## # You should look at the following URL's in order to grasp a solid understanding # of Nginx configuration files in order to fully unleash the power of Nginx. # https://www.nginx.com/resources/wiki/start/ # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ # https://wiki.debian.org/Nginx/DirectoryStructure # # In most cases, administrators will remove this file from sites-enabled/ and # leave it as reference inside of sites-available where it will continue to be # updated by the nginx packaging team. # # This file will automatically load configuration files provided by other # applications, such as Drupal or Wordpress. These applications will be made # available underneath a path with that package name, such as /drupal8. # # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. ## # Default server configuration # upstream websocket { server 127.0.0.1:2424; } upstream mainhost { server 127.0.0.1; keepalive 20; } upstream sv { server 127.0.0.1; keepalive 20; } upstream alexa { server 127.0.0.1:9000; } upstream shng { server 127.0.0.1:8383; } upstream nodered { server 127.0.0.1:1880; } upstream shnet { server 127.0.0.1:8888; } upstream monithost { server 127.0.0.1:2812; } upstream grafanahost { server 127.0.0.1:3000; } server { listen 80 default_server; listen [::]:80 default_server; include /etc/nginx/snippets/letsencrypt.conf; root /var/www/html; # Auf HTTPS umleiten if ($http_x_forwarded_proto = "http") { return 301 https://$server_name$request_uri; } ## Blocken, wenn Zugriff aus einem nicht erlaubten Land erfolgt ## if ($allowed_country = no) { return 403; } # https://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html ## Block download agents ## if ($http_user_agent ~* LWP::Simple|BBBike|wget) { return 403; } ## Block some robots ## if ($http_user_agent ~* msnbot|scrapbot) { return 403; } ## Deny certain Referers ## if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) ) { return 403; } # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html index.php; server_name DOMAIN_HERE $hostname; # Skip^1 caching variable init set $nocache 0; # Bypass^2 caching variable init set $purgecache 0; # Bypass^2 cache on no-cache (et al.) browser request if ($http_cache_control ~ "max-age=0") { set $purgecache 1; } if ($http_cache_control ~ "no-cache") { set $purgecache 1; } # Bypass^2 cache with custom header set on request if ($http_x_cache_purge ~* "true") { set $purgecache 1; } location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; if ($http_upgrade = websocket) { proxy_pass http://websocket; } } # pass PHP scripts to FastCGI server location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/run/php/php8.2-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location ~* \.(js|css|png|jpg|jpeg|gif|svg)$ { include /etc/nginx/headers.conf; expires 7d; add_header Cache-Control "public, no-transform"; } location ~* favicon|apple-touch-icon|android-chrome-|mstile-|safari-pinned-tab.svg|browserconfig.xml|manifest.json|apple-icon|ms-icon|android-icon|mstile { try_files $uri @favicons; include /etc/nginx/headers.conf; expires 7d; add_header Cache-Control "public, no-transform"; } location @favicons { rewrite ^/(.+)$ /favicons/$1 last; } location /visu_websocket/ { include /etc/nginx/headers.conf; satisfy any; #auth_basic "Restricted Area: Smarthome NG Backend"; #auth_basic_user_file /etc/nginx/.shng; allow 127.0.0.1; allow 192.168.0.0/16; allow 10.0.0.0/16; allow ::1; deny all; proxy_ignore_client_abort on; proxy_pass http://$host:8383; location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { include /etc/nginx/headers.conf; expires 7d; add_header Cache-Control "public, no-transform"; proxy_pass http://$host:8383; } } location /api/ { include /etc/nginx/headers.conf; satisfy any; #auth_basic "Restricted Area: Smarthome NG Backend"; #auth_basic_user_file /etc/nginx/.shng; allow 127.0.0.1; allow 192.168.0.0/16; allow 10.0.0.0/16; allow ::1; deny all; proxy_ignore_client_abort on; proxy_pass http://$host:8383; location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { include /etc/nginx/headers.conf; expires 7d; add_header Cache-Control "public, no-transform"; proxy_pass http://$host:8383; } } location /influxdb/ { include /etc/nginx/headers.conf; satisfy any; #auth_basic "Restricted Area: Influx Backend"; #auth_basic_user_file /etc/nginx/.influx; allow 127.0.0.1; allow 192.168.0.0/16; allow 10.0.0.0/16; allow ::1; deny all; proxy_ignore_client_abort on; proxy_pass http://$host:8386; location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { include /etc/nginx/headers.conf; expires 7d; add_header Cache-Control "public, no-transform"; proxy_pass http://$host:8386; } } location /plugin/ { include /etc/nginx/headers.conf; satisfy any; #auth_basic "Restricted Area: Smarthome NG Backend"; #auth_basic_user_file /etc/nginx/.shng; allow 127.0.0.1; allow 