chris/scarif
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Switch to nginx-proxy

Browse Source
This commit is contained in:
Chris
2025-07-20 22:21:37 +01:00
parent 650bb88bc0
commit a1e0fb1ebb
10 changed files with 349 additions and 160 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.env.example
View File

@@ -7,6 +7,7 @@ USER_PASSWORD=
DOMAIN=scarif.local
LOCAL_IP=192.168.10.10
SSH_KEY= # Will be added to authorized keys
COMPOSE_PROFILES=prod
#
# Database settings

203
docker-compose.yml
View File

@@ -1,10 +1,3 @@
# Options for building certificates
x-certs: &certs
image: paulczar/omgwtfssl
restart: "no"
volumes:
- /opt/ssl:/certs
x-logging: &logging
logging:
driver: "local"
@@ -13,19 +6,24 @@ x-logging: &logging
max-file: "2"
services:
change:
<<: *logging
container_name: change
image: node:alpine
build: ./change-game
environment:
- PORT=9000
networks:
- nginx
volumes:
- change:/change/public
# change:
# <<: *logging
# profiles: ["prod"]
# container_name: change
# image: node:alpine
# build: ./change-game
# environment:
# - PORT=9000
# - VIRTUAL_HOST=rec.${DOMAIN}
# - CERT_NAME=${DOMAIN}
# - VIRTUAL_PORT=9000
# networks:
# - nginx
# volumes:
# - change:/change/public
foundry:
profiles: ["prod"]
<<: *logging
image: felddy/foundryvtt:release
volumes:
@@ -45,13 +43,18 @@ services:
- CONTAINER_PATCHES=/data/patches
- FOUNDRY_UID=1000
- FOUNDRY_GID=1000
- VIRTUAL_HOST=rec.${DOMAIN}
- CERT_NAME=${DOMAIN}
- VIRTUAL_PORT=30000
- VIRTUAL_PATH=/foundry
networks:
- nginx
nextcloud:
profiles: ["prod"]
<<: *logging
build: ./nextcloud
image: nextcloud
image: nextcloud:31-fpm-alpine
restart: unless-stopped
user: 1000:1000
volumes:
@@ -59,6 +62,10 @@ services:
- /mnt/tower/stardust:/var/www/html/data
- /mnt/tower/foundry:/var/www/foundry
environment:
- VIRTUAL_HOST=tower.${DOMAIN}
- CERT_NAME=${DOMAIN}
- VIRTUAL_PORT=9000
- VIRTUAL_PROTO=fastcgi
- REDIS_HOST=redis
- MYSQL_HOST=db
- MYSQL_PASSWORD=${DB_PASSWORD}
@@ -88,12 +95,16 @@ services:
- "office.${DOMAIN}:${LOCAL_IP}"
collabora:
profiles: ["prod", "dev"]
<<: *logging
image: collabora/code
restart: unless-stopped
cap_add:
- MKNOD
environment:
- VIRTUAL_HOST=office.${DOMAIN}
- CERT_NAME=${DOMAIN}
- VIRTUAL_PORT=9980
- "DONT_GEN_SSL_CERT=True"
- domain=tower.${DOMAIN}
- cert_domain=office.${DOMAIN}
@@ -108,28 +119,14 @@ services:
- "tower.${DOMAIN}:${LOCAL_IP}"
- "office.${DOMAIN}:${LOCAL_IP}"
homebox:
<<: *logging
image: ghcr.io/hay-kot/homebox:latest
restart: unless-stopped
environment:
- HBOX_LOG_LEVEL=info
- HBOX_LOG_FORMAT=text
- HBOX_WEB_MAX_UPLOAD_SIZE=10
- HBOX_OPTIONS_ALLOW_REGISTRATION=false
- HBOX_MAILER_HOST=${MAIL_HOST}
- HBOX_MAILER_PORT=${MAIL_PORT}
- HBOX_MAILER_USERNAME=${MAIL_USER}
- HBOX_MAILER_PASSWORD=${MAIL_PASSWORD}
