Commit 91423d2e authored by Simonas's avatar Simonas

Merge branch 'server-update' into dev

parents 990225d1 61678957
PROJECT=dev-biuro PROJECT=dev-biuro
IMAGE_NGINX=nginx:1.15.7 #IMAGE_NGINX=nginx:1.15.7
# IMAGE_NGINX=fholzer/nginx-brotli IMAGE_NGINX=kbenassm/nginx-brotli-tls13
IMAGE_MYSQL=mariadb:10.3 IMAGE_MYSQL=mariadb:10.3
IMAGE_WORDPRESS=wordpress:php7.2-fpm IMAGE_WORDPRESS=wordpress:php7.3-fpm
IMAGE_WORDPRESS_CLI=wordpress:cli-php7.2 IMAGE_WORDPRESS_CLI=wordpress:cli-php7.3
DB_NAME=dev_biuro DB_NAME=dev_biuro
DB_HOST=mysql DB_HOST=mysql
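Review bot: The new `IMAGE_NGINX=kbenassm/nginx-brotli-tls13` value has no tag or digest and points at a personal Docker Hub namespace, so the nginx service runs whatever `latest` resolves to at pull time. The value it replaces was the official image with a fixed tag, `nginx:1.15.7`. If brotli or TLS 1.3 support is the reason for the switch, pin the reviewed image by digest, e.g. `IMAGE_NGINX=kbenassm/nginx-brotli-tls13@sha256:<digest-of-reviewed-image>`, or build the module on top of the official image inside this repository. The rest of this file is collapsed on the page and was not reviewed.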
......
FROM php:7.2-fpm FROM php:7.3-fpm
LABEL maintainer="Biuro<info@biuro.lt>" # install the PHP extensions we need
RUN set -ex; \
\
savedAptMark="$(apt-mark showmanual)"; \
\
apt-get update; \
apt-get install -y --no-install-recommends \
libjpeg-dev \
libpng-dev \
libzip-dev \
; \
\
docker-php-ext-configure gd --with-png-dir=/usr --with-jpeg-dir=/usr; \
docker-php-ext-install gd mysqli opcache zip; \
\
# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
apt-mark auto '.*' > /dev/null; \
apt-mark manual $savedAptMark; \
ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
| awk '/=>/ { print $3 }' \
| sort -u \
| xargs -r dpkg-query -S \
| cut -d: -f1 \
| sort -u \
| xargs -rt apt-mark manual; \
\
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
rm -rf /var/lib/apt/lists/*
# set recommended PHP.ini settings
# see https://secure.php.net/manual/en/opcache.installation.php
RUN { \
echo 'opcache.memory_consumption=128'; \
echo 'opcache.interned_strings_buffer=8'; \
echo 'opcache.max_accelerated_files=4000'; \
echo 'opcache.revalidate_freq=2'; \
echo 'opcache.fast_shutdown=1'; \
echo 'opcache.enable_cli=1'; \
} > /usr/local/etc/php/conf.d/opcache-recommended.ini
VOLUME /var/www/html
ENV WORDPRESS_VERSION 5.0.3
ENV WORDPRESS_SHA1 f9a4b482288b5be7a71e9f3dc9b5b0c1f881102b
RUN set -ex; \
curl -o wordpress.tar.gz -fSL "https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar.gz"; \
echo "$WORDPRESS_SHA1 *wordpress.tar.gz" | sha1sum -c -; \
# upstream tarballs include ./wordpress/ so this gives us /usr/src/wordpress
tar -xzf wordpress.tar.gz -C /usr/src/; \
rm wordpress.tar.gz; \
chown -R www-data:www-data /usr/src/wordpress
COPY docker-entrypoint.sh /usr/local/bin/
ENTRYPOINT ["docker-entrypoint.sh"]
FROM php:7.3-fpm
# install the PHP extensions we need # install the PHP extensions we need
RUN set -ex; \ RUN set -ex; \
...@@ -11,6 +67,7 @@ RUN set -ex; \ ...@@ -11,6 +67,7 @@ RUN set -ex; \
apt-get install -y --no-install-recommends \ apt-get install -y --no-install-recommends \
libjpeg-dev \ libjpeg-dev \
libpng-dev \ libpng-dev \
libzip-dev \
; \ ; \
\ \
docker-php-ext-configure gd --with-png-dir=/usr --with-jpeg-dir=/usr; \ docker-php-ext-configure gd --with-png-dir=/usr --with-jpeg-dir=/usr; \
...@@ -72,30 +129,3 @@ RUN \ ...@@ -72,30 +129,3 @@ RUN \
ENTRYPOINT ["docker-entrypoint.sh"] ENTRYPOINT ["docker-entrypoint.sh"]
CMD ["php-fpm"] CMD ["php-fpm"]
#####FROM wordpress:php7.2-fpm
#####
#####LABEL maintainer="Biuro<info@biuro.lt>"
#####
#####RUN \
##### apt-get update && \
##### apt-get install unzip wget mysql-client -y && \
##### rm -rf /var/lib/apt/lists/*
#####
###### COPY ./uploads.ini /usr/local/etc/php/conf.d/uploads.ini
#####
#####COPY docker-entrypoint.sh /usr/local/bin/
#####RUN chmod +x /usr/local/bin/docker-entrypoint.sh
#####
#####COPY ./wp-content/themes/biuro /temp/themes/biuro
#####COPY ./wp-content/plugins/ /temp/plugins/
###### COPY ./base/ /temp/base
#####
#####RUN \
##### unzip '/temp/themes/*.zip' -d /temp/themes && rm /temp/themes/*.zip || true; \
##### unzip '/temp/plugins/*.zip' -d /temp/plugins && rm /temp/plugins/*.zip || true; \
##### # unzip '/temp/base/*.zip' -d /temp/base && rm /temp/base/*.zip || true; \
##### exit 0
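Review bot: The WordPress tarball is verified only with `sha1sum -c` against `WORDPRESS_SHA1`, and SHA-1 is no longer collision-resistant, so it is a weak pin for an archive that is unpacked into `/usr/src/wordpress`. Consider recording a SHA-256 of the reviewed tarball and checking that instead: `ENV WORDPRESS_SHA256=<sha256-of-reviewed-tarball>` together with `echo "$WORDPRESS_SHA256 *wordpress.tar.gz" | sha256sum -c -`. The section also shows two unnamed `FROM` lines (`php:7.2-fpm` and `php:7.3-fpm`). The rendered page does not show which side each belongs to, but if both are in the new file the first stage is built and discarded, so it is worth confirming that only the 7.3 stage remains.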
# COPY ./app /usr/share/nginx/html
...@@ -114,15 +114,16 @@ Restart docker (sometimes PC restart may be required) ...@@ -114,15 +114,16 @@ Restart docker (sometimes PC restart may be required)
- docker load --input ourdemo.tar - docker load --input ourdemo.tar
- docker build -t simoncereska/biuro-staging:0.0.8 . - docker build -t simoncereska/biuro-staging:0.0.9 .
- docker login --username=simoncereska --password=rlgjsPeOuF2T6VgW8fGss81h - docker login --username=simoncereska --password=rlgjsPeOuF2T6VgW8fGss81h
- docker push simoncereska/biuro-staging:0.0.8 - docker push simoncereska/biuro-staging:0.0.9
- sudo chown -R www-data:www-data wordpress/wp-content/plugins - sudo chown -R www-data:www-data wordpress/wp-content/plugins
### DB preview ### DB preview
- `docker exec -it mysql bash` - `docker exec -it dev-biuro-wordpress bash`
- `docker exec -it dev-biuro-mysql bash`
- `mysql -uroot -pIiIjnsLi2wR9i1kWVbVpUAzP --default-character-set=utf8` - `mysql -uroot -pIiIjnsLi2wR9i1kWVbVpUAzP --default-character-set=utf8`
- `use wordpress;` - `use wordpress;`
- `show tables;` - `show tables;`
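Review bot: The `docker login --username=… --password=…` line and the `mysql -uroot -p…` line keep literal credentials in the README, and this commit edits the lines around them without removing them. Anything committed here stays in git history, so the registry password and the database root password should both be treated as exposed and rotated, not just deleted from the file. In the instructions, use forms that keep the secret off the command line and out of the repository, e.g. `docker login --username=<user> --password-stdin` and `mysql -uroot -p --default-character-set=utf8`, which prompts for the password.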
......
...@@ -26,6 +26,8 @@ services: ...@@ -26,6 +26,8 @@ services:
- "front" - "front"
- "back" - "back"
volumes: volumes:
- ./nginx/php.ini:/usr/local/etc/php/conf.d/php.ini
- ./wp-content/plugins/cookies-warning:/var/www/html/wp-content/plugins/cookies-warning - ./wp-content/plugins/cookies-warning:/var/www/html/wp-content/plugins/cookies-warning
- ./wp-content/plugins/data-controller:/var/www/html/wp-content/plugins/data-controller - ./wp-content/plugins/data-controller:/var/www/html/wp-content/plugins/data-controller
- ./wp-content/plugins/jobs-importer:/var/www/html/wp-content/plugins/jobs-importer - ./wp-content/plugins/jobs-importer:/var/www/html/wp-content/plugins/jobs-importer
...@@ -66,7 +68,19 @@ services: ...@@ -66,7 +68,19 @@ services:
- '80:80' - '80:80'
- '443:443' - '443:443'
volumes: volumes:
- ./nginx:/etc/nginx/conf.d - ./nginx/conf.d:/etc/nginx/conf.d
- ./nginx/h5bp:/etc/nginx/h5bp
- ./nginx/nginx.conf:/etc/nginx/nginx.conf
- ./nginx/redirects:/etc/nginx/redirects
- ./nginx/cache:/var/cache/nginx
# - ./nginx/nginx.conf:/etc/nginx/nginx.conf
# - ./nginx:/etc/nginx/conf.d
# - ./nginx/conf.d:/etc/nginx/conf.d
# - ./nginx/nginx.conf:/etc/nginx/nginx.conf
- ./logs/nginx:/var/log/nginx - ./logs/nginx:/var/log/nginx
- ./certs:/etc/letsencrypt - ./certs:/etc/letsencrypt
- ./certs-data:/data/letsencrypt - ./certs-data:/data/letsencrypt
...@@ -97,6 +111,8 @@ services: ...@@ -97,6 +111,8 @@ services:
networks: networks:
- "back" - "back"
volumes: volumes:
- './var/wp-cli/cache:/etc/X11/fs/.wp-cli/cache'
- ./wp-content/plugins/cookies-warning:/var/www/html/wp-content/plugins/cookies-warning - ./wp-content/plugins/cookies-warning:/var/www/html/wp-content/plugins/cookies-warning
- ./wp-content/plugins/data-controller:/var/www/html/wp-content/plugins/data-controller - ./wp-content/plugins/data-controller:/var/www/html/wp-content/plugins/data-controller
- ./wp-content/plugins/jobs-importer:/var/www/html/wp-content/plugins/jobs-importer - ./wp-content/plugins/jobs-importer:/var/www/html/wp-content/plugins/jobs-importer
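Review bot: The added configuration mounts (`./nginx/php.ini`, `./nginx/conf.d`, `./nginx/h5bp`, `./nginx/nginx.conf`, `./nginx/redirects`) are all read-write, so a compromised process inside the container could rewrite its own server configuration in the host checkout. Files the container only reads should carry `:ro`, e.g. `- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro` and `- ./nginx/php.ini:/usr/local/etc/php/conf.d/php.ini:ro`. The `./certs:/etc/letsencrypt` context line holds the private keys and would benefit from the same flag if renewal runs in a different container, which is not visible here. The commented-out duplicate mount lines added in the second hunk could be dropped.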
......
# ----------------------------------------------------------------------
# 301 biuro.ee redirects
# ----------------------------------------------------------------------
# rewrite ^/toeoepakkumised$ / permanent;
# rewrite ^/toeoepakkumised/(.*)$ /? permanent;
# Biuro SEO issues
# https://docs.google.com/spreadsheets/d/1dXP0dh_v2sFajrcwR2_9HONMadCdZQW4Y2dVXvhxG3E/edit?ts=5b5eaa6b#gid=0
#
rewrite ^/toeoeandjatele/suvetoo-pank/?$ /toeoeandjatele/ajutine-toeoehoive/ permanent;
# Intertnal ex 302
rewrite ^/rabotnikam/?$ /rabotnikam/vremennaya-rabota/ permanent;
rewrite ^/toeoeandjatele/?$ /toeoeandjatele/ajutine-toeoehoive/ permanent;
rewrite ^/contacts/?$ /contacts/job-seekers/ permanent;
rewrite ^/toeoeotsijatele/?$ /toeoeotsijatele/ajutine-toeoe/ permanent;
rewrite ^/o-biuro/?$ /o-biuro/o-nas/ permanent;
rewrite ^/job-seekers/?$ /job-seekers/temporary-employment-in-estonia/ permanent;
rewrite ^/home/?$ / permanent;
rewrite ^/employers/?$ /employers/temporary-employees-in-estonia/ permanent;
rewrite ^/kontakty/?$ /kontakty/rabotnikam/ permanent;
rewrite ^/about-biuro/?$ /about-biuro/staffing-agency-in-estonia/ permanent;
rewrite ^/rabotodatelyam/?$ /rabotodatelyam/vremennoe-trudoustrojstvo/ permanent;
rewrite ^/kontaktid/?$ /kontaktid/toeoeotsijad/ permanent;
rewrite (?i)^/Meist/?$ /Meist/meist/ permanent;
# ----------------------------------------------------------------------
# 301 biuro.lt redirects
# ----------------------------------------------------------------------
# rewrite ^/darbo-pasiulymai$ / permanent;
# rewrite ^/darbo-pasiulymai/(.*)$ /? permanent;
rewrite ^/employers/staf-search-and-selection-in-lithuania/?$ /employers/staff-search-and-selection-in-lithuania/ permanent;
# Biuro SEO issues
# https://docs.google.com/spreadsheets/d/1dXP0dh_v2sFajrcwR2_9HONMadCdZQW4Y2dVXvhxG3E/edit?ts=5b5eaa6b#gid=0
#
rewrite ^/contacts/course-agentures/?$ /contacts/job-seekers/ permanent;
# Intertnal ex 302
# --- Darbuotojams ---
rewrite ^/darbuotojams/?$ /darbo-pasiulymai/ permanent;
# rewrite ^/darbo-paieska/uzsidirbtilietuvoje/?$ /darbo-paieska/laikinas-darbas/ permanent;
# rewrite ^/darbo-paieska/atvesk-drauga-gauk-dovanu/?$ /darbo-paieska/laikinas-darbas/ permanent;
rewrite ^/darbo-paieska/uzsidirbtilietuvoje/?$ /darbo-pasiulymai/ permanent;
rewrite ^/darbo-paieska/atvesk-drauga-gauk-dovanu/?$ /darbo-pasiulymai/ permanent;
# rewrite ^/darbo-paieska/vasarosdarbubankas/?$ / permanent;
rewrite ^/darbo-paieska/vasarosdarbubankas/?$ /darbo-pasiulymai/ permanent;
rewrite ^/darbo-paieska/?$ /darbo-pasiulymai/ permanent;
rewrite ^/darbo-paieska/laikinas-darbas/?$ /darbo-pasiulymai/ permanent;
rewrite ^/darbo-paieska/siulo-darba/?$ /darbuotojams/siulo-darba/ permanent;
rewrite ^/darbo-paieska/papildomas-darbas/?$ /darbuotojams/duk/ permanent;
rewrite ^/darbo-paieska/klauskite\;/?$ /darbuotojams/kontaktai/ permanent;
rewrite ^/darbo-paieska/klauskite/?$ /darbuotojams/kontaktai/ permanent;
rewrite ^/kontaktai/?$ /darbuotojams/kontaktai/ permanent;
rewrite ^/kontaktai/darbinimo-agenturos/?$ /darbuotojams/kontaktai/ permanent;
# --- Darbdaviams ---
# rewrite ^/personalo-nuoma/vasarosdarbubankas/?$ / permanent;
rewrite ^/darbdaviams/?$ /darbdaviams/pardaviminis-puslapis-lt/ permanent;
rewrite ^/personalo-nuoma/vasarosdarbubankas/?$ /darbdaviams/pardaviminis-puslapis-lt/ permanent;
rewrite ^/personalo-nuoma/?$ /darbdaviams/pardaviminis-puslapis-lt/ permanent;
rewrite ^/personalo-nuoma/laikinas-idarbinimas/?$ /darbdaviams/pardaviminis-puslapis-lt/ permanent;
rewrite ^/personalo-nuoma/specialistu-nuoma/?$ /darbdaviams/specialistu-nuoma/ permanent;
rewrite ^/personalo-nuoma/personalo-paieska-atranka/?$ /darbdaviams/personalo-paieska-ir-atranka/ permanent;
rewrite ^/kontaktai/personalo-nuomai/?$ /darbdaviams/kontaktai/ permanent;
rewrite ^/personalo-nuoma/siuskite-uzklausa/?$ /darbdaviams/kontaktai/ permanent;
# --- Apie Mus
rewrite ^/personalo-nuomos-paslaugos/?$ /apie-mus/ permanent;
rewrite ^/personalo-nuomos-paslaugos/idarbinimo-agentura/?$ /apie-mus/ permanent;
rewrite ^/personalo-nuomos-paslaugos/darbuotoju-paieska-ir-atranka/?$ /tarptautinis-tinklas/ permanent;
rewrite ^/personalo-nuomos-paslaugos/naryste-lietuvoje/?$ /naryste-lietuvoje/ permanent;
rewrite ^/personalo-nuomos-paslaugos/etikos-kodeksas/?$ /etikos-kodeksas/ permanent;
rewrite ^/personalo-nuomos-paslaugos/antikorupcines-priemones/?$ /antikorupcines-priemones/ permanent;
rewrite ^/employers/?$ /employers/temporary-employees-in-lithuania/ permanent;
rewrite ^/job-seekers/?$ /job-seekers/temporary-employment-in-lithuania/ permanent;
rewrite ^/about-biuro/?$ /about-biuro/staffing-agency-in-lithuania/ permanent;
rewrite ^/home/?$ / permanent;
rewrite ^/contacts/?$ /contacts/job-seekers/ permanent;
rewrite ^/rabotnikam/?$ /rabotnikam/vremennoe-trudoustrojstvo-v-litve/ permanent;
rewrite ^/o-biuro/?$ /o-biuro/agenstvo-po-naemu-personala-v-litve/ permanent;
rewrite ^/kontakty/?$ /kontakty/rabotnikam/ permanent;
rewrite ^/rabotodatelyam/?$ /rabotodatelyam/vremennye-rabochie-v-litve/ permanent;
rewrite ^/kontaktanagaben/?$ /kontaktanagaben/personalo-nuomai-de-DE/ permanent;
rewrite ^/fuer-arbeitnehmer/?$ /fuer-arbeitnehmer/befristete-beschaeftigung/ permanent;
rewrite ^/fuer-arbeitgeber/?$ /fuer-arbeitgeber/befristete-beschaeftigung/ permanent;
rewrite ^/ueber-biuro/?$ /ueber-biuro/ueber-die-arbeitsvermittlungsagentur/ permanent;
rewrite ^/assets/(.*)CODE-OF-CONDUCT-LT.pdf$ /wp-content/uploads/2018/10/CODE-OF-CONDUCT-LT.pdf permanent;
rewrite ^/assets/(.*)CODE-OF-CONDUCT-EN.pdf$ /wp-content/uploads/2018/10/CODE-OF-CONDUCT-EN.pdf permanent;
# ----------------------------------------------------------------------
# 301 biuro.lv redirects
# ----------------------------------------------------------------------
# rewrite ^/darba-piedavajumi$ / permanent;
# rewrite ^/darba-piedavajumi/(.*)$ /? permanent;
# Biuro SEO issues
# https://docs.google.com/spreadsheets/d/1dXP0dh_v2sFajrcwR2_9HONMadCdZQW4Y2dVXvhxG3E/edit?ts=5b5eaa6b#gid=0
#
rewrite ^/darba-devejiem/vasaras-darbu-banka/?$ /darba-devejiem/pagaidu-nodarbinatiba/ permanent;
# Intertnal ex 302
rewrite ^/darba-mekletajiem/?$ /darba-mekletajiem/pagaidu-darbs/ permanent;
rewrite ^/about-biuro/?$ /about-biuro/staffing-agency-in-latvia/ permanent;
rewrite ^/contacts/?$ /contacts/job-seekers/ permanent;
rewrite ^/rabotnikam/?$ /rabotnikam/vremennoe-trudoustrojstvo-v-latvii/ permanent;
rewrite ^/kontakty/?$ /kontakty/rabotnikam/ permanent;
rewrite ^/par-biuro/?$ /par-biuro/par-mums/ permanent;
rewrite ^/employers/?$ /employers/temporary-employees-in-latvia/ permanent;
rewrite ^/darba-devejiem/?$ /darba-devejiem/pagaidu-nodarbinatiba/ permanent;
rewrite ^/rabotodatelyam/?$ /rabotodatelyam/vremennye-rabochie-v-latvii/ permanent;
rewrite ^/o-biuro/?$ /o-biuro/agenstvo-po-naemu-personala-v-latvii/ permanent;
rewrite ^/home/?$ / permanent;
rewrite ^/kontakti/?$ /kontakti/darba-mekletajiem/ permanent;
rewrite ^/job-seekers/?$ /job-seekers/temporary-job-in-latvia/ permanent;
server {
listen 80;
listen [::]:80;
server_name dev.biuro.lt dev.biuro.lv dev.biuro.ee;
location ^~ /.well-known {
allow all;
default_type "text/plain";
root /data/letsencrypt/;
}
location / {
rewrite ^ https://$host$request_uri? permanent;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dev.biuro.lt;
include /etc/nginx/conf.d/server-shared.conf;
ssl_certificate /etc/letsencrypt/biuro.lt/certificate.crt;
ssl_certificate_key /etc/letsencrypt/biuro.lt/private.key;
ssl_trusted_certificate /etc/letsencrypt/biuro.lt/ca_bundle.crt;
# 301 redirects
include redirects/biuro.lt.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dev.biuro.lv;
include /etc/nginx/conf.d/server-shared.conf;
ssl_certificate /etc/letsencrypt/biuro.lv/certificate.pem;
ssl_certificate_key /etc/letsencrypt/biuro.lv/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/biuro.lv/ca-bundle.pem;
# 301 redirects
include redirects/biuro.lv.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dev.biuro.ee;
include /etc/nginx/conf.d/server-shared.conf;
ssl_certificate /etc/letsencrypt/biuro.ee/certificate.pem;
ssl_certificate_key /etc/letsencrypt/biuro.ee/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/biuro.ee/ca-bundle.pem;
# 301 redirects
include redirects/biuro.ee.conf;
}
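Review bot: None of the three `listen 443 ssl http2` server blocks sets `ssl_protocols`, `ssl_ciphers` or `ssl_stapling`, and the `server-shared.conf` content shown on this page does not either. Unless `nginx.conf` or another include outside this view sets them, nginx falls back to its built-in defaults, which for releases of the 1.15 era still include TLSv1 and TLSv1.1. It is worth stating the policy explicitly in the shared include, e.g. `ssl_protocols TLSv1.2 TLSv1.3;`. It is also worth confirming that `ssl_trusted_certificate` is paired with `ssl_stapling on; ssl_stapling_verify on;`, since no stapling directive is visible in these blocks.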
include h5bp/internet_explorer/x-ua-compatible.conf;
include h5bp/security/content-security-policy.conf;
include h5bp/security/referrer-policy.conf;
include h5bp/security/strict-transport-security.conf;
include h5bp/security/x-content-type-options.conf;
include h5bp/security/x-frame-options.conf;
include h5bp/security/x-xss-protection.conf;
include h5bp/location/security_file_access.conf;
include h5bp/location/web_performance_cache_expiration.conf;
include h5bp/web_performance/no-transform.conf;
include h5bp/cross-origin/requests.conf;
root /var/www/html;
index index.php;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
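Review bot: The shared `location ~ \.php$` block passes every existing `.php` file under `/var/www/html` to `wordpress:9000`, including any file that ends up in the uploads directory. `try_files $uri =404` rejects requests for scripts that do not exist, but a WordPress site normally also refuses PHP execution under uploads. Adding `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }` before this block would do that. Because the location regex ends in `\.php$`, the `fastcgi_split_path_info` and `PATH_INFO` lines can never receive a path-info suffix and could be removed.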
server {
listen 80;
listen [::]:80;
server_name dev.biuro.lt dev.biuro.lv dev.biuro.ee;
location ^~ /.well-known {
allow all;
default_type "text/plain";
root /data/letsencrypt/;
}
location / {
rewrite ^ https://$host$request_uri? permanent;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dev.biuro.lt;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
ssl_certificate /etc/letsencrypt/biuro.lt/certificate.crt;
ssl_certificate_key /etc/letsencrypt/biuro.lt/private.key;
ssl_trusted_certificate /etc/letsencrypt/biuro.lt/ca_bundle.crt;
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers EECDH+CHACHA20:EECDH+AES;
# # (1)
# ssl_ecdh_curve X25519;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# ssl_prefer_server_ciphers on;
# ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
root /var/www/html;
index index.php;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# 301 redirects
include /etc/nginx/conf.d/redirects/biuro.lt.conf;
#
gzip on;
gzip_comp_level 5;
gzip_min_length 1024;
gzip_proxied any;
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-javascript text/xml
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
application/xml+rss text/javascript
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component;
gzip_disable "MSIE [1-6]\.";
# brotli on;
# brotli_comp_level 6;
# brotli_types application/eot application/x-otf application/font application/x-perl application/font-sfnt application/x-ttf application/javascript
# font/eot application/json font/ttf application/opentype font/otf application/otf font/opentype application/pkcs7-mime image/svg+xml
# application/truetype text/css application/ttf text/csv application/vnd.ms-fontobject text/html application/xhtml+xml text/javascript
# application/xml text/js application/xml+rss text/plain application/x-font-opentype text/richtext application/x-font-truetype
# text/tab-separated-values application/x-font-ttf text/xml application/x-httpd-cgi text/x-script application/x-javascript
# text/x-component application/x-mpegurl text/x-java-source application/x-opentype
# ;
#
# Expire rules for static content
# https://serversforhackers.com/c/nginx-caching
# https://github.com/h5bp/server-configs-nginx
# cache.appcache, your document html and data
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires -1;
# access_log logs/static.log; # I don't usually include a static log
}
# Feed
location ~* \.(?:rss|atom)$ {
expires 1h;
add_header Cache-Control "public";
}
# Media: images, icons, video, audio, HTC
location ~* \.(?:webp|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires 6M;
access_log off;
add_header Cache-Control "public";
}
# CSS and Javascript
location ~* \.(?:css|js)$ {
expires 1y;
access_log off;
add_header Cache-Control "public";
}
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dev.biuro.lv;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
ssl_certificate /etc/letsencrypt/biuro.lv/certificate.pem;
ssl_certificate_key /etc/letsencrypt/biuro.lv/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/biuro.lv/ca-bundle.pem;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# ssl_prefer_server_ciphers on;
# ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
root /var/www/html;
index index.php;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# 301 redirects
include /etc/nginx/conf.d/redirects/biuro.lv.conf;
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_disable "MSIE [1-6]\.";
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dev.biuro.ee;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
ssl_certificate /etc/letsencrypt/biuro.ee/certificate.pem;
ssl_certificate_key /etc/letsencrypt/biuro.ee/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/biuro.ee/ca-bundle.pem;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# ssl_prefer_server_ciphers on;
# ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
root /var/www/html;
index index.php;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# 301 redirects
include /etc/nginx/conf.d/redirects/biuro.ee.conf;
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_disable "MSIE [1-6]\.";
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
# RewriteEngine On
# RewriteBase /
# RewriteRule ^index\.php$ - [L]
#
# # add a trailing slash to /wp-admin
# RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
#
# RewriteCond %{REQUEST_FILENAME} -f [OR]
# RewriteCond %{REQUEST_FILENAME} -d
# RewriteRule ^ - [L]
# RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
# RewriteRule ^(.*\.php)$ $1 [L]
# RewriteRule . index.php [L]
# Nginx Server Configs | MIT License
# https://github.com/h5bp/server-configs-nginx
include h5bp/internet_explorer/x-ua-compatible.conf;
include h5bp/security/content-security-policy.conf;
include h5bp/security/referrer-policy.conf;
include h5bp/security/x-content-type-options.conf;
include h5bp/security/x-frame-options.conf;
include h5bp/security/x-xss-protection.conf;
include h5bp/location/security_file_access.conf;
include h5bp/web_performance/no-transform.conf;
include h5bp/cross-origin/requests.conf;
# ----------------------------------------------------------------------
# | Cross-origin requests |
# ----------------------------------------------------------------------
# Allow cross-origin requests.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
# https://enable-cors.org/
# https://www.w3.org/TR/cors/
# (!) Do not use this without understanding the consequences.
# This will permit access from any other website.
#
# Instead of using this file, consider using a specific rule such as:
#
# Allow access based on [sub]domain:
# add_header Access-Control-Allow-Origin "subdomain.example.com";
add_header Access-Control-Allow-Origin $cors;
# ----------------------------------------------------------------------
# | Cross-origin resource timing |
# ----------------------------------------------------------------------
# Allow cross-origin access to the timing information for all resources.
#
# If a resource isn't served with a `Timing-Allow-Origin` header that
# would allow its timing information to be shared with the document,
# some of the attributes of the `PerformanceResourceTiming` object will
# be set to zero.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
# https://www.w3.org/TR/resource-timing/
# https://www.stevesouders.com/blog/2014/08/21/resource-timing-practical-tips/
add_header Timing-Allow-Origin "*";
# ----------------------------------------------------------------------
# | Custom error messages/pages |
# ----------------------------------------------------------------------
# Customize what Nginx returns to the client in case of an error.
#
# https://nginx.org/en/docs/http/ngx_http_core_module.html#error_page
error_page 404 /404.html;
# ----------------------------------------------------------------------
# | Document modes |
# ----------------------------------------------------------------------
# Force Internet Explorer 8/9/10 to render pages in the highest mode
# available in the various cases when it may not.
#
# https://hsivonen.fi/doctype/#ie8
#
# (!) Starting with Internet Explorer 11, document modes are deprecated.
# If your business still relies on older web apps and services that were
# designed for older versions of Internet Explorer, you might want to
# consider enabling `Enterprise Mode` throughout your company.
#
# https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
# https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/
# https://msdn.microsoft.com/en-us/library/ff955275.aspx
add_header X-UA-Compatible $x_ua_compatible;
# ----------------------------------------------------------------------
# | File access |
# ----------------------------------------------------------------------
# Block access to all hidden files and directories with the exception of
# the visible content from within the `/.well-known/` hidden directory.
#
# These types of files usually contain user preferences or the preserved
# state of an utility, and can include rather private places like, for
# example, the `.git` or `.svn` directories.
#
# The `/.well-known/` directory represents the standard (RFC 5785) path
# prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`,
# `/.well-known/keybase.txt`), and therefore, access to its visible
# content should not be blocked.
#
# https://www.mnot.net/blog/2010/04/07/well-known
# https://tools.ietf.org/html/rfc5785
location ~* /\.(?!well-known\/) {
deny all;
}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Block access to files that can expose sensitive information.
#
# By default, block access to backup and source files that may be
# left by some text editors and can pose a security risk when anyone
# has access to them.
#
# https://feross.org/cmsploit/
#
# (!) Update the `location` regular expression from below to
# include any files that might end up on your production server and
# can expose sensitive information about your website. These files may
# include: configuration files, files that contain metadata about the
# project (e.g.: project dependencies), build scripts, etc..
location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
deny all;
}
# ----------------------------------------------------------------------
# | Cache expiration |
# ----------------------------------------------------------------------
# Serve resources with far-future expiration date.
#
# (!) If you don't control versioning with filename-based
# cache busting, you should consider lowering the cache times
# to something like one week.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
# No default expire rule. This config mirrors that of apache as outlined in the
# html5-boilerplate .htaccess file. However, nginx applies rules by location,
# the apache rules are defined by type. A consequence of this difference is that
# if you use no file extension in the url and serve html, with apache you get an
# expire time of 0s, with nginx you'd get an expire header of one month in the
# future (if the default expire rule is 1 month). Therefore, do not use a
# default expire rule with nginx unless your site is completely static
# Documents
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires 0;
}
# Feeds
location ~* \.(?:rss|atom)$ {
expires 1h;
}
# Media files
location ~* \.(?:webp|jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
access_log off;
expires 1M;
}
# Media: svgz files are already compressed.
location ~* \.svgz$ {
access_log off;
gzip off;
expires 1M;
}
# CSS and JavaScript
location ~* \.(?:css|js)$ {
expires 1y;
access_log off;
}
# Web fonts
# If you are NOT using cross-domain-fonts.conf, uncomment the following directive
location ~* \.(?:eot|otf|tt[cf]|woff2?)$ {
expires 1M;
access_log off;
}
# ----------------------------------------------------------------------
# | Filename-based cache busting |
# ----------------------------------------------------------------------
# If you're not using a build process to manage your filename version
# revving, you might want to consider enabling the following directives
#
# To understand why this is important and even a better solution than
# using something like `*.css?v231`, please see:
# https://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
location ~* (.+)\.(?:\w+)\.(bmp|css|cur|gif|ico|jpe?g|m?js|png|svgz?|webp|webmanifest)$ {
try_files $uri $1.$2;
}
# ----------------------------------------------------------------------
# | Character encodings |
# ----------------------------------------------------------------------
# Serve all resources labeled as `text/html` or `text/plain`
# with the media type `charset` parameter set to `UTF-8`.
#
# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset
charset utf-8;
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Update charset_types to match updated mime.types.
# text/html is always included by charset module.
# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
#
# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset_types
charset_types
text/css
text/plain
text/vnd.wap.wml
text/javascript
text/markdown
text/calendar
text/x-component
text/vcard
text/cache-manifest
text/vtt
application/json
application/manifest+json;
# ----------------------------------------------------------------------
# | Media types |
# ----------------------------------------------------------------------
# Serve resources with the proper media types (f.k.a. MIME types).
#
# https://www.iana.org/assignments/media-types/media-types.xhtml
# https://nginx.org/en/docs/http/ngx_http_core_module.html#types
include mime.types;
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Default: text/plain
#
# https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type
default_type application/octet-stream;
# ----------------------------------------------------------------------
# | Content Security Policy (CSP) |
# ----------------------------------------------------------------------
# Mitigate the risk of cross-site scripting and other content-injection
# attacks.
#
# This can be done by setting a `Content Security Policy` which
# whitelists trusted sources of content for your website.
#
# The example header below allows ONLY scripts that are loaded from
# the current website's origin (no inline scripts, no CDN, etc).
# That almost certainly won't work as-is for your website!
#
# To make things easier, you can use an online CSP header generator
# such as: https://www.cspisawesome.com/.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://www.w3.org/TR/CSP3/
# https://content-security-policy.com/
# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
add_header Content-Security-Policy $content_security_policy always;
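Review bot: The `add_header` on the last line of this file only reaches a response when the context that serves it declares no `add_header` of its own, because nginx inherits these directives from the enclosing level only if the current level has none. The same holds for the Referrer-Policy, HSTS, X-Content-Type-Options, X-Frame-Options and X-XSS-Protection files that follow. The Content transformation section's `add_header Cache-Control "no-transform";` would displace all of them if it is included at a deeper level. Where these files are included is not visible in this part of the commit, so a comment such as `# must be included at every level that sets its own add_header` would help, along with checking the headers on a real response.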
# ----------------------------------------------------------------------
# | Referrer Policy |
# ----------------------------------------------------------------------
# A web application uses HTTPS and a URL-based session identifier.
# The web application might wish to link to HTTPS resources on other
# web sites without leaking the user's session identifier in the URL.
#
# This can be done by setting a `Referrer Policy` which
# whitelists trusted sources of content for your website.
#
# To check your referrer policy, you can use an online service
# such as: https://securityheaders.io/.
#
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
add_header Referrer-Policy $referrer_policy always;
# ----------------------------------------------------------------------
# | Server software information |
# ----------------------------------------------------------------------
# Prevent Nginx from sending in the `Server` response header its
# exact version number.
#
# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
server_tokens off;
# ----------------------------------------------------------------------
# | HTTP Strict Transport Security (HSTS) |
# ----------------------------------------------------------------------
# Force client-side SSL redirection.
#
# If a user types `example.com` in their browser, even if the server
# redirects them to the secure version of the website, that still leaves
# a window of opportunity (the initial HTTP connection) for an attacker
# to downgrade or redirect the request.
#
# The following header ensures that browser will ONLY connect to your
# server via HTTPS, regardless of what the users type in the browser's
# address bar.
#
# (!) Be aware that this, once published, is not revokable and you must ensure
# being able to serve the site via SSL for the duration you've specified
# in max-age. When you don't have a valid SSL connection (anymore) your
# visitors will see a nasty error message even when attempting to connect
# via simple HTTP.
#
# (!) Remove the `includeSubDomains` optional directive if the website's
# subdomains are not using HTTPS.
#
# (1) If you want to submit your site for HSTS preload (2) you must
# * ensure the `includeSubDomains` directive to be present
# * the `preload` directive to be specified
# * the `max-age` to be at least 31536000 seconds (1 year) according to the current status.
#
# It is also advised (3) to only serve the HSTS header via a secure connection.
#
# (2) https://hstspreload.org/
# (3) https://tools.ietf.org/html/rfc6797#section-7.2
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# https://tools.ietf.org/html/rfc6797#section-6.1
# https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
# https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/
add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;
# (1) or if HSTS preloading is desired (respect (2) for current requirements):
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# ----------------------------------------------------------------------
# | Reducing MIME type security risks |
# ----------------------------------------------------------------------
# Prevent some browsers from MIME-sniffing the response.
#
# This reduces exposure to drive-by download attacks and cross-origin
# data leaks, and should be left uncommented, especially if the server
# is serving user-uploaded content or content that could potentially be
# treated as executable by the browser.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/
# https://mimesniff.spec.whatwg.org/
add_header X-Content-Type-Options nosniff always;
# ----------------------------------------------------------------------
# | Clickjacking |
# ----------------------------------------------------------------------
# Protect website against clickjacking.
#
# The example below sends the `X-Frame-Options` response header with
# the value `DENY`, informing browsers not to display the content of
# the web page in any frame.
#
# This might not be the best setting for everyone. You should read
# about the other two possible values the `X-Frame-Options` header
# field can have: `SAMEORIGIN` and `ALLOW-FROM`.
# https://tools.ietf.org/html/rfc7034#section-2.1.
#
# Keep in mind that while you could send the `X-Frame-Options` header
# for all of your website’s pages, this has the potential downside that
# it forbids even non-malicious framing of your content (e.g.: when
# users visit your website using a Google Image Search results page).
#
# Nonetheless, you should ensure that you send the `X-Frame-Options`
# header for all pages that allow a user to make a state changing
# operation (e.g: pages that contain one-click purchase links, checkout
# or bank-transfer confirmation pages, pages that make permanent
# configuration changes, etc.).
#
# Sending the `X-Frame-Options` header can also protect your website
# against more than just clickjacking attacks:
# https://cure53.de/xfo-clickjacking.pdf.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# https://tools.ietf.org/html/rfc7034
# https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
# https://www.owasp.org/index.php/Clickjacking
add_header X-Frame-Options $x_frame_options always;
# ----------------------------------------------------------------------
# | Reflected Cross-Site Scripting (XSS) attacks |
# ----------------------------------------------------------------------
# (1) Try to re-enable the cross-site scripting (XSS) filter built
# into most web browsers.
#
# The filter is usually enabled by default, but in some cases it
# may be disabled by the user. However, in Internet Explorer for
# example, it can be re-enabled just by sending the
# `X-XSS-Protection` header with the value of `1`.
#
# (2) Prevent web browsers from rendering the web page if a potential
# reflected (a.k.a non-persistent) XSS attack is detected by the
# filter.
#
# By default, if the filter is enabled and browsers detect a
# reflected XSS attack, they will attempt to block the attack
# by making the smallest possible modifications to the returned
# web page.
#
# Unfortunately, in some browsers (e.g.: Internet Explorer),
# this default behavior may allow the XSS filter to be exploited,
# thereby, it's better to inform browsers to prevent the rendering
# of the page altogether, instead of attempting to modify it.
#
# https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
#
# (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that
# you are taking all possible measures to prevent XSS attacks, the
# most obvious being: validating and sanitizing your website's inputs.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/
# https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
add_header X-XSS-Protection $x_xss_protection always;
# ----------------------------------------------------------------------
# | Certificate files |
# ----------------------------------------------------------------------
# This default SSL certificate will be served whenever the client lacks
# support for SNI (Server Name Indication).
# Make it a symlink to the most important certificate you have, so that
# users of IE 8 and below on WinXP can see your main site without SSL errors.
#
# (1) Certificate and key files location
# The certificate file can contain intermediate certificate.
#
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
#
# (2) Intermediate certificate location if loaded certificate (1) does not
# contain intermediate certificate when enabling OCSP stanpling.
#
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
#
# (3) CA certificate file location for client certificate authentication
#
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate
# (1)
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
# (2)
# ssl_trusted_certificate /path/to/ca.crt;
# (3)
# ssl_client_certificate /etc/nginx/default_ssl.crt;
# ----------------------------------------------------------------------
# | Online Certificate Status Protocol stapling |
# ----------------------------------------------------------------------
# OCSP is a lightweight, only one record to help clients verify the
# validity of the server certificate.
# OCSP stapling allow the server to send its cached OCSP record during
# the TLS handshake, whithout the need of 3rd party OCSP responder.
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
# https://tools.ietf.org/html/rfc6066#section-8
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 216.146.35.35 216.146.36.36 valid=60s;
resolver_timeout 2s;
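Review bot: `ssl_stapling_verify on` expects the issuer chain to be configured as trusted, but `ssl_trusted_certificate` is left commented out in the Certificate files section. Verification can therefore only succeed if `default.crt` already carries the intermediate, which cannot be confirmed from here. The `resolver` line also sends nginx's lookups to public servers over plain DNS, whereas the nginx documentation recommends resolvers on a trusted local network to limit spoofing. A resolver inside the deployment's own network would be the safer choice, e.g. `resolver <trusted-resolver-ip> valid=60s;` (placeholder address).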
# ----------------------------------------------------------------------
# | SSL policy - Deprecated |
# ----------------------------------------------------------------------
# For services that don't need compatibility with legacy clients
# (mostly WinXP), but still need to support a wide range of clients,
# this configuration is recommended.
#
# Protect against the BEAST and POODLE attacks by not using SSLv3 at all.
# If you need to support older browsers (IE6) you may need to add
# SSLv3 to the list of protocols.
#
# Based on intermediate profile recommended by Mozilla.
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
#
# (1) Diffie-Hellman parameter for DHE cipher suites
# A 4096 bits or more DH parameter is recommended.
# (!) A DH parameter generation is required to enable this directive.
# openssl dhparam -out /etc/nginx/dhparam.pem 4096
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA;
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
# (1)
# ssl_dhparam /etc/nginx/dhparam.pem;
# ----------------------------------------------------------------------
# | SSL policy - Intermediate |
# ----------------------------------------------------------------------
# For services that don't need backward compatibility, the parameters
# below provide a higher level of security.
#
# (!) This policy enfore a strong SSL configuration, which may raise
# errors with old clients.
# If a more compatible profile is required, use intermediate policy.
#
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known
# to be weak and potentially vulnerable but are required to support
# Microsoft Edge and Safari.
# https://safecurves.cr.yp.to/
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
# (1)
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
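Review bot: `ssl_ciphers EECDH+CHACHA20:EECDH+AES;` also admits the CBC-mode AES suites for TLS 1.2, because `EECDH+AES` matches every ECDHE suite that uses AES, not only the GCM ones. The same line appears in the Modern policy below, which is the one nginx.conf includes. If only AEAD suites are intended, as the comment's "higher level of security" suggests, the line could read `ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM;`. The comment here also names the "intermediate policy" as the more compatible alternative although this file is the Intermediate one; it presumably means the Deprecated profile above.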
# ----------------------------------------------------------------------
# | SSL policy - Modern |
# ----------------------------------------------------------------------
# For services that want to be on the bleeding edge, the parameters
# below sacrifice compatibility for the highest level of security & performance
#
# (!) TLSv1.3 and it's 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1
# to be installed.
#
# (!) Don't enable `ssl_early_data` blindly! Requests sent within early data are
# subject to replay attacks.
#
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
# and potentially vulnerable.
#
# Add them back to the parameter `ssl_ecdh_curve` below to support
# Microsoft Edge and Safari.
#
# https://safecurves.cr.yp.to/
#
# (2) Enables TLS 1.3 0-RTT, allows for faster resumption of TLS sessions.
#
# (!) Requests sent within early data are subject to replay attacks.
# To protect against such attacks at the application layer, the
# $ssl_early_data variable should be used:
# proxy_set_header Early-Data $ssl_early_data;
#
# The application should return response code 425 for anything that
# could contain user supplied data.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425
#
# https://github.com/certbot/certbot/issues/6367
# https://github.com/mozilla/server-side-tls/issues/217
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
# (1)
ssl_ecdh_curve X25519;
# (2)
#ssl_early_data on;
# ----------------------------------------------------------------------
# | SSL engine |
# ----------------------------------------------------------------------
# (1) Optimize SSL by caching session parameters for 10 minutes.
# This cuts down on the number of expensive SSL handshakes.
# By enabling a cache, we tell the client to re-use the already
# negotiated state.
# A 1Mb cache can hold about 4000 sessions, so we can hold 40000 sessions.
#
# (2) Use a higher keepalive timeout to reduce the need for repeated handshakes
# (!) Shouldn't be done unless you serve primarily HTTPS.
# Default is 75s
#
# (3) SSL buffer size
# Set 1400 bytes to fit in one MTU
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
#
# (4) Disable session tickets
# Session tickets keys are not auto-rotated. Only a HUP / restart
# will do so and when a restart is performed the previous key is
# lost, which resets all previous sessions.
# Only enable session tickets if you setup a manual rotation mechanism.
# https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
#
# (5) Basic security improvements
# (1)
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 24h;
# (2)
keepalive_timeout 300s;
# (3)
# ssl_buffer_size 1400;
# (4)
ssl_session_tickets off;
# (5)
ssl_prefer_server_ciphers on;
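Review bot: Comment (1) says session parameters are cached for 10 minutes, but the directives set `ssl_session_timeout 24h;`, and the `10m` in `ssl_session_cache shared:SSL:10m;` is the cache size, as the 40000-sessions remark implies. A cached session can therefore be resumed for a full day, which lengthens the time its keys stay in server memory. Either the comment should state the real lifetime, e.g. `# (1) Cache session parameters for 24 hours in a 10 MB shared cache.`, or the timeout should be lowered if a shorter window was intended.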
# ----------------------------------------------------------------------
# | Cache file-descriptors |
# ----------------------------------------------------------------------
# This tells nginx to cache open file handles, "not found" errors and
# metadata about files and their permissions.
#
# Based on these cached metadata, nginx can immediately begin sending
# data when a popular file is requested, and will also know to
# immediately send a 404 if a file is missing on disk, and so on.
#
# (!) It also means that the server won't react immediately to changes
# on disk, which may be undesirable.
# As only metadata are cached, edited files may be troncated until
# the cache is refreshed.
# https://github.com/h5bp/server-configs-nginx/issues/203
#
# In the below configuration, inactive files are released from the cache
# after 20 seconds, whereas active (recently requested) files are
# re-validated every 30 seconds.
# Descriptors will not be cached unless they are used at least 2 times
# within 20 seconds (the inactive time).
# A maximum of the 1000 most recently used file descriptors can be
# cached at any time.
#
# Production servers with stable file collections will definitely want
# to enable the cache.
#
# https://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# ----------------------------------------------------------------------
# | Cache expiration |
# ----------------------------------------------------------------------
# Serve resources with far-future expiration date.
#
# (!) If you don't control versioning with filename-based
# cache busting, you should consider lowering the cache times
# to something like one week.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
map $sent_http_content_type $expires {
default 1M;
# CSS
text/css 1y;
# Data interchange
application/atom+xml 1h;
application/rdf+xml 1h;
application/rss+xml 1h;
application/json 0;
application/ld+json 0;
application/schema+json 0;
application/geo+json 0;
application/xml 0;
text/calendar 0;
text/xml 0;
# Favicon (cannot be renamed!) and cursor images
image/vnd.microsoft.icon 1w;
image/x-icon 1w;
# HTML
text/html 0;
# JavaScript
application/javascript 1y;
application/x-javascript 1y;
text/javascript 1y;
# Manifest files
application/manifest+json 1w;
application/x-web-app-manifest+json 0;
text/cache-manifest 0;
# Markdown
text/markdown 0;
# Media files
audio/ogg 1M;
image/bmp 1M;
image/gif 1M;
image/jpeg 1M;
image/png 1M;
image/svg+xml 1M;
image/webp 1M;
video/mp4 1M;
video/ogg 1M;
video/webm 1M;
# WebAssembly
application/wasm 1y;
# Web fonts
font/collection 1M;
application/vnd.ms-fontobject 1M;
font/eot 1M;
font/opentype 1M;
font/otf 1M;
application/x-font-ttf 1M;
font/ttf 1M;
application/font-woff 1M;
application/x-font-woff 1M;
font/woff 1M;
application/font-woff2 1M;
font/woff2 1M;
# Other
text/x-cross-domain-policy 1w;
}
expires $expires;
# ----------------------------------------------------------------------
# | Compression brotli |
# ----------------------------------------------------------------------
brotli on;
brotli_comp_level 6;
brotli_types application/eot application/x-otf application/font application/x-perl application/font-sfnt application/x-ttf application/javascript
font/eot application/json font/ttf application/opentype font/otf application/otf font/opentype application/pkcs7-mime image/svg+xml
application/truetype text/css application/ttf text/csv application/vnd.ms-fontobject application/xhtml+xml text/javascript
application/xml text/js application/xml+rss text/plain application/x-font-opentype text/richtext application/x-font-truetype
text/tab-separated-values application/x-font-ttf text/xml application/x-httpd-cgi text/x-script application/x-javascript
text/x-component application/x-mpegurl text/x-java-source application/x-opentype
;
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about
# 75% reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 5;
# Don't compress anything that's already small and unlikely to shrink much
# if at all (the default is 20 bytes, which is bad as that usually leads to
# larger files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# text/html is always compressed by gzip module.
# Default: text/html
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/geo+json
application/vnd.ms-fontobject
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
application/rdf+xml
font/otf
application/wasm
image/bmp
image/svg+xml
text/cache-manifest
text/css
text/javascript
text/plain
text/markdown
text/vcard
text/calendar
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
# This should be turned on if you are going to have pre-compressed copies (.gz) of
# static files available. If not it should be left off as it will cause extra I/O
# for the check. It is best if you enable this in a location{} block for
# a specific directory, or on an individual server{} level.
# gzip_static on;
# ----------------------------------------------------------------------
# | Content transformation |
# ----------------------------------------------------------------------
# Prevent intermediate caches or proxies (e.g.: such as the ones
# used by mobile network providers) from modifying the website's
# content.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
# https://tools.ietf.org/html/rfc2616#section-14.9.5
#
# (!) If you are using `ngx_pagespeed`, please note that setting
# the `Cache-Control: no-transform` response header will prevent
# `PageSpeed` from rewriting `HTML` files, and, if the
# `pagespeed DisableRewriteOnNoTransform off` directive isn't used,
# also from rewriting other resources.
#
# https://developers.google.com/speed/pagespeed/module/configuration#notransform
add_header Cache-Control "no-transform";
types {
# Data interchange
application/atom+xml atom;
application/json json map topojson;
application/ld+json jsonld;
application/rss+xml rss;
# Normalize to standard type.
# https://tools.ietf.org/html/rfc7946#section-12
application/geo+json geojson;
application/xml xml;
# Normalize to standard type.
# https://tools.ietf.org/html/rfc3870#section-2
application/rdf+xml rdf;
# JavaScript
# Servers should use text/javascript for JavaScript resources.
# https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
text/javascript js mjs;
application/wasm wasm;
# Manifest files
application/manifest+json webmanifest;
application/x-web-app-manifest+json webapp;
text/cache-manifest appcache;
# Media files
audio/midi mid midi kar;
audio/mp4 aac f4a f4b m4a;
audio/mpeg mp3;
audio/ogg oga ogg opus;
audio/x-realaudio ra;
audio/x-wav wav;
audio/x-matroska mka;
image/bmp bmp;
image/gif gif;
image/jpeg jpeg jpg;
image/jxr jxr hdp wdp;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-jng jng;
video/3gpp 3gp 3gpp;
video/mp4 f4p f4v m4v mp4;
video/mpeg mpeg mpg;
video/ogg ogv;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-mng mng;
video/x-ms-asf asf asx;
video/x-ms-wmv wmv;
video/x-msvideo avi;
video/x-matroska mkv mk3d;
# Serving `.ico` image files with a different media type
# prevents Internet Explorer from displaying then as images:
# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
image/x-icon cur ico;
# Microsoft Office
application/msword doc;
application/vnd.ms-excel xls;
application/vnd.ms-powerpoint ppt;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
# Web fonts
font/woff woff;
font/woff2 woff2;
application/vnd.ms-fontobject eot;
font/ttf ttf;
font/collection ttc;
font/otf otf;
# Other
application/java-archive ear jar war;
application/mac-binhex40 hqx;
application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz;
application/pdf pdf;
application/postscript ai eps ps;
application/rtf rtf;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-bb-appworld bbaw;
application/x-bittorrent torrent;
application/x-chrome-extension crx;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-opera-extension oex;
application/x-perl pl pm;
application/x-pilot pdb prc;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert crt der pem;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xslt+xml xsl;
application/zip zip;
text/css css;
text/csv csv;
text/html htm html shtml;
text/markdown md markdown;
text/mathml mml;
text/plain txt;
text/vcard vcard vcf;
text/calendar ics;
text/vnd.rim.location.xloc xloc;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/vtt vtt;
text/x-component htc;
}
# Configuration File - Nginx Server Configs
# https://nginx.org/en/docs/
# Run as a unique, less privileged user for security reasons.
# Default: nobody nobody
# https://nginx.org/en/docs/ngx_core_module.html#user
# https://en.wikipedia.org/wiki/Principle_of_least_privilege
user nginx;
# Sets the worker threads to the number of CPU cores available in the system for best performance.
# Should be > the number of CPU cores.
# Maximum number of connections = worker_processes * worker_connections
# Default: 1
# https://nginx.org/en/docs/ngx_core_module.html#worker_processes
worker_processes auto;
# Maximum number of open files per worker process.
# Should be > worker_connections.
# Default: no limit
# https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
worker_rlimit_nofile 8192;
# Provides the configuration file context in which the directives
# that affect connection processing are specified.
# https://nginx.org/en/docs/ngx_core_module.html#events
events {
# If you need more connections than this, you start optimizing your OS.
# That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
# Should be < worker_rlimit_nofile.
# Default: 512
# https://nginx.org/en/docs/ngx_core_module.html#worker_connections
worker_connections 8000;
}
# Log errors and warnings to this file
# This is only used when you don't override it on a server{} level
# Default: logs/error.log error
# https://nginx.org/en/docs/ngx_core_module.html#error_log
error_log /var/log/nginx/error.log warn;
# The file storing the process ID of the main process
# Default: logs/nginx.pid
# https://nginx.org/en/docs/ngx_core_module.html#pid
pid /var/run/nginx.pid;
http {
# Hide nginx version information.
include h5bp/security/server_software_information.conf;
# Specify MIME types for files.
include h5bp/media_types/media_types.conf;
# Set character encodings.
include h5bp/media_types/character_encodings.conf;
# Include $http_x_forwarded_for within default format used in log files
# https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Log access to this file
# This is only used when you don't override it on a server{} level
# Default: logs/access.log combined
# https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log
access_log /var/log/nginx/access.log main;
# How long to allow each connection to stay idle.
# Longer values are better for each individual client, particularly for SSL,
# but means that worker connections are tied up longer.
# Default: 75s
# https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
# keepalive_timeout 20s;
# Speed up file transfers by using sendfile() to copy directly
# between descriptors rather than using read()/write().
# For performance reasons, on FreeBSD systems w/ ZFS
# this option should be disabled as ZFS's ARC caches
# frequently used files in RAM by default.
# Default: off
# https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile
sendfile on;
# Don't send out partial frames; this increases throughput
# since TCP frames are filled up before being sent out.
# Default: off
# https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush
tcp_nopush on;
# Enable gzip compression.
include h5bp/web_performance/compression.conf;
# Enable brotli compression.
include h5bp/web_performance/compression-brotli.conf;
# Specify file cache expiration.
include h5bp/web_performance/cache_expiration.conf;
# Add X-XSS-Protection for HTML documents.
# h5bp/security/x-xss-protection.conf
map $sent_http_content_type $x_xss_protection {
# (1) (2)
text/html "1; mode=block";
}
# Add X-Frame-Options for HTML documents.
# h5bp/security/x-frame-options.conf
map $sent_http_content_type $x_frame_options {
text/html DENY;
}
# Add Content-Security-Policy for HTML documents.
# h5bp/security/content-security-policy.conf
map $sent_http_content_type $content_security_policy {
text/html "script-src 'self'; object-src 'self'";
}
# Add Referrer-Policy for HTML documents.
# h5bp/security/referrer-policy.conf.conf
map $sent_http_content_type $referrer_policy {
text/html "no-referrer-when-downgrade";
}
# Add X-UA-Compatible for HTML documents.
# h5bp/internet_explorer/x-ua-compatible.conf
map $sent_http_content_type $x_ua_compatible {
text/html "IE=edge";
}
# Add Access-Control-Allow-Origin.
# h5bp/cross-origin/requests.conf
map $sent_http_content_type $cors {
# Images
image/bmp "*";
image/gif "*";
image/jpeg "*";
image/png "*";
image/svg+xml "*";
image/webp "*";
image/x-icon "*";
# Web fonts
font/collection "*";
application/vnd.ms-fontobject "*";
font/eot "*";
font/opentype "*";
font/otf "*";
application/x-font-ttf "*";
font/ttf "*";
application/font-woff "*";
application/x-font-woff "*";
font/woff "*";
application/font-woff2 "*";
font/woff2 "*";
}
# Include files in the conf.d folder.
# server{} configuration files should be placed in the conf.d folder.
# The configurations should be disabled by prefixing files with a dot.
include h5bp/ssl/ocsp_stapling.conf;
include h5bp/ssl/policy_modern.conf;
include h5bp/ssl/ssl_engine.conf;
include /etc/nginx/conf.d/dev-biuro.conf;
}
# user nginx;
# worker_processes 1;
# error_log /var/log/nginx/error.log warn;
# pid /var/run/nginx.pid;
# events {
# worker_connections 1024;
# }
# http {
# include /etc/nginx/mime.types;
# default_type application/octet-stream;
# log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
# access_log /var/log/nginx/access.log main;
# sendfile on;
# #tcp_nopush on;
# keepalive_timeout 65;
# gzip on;
# brotli on;
# ################################
# # DO WHATEVER YOU WANT HERE :) #
# ################################
# include /etc/nginx/conf.d/*.conf;
# }
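Review bot: The `$content_security_policy` map sets `object-src 'self'`, which still allows same-origin files to load as plugin content, and the policy has no `base-uri`. If uploads are served from the site's own origin, `"script-src 'self'; object-src 'none'; base-uri 'self'"` is the tighter value. The header is sent only where `h5bp/security/content-security-policy.conf` is included, which this file does not do, so the map may currently be unused. The comment above the final includes still describes a conf.d folder with dot-prefixed files, while the code includes three ssl files and the single `/etc/nginx/conf.d/dev-biuro.conf`. The fully commented-out former configuration at the end can be deleted, since version control keeps it.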
file_uploads = On
memory_limit = 64M
upload_max_filesize = 64M
post_max_size = 64M
max_execution_time = 600
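Review bot: `memory_limit = 64M` equals `post_max_size = 64M`, although the PHP manual advises that memory_limit should generally be larger than post_max_size, so a request near the limit can run out of memory while being handled. `upload_max_filesize` also equals `post_max_size`, which leaves no room for the other form fields of a maximum-size upload. The nginx.conf shown in this commit sets no `client_max_body_size` (default 1m), so unless dev-biuro.conf raises it these limits are never reached. `max_execution_time = 600` lets one request hold a PHP-FPM worker for ten minutes. Suggested: `memory_limit = 128M`, plus a comment saying why ten minutes is required.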
...@@ -34,17 +34,22 @@ const bundler = webpack(config); ...@@ -34,17 +34,22 @@ const bundler = webpack(config);
export function server () { export function server () {
bs.init({ bs.init({
logPrefix: 'Biuro', logPrefix: 'Biuro',
proxy: { socket: {
target: conf.proxy, domain: 'https://dev.biuro.lt:2000'
// proxyRes: [ // port: 443
// function (proxyRes, req, res) {
// // console.log(proxyRes.headers);
// console.log(req);
// }
// ],
ws: true
}, },
httpModule: http2, proxy: conf.proxy,
// proxy: {
// target: conf.proxy
// // proxyRes: [
// // function (proxyRes, req, res) {
// // // console.log(proxyRes.headers);
// // console.log(req);
// // }
// // ],
// // ws: true
// },
// httpModule: http2,
https: { https: {
key: conf.certs.key, key: conf.certs.key,
cert: conf.certs.cert cert: conf.certs.cert
......
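Review bot: The new `socket.domain` is the literal `'https://dev.biuro.lt:2000'`, while the proxy target and the TLS key and certificate in the same `bs.init` call are read from `conf`. Running this task against any other host therefore means editing the source, and the injected client keeps connecting to the dev host. I would read it from the config as well, e.g. `socket: { domain: conf.socketDomain },` with `socketDomain` as a new key in the config object. The commented-out `proxy` and `httpModule` blocks are better deleted than kept, since the history already preserves them. The `server` function continues past the end of this hunk.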
:root{--color--gray:#4d4d4d;--color--green:#006957;--typo--font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Light","Roboto","Oxygen","Ubuntu","Cantarell","Fira Sans","Droid Sans","Helvetica Neue",sans-serif;--typo--font-size:1.8rem;--typo--weight-slim:100;--typo--weight-regular:400;--typo--weight-bold:600;--typo--line-height:1.2;--typo--font-face:"PT Sans Narrow",sans-serif;--typo--font-face-additional:"Bebas Neue",sans-serif;--layout-width:63em}html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}html{-webkit-box-sizing:border-box;box-sizing:border-box}*,:after,:before{-webkit-box-sizing:inherit;box-sizing:inherit}a,body{color:#4d4d4d;color:var(--color--gray)}body{font-size:1.8rem;font-size:var(--typo--font-size);line-height:1.2;line-height:var(--typo--line-height)}html{min-height:100%;font-size:62.5%;-webkit-tap-highlight-color:rgba(0,0,0,0)}.l-content,.l-footer,.l-header,.l-inner{max-width:63em;max-width:var(--layout-width);margin-right:auto;margin-left:auto;padding-right:1em;padding-left:1em}.l-header{padding-top:15px;padding-bottom:15px}.o-nav{margin:0;padding:0;list-style:none}.c-cookies-warning{display:none}.c-data-controller{padding:0 1em;text-align:center;font-size:88%}.c-data-controller p{margin-bottom:0}.c-jobs-list{width:100%;margin:0 0 20px}.c-jobs-list--head{padding:10px}.c-jobs-list--col{padding:0 10px}.c-logo--svg{display:block}.c-nav--main{display:-webkit-box;display:-ms-flexbox;display:flex}.c-nav--sub,.u-hidden{display:none}@media (min-width:48em){:root{--typo--font-size:1.6rem;--typo--line-height:1.3}body{font-family:PT Sans Narrow,sans-serif;font-family:var(--typo--font-face)}.l-header{-webkit-box-align:center;-ms-flex-align:center;align-items:center}.l-content,.l-header{display:-webkit-box;display:-ms-flexbox;display:flex}.l-aside{-webkit-box-flex:0;-ms-flex:0 0 16.25em;flex:0 0 16.25em}.l-main,.l-nav{-webkit-box-flex:1;-ms-flex:1 1 100%;flex:1 1 100%}.c-nav--main{padding-left:2em}}@media 
(max-width:47.999em){body{font-family:-apple-system,BlinkMacSystemFont,Segoe UI Light,Roboto,Oxygen,Ubuntu,Cantarell,Fira Sans,Droid Sans,Helvetica Neue,sans-serif;font-family:var(--typo--font-family);letter-spacing:-.08rem}.c-nav--main{margin:20px 0}}@media (min-width:30em){.c-jobs-list--col{padding:10px}}@media (max-width:29.999em){.c-jobs-list--col-position{padding-top:10px}}
\ No newline at end of file
This diff is collapsed.
...@@ -39,20 +39,18 @@ qa-: Signify that a QA or Test Engineering team is running an automated UI test ...@@ -39,20 +39,18 @@ qa-: Signify that a QA or Test Engineering team is running an automated UI test
/* critical:end */ /* critical:end */
.tmp-contacts { .tmp-contacts {
img { display: none; } img { display: none; }
ul { padding-left: 5px } ul { padding-left: 5px }
} }
.c-logos { display: flex; flex-wrap: wrap; justify-content: space-between; .c-logos { display: flex; flex-wrap: wrap; justify-content: space-between;
div { flex: 0 0 21%; border: 1px solid gray; padding: 1em; margin-bottom: 1em; text-align: center; } div { flex: 0 0 21%; border: 1px solid gray; padding: 1em; margin-bottom: 1em; text-align: center; }
} }
.c-fixed-footer { .c-fixed-footer {
@media (--max--small) { @media (--max--small) {
position: fixed; left: 0; bottom: 0; width: 100%; background: rgba(255, 255, 255, .85); padding: 20px 20px 0; box-shadow: 0 -1px 1px 0 rgba(0, 0, 0, .45); position: fixed; left: 0; bottom: 0; width: 100%; background: rgba(255, 255, 255, .85); padding: 20px 20px 0; box-shadow: 0 -1px 1px 0 rgba(0, 0, 0, .45);
} }
} }
.biuro-ti-img { display: none; } .biuro-ti-img { display: none; }
This diff is collapsed.
...@@ -100,6 +100,6 @@ ...@@ -100,6 +100,6 @@
endif; endif;
?> ?>
<script src="/wp-content/themes/biuro/js/main.min.js" async></script> <script src="/wp-content/themes/biuro/js/main-2a9639b0.min.js" async></script>
</body> </body>
</html> </html>
...@@ -31,16 +31,16 @@ define('cityID', $cityID); ...@@ -31,16 +31,16 @@ define('cityID', $cityID);
get_template_part( 'template-parts/meta/canonical'); get_template_part( 'template-parts/meta/canonical');
?> ?>
<style><?php include 'css/core.min.css'; ?></style> <style><?php include 'css/core-a25434ed1d.min.css'; ?></style>
<link rel="preload" href="/wp-content/themes/biuro/css/main.min.css" as="style" onload="this.rel='stylesheet'"> <link rel="preload" href="/wp-content/themes/biuro/css/main-8c9c954583.min.css" as="style" onload="this.rel='stylesheet'">
<link rel="preload" href="/wp-content/themes/biuro/fonts/pt_sans_narrow.woff2" as="font" type="font/woff2" crossorigin> <link rel="preload" href="/wp-content/themes/biuro/fonts/pt_sans_narrow.woff2" as="font" type="font/woff2" crossorigin>
<link rel="preload" href="/wp-content/themes/biuro/fonts/pt_sans_narrow_bold.woff2" as="font" type="font/woff2" crossorigin> <link rel="preload" href="/wp-content/themes/biuro/fonts/pt_sans_narrow_bold.woff2" as="font" type="font/woff2" crossorigin>
<link rel="preload" href="/wp-content/themes/biuro/fonts/bebas-neue.woff2" as="font" type="font/woff2" crossorigin> <link rel="preload" href="/wp-content/themes/biuro/fonts/bebas-neue.woff2" as="font" type="font/woff2" crossorigin>
<noscript> <noscript>
<link rel="stylesheet" href="/wp-content/themes/biuro/css/main.min.css"> <link rel="stylesheet" href="/wp-content/themes/biuro/css/main-8c9c954583.min.css">
</noscript> </noscript>
<?php wp_head(); ?> <?php wp_head(); ?>
......
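Review bot: `<?php include 'css/core-a25434ed1d.min.css'; ?>` passes the stylesheet through the PHP parser, so a `<?php` or `<?=` sequence in the generated CSS would be executed rather than printed. The file is a build artifact that only needs to be emitted verbatim, so `<style><?php readfile( __DIR__ . '/css/core-a25434ed1d.min.css' ); ?></style>` is the safer form. The `__DIR__` prefix assumes the `css` directory sits next to this template, which the relative include suggests but the hunk does not show.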
This diff is collapsed.
...@@ -123,25 +123,13 @@ function initDivisionsMap (node, data) { ...@@ -123,25 +123,13 @@ function initDivisionsMap (node, data) {
setMarkers(map, divisions.filter((d) => { return d.lat && d.lng; })); setMarkers(map, divisions.filter((d) => { return d.lat && d.lng; }));
} }
const search = document.getElementById('search');
// console.error('Awesomplete');
// console.dir(Awesomplete);
const city = document.getElementById('search-city'); const city = document.getElementById('search-city');
const search = document.getElementById('search-query'); const query = document.getElementById('search-query');
const cityBox = new Awesomplete(city, { const cityBox = new Awesomplete(city, {
minChars: 0, minChars: 0,
sort: false, sort: false
// data: (item, input) => { // data: (item, input) => {
// console.error('----------'); // console.error('----------');
// console.dir(item); // console.dir(item);
...@@ -169,8 +157,6 @@ const cityBox = new Awesomplete(city, { ...@@ -169,8 +157,6 @@ const cityBox = new Awesomplete(city, {
// // } // // }
// // hidden.dispatchEvent(event); // // hidden.dispatchEvent(event);
// } // }
// }); // });
}); });
...@@ -179,115 +165,118 @@ city.addEventListener('focus', () => { ...@@ -179,115 +165,118 @@ city.addEventListener('focus', () => {
cityBox.evaluate(); cityBox.evaluate();
}); });
const searchBox = new Awesomplete(search, { const queryBox = new Awesomplete(query, {
minChars: 0, minChars: 0,
sort: false sort: false
}); });
search.addEventListener('focus', () => { query.addEventListener('focus', () => {
searchBox.evaluate(); queryBox.evaluate();
}); });
if (search) {
search.addEventListener('submit', (e) => {
if (!city.value && !query.value) {
city.focus();
e.preventDefault();
}
}, false);
}
// function initDatalist() {
// var nodes = document.querySelectorAll('.js-datalist, .js-datalist-ajax'),
// node,
// getHidden = function(node) {
// function initDatalist() { // return document.querySelector('[name="' + node.dataset.name + '"]');
// },
// var nodes = document.querySelectorAll('.js-datalist, .js-datalist-ajax'), // event = new Event('input', {
// node, // 'bubbles': true,
// getHidden = function(node) { // 'cancelable': true
// return document.querySelector('[name="' + node.dataset.name + '"]'); // });
// },
// event = new Event('input', { // for (var i = 0; i < nodes.length; i++) {
// 'bubbles': true, // node = nodes[i];
// 'cancelable': true
// }); // if (node.comboplete) {
// return;
// for (var i = 0; i < nodes.length; i++) { // }
// node = nodes[i];
// node.comboplete = new Awesomplete(node, {
// if (node.comboplete) { // minChars: 0,
// return; // maxItems: 50,
// } // replace: function(text) {
// node.comboplete = new Awesomplete(node, { // var hidden = getHidden(this.input);
// minChars: 0,
// maxItems: 50, // this.input.value = text.label;
// replace: function(text) {
// if (!hidden) {
// var hidden = getHidden(this.input); // return;
// }
// this.input.value = text.label;
// hidden.value = text.value;
// if (!hidden) {
// return; // if (hidden.classList.contains('js-trigger-datalist')) {
// } // hidden.dispatchEvent(new Event('change', {
// 'bubbles': true,
// hidden.value = text.value; // 'cancelable': true
// }));
// if (hidden.classList.contains('js-trigger-datalist')) { // }
// hidden.dispatchEvent(new Event('change', {
// 'bubbles': true, // hidden.dispatchEvent(event);
// 'cancelable': true
// }));
// } // }
// });
// hidden.dispatchEvent(event);
// node.addEventListener('click', function() {
// if (this.comboplete.ul.childNodes.length === 0 || !node.value) {
// } // this.comboplete.minChars = 0;
// }); // this.comboplete.evaluate();
// }
// node.addEventListener('click', function() { // else if (this.comboplete.ul.hasAttribute('hidden')) {
// if (this.comboplete.ul.childNodes.length === 0 || !node.value) { // this.comboplete.open();
// this.comboplete.minChars = 0; // }
// this.comboplete.evaluate(); // else {
// } // this.comboplete.close();
// else if (this.comboplete.ul.hasAttribute('hidden')) { // }
// this.comboplete.open(); // });
// }
// else { // node.addEventListener('keyup', function(e) {
// this.comboplete.close(); // var code = e.keyCode || 0;
// }
// }); // if (code === 13) {
// if (this.comboplete.ul.childNodes.length === 1) {
// node.addEventListener('keyup', function(e) { // this.comboplete.select(this.comboplete.ul.childNodes[0]);
// var code = e.keyCode || 0; // }
// }
// if (code === 13) { // });
// if (this.comboplete.ul.childNodes.length === 1) {
// this.comboplete.select(this.comboplete.ul.childNodes[0]); // node.addEventListener('input', function() {
// } // var value = this.value,
// } // exists = false,
// }); // hidden;
// node.addEventListener('input', function() { // this.comboplete.ul.childNodes.forEach(function(n) {
// var value = this.value, // if (n.innerText === value) {
// exists = false, // exists = true;
// hidden; // }
// });
// this.comboplete.ul.childNodes.forEach(function(n) {
// if (n.innerText === value) { // if (exists) {
// exists = true; // return;
// } // }
// });
// hidden = getHidden(this);
// if (exists) {
// return; // if (!hidden) {
// } // return;
// }
// hidden = getHidden(this);
// hidden.value = '';
// if (!hidden) {
// return; // hidden.dispatchEvent(event);
// } // })
// }
// hidden.value = ''; // }
// hidden.dispatchEvent(event);
// })
// }
// }
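Review bot: Only the new `search` lookup is guarded with `if (search)`; `city` and `query` come from `getElementById` too and are used unguarded in `new Awesomplete(city, …)`, `city.addEventListener('focus', …)` and `query.addEventListener('focus', …)`. On a page that does not render the search form, `city.addEventListener` throws a TypeError on `null` and the rest of the module stops running, assuming this script is loaded site-wide. I would wrap the whole search setup in one guard, `if (search && city && query) { … }`, so the autocomplete boxes and the submit handler are created together or not at all. The commented-out `initDatalist` block that this commit only re-indents could be removed in the same pass.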
This source diff could not be displayed because it is too large. You can view the blob instead.
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
<form class="c-search" action="<?php echo $searchPageURL; ?>" method="get"> <form class="c-search" action="<?php echo $searchPageURL; ?>" method="get">
*/ ?> */ ?>
<form class="c-search" action="<?php echo home_url(); ?>" method="get"> <form id="search" class="c-search" action="<?php echo home_url(); ?>" method="get">
<?php <?php
......
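Review bot: The changed `<form>` line prints `home_url()` into the `action` attribute without escaping. WordPress lets plugins filter that value, and the usual convention for URLs written into attributes is `esc_url()`, so I would write `action="<?php echo esc_url( home_url( '/' ) ); ?>"`. The form body continues outside this hunk, so whether the field values echoed inside it are escaped cannot be checked here.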
...@@ -44,15 +44,13 @@ wp plugin activate cookies-warning --network ...@@ -44,15 +44,13 @@ wp plugin activate cookies-warning --network
wp plugin activate data-controller --network wp plugin activate data-controller --network
# wp plugin activate jobs-importer # wp plugin activate jobs-importer
# Update translations
wp language core update
wp language plugin update --all
# WP themes # WP themes
wp theme update --all;
wp theme activate biuro wp theme activate biuro
wp theme delete twentynineteen # Update translations
wp theme delete twentyseventeen wp language core update
wp theme delete twentysixteen wp language theme update --all
wp language plugin update --all
echo "WP CLI done. Ready to use." echo "WP CLI done. Ready to use."
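Review bot: With the three `wp theme delete` lines removed, `twentynineteen`, `twentyseventeen` and `twentysixteen` stay installed next to the active `biuro` theme, if the base image ships them, which this hunk does not show. Inactive themes are still PHP files under `wp-content/themes`, so they have to be kept patched for as long as they exist; the new `wp theme update --all;` only covers that at provisioning time. If the deletes were dropped because they fail when a theme is already absent, `wp theme delete twentynineteen twentyseventeen twentysixteen || true` keeps the cleanup without aborting the script. The trailing `;` on `wp theme update --all;` is harmless but inconsistent with the other lines.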