# Example nginx configuration file
# Edited from https://ubuntu.self-hosted.fr/installation-piwigo-nginx-mariadb/
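server {
    listen 80;
    listen [::]:80;
    server_name piwigo.domain.tld; # TODO: edit-me

    # Path to the root of your installation
    root /usr/share/webapps/piwigo/;

    # Security related response headers.
    # nginx does not merge add_header across levels: a location block that
    # declares its own add_header drops every header set here, so either keep
    # per-location headers out of this file or repeat the whole set there.
    # Only the directives marked "always" are sent on error responses (4xx/5xx);
    # the others are attached to 2xx/3xx responses only.
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
    # X-XSS-Protection is deprecated and ignored by current browsers; a
    # Content-Security-Policy is the contemporary replacement.
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Browsers only honour HSTS when it arrives over HTTPS. This server block
    # listens on port 80 only, so the header is inert until a TLS listener
    # (and an HTTP -> HTTPS redirect) is added.
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
    add_header Referrer-Policy no-referrer always;

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        index index.php;
        try_files $uri $uri/ @rewrite =404;
    }

    # Piwigo's pretty URLs: map /picture/..., /index/... and /i/... onto the
    # corresponding PHP entry point, keeping the remainder as PATH_INFO.
    location @rewrite {
        rewrite ^/picture((/|$).*)$ /picture.php$1 last;
        rewrite ^/index((/|$).*)$ /index.php$1 last;
        rewrite ^/i((/|$).*)$ /i.php$1 last;
    }

    # piwigo distribution files and private directories.
    # These regex locations are deliberately placed BEFORE the PHP handler:
    # nginx uses the first regex location that matches in file order, so a
    # request for anything under /upload/ or /_data/logs/ -- including a name
    # ending in .php -- is refused here and never reaches php-fpm.
    location ~ ^/(README|doc)$ {
        deny all;
    }
    # prevent direct access to uploaded images, derivates and logs
    location ~ ^/(_data/logs|upload)/ {
        deny all;
    }

    # PHP handler. The named captures split the URI into the script and its
    # PATH_INFO (e.g. /index.php/category/12 -> /index.php + /category/12).
    location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
        # Refuse the request unless the script part exists on disk. This is
        # the guard against the cgi.fix_pathinfo behaviour where php-fpm would
        # otherwise walk back along a URI such as /image.jpg/x.php and execute
        # the uploaded image as PHP.
        try_files $script_name =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/run/php-fpm/piwigo.sock;
        fastcgi_param PATH_INFO $path_info;
        # Hand php-fpm exactly the file try_files just verified. Without
        # fastcgi_split_path_info, $fastcgi_script_name is the whole request
        # URI (script plus PATH_INFO), which only resolves when php-fpm
        # re-derives the script via cgi.fix_pathinfo; $script_name does not
        # depend on that setting.
        fastcgi_param SCRIPT_FILENAME $document_root$script_name;
    }

    location ~ ^/favicon\.ico$ {
        log_not_found off;
        access_log off;
        expires max;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # prevent any hotlinks and direct access to alias URIs (/i/upload/...)
    # which are not from Piwigo itself (happens when exporting from lightroom via ws.php)
    # NOTE(review): $check_referal is computed below but nothing in this file
    # reads it, so as written the referer check is a no-op; the location that
    # enforces it for the /i alias URIs appears to be missing -- verify against
    # the configuration this file was edited from.
    set $check_referal "";
    # very restrictive
    valid_referers *.domain.tld; # TODO: edit-me
    # if you want google etc to be able to show your images:
    #valid_referers ~google\.com ~bing\.com *.domain.tld
    if ($invalid_referer) {
        set $check_referal "invalid";
    }
    if ($http_user_agent !~ "Piwigo") {
        set $check_referal "${check_referal}+not_piwigo";
    }
}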