worker_processes auto; error_log /var/log/nginx/error.log; events { worker_connections 1024; } # start the http block http { include mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; server_names_hash_bucket_size 128; keepalive_timeout 65; gzip off; #upstream php { #server unix:/var/run/php-fpm.sock; #} index index.html index.htm index.php; ssl_certificate /etc/nginx/dummy-cert; ssl_certificate_key /etc/nginx/dummy-key; # http host for php 7.1 connect # redirects to ssl only host below server { # Note that the different ports are used below to decide # which version of php-fpm to use listen 80; listen 443 ssl; server_name example.net www.example.net; root /usr/share/nginx/html/openemr; ## redirect www to nowww #if ($host = 'www.example.net' ) { #rewrite ^/(.*)$ https://example.net/$1 permanent; #} #access_log /var/log/*/example.net_access_log main; #error_log /var/log/*/example.net_error_log notice; # openemr specific SSL settings, I am still working on this? #include openemr-ssl.conf; # restrict/protect certain files #include globals.conf; # globals.conf configuration file. # Designed to be included in any server {} block # If this server only hosts openemr, this file can be merged with openemr.conf # Stops the annoying error messages in the logs. robots are not allowed location = /favicon.ico { log_not_found off; access_log off; } location = /robots.txt { log_not_found off; access_log off; } # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) location ~ /\. { deny all; } # protect or deny access to important server information and testing files # alternatively, you can deny access to all files using {deny all; return 404;} or remove them #location ~* /(info|test)\.php$ { #auth_basic "Restricted Access"; #auth_basic_user_file /path/to/.htpasswd; #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; #fastcgi_pass fastcgi_pass dev-php-fpm-7-1:9000; #include fastcgi_params; #} # Not sure if openemr needs this. it comes from wordpress location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { access_log off; log_not_found off; expires max; } ## Deny certain Referers if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) ) { #return 404; return 403; } # Stop deep linking or hot linking location /images/ { valid_referers none blocked www.example.com example.com; if ($invalid_referer) { return 403; } } # end globals.conf configuration file. # deny access to writable files/directories location ~* ^/sites/*/(documents|edi|era) { deny all; } # Pick one of the following two blockc, but not both: # protect special files from outside openemer login, and restrict them to superAdmins only #location ~* ^/(admin|setup|acl_setup|acl_upgrade|sl_convert|sql_upgrade|gacl/setup|ippf_upgrade|sql_patch)\.php { #auth_basic "Restricted Access"; #auth_basic_user_file /path/to/.htpasswd; #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; #fastcgi_pass dev-php-fpm-7-1:9000; #include fastcgi_params; #} # Alternatively all access to these files can be denied #location ~* ^/(admin|setup|acl_setup|acl_upgrade|sl_convert|sql_upgrade|gacl/setup|ippf_upgrade|sql_patch)\.php { #deny all; #return 404; #} if (!-e $request_filename) { # Needed for zend to work rewrite ^(.*/zend_modules/public)(.*) $1/index.php?$is_args$args last; # Needed for patient portal to work rewrite ^(.*/portal/patient)(.*) $1/index.php?_REWRITE_COMMAND=$1$2 last; } location / { # try as file ($uri), as directory ($uri/) if not found, send to index file # no php is touched for static content try_files $uri $uri/ /index.php; } # redirect server error pages to the static page /50x.html #error_page 500 502 503 504 /50x.html; #location = /50x.html { #root /usr/local/www/nginx-dist; #} # pass the PHP scripts to the FastCGI server listening on unix socket, in this case php-fpm # NOTE this is using if statements to decide which version of php-fpm to use, which is # dependent on the port of the server that is used location ~* \.php$ { try_files $uri =404; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; # Added below buffers to fix error that was happening in php 7.4 beta (guessing it the the standard error log with all the deprecated messages): # "upstream sent too big header" fastcgi_buffers 16 16k; fastcgi_buffer_size 32k; if ($server_port = 80) { fastcgi_pass openemr:9000; } if ($server_port = 443) { fastcgi_pass openemr:9000; } include fastcgi_params; } } } # end http block