| blob | ce0098472f504b997dea26a0c96227806ec85274 |
1 worker_processes auto;
2 error_log /var/log/nginx/error.log;
3 events {
4 worker_connections 1024;
5 }
6 # start the http block
7 http {
8 include mime.types;
9 default_type application/octet-stream;
11 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
12 '$status $body_bytes_sent "$http_referer" '
13 '"$http_user_agent" "$http_x_forwarded_for"';
14 access_log /var/log/nginx/access.log main;
16 sendfile on;
17 #tcp_nopush on;
19 #keepalive_timeout 0;
20 server_names_hash_bucket_size 128;
21 keepalive_timeout 65;
23 gzip off;
24 #upstream php {
25 #server unix:/var/run/php-fpm.sock;
26 #}
27 index index.html index.htm index.php;
29 ssl_certificate /etc/nginx/dummy-cert;
30 ssl_certificate_key /etc/nginx/dummy-key;
32 # http host for php 7.1 connect
33 # redirects to ssl only host below
34 server {
35 # Note that the different ports are used below to decide
36 # which version of php-fpm to use
37 listen 80;
38 listen 81;
39 listen 82;
40 listen 83;
41 listen 443 ssl;
42 listen 444 ssl;
43 listen 445 ssl;
44 listen 446 ssl;
45 server_name example.net www.example.net;
46 root /usr/share/nginx/html/openemr;
48 ## redirect www to nowww
49 #if ($host = 'www.example.net' ) {
50 #rewrite ^/(.*)$ https://example.net/$1 permanent;
51 #}
53 #access_log /var/log/*/example.net_access_log main;
54 #error_log /var/log/*/example.net_error_log notice;
56 # openemr specific SSL settings, I am still working on this?
57 #include openemr-ssl.conf;
59 # restrict/protect certain files
60 #include globals.conf;
61 # globals.conf configuration file.
62 # Designed to be included in any server {} block
63 # If this server only hosts openemr, this file can be merged with openemr.conf
65 # Stops the annoying error messages in the logs. robots are not allowed
66 location = /favicon.ico {
67 log_not_found off;
68 access_log off;
69 }
71 location = /robots.txt {
72 log_not_found off;
73 access_log off;
74 }
76 # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
77 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
78 location ~ /\. {
79 deny all;
80 }
82 # protect or deny access to important server information and testing files
83 # alternatively, you can deny access to all files using {deny all; return 404;} or remove them
84 #location ~* /(info|test)\.php$ {
85 #auth_basic "Restricted Access";
86 #auth_basic_user_file /path/to/.htpasswd;
87 #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
88 #fastcgi_pass fastcgi_pass dev-php-fpm-7-1:9000;
89 #include fastcgi_params;
90 #}
92 # Not sure if openemr needs this. it comes from wordpress
93 location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
94 access_log off;
95 log_not_found off;
96 expires max;
97 }
99 ## Deny certain Referers
100 if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) ) {
101 #return 404;
102 return 403;
103 }
105 # Stop deep linking or hot linking
106 location /images/ {
107 valid_referers none blocked www.example.com example.com;
108 if ($invalid_referer) {
109 return 403;
110 }
111 }
112 # end globals.conf configuration file.
114 # deny access to writable files/directories
115 location ~* ^/sites/*/(documents|edi|era) {
116 deny all;
117 }
119 # Pick one of the following two blockc, but not both:
120 # protect special files from outside openemer login, and restrict them to superAdmins only
121 #location ~* ^/(admin|setup|acl_setup|acl_upgrade|sl_convert|sql_upgrade|gacl/setup|ippf_upgrade|sql_patch)\.php {
122 #auth_basic "Restricted Access";
123 #auth_basic_user_file /path/to/.htpasswd;
124 #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
125 #fastcgi_pass dev-php-fpm-7-1:9000;
126 #include fastcgi_params;
127 #}
129 # Alternatively all access to these files can be denied
130 #location ~* ^/(admin|setup|acl_setup|acl_upgrade|sl_convert|sql_upgrade|gacl/setup|ippf_upgrade|sql_patch)\.php {
131 #deny all;
132 #return 404;
133 #}
135 if (!-e $request_filename) {
136 # Needed for zend to work
137 rewrite ^(.*/zend_modules/public)(.*) $1/index.php?$is_args$args last;
139 # Needed for patient portal to work
140 rewrite ^(.*/portal/patient)(.*) $1/index.php?_REWRITE_COMMAND=$1$2 last;
141 }
143 location / {
144 # try as file ($uri), as directory ($uri/) if not found, send to index file
145 # no php is touched for static content
146 try_files $uri $uri/ /index.php;
147 }
149 # redirect server error pages to the static page /50x.html
150 #error_page 500 502 503 504 /50x.html;
151 #location = /50x.html {
152 #root /usr/local/www/nginx-dist;
153 #}
155 # pass the PHP scripts to the FastCGI server listening on unix socket, in this case php-fpm
156 # NOTE this is using if statements to decide which version of php-fpm to use, which is
157 # dependent on the port of the server that is used
158 location ~* \.php$ {
159 try_files $uri =404;
160 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
161 if ($server_port = 80) {
162 fastcgi_pass dev-php-fpm-7-1:9000;
163 }
164 if ($server_port = 443) {
165 fastcgi_pass dev-php-fpm-7-1:9000;
166 }
167 if ($server_port = 81) {
168 fastcgi_pass dev-php-fpm-7-2:9000;
169 }
170 if ($server_port = 444) {
171 fastcgi_pass dev-php-fpm-7-2:9000;
172 }
173 if ($server_port = 82) {
174 fastcgi_pass dev-php-fpm-7-1-redis:9000;
175 }
176 if ($server_port = 445) {
177 fastcgi_pass dev-php-fpm-7-1-redis:9000;
178 }
179 if ($server_port = 83) {
180 fastcgi_pass dev-php-fpm-7-2-redis:9000;
181 }
182 if ($server_port = 446) {
183 fastcgi_pass dev-php-fpm-7-2-redis:9000;
184 }
185 include fastcgi_params;
186 }
187 }
188 } # end http block