server { listen 0.0.0.0:80 default; listen [2a01:4f8:151:51a3:176:9:184:3]:80 default; server_name www.kraut.space; access_log /var/log/nginx/www.krautspace.de_access.log ano; error_log /var/log/nginx/www.krautspace.de_error.log; # weiterleiten rewrite ^ https://$host$request_uri? permanent; } server { listen 0.0.0.0:443 ssl default; listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl default; ssl_certificate /etc/ssl/private/star.kraut.space.combined.crt; ssl_certificate_key /etc/ssl/private/star.kraut.space.key; server_name kraut.space www.kraut.space; access_log /var/log/nginx/kraut.space_access.log ano; error_log /var/log/nginx/kraut.space_error.log; add_header Public-Key-Pins 'pin-sha256="h1eF+0TRBTfD0ksblNkZnC3XQ8/w1tKDotkBiZcyThc="; pin-sha256="2r/gJIym/afOi0tM9pcbibG1b0uixXHzwInOT+KVKPE="; pin-sha256="LUZ6gnGnIWtu/uXeQMfEEBlP8J6azBxFhPct2qpGYYk="; max-age=1209600; includeSubDomains'; add_header Strict-Transport-Security max-age=15768000; # six months if ($host = www.kraut.space) { return 301 https://kraut.space$request_uri; } root /var/www/wiki.hackspace-jena.de; # falls es mal (global) an sein sollte autoindex off; index doku.php; client_max_body_size 15M; client_body_buffer_size 128k; location ^~ /.well-known/ { allow all; } location = /robots.txt { log_not_found off; } location = /favicon.ico { log_not_found off; } location ~ /\. { deny all; } location ~ ~$ { deny all; } # versuche Datei zu finden, leite sonst an @dw weiter location / { try_files $uri $uri/ @dw; } # setze Header location ~ ^/lib/.*\.(gif|png|ico|jpg|svg|ttf)$ { expires 30d; } # versuche was passendes für die anfrage zu finden location @dw { rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; rewrite ^/(.*) /doku.php?id=$1 last; } # führe PHP-Script aus location ~ \.php$ { include fastcgi_params; fastcgi_buffers 16 16k; fastcgi_buffer_size 32k; fastcgi_param HTTPS $php_https; # DW checks $_SERVER['HTTPS'] fastcgi_intercept_errors on; fastcgi_pass unix:/var/run/php5-fpm.sock; # entferne Header "X-Powered-By: PHP/5.4.40-1~dotdeb+wheezy.1" fastcgi_hide_header "X-Powered-By"; } # das ist mit absicht hier hinten! # soll erst nach dokuwiki verarbeitung überprüft werden, nicht das einige Artikel nicht zu öffnen sind location ~ /(data|conf|bin|inc)/ { deny all; } ### XMPP # forward http-bind requests to the prosody instance location /http-bind { proxy_pass http://localhost:5280/http-bind; proxy_buffering off; tcp_nodelay on; # add_header Access-Control-Allow-Origin *; proxy_set_header Host anon.krautspace.de; } # forward xmpp registrations to prosody location /xmpp/ { index index.php; # Idee für schönere umsetzung # expires 7d; # try_file $uri $uri/ /xmpp/index.php; if (-f $request_filename) { expires 7d; break; } rewrite ^/xmpp/(.*) /xmpp/index.php last; } ### CHAT # setze Header location ~* ^/chat/*.\.(js|css|json|map|gif|png|swf|mp3)$ { expires 7d; } # sonstige anfragen an /chat/, versuche datei zu finden location /chat/ { # forward /chat/ to /chat/index.html as per request of qbi index index.html; try_files $uri $uri/ =404; } location ~* ^/chat2/*.\.(js|css|json|map|gif|png|swf|mp3)$ { expires 7d; } location /chat2/ { index index.html; try_files $uri $uri/ =404; } }