├── README.md
├── openssl
│   └── ssl.conf
├── site-includes
│   ├── expires.conf
│   ├── gzip.conf
│   ├── laravel.conf
│   ├── log-me-not.conf
│   └── ssl.conf
└── vhost-template
    ├── reverse-proxy.conf
    └── website.conf

/README.md:
--------------------------------------------------------------------------------
# Tim's Quick and Easy nginx includes

**Please Note:** This has only been tested on RHEL6/RHEL7 with EPEL & provided nginx. YMMV.

**TL;DR:** Check out the [Website Config File](https://github.com/timgws/handy-nginx-includes/blob/master/vhost-template/website.conf)

# Quick Install Guide

```sh
# clone this repository to /etc/nginx/templates
git clone git@github.com:timgws/handy-nginx-includes.git /etc/nginx/templates
# the vhost templates reference the includes as site-config/*.conf, relative to the nginx prefix
ln -s /etc/nginx/templates/site-includes /etc/nginx/site-config
```

# Included Templates

* **[website.conf](https://github.com/timgws/handy-nginx-includes/blob/master/vhost-template/website.conf)**: A generic vhost for one domain, with www and non-www support. Logs access to a separate log file. SSL support is easy to enable. Comment out the sections that you don't want or need.
* **[reverse-proxy.conf](https://github.com/timgws/handy-nginx-includes/blob/master/vhost-template/reverse-proxy.conf)**: A generic reverse proxy, handy when you want to migrate servers. Includes a block that serves files which exist locally in the document root; anything not found locally is served by the reverse proxy.

# 'Modular Includes'

Inside the `site-includes` folder there are several files with pre-rolled settings:

* `expires.conf`: set high expires values for CSS, JavaScript and common image formats
* `gzip.conf`: enable gzip compression for common formats
* `laravel.conf`: a simple Laravel config file
* `log-me-not.conf`: don't log images in the access log
* `ssl.conf`: enable SSL. Test with Qualys SSL Labs (https://www.ssllabs.com/ssltest/), which provides a comprehensive SSL testing suite; this config should give you a green A+.

# Using the SSL template

There is a template provided in `vhost-template/website.conf`. I recommend copying this template into `/etc/nginx/conf.d`, named after the vhost.

For example, when setting up `newdomain.com`, copy `vhost-template/website.conf` to `/etc/nginx/conf.d/newdomain.com.conf`.

Edit the newly created file and ensure that all the settings are correct.

## Quick note about dhparams

To avoid Logjam (https://weakdh.org/sysadmin.html), generate a unique `dhparam` file before you use SSL for the first time on a server:

```sh
mkdir -p /etc/ssl/certs && cd /etc/ssl/certs
# 4096-bit parameters take several minutes to generate; this only has to be done once per server
openssl dhparam -out dhparam.pem 4096
```

If you don't do this, the SSL templates will not work for you: nginx refuses to start when `ssl_dhparam` points at a file that does not exist.

# Setting up SSL for a domain

## Creating the Certificate Signing Request (CSR)

Create the private key and CSR. Using the OpenSSL request template ensures that required fields (such as the email address and hostname) cannot be skipped.

```sh
mkdir -p /etc/nginx/ssl && cd /etc/nginx/ssl/
openssl req -config ../templates/openssl/ssl.conf -new -nodes -keyout domainname.com.key -out domainname.com.csr
# the key is unencrypted (-nodes), so keep it readable by root only
chmod 600 domainname.com.key

# output the CSR and send it to the certificate provider
cat domainname.com.csr

# or, on a Mac, copy the contents straight into your clipboard
pbcopy < domainname.com.csr
```

## Order an SSL certificate

After ordering an SSL certificate with your favourite SSL provider (I normally order Geotrust $10 certificates from either enom or Namecheap), paste the above generated CSR when asked by your certificate wholesaler. Ensure that you can receive email at one of the listed email addresses.

## Save the certificate

Confirm your email address, then save the certificate once you receive it.

```sh
# on a Mac
pbpaste > /etc/nginx/ssl/domainname.com.crt

# on Linux
cat > /etc/nginx/ssl/domainname.com.crt
{paste certificate from email/web interface}
{CTRL+D}
```

--------------------------------------------------------------------------------
/openssl/ssl.conf:
--------------------------------------------------------------------------------
[ req ]
default_bits = 4096
distinguished_name = req_ssl

#attributes = req_attributes
#req_extensions = v3_ca
policy = policy_no_skipping

[ req_ssl ]
# the _min/_max values are string length limits enforced at the prompt,
# so a field with _min = 2 cannot be left empty
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

localityName = Locality Name (eg, city)
localityName_default = Sydney

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New South Wales

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Sales

commonName = Common Name/FQDN (eg, www.domainname.com) [required]
commonName_default = *
commonName_min = 2
commonName_max = 64

emailAddress = Email Address
emailAddress_default = @
emailAddress_min = 2
emailAddress_max = 40

[ policy_no_skipping ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = supplied

--------------------------------------------------------------------------------
/site-includes/expires.conf:
--------------------------------------------------------------------------------
# note: add_header directives inside a location replace, rather than extend, those set at
# server level, so headers added in the vhost (e.g. Strict-Transport-Security) are not sent
# for the assets matched here
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
    expires 30d;
    add_header Pragma public;
    add_header Cache-Control "public";
}
--------------------------------------------------------------------------------
/site-includes/gzip.conf:
--------------------------------------------------------------------------------
gzip on;
# text/html is always compressed; listing it here makes nginx warn about a duplicate MIME type
gzip_types text/css application/javascript;
--------------------------------------------------------------------------------
/site-includes/laravel.conf:
--------------------------------------------------------------------------------
# removes trailing slashes (prevents SEO duplicate content issues)
if (!-d $request_filename)
{
    rewrite ^/(.+)/$ /$1 permanent;
}

# enforce NO www
if ($host ~* ^www\.(.*))
{
    set $host_without_www $1;
    rewrite ^/(.*)$ $scheme://$host_without_www/$1 permanent;
}

# the default controller here is "lobby"; change the first alternative if yours is different
if ($request_uri ~* ^(/lobby(/index)?|/index(.php)?)/?$)
{
    rewrite ^(.*)$ / permanent;
}

# removes trailing "index" from all controllers
if ($request_uri ~* index/?$)
{
    rewrite ^/(.*)/index/?$ /$1 permanent;
}

# unless the request is for a valid file (image, js, css, etc.), send to bootstrap
# ("last" ends rewrite processing, so no break is needed after it)
if (!-e $request_filename)
{
    rewrite ^/(.*)$ /index.php?/$1 last;
}
--------------------------------------------------------------------------------
/site-includes/log-me-not.conf:
--------------------------------------------------------------------------------
# note: nginx uses the first matching regex location, so when expires.conf is included
# ahead of this file in the same server block, its location wins and this one never applies
location ~* \.(css|jpe?g|gif|png|ico|js)$ {
    access_log off;
    expires max;
}
--------------------------------------------------------------------------------
/site-includes/ssl.conf:
--------------------------------------------------------------------------------
#---
# Before using, make sure that you:
#
#   mkdir -p /etc/ssl/certs && cd /etc/ssl/certs
#   openssl dhparam -out dhparam.pem 4096
#---

# "ssl on" suits the older nginx shipped for RHEL6/7; it is deprecated since
# nginx 1.15.0 in favour of the ssl parameter on the listen directive
ssl on;

# must be the file generated by the commands above
ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
# without ssl_session_ticket_key the ticket key only changes on restart,
# so tickets would weaken forward secrecy
ssl_session_tickets off;

# https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
--------------------------------------------------------------------------------
/vhost-template/reverse-proxy.conf:
--------------------------------------------------------------------------------
# ---
# Reverse Proxy Configuration
# ---
upstream upstream.server {
    # source server
    server loadb01.live.com.au:80;
}

server {
    listen 80;

    # ---
    # The server name (or names) that you are going to put this site live as...
    # ---
    server_name www.mywebsite.com;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root html;
    #    fastcgi_pass 127.0.0.1:9000;
    #    fastcgi_index index.php;
    #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    #    include fastcgi_params;
    #}

    location / {

        # redirect non-www to www.
        if ($http_host ~* "^mywebsite\.com") {
            rewrite ^(.*)$ http://www.mywebsite.com$1 redirect;
        }

        proxy_pass http://upstream.server;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;

        # ---
        # Change the host here to rewrite the Host header sent to the origin server
        # ---
        proxy_set_header Host loadb01.live.com.au;
        proxy_set_header X-Real-IP $remote_addr;
        # appends the client address to any X-Forwarded-For the client supplied,
        # so the origin must only trust the last (rightmost) entry
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /blog {
        # This is cool because no php is touched for static content.
        # PHP files under /blog are handled by the "location ~ \.php$" block below.
        root /srv/html;
        # include the "?$args" part so non-default permalinks don't break when using query strings
        try_files $uri $uri/ /blog/index.php?$args;

        #index index.html index.htm;
        index index.php;
    }

    location ~ \.php$ {
        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        root /srv/html;
        # only hand a script name to PHP when that file actually exists
        try_files $uri =404;
        include fastcgi_params;

        fastcgi_intercept_errors on;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
    }
}
--------------------------------------------------------------------------------
/vhost-template/website.conf:
--------------------------------------------------------------------------------
server {
    # ---
    # VHOST SETUP
    # ---
    # plain-HTTP listener: its only job is to redirect to HTTPS
    server_name my-first-website.com www.my-first-website.com;
    listen 80;

    return 301 https://$host$request_uri;
}


server {
    # ---
    # VHOST SETUP
    # ---
    server_name my-first-website.com www.my-first-website.com;
    root /var/www/1st-site/public/;
    index index.php index.html;
    listen 443 ssl;

    # ---
    # LOG FILES
    # ---
    access_log /var/log/http/my-first-website.com.access.log;
    error_log /var/log/http/my-first-website.com.error.log;

    # ---
    # SSL CONFIGURATION
    # ---
    include site-config/ssl.conf;
    ssl_certificate /etc/nginx/ssl/my-first-website.com.crt;
    ssl_certificate_key /etc/nginx/ssl/my-first-website.com.key;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # ---
    # SECURITY HEADERS
    # ---
    # these belong on the real responses served here, not on the port-80 redirect
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;

    # ---
    # Generic Includes
    # ---
    include site-config/expires.conf;
    include site-config/gzip.conf;
    include site-config/laravel.conf;
    include site-config/log-me-not.conf;
}

--------------------------------------------------------------------------------
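As an added example that is not part of the handy-nginx-includes project, the following Python script audits a flat TLS include such as `site-includes/ssl.conf` against what the README asks for: TLSv1.2 only, ECDHE-only ciphers, session tickets off, and an `ssl_dhparam` path that matches the file the README's `openssl dhparam` step creates. The line-based parser, the finding messages and the embedded sample include are constructed for this example; it runs offline and is not a full nginx parser.

```python
"""Offline audit of a flat nginx TLS include such as site-includes/ssl.conf.
Added example, not project code; reads `directive value;` lines, not full nginx syntax."""
import re

DIRECTIVE = re.compile(r"^[ \t]*([a-z_]+)[ \t]+(.+?)[ \t]*;[ \t]*$", re.MULTILINE)
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT")  # broken or export-grade suites
README_DHPARAM = "/etc/ssl/certs/dhparam.pem"  # output of the README's `openssl dhparam` step
DEFAULT_PROTOCOLS = "TLSv1 TLSv1.1 TLSv1.2"  # nginx's default before 1.23.4 when ssl_protocols is absent


def parse_include(text):
    """Map directive name -> raw value; '#' comment lines never match."""
    return dict(DIRECTIVE.findall(text))


def audit_ssl_include(text, dhparam_path=README_DHPARAM):
    """Return the list of findings for one include; an empty list means it passes."""
    conf = parse_include(text)
    findings = []
    protocols = set(conf.get("ssl_protocols", DEFAULT_PROTOCOLS).split())
    findings += [f"weak protocol enabled: {p}" for p in sorted(protocols & WEAK_PROTOCOLS)]
    for suite in conf.get("ssl_ciphers", "").strip("'\"").split(":"):
        if not suite.startswith("ECDHE-"):  # no ephemeral key exchange, so no forward secrecy
            findings.append(f"no forward secrecy: {suite or 'ssl_ciphers not set'}")
        elif any(tok in suite for tok in WEAK_CIPHER_TOKENS):
            findings.append(f"weak cipher suite: {suite}")
    if conf.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers should be on")
    if conf.get("ssl_session_tickets") != "off":  # ticket key only changes on restart
        findings.append("ssl_session_tickets should be off")
    dhparam = conf.get("ssl_dhparam")
    if dhparam != dhparam_path:  # the mismatch the README's manual steps would not catch
        findings.append(f"ssl_dhparam is {dhparam or 'not set'} but the README generates {dhparam_path}")
    return findings


# Constructed sample mirroring the page's site-includes/ssl.conf (cipher list shortened),
# including a dhparam path that does not match the README's instructions.
SAMPLE_INCLUDE = """# mkdir /etc/ssl/certs && cd /etc/ssl/certs
ssl on;
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
"""

if __name__ == "__main__":
    for finding in audit_ssl_include(SAMPLE_INCLUDE) or ["no findings"]:
        print(finding)
```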