From 86d17dedfaca8184f435688c3fe6b3a143a421de Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sat, 2 May 2020 16:54:42 +0200
Subject: [PATCH] [framadate] NGINX config

---
 roles/framadate/tasks/main.yml | 6 +--
 roles/framadate/templates/nginx-site.j2 | 60 +++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 3 deletions(-)
 create mode 100644 roles/framadate/templates/nginx-site.j2

diff --git a/roles/framadate/tasks/main.yml b/roles/framadate/tasks/main.yml
index 80de2318..507b86e2 100644
--- a/roles/framadate/tasks/main.yml
+++ b/roles/framadate/tasks/main.yml
@@ -47,12 +47,12 @@
 - name: Configure nginx site
   template:
     src: nginx-site.j2
-    dest: /etc/nginx/sites-available/framadate.conf
+    dest: /etc/nginx/sites-available/framadate
 
 - name: Enable nginx site
   file:
-    src: /etc/nginx/sites-available/framadate.conf
-    dest: /etc/nginx/stes-enabled/framadate.conf
+    src: /etc/nginx/sites-available/framadate
+    dest: /etc/nginx/sites-enabled/framadate
     state: link
 
 - name: Indicate role in motd
diff --git a/roles/framadate/templates/nginx-site.j2 b/roles/framadate/templates/nginx-site.j2
new file mode 100644
index 00000000..ef963c3e
--- /dev/null
+++ b/roles/framadate/templates/nginx-site.j2
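Review bot: Neither the `template` task nor the `file` task in this hunk notifies a handler, so a changed site template or the newly created symlink is not picked up until nginx is reloaded by some other means; if the role already has a reload handler, adding `notify: <reload handler name>` to both tasks would close that gap, though I cannot see the rest of the file to confirm one exists. The rename also leaves any previously deployed `/etc/nginx/sites-available/framadate.conf` on disk, which a `file:` task with `state: absent` could clean up so stale and current configs do not coexist.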
@@ -0,0 +1,60 @@
+{{ ansible_header | comment }}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name framadate.crans.org;
+
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'";
+    add_header Referrer-Policy "strict-origin";
+
+    root {{ framadate.path }};
+
+    index index.php;
+
+    location ~^/(\.git)/{
+        deny all;
+    }
+
+    location ~ /\. {
+        deny all;
+    }
+
+    location ~ ^/composer\.json.*$|^/composer\.lock.*$|^/php\.ini.*$|^/.*\.sh {
+        deny all;
+    }
+
+    location /admin/ {
+        auth_basic "Restricted access";
+        auth_basic_user_file /etc/nginx/.htpasswd;
+
+        location ~ \.php$ {
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            include /etc/nginx/fastcgi_params;
+            fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+        }
+        try_files $uri $uri/ =401;
+    }
+
+    location / {
+        rewrite "^/admin$" "/admin/" permanent;
+
+        # Clean URL
+        rewrite "^/([a-zA-Z0-9-]+)$" "/studs.php?poll=$1" last;
+        rewrite "^/([a-zA-Z0-9-]+)/action/([a-zA-Z_-]+)/(.+)$" "/studs.php?poll=$1&$2=$3" last;
+        rewrite "^/([a-zA-Z0-9-]+)/vote/([a-zA-Z0-9]{16})$" "/studs.php?poll=$1&vote=$2" last;
+        rewrite "^/([a-zA-Z0-9]{24})/admin$" "/adminstuds.php?poll=$1" last;
+        rewrite "^/([a-zA-Z0-9]{24})/admin/vote/([a-zA-Z0-9]{16})$" "/adminstuds.php?poll=$1&vote=$2" last;
+        rewrite "^/([a-zA-Z0-9]{24})/admin/action/([a-zA-Z_-]+)(/([A-Za-z0-9]+))?$" "/adminstuds.php?poll=$1&$2=$4" last;
+        try_files $uri /index.php;
+    }
+
+    location ~ \.php$ {
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+    }
+}
+
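Review bot: The basic auth on `location /admin/` does not protect the PHP scripts under it, because nginx checks the server-level `location ~ \.php$` regexes before falling back to the longest-matching prefix, so a request for a `.php` file under `/admin/` is served by the unauthenticated PHP block at the bottom of the file and the nested location carrying `auth_basic` is never reached (nested locations are only consulted once the outer prefix is selected, unless I am misreading nginx's precedence). Declaring the prefix as `location ^~ /admin/ {` stops the regex search at that prefix, so the nested `\.php$` handler with `auth_basic` is the one used. Separately, both PHP locations pass `$document_root$fastcgi_script_name` to php-fpm without confirming the script exists; adding `try_files $uri =404;` as the first line of each PHP location avoids depending on PHP's `cgi.fix_pathinfo` behaviour for paths that do not map to a real script.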