volumes:
- homebox:/data/
networks:
- nginx
gitea:
profiles: ["prod", "dev"]
<<: *logging
image: gitea/gitea:1
environment:
- VIRTUAL_HOST=labs.${DOMAIN}
- CERT_NAME=${DOMAIN}
- VIRTUAL_PORT=3000
- "APP_NAME=Labs: Where the good stuff happens"
- RUN_MODE=prod
- DOMAIN=labs.${DOMAIN}
@@ -158,6 +155,7 @@ services:
- db
minecraft:
profiles: ["prod"]
<<: *logging
image: itzg/minecraft-server
tty: true
@@ -176,6 +174,7 @@ services:
- minecraft:/data
mc-backup:
profiles: ["prod"]
<<: *logging
image: itzg/mc-backup
depends_on:
@@ -193,53 +192,15 @@ services:
- minecraft:/data:ro
- /mnt/tower/backups/minecraft:/backups
tt-rss:
<<: *logging
image: cthulhoo/ttrss-fpm-pgsql-static:latest
restart: unless-stopped
environment:
- TTRSS_SELF_URL_PATH=https://intel.${DOMAIN}
- TTRSS_DB_USER=${DB_USER}
- TTRSS_DB_NAME=scarif
- TTRSS_DB_PASS=${DB_PASSWORD}
- TTRSS_DB_HOST=psqldb
#- AUTO_CREATE_USER=${TTRSS_USER}
#- AUTO_CREATE_USER_PASS=${TTRSS_USER_PASS}
#- ADMIN_USER_ACCESS_LEVEL=-2
volumes:
- tt-rss:/var/www/html
- ./tt-rss/config.d:/opt/tt-rss/config.d:ro
depends_on:
- psqldb
networks:
- db
- nginx
tt-rss-updater:
<<: *logging
image: cthulhoo/ttrss-fpm-pgsql-static:latest
restart: unless-stopped
environment:
- TTRSS_SELF_URL_PATH=https://intel.${DOMAIN}
- TTRSS_DB_USER=${DB_USER}
- TTRSS_DB_NAME=scarif
- TTRSS_DB_PASS=${DB_PASSWORD}
- TTRSS_DB_HOST=psqldb
volumes:
- tt-rss:/var/www/html
- ./tt-rss/config.d:/opt/tt-rss/config.d:ro
depends_on:
- tt-rss
- psqldb
command: /opt/tt-rss/updater.sh
networks:
- db
navidrome:
profiles: ["prod"]
<<: *logging
image: deluan/navidrome:latest
restart: unless-stopped
environment:
- VIRTUAL_HOST=radio.${DOMAIN}
- CERT_NAME=${DOMAIN}
- VIRTUAL_PORT=4533
- ND_SCANSCHEDULE=1h
- ND_LOGLEVEL=info
- ND_SESSIONTIMEOUT=24h
@@ -251,15 +212,17 @@ services:
- nginx
pihole:
profiles: ["prod"]
<<: *logging
image: pihole/pihole:latest
ports:
- "53:53/tcp"
- "53:53/udp"
environment:
TZ: "Europe/London"
WEBPASSWORD: ${PIHOLE_PASSWORD}
VIRTUAL_HOST: net.${DOMAIN}
- VIRTUAL_HOST=net.${DOMAIN}
- CERT_NAME=${DOMAIN}
- TZ="Europe/London"
- WEBPASSWORD=${PIHOLE_PASSWORD}
volumes:
- "/docker/pihole/etc-pihole:/etc/pihole"
- "/docker/pihole/etc-dnsmasq.d:/etc/dnsmasq.d"
@@ -267,22 +230,8 @@ services:
networks:
- nginx
pdf2audiobook:
<<: *logging
build: ./pdf-to-audiobook
image: pdf2audiobook:latest
container_name: pdf2audiobook
working_dir: /app
volumes:
- ./pdf-to-audiobook:/app
- /mnt/tower/stardust/chris/files/Library:/books:ro
- /mnt/tower/stardust/chris/files/Audiobooks:/audio
environment:
- OPENAI_API_KEY=${OPENAI_API_KEY}
- OPENAI_API_BASE=${OPENAI_API_BASE:-https://aihubmix.com/v1}
- OPENAI_MODEL=${OPENAI_MODEL:-aihubmix-Llama-3-3-70B-Instruct}
jitsi:
profiles: ["prod"]
<<: *logging
