path: root/grav.patch
blob: 6aed11cd1d321c06eae1e1a90020f0084e5ca9d7 (plain)
--- a/system/defines.php	2021-04-15 20:04:58.000000000 +0200
+++ b/system/defines.php	2021-04-16 22:02:34.702885015 +0200
@@ -13,6 +13,12 @@
 define('GRAV_SCHEMA', '1.7.0_2020-11-20_1');
 define('GRAV_TESTING', false);
 
+define('GRAV_ROOT', '/usr/share/webapps/grav');
+define('GRAV_CACHE_PATH', '/var/cache/grav/cache');
+define('GRAV_BACKUP_PATH', '/var/lib/grav/backup');
+define('GRAV_LOG_PATH', '/var/log/grav');
+define('GRAV_TMP_PATH', '/var/tmp/grav');
+
 // PHP minimum requirement
 if (!defined('GRAV_PHP_MIN')) {
     define('GRAV_PHP_MIN', '7.3.6');
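Review bot: The five new `define()` calls carry no comment saying why the paths are hard-coded and that they are meant to take precedence over defaults the file sets with the `if (!defined(...))` pattern visible at `GRAV_PHP_MIN`. Suggest heading them with `// Distribution layout: read-only code under /usr/share, writable state under /var; must precede the guarded defaults below.` The rest of defines.php is outside this hunk, so whether every later definition of these names is guarded cannot be confirmed here; an unguarded one would produce a PHP constant-redefinition warning and keep the first value. The cache, backup, log and tmp directories also have to exist and be writable by the PHP worker user before the site is served, which the package's install step should arrange rather than leaving to runtime.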
--- a/system/src/Grav/Console/Gpm/SelfupgradeCommand.php	2021-04-15 20:04:58.000000000 +0200
+++ b/system/src/Grav/Console/Gpm/SelfupgradeCommand.php	2021-04-21 21:14:16.576531405 +0200
@@ -94,6 +94,10 @@
         $input = $this->getInput();
         $io = $this->getIO();
 
+        $io->error('Grav cannot be upgraded this way as it has been installed with a distribution package.');
+        $io->writeln('Use makepkg and pacman (or your preferred pacman wrapper) to upgrade.');
+        return 1;
+
         if (!class_exists(ZipArchive::class)) {
             $io->title('GPM Self Upgrade');
             $io->error('php-zip extension needs to be enabled!');
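Review bot: The added `return 1;` at the top of the method makes everything from `if (!class_exists(ZipArchive::class))` onward unreachable, and `$input` on the preceding context line is now assigned but never used; static analysers will flag both. Suggest moving the three added lines so that only `$io = $this->getIO();` precedes them, or removing the dead body instead of jumping over it, with a comment such as `// Distribution build: Grav's files are owned by the package manager; self-upgrade would overwrite them.` The enclosing method begins and ends outside this hunk.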
--- a/webserver-configs/nginx.conf	2024-01-05 13:46:02.000000000 +0100
+++ b/webserver-configs/nginx.conf	2024-01-06 21:27:25.574913828 +0100
@@ -1,10 +1,61 @@
 server {
-    #listen 80;
+    listen 80;
+    listen [::]:80;
+    server_name blog.myserver.org;
+
+    access_log      /var/log/nginx/access/blog.log  main;
+
+    ## Begin - ACME (LetsEncrypt)
+    # adapt the alias folder to where your certification job (e.g. CertBot)
+    # puts the domain verification challenges
+    # location ^~ /.well-known/acme-challenge/ {
+    #     alias           /srv/http/acme;
+    # }
+    ## End - ACME (LetsEncrypt)
+
+    ## Begin - Enforce HTTPS
+    location / {
+        return 301 https://blog.myserver.org$request_uri;
+    }
+    ## End - Enforce HTTPS
+}
+
+server {
+    listen 443      ssl http2;
+    listen [::]:443 ssl http2;
+
+    access_log      /var/log/nginx/access/blog.log  main;
+
+    ## Begin - SSL/TLS
+    # Use Mozilla's guidelines for SSL/TLS settings
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+    ssl_certificate     /etc/ssl/certs/blog.myserver.org.pem;
+    ssl_certificate_key /etc/ssl/private/blog.myserver.org.key;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:sslcache:1m;  # about 4000 sessions
+    ssl_session_tickets off;
+    ssl_protocols TLSv1.3;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS settings
+    # WARNING: Only add the preload option once you read about
+    # the consequences in https://hstspreload.org/. This option
+    # will add the domain to a hardcoded list that is shipped
+    # in all major browsers and getting removed from this list
+    # could take several months.
+    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+    add_header Strict-Transport-Security "max-age=15768000" always;
+    ## End - SSL/TLS
+
+    # set max upload size
+    client_max_body_size 512M;
+    # fastcgi_buffers 64 4K; only required when using fastcgi (see below)
+
     index index.html index.php;
 
     ## Begin - Server Info
-    root /home/USER/www/html;
-    server_name localhost;
+    server_name blog.myserver.org;
+    root /usr/share/webapps/grav;
     ## End - Server Info
 
     ## Begin - Index
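Review bot: `listen 443 ssl http2;` and `listen [::]:443 ssl http2;` use the `http2` listen parameter, which nginx deprecated in 1.25.1 in favour of a standalone directive; for a 2024-era config the equivalent is `listen 443 ssl;`, `listen [::]:443 ssl;` and `http2 on;`. In the port-80 server the ACME location stays commented out while `location / { return 301 https://... }` catches every path, so `/.well-known/acme-challenge/` requests are handed to the HTTPS server, which must then be able to serve them (see the hidden-file deny added in the last hunk). `access_log ... main;` presumes a `log_format main` defined in the http context, which is not visible here.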
@@ -17,6 +68,13 @@
     ## End - Index
 
     ## Begin - Security
+    # safety stuff adopted from .htaccess
+    if ($request_uri ~   "{{|}}|{%|%}")                    { return 403; }
+    if ($query_string ~  "{{|}}|{%25|%25}")                { return 403; }
+    if ($query_string ~  "base64_encode[^(]*\([^)]*\)")    { return 403; }
+    if ($query_string ~* "(<|%3C)([^s]*s)+cript.*(>|%3E)") { return 403; }
+    if ($query_string ~  "GLOBALS(=|\[|\%[0-9A-Z]{0,2})")  { return 403; }
+    if ($query_string ~  "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { return 403; }
     # deny all direct access for these folders
     location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
     # deny running scripts inside core system folders
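Review bot: The six `if (...) { return 403; }` lines are pattern blocklists ported from .htaccess and deserve a comment making clear they are opportunistic rather than a security boundary: `$request_uri` is matched in its raw, undecoded form, and only the `script` rule uses the case-insensitive `~*`, so whether a request is caught depends on how the client spelled it. Suggest replacing `# safety stuff adopted from .htaccess` with `# Best-effort request filters ported from .htaccess; raw (undecoded) matching, not a substitute for Grav's own input handling.` Using `if` with a bare `return` at server level is the documented safe form of the directive, so the construct itself is fine.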
@@ -25,20 +83,32 @@
     location ~* /user/.*\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ { return 403; }
     # deny access to specific files in the root folder
     location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
+    # deny all files and folder beginning with a dot (hidden files & folders)
+    location ~ (^|/)\. { return 403; }
     ## End - Security
 
     ## Begin - PHP
     location ~ \.php$ {
-        # Choose either a socket or TCP/IP address
-        fastcgi_pass unix:/var/run/php/php-fpm.sock;
-        # fastcgi_pass unix:/var/run/php5-fpm.sock; #legacy
-        # fastcgi_pass 127.0.0.1:9000;
-
-        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        fastcgi_index index.php;
-        include fastcgi_params;
-        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+        include uwsgi_params;
+        uwsgi_modifier1 14;
+        uwsgi_pass unix:/run/uwsgi/grav.sock;
     }
+    # or alternatively if you use php-fpm
+    # location ~ \.php$ {
+    #     # Choose either a socket or TCP/IP address
+    #     fastcgi_pass unix:/run/php-fpm/grav.sock;
+    #     # fastcgi_pass 127.0.0.1:9000;
+    #     fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    #     fastcgi_index index.php;
+    #     include fastcgi_params;
+    #     fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+    # }
     ## End - PHP
-}
 
+    ## Begin - Static content
+    location ~ \.(?:css|js|svg|gif|jpe?g|png|woff2?)$ {
+        expires 7d;
+        access_log off;
+    }
+    ## End - Static content
+}
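Review bot: The new `location ~ (^|/)\. { return 403; }` also matches `/.well-known/acme-challenge/...`, and because the port-80 server in the first hunk redirects every path to this HTTPS server, HTTP-01 validation (which follows redirects) will end in a 403 unless a higher-priority location is added here. Suggest adding, before the hidden-file deny, `location ^~ /.well-known/acme-challenge/ { alias /srv/http/acme; }` (the path the commented ACME block in the first hunk uses) — the `^~` prefix form is selected before any regex location, so the deny still covers every other dot path. The same note applies to the commented-out ACME block in the first hunk, which should be uncommented or mirrored rather than left as documentation only.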