Initial Commit

nginx/Dockerfile

@@ -0,0 +1,2 @@
+FROM nginx:latest
+COPY . /etc/nginx/

nginx/nginx.conf

@@ -0,0 +1,57 @@
+# Generated by nginxconfig.io
+# See nginxconfig.txt for the configuration share link
+
+user                 nginx;
+pid                  /var/run/nginx.pid;
+worker_processes     auto;
+worker_rlimit_nofile 65535;
+
+# Load modules
+include              /etc/nginx/modules-enabled/*.conf;
+
+events {
+    multi_accept       on;
+    worker_connections 65535;
+}
+
+http {
+    charset                utf-8;
+    sendfile               on;
+    tcp_nopush             on;
+    tcp_nodelay            on;
+    server_tokens          off;
+    log_not_found          off;
+    types_hash_max_size    2048;
+    types_hash_bucket_size 64;
+    client_max_body_size   16M;
+
+    # MIME
+    include                mime.types;
+    default_type           application/octet-stream;
+
+    # Logging
+    access_log             off;
+    error_log              /dev/null;
+
+    # SSL
+    ssl_session_timeout    1d;
+    ssl_session_cache      shared:SSL:10m;
+    ssl_session_tickets    off;
+
+    # Diffie-Hellman parameter for DHE ciphersuites
+    ssl_dhparam            /etc/nginx/ssl/dhparam.pem;
+
+    # Mozilla Intermediate configuration
+    ssl_protocols          TLSv1.2 TLSv1.3;
+    ssl_ciphers            ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+    # OCSP Stapling
+    ssl_stapling           on;
+    ssl_stapling_verify    on;
+    resolver               1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
+    resolver_timeout       2s;
+
+    # Load configs
+    include                /etc/nginx/conf.d/*.conf;
+    include                /etc/nginx/sites-enabled/*;
+}

nginx/nginxconfig.io/general.conf

@@ -0,0 +1,27 @@
+# favicon.ico
+location = /favicon.ico {
+    log_not_found off;
+}
+
+# robots.txt
+location = /robots.txt {
+    log_not_found off;
+}
+
+# assets, media
+location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
+    expires 7d;
+}
+
+# svg, fonts
+location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
+    add_header Access-Control-Allow-Origin "*";
+    expires    7d;
+}
+
+# gzip
+gzip            on;
+gzip_vary       on;
+gzip_proxied    any;
+gzip_comp_level 6;
+gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

nginx/nginxconfig.io/php_fastcgi.conf

@@ -0,0 +1,15 @@
+# 404
+try_files                     $fastcgi_script_name =404;
+
+# default fastcgi_params
+include                       fastcgi_params;
+
+# fastcgi settings
+fastcgi_index                 index.php;
+fastcgi_buffers               8 16k;
+fastcgi_buffer_size           32k;
+
+# fastcgi params
+fastcgi_param DOCUMENT_ROOT   $realpath_root;
+fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";

nginx/nginxconfig.io/security.conf

@@ -0,0 +1,12 @@
+# security headers
+add_header X-XSS-Protection          "1; mode=block" always;
+add_header X-Content-Type-Options    "nosniff" always;
+add_header Referrer-Policy           "no-referrer-when-downgrade" always;
+add_header Content-Security-Policy   "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self';" always;
+add_header Permissions-Policy        "interest-cohort=()" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+# . files
+location ~ /\.(?!well-known) {
+    deny all;
+}

nginx/nginxconfig.txt

@@ -0,0 +1 @@
+https://www.digitalocean.com/community/tools/nginx?domains.0.server.domain=&domains.0.server.path=%2Fvar%2Fwww%2Fhtml&domains.0.server.redirectSubdomains=false&domains.0.https.certType=custom&domains.0.https.sslCertificate=%2Fetc%2Fnginx%2Fssl%2Fcert.pem&domains.0.https.sslCertificateKey=%2Fetc%2Fnginx%2Fssl%2Fkey.pem&domains.0.php.phpServer=custom&domains.0.php.phpServerCustom=phpfpm%3A9000&domains.0.routing.fallbackHtml=true&global.nginx.user=nginx&global.nginx.pid=%2Fvar%2Frun%2Fnginx.pid&global.docker.dockerfile=true

nginx/sites-available/default.conf

@@ -0,0 +1,49 @@
+server {
+    listen              443 ssl default_server;
+    listen              [::]:443 ssl default_server;
+    server_name         _;
+    http2               on;
+    set                 $base /var/www/html;
+    root                $base/public;
+
+    # SSL
+    ssl_certificate     /etc/nginx/ssl/cert.pem;
+    ssl_certificate_key /etc/nginx/ssl/key.pem;
+
+    # security
+    include             nginxconfig.io/security.conf;
+
+    # logging
+    access_log          /var/log/nginx/access.log combined buffer=512k flush=1m;
+    error_log           /var/log/nginx/error.log warn;
+
+    # index.php
+    index               index.php;
+
+    # index.html fallback
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    # index.php fallback
+    location ~ ^/api/ {
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+
+    # additional config
+    include nginxconfig.io/general.conf;
+
+    # handle .php
+    location ~ \.php$ {
+        fastcgi_pass phpfpm:9000;
+        include      nginxconfig.io/php_fastcgi.conf;
+    }
+}
+
+# HTTP redirect
+server {
+    listen      80 default_server;
+    listen      [::]:80 default_server;
+    server_name _;
+    return      301 https://$host:8443$request_uri;
+}

nginx/sites-enabled/default.conf

@@ -0,0 +1 @@
+../sites-available/default.conf