Расширяем gitignore + защита .git

Добавляем некоторые используемые расширения в .gitignore + дополнительные правила для сервера (запрет на доступ к папке .git извне).
2025-08-21 13:54:02 -07:00 · 2014-10-29 20:12:18 +03:00 · 2014-10-29 20:12:18 +03:00 · 6e7595b686
commit 6e7595b686
parent 5e65d7a8d7
3 changed files with 59 additions and 32 deletions
--- a/install/php-fpm+nginx/nginx.conf
+++ b/install/php-fpm+nginx/nginx.conf
@ -1,5 +1,5 @@
-user  www www;
-worker_processes  4;
+user www www;
+worker_processes auto;

 #error_log  /var/log/nginx/error.log;
 #error_log  /var/log/nginx/error.log  notice;
@ -41,9 +41,9 @@ http {

    keepalive_timeout 65;

-    limit_req_zone  $binary_remote_addr  zone=one:16m  rate=5r/s;
+    limit_req_zone $binary_remote_addr  zone=one:16m  rate=5r/s;

-    gzip  on;
+    gzip on;
    gzip_vary on;
    gzip_min_length 2048;
    gzip_comp_level 5;
@ -69,14 +69,13 @@ http {

        location / {
            root  /var/www;
-            index index.html index.htm index.php;
+            index index.php index.html index.htm;
        }

        error_page  404              /404.html;
        error_page  500 502 503 504  /50x.html;

-        # pass the PHP scripts to FastCGI server listening on /tmp/php.sock;
-        #
+        # pass the PHP scripts to FastCGI server listening on /tmp/php.sock
        location ~ \.php$ {
            #limit_req  zone=one  burst=20  nodelay;
            #limit_req_log_level  info;
@ -97,7 +96,7 @@ http {
            include         fastcgi_params;
        }

-        # Old XBTT config
+        # rewrite to XBTT (old)
 #       location ^~ /bt/ {
 #           access_log   off;
 #           if ( $query_string ~ "^uk=([^&?]{10})[&?]+(.*)$" ) {
@ -115,34 +114,41 @@ http {
 #           proxy_pass http://127.0.0.1:2710/;
 #       }

-        # Cached Images
+        # cache static files
        location ~* \.(jpg|jpeg|gif|png|css|js|ico)$ {
            root         /var/www;
            access_log   off;
            expires      30d;
-            add_header   Cache-Control  public;
-        }
-
-        location ~ \/admin|backup\/ {
-            deny all;
-           #allow YOUR_IP;
-        }
-        # Deny folder (Sec. lvl1)
-        location ~ \/(install|internal_data|library)\/ {
-            deny all;
+            add_header   Cache-Control public;
        }

        # sitemap rewrite
        rewrite ^/sitemap.xml$ /internal_data/sitemap/sitemap.xml;

-        # deny access to .htaccess files, if Apache's document root
-        # concurs with nginx's one
-        # deny sql,tpl,db,inc,log
-        location ~ /\.ht {
-            deny  all;
+        # deny access to admin folder
+        location ~ \/admin|backup\/ {
+            deny all;
+            #allow YOUR_IP;
        }
+
+        # deny access to system folder
+        location ~ \/(install|internal_data|library)\/ {
+            deny all;
+        }
+
+        # deny access to git folder
+        location ~ /\.git {
+            deny all;
+        }
+
+        # deny access to .htaccess, if apache's document root concurs with nginx's one
+        location ~ /\.ht {
+            deny all;
+        }
+
+        # deny access to critical files
        location ~ \.(.*sql|tpl|db|inc|log|md)$ {
-            deny  all;
+            deny all;
        }
    }
 }