infrastructure/roles/archwiki/templates/nginx.d.conf.j2

# On-disk FastCGI response cache, referenced below as zone "wiki".
#   levels=1:2      two-level directory hierarchy under the cache path
#   keys_zone=...   100 MB shared-memory zone holding the cache keys
#   inactive=60m    entries not requested for 60 minutes are evicted
fastcgi_cache_path /var/lib/nginx/cache
                   levels=1:2
                   keys_zone=wiki:100m
                   inactive=60m;

# The key is built from scheme, method, host and full request URI only.
# It contains no cookie or other per-user component, so every client asking
# for the same URL is served the same cached object. Enable "fastcgi_cache"
# only on locations whose responses are not personalised.
fastcgi_cache_key "$scheme$request_method$host$request_uri";
# FastCGI backend for the wiki, reached over a local UNIX socket whose path
# is filled in by the template variable.
# NOTE(review): presumably this is the php-fpm pool socket; who may connect to
# it is decided by the socket file's owner/mode, which is not set in this file.
upstream archwiki {
    server unix://{{ archwiki_socket }};
}
# Plain-HTTP vhost: it only includes the Let's Encrypt snippet and redirects
# everything else to HTTPS.
server {
    listen      80;
    listen      [::]:80;
    server_name {{ archwiki_domain }};

    access_log  /var/log/nginx/{{ archwiki_domain }}/access.log reduced;
    error_log   /var/log/nginx/{{ archwiki_domain }}/error.log;

    # NOTE(review): presumably provides the ACME HTTP-01 challenge location;
    # the snippet itself is not part of this template.
    include snippets/letsencrypt.conf;

    location / {
        # Redirects are not worth logging.
        access_log off;

        # The target host is $server_name (the configured name), not the
        # client-supplied Host header, so the Location header cannot be
        # steered to another host by the request.
        return 301 https://$server_name$request_uri;
    }
}
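# HTTPS vhost for the wiki. Static assets are served from disk; the PHP entry
# points are handed to the "archwiki" FastCGI upstream. Everything that is not
# explicitly allowed below is denied.
#
# NOTE(review): add_header inside a location replaces (it does not extend) any
# add_header set at server/http level. This file sets no security headers at
# server level; if HSTS or similar headers come from the global nginx
# configuration (not visible here), they are not sent from the locations below
# that carry their own add_header lines.
server {
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;
    server_name {{ archwiki_domain }};

    access_log  /var/log/nginx/{{ archwiki_domain }}/access.log reduced;
    error_log   /var/log/nginx/{{ archwiki_domain }}/error.log;

    ssl_certificate         /etc/letsencrypt/live/{{ archwiki_domain }}/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/{{ archwiki_domain }}/privkey.pem;
    # Used to verify OCSP responses when stapling is enabled.
    # NOTE(review): ssl_stapling, protocols and ciphers are not set here;
    # presumably they are inherited from the global configuration.
    ssl_trusted_certificate /etc/letsencrypt/live/{{ archwiki_domain }}/chain.pem;

    root  {{ archwiki_dir }}/public;
    index index.php;

    # Block search bot that apparently never heard the term rate limiting.
    # The User-Agent header is client-supplied, so this only stops a crawler
    # that identifies itself; it is not a rate limit. The pattern is anchored
    # with "$" and therefore matches only when the header ends in "Bytespider".
    if ($http_user_agent ~ "Bytespider$" ) {
        return 403;
    }

    location /robots.txt {
        alias {{ archwiki_dir }}/robots.txt;
    }

    # Deny every path starting with "/." (dotfiles and dot-directories).
    # "^~" stops nginx from consulting the regex locations below for these.
    # This also covers /.well-known/ on HTTPS.
    location ^~ /. {
        log_not_found off;
        deny all;
    }

    # special case due to our '/index.php/Main_Page' type URLs
    location ~ ^/(?:index|redirect)\.php(?:/.*)$ {
        access_log /var/log/nginx/{{ archwiki_domain }}/access.log main;

        fastcgi_pass  archwiki;
        fastcgi_index index.php;

        # Non-greedy split: the script is always the first "*.php" segment
        # (/index.php or /redirect.php) and the rest becomes PATH_INFO. With a
        # greedy "(.+\.php)" a page title ending in ".php" would be taken as
        # part of the script path, leaving it to the PHP side to work out which
        # file to run.
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_param HTTPS           on;
        include fastcgi_params;
    }

    # special case for '/load.php' type URLs to cache css/js in nginx to relieve php-fpm
    location = /load.php {
        access_log /var/log/nginx/{{ archwiki_domain }}/access.log main;

        fastcgi_pass  archwiki;
        fastcgi_index index.php;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_param HTTPS           on;
        include fastcgi_params;

        # Cached responses are shared between all clients (the cache key has no
        # per-user part). nginx does not store responses that carry Set-Cookie
        # or "Cache-Control: private/no-cache/no-store" unless
        # fastcgi_ignore_headers overrides that; it is not set here, so keeping
        # per-user output out of the cache depends on the backend sending those
        # headers.
        fastcgi_cache       wiki;
        fastcgi_cache_valid 200 10m;
        # Exposes HIT/MISS/... to clients for debugging.
        add_header X-Cache $upstream_cache_status;
    }

    # normal PHP FastCGI handler
    # Only "*.php" directly under the document root is matched, so a ".php"
    # file inside any sub-directory is never passed to the FastCGI backend.
    location ~ ^/[^/]+\.php$ {
        access_log /var/log/nginx/{{ archwiki_domain }}/access.log main;

        fastcgi_pass  archwiki;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS           on;
        include fastcgi_params;
    }

    # whitelist known OK directories
    # Files here are served as static content only.
    location ~ ^/(?:skins|resources|images|extensions/ArchLinux/modules)/ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        # "images" is MediaWiki's default upload directory, i.e. user-supplied
        # files. Tell browsers to trust the declared Content-Type instead of
        # sniffing it. Set here explicitly because the add_header lines above
        # prevent any globally configured copy from being inherited.
        add_header X-Content-Type-Options nosniff;
    }

    # block all other directories
    # Default-deny for every remaining path below a first-level directory.
    location ~ ^/[^/]+/ {
        log_not_found off;
        deny all;
    }
}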