image: jitsi/web:stable
restart: unless-stopped
@@ -291,6 +240,9 @@ services:
- ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z
- ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z
environment:
- VIRTUAL_HOST=comms.${DOMAIN}
- VIRTUAL_PORT=80
- CERT_NAME=${DOMAIN}
- AMPLITUDE_ID
- ANALYTICS_SCRIPT_URLS
- ANALYTICS_WHITELISTED_EVENTS
@@ -435,6 +387,7 @@ services:
# XMPP server
prosody:
profiles: ["prod"]
<<: *logging
image: jitsi/prosody:stable
restart: unless-stopped
@@ -532,6 +485,7 @@ services:
# Focus component
jicofo:
profiles: ["prod"]
<<: *logging
image: jitsi/jicofo:stable
restart: unless-stopped
@@ -581,6 +535,7 @@ services:
# Video bridge
jvb:
profiles: ["prod"]
<<: *logging
image: jitsi/jvb:stable
restart: unless-stopped
@@ -627,6 +582,7 @@ services:
db:
profiles: ["prod", "dev"]
<<: *logging
image: mariadb
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --skip-innodb-read-only-compressed
@@ -642,41 +598,40 @@ services:
- db
redis:
profiles: ["prod", "dev"]
image: redis:alpine
restart: always
networks:
- redis
nginx:
<<: *logging
image: nginx:alpine
profiles: ["prod", "dev"]
image: nginxproxy/nginx-proxy
restart: always
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
- /opt/ssl:/etc/nginx/certs:ro
- ./nginx/nginx.conf.template:/etc/nginx/conf.d/nginx.conf.template
- ./nginx/generate_conf.sh:/docker-entrypoint.d/generate_conf.sh
- ./nginx-proxy/vhost.d/labs_location:/etc/nginx/vhost.d/labs.${DOMAIN}_location:ro
- ./nginx-proxy/vhost.d/office:/etc/nginx/vhost.d/office.${DOMAIN}:ro
- ./nginx-proxy/vhost.d/rec:/etc/nginx/vhost.d/rec.${DOMAIN}:ro
- ./nginx-proxy/vhost.d/tower_location_override:/etc/nginx/vhost.d/tower.${DOMAIN}_location_override:ro
- ./nginx-proxy/vhost.d/tower:/etc/nginx/vhost.d/tower.${DOMAIN}:ro
- ./nginx-proxy/conf.d/custom_proxy.conf:/etc/nginx/conf.d/custom_proxy.conf:ro
- nextcloud:/var/www/html/nextcloud:ro
- ./christmas:/var/www/html/christmas:ro
- tt-rss:/var/www/html/tt-rss:ro
- change:/var/www/html/change:ro
environment:
- DOMAIN=${DOMAIN}
depends_on:
- nextcloud
- gitea
- collabora
- pihole
- foundry
- tt-rss
- homebox
- navidrome
ports:
- 443:443
networks:
- nginx
certs:
<<: *certs
profiles: ["dev"]
image: paulczar/omgwtfssl
restart: "no"
volumes:
- /opt/ssl:/certs
environment:
- SSL_SUBJECT=${DOMAIN}
- CA_SUBJECT=chris@${DOMAIN}
@@ -684,27 +639,11 @@ services:
- SSL_CSR=/certs/${DOMAIN}.csr
- SSL_CERT=/certs/${DOMAIN}.crt
psqldb:
<<: *logging
image: postgres:12-alpine
restart: unless-stopped
environment:
- POSTGRES_USER=${DB_USER}
- POSTGRES_PASSWORD=${DB_PASSWORD}
- POSTGRES_DB=scarif
volumes:
- psqldb:/var/lib/postgresql/data
networks:
- db
volumes:
db:
psqldb:
tt-rss:
gitea:
nextcloud:
foundry:
homebox:
navidrome:
minecraft:
change:

