[framadate] NGINX config

2020-05-02 16:54:42 +02:00 · 2020-05-02 16:54:42 +02:00 · af9d904ea3
parent 0ece2dd51c
commit af9d904ea3
2 changed files with 63 additions and 3 deletions
--- a/roles/framadate/tasks/main.yml
+++ b/roles/framadate/tasks/main.yml
@ -47,12 +47,12 @@
 - name: Configure nginx site
  template:
    src: nginx-site.j2
-    dest: /etc/nginx/sites-available/framadate.conf
+    dest: /etc/nginx/sites-available/framadate

 - name: Enable nginx site
  file:
-    src: /etc/nginx/sites-available/framadate.conf
-    dest: /etc/nginx/stes-enabled/framadate.conf
+    src: /etc/nginx/sites-available/framadate
+    dest: /etc/nginx/sites-enabled/framadate
    state: link

 - name: Indicate role in motd
--- a/roles/framadate/templates/nginx-site.j2
+++ b/roles/framadate/templates/nginx-site.j2
@ -0,0 +1,60 @@
+{{ ansible_header | comment }}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name framadate.crans.org;
+
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'";
+    add_header Referrer-Policy "strict-origin";
+
+    root {{ framadate.path }};
+
+    index index.php;
+
+    location ~^/(\.git)/{
+        deny all;
+    }
+
+    location ~ /\. {
+        deny all;
+    }
+
+    location ~ ^/composer\.json.*$|^/composer\.lock.*$|^/php\.ini.*$|^/.*\.sh {
+        deny all;
+    }
+
+    location /admin/ {
+        auth_basic "Restricted access";
+        auth_basic_user_file /etc/nginx/.htpasswd;
+
+        location ~ \.php$ {
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            include /etc/nginx/fastcgi_params;
+            fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+        }
+        try_files $uri $uri/ =401; 
+    }
+
+    location / {
+        rewrite "^/admin$" "/admin/" permanent;
+
+        # Clean URL
+        rewrite "^/([a-zA-Z0-9-]+)$" "/studs.php?poll=$1" last;
+        rewrite "^/([a-zA-Z0-9-]+)/action/([a-zA-Z_-]+)/(.+)$" "/studs.php?poll=$1&$2=$3" last;
+        rewrite "^/([a-zA-Z0-9-]+)/vote/([a-zA-Z0-9]{16})$" "/studs.php?poll=$1&vote=$2" last;
+        rewrite "^/([a-zA-Z0-9]{24})/admin$" "/adminstuds.php?poll=$1" last;
+        rewrite "^/([a-zA-Z0-9]{24})/admin/vote/([a-zA-Z0-9]{16})$" "/adminstuds.php?poll=$1&vote=$2" last;
+        rewrite "^/([a-zA-Z0-9]{24})/admin/action/([a-zA-Z_-]+)(/([A-Za-z0-9]+))?$" "/adminstuds.php?poll=$1&$2=$4" last;
+        try_files $uri /index.php; 
+    }
+
+    location ~ \.php$ {
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+    }
+}
+