From 5c42a4d606c3fb4de3420b220d45077b08f13a40 Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Fri, 19 Apr 2013 00:43:30 +0200
Subject: [PATCH] =?utf8?q?Modification=20:=20etc/nginx/site.d/lhc-stats/si?= =?utf8?q?te.conf=20:=20int=C3=A8gre=20de=20la=20conf=20de=20piwik-nginx.g?= =?utf8?q?it=20.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
---
 etc/nginx/conf.d/fastcgi.conf | 5 +-
 etc/nginx/nginx.conf | 31 +++++-
 etc/nginx/site.d/gitweb/site.conf | 1 -
 etc/nginx/site.d/lhc-questionnaires/site.conf | 1 -
 etc/nginx/site.d/lhc-stats-tls/local.conf | 21 ++++
 etc/nginx/site.d/lhc-stats/http.conf | 28 ++++++
 etc/nginx/site.d/lhc-stats/local.conf | 4 +
 etc/nginx/site.d/lhc-stats/site.conf | 99 ++++++++++++-------
 etc/nginx/site.d/lhc-www/site.conf | 1 -
 etc/nginx/site.d/sympa/site.conf | 1 -
 etc/sv/nginx/configure.sh | 6 +-
 etc/sv/nginx/run | 3 +-
 12 files changed, 154 insertions(+), 47 deletions(-)
 create mode 100644 etc/nginx/site.d/lhc-stats/http.conf
diff --git a/etc/nginx/conf.d/fastcgi.conf b/etc/nginx/conf.d/fastcgi.conf
index 72a1588..fdc5f6d 100644
--- a/etc/nginx/conf.d/fastcgi.conf
+++ b/etc/nginx/conf.d/fastcgi.conf
@@ -1,10 +1,11 @@
 ## DOC: http://wiki.nginx.org/HttpFastcgiModule
 fastcgi_buffer_size 128k;
-fastcgi_buffers 4 256k;
+fastcgi_buffers 256 4k;
 fastcgi_busy_buffers_size 256k;
 fastcgi_connect_timeout 60;
 fastcgi_ignore_client_abort off;
 fastcgi_intercept_errors on;
+fastcgi_max_temp_file_size 2M;
 fastcgi_param CONTENT_LENGTH $content_length;
 fastcgi_param CONTENT_TYPE $content_type;
 fastcgi_param DOCUMENT_ROOT $document_root;
@@ -30,3 +31,5 @@ fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
 fastcgi_read_timeout 180;
 fastcgi_send_timeout 180;
 fastcgi_temp_file_write_size 256k;
+
+# vim: ft=sh
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index 4be2606..216e273 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -21,13 +21,16 @@ http {
 default_type application/octet-stream;
 error_log /var/log/nginx/error.log warn;
 error_page 403 = 404;
- fastcgi_cache_key "$request_method $scheme://$host$request_uri";
+ fastcgi_cache_key "$request_method $scheme://$http_host$request_uri";
 fastcgi_cache_path /run/shm/cache/nginx/fastcgi
+ inactive=10m
+ keys_zone=microcache:2M
 levels=1:2
- keys_zone=microcache:10m
- inactive=5m
- max_size=64m;
- fastcgi_cache microcache;
+ loader_files=100000
+ loader_sleep=1
+ loader_threshold=2592000000
+ max_size=64M;
+ fastcgi_temp_path /run/shm/tmp/nginx/ 1 2;
 gzip on;
 gzip_buffers 16 8k;
 gzip_comp_level 6;
@@ -78,8 +81,26 @@ http {
 # This is useful for prepending headers before calling sendfile,
 # or for throughput optimization.
 types_hash_max_size 2048;
+ ## Add here all user agents that are to be blocked.
+ map $http_user_agent $bad_bot {
+ default 0;
+ libwww-perl 1;
+ ~(?i)(httrack|htmlparser|libwww) 1;
+ }
+ ## Add here all referrers that are to blocked.
+ #map $http_referer $bad_referer {
+ # default 0;
+ # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1;
+ # }
+ geo $not_local {
+ default 1;
+ 127.0.0.1 0;
+ }
+ include /etc/nginx/site.d/*/http.conf;
 include /etc/nginx/site.d/*/server.conf;
 }
 pid /run/nginx.pid;
 user www-data;
 worker_processes 2;
+
+# vim: ft=sh
diff --git a/etc/nginx/site.d/gitweb/site.conf b/etc/nginx/site.d/gitweb/site.conf
index d27614c..70fb600 100644
--- a/etc/nginx/site.d/gitweb/site.conf
+++ b/etc/nginx/site.d/gitweb/site.conf
@@ -51,7 +51,6 @@ location @gitweb {
 fastcgi_cache_valid 200 10s;
 fastcgi_cache_valid 404 30m;
 fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
- fastcgi_max_temp_file_size 2M;
 fastcgi_no_cache $no_cache;
 fastcgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf;
 fastcgi_param PATH_INFO $uri;
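Review bot: Switching `fastcgi_cache_key` from `$host` to `$http_host` keys the cache on the raw, client-supplied Host header: `$host` is lowercased, port-stripped and falls back to the matching server_name, whereas `$http_host` keeps case and port and is empty on HTTP/1.0 requests, so `Stats.Heureux-Cyclage.org`, `stats.heureux-cyclage.org:443` and the bare name each get their own entry. That lets any client sidestep a warm cache by varying the header and multiplies entries in a `keys_zone` that this same hunk shrinks to 2M. Unless the backend's Host-dependent output is the reason for the change (not visible here), `fastcgi_cache_key "$request_method $scheme://$host$request_uri";` is the safer key. `loader_threshold=2592000000` is thirty days in milliseconds and, combined with `loader_sleep=1`, makes the cache loader effectively run without pausing; if that is intended, a comment stating so would help the next reader.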
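Review bot: In `map $http_user_agent $bad_bot`, `libwww-perl 1;` is an exact whole-string match that is already covered by the unanchored `~(?i)(httrack|htmlparser|libwww) 1;` entry and can be dropped; either way this is a nuisance filter, since the header is chosen by the client. `geo $not_local` is declared here but nothing in this patch reads it, so if no site.d file uses it either it is dead configuration. The commented-out `$bad_referer` map contains substrings such as `click`, `love` and `organic` that would match ordinary referrers if it is ever enabled; a one-line comment such as `# disabled: terms are too broad and match legitimate referrers` would keep it from being switched on as-is.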
diff --git a/etc/nginx/site.d/lhc-questionnaires/site.conf b/etc/nginx/site.d/lhc-questionnaires/site.conf
index f0e1134..bd4365d 100644
--- a/etc/nginx/site.d/lhc-questionnaires/site.conf
+++ b/etc/nginx/site.d/lhc-questionnaires/site.conf
@@ -40,7 +40,6 @@ location ~ \.php$ {
 fastcgi_cache_valid 404 10m;
 fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
 fastcgi_index index.php;
- fastcgi_max_temp_file_size 2M;
 fastcgi_no_cache $no_cache;
 fastcgi_param REDIRECT_STATUS 200;
 # NOTE: PHP only, required if PHP was built with --enable-force-cgi-redirect
diff --git a/etc/nginx/site.d/lhc-stats-tls/local.conf b/etc/nginx/site.d/lhc-stats-tls/local.conf
index 1d12581..d81e006 100644
--- a/etc/nginx/site.d/lhc-stats-tls/local.conf
+++ b/etc/nginx/site.d/lhc-stats-tls/local.conf
@@ -2,3 +2,24 @@ listen 443;
 include /etc/nginx/conf.d/ssl.conf;
 ssl_certificate /etc/nginx/x509.d/lhc-stats-tls/crt.pem;
 ssl_certificate_key /etc/nginx/x509.d/lhc-stats-tls/key.pem;
+
+location = /index.php {
+ ## Relay all index.php requests to fastcgi.
+ include /etc/nginx/conf.d/fastcgi.conf;
+ add_header X-Piwik-Cache $upstream_cache_status;
+ expires epoch;
+ fastcgi_cache microcache;
+ fastcgi_cache_bypass $no_cache;
+ fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+ fastcgi_cache_valid 200 301 5m;
+ fastcgi_cache_valid 302 3m;
+ fastcgi_cache_valid 404 1m;
+ fastcgi_ignore_headers Cache-Control Expires;
+ fastcgi_index index.php;
+ fastcgi_no_cache $no_cache;
+ fastcgi_param REDIRECT_STATUS 200;
+
+ fastcgi_pass php5_fpm_lhc_stats;
+ }
+
+# vim: ft=sh
diff --git a/etc/nginx/site.d/lhc-stats/http.conf b/etc/nginx/site.d/lhc-stats/http.conf
new file mode 100644
index 0000000..58563f7
--- /dev/null
+++ b/etc/nginx/site.d/lhc-stats/http.conf
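Review bot: `add_header X-Piwik-Cache $upstream_cache_status;` inside the new `location = /index.php` has a side effect that is easy to miss: nginx inherits `add_header` from the enclosing level only when the current level defines none, so any headers set in the server block or in the included ssl.conf (not visible here) stop being sent for this location. The same applies to `add_header X-Piwik-Long-Cache` in the new `location = /piwik.php` of etc/nginx/site.d/lhc-stats/site.conf. If server-level headers exist, repeat them in these locations or drop the cache-status header, which also tells every client whether a given URL was served from cache. `fastcgi_index index.php;` does nothing in an exact-match location and can be removed.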
@@ -0,0 +1,28 @@
+upstream php5_fpm_lhc_stats {
+ server unix:/run/php5/fpm/lhc_stats;
+ }
+
+map $request_method $no_cache {
+ # NOTE: if non GET/HEAD, don't cache.
+ default 1;
+ HEAD 0;
+ GET 0;
+ }
+map $arg_module $no_cache {
+ ## When we go through installation
+ ## or when we're on the dashboard for specific tasks.
+ Installation 1; # when invoking the installation module.
+ ~[^\&]*(?:Dashboard|Live|Goals|Admin|Manager) 1; # some tasks
+ }
+map $arg_action $no_cache {
+ ## The first installation steps don't invoke the installation module.
+ systemCheck 1;
+ databaseSetup 1;
+ }
+map $http_cookie $no_cache {
+ ## Testing for the session cookie being present.
+ ## If there is then no caching is to be done.
+ ~PIWIK_SESSID 1; # Piwik session cookie
+ }
+
+# vim: ft=sh
diff --git a/etc/nginx/site.d/lhc-stats/local.conf b/etc/nginx/site.d/lhc-stats/local.conf
index 56b9f1c..b5f622c 100644
--- a/etc/nginx/site.d/lhc-stats/local.conf
+++ b/etc/nginx/site.d/lhc-stats/local.conf
@@ -1 +1,5 @@
 listen 80;
+
+location = /index.php {
+ return 302 "https://$http_host/index.php";
+ }
diff --git a/etc/nginx/site.d/lhc-stats/site.conf b/etc/nginx/site.d/lhc-stats/site.conf
index b52ba28..a98a1a1 100644
--- a/etc/nginx/site.d/lhc-stats/site.conf
+++ b/etc/nginx/site.d/lhc-stats/site.conf
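Review bot: The four `map … $no_cache` blocks all declare the same variable, and as far as I can tell from nginx's map implementation a variable created by `map` is re-declarable, so each later block replaces the previous one's lookup: only `map $http_cookie $no_cache` is in effect and the `$request_method`, `$arg_module` and `$arg_action` rules are silently dead. Non-GET/HEAD requests are not cached anyway (nginx's cache-methods default), but the Installation, systemCheck/databaseSetup and Dashboard/Admin pages end up cacheable for any request without a PIWIK_SESSID cookie, in `location = /index.php` of lhc-stats-tls/local.conf and `location = /piwik.php` of lhc-stats/site.conf. Give each map its own variable and derive `$no_cache` from all of them in one final map, as sketched below; the bodies of the existing maps are unchanged.
```nginx
map $request_method $no_cache_method {
 # … unchanged body: default 1; HEAD 0; GET 0; …
 }
map $arg_module $no_cache_module {
 # … unchanged body: Installation and Dashboard/Live/Goals/Admin/Manager rules …
 }
map $arg_action $no_cache_action {
 # … unchanged body: systemCheck 1; databaseSetup 1; …
 }
map $http_cookie $no_cache_cookie {
 # … unchanged body: ~PIWIK_SESSID 1; …
 }
## Any source flagging "1" disables caching; unmatched maps yield "".
map "$no_cache_method$no_cache_module$no_cache_action$no_cache_cookie" $no_cache {
 default 0;
 ~1 1;
 }
```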
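Review bot: `return 302 "https://$http_host/index.php";` builds the redirect target from the client-supplied Host header, so a request carrying an arbitrary `Host:` value is answered with a Location pointing at that host, which is the open-redirect pattern whenever this server block answers for names other than its own (for instance as the default server on port 80). It also discards the query string, so a bookmarked `/index.php?module=…` loses its arguments on the hop to HTTPS. Redirect to the configured name and keep the request: `return 302 https://$server_name$request_uri;`.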
@@ -2,50 +2,79 @@ server_name stats.heureux-cyclage.org;
 client_body_buffer_size 8k;
 client_max_body_size 10m;
-location / {
- index index.html index.htm index.php;
+
+if ($bad_bot) {
+ return 444;
 }
-location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
- access_log off;
- expires 30d;
- log_not_found off;
+#if ($bad_referer) {
+# return 444;
+# }
+
+#location ~ /\. {
+# access_log off;
+# deny all;
+# log_not_found off;
+# }
+location ~* ^.+\.(?:css|gif|jpe?g|js|png|swf)$ {
+ ## Defining the valid referers.
+ ## Disallow any usage of piwik assets if referer is non valid.
+ valid_referers none blocked
+ *.cyclocoop.org
+ *.heureux-cyclage.org
+ *.ptitvelo.net
+ *.velosenville.org;
+ if ($invalid_referer) {
+ return 444;
+ }
+
+ expires max;
+ # NOTE: Static files use the OS buffer cache.
+ open_file_cache max=500 inactive=120s;
+ open_file_cache_errors off;
+ open_file_cache_min_uses 2;
+ open_file_cache_valid 45s;
+ tcp_nodelay off;
+ }
+location = /favicon.ico {
+ ## Support for favicon. Return a 204 (No Content) if the favicon doesn't exist.
+ try_files /favicon.ico =204;
 }
-location ~ /\. {
- access_log off;
- deny all;
- log_not_found off;
+location / {
+ ## Try all locations and relay to index.php as a fallback.
+ try_files $uri /index.php?$query_string;
 }
-location ~ \.php$ {
+location = /piwik.php {
+ ## Relay all piwik.php requests to fastcgi.
 include /etc/nginx/conf.d/fastcgi.conf;
- set $no_cache "0";
- if ($request_method !~ ^(GET|HEAD)$) {
- # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie.
- set $no_cache "1";
- }
- if ($no_cache = "1") {
- # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block).
- add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
- add_header X-Microcachable "0";
- }
- if ($http_cookie ~* "_mcnc") {
- # NOTE: bypass cache if no-cache cookie is set
- set $no_cache "1";
- }
+ add_header X-Piwik-Long-Cache $upstream_cache_status;
+ expires epoch;
+ fastcgi_cache microcache;
 fastcgi_cache_bypass $no_cache;
- fastcgi_cache_use_stale updating;
- fastcgi_cache_valid 200 10s;
+ fastcgi_cache_use_stale error timeout invalid_header updating http_500;
+ fastcgi_cache_valid 200 301 2h;
+ fastcgi_cache_valid 302 30m;
 fastcgi_cache_valid 404 10m;
- fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
- fastcgi_index index.php;
- fastcgi_max_temp_file_size 2M;
+ fastcgi_ignore_headers Cache-Control Expires;
 fastcgi_no_cache $no_cache;
 fastcgi_param REDIRECT_STATUS 200;
- # NOTE: PHP only, required if PHP was built with --enable-force-cgi-redirect
- fastcgi_pass_header Cookie;
- fastcgi_pass_header Set-Cookie;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_pass unix:/run/php5/fpm/lhc_stats;
+ fastcgi_pass php5_fpm_lhc_stats;
+ }
+location ~* ^.+\.php$ {
+ ## Any other attempt to access PHP files redirects to the root.
+ return 302 /;
+ }
+location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ {
+ ## Redirect to the root if attempting to access a txt file.
+ return 302 /;
+ }
+location ~* \.(?:bat|html?|git|ini|sh|svn[^.]*|txt|tpl|xml)$ {
+ ## Disallow access to several helper files.
+ return 404;
+ }
+location = /robots.txt {
+ ## No crawling of this site for bots that obey robots.txt.
+ return 200 "User-agent: *\nDisallow: /\n";
 }
 # vim: ft=sh
diff --git a/etc/nginx/site.d/lhc-www/site.conf b/etc/nginx/site.d/lhc-www/site.conf
index 5eabe39..13786a6 100644
--- a/etc/nginx/site.d/lhc-www/site.conf
+++ b/etc/nginx/site.d/lhc-www/site.conf
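Review bot: Commenting out `location ~ /\. { … deny all; … }` (earlier in this hunk) removes the only rule that refused dot-files and dot-directories, and its replacement `location ~* \.(?:bat|html?|git|ini|sh|svn[^.]*|txt|tpl|xml)$` only matches URIs that end in one of those extensions, so paths such as `/.git/HEAD`, `/.htaccess` or `/.svn/entries` match no regex location, fall through to `location /` and are served by `try_files $uri` whenever the file exists on disk. Restore the rule, for example `location ~ /\. { return 404; }`, and put it ahead of the static-asset regex so that nginx's first-matching-regex order prefers it for dotted paths that happen to end in .css or .js. Separately, `fastcgi_cache_valid 200 301 2h` on `location = /piwik.php` means a tracking request identical in URI and query, sent without a session cookie, is answered from cache and never reaches PHP for up to two hours; whether that drops hits depends on the tracker adding a unique parameter, which I cannot see from here, so a comment recording the assumption would help.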
@@ -37,7 +37,6 @@ location ~ \.php$ {
 fastcgi_cache_valid 404 10m;
 fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
 fastcgi_index index.php;
- fastcgi_max_temp_file_size 2M;
 fastcgi_no_cache $no_cache;
 fastcgi_param REDIRECT_STATUS 200;
 # NOTE: PHP only, required if PHP was built with --enable-force-cgi-redirect
diff --git a/etc/nginx/site.d/sympa/site.conf b/etc/nginx/site.d/sympa/site.conf
index 7fd9353..d627aa4 100644
--- a/etc/nginx/site.d/sympa/site.conf
+++ b/etc/nginx/site.d/sympa/site.conf
@@ -31,7 +31,6 @@ location / {
 fastcgi_cache_valid 200 10s;
 fastcgi_cache_valid 404 30m;
 fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
- fastcgi_max_temp_file_size 2M;
 fastcgi_no_cache $no_cache;
 fastcgi_param SCRIPT_NAME '';
 fastcgi_param SERVER_NAME $host;
diff --git a/etc/sv/nginx/configure.sh b/etc/sv/nginx/configure.sh
index 2cfa7f7..a44c647 100644
--- a/etc/sv/nginx/configure.sh
+++ b/etc/sv/nginx/configure.sh
@@ -53,7 +53,7 @@ for site in $(find "$tool"/etc/nginx/site.d \
 /etc/nginx/site.d/"$site"
 sudo install -d -m 770 -o www -g www \
 /etc/nginx/x509.d/"$site"
- test -L /home/www/pub/"$site" ||
+ sudo test -L /home/www/pub/"$site" ||
 sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
 /home/www/pub/"$site"
 sudo adduser www-data www-"$site"
@@ -61,6 +61,10 @@ for site in $(find "$tool"/etc/nginx/site.d \
 sudo install -m 660 -o www -g www \
 "$tool"/etc/nginx/site.d/"$site"/local.conf \
 /etc/nginx/site.d/"$site"/local.conf
+ test ! -e "$tool"/etc/nginx/site.d/"$site"/http.conf ||
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/site.d/"$site"/http.conf \
+ /etc/nginx/site.d/"$site"/http.conf
 if test -L "$tool"/etc/nginx/site.d/"$site"/site.conf
 then
 sudo cp --force --preserve=links --no-dereference \
diff --git a/etc/sv/nginx/run b/etc/sv/nginx/run
index 8bc0f31..3b876fb 100755
--- a/etc/sv/nginx/run
+++ b/etc/sv/nginx/run
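Review bot: `test ! -e "$tool"/etc/nginx/site.d/"$site"/http.conf || sudo install …` copies a site's http.conf when it exists but never removes a previously installed copy once the file disappears from the tool tree, so — inferring from the visible logic — a stale `/etc/nginx/site.d/<site>/http.conf` keeps being loaded by the `include /etc/nginx/site.d/*/http.conf;` this commit adds to nginx.conf, which matters because that file defines upstreams and `$no_cache` maps at http level. Mirror the install with a removal on the other branch: `test -e "$tool"/etc/nginx/site.d/"$site"/http.conf || sudo rm -f /etc/nginx/site.d/"$site"/http.conf`. The enclosing `for site` loop begins and ends outside this hunk.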
@@ -12,7 +12,8 @@ install -d -m 770 -o www-data -g www-data \
 /run/nginx/fastcgi \
 /run/shm/cache/nginx \
 /run/shm/cache/nginx/fastcgi \
- /run/shm/cache/nginx/client_body
+ /run/shm/cache/nginx/client_body \
+ /run/shm/tmp/nginx
 exec /usr/sbin/nginx \
 -c /etc/nginx/nginx.conf \
--
2.20.1