Diffstat (limited to 'grav.patch')
-rw-r--r-- | grav.patch | 152 |
1 files changed, 152 insertions, 0 deletions
diff --git a/grav.patch b/grav.patch
new file mode 100644
index 000000000000..04c3b10797f5
--- /dev/null
+++ b/grav.patch
@@ -0,0 +1,152 @@
+--- a/system/defines.php 2021-04-15 20:04:58.000000000 +0200
++++ b/system/defines.php 2021-04-16 22:02:34.702885015 +0200
+@@ -13,6 +13,12 @@
+ define('GRAV_SCHEMA', '1.7.0_2020-11-20_1');
+ define('GRAV_TESTING', false);
++define('GRAV_ROOT', '/usr/share/webapps/grav');
++define('GRAV_CACHE_PATH', '/var/cache/grav/cache');
++define('GRAV_BACKUP_PATH', '/var/lib/grav/backup');
++define('GRAV_LOG_PATH', '/var/log/grav');
++define('GRAV_TMP_PATH', '/var/tmp/grav');
++
+ // PHP minimum requirement
+ if (!defined('GRAV_PHP_MIN')) {
+ define('GRAV_PHP_MIN', '7.3.6');
+--- a/system/src/Grav/Console/Gpm/SelfupgradeCommand.php 2021-04-15 20:04:58.000000000 +0200
++++ b/system/src/Grav/Console/Gpm/SelfupgradeCommand.php 2021-04-21 21:14:16.576531405 +0200
+@@ -94,6 +94,10 @@
+ $input = $this->getInput();
+ $io = $this->getIO();
++ $io->error('Grav cannot be upgraded this way as it has been installed with a distribution package.');
++ $io->writeln('Use makepkg and pacman (or your preferred pacman wrapper) to upgrade.');
++ return 1;
++
+ if (!class_exists(ZipArchive::class)) {
+ $io->title('GPM Self Upgrade');
+ $io->error('php-zip extension needs to be enabled!');
+--- a/webserver-configs/nginx.conf 2021-05-26 21:06:53.532804914 +0200
++++ b/webserver-configs/nginx.conf 2021-05-27 10:25:14.985023880 +0200
+@@ -1,10 +1,61 @@
+ server {
+- #listen 80;
++ listen 80;
++ listen [::]:80;
++ server_name blog.myserver.org;
++
++ access_log /var/log/nginx/access/blog.log main;
++
++ ## Begin - ACME (LetsEncrypt)
++ # adapt the alias folder to where your certification job (e.g. CertBot)
++ # puts the domain verification challenges
++ # location ^~ /.well-known/acme-challenge/ {
++ # alias /srv/http/acme;
++ # }
++ ## End - ACME (LetsEncrypt)
++
++ ## Begin - Enforce HTTPS
++ location / {
++ return 301 https://blog.myserver.org$request_uri;
++ }
++ ## End - Enforce HTTPS
++}
++
++server {
++ listen 443 ssl http2;
++ listen [::]:443 ssl http2;
++
++ access_log /var/log/nginx/access/blog.log main;
++
++ ## Begin - SSL/TLS
++ # Use Mozilla's guidelines for SSL/TLS settings
++ # https://mozilla.github.io/server-side-tls/ssl-config-generator/
++ ssl_certificate /etc/ssl/certs/blog.myserver.org.pem;
++ ssl_certificate_key /etc/ssl/private/blog.myserver.org.key;
++ ssl_session_timeout 1d;
++ ssl_session_cache shared:sslcache:1m; # about 4000 sessions
++ ssl_session_tickets off;
++ ssl_protocols TLSv1.3;
++ ssl_prefer_server_ciphers off;
++
++ # HSTS settings
++ # WARNING: Only add the preload option once you read about
++ # the consequences in https://hstspreload.org/. This option
++ # will add the domain to a hardcoded list that is shipped
++ # in all major browsers and getting removed from this list
++ # could take several months.
++ #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
++ add_header Strict-Transport-Security "max-age=15768000" always;
++ ## End - SSL/TLS
++
++ # set max upload size
++ client_max_body_size 512M;
++ fastcgi_buffers 64 4K;
++
+ index index.html index.php;
+
+ ## Begin - Server Info
+- root /home/USER/www/html;
+- server_name localhost;
++ server_name blog.myserver.org;
++ root /usr/share/webapps/grav;
+ ## End - Server Info
+
+ ## Begin - Index
+@@ -17,6 +68,13 @@
+ ## End - Index
+
+ ## Begin - Security
++ # safety stuff adopted from .htaccess
++ if ($request_uri ~ "{{|}}|{%|%}") { return 403; }
++ if ($query_string ~ "{{|}}|{%25|%25}") { return 403; }
++ if ($query_string ~ "base64_encode[^(]*\([^)]*\)") { return 403; }
++ if ($query_string ~* "(<|%3C)([^s]*s)+cript.*(>|%3E)") { return 403; }
++ if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { return 403; }
++ if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { return 403; }
+ # deny all direct access for these folders
+ location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
+ # deny running scripts inside core system folders
+@@ -25,20 +83,32 @@
+ location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+ # deny access to specific files in the root folder
+ location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
++ # deny all files and folder beginning with a dot (hidden files & folders)
++ location ~ (^|/)\. { return 403; }
+ ## End - Security
+
+ ## Begin - PHP
+ location ~ \.php$ {
+- # Choose either a socket or TCP/IP address
+- fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
+- # fastcgi_pass unix:/var/run/php5-fpm.sock; #legacy
+- # fastcgi_pass 127.0.0.1:9000;
+-
+- fastcgi_split_path_info ^(.+\.php)(/.+)$;
+- fastcgi_index index.php;
+- include fastcgi_params;
+- fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
++ include uwsgi_params;
++ uwsgi_modifier1 14;
++ uwsgi_pass unix:/run/uwsgi/grav.sock;
+ }
++ # or alternatively if you use php-fpm
++ # location ~ \.php$ {
++ # # Choose either a socket or TCP/IP address
++ # fastcgi_pass unix:/run/php/grav.sock;
++ # # fastcgi_pass 127.0.0.1:9000;
++ # fastcgi_split_path_info ^(.+\.php)(/.+)$;
++ # fastcgi_index index.php;
++ # include fastcgi_params;
++ # fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
++ # }
+ ## End - PHP
+-}
+
++ ## Begin - Static content
++ location ~ \.(?:css|js|svg|gif|jpe?g|png|woff2?)$ {
++ expires 7d;
++ access_log off;
++ }
++ ## End - Static content
++} |
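Review bot: The six `if ($request_uri ~ …)` / `if ($query_string ~ …)` rules added in the `## Begin - Security` block of webserver-configs/nginx.conf are plain pattern matches on the raw, undecoded request line, so they can only ever be a best-effort filter and should not be read as the protection against template or code injection; the comment `# safety stuff adopted from .htaccess` would be clearer as `# best-effort filters carried over from .htaccess; defence in depth only, not the security boundary`. In the rewritten `location ~ \.php$` block the request is handed to uwsgi with no `try_files $uri =404;` guard, so whether a URI that merely ends in .php but has no file on disk is rejected depends on the uwsgi PHP plugin's own handling; adding `try_files $uri =404;` before `include uwsgi_params;` makes that explicit, unless the `## Begin - Index` section (outside this hunk) already covers it. The unconditional `define('GRAV_ROOT', …)` lines added to system/defines.php also assume that the later definitions of those constants are wrapped in `!defined()` checks like the `GRAV_PHP_MIN` context line shows; if any is not, PHP will warn about a redefined constant at startup.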