X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=blobdiff_plain;f=etc%2Fnginx%2Fsite.d%2Flhc-stats%2Fsite.conf;h=986e3b93b99633a24b861ae0cf929329ac88cb09;hp=b52ba28a6cc71e28e040386b2ec4030ce1bdc514;hb=9075978ae94310fa7a27d9881d3cecc6150ca3e9;hpb=45a4450db64a63643edd37d8e3aba8d57fe6a3ad
diff --git a/etc/nginx/site.d/lhc-stats/site.conf b/etc/nginx/site.d/lhc-stats/site.conf
index b52ba28..986e3b9 100644
--- a/etc/nginx/site.d/lhc-stats/site.conf
+++ b/etc/nginx/site.d/lhc-stats/site.conf
@@ -2,50 +2,81 @@ server_name stats.heureux-cyclage.org; client_body_buffer_size 8k; client_max_body_size 10m; -location / { - index index.html index.htm index.php; + +if ($bad_bot) { + return 444; } -location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ { - access_log off; - expires 30d; - log_not_found off; +#if ($bad_referer) { +# return 444; +# } + +#location ~ /\. { +# access_log off; +# deny all; +# log_not_found off; +# } +location ~* ^.+\.(?:css|gif|jpe?g|js|png|swf)$ { + ## Defining the valid referers. + ## Disallow any usage of piwik assets if referer is non valid. + valid_referers none blocked + server_names + .cyclocoop.org + .heureux-cyclage.org + .ptitvelo.net + .velosenville.org + .wiklou.org; + if ($invalid_referer) { + return 444; + } + + expires max; + # NOTE: Static files use the OS buffer cache. + open_file_cache max=500 inactive=120s; + open_file_cache_errors off; + open_file_cache_min_uses 2; + open_file_cache_valid 45s; + tcp_nodelay off; + } +location = /favicon.ico { + ## Support for favicon. Return a 204 (No Content) if the favicon doesn't exist. + try_files /favicon.ico =204; } -location ~ /\. { - access_log off; - deny all; - log_not_found off; +location / { + ## Try all locations and relay to index.php as a fallback. + try_files $uri /index.php?$query_string; } -location ~ \.php$ { +location = /piwik.php { + ## Relay all piwik.php requests to fastcgi. include /etc/nginx/conf.d/fastcgi.conf; - set $no_cache "0"; - if ($request_method !~ ^(GET|HEAD)$) { - # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie. - set $no_cache "1"; - } - if ($no_cache = "1") { - # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block). 
- add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/"; - add_header X-Microcachable "0"; - } - if ($http_cookie ~* "_mcnc") { - # NOTE: bypass cache if no-cache cookie is set - set $no_cache "1"; - } + add_header X-Piwik-Long-Cache $upstream_cache_status; + expires epoch; + fastcgi_cache microcache; fastcgi_cache_bypass $no_cache; - fastcgi_cache_use_stale updating; - fastcgi_cache_valid 200 10s; + fastcgi_cache_use_stale error timeout invalid_header updating http_500; + fastcgi_cache_valid 200 301 2h; + fastcgi_cache_valid 302 30m; fastcgi_cache_valid 404 10m; - fastcgi_ignore_headers Cache-Control Expires Set-Cookie; - fastcgi_index index.php; - fastcgi_max_temp_file_size 2M; + fastcgi_ignore_headers Cache-Control Expires; fastcgi_no_cache $no_cache; fastcgi_param REDIRECT_STATUS 200; - # NOTE: PHP only, required if PHP was built with --enable-force-cgi-redirect - fastcgi_pass_header Cookie; - fastcgi_pass_header Set-Cookie; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/run/php5/fpm/lhc_stats; + fastcgi_pass php_fpm_lhc_stats; + } +location ~* ^.+\.php$ { + ## Any other attempt to access PHP files redirects to the root. + return 302 /; + } +location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ { + ## Redirect to the root if attempting to access a txt file. + return 302 /; + } +location ~* \.(?:bat|html?|git|ini|sh|svn[^.]*|txt|tpl|xml)$ { + ## Disallow access to several helper files. + return 404; + } +location = /robots.txt { + ## No crawling of this site for bots that obey robots.txt. + return 200 "User-agent: *\nDisallow: /\n"; } # vim: ft=sh
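Review bot: The hidden-file deny block is removed and survives only as a comment, and the new `\.(?:bat|html?|git|ini|sh|svn[^.]*|txt|tpl|xml)$` location matches only URIs that end in one of those extensions. A path such as `/.git/config` or `/.htpasswd` therefore matches none of the regex locations and falls through to `location /`, where `try_files $uri` serves it if such a file exists under the document root. I would restore the block as active configuration next to the other regex locations: `location ~ /\. { access_log off; deny all; log_not_found off; }`. Separately, `location = /piwik.php` still passes `$no_cache` to `fastcgi_cache_bypass` and `fastcgi_no_cache`, but every `set $no_cache` line is deleted in this hunk. Unless the variable is defined outside it (a `map` in the http context, for instance), nginx will either reject the configuration or the bypass will never fire, so it is worth confirming where the value now comes from.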