diff --git a/CHANGELOG.md b/CHANGELOG.md index 0ce8577..bde6a04 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Nginx-Craft Changelog +## 1.0.34 - 2021.04.18 +### Added +* Added a [Forge Template](https://forge.laravel.com/docs/1.0/servers/nginx-templates.html) `NginxFastCGICacheTemplate.conf` +* Opt out of Google Federated Learning of Cohorts ("FLoC") via the `Permissions-Policy` header. [ref:](https://amifloced.org/) + ## 1.0.33 - 2021.03.17 ### Changed * Updated the Forge template to use more Forge-provided variables diff --git a/forge-templates/NginxFastCGICacheTemplate.conf b/forge-templates/NginxFastCGICacheTemplate.conf new file mode 100644 index 0000000..42d359b --- /dev/null +++ b/forge-templates/NginxFastCGICacheTemplate.conf @@ -0,0 +1,232 @@ +# FastCGI Cache +fastcgi_cache_path /var/run/nginx-cache/{{ SITE }} levels=1:2 keys_zone={{ SITE }}:100m inactive=1d use_temp_path=off max_size=100m; + +# FORGE CONFIG (DO NOT REMOVE!) +include forge-conf/{{ SITE }}/before/*; + +# Bots to ban via user agent +map $http_user_agent $limit_bots { + default 0; + ~*(AhrefsBot|Baiduspider|PaperLiBot) 1; +} + +server { + # Listen for both IPv4 & IPv6 requests on port 443 with http2 enabled + listen {{ PORT }}; + listen {{ PORT_V6 }}; + + # General virtual host settings + server_name {{ DOMAINS }}; + server_tokens off; + root {{ PATH }}; + index index.html index.htm index.php; + charset utf-8; + + # Enable serving of static gzip files as per: http://nginx.org/en/docs/http/ngx_http_gzip_static_module.html + gzip_static on; + + # Enable server-side includes as per: http://nginx.org/en/docs/http/ngx_http_ssi_module.html + ssi on; + + # Disable limits on the maximum allowed size of the client request body + client_max_body_size 0; + + # Ban certain bots from crawling the site + if ($limit_bots = 1) { + return 403; + } + + # 404 error handler + error_page 404 /index.php?$query_string; + + # 301 Redirect URLs with trailing /'s as per https://webmasters.googleblog.com/2010/04/to-slash-or-not-to-slash.html + rewrite ^/(.*)/$ /$1 permanent; + + # Change // -> / for all URLs, so it works for our php location block, too + merge_slashes off; + rewrite (.*)//+(.*) $1/$2 permanent; + + # Handle Do Not Track as per https://www.eff.org/dnt-policy + location /.well-known/dnt-policy.txt { + try_files /dnt-policy.txt /index.php?p=/dnt-policy.txt; + } + + # For WordPress bots/users + location ~ ^/(wp-login|wp-admin|wp-config|wp-content|wp-includes|xmlrpc) { + return 301 https://wordpress.com/wp-login.php; + } + + #Cache everything by default + fastcgi_cache_key "$scheme$request_method$host$request_uri"; + add_header X-Cache-Status $upstream_cache_status; + set $no_cache 0; + if ($request_method = POST) + { + set $no_cache 1; + } + if ($request_uri ~* "/(admin/|cpresources/)") + { + set $no_cache 1; + } + + # Access and error logging + access_log off; + error_log /var/log/nginx/{{ SITE }}-error.log error; + # If you want error logging to go to SYSLOG (for services like Papertrailapp.com), uncomment the following: + #error_log syslog:server=unix:/dev/log,facility=local7,tag=nginx,severity=error; + + # FORGE SSL (DO NOT REMOVE!) + ssl_certificate /etc/nginx/ssl/{{ SITE }}/XXXXXX/server.crt; + ssl_certificate_key /etc/nginx/ssl/{{ SITE }}/XXXXXX/server.key; + + # SSL/TLS configuration, with TLSv1.0 disabled because it is insecure; note that IE 8, 9 & 10 support + # TLSv1.1, but it's not enabled by default clients using those browsers will not be able to connect + ssl_protocols TLSv1.2 TLSv1.1; + ssl_prefer_server_ciphers on; + ssl_dhparam /etc/nginx/dhparams.pem; + ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5'; + ssl_buffer_size 4k; + ssl_session_timeout 4h; + ssl_session_cache shared:SSL:40m; + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem; + + # FORGE CONFIG (DO NOT REMOVE!) + include forge-conf/{{ SITE }}/server/*; + + # Load configuration files from nginx-partials + # For this to work, you must clone the repo into /home/forge via: + # git clone https://github.com/nystudio107/nginx-craft.git /home/forge + include /home/forge/nginx-craft/nginx-partials/*.conf; + + # Root directory location handler + location / { + try_files $uri/index.html $uri $uri/ /index.php?$query_string; + } + + # Localized sites, hat tip to Johannes -- https://gist.github.com/johanneslamers/f6d2bc0d7435dca130fc + + # If you are creating a localized site as per: https://craftcms.com/docs/localization-guide + # the directives here will help you handle the locale redirection so that requests will + # be routed through the appropriate index.php wherein you set the `CRAFT_LOCALE` + + # Enable this by un-commenting it, and changing the language codes as appropriate + # Add a new location @XXrewrites and location /XX/ block for each language that + # you need to support + + #location @enrewrites { + # rewrite ^/en/(.