/raw/(.*)$ /paste.php?raw&id=$1 last;`
			`rewrite ^/embed/(.*)$ /paste.php?embed&id=$1 last;`
			`rewrite ^/report /report.php last;`
			`rewrite ^/event /event.php last;`

			`location ~* \.(jpg\|jpeg\|png\|gif\|ico\|css\|js) {`
			`add_header "Cache-Control" "public";`
			`expires 1h;`
			`}`

			`location / {`
			`try_files $uri $uri/ =404;`
			`}`

			`location ~ \.php$ {`
			`limit_req zone=ip burst=10 delay=8;`
			`include snippets/fastcgi-php.conf;`

			`fastcgi_pass unix:/run/php/php-fpm.sock;`
			`}`

			`# Deny directories that should not be publicly accessible.`
			`location ~ (/doc\|/tmp\|/includes\|/config\|/.git\|/.ht\|/js\|/node_modules).* {`
			`deny all;`
			`}`

			`location ~ /\.ht {`
			`deny all;`
			`}`
			`}`