Add more details and examples to nginx config #640

Draft: wants to merge 1 commit into base: master
41 changes: 38 additions & 3 deletions docs/nginx-configuration.md
Expand Up @@ -4,6 +4,8 @@ Altis Cloud uses Nginx within your [web containers](./architecture.md). For adva

**Note:** Custom configuration will only apply to traffic served by the web container, which does not include media or tachyon (see the [architecture diagram for more information](./architecture.md)). Specifically, any URLs beginning with `/uploads/` or `/tachyon/` are routed directly to [S3](./s3-storage.md) and [Tachyon](docs://media/dynamic-images.md) directly.

**Important:** Nginx configuration is a powerful low-level tool, and incorrect configuration may prohibit access to your site. Ensure that any configuration changes are carefully tested on local and pre-production environments. Altis is not responsible for downtime resulting from misconfiguration of nginx.


## Server Configuration
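
Review bot: The added "Important" paragraph writes "nginx" in lower case twice ("misconfiguration of nginx") while the opening sentence of the file and the start of the same paragraph use "Nginx"; pick one spelling for the page. "may prohibit access to your site" would read more accurately as "may prevent access to your site", since the risk described is an outage rather than a policy decision. The paragraph is also followed by two blank lines before "## Server Configuration" where the rest of the file uses one.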

Expand Down Expand Up @@ -45,9 +47,9 @@ http {

## Examples

Developers can use this advanced configuration to do complex redirect, rewrites or other server-level routing.
### Redirection

For example, if you want to redirect a specific domain to a new domain and for some reason not able to do this at the PHP / application layer:
If you want to redirect a specific domain to a new domain and for some reason not able to do this at the PHP / application layer:

`.config/nginx-additions.conf`
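
Review bot: The rewritten sentence under "### Redirection" is missing a verb: "and for some reason not able to do this" should be "and for some reason are not able to do this". With the introductory sentence about redirects, rewrites and server-level routing removed, "## Examples" now runs straight into its first subsection; a single sentence under the heading saying that each snippet goes in `.config/nginx-additions.conf` would keep that context for the later subsections, which do not name the file.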

Expand All @@ -57,7 +59,10 @@ if ( $host = "example.com" ) {
}
```

Alternatively, if you have one or more local files in your repository you wish to explicitly block from being publicly accessed you may manually configure a 404 for a specific resource or filename pattern:

### Block access to files

If you have one or more local files in your repository you wish to explicitly block from being publicly accessed you may manually configure a 404 for a specific resource or filename pattern:

```
# Block access to any file entitled `config.local.yaml`.
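
Review bot: The new "Block access to files" text promises a 404 for "a specific resource or filename pattern", but the example it introduces, `location ~* config.local.yaml {`, is an unanchored regular expression with unescaped dots, so it matches any URI containing "config", any character, "local", any character, "yaml", not only the one file named in the comment. Since this PR is expanding the examples, either escape and anchor the pattern (for instance `~* /config\.local\.yaml$`) or add a sentence saying the match is deliberately broad. The sentence itself needs a comma after "publicly accessed", and the hunk adds a second blank line before the heading.
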
Expand All @@ -66,3 +71,33 @@ location ~* config.local.yaml {
return 404;
}
```


### Limit access based on IP address

Access to certain URLs can be limited based on IP address, using the `allow` and `deny` directives.

Any URLs limited through this manner **must not** be set as cacheable, otherwise the response will be cached at the CDN layer. If this behaviour is desired, limitations must be made at the firewall layer instead; contact support for further details.

Additionally, be careful to ensure internal systems and loopback (localhost) requests are permitted to access these URLs, as this may cause problems with functionality or may cause your site to be marked as unhealthy.

```
# Block access to /internal/ to known subnets
location /internal/ {
# Allow known subnets.
allow 152.37.71.106;
allow 8.8.8.8/16;

# Allow internal Altis systems.
allow 172.16.0.0/12;

# Deny access to all others.
deny all;

# Mark as uncacheable.
add_header Cache-Control 'no-store, no-cache';

# Route as per usual.
try_files $uri $uri/ /index.php?$args;
}
```
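
Review bot: The example in "Limit access based on IP address" does not meet the two requirements stated in the prose directly above it. The text says loopback requests must be permitted, yet the block has no `allow 127.0.0.1;` (or `::1`) before `deny all;`. The text says restricted URLs must not be cacheable, yet `add_header Cache-Control 'no-store, no-cache';` without the `always` parameter is not added to the 403 that `deny all` produces, and once `try_files` falls through to `/index.php?$args` the request is handled by the location that matches `/index.php`, so this `add_header` does not apply to PHP responses either; the header needs `always` and also has to be set where the PHP response is generated. `allow 8.8.8.8/16;` has host bits set for a /16, which Nginx reports as a warning and treats as 8.8.0.0/16, and both it and `152.37.71.106` are real public addresses; the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are safer to copy from. Because the page describes a CDN in front of the web container, it should also state which address `allow` and `deny` are evaluated against, since a rule that matches a proxy address rather than the visitor would combine badly with the broad `allow 172.16.0.0/12;`. Finally, the comment "Block access to /internal/ to known subnets" reads as the opposite of what the block does; "Restrict access to /internal/ to known subnets" is clearer.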