*)$ /en/index.php?$query_string? last; + #} + # + #location /en/ { + # try_files $uri $uri/ @enrewrites; + #} + + # Craft-specific location handlers to ensure AdminCP requests route through index.php + # If you change your `cpTrigger`, change it here as well + location ^~ /admin { + try_files $uri $uri/ @phpfpm_nocache; + } + location ^~ /index.php/admin { + try_files $uri $uri/ @phpfpm_nocache; + } + location ^~ /cpresources { + try_files $uri $uri/ /index.php?$query_string; + } + location ^~ /actions { + try_files $uri $uri/ /index.php?$query_string; + } + + # php-fpm configuration + location ~ [^/]\.php(/|$) { + try_files $uri $uri/ /index.php?$query_string; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + # Change this to whatever version of php you are using + fastcgi_pass {{ PROXY_PASS }}; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; + fastcgi_param DOCUMENT_ROOT $realpath_root; + fastcgi_param HTTP_PROXY ""; + fastcgi_param HTTP_HOST {{ SITE }}; + + # Don't allow browser caching of dynamically generated content + add_header Last-Modified $date_gmt; + add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"; + if_modified_since off; + expires off; + etag off; + # Load security.conf from nginx-partials again, because add_header used in this location + # block removes any already added headers https://nginx.org/en/docs/http/ngx_http_headers_module.html + include /home/forge/nginx-partials/security.conf; + + # Use Dotenvy to generate the .env variables as per: https://github.com/nystudio107/dotenvy + # and then uncomment this line to include them: + # include /home/forge/SOMEDOMAIN/.env_nginx.txt + + fastcgi_intercept_errors off; + fastcgi_buffer_size 16k; + fastcgi_buffers 4 16k; + fastcgi_connect_timeout 300; + fastcgi_send_timeout 300; + fastcgi_read_timeout 300; + + # FastCGI Cache settings + fastcgi_ignore_headers Cache-Control Expires Set-Cookie; + fastcgi_cache {{ SITE }}; + fastcgi_hide_header Set-Cookie; + fastcgi_cache_valid 200 1d; + fastcgi_cache_use_stale updating error timeout invalid_header http_500; + fastcgi_cache_bypass $no_cache; + fastcgi_no_cache $no_cache; + } + + # php-fpm configuration for non-cached content + location @phpfpm_nocache { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + # Change this to whatever version of php you are using + fastcgi_pass {{ PROXY_PASS }}; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param PATH_INFO $query_string; + fastcgi_param SCRIPT_FILENAME $realpath_root/index.php; + fastcgi_param DOCUMENT_ROOT $realpath_root; + fastcgi_param HTTP_PROXY ""; + fastcgi_param HTTP_HOST {{ SITE }}; + + # Don't allow browser caching of dynamically generated content + add_header X-Cache-Status $upstream_cache_status; + add_header Last-Modified $date_gmt; + add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"; + if_modified_since off; + expires off; + etag off; + # Load security.conf from nginx-partials again, because add_header used in this location + # block removes any already added headers https://nginx.org/en/docs/http/ngx_http_headers_module.html + include /home/forge/nginx-craft/nginx-partials/security.conf; + + # Use Dotenvy to generate the .env variables as per: https://github.com/nystudio107/dotenvy + # and then uncomment this line to include them: + # include /home/forge/SOMEDOMAIN/.env_nginx.txt + + fastcgi_intercept_errors off; + fastcgi_buffer_size 16k; + fastcgi_buffers 4 16k; + fastcgi_connect_timeout 300; + fastcgi_send_timeout 300; + fastcgi_read_timeout 300; + + # No FastCGI Cache + fastcgi_cache_bypass 1; + fastcgi_no_cache 1; + } + + location ~ /\.ht { + deny all; + } +} + +# FORGE CONFIG (DO NOT REMOVE!) +include forge-conf/{{ SITE }}/after/*; diff --git a/nginx-partials/security.conf b/nginx-partials/security.conf index 1ffc783..479fba2 100644 --- a/nginx-partials/security.conf +++ b/nginx-partials/security.conf @@ -5,6 +5,8 @@ add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; +# Opt out of Google Federated Learning of Cohorts ("FLoC"). ref:(https://amifloced.org/) +add_header Permissions-Policy "interest-cohort=()" always; # Add Content-Security-Policy HTTP response header. Helps reduce XSS risks on # modern browsers by declaring what dynamic resources are allowed to load via a