adding #20

4 years ago · a12feebf93
--- a/app/Commands/NginxVhostsCommand.php
+++ b/app/Commands/NginxVhostsCommand.php
@ -108,6 +108,8 @@ class NginxVhostsCommand extends Command
                'redirect_www' => true
            ];

            exec('find /lib/systemd/system/ -name "php[0-9\.]*-fpm.service"', $files);

            // create checkbox for ssl
            $checkboxSSL = new CheckboxItem('ssl', function(CliMenu $menu) use (&$configuration) {
                $configuration['ssl'] = $menu->getSelectedItem()->getChecked();
@ -152,6 +154,18 @@ class NginxVhostsCommand extends Command
                    $menu->getSelectedItem()->setText('index: '.$result->fetch());
                    $menu->redraw();
                })
                ->addLineBreak('-');

            foreach($files as $index => $file) {
                $file = str_replace('/lib/systemd/system/', '', $file);
                $file = str_replace('.service', '', $file);

                $builder->addRadioItem($file, function(CliMenu $menu) use (&$configuration) {
                    $configuration['php_fpm'] = $menu->getSelectedItem()->getText();
                });
            }

            $builder
                ->addLineBreak('-')

                // options
@ -169,7 +183,8 @@ class NginxVhostsCommand extends Command

                    $validator = v::key('domain', v::domain(false))
                        ->key('root', v::directory())
                        ->key('index', v::file());
                        ->key('index', v::file())
                        ->key('php_fpm', v::notEmpty());

                    try {
                        $validator->assert($data);
--- a/resources/nginx/snippts/deny.conf
+++ b/resources/nginx/snippts/deny.conf
@ -0,0 +1,6 @@
 # deny hidden files
 location ~ /\. {
    access_log off;
    log_not_found off;
    deny all;
 }
--- a/resources/nginx/snippts/expires.conf
+++ b/resources/nginx/snippts/expires.conf
@ -0,0 +1,11 @@
 location ~* \.(?:manifest|appcache|html?|xml|json)$ {
    access_log off;
    log_not_found off;
    expires -1;
 }

 location ~* \.(?:rss|atom)$ {
    access_log off;
    log_not_found off;
    expires 1h;
 }
--- a/resources/nginx/snippts/secure-headers.conf
+++ b/resources/nginx/snippts/secure-headers.conf
@ -0,0 +1,16 @@
 # X-Frame-Options is an HTTP header that allows sites control over how your site may be framed within an iframe
 # https://infosec.mozilla.org/guidelines/web_security#x-frame-options
 add_header X-Frame-Options DENY;

 # send referrer, but only on requests to the same origin
 # https://infosec.mozilla.org/guidelines/web_security#referrer-policy
 add_header Referrer-Policy same-origin;

 # This header enables the Cross-site scripting (XSS) filter
 # https://infosec.mozilla.org/guidelines/web_security#x-xss-protection
 add_header X-XSS-Protection "1; mode=block";

 # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
 # to disable content-type sniffing on some browsers.
 # https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
 add_header X-Content-Type-Options nosniff;
--- a/resources/nginx/snippts/ssl-params.conf
+++ b/resources/nginx/snippts/ssl-params.conf
@ -0,0 +1,15 @@
 # from https://cipherli.st/
 # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
 ssl_ecdh_curve secp384r1;
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
 ssl_stapling on;
 ssl_stapling_verify on;
 resolver 8.8.8.8 8.8.4.4 valid=300s;
 resolver_timeout 5s;

 ssl_dhparam /etc/ssl/certs/dhparam.pem;
--- a/resources/nginx/templates/flight.blade.php
+++ b/resources/nginx/templates/flight.blade.php
@ -8,4 +8,14 @@
    location / {
        try_files $uri $uri/ /index.php;
    }

    # php-fpm configuration.
    location ~ \.php(/|$) {
        fastcgi_split_path_info  ^(.+\.php)(.*)$;
        fastcgi_pass             unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index            index.php;
        fastcgi_param            SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param            DOCUMENT_ROOT $realpath_root;
        include                  /etc/nginx/fastcgi_params;
    }
@endsection
--- a/resources/nginx/templates/wordpress.blade.php
+++ b/resources/nginx/templates/wordpress.blade.php
@ -1,7 +1,7 @@
@extends($ssl ? 'layouts.ssl' : 'layouts.no-ssl')

@section('server')
    

    root {{ $root }};
    index {{ $index }};

@ -21,9 +21,10 @@
        access_log off;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|woff|eot|ttf|svg|mp4|webm)$ {
        expires max;
        log_not_found off;
        access_log off;
    }

    location ~ /\. {
@ -34,10 +35,12 @@
        deny all;
    }

    find /lib/systemd/system/ -name 'php[0-9\.]*-fpm.service'php7.2-fpm

    # php-fpm configuration.
    location ~ \.php(/|$) {
        fastcgi_split_path_info  ^(.+\.php)(.*)$;
        fastcgi_pass             unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_pass             unix:/var/run/php/{{ $phpFpmVersion }}.sock;
        fastcgi_index            index.php;
        fastcgi_param            SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param            DOCUMENT_ROOT $realpath_root;