dokuwiki not in root problem of regexp

Jiff nginx-forum at nginx.us
Sun Jul 1 16:40:34 UTC 2012


myserver.org_dokuwiki_http_https_main.conf
==================================

# DOKUWIKI NOT-ON-ROOT MAIN FILE: BROWSE HTTP + DANGEROUS AREAS HTTPS
#====================================================================

# 2012-07-01 - Author: Jean-Yves F. Barbier - lazyvirus<at]gmx{dot)com

# File: myserver.org_dokuwiki_http_https_main.conf

# MOD'OP: Just symlink this file into /etc/nginx/sites-enabled

# Works on Debian squeeze + backports:
#   nginx-full                  1.2.1-1~dotdeb.0
#   php5                        5.3.14-1~dotdeb.0
#   php5-fpm                    5.3.14-1~dotdeb.0
# Works under Debian sid.

# Solutions mostly coming from:
# http://wiki.nginx.org
# http://agentzh.org/misc/nginx/agentzh-nginx-tutorials-enuk.html
# http://blog.slucas.fr/en/oss/dokuwiki-nginx-config
# http://www.dokuwiki.org/install:nginx?s[]=nginx
# http://www.dokuwiki.org/tips:httpslogin#nginx

# With this conf, leave parm 'securecookie' enabled.

# Not tested w/ clean URL (but who cares?)

# CAUTION: MUCH TIME WASTED: DW DOESN'T SET 'useacl' TO 1 WHEN INSTALLING,
#          WHICH ALLOWS YOU TO LOG IN BUT SENDS A 'Permission denied' AS
#          SOON AS YOU MAKE ANY MODIFICATION!
# SOLT:    Install, then manually edit /conf/dokuwiki.php to set it to 1.

# NB: You can also redirect sensitive areas to localhost (unencrypted).

#=============================================================================
# HTTP/HTTPS DISCRIMINATOR

# Derive an on/off flag from the request scheme; the common file passes it
# to PHP through the HTTPS fastcgi parameter.
# When redirecting to localhost instead of HTTPS, comment out this map
# (and the line using $php_https in the common file).
map $scheme $php_https {
    default  off;
    https    on;
}

#=============================================================================
# HTTP

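server {
    listen                  80;
    server_name             myserver.org;
    root                    /var/www;
    index                   index.html    index.php    doku.php;

    access_log              /var/log/nginx/dokuwiki.http.access.log;
    error_log               /var/log/nginx/dokuwiki.http.error.log;
    rewrite_log             on;    # TEST ONLY (logs all rewrites)

    #-------------------------------------------------------------

    # Enforce HTTPS for do=log…, do=admin… & do=profile… requests.
    #
    # The test only looks at the query string ($args): a 'do' value sent
    # in a POST body is not seen here, and every other request is still
    # served over plain HTTP.
    #
    # The redirect target is built from $server_name (the name configured
    # above) instead of $host, so a client-supplied Host header is never
    # echoed back into the Location header.  $request_uri already carries
    # the original query string.

    if ($args  ~  do=(log|admin|profile)) {
        return  302  https://$server_name$request_uri;
        # localhost (unencrypted) version
###        return  302  http://localhost$request_uri;
    }

    # Common conf file

    include   /etc/nginx/sites-available/myserver.org_dokuwiki_http_https_common.conf;
}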

#=============================================================================
# HTTPS


server {
    listen       443 ssl;
    server_name  myserver.org;

    root   /var/www;
    index  index.html index.php doku.php;

    # Logs kept separate from the plain-HTTP server.
    error_log    /var/log/nginx/dokuwiki.https.error.log;
    access_log   /var/log/nginx/dokuwiki.https.access.log;
    rewrite_log  on;    # TEST ONLY (log all rewrites)

    # Certificate and private key.
    # NOTE(review): the key file name suggests an unencrypted
    #   (passphrase-less) key -- confirm, and keep the file readable by
    #   root only.
    # NOTE(review): no ssl_protocols / ssl_ciphers are set here, so the
    #   defaults of the installed nginx/OpenSSL build apply; pin them
    #   explicitly after checking what those versions support.
    ssl_certificate      /etc/nginx/SSL/nginx.crt;
    ssl_certificate_key  /etc/nginx/SSL/nginx-insecure.key;

    #-------------------------------------------------------------

    # CAUTION: DON'T enforce HTTP for normal requests (do=show|^$), this
    #          renders any modification in DW worthless!
    # NOTE(review): presumably because the session cookie is HTTPS-only
    #   when 'securecookie' is enabled -- confirm.

    # Directives shared with the HTTP server.
    include  /etc/nginx/sites-available/myserver.org_dokuwiki_http_https_common.conf;
}

#=============================================================================
# EOF


myserver.org_dokuwiki_http_https_common.conf
====================================

    # DOKUWIKI NOT-ON-ROOT COMMON FILE: BROWSE HTTP + DANGEROUS AREAS HTTPS
    #======================================================================

    # 2012-07-01 - Author: Jean-Yves F. Barbier - lazyvirus<at]gmx{dot)com

    # File: myserver.org_dokuwiki_http_https_common.conf

    # As DW is not on the HTTP/S svr root, redirect any root query toward it
    # from:   http://myserver.org/   to:   http://myserver.org/dokuwiki
    # (until other services become available).

    # Exact match on the site root.  The redirect hangs off the 403 error
    # page, so it only happens when nginx answers "/" with a 403; the target
    # always uses the http scheme and the request's $host.
    # NOTE(review): presumably the 403 comes from /var/www having no index
    #   file -- confirm; once one exists this redirect stops firing.
    location = / {
        error_page  403  =  http://$host/dokuwiki;
    }

    #-------------------------------------------------------------

    # Serve an existing file or directory below /dokuwiki as-is; anything
    # else falls through to the @dw named location.
    location /dokuwiki {
        try_files  $uri  $uri/  @dw;
    }

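    # Clean-URL fallback: map /dokuwiki/... request paths onto the DokuWiki
    # entry scripts.
    #
    # The rewrite targets carry the /dokuwiki prefix: the server blocks set
    # root to /var/www and the wiki is served from /dokuwiki, so a target
    # such as /doku.php would resolve to a script outside the wiki
    # directory and be answered with 404 by the .php location.
    # (The author notes this file was not tested with clean URLs.)
    location  @dw {
        rewrite    ^/dokuwiki/_media/(.*)           /dokuwiki/lib/exe/fetch.php?media=$1     last;
        rewrite    ^/dokuwiki/_detail/(.*)          /dokuwiki/lib/exe/detail.php?media=$1    last;
        rewrite    ^/dokuwiki/_export/([^/]+)/(.*)  /dokuwiki/doku.php?do=export_$1&id=$2    last;
        rewrite    ^/dokuwiki/(.*)                  /dokuwiki/doku.php?id=$1&$args           last;
    }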

    #-------------------------------------------------------------

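    # For security reasons (http://www.dokuwiki.org/security) some
    # directories must not be reachable from the outside.  But a
    # 'deny all' isn't a good solution, as it returns a 403 which
    # is visible by the client.  The solution comes from a nginx
    # special extension: the 444 error that returns no information
    # to the client and closes its connection.  Useful as a deterrent
    # for malware as it is silent:)
    #
    # This block must stay ABOVE the generic .php location: nginx tries
    # regex locations in the order they appear and stops at the first
    # match, so with the .php block first any *.php file inside these
    # directories would be handed to PHP-FPM and never reach this rule.

    location  ~  ^/dokuwiki/(bin|conf|data|inc)/  {
        return      444;
    }

    #-------------------------------------------------------------

    location  ~  \.php$ {
        # Only scripts that exist on disk are passed to PHP-FPM; a URI that
        # merely ends in .php gets a 404 instead.
        if (!-f $request_filename) {
            return          404;
        }

        include          fastcgi_params;
        fastcgi_param    SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        # Comment the line below if redirecting to localhost (unencrypted)
        fastcgi_param    HTTPS               $php_https;  # DW checks $_SERVER['HTTPS']
        # Save the TCP/IP overhead: use socket instead
        fastcgi_pass     unix:/var/run/php5-fpm.socket;
    }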
    
    #-------------------------------------------------------------

    # Force a long expiration delay on static files

    # Case-insensitive match on common static-file extensions: 30-day
    # expiry, and neither hits nor misses are logged.
    # Regex locations are tried in file order, so for a matching URI this
    # block wins over every regex location declared after it.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        log_not_found  off;
        access_log     off;
        expires        30d;
    }

    # This location serves static files

    # Anything under /dokuwiki/lib/ gets a 30-day expiry.
    location ~ ^/dokuwiki/lib/ {
        expires  30d;
    }

    #-------------------------------------------------------------

    # As of nginx wiki this should go to /etc/nginx/conf.d/drop.conf,
    # but I like to have everything on sight.
    
    # NTS: It is normal not to see the pink icon about
    #      "data directory not properly secured": this is
    #      when I can see it that there's something wrong:)

    # Exact match: keep robots.txt requests (found or not) out of the logs.
    location = /dokuwiki/robots.txt {
        log_not_found  off;
        access_log     off;
    }

    # Exact match: keep favicon.ico requests (found or not) out of the logs.
    location = /dokuwiki/favicon.ico {
        log_not_found  off;
        access_log     off;
    }

    # Silently drop (444) any request whose path contains a dot-file or
    # dot-directory component; access logging stays on, so attempts are
    # still recorded.
    # Regex locations are tried in file order: a dot-path that also matches
    # an earlier regex location in this file (the .php or static-file ones)
    # is handled there, not here.
    location ~ /\. {
        return  444;
    }

    # I spent some time to understand what this block was meant for:
    # http://kbeezie.com/view/nginx-configuration-examples/
    # This block is mainly for people who use vim, or any other command
    # line editor that creates a backup copy of a file being worked on
    # with a file name ending in ~.
    # Hiding this prevents someone from accessing a backup copy of a
    # file you have been working on.
    # URIs ending in "~" (editor backup copies): close the connection with
    # 444 and write nothing to the logs.
    location ~ ~$ {
        log_not_found  off;
        access_log     off;
        return         444;
    }

#=============================================================================
# EOF

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,228124,228155#msg-228155


