digitalocean / nginxconfig.io
NGINX config generator on steroids
Home Page: https://do.co/nginxconfig
License: MIT License
Is there an intention to create an API to enable generating the config automatically?
That would help a lot with provisioning tools.
For example, "single page application", "php application", "progressive web app", "restful api", etc...
Create a downloadable package from generated config files.
Here are the docs for nginx rate limiting.
It would be good to add known, privacy-first DNS lookup options for OCSP Stapling.
i.e. 1.1.1.1, 1.0.0.1
https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
specifically, add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Hi. I am looking for advice. I am using a TeamCity server behind an Nginx reverse proxy. Recently I faced a problem where Nginx denies downloading zip files from the path my-site/some-url/.teamcity/coverage_idea/coverage.zip
My workaround looks like:
location ~ /\.(?!well-known|teamcity) { deny all; }
But I wish to be more precise. Should I include an "allow" block in the reverse-proxy block?
Right now the tool points ssl_trusted_certificate to fullchain.pem, but I believe it should just point to chain.pem.
Reference threads:
Thank you!
When creating a new config and unchecking the Modularized structure under common tools section, the server_name, redirect, and ssl_trusted_certificate directives lose the domain.
server {
listen :443 ssl http2;
listen []:443 ssl http2;
server_name ;
set $base /srv/www/domains/domain.com/magento/v230;
root $base;
# SSL
ssl_certificate /etc/letsencrypt/live/magento.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/magento.domain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live//chain.pem;
And the redirect server block:
# HTTP redirect
server {
listen :80;
listen []:80;
server_name .;
# ACME-challenge
location ^~ /.well-known/acme-challenge/ {
root /var/www/_letsencrypt;
}
location / {
return 301 https://$request_uri;
}
}
It also appears that the listen directive is incorrect: the ":" is not required for IPv4, and the IPv6 listen should be [::].
Please add support for hhvm and fallback to php-fpm and vice versa
As I've been thrown into the role as system administrator I was thrilled to find nginxconfig.io to help me out with a rock solid WP config. I would very much like to see a version for the rising Statamic CMS as well. Is there any way that could happen?
When using the "preset" section up top (switching between frontend, backend, Node.js etc.) some properties seem to be applied before the UI has been updated, leading to the new value/setting not registering properly. I noticed this with the Routing tab, connected to the PHP enabled setting.
To easily reproduce, apply either the Frontend or Node.js preset, any one where PHP is not enabled.
Then switch to a preset where PHP is enabled and the index is index.php, such as backend, WordPress or Drupal.
At this point PHP becomes enabled, but the index is never set to index.php.
If at this point you click the preset button again, same one again, the index is set to the correct value.
My guess/assumption is that the php setting is applied after the index setting, thus invalidating the new index setting as it tries to apply it before index.php is considered a valid choice.
Please check this regex in nginxconfig.io/wordpress.conf
# WordPress: deny wp-content/plugins nasty stuff
location ~* ^/wp-content/plugins/.*\.(?!css(\.map)?|js(\.map)?...) {
deny all;
}
/wp-content/plugins/responsive-lightbox/assets/swipebox/css/swipebox.css
--> ALLOW
/wp-content/plugins/responsive-lightbox/assets/swipebox/css/swipebox.min.css
--> DENY
/wp-content/plugins/responsive-lightbox/assets/swipebox/js/jquery.swipebox.js
--> DENY
/wp-content/plugins/responsive-lightbox/assets/swipebox/js/jquery.swipebox.min.js
--> DENY
It means:
/wp-content/plugins/xxx.{allow_extension}
--> OK
/wp-content/plugins/xxx.yyy.{allow_extension}
--> Not working
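To show why the rule above behaves this way, here is an added Python check (not part of the nginxconfig.io project or of the post) that runs the shape of the quoted rule and a front-anchored correction over the four paths from the post; the allow-list is an abbreviated assumption because the post elides the full one.

```python
import re

# Abbreviated allow-list (assumption: the post's full list is elided with "...").
ALLOWED = r"css(?:\.map)?|js(?:\.map)?|png|jpe?g|gif|svg|woff2?"

# Shape of the quoted rule (location ~* is case-insensitive). The negative lookahead
# only inspects the text after *whichever* dot the engine is currently trying, so on
# "swipebox.min.css" it backtracks to the dot before "min.css", the lookahead passes,
# and the request is denied.
ORIGINAL = re.compile(r"^/wp-content/plugins/.*\.(?!" + ALLOWED + r")", re.IGNORECASE)

# Corrected form: decide on the whole URI up front. The lookahead asserts that the
# path does not END with an allowed extension; the trailing .*\. keeps the original's
# "only paths that contain a dot" behaviour (so /plugins/foo/ is still untouched).
FIXED = re.compile(
    r"^/wp-content/plugins/(?!.*\.(?:" + ALLOWED + r")$).*\.", re.IGNORECASE
)

def denied(rule, uri):
    """True if `location ~* <rule> { deny all; }` would reject the URI."""
    return rule.search(uri) is not None

# Paths listed in the post.
PLUGIN = "/wp-content/plugins/responsive-lightbox/assets/swipebox/"
PATHS = [
    PLUGIN + "css/swipebox.css",
    PLUGIN + "css/swipebox.min.css",
    PLUGIN + "js/jquery.swipebox.js",
    PLUGIN + "js/jquery.swipebox.min.js",
]

def compare(paths=PATHS):
    """Map each path to (denied by ORIGINAL, denied by FIXED)."""
    return {p: (denied(ORIGINAL, p), denied(FIXED, p)) for p in paths}

if __name__ == "__main__":
    for path, (before, after) in compare().items():
        print(f"{'DENY ' if before else 'ALLOW'} -> {'DENY ' if after else 'ALLOW'}  {path}")
```

The corrected rule still denies anything whose final extension is outside the list (a .php file or a dotfile inside a plugin directory), which is the protection the original comment describes.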
just like
location = /favicon.ico {
log_not_found off;
access_log off;
return 404;
}
If the accessing device is mobile, please redirect to a mobile directory or mobile domain.
from /etc/nginx/nginxconfig.io/php_fastcgi.conf
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
change to
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
Thanks.
The "HTTP Redirect" block is missing a "www.example.com" version of the domain. I've encountered problems on redirecting without it.
server_name .{{ domain() }};<!--
It could be something like this: (but is needed to verify if the "www" is checked)
server_name .{{ domain() }} www.{{ domain() }};<!--
File: public/templates/conf/sites-available/example.com.conf.html
Line: 200
I tried to open a pull request but I guess I don't have the permissions to do so.
Commit: https://github.com/rafaelfesi/nginxconfig.io/pull/1/commits/61e31cd1253f096afd369de1823a8ef8d9b7b169
# add_header Cache-Control "public,max-age=3600,immutable";
# add_header Cache-Control "public,max-age=604800,immutable";
# add_header Cache-Control "public,max-age=31536000,immutable";
In the subdomain section.
# subdomains redirect
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name *.my.domain.com;
# SSL
include _ssl.conf;
ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem;
return 301 https://my.domain.com$request_uri;
}
This website is a very good idea.
I mainly use Python as a backend language (not PHP, have you ever tried Python? ;-) ). To use nginx with Python, the WSGI interface was defined. Do you think that Python support could be added to nginxconfig.io?
Some starting points could be:
Content security policy configurator and/or security level validator as in https://csp-evaluator.withgoogle.com/
Anyway the default policy is too insecure.
Hello, I had a strange problem and finally figured it out.
When I use the configuration to proxy content like with this configuration: https://nginxconfig.io/?0.domain=192.168.1.198&0.https=false&0.php=false&0.proxy&0.proxy_pass=http:%2F%2F192.168.1.119:8080%2F&user=nginx&pid=%2Frun%2Fnginx%2Fnginx.pid&client_max_body_size=100
My page looks like this:
But when I go to /etc/nginx/nginxconfig.io/general.conf and comment out these parts:
# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$
{
expires 7d;
access_log off;
}
# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
expires 7d;
access_log off;
}
then it works.
The reason for this is that the "location" settings are just appended to the .conf file of the site.
Which means that if these location blocks don't also have the proxy_pass lines (which doesn't even work at the moment, see #57) the site won't forward any images, etc.
When the user specifies that they want to use a proxy, the cache directives will have to be added to the server block (after the inclusion of general.conf) and will have to include the proxy_pass lines, like so:
server {
listen 80;
listen [::]:80;
server_name 192.168.1.198;
# reverse proxy
location / {
proxy_pass http://192.168.1.119:8080/;
include nginxconfig.io/proxy.conf;
}
include nginxconfig.io/general.conf;
# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
expires 7d;
access_log off;
proxy_pass http://192.168.1.119:8080/;
include nginxconfig.io/proxy.conf;
}
# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
expires 7d;
access_log off;
proxy_pass http://192.168.1.119:8080/;
include nginxconfig.io/proxy.conf;
}
}
The site's main example config uses TLSv1 (June 18, 2018, deprecated) and TLSv1.1 (December 20, 2018, soon).
https://tools.ietf.org/id/draft-moriarty-tls-oldversions-diediedie-00.html
# Generated by nginxconfig.io
user www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;
events {
multi_accept on;
worker_connections 65535;
}
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 2048;
client_max_body_size 16M;
# MIME
include mime.types;
default_type application/octet-stream;
# logging
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
# SSL
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;
# intermediate configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
ssl_prefer_server_ciphers on;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout 2s;
# load configs
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
and also relevant cache strategies
Also I'll use this issue to say this project is very useful even without this requested feature, I'm bookmarking it and sharing too :)
I only had to add the stuff for location ^~ /thumbs to your config and it worked.
If I knew how to do this I would do a PR instead of creating an issue
When using a separated file structure it is best to define the log path to be specific to that domain.
For example:
access_log /var/log/nginx/domain.com_access_log;
error_log /var/log/nginx/domain.com_error_log;
Leaving the defaults in /etc/nginx/nginx.conf shouldn't matter, but the above should be followed (or very close to it) when doing multiple domains, for diagnostic purposes.
After I added config generated by the website to my site-available/domain.conf file I get the following warnings.
nginx: [warn] conflicting server name ".domain.com" on 0.0.0.0:80, ignored
Here's my domain.com conf file
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name domain.com;
access_log /var/log/nginx/domain.com.access.log rt_cache;
error_log /var/log/nginx/domain.com.error.log;
root /var/www/domain.com/htdocs;
index index.php index.html index.htm;
include common/wpfc-php7.conf;
include common/wpcommon-php7.conf;
include common/locations-php7.conf;
include /var/www/domain.com/conf/nginx/*.conf;
}
# subdomains redirect
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name *.domain.com;
return 301 https://domain.com$request_uri;
}
# HTTP redirect
server {
listen 80;
listen [::]:80;
server_name .domain.com;
location / {
return 301 https://domain.com$request_uri;
}
}
This is happening on all my websites where I used a similar configuration.
Let me know if I'm missing something.
sites-enabled are intended to be symlinked from sites-available, allowing the ability to disable a site without deleting the config.
Details:
Change /etc/nginx/sites-enabled/example.com.conf
to /etc/nginx/sites-available/example.com.conf
Add command ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/example.com.conf
Would be great to have single-button support for Let's Encrypt configuration.
Would also be great to allow multiple sites on the same page. Just click add to add another site into the multi-sites config.
Thanks for this!
When Drupal is configured to use private files, those files should be served by Drupal and not NGINX directly.
# Handle private files through Drupal. Private file's path can come
# with a language prefix.
location ~ ^(/[a-z\-]+)?/system/files/ {
# For Drupal >= 7
try_files $uri /index.php?$query_string;
}
It would be nice to have Magento 1.x and 2.x specific config.
This is happening in Chrome 64 and Epiphany 3.26. However it is not happening in Firefox 58. I'm using nginx:latest and php:fpm inside of Docker.
'X-Content-Type-Options "nosniff" always' is enabled:
'X-Content-Type-Options "nosniff" always' is disabled:
This is my /etc/nginx/conf.d/default.conf (really the only modification I made was to "fastcgi_pass"):
server {
listen 80;
listen [::]:80;
server_name localhost;
set $base /var/www/html;
root $base/public;
# index
index index.php;
# $uri, index.php
location / {
try_files $uri $uri/ /index.php?$query_string;
}
# security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * 'unsafe-eval' 'unsafe-inline'" always;
# . files
location ~ /\. {
deny all;
}
# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
expires 7d;
access_log off;
}
# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff|woff2)$ {
add_header Access-Control-Allow-Origin "*";
expires 7d;
access_log off;
}
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
# handle .php
location ~ \.php$ {
try_files $uri =404;
# fastcgi
#fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
fastcgi_pass php:9000;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PHP_ADMIN_VALUE open_basedir=$base/:/usr/lib/php/:/tmp/;
fastcgi_intercept_errors off;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
# default fastcgi_params
include fastcgi_params;
}
}
# subdomains redirect
server {
listen 80;
listen [::]:80;
server_name *.localhost;
return 301 https://localhost$request_uri;
}
Hi,
Can you add OIDC Auth -
https://github.com/tarachandverma/nginx-openidc ?
Can the WordPress rule cover a subdirectory, or just the root directory?
Greetings.
Does this config generator work on the 1.15.X version of NGINX?
(Sorry for my bad English)
This would make it even easier for beginners to do it the right way, could also add a preview for the regex so it's easy to see what the results will become.
As described in Weak DH section 2, it is not recommended to use the distribution's default DH params.
The solution (as described here) is to generate your own dhparam file and then use the ssl_dhparam statement.
Hello. I see that in the new version the single-file config option is removed? But for what reason?
To make sure everything is working as intended :)
When I run " # HTTPS - certbot (before first run): create ACME-challenge common directory"
I got the error: "mkdir: cannot create directory ‘/var/www/_letsencrypt’: Permission denied"
Environment: AWS Ubuntu 18.04
Hello and thanks for this awesome project.
Currently when you select something with a reverse proxy (eg: https://nginxconfig.io/?0.php=false&0.proxy&client_max_body_size=41 ) you get this snippet in your example.com.conf:
# reverse proxy
location / {
proxy_pass http://127.0.0.1:3000;
include nginxconfig.io/proxy.conf;
}
But the config file include nginxconfig.io/proxy.conf is not displayed. It worked a (few) week(s) ago but not anymore.
Also I don't get any JS errors; I have enabled and disabled an adblocker and tried it on the latest Chrome on Windows and the latest Chromium on Linux.
Excuse me if I'm missing something here, but won't this config always redirect to www.example.org, regardless of subdomain?
# non-www, subdomains redirect
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name .example.org;
# SSL
ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
return 301 https://www.example.org$request_uri;
}
This is the default if you want both the www redirect and a CDN (or any CDN for that matter).
Should it not be server_name example.org instead of .example.org?
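Which block nginx selects for a given Host is decided by name precedence, not by file order: exact name first, then the longest wildcard starting with an asterisk, then the longest wildcard ending with one, then the first matching regex, and .example.org is shorthand for the exact name plus *.example.org. The following Python model of that documented order is an added example (not code from the project or the post); it covers the redirect layout quoted above and the www case from the earlier "HTTP Redirect" post, and the block labels and the GENERATED layout are constructed.

```python
import re

def _expand(name):
    """Expand one server_name token into (kind, value) entries.
    ".example.org" is shorthand for the exact name plus "*.example.org"."""
    if name.startswith("~"):
        return [("regex", re.compile(name[1:]))]
    if name.startswith("."):
        return [("exact", name[1:]), ("wild_start", name)]  # suffix keeps the dot
    if name.startswith("*."):
        return [("wild_start", name[1:])]
    if name.endswith(".*"):
        return [("wild_end", name[:-1])]
    return [("exact", name)]

def select_server(blocks, host):
    """blocks: [(label, [server_name tokens])] in file order for one listen socket.
    Returns the label nginx would choose; falls back to the first block, which is
    the default server when none is marked default_server."""
    host = host.lower()
    buckets = {"exact": [], "wild_start": [], "wild_end": [], "regex": []}
    for label, names in blocks:
        for token in names:
            token = token if token.startswith("~") else token.lower()
            for kind, value in _expand(token):
                buckets[kind].append((value, label))
    for name, label in buckets["exact"]:
        if name == host:
            return label
    hits = [(len(s), label) for s, label in buckets["wild_start"]
            if host.endswith(s) and len(host) > len(s)]
    if hits:
        return max(hits)[1]          # longest suffix wins
    hits = [(len(p), label) for p, label in buckets["wild_end"]
            if host.startswith(p) and len(host) > len(p)]
    if hits:
        return max(hits)[1]          # longest prefix wins
    for rx, label in buckets["regex"]:
        if rx.search(host):
            return label
    return blocks[0][0]

# Constructed model of the generated :443 layout: the main site block and the
# "non-www, subdomains redirect" block quoted in the post.
GENERATED = [
    ("main-www", ["www.example.org"]),
    ("redirect-to-www", [".example.org"]),
]

if __name__ == "__main__":
    for h in ("www.example.org", "example.org", "cdn.example.org"):
        print(h, "->", select_server(GENERATED, h))
```

Because the exact name wins, www.example.org lands in the main block and never loops, while example.org and every other subdomain are sent to www by the .example.org block.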
I'd love to see support for Nginx servers binding to specific IPs for servers that have more than one IP. I know this is super simple to do after the general configuration files have been generated, but it may prove useful for people that may not be sure how to do it.
NGINX publishes container images on Docker Hub that include a default configuration and layout:
https://github.com/nginxinc/docker-nginx/tree/master/mainline/alpine
The default configuration of the containers differs in subtle ways, like user being nginx, pid being /var/run/nginx.pid, etc. I realize this tool provides sections to set up these values and thus match the values in the container. However, I was wondering whether the tool could have out-of-the-box support for configuration to be put in the Docker container image. Perhaps a checkbox in the 'Tools' section that indicates that deployment will be via Docker. If checked, the recommended configuration could be optimized for Docker deployments.
First: very nice project! Thank you very much for giving the world this tool!
Only very little room for optimization:
The sed command for disabling SSL directives leaves the redirect to the ssl site active.
Nice holidays!
In php_fastcgi.conf there is this rule fastcgi_split_path_info ^(.+\.php)(/.+)$; which does not work because the location regex only matches \.php$.
It would be more useful to match [^/]\.php(/|$) in the location regex.
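To make the mismatch concrete, here is an added Python check (not from the project or the post) that runs the two location regexes and the split rule quoted above over a few constructed URIs.

```python
import re

# Location regexes as quoted in the post (`location ~` is case-sensitive PCRE).
LOCATION_CURRENT = re.compile(r"\.php$")
LOCATION_PROPOSED = re.compile(r"[^/]\.php(/|$)")

# fastcgi_split_path_info rule from php_fastcgi.conf, as quoted in the post.
SPLIT_PATH_INFO = re.compile(r"^(.+\.php)(/.+)$")

def routes_to_php(location, uri):
    """Would a `location ~ <regex>` block be chosen for this URI?"""
    return location.search(uri) is not None

def split_path_info(uri):
    """Mimic fastcgi_split_path_info: ($fastcgi_script_name, $fastcgi_path_info),
    or None when the rule does not match (nginx then leaves the variables empty)."""
    m = SPLIT_PATH_INFO.match(uri)
    return (m.group(1), m.group(2)) if m else None

# Constructed sample URIs: plain script, script with PATH_INFO, static asset,
# and a double-extension upload that must never reach the PHP block.
URIS = ["/index.php", "/index.php/user/42", "/assets/app.js", "/uploads/x.php.jpg"]

def trace(uris=URIS):
    """Per URI: (reaches PHP block with current regex, with proposed regex, split result)."""
    return {u: (routes_to_php(LOCATION_CURRENT, u),
                routes_to_php(LOCATION_PROPOSED, u),
                split_path_info(u)) for u in uris}

if __name__ == "__main__":
    for uri, result in trace().items():
        print(uri, result)
```

With \.php$ the split rule can never fire because no URI carrying PATH_INFO reaches the block; with the wider regex, try_files $uri =404 would 404 /index.php/user/42 (no such file), so the block has to check $fastcgi_script_name instead, which also keeps the "script must exist on disk" guard intact.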
Hi. First of all, I must thank you for a great tool.
Did I miss it, or is there no functionality for proxying specific ports?
In my case, there is a Node application that works on port 3000 (http://127.0.0.1:3000) and is accessible from outside, even without Nginx. It would be great to add functionality to generate config for proxying all incoming traffic on port 80 (443) to a specific port. Just like that:
location @server.app {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
Perhaps it can be done via upstream? Really, I don't know, still new to Nginx:
http {
upstream server.app {
server 127.0.0.1:3000;
}
server {
listen 80;
server_name www.domain.com;
location / {
proxy_pass http://server.app;
}
}
}