path: root/nginx.conf
blob: a3823d3121581f9d04a19fa69c39a1455739a348 (plain)
# Example nginx configuration file
# Edited from https://ubuntu.self-hosted.fr/installation-piwigo-nginx-mariadb/

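server {
    # Plain-HTTP listener only; no TLS listener is defined in this block.
    listen                        80;
    listen                        [::]:80;
    server_name                   piwigo.domain.tld;  # TODO: edit-me

    # Path to the root of your installation
    root                          /usr/share/webapps/piwigo/;

    # Security-related response headers.
    # "always" makes nginx attach them to error responses (4xx/5xx) as well,
    # not only to 2xx/3xx ones, matching what Referrer-Policy already did.
    add_header                    X-Frame-Options "SAMEORIGIN" always;
    add_header                    X-Content-Type-Options nosniff always;
    add_header                    X-XSS-Protection "1; mode=block" always;
    add_header                    X-Robots-Tag none always;
    add_header                    X-Download-Options noopen always;
    add_header                    X-Permitted-Cross-Domain-Policies none always;
    # NOTE(review): browsers honour Strict-Transport-Security only when it is
    # received over HTTPS. This block listens on port 80 only, so the header
    # has an effect only if TLS is terminated in front of this server.
    add_header                    Strict-Transport-Security 'max-age=31536000; includeSubDomains;' always;
    add_header                    Referrer-Policy no-referrer always;

    # set max upload size
    client_max_body_size          512M;
    fastcgi_buffers               64 4K;

    # Enable gzip but do not remove ETag headers
    gzip                          on;
    gzip_vary                     on;
    gzip_comp_level               4;
    gzip_min_length               256;
    gzip_proxied                  expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types                    application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        index                     index.php;
        # Only the LAST try_files argument may be a named location or a status
        # code. With "@rewrite =404" the name "@rewrite" was tested as a file
        # under root, never found, and every pretty URL ended in 404.
        try_files                 $uri $uri/ @rewrite;
    }

    # Map pretty URLs onto the PHP front controllers; a URI that matches none
    # of the rules is left unchanged.
    location @rewrite {
        rewrite                   ^/picture((/|$).*)$ /picture.php$1 last;
        rewrite                   ^/index((/|$).*)$ /index.php$1 last;
        rewrite                   ^/i((/|$).*)$ /i.php$1 last;
    }

    # The deny rules below must stay ABOVE the PHP location: nginx uses the
    # first regex location that matches, in file order. Placed after the PHP
    # location, a request such as /upload/<name>.php would be handed to
    # PHP-FPM instead of being refused.

    # piwigo distribution files
    location ~ ^/(README|doc)$ {
        deny                      all;
    }

    # prevent direct access to uploaded images, derivatives and logs
    location ~ ^/(_data/logs|upload)/ {
        deny                      all;
    }

    # Hand *.php (with optional trailing /path/info) to PHP-FPM.
    # Named captures are used for the script and the path info.
    location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
        # Refuse the request unless the script file really exists, so that a
        # non-PHP file followed by "/x.php" is never passed to the interpreter.
        try_files                 $script_name =404;
        include                   /etc/nginx/fastcgi_params;
        fastcgi_pass              unix:/run/php-fpm/piwigo.sock;
        fastcgi_param             PATH_INFO $path_info;
        fastcgi_param             SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Exact match: the previous regex left the dot unescaped.
    location = /favicon.ico {
        log_not_found             off;
        access_log                off;
        expires                   max;
    }

    location = /robots.txt {
        allow                     all;
        log_not_found             off;
        access_log                off;
    }

    # prevent any hotlinks and direct access to alias URIs (/i/upload/...)
    # which are not from Piwigo itself (happens when exporting from lightroom via ws.php)
    #
    # NOTE(review): nothing in this server block reads $check_referal, so as
    # shown the value is computed but no request is refused because of it.
    # Enforcing it needs a location that tests for "invalid+not_piwigo".
    # Also confirm it against "Referrer-Policy no-referrer" above: with that
    # policy browsers send no Referer at all, and valid_referers below does
    # not list "none", so the site's own page loads would count as invalid.
    set                           $check_referal "";

    # very restrictive
    valid_referers                *.domain.tld;  # TODO: edit-me
    # if you want google etc to be able to show your images:
    #valid_referers ~google\.com ~bing\.com *.domain.tld

    if ($invalid_referer) {
        set                       $check_referal "invalid";
    }
    if ($http_user_agent !~ "Piwigo") {
        set                       $check_referal "${check_referal}+not_piwigo";
    }
}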