28
nextcloud/Dockerfile
View File

@@ -3,30 +3,30 @@ FROM nextcloud:30-fpm-alpine
RUN set -ex; \
\
apk add --no-cache \
ffmpeg \
#imagemagick \
procps \
supervisor \
ffmpeg \
#imagemagick \
procps \
supervisor \
;
RUN set -ex; \
\
apk add --no-cache --virtual .build-deps \
$PHPIZE_DEPS \
krb5-dev \
openssl-dev \
bzip2-dev \
$PHPIZE_DEPS \
krb5-dev \
openssl-dev \
bzip2-dev \
; \
\
docker-php-ext-install \
bz2 \
bz2 \
; \
\
runDeps="$( \
scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
| tr ',' '\n' \
| sort -u \
| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
| tr ',' '\n' \
| sort -u \
| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
)"; \
apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
apk del .build-deps
@@ -34,7 +34,7 @@ RUN set -ex; \
RUN mkdir -p \
/var/log/supervisord \
/var/run/supervisord \
;
;
RUN addgroup -S -g 1000 nextcloud; \
adduser -S -u 1000 -G nextcloud nextcloud; \

20
nginx/conf.d/custom_proxy.conf Normal file
View File

@@ -0,0 +1,20 @@
# server {
# listen 443 ssl http2;
#
# ssl_certificate /etc/nginx/certs/${DOMAIN}.crt;
# ssl_certificate_key /etc/nginx/certs/${DOMAIN}.key;
#
# server_name christmas.${DOMAIN};
#
# gzip_types text/plain text/css application/json application/x-javascript
# text/xml application/xml application/xml+rss text/javascript;
#
# root "/var/www/html/christmas";
#
# location / {
# try_files $uri.html $uri /default.html;
# }
# }
proxy_buffering off;

26
nginx/nginx.conf.template
View File

@@ -376,7 +376,6 @@ http {
client_max_body_size 300M;
location /foundry {
# Set proxy headers
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -385,23 +384,22 @@ http {
# These are important to support WebSockets;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass http://foundry-handler;
}
location ~ ^/change/(socket\.io|peer) {
proxy_pass http://change-handler;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header Host $host;
location ~ ^/change/(socket\.io|peer) {
proxy_pass http://change-handler;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header Host $host;
proxy_buffering off;
proxy_redirect off;
proxy_connect_timeout 90s;
proxy_send_timeout 90s;
proxy_read_timeout 90s;
}
proxy_buffering off;
proxy_redirect off;
proxy_connect_timeout 90s;
proxy_send_timeout 90s;
proxy_read_timeout 90s;
}
location /change {

6
nginx/vhost.d/labs_location Normal file
View File

@@ -0,0 +1,6 @@
if ($http_origin ~* (https?://(?:www\.)?5e\.tools|https?://(?:www\.)?rec\.scarif\.space)) {
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}

42
nginx/vhost.d/office Normal file
View File

@@ -0,0 +1,42 @@
# static files
location ^~ /browser {
proxy_pass http://$server_name;
proxy_set_header Host $http_host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://$server_name;
proxy_set_header Host $http_host;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://$server_name;
proxy_set_header Host $http_host;
}
# main websocket
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://$server_name;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://$server_name;
proxy_set_header Host $http_host;
}
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://$server_name;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}

23
nginx/vhost.d/rec Normal file
View File

@@ -0,0 +1,23 @@
Need to figure out how to get this working with nginx-proxy
# This file is for the /change/socket.io and /change/peer paths
location ~ ^/change/(socket\.io|peer) {
# Set proxy headers
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket specific headers
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
# WebSocket specific settings
proxy_buffering off;
proxy_redirect off;
proxy_connect_timeout 90s;
proxy_send_timeout 90s;
proxy_read_timeout 90s;
proxy_pass http://$server_name;
}

67
nginx/vhost.d/tower Normal file
View File

@@ -0,0 +1,67 @@
root /var/www/html/nextcloud;
# Prevent nginx HTTP Server Detection
server_tokens off;
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# set max upload size and increase upload timeout:
client_max_body_size 10G;
client_body_timeout 300s;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;
# The settings allows you to optimize the HTTP2 bandwidth.
# See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
# for tuning hints
client_body_buffer_size 512k;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Set .mjs and .wasm MIME types
# Either include it in the default mime.types list
# and include that list explicitly or add the file extension
# only for Nextcloud like below:
include mime.types;
types {
text/javascript mjs;
application/wasm wasm;
}
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;

93
nginx/vhost.d/tower_location_override Normal file
View File

@@ -0,0 +1,93 @@
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass http://$server_name;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_max_temp_file_size 0;
}
# Serve static files
location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
try_files $uri /index.php$request_uri;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Cache-Control "public, max-age=15778463$asset_immutable";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
access_log off; # Optional: Don't log access to assets
}
location ~ \.(otf|woff2?)$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}