From a14bb019ed9bc165253a9a4446d1dc70ac2ba6ff Mon Sep 17 00:00:00 2001
From: Marwolf <cleako@gmail.com>
Date: Sun, 8 Jul 2018 15:50:17 -0400
Subject: [PATCH] Nginx config updates

---
 Website/etc/nginx/default.conf          | 75 ++++++++++++++++++++++++-
 Website/etc/nginx/default.template.conf | 75 ++++++++++++++++++++++++-
 2 files changed, 146 insertions(+), 4 deletions(-)

diff --git a/Website/etc/nginx/default.conf b/Website/etc/nginx/default.conf
index aaf83ab..e55a0b6 100644
--- a/Website/etc/nginx/default.conf
+++ b/Website/etc/nginx/default.conf
@@ -1,14 +1,23 @@
 # Nginx configuration
 
+server_tokens off;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Content-Type-Options nosniff;
+
 server {
     listen 80 default_server;
     listen [::]:80 default_server;
+		gzip on;
+		gzip_static on;
+		gzip_vary on;
+		gzip_http_version 1.1;
+		gzip_min_length 700;
+		gzip_comp_level 6;
     server_name localhost;
-
-    index index.php index.html;
     error_log  /var/log/nginx/error.log;
     access_log /var/log/nginx/access.log;
     root /var/www/html/public;
+		index index.php index.html index.htm;
 
     location ~ \.php$ {
         try_files $uri =404;
@@ -19,6 +28,68 @@ server {
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_param PATH_INFO $fastcgi_path_info;
     }
+
+    location ~ /\.ht {
+    		deny all;
+    }
+
+    location /downloads {
+        autoindex on;
+        autoindex_exact_size off;
+    }
+
+		location /board {
+				index index.php index.html index.htm;
+        try_files $uri $uri/ @rewriteapp;
+    }
+
+    location @rewriteapp {
+    		rewrite ^(.*)$ /app.php/$1 last;
+    }
+
+    # Deny access to internal phpbb files.
+    location ~ /board(config\.php|common\.php|files|images/avatars/upload|includes|(?<!ext/)phpbb|store|vendor) {
+    		deny all;
+        # deny was ignored before 0.8.40 for connections over IPv6.
+        # Use internal directive to prohibit access on older versions.
+        internal;
+		}
+
+		# Pass the php scripts to fastcgi server specified in upstream declaration.
+    location ~ \.php(/|$) {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass php:9000;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+    }
+
+    # Correctly pass scripts for installer
+    location /install/ {
+        try_files $uri $uri/ @rewrite_installapp;
+
+				location ~ \.php(/|$) {
+            try_files $uri =404;
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            fastcgi_pass php:9000;
+            fastcgi_index index.php;
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $fastcgi_path_info;
+        }
+		}
+
+    location @rewrite_installapp {
+        rewrite ^(.*)$ /board/install/app.php/$1 last;
+    }
+
+    # Deny access to version control system directories.
+    location ~ /\.svn|/\.git {
+        deny all;
+        internal;
+    }
 }
 
 # server { #SSL configuration below
diff --git a/Website/etc/nginx/default.template.conf b/Website/etc/nginx/default.template.conf
index 4eaa0bf..2247bd4 100644
--- a/Website/etc/nginx/default.template.conf
+++ b/Website/etc/nginx/default.template.conf
@@ -1,14 +1,23 @@
 # Nginx configuration
 
+server_tokens off;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Content-Type-Options nosniff;
+
 server {
     listen 80 default_server;
     listen [::]:80 default_server;
+		gzip on;
+		gzip_static on;
+		gzip_vary on;
+		gzip_http_version 1.1;
+		gzip_min_length 700;
+		gzip_comp_level 6;
     server_name ${NGINX_HOST};
-
-    index index.php index.html;
     error_log  /var/log/nginx/error.log;
     access_log /var/log/nginx/access.log;
     root /var/www/html/public;
+		index index.php index.html index.htm;
 
     location ~ \.php$ {
         try_files $uri =404;
@@ -19,6 +28,68 @@ server {
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_param PATH_INFO $fastcgi_path_info;
     }
+
+    location ~ /\.ht {
+    		deny all;
+    }
+
+    location /downloads {
+        autoindex on;
+        autoindex_exact_size off;
+    }
+
+		location /board {
+				index index.php index.html index.htm;
+        try_files $uri $uri/ @rewriteapp;
+    }
+
+    location @rewriteapp {
+    		rewrite ^(.*)$ /app.php/$1 last;
+    }
+
+    # Deny access to internal phpbb files.
+    location ~ /board(config\.php|common\.php|files|images/avatars/upload|includes|(?<!ext/)phpbb|store|vendor) {
+    		deny all;
+        # deny was ignored before 0.8.40 for connections over IPv6.
+        # Use internal directive to prohibit access on older versions.
+        internal;
+		}
+
+		# Pass the php scripts to fastcgi server specified in upstream declaration.
+    location ~ \.php(/|$) {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass php:9000;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+    }
+
+    # Correctly pass scripts for installer
+    location /install/ {
+        try_files $uri $uri/ @rewrite_installapp;
+
+				location ~ \.php(/|$) {
+            try_files $uri =404;
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            fastcgi_pass php:9000;
+            fastcgi_index index.php;
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $fastcgi_path_info;
+        }
+		}
+
+    location @rewrite_installapp {
+        rewrite ^(.*)$ /board/install/app.php/$1 last;
+    }
+
+    # Deny access to version control system directories.
+    location ~ /\.svn|/\.git {
+        deny all;
+        internal;
+    }
 }
 
 # server { #SSL configuration below