From 2941ad1317d36acd717872ac273701d4d3e86463 Mon Sep 17 00:00:00 2001
From: Dale Anderson
Date: Fri, 25 Oct 2024 18:53:00 -0700
Subject: [PATCH] Add rudimentary support for Laravel @todo to support laravel, php also write access to: ../bootstrap/cache ../storage dirs (relative to "public" web dir)
---
 defaults/main.yml | 1 +
 tasks/main.yml | 1 +
 .../includes/ACCOUNT-PROJECT.core.conf.j2 | 29 +++++++++++++++++++
 3 files changed, 31 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 7f46686..e885d3c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -26,6 +26,7 @@ vhost_default_location_try_files_defaults:
 drupal8: "{{ vhost_try_files_rewrite_file_only }}"
 mediawiki: "{{ vhost_try_files_rewrite_file_or_dir }}"
 moodle: "{{ vhost_try_files_rewrite_file_or_dir }}"
+ laravel: "{{ vhost_try_files_rewrite_file_or_dir }}"
 wordpress: "{{ vhost_try_files_rewrite_file_or_dir }}"
 php: "{{ vhost_try_files_rewrite_none }}"
 proxy_pass: "{{ vhost_try_files_rewrite_none }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index 3c75bfe..52a14fd 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -29,6 +29,7 @@
 or web_application == 'wordpress'
 or web_application == 'mediawiki'
 or web_application == 'moodle'
+ or web_application == 'laravel'
 fail_msg: "ERROR: Value for web_application is not supported: {{ web_application }}"
 - name: Make sure linux_owner is not the same as php_service_user
diff --git a/templates/etc/nginx/includes/ACCOUNT-PROJECT.core.conf.j2 b/templates/etc/nginx/includes/ACCOUNT-PROJECT.core.conf.j2
index 933af35..5bacae4 100644
--- a/templates/etc/nginx/includes/ACCOUNT-PROJECT.core.conf.j2
+++ b/templates/etc/nginx/includes/ACCOUNT-PROJECT.core.conf.j2
@@ -326,6 +326,35 @@
 {{ nginx_proxy_pass_blob }}
 }
+{% elif web_application == 'laravel' %}
+
+ # Dont allow requests for PHP files in parent directories
+ location ~ \..*/.*\.php$ {
+ return 403;
+ }
+
+ # Dont serve any filename ending with a tilde ... these are almost always backup files
+ location ~* /*~$ {
+ return 403;
+ }
+
+ # Block access to "hidden" files and directories whose names begin with a
+ # period. This includes directories used by version control systems such
+ # as Subversion or Git to store control files.
+ location ~ (^|/)\. {
+ return 403;
+ }
+
+ location / {
+ # try_files $uri $uri/ @rewrite;
+ {{ vhost_try_files_rewrite_conf | indent(4, false) }}
+ }
+
+ location @rewrite {
+ # rewrite ^ /index.php$is_args$args;
+ rewrite ^ {{ rewrite_target }};
+ }
+
 {% elif web_application == 'php' %}
 # Generic PHP website
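Review bot: The Laravel branch reuses the Drupal-style deny rules (parent-directory PHP, `~` backups, dotfiles) but nothing in the hunk restricts which PHP files may be executed, even though a Laravel `public/` directory has exactly one legitimate entry point, `index.php`. If the shared `\.php$` handler that lives outside this hunk hands every matching URI to php-fpm, then any `.php` file that ends up under `public/` — for example an upload reached through the `public/storage` symlink that Laravel deployments typically create — becomes executable, and the `rewrite ^ {{ rewrite_target }}` in `@rewrite` does nothing to prevent that. I would add an ordered regex location, ahead of the generic handler, that returns 404 for every PHP path except `/index.php`, as below. Separately, `location ~* /*~$` is misleading: the `*` case-insensitivity flag is meaningless for a literal `~` and `/*` matches the empty string, so `location ~ ~$` states the same rule plainly. The enclosing `{% if web_application ... %}` chain and the PHP handler begin and end outside this hunk.
```nginx
    # Laravel has a single front controller; refuse to execute any other PHP
    # file under public/ (e.g. an upload reached via the storage symlink).
    # Regex locations are matched in file order, so this must come before
    # the shared \.php$ handler.
    location ~ ^/(?!index\.php(/|$)).*\.php$ {
        return 404;
    }

    # … unchanged: parent-directory, backup-file and dotfile denies …
    # … unchanged: location / and location @rewrite …
```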