authorGuilhem Moulin <guilhem@fripost.org>2020-05-17 20:24:09 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-17 20:34:42 +0200
commit3c7c834a37802e5ca5d93a4b4a91dde3264d9f5d (patch)
tree07abe3c01bb29505ceab94b7bdb587c1d3bd09ba
parenta16b003a9bf101234ca988b6e43466a3d6b99bc7 (diff)
nginx: Add Expires: HTTP headers.
-rw-r--r--roles/git/files/etc/nginx/sites-available/git1
-rw-r--r--roles/lists/files/etc/nginx/sites-available/sympa6
-rw-r--r--roles/nextcloud/files/etc/nginx/sites-available/nextcloud2
-rw-r--r--roles/webmail/files/etc/nginx/sites-available/roundcube1
-rw-r--r--roles/wiki/files/etc/nginx/sites-available/website2
-rw-r--r--roles/wiki/files/etc/nginx/sites-available/wiki8
6 files changed, 13 insertions, 7 deletions
diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git
index 0aa4345..3f2bc7f 100644
--- a/roles/git/files/etc/nginx/sites-available/git
+++ b/roles/git/files/etc/nginx/sites-available/git
@@ -22,40 +22,41 @@ server {
server_name git.fripost.org;
access_log /var/log/nginx/git.access.log;
error_log /var/log/nginx/git.error.log info;
include snippets/headers.conf;
add_header Content-Security-Policy
"default-src 'none'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self'";
include snippets/ssl.conf;
ssl_certificate ssl/git.fripost.org.pem;
ssl_certificate_key ssl/git.fripost.org.key;
include snippets/git.fripost.org.hpkp-hdr;
gzip on;
gzip_vary on;
gzip_min_length 256;
gzip_types application/javascript application/json application/xml image/svg+xml image/x-icon text/css text/plain;
location ^~ /static/ {
+ expires 30d;
alias /usr/share/cgit/;
}
# disallow push over HTTP/HTTPS
location ~ "^/.+/git-receive-pack$" { return 403; }
location ~ "^/.+/(?:info/refs|git-upload-pack)$" {
limit_except GET POST { deny all; }
fastcgi_buffering off;
gzip off;
fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
fastcgi_param NO_BUFFERING "";
# cf. git-http-backend(1)
fastcgi_param GIT_PROJECT_ROOT /var/lib/gitolite/repositories;
fastcgi_param PATH_INFO $uri;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
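Review bot: The `expires 30d;` added to `location ^~ /static/` lets browsers and intermediate caches reuse cgit's static files for 30 days without revalidating, and nothing visible in this hunk versions those URLs. A package upgrade that changes or fixes an asset may therefore not reach returning clients until the lifetime runs out. If the paths are not versioned, a shorter lifetime or a comment such as `# static assets are not versioned: clients may keep an old copy for up to 30 days after an upgrade` would make the trade-off explicit. The same applies to the `expires 30d;` lines added in the sympa, roundcube, website and wiki files; the roundcube one matters most because it covers webmail JavaScript, so it is worth confirming whether Roundcube already appends a cache-busting query string.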
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
index 4cfc11b..89d79f3 100644
--- a/roles/lists/files/etc/nginx/sites-available/sympa
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -32,43 +32,43 @@ server {
ssl_certificate ssl/lists.fripost.org.pem;
ssl_certificate_key ssl/lists.fripost.org.key;
include snippets/lists.fripost.org.hpkp-hdr;
gzip on;
gzip_vary on;
gzip_min_length 256;
gzip_types application/font-woff application/font-woff2 application/javascript application/json application/xml image/x-icon text/css text/plain;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
alias /etc/sympa/robots.txt;
}
location = / {
return 302 /sympa$args;
}
- location ^~ /static-sympa/ { alias /usr/share/sympa/static_content/; }
- location ^~ /css-sympa/ { alias /var/lib/sympa/css/; }
- location ^~ /pictures-sympa/ { alias /var/lib/sympa/pictures; }
+ location ^~ /static-sympa/ { expires 30d; try_files $uri =404; alias /usr/share/sympa/static_content/; }
+ location ^~ /css-sympa/ { expires 30d; try_files $uri =404; alias /var/lib/sympa/css/; }
+ location ^~ /pictures-sympa/ { expires 30d; try_files $uri =404; alias /var/lib/sympa/pictures; }
location ~* ^/sympa(?:/|$) {
gzip off; # protect against BREACH
fastcgi_split_path_info ^(/sympa)(.*)$;
include snippets/fastcgi.conf;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass unix:/run/wwsympa.socket;
}
location ~* ^/([^/]+)/?$ {
return 302 /$1/sympa$args;
}
location ~* ^/(?<vhost>[^/]+)/sympa(?:/|$) {
gzip off; # protect against BREACH
if (!-f /etc/sympa/$vhost/robot.conf) {
return 404;
}
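Review bot: On the `/pictures-sympa/` line, `alias /var/lib/sympa/pictures` has no trailing slash while the location prefix ends in one, so nginx maps `/pictures-sympa/x.png` to `/var/lib/sympa/picturesx.png` instead of a file inside the directory. The commit carries this over unchanged from the removed line. With the new `try_files $uri =404;` such requests most likely just return 404, and the prefix could also match sibling paths under `/var/lib/sympa/` whose names begin with `pictures`. Writing it as `alias /var/lib/sympa/pictures/;` matches the other two lines and keeps lookups inside the pictures directory.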
diff --git a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud
index e971f99..52f24e0 100644
--- a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud
+++ b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud
@@ -64,42 +64,42 @@ server {
location / { rewrite ^ /index.php$uri last; }
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { internal; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { internal; }
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|core/templates/40[34])\.php(?:$|/) {
include snippets/fastcgi-php.conf;
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_pass unix:/run/php/php7.3-fpm@nextcloud.sock;
}
location ~ ^/(?:updater|oc[ms]-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
- try_files $uri /index.php$uri$is_args$args;
expires 30d;
+ try_files $uri /index.php$uri$is_args$args;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /index.php$uri$is_args$args;
}
location = /core/img/favicon.ico {
alias /var/www/nextcloud/fripost.ico;
}
}
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.cloud.fripost.org;
include /etc/lacme/nginx.conf;
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index 6bd4dd1..9cc20ad 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -51,24 +51,25 @@ server {
log_not_found off;
access_log off;
}
access_log /var/log/nginx/roundcube.access.log;
error_log /var/log/nginx/roundcube.error.log info;
client_max_body_size 64m;
location = / { index index.php; }
location = /index.php {
# TODO enable gzip for Roundcube >=1.5: it's immune to BREACH attacks once
# $config['session_samesite'] is set to 'Strict', see
# https://github.com/roundcube/roundcubemail/pull/6772
# https://www.sjoerdlangkemper.nl/2016/11/07/current-state-of-breach-attack/#same-site-cookies
gzip off;
include snippets/fastcgi-php-ssl.conf;
fastcgi_pass unix:/var/run/php/php7.3-fpm@roundcube.sock;
}
location ~ "^/(?:plugins|program/js|program/resources|skins)(?:/[[:alnum:]][[:alnum:]\-\._]*)+\.(?:css|eot|gif|html|ico|jpg|js|pdf|png|svg|tiff?|ttf|webp|woff2?)$" {
+ expires 30d;
try_files $uri =404;
}
location / { internal; }
}
diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website
index cd6832a..69d3337 100644
--- a/roles/wiki/files/etc/nginx/sites-available/website
+++ b/roles/wiki/files/etc/nginx/sites-available/website
@@ -30,32 +30,34 @@ server {
add_header Content-Security-Policy
"default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; frame-ancestors 'none'; form-action https://www.paypal.com/; base-uri fripost.org www.fripost.org";
include snippets/ssl.conf;
ssl_certificate ssl/www.fripost.org.pem;
ssl_certificate_key ssl/www.fripost.org.key;
include snippets/fripost.org.hpkp-hdr;
gzip on;
gzip_vary on;
gzip_min_length 256;
gzip_types application/font-woff application/font-woff2 application/javascript application/json application/xml image/svg+xml image/x-icon text/css text/plain;
location / {
try_files $uri $uri/ =404;
index index.html;
root /var/lib/ikiwiki/public_html/fripost-wiki/website;
}
location = /ikiwiki.cgi { internal; }
location /static/ {
+ expires 30d;
+ try_files $uri =404;
alias /var/lib/ikiwiki/public_html/fripost-wiki/static/;
}
location /material/ {
alias /var/www/fripost.org/material/;
}
location /minutes/ {
alias /var/www/fripost.org/minutes/;
}
location /.well-known/autoconfig/ {
alias /var/www/fripost.org/autoconfig/;
}
}
diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki
index 89e86d8..153b3e2 100644
--- a/roles/wiki/files/etc/nginx/sites-available/wiki
+++ b/roles/wiki/files/etc/nginx/sites-available/wiki
@@ -22,36 +22,38 @@ server {
server_name wiki.fripost.org;
access_log /var/log/nginx/wiki.access.log;
error_log /var/log/nginx/wiki.error.log info;
include snippets/headers.conf;
add_header Content-Security-Policy
"default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri wiki.fripost.org";
include snippets/ssl.conf;
ssl_certificate ssl/www.fripost.org.pem;
ssl_certificate_key ssl/www.fripost.org.key;
include snippets/fripost.org.hpkp-hdr;
gzip on;
gzip_vary on;
gzip_min_length 256;
gzip_types application/font-woff application/font-woff2 application/javascript application/json application/xml image/svg+xml image/x-icon text/css text/plain;
+ root /var/lib/ikiwiki/public_html/fripost-wiki;
+
+ location /static/ { expires 30d; try_files $uri =404; }
location / {
location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; }
- try_files $uri $uri/ =404;
index index.html;
- root /var/lib/ikiwiki/public_html/fripost-wiki;
+ try_files $uri $uri/ =404;
}
location = /ikiwiki.cgi {
- fastcgi_param DOCUMENT_ROOT /var/lib/ikiwiki/public_html/fripost-wiki;
+ fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SCRIPT_FILENAME /var/lib/ikiwiki/public_html/ikiwiki.cgi;
fastcgi_index ikiwiki.cgi;
include snippets/fastcgi.conf;
fastcgi_pass unix:/run/ikiwiki.socket;
gzip off; # protect against BREACH
}
}
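Review bot: Moving `root /var/lib/ikiwiki/public_html/fripost-wiki;` to server scope makes it apply to every location in this server block, including any defined above the hunk, which starts partway into the block. It is worth confirming that none of them relied on having no document root. In `location = /ikiwiki.cgi` the line `fastcgi_param DOCUMENT_ROOT $document_root;` is followed by `include snippets/fastcgi.conf;`; if that snippet already passes `DOCUMENT_ROOT $document_root` (it is not visible here), the parameter is now sent twice with the same value and the explicit line can be dropped. If it is kept on purpose, a short comment such as `# set explicitly: snippets/fastcgi.conf does not define DOCUMENT_ROOT` would record why.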