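# nginx vhost for LimeSurvey on survey.example.org: an HTTPS application server
# plus a plain-HTTP server that only redirects the canonical host to HTTPS.
server {
    #########################################################################
    # Basic vhost settings
    listen 443 ssl;
    http2 on;
    server_name survey.example.org;
    root /var/www/html/limesurvey;
    index index.php;
    charset utf-8;
    client_max_body_size 100M;

    #########################################################################
    # Redirect to index.php for limesurvey routing
    try_files $uri /index.php?$uri&$args;

    #########################################################################
    # Limesurvey specific access restrictions
    # Regex locations are tested in the order they appear and the first match
    # wins, so the deny rules must stay above the "\.php$" handler below.

    # Disallow reading inside php script directory, see issue with debug > 1 on note
    location ~ ^/(application|docs|framework|locale|protected|tests|themes/\w+/views) {
        deny all;
    }

    # Deny all attempts to access hidden files
    location ~ /\. {
        deny all;
    }

    # Disallow direct read user upload files
    location ~ ^/upload/surveys/.*/fu_[a-z0-9]*$ {
        return 444;
    }

    # Disallow uploaded potential executable files in upload directory
    location ~* /upload/.*\.(pl|cgi|py|pyc|pyo|phtml|sh|lua|php|php3|php4|php5|php6|pcgi|pcgi3|pcgi4|pcgi5|pcgi6|icn)$ {
        return 444;
    }

    # Avoid processing of calls to unexisting static files by yii
    location ~ \.(js|css|png|jpg|gif|swf|ico|pdf|mov|fla|zip|rar)$ {
        try_files $uri =404;
    }

    # Disallow reading inside runtime directory
    # NOTE(review): a location matches the request URI, not a filesystem path.
    # "/var/www/survey-runtime/" is outside "root" above, so this block only
    # fires for a request whose URI literally starts with that string. Confirm
    # the runtime directory is not reachable under the document root at all.
    location ~ ^/var/www/survey-runtime/ {
        deny all;
    }

    #########################################################################
    # PHP-FPM Configuration
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        #fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_pass unix:/run/php/php8.4-fpm.sock;
        #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        include fastcgi_params;
        # increase buffer size
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
    }

    #########################################################################
    # SSL Configuration
    ssl_certificate /etc/ssl/certs/survey.example.org-cert.pem;
    ssl_certificate_key /etc/ssl/private/survey.example.org-key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # Server-side cipher preference; forward secrecy comes from the ECDHE/DHE
    # suites that get negotiated, not from this directive by itself.
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 15m;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    # HSTS; "always" sends the header on error responses as well
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    keepalive_timeout 70;
    gzip off;

    #########################################################################
    # Logging / anonymized access log
    # Path and format (or level) are separate arguments. Quoting them together
    # as one string makes nginx use the entire string as the file name and
    # fall back to the default format / level. "combined_anon" is presumably
    # declared by a log_format in the http context outside this file.
    access_log /var/log/nginx/survey-access.log combined_anon;
    error_log /var/log/nginx/survey-error.log warn;
}

# Plain-HTTP server: redirect the canonical host to HTTPS, 404 everything else.
server {
    if ($host = survey.example.org) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    listen [::]:80;
    server_name default;
    return 404;
}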