Example nginx.conf for Ghost blog with Nginx and ModSecurity - https://blog.ls20.com/install-ghost-0-3-3-with-nginx-and-modsecurity/
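worker_processes 2; # Set this equal to the number of CPU cores

events {
    worker_connections 768;
}

http {
    server_names_hash_bucket_size 64;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;
    include mime.types;
    default_type application/octet-stream;

    # Response hardening headers. add_header is only inherited by a location
    # that defines no add_header of its own, so repeat these if one is added.
    add_header X-Frame-Options SAMEORIGIN; # May prevent StumbleUpon from working
    add_header X-Content-Type-Options nosniff;

    sendfile on;
    keepalive_timeout 10;

    # Compression. Compressing TLS responses that contain per-user secrets is the
    # BREACH condition; the public blog pages served here do not, and the admin
    # UI under /ghost/ is denied below.
    gzip on;
    gzip_comp_level 6;
    gzip_disable "msie6";
    gzip_min_length 150;
    gzip_proxied any;
    gzip_types text/plain text/xml text/css application/json application/javascript;
    gzip_vary on;

    # Upstream response cache used by "location /" (proxy_cache one). No
    # proxy_cache_valid is set, so only responses carrying explicit
    # Cache-Control/Expires headers are stored.
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=one:8m max_size=1000M inactive=60m;
    proxy_temp_path /var/tmp;

    # Request body limits (uploads go through the proxy to Ghost).
    client_max_body_size 20m;
    client_body_buffer_size 128k;

    # Ghost listens on localhost only; nginx is the sole public entry point.
    upstream ghost_upstream {
        server 127.0.0.1:2368;
        keepalive 64;
    }

    server {
        # Plain HTTP and HTTPS serve the same content; port 80 is not redirected
        # to TLS. To force TLS, move "listen 80" into a separate server block
        # that returns 301 https://$server_name$request_uri and add a
        # Strict-Transport-Security header to this block.
        listen 80;
        listen 443 default ssl;
        server_name YOUR.DOMAIN.NAME;

        ssl_certificate /opt/nginx/conf/ssl-unified.crt;
        ssl_certificate_key /opt/nginx/conf/YOUR.DOMAIN.NAME.pem;
        # SSLv3 (POODLE) and TLS 1.0/1.1 are no longer offered. TLSv1.3 needs
        # nginx 1.13+ built against OpenSSL 1.1.1+; drop it on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;
        # RC4 and 3DES removed from the original list. !DH/!EDH keeps the
        # original exclusion of DHE suites (no ssl_dhparam is configured, so the
        # build's default DH parameters would be used); ECDHE suites in HIGH still
        # provide forward secrecy.
        ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES:!DH:!EDH;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # Close the connection without a response for any other method.
        if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; }
        # Canonicalise the host name; the redirect target is the configured
        # server_name, never the client-supplied Host header.
        if ($host != $server_name) {
            return 301 $scheme://$server_name$request_uri;
        }

        # Never serve database, template or config files, dotfiles
        # (including .htaccess) or editor backup files (*~).
        location ~* \.(db|hbs|conf)$ { deny all; }
        location ~ /\.ht { deny all; }
        location ~ /\. { deny all; }
        location ~ ~$ { deny all; }

        location ~ ^/(sitemap\.xml|robots\.txt|favicon\.ico)$ {
            root /var/www/YOUR.DOMAIN.NAME/public;
            access_log off;
            log_not_found off;
        }

        # Static files served directly by Nginx
        location ~ ^/assets/(images|js|css|fonts)/ {
            root /var/www/YOUR.DOMAIN.NAME/content/themes/YOUR_THEME;
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            expires 30d;
            access_log off;
        }
        location ~ ^/(img/|css/|lib/|vendor/|fonts/) {
            root /var/www/YOUR.DOMAIN.NAME/core/client/assets;
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            expires 30d;
            access_log off;
        }
        location ~ ^/(content/images/) {
            root /var/www/YOUR.DOMAIN.NAME;
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            expires 30d;
            access_log off;
        }
        location ~ ^/(shared/|built/) {
            root /var/www/YOUR.DOMAIN.NAME/core;
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            expires 30d;
            access_log off;
        }
        # Note: this location has no ModSecurity directives, unlike the other
        # static locations above; add them if the WAF should cover it too.
        location ~ ^/public/ {
            root /var/www/YOUR.DOMAIN.NAME/core/built;
            expires 30d;
            access_log off;
        }

        # The Ghost admin UI and sign-out endpoint are not exposed through this
        # vhost at all.
        location ~ ^/signout/ { deny all; }
        location ~ ^/ghost/ { deny all; }

        # Everything else is proxied to Ghost behind ModSecurity.
        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            proxy_pass http://ghost_upstream;
            proxy_redirect off;
            proxy_read_timeout 180s;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            # HTTP/1.1 with an empty Connection header is required for the
            # upstream keepalive pool declared above.
            proxy_set_header Connection "";
            proxy_pass_header X-CSRF-TOKEN;
            proxy_http_version 1.1;
            proxy_cache one;
            proxy_cache_key "$scheme$host$request_uri";
            # Do not leak the upstream framework banner to clients.
            proxy_hide_header X-Powered-By;
        }

        location = /50x.html { root html; }
        #error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
    }
}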