chore: increment v_js_includes (#7029)
[openemr.git] / ci / nginx / nginx.conf
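# One worker process per available CPU core.
worker_processes  auto;
error_log  /var/log/nginx/error.log;

events {
    # Upper bound on simultaneous connections handled by each worker process.
    worker_connections  1024;
}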
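# start the http block
http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    server_names_hash_bucket_size 128;
    keepalive_timeout  65;

    gzip  off;
    #upstream php {
        #server unix:/var/run/php-fpm.sock;
    #}
    index  index.html index.htm index.php;

    # Certificate and key used by the 443 listener below.
    # NOTE(review): the paths are named "dummy", presumably a throwaway CI
    # certificate; replace both before serving real users.
    ssl_certificate      /etc/nginx/dummy-cert;
    ssl_certificate_key    /etc/nginx/dummy-key;

    #  http host for php 7.1 connect
    #  NOTE(review): this comment used to say the host "redirects to ssl only
    #  host below", but the block listens on both 80 and 443 and contains no
    #  redirect, so every request (including the Authorization header forwarded
    #  to PHP further down) is also accepted over plain HTTP. Outside CI, serve
    #  port 80 from a separate server block that only redirects to HTTPS.
    server {
        # Note that the different ports are used below to decide
        # which version of php-fpm to use
        # (both ports currently pass to the same upstream, openemr:9000)
        listen 80;
        listen 443 ssl;
        server_name  example.net www.example.net;
        root /usr/share/nginx/html/openemr;

        # deny access to writable files/directories
        # The site directory is matched with [^/]+. The previous pattern,
        # "^/sites/*/(...)", only repeated the slash after "sites", so a path
        # such as /sites/<site>/documents/... never matched and was not denied.
        # This block is declared before the static-asset regex location because
        # nginx uses the first regex location that matches, in file order;
        # placed after it, files ending in .jpg, .png, .js etc. inside these
        # directories would still be served.
        location ~* ^/sites/[^/]+/(documents|edi|era) {
            deny all;
        }

        ## redirect www to nowww
        #if ($host = 'www.example.net' ) {
            #rewrite  ^/(.*)$  https://example.net/$1  permanent;
        #}

        #access_log /var/log/*/example.net_access_log main;
        #error_log    /var/log/*/example.net_error_log notice;

        # openemr specific SSL settings, I am still working on this?
        #include openemr-ssl.conf;

        # restrict/protect certain files
        #include globals.conf;
        # globals.conf configuration file.
        # Designed to be included in any server {} block
        # If this server only hosts openemr, this file can be merged with openemr.conf

        # Stops the annoying error messages in the logs. robots are not allowed
        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt  {
            log_not_found off;
            access_log off;
        }

        # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
        # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
        location ~ /\. {
            deny all;
        }

        # protect or deny access to important server information and testing files
        # alternatively, you can deny access to all files using {deny all; return 404;} or remove them
        #location ~* /(info|test)\.php$ {
            #auth_basic "Restricted Access";
            #auth_basic_user_file /path/to/.htpasswd;
            #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            #fastcgi_pass dev-php-fpm-7-1:9000;
            #include fastcgi_params;
        #}

        # Not sure if openemr needs this. it comes from wordpress
        # Static assets: no access logging, far-future Expires header.
        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
            access_log off;
            log_not_found off;
            expires max;
        }

        ## Deny certain Referers
        if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) ) {
            #return 404;
            return 403;
        }

        # Stop deep linking or hot linking
        # NOTE(review): the allowed referers are example.com, while server_name
        # above is example.net; confirm which is intended. Also, files ending in
        # one of the static-asset extensions above are handled by that regex
        # location, not by this prefix location, so this check does not apply
        # to them.
        location /images/ {
            valid_referers none blocked www.example.com example.com;
            if ($invalid_referer) {
                return   403;
            }
        }
        # end globals.conf configuration file.

        # NOTE(review): both blocks below are commented out, so the setup and
        # upgrade scripts they name are reachable without extra protection.
        # Enable one of them on any deployment that is not a disposable CI
        # instance.
        # Pick one of the following two blocks, but not both:
        # protect special files from outside openemr login, and restrict them to superAdmins only
        #location ~* ^/(admin|setup|acl_setup|acl_upgrade|sl_convert|sql_upgrade|gacl/setup|ippf_upgrade|sql_patch)\.php {
            #auth_basic                                 "Restricted Access";
            #auth_basic_user_file       /path/to/.htpasswd;
            #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            #fastcgi_pass dev-php-fpm-7-1:9000;
            #include fastcgi_params;
        #}

        # Alternatively all access to these files can be denied
        #location ~* ^/(admin|setup|acl_setup|acl_upgrade|sl_convert|sql_upgrade|gacl/setup|ippf_upgrade|sql_patch)\.php {
            #deny all;
            #return 404;
        #}

        # Route requests for paths that do not exist on disk to the front
        # controllers of the individual OpenEMR components.
        if (!-e $request_filename) {
            # Needed for zend to work
            rewrite ^(.*/zend_modules/public)(.*) $1/index.php?$is_args$args last;

            # Needed for patient portal to work
            rewrite ^(.*/portal/patient)(.*) $1/index.php?_REWRITE_COMMAND=$1$2 last;

            # Needed for REST API/FHIR to work
            rewrite ^(.*/apis/)(.*) $1/dispatch.php?_REWRITE_COMMAND=$2 last;

            # Needed for OAuth2 to work
            rewrite ^(.*/oauth2/)(.*) $1/authorize.php?_REWRITE_COMMAND=$2 last;
        }

        location / {
            # try as file ($uri), as directory ($uri/) if not found, send to index file
            # no php is touched for static content
            try_files $uri $uri/ /index.php;
        }

        # redirect server error pages to the static page /50x.html
        #error_page   500 502 503 504  /50x.html;
        #location = /50x.html {
            #root   /usr/local/www/nginx-dist;
        #}

        # pass the PHP scripts to the FastCGI server listening on unix socket, in this case php-fpm
        # NOTE this is using if statements to decide which version of php-fpm to use, which is
        #      dependent on the port of the server that is used
        location ~* \.php$ {
            # Only hand the request to PHP when the script exists on disk;
            # anything else is answered with 404 by nginx itself.
            try_files $uri =404;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

            # Added below buffers to fix an error that was happening in php 7.4 beta (guessing it is the standard error log with all the deprecated messages):
            #  "upstream sent too big header"
            fastcgi_buffers 16 16k;
            fastcgi_buffer_size 32k;

            # Added to support REST API/FHIR
            # Forwards the client's Authorization header to PHP.
            fastcgi_param HTTP_AUTHORIZATION $http_authorization;

            if ($server_port = 80) {
                fastcgi_pass openemr:9000;
            }
            if ($server_port = 443) {
                fastcgi_pass openemr:9000;
            }
            include fastcgi_params;
        }
    }
} # end http block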