192.168.0.0/16; allow 10.0.0.0/16; allow ::1; deny all; proxy_ignore_client_abort on; proxy_pass http://$host:8383; location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { include /etc/nginx/headers.conf; expires 7d; add_header Cache-Control "public, no-transform"; proxy_pass http://$host:8383; } } location /admin/ { include /etc/nginx/headers.conf; satisfy any; #auth_basic "Restricted Area: Smarthome NG Backend"; #auth_basic_user_file /etc/nginx/.shng; allow 127.0.0.1; allow 192.168.0.0/16; allow 10.0.0.0/16; allow ::1; deny all; proxy_pass http://$host:8383; location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { include /etc/nginx/headers.conf; expires 7d; add_header Cache-Control "public, no-transform"; proxy_pass http://$host:8383; } } location /backend/ { include /etc/nginx/headers.conf; satisfy any; #auth_basic "Restricted Area: Smarthome NG Backend"; #auth_basic_user_file /etc/nginx/.shng; allow 127.0.0.1; allow 192.168.0.0/16; allow 10.0.0.0/16; allow ::1; deny all; proxy_pass http://$host:8383; location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { include /etc/nginx/headers.conf; expires 7d; add_header Cache-Control "public, no-transform"; proxy_pass http://$host:8383; } } location /gstatic/ { include /etc/nginx/headers.conf; satisfy any; #auth_basic "Restricted Area: Smarthome NG Backend"; #auth_basic_user_file /etc/nginx/.shng; allow 127.0.0.1; allow 192.168.0.0/16; allow 10.0.0.0/16; allow ::1; deny all; proxy_pass http://$host:8383; location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { include /etc/nginx/headers.conf; expires 7d; add_header Cache-Control "public, no-transform"; proxy_pass http://$host:8383; } } # Network Plugin Weiterleitung location /shnet/ { include /etc/nginx/headers.conf; satisfy any; #auth_basic "Restricted Area: Smarthome NG Network"; #auth_basic_user_file /etc/nginx/.shng; allow 127.0.0.1; allow 192.168.0.0/16; allow 10.0.0.0/16; allow ::1; deny all; proxy_pass http://shnet; rewrite ^/shnet/(.*) /$1 break; } # Nodered Weiterleitung location /nodered/ { include /etc/nginx/headers.conf; satisfy any; #auth_basic "Restricted Area: Smarthome NG Network"; #auth_basic_user_file /etc/nginx/.shng; allow 127.0.0.1; allow 192.168.0.0/16; allow 10.0.0.0/16; allow ::1; deny all; proxy_pass http://nodered; #rewrite ^/nodered/(.*) /$1 break; location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { include /etc/nginx/headers.conf; expires 7d; add_header Cache-Control "public, no-transform"; proxy_pass http://nodered; } } # Weiterleitung zu Grafana location /grafana/ { satisfy any; allow 127.0.0.1; allow 10.0.0.0/8; allow 192.168.0.0/16; # auth_basic "Restricted Area: Monit"; # auth_basic_user_file /etc/nginx/.monit; allow ::1; deny all; proxy_pass http://grafanahost/; include /etc/nginx/headers.conf; location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { rewrite ^/grafana/(.*) /$1 break; include /etc/nginx/headers.conf; expires 7d; add_header Cache-Control "public, no-transform"; proxy_pass http://grafanahost; } } # Weiterleitung zu Monit location /monit/ { satisfy any; allow 127.0.0.1; allow 10.0.0.0/8; allow 192.168.0.0/16; allow ::1; #auth_basic "Restricted Area: Monit"; #auth_basic_user_file /etc/nginx/.monit; deny all; proxy_ignore_client_abort on; rewrite ^/monit/(.*) /$1 break; proxy_pass http://monithost; include /etc/nginx/headers.conf; location ~* favicon|apple-touch-icon|android-chrome-|mstile-|safari-pinned-tab.svg|browserconfig.xml|manifest.json|apple-icon|ms-icon|android-icon|mstile { alias /var/www/html/favicons/monit/favicon.ico; } } location /phpmyadmin { root /usr/share/; index index.php index.html index.htm; location ~ ^/phpmyadmin/(.+\.php)$ { alias /usr/share/phpmyadmin/$1; fastcgi_pass unix:/run/php/php8.2-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $request_filename; # From fastcgi_params fastcgi_param QUERY_STRING $query_string; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param CONTENT_TYPE $content_type; fastcgi_param CONTENT_LENGTH $content_length; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param REQUEST_URI $request_uri; fastcgi_param DOCUMENT_URI $document_uri; fastcgi_param DOCUMENT_ROOT /usr/share/phpmyadmin; # <-- Changed fastcgi_param SERVER_PROTOCOL $server_protocol; fastcgi_param GATEWAY_INTERFACE CGI/1.1; fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_PORT $remote_port; fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_PORT $server_port; fastcgi_param SERVER_NAME $server_name; fastcgi_param REDIRECT_STATUS 200; fastcgi_intercept_errors on; fastcgi_buffers 8 16k; fastcgi_buffer_size 32k; fastcgi_connect_timeout 900; fastcgi_send_timeout 900; fastcgi_read_timeout 900; } location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ { root /usr/share/; } } # Dealing with the uppercased letters location /phpMyAdmin { rewrite ^/* /phpmyadmin last; } }