server { listen 80; server_name localhost; root /var/www/html; index index.html; # Security headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; # Deny access to hidden files location ~ /\. { deny all; access_log off; log_not_found off; } # PHP routing - everything under /tkr goes through index.php location /tkr { alias /var/www/html/public; index index.php; # Cache static files # Note that I don't actually serve most of this (just js and css to start) # but including them all will let caching work later if I add images or something location ~* ^/tkr/.+\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { expires 1y; add_header Cache-Control "public, immutable"; try_files $uri =404; } # index.php is the entry point # It needs to be sent to php-fpm # But if someone tries to directly access index.php, that file will throw a 404 # so bots and scanners can't tell this is a php app location = /tkr/index.php { fastcgi_pass php:9000; fastcgi_param SCRIPT_FILENAME /var/www/html/public/index.php; include fastcgi_params; # Additional FastCGI params fastcgi_param REQUEST_METHOD $request_method; fastcgi_param REQUEST_URI $request_uri; fastcgi_param QUERY_STRING $query_string; } # Block attempts to access all other .php files directly # (these are bots and scanners) location ~ ^/tkr/.+\.php$ { return 404; } # forward other requests to the fallback block, # which sends them to php-fpm for handling try_files $uri $uri/ @tkr_fallback; } # Fallback for /tkr routing - all non-file requests go to index.php location @tkr_fallback { fastcgi_pass php:9000; fastcgi_param SCRIPT_FILENAME /var/www/html/public/index.php; include fastcgi_params; # Additional FastCGI params fastcgi_param REQUEST_METHOD $request_method; fastcgi_param REQUEST_URI $request_uri; fastcgi_param QUERY_STRING $query_string; } # Deny access to sensitive directories location ~ ^/tkr/(storage|lib|vendor|config) { deny all; return 404; } }