## DOC: http://wiki.nginx.org/HttpFastcgiModule
fastcgi_buffer_size 128k;
-fastcgi_buffers 4 256k;
+fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
fastcgi_connect_timeout 60;
fastcgi_ignore_client_abort off;
fastcgi_intercept_errors on;
+fastcgi_max_temp_file_size 2M;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_read_timeout 180;
fastcgi_send_timeout 180;
fastcgi_temp_file_write_size 256k;
+
+# vim: ft=sh
default_type application/octet-stream;
error_log /var/log/nginx/error.log warn;
error_page 403 = 404;
- fastcgi_cache_key "$request_method $scheme://$host$request_uri";
+ fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
fastcgi_cache_path /run/shm/cache/nginx/fastcgi
+ inactive=10m
+ keys_zone=microcache:2M
levels=1:2
- keys_zone=microcache:10m
- inactive=5m
- max_size=64m;
- fastcgi_cache microcache;
+ loader_files=100000
+ loader_sleep=1
+ loader_threshold=2592000000
+ max_size=64M;
+ fastcgi_temp_path /run/shm/tmp/nginx/ 1 2;
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 6;
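Review bot: The new `fastcgi_cache_key` uses `$http_host`, which is the Host header exactly as the client sent it, whereas `$host` is normalised by nginx (lower-cased, port stripped, falling back to the server name). If any server block using this cache accepts arbitrary Host values (a default or wildcard vhost, not visible here), one URL can be stored under many different keys, which eats into the 64M zone in /run/shm. The same variable builds the redirect target in the port-80 `location = /index.php`, so the Location header there is client-controlled as well. I would keep `$host` in the key and use it (or the literal site name) in the redirect: `return 302 "https://$host/index.php";`.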
# This is useful for prepending headers before calling sendfile,
# or for throughput optimization.
types_hash_max_size 2048;
+ ## Add here all user agents that are to be blocked.
+ map $http_user_agent $bad_bot {
+ default 0;
+ libwww-perl 1;
+ ~(?i)(httrack|htmlparser|libwww) 1;
+ }
+ ## Add here all referrers that are to blocked.
+ #map $http_referer $bad_referer {
+ # default 0;
+ # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
+ # }
+ geo $not_local {
+ default 1;
+ 127.0.0.1 0;
+ }
+ include /etc/nginx/site.d/*/http.conf;
include /etc/nginx/site.d/*/server.conf;
}
pid /run/nginx.pid;
user www-data;
worker_processes 2;
+
+# vim: ft=sh
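Review bot: `include /etc/nginx/site.d/*/http.conf;` pulls every site's file into the single `http {}` context, so variables defined there are global rather than per-site. The lhc-stats http.conf added in this commit defines `$no_cache`, the same name other site configs pass to `fastcgi_no_cache`, so one site's caching rules can leak into another's; how the other sites define it is outside this diff. A site prefix on such names (for example `$lhc_stats_no_cache`) and a comment above the include stating that these files share one namespace would avoid that. Separately, `geo $not_local` lists only `127.0.0.1`; if it is meant to identify loopback clients, `::1` is missing, though its use is not visible here.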
fastcgi_cache_valid 200 10s;
fastcgi_cache_valid 404 30m;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
- fastcgi_max_temp_file_size 2M;
fastcgi_no_cache $no_cache;
fastcgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf;
fastcgi_param PATH_INFO $uri;
fastcgi_cache_valid 404 10m;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_index index.php;
- fastcgi_max_temp_file_size 2M;
fastcgi_no_cache $no_cache;
fastcgi_param REDIRECT_STATUS 200;
# NOTE: PHP only, required if PHP was built with --enable-force-cgi-redirect
include /etc/nginx/conf.d/ssl.conf;
ssl_certificate /etc/nginx/x509.d/lhc-stats-tls/crt.pem;
ssl_certificate_key /etc/nginx/x509.d/lhc-stats-tls/key.pem;
+
+location = /index.php {
+ ## Relay all index.php requests to fastcgi.
+ include /etc/nginx/conf.d/fastcgi.conf;
+ add_header X-Piwik-Cache $upstream_cache_status;
+ expires epoch;
+ fastcgi_cache microcache;
+ fastcgi_cache_bypass $no_cache;
+ fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+ fastcgi_cache_valid 200 301 5m;
+ fastcgi_cache_valid 302 3m;
+ fastcgi_cache_valid 404 1m;
+ fastcgi_ignore_headers Cache-Control Expires;
+ fastcgi_index index.php;
+ fastcgi_no_cache $no_cache;
+ fastcgi_param REDIRECT_STATUS 200;
+
+ fastcgi_pass php5_fpm_lhc_stats;
+ }
+
+# vim: ft=sh
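Review bot: `add_header X-Piwik-Cache $upstream_cache_status;` in this location stops nginx from inheriting any `add_header` set at server or http level, because inheritance only applies when the current level defines none. If the included `/etc/nginx/conf.d/ssl.conf` sets headers such as Strict-Transport-Security (its content is not shown), they would no longer be sent on /index.php responses. Either repeat those headers inside the location or drop the debug header once the cache is tuned; a comment such as `# NOTE: add_header here replaces headers inherited from ssl.conf` would at least document it. The same applies to `X-Piwik-Long-Cache` in the `/piwik.php` location of server.conf.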
--- /dev/null
+upstream php5_fpm_lhc_stats {
+ server unix:/run/php5/fpm/lhc_stats;
+ }
+
+map $request_method $no_cache {
+ # NOTE: if non GET/HEAD, don't cache.
+ default 1;
+ HEAD 0;
+ GET 0;
+ }
+map $arg_module $no_cache {
+ ## When we go through installation
+ ## or when we're on the dashboard for specific tasks.
+ Installation 1; # when invoking the installation module.
+ ~[^\&]*(?:Dashboard|Live|Goals|Admin|Manager) 1; # some tasks
+ }
+map $arg_action $no_cache {
+ ## The first installation steps don't invoke the installation module.
+ systemCheck 1;
+ databaseSetup 1;
+ }
+map $http_cookie $no_cache {
+ ## Testing for the session cookie being present.
+ ## If there is then no caching is to be done.
+ ~PIWIK_SESSID 1; # Piwik session cookie
+ }
+
+# vim: ft=sh
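Review bot: The four `map ... $no_cache` blocks all write the same variable, and as far as I know nginx does not combine them: each later `map` replaces the earlier one's handler, so only the `$http_cookie` map would take effect. That would leave the method, `module` and `action` rules inert. Since the locations using it set `fastcgi_ignore_headers Cache-Control Expires`, `$no_cache` is the main thing keeping dashboard and installation responses out of the shared cache. Both `fastcgi_no_cache` and `fastcgi_cache_bypass` accept several variables, so giving each map its own name and listing them all is the safer form, e.g. `fastcgi_no_cache $no_cache_method $no_cache_module $no_cache_action $no_cache_cookie;`. It is worth confirming by requesting a `module=Installation` URL without a session cookie and reading the X-Piwik-Cache header.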
listen 80;
+
+location = /index.php {
+ return 302 "https://$http_host/index.php";
+ }
client_body_buffer_size 8k;
client_max_body_size 10m;
-location / {
- index index.html index.htm index.php;
+
+if ($bad_bot) {
+ return 444;
}
-location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
- access_log off;
- expires 30d;
- log_not_found off;
+#if ($bad_referer) {
+# return 444;
+# }
+
+#location ~ /\. {
+# access_log off;
+# deny all;
+# log_not_found off;
+# }
+location ~* ^.+\.(?:css|gif|jpe?g|js|png|swf)$ {
+ ## Defining the valid referers.
+ ## Disallow any usage of piwik assets if referer is non valid.
+ valid_referers none blocked
+ *.cyclocoop.org
+ *.heureux-cyclage.org
+ *.ptitvelo.net
+ *.velosenville.org;
+ if ($invalid_referer) {
+ return 444;
+ }
+
+ expires max;
+ # NOTE: Static files use the OS buffer cache.
+ open_file_cache max=500 inactive=120s;
+ open_file_cache_errors off;
+ open_file_cache_min_uses 2;
+ open_file_cache_valid 45s;
+ tcp_nodelay off;
+ }
+location = /favicon.ico {
+ ## Support for favicon. Return a 204 (No Content) if the favicon doesn't exist.
+ try_files /favicon.ico =204;
}
-location ~ /\. {
- access_log off;
- deny all;
- log_not_found off;
+location / {
+ ## Try all locations and relay to index.php as a fallback.
+ try_files $uri /index.php?$query_string;
}
-location ~ \.php$ {
+location = /piwik.php {
+ ## Relay all piwik.php requests to fastcgi.
include /etc/nginx/conf.d/fastcgi.conf;
- set $no_cache "0";
- if ($request_method !~ ^(GET|HEAD)$) {
- # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie.
- set $no_cache "1";
- }
- if ($no_cache = "1") {
- # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block).
- add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
- add_header X-Microcachable "0";
- }
- if ($http_cookie ~* "_mcnc") {
- # NOTE: bypass cache if no-cache cookie is set
- set $no_cache "1";
- }
+ add_header X-Piwik-Long-Cache $upstream_cache_status;
+ expires epoch;
+ fastcgi_cache microcache;
fastcgi_cache_bypass $no_cache;
- fastcgi_cache_use_stale updating;
- fastcgi_cache_valid 200 10s;
+ fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+ fastcgi_cache_valid 200 301 2h;
+ fastcgi_cache_valid 302 30m;
fastcgi_cache_valid 404 10m;
- fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
- fastcgi_index index.php;
- fastcgi_max_temp_file_size 2M;
+ fastcgi_ignore_headers Cache-Control Expires;
fastcgi_no_cache $no_cache;
fastcgi_param REDIRECT_STATUS 200;
- # NOTE: PHP only, required if PHP was built with --enable-force-cgi-redirect
- fastcgi_pass_header Cookie;
- fastcgi_pass_header Set-Cookie;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_pass unix:/run/php5/fpm/lhc_stats;
+ fastcgi_pass php5_fpm_lhc_stats;
+ }
+location ~* ^.+\.php$ {
+ ## Any other attempt to access PHP files redirects to the root.
+ return 302 /;
+ }
+location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ {
+ ## Redirect to the root if attempting to access a txt file.
+ return 302 /;
+ }
+location ~* \.(?:bat|html?|git|ini|sh|svn[^.]*|txt|tpl|xml)$ {
+ ## Disallow access to several helper files.
+ return 404;
+ }
+location = /robots.txt {
+ ## No crawling of this site for bots that obey robots.txt.
+ return 200 "User-agent: *\nDisallow: /\n";
}
# vim: ft=sh
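Review bot: The `location ~ /\.` deny block is removed here and its replacement is commented out, so nothing in this server block rejects dot-paths any more. The new `\.(?:bat|html?|git|...)$` location only matches URIs that end in one of those extensions. A path inside a `.git` or `.svn` directory, or a file like `.htpasswd`, therefore falls through to `location /`, where `try_files $uri` will serve it if it exists under the document root. I would restore the block uncommented: `location ~ /\. { access_log off; deny all; log_not_found off; }`. Also note that `valid_referers` on the asset location is hotlink control only, since the Referer header is set by the client.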
fastcgi_cache_valid 404 10m;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_index index.php;
- fastcgi_max_temp_file_size 2M;
fastcgi_no_cache $no_cache;
fastcgi_param REDIRECT_STATUS 200;
# NOTE: PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_cache_valid 200 10s;
fastcgi_cache_valid 404 30m;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
- fastcgi_max_temp_file_size 2M;
fastcgi_no_cache $no_cache;
fastcgi_param SCRIPT_NAME '';
fastcgi_param SERVER_NAME $host;
/etc/nginx/site.d/"$site"
sudo install -d -m 770 -o www -g www \
/etc/nginx/x509.d/"$site"
- test -L /home/www/pub/"$site" ||
+ sudo test -L /home/www/pub/"$site" ||
sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
/home/www/pub/"$site"
sudo adduser www-data www-"$site"
sudo install -m 660 -o www -g www \
"$tool"/etc/nginx/site.d/"$site"/local.conf \
/etc/nginx/site.d/"$site"/local.conf
+ test ! -e "$tool"/etc/nginx/site.d/"$site"/http.conf ||
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/site.d/"$site"/http.conf \
+ /etc/nginx/site.d/"$site"/http.conf
if test -L "$tool"/etc/nginx/site.d/"$site"/site.conf
then
sudo cp --force --preserve=links --no-dereference \
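Review bot: The new `http.conf` is installed with `-m 660 -o www -g www`, the same mode as `local.conf`, but this file is included at `http {}` level by the nginx.conf change and so affects every vhost, not just "$site". Anyone able to write as user or group `www` can therefore change configuration that nginx loads on its next reload; who belongs to that group is not visible here. Consider a tighter mode for this one file (`-m 640`), or add a comment stating why group write is needed.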
/run/nginx/fastcgi \
/run/shm/cache/nginx \
/run/shm/cache/nginx/fastcgi \
- /run/shm/cache/nginx/client_body
+ /run/shm/cache/nginx/client_body \
+ /run/shm/tmp/nginx
exec /usr/sbin/nginx \
-c /etc/nginx/nginx.conf \