1 files changed, 73 insertions, 0 deletions

diff --git a/volumes/hubzilla/nginx.conf b/volumes/hubzilla/nginx.conf
new file mode 100644
index 0000000..0680a2b
--- /dev/null
+++ b/volumes/hubzilla/nginx.conf
@@ -0,0 +1,73 @@
+#
+# Hubzilla nginx configuration for sandcastles
+#
+# TLS is terminated by the traefik router, so we will only ever see http
+# trafic here.
+#
+
+server {
+  listen 80;
+  server_name hubzilla.castle;
+
+  index index.php;
+  charset utf-8;
+  root /var/www/html;
+
+  # allow uploads up to 20MB in size
+  client_max_body_size 20m;
+  client_body_buffer_size 128k;
+
+  include mime.types;
+
+  # rewrite to front controller as default rule
+  location / {
+    if (!-e $request_filename) {
+      rewrite ^(.*)$ /index.php?q=$1;
+    }
+  }
+
+  # make sure webfinger and other well known services aren't blocked
+  # by denying dot files and rewrite request to the front controller
+  location ^~ /.well-known/ {
+    allow all;
+    if (!-e $request_filename) {
+      rewrite ^(.*)$ /index.php?q=$1;
+    }
+  }
+
+  # block these file types
+  location ~* \.(tpl|md|tgz|log|out)$ {
+    deny all;
+  }
+
+  # pass the PHP scripts to the fpm container
+  location ~* \.php$ {
+    try_files $uri =404;
+
+    fastcgi_param HTTPS on;
+
+    # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+    fastcgi_pass hubzilla_fpm:9000;
+
+    include fastcgi_params;
+    fastcgi_index index.php;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+  }
+
+  # deny access to all dot files
+  location ~ /\. {
+    deny all;
+  }
+
+  #deny access to store
+  location ~ /store {
+        deny  all;
+  }
+
+  #deny access to util
+  location ~ /util {
+        deny  all;
+  }
+}