From 8dbb543d72a2140bd008babfafe476a1e40fa041 Mon Sep 17 00:00:00 2001
From: Valentin Kleibel
Date: Mon, 4 Apr 2022 16:20:22 +0200
Subject: [PATCH] devuan: merge nginx changes from debian
---
devuan/resources/nginx.sh | 82 ++---
devuan/resources/nginx/fusionpbx | 553 +++++++++++++++++--------------
2 files changed, 327 insertions(+), 308 deletions(-)
diff --git a/devuan/resources/nginx.sh b/devuan/resources/nginx.sh
index 3156887..3f2cb63 100755
--- a/devuan/resources/nginx.sh
+++ b/devuan/resources/nginx.sh
@@ -9,69 +9,36 @@ cd "$(dirname "$0")" . ./environment.sh #send a message -verbose "Installing Nginx" +verbose "Installing the web server" -#if [ ."$cpu_architecture" = ."arm" ]; then - #9.x - */stretch/ - #8.x - */jessie/ -#fi -if [ ."$php_version" = ."5" ]; then - #verbose "Switching forcefully to php5* packages" - which add-apt-repository || apt-get install -y software-properties-common - #LC_ALL=C.UTF-8 add-apt-repository -y ppa:ondrej/php - #LC_ALL=C.UTF-8 add-apt-repository -y ppa:ondrej/php5-compat - apt-get update -elif [ ."$os_name" = ."Ubuntu" ]; then - #16.10.x - */yakkety/ - #16.04.x - */xenial/ - #14.04.x - */trusty/ - if [ ."$os_codename" = ."trusty" ]; then - which add-apt-repository || apt-get install -y software-properties-common - LC_ALL=C.UTF-8 add-apt-repository -y ppa:ondrej/php - apt-get -q update - fi -elif [ ."$cpu_architecture" = ."arm" ]; then - #Pi2 and Pi3 Raspbian - #Odroid - if [ ."$os_codename" = ."jessie" ]; then - echo "deb http://packages.moopi.uk/debian jessie main" > /etc/apt/sources.list.d/moopi.list - wget -O - http://packages.moopi.uk/debian/moopi.gpg.key | apt-key add - - apt-get -q update - fi -else - #9.x - */stretch/ - #8.x - */jessie/ - if [ ."$os_codename" = ."jessie" ]; then - echo "deb http://packages.dotdeb.org $os_codename all" > /etc/apt/sources.list.d/dotdeb.list - echo "deb-src http://packages.dotdeb.org $os_codename all" >> /etc/apt/sources.list.d/dotdeb.list - wget -O - https://www.dotdeb.org/dotdeb.gpg | apt-key add - - apt-get -q update - fi +#change the version of php for arm +if [ ."$cpu_architecture" = ."arm" ]; then + #Pi2 and Pi3 Raspbian + #Odroid + if [ ."$os_codename" = ."stretch" ]; then + php_version=7.2 + else + php_version=5.6 + fi fi -#use php version 5 for arm -#if [ .$cpu_architecture = .'arm' ]; then -# php_version=5 -#fi - -#install dependencies -apt-get install -y -q nginx -if [ ."$php_version" = ."5" ]; then - apt-get install -y -q php5 php5-cli php5-fpm php5-pgsql php5-sqlite php5-odbc 
php5-curl php5-imap +#set the version of php +if [ ."$os_codename" = ."chimaera" ]; then + php_version=7.4 fi -if [ ."$php_version" = ."7" ]; then - apt-get install -y -q php7.0 php7.0-cli php7.0-fpm php7.0-pgsql php7.0-sqlite3 php7.0-odbc php7.0-curl php7.0-imap php7.0-xml +if [ ."$os_codename" = ."beowulf" ]; then + php_version=7.3 fi #enable fusionpbx nginx config cp nginx/fusionpbx /etc/nginx/sites-available/fusionpbx #prepare socket name -if [ ."$php_version" = ."5" ]; then - sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php5-fpm.sock;#g' +if [ ."$php_version" = ."7.3" ]; then + sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.3-fpm.sock;#g' fi -if [ ."$php_version" = ."7" ]; then - sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.0-fpm.sock;#g' +if [ ."$php_version" = ."7.4" ]; then + sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.4-fpm.sock;#g' fi ln -s /etc/nginx/sites-available/fusionpbx /etc/nginx/sites-enabled/fusionpbx @@ -82,8 +49,15 @@ ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/nginx.crt #remove the default site rm /etc/nginx/sites-enabled/default +#update config if LetsEncrypt folder is unwanted +# if [ .$letsencrypt_folder = .false ]; then +# sed -i '151,155d' /etc/nginx/sites-available/fusionpbx +# fi + #add the letsencrypt directory -mkdir -p /var/www/letsencrypt/ +if [ .$letsencrypt_folder = .true ]; then + mkdir -p /var/www/letsencrypt/ +fi #restart nginx -service nginx restart +/usr/sbin/service nginx restart diff --git a/devuan/resources/nginx/fusionpbx b/devuan/resources/nginx/fusionpbx index 4a9256a..3446dee 100755 --- a/devuan/resources/nginx/fusionpbx +++ b/devuan/resources/nginx/fusionpbx 
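Review bot: The socket rewrite under `#prepare socket name` only handles `7.3` and `7.4`, but the arm block above it can leave `php_version` at `7.2` or `5.6` when the codename is neither `chimaera` nor `beowulf`, so the copied site file keeps the template's `php7.4-fpm.sock` path and nginx would point at a socket that presumably does not exist. Deriving the path from the variable removes the per-version branches: `sed -i -e "s#unix:.*;#unix:/var/run/php/php${php_version}-fpm.sock;#g" /etc/nginx/sites-available/fusionpbx`. The arm block also tests for `stretch`, which is a Debian codename and looks like a leftover from the merge in this devuan script. The new side no longer installs nginx here; if another script now does that, a short comment saying so would make the ordering dependency explicit before the `cp` into `/etc/nginx/sites-available`.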
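Review bot: The new test `[ .$letsencrypt_folder = .true ]` expands the variable unquoted, unlike the other tests in this file, so a value containing whitespace or glob characters makes `[` misparse; write it as `if [ ."$letsencrypt_folder" = ."true" ]; then`. The directory it creates, `/var/www/letsencrypt/`, is not the one the site file updated in this same commit serves ACME challenges from (`alias /var/www/dehydrated`), and nothing visible in this hunk creates `/var/www/dehydrated`. The commented-out `sed -i '151,155d'` deletes by fixed line numbers and would silently remove the wrong lines once the template changes; if it is ever enabled it should match on the `acme-challenge` location block instead.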
@@ -1,254 +1,299 @@ - -server { - listen 127.0.0.1:80; - server_name 127.0.0.1; - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - client_max_body_size 80M; - client_body_buffer_size 128k; - - location / { - root /var/www/fusionpbx; - index index.php; - } - - location ~ \.php$ { - fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; - #fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; - } - - # Allow the upgrade routines to run longer than normal - location = /core/upgrade/index.php { - fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; - #fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; - fastcgi_read_timeout 15m; - } - - # Disable viewing .htaccess & .htpassword & .db - location ~ .htaccess { - deny all; - } - location ~ .htpassword { - deny all; - } - location ~^.+.(db)$ { - deny all; - } -} - -server { - listen 80; - server_name fusionpbx; - if ($uri !~* ^.*(provision|xml_cdr).*$) { - rewrite ^(.*) https://$host$1 permanent; - break; - } - - #REST api - if ($uri ~* ^.*/api/.*$) { - rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last; - break; - } - - #algo - rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last; - - #mitel - rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last; - rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last; - - #grandstream - rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1; - rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml; - #grandstream-wave softphone by ext because Android doesn't pass MAC. 
- rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1; - - #aastra - rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg; - #rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last; - - #yealink common - rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg; - - #yealink mac - rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last; - - #polycom - rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg"; - #rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2; - rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg"; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml"; - - #cisco - rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last; - - #Escene - rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last; - rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last; - - #Vtech - rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1; - rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml; - - #Digium - rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg"; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg"; - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - 
client_max_body_size 80M; - client_body_buffer_size 128k; - - location / { - root /var/www/fusionpbx; - index index.php; - } - - location ~ \.php$ { - fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; - #fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; - } - - # Allow the upgrade routines to run longer than normal - location = /core/upgrade/index.php { - fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; - #fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; - fastcgi_read_timeout 15m; - } - - # Disable viewing .htaccess & .htpassword & .db - location ~ .htaccess { - deny all; - } - location ~ .htpassword { - deny all; - } - location ~^.+.(db)$ { - deny all; - } -} - -server { - listen 443; - server_name fusionpbx; - ssl on; - ssl_certificate /etc/ssl/certs/nginx.crt; - ssl_certificate_key /etc/ssl/private/nginx.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!ADH:!MD5:!aNULL; - - #letsencrypt - location /.well-known/acme-challenge { - root /var/www/letsencrypt; - } - - #REST api - if ($uri ~* ^.*/api/.*$) { - rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last; - break; - } - - #algo - rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last; - - #mitel - rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last; - rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last; - - #grandstream - rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1; - rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml; - #grandstream-wave softphone by ext because Android doesn't pass MAC. 
- rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1; - - #aastra - rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg; - #rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last; - - #yealink common - rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg; - - #yealink mac - rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last; - - #polycom - rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg"; - #rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2; - rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg"; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml"; - - #cisco - rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last; - - #Escene - rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last; - rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last; - - #Vtech - rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1; - rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml; - - #Digium - rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg"; - rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg"; - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - 
client_max_body_size 80M; - client_body_buffer_size 128k; - - location / { - root /var/www/fusionpbx; - index index.php; - } - - # Allow the upgrade routines to run longer than normal - location = /core/upgrade/index.php { - fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; - #fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; - fastcgi_read_timeout 15m; - } - - location ~ \.php$ { - fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; - #fastcgi_pass 127.0.0.1:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; - } - - # Disable viewing .htaccess & .htpassword & .db - location ~ .htaccess { - deny all; - } - location ~ .htpassword { - deny all; - } - location ~^.+.(db)$ { - deny all; - } -} + +server { + listen 127.0.0.1:80; + server_name 127.0.0.1; + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + client_max_body_size 80M; + client_body_buffer_size 128k; + + location / { + root /var/www/fusionpbx; + index index.php; + } + + location ~ \.php$ { + fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; + #fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; + } + + # Allow the upgrade routines to run longer than normal + location = /core/upgrade/index.php { + fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; + #fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; + fastcgi_read_timeout 15m; + } + + # Disable viewing .htaccess & .htpassword & .db & .git + location ~ .htaccess { + deny all; + } + location ~ .htpassword { + deny all; + } + location ~^.+.(db)$ { + deny all; + } + location ~ /\.git { + deny all; + } + location ~ /\.lua { + deny all; + } + location ~ /\. 
{ + deny all; + } +} + +server { + listen 80; + server_name fusionpbx; + + #redirect letsencrypt to dehydrated + location ^~ /.well-known/acme-challenge { + default_type "text/plain"; + auth_basic "off"; + alias /var/www/dehydrated; + } + + #rewrite rule - send to https with an exception for provisioning + if ($uri !~* ^.*(provision|xml_cdr|firmware).*$) { + rewrite ^(.*) https://$host$1 permanent; + break; + } + + #REST api + if ($uri ~* ^.*/api/.*$) { + rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last; + break; + } + + #algo + rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last; + + #mitel + rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last; + rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last; + + #grandstream + rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1; + rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml; + rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last; + #grandstream-wave softphone by ext because Android doesn't pass MAC. 
+ rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1; + + #aastra + rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg; + #rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last; + + #yealink + #rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2; + rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg; + rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last; + + #polycom + rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg"; + #rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2; + rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg"; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml"; + + #cisco + rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last; + + #Escene + rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last; + rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last; + + #Vtech + rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1; + rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml; + + #Digium + rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg"; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg"; + + #Snom + rewrite 
"^.*/provision/-([A-Fa-f0-9]{12})?$" /app/provision/index.php?mac=$1; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + client_max_body_size 80M; + client_body_buffer_size 128k; + + location / { + root /var/www/fusionpbx; + index index.php; + } + + location ~ \.php$ { + fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; + #fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; + } + + # Allow the upgrade routines to run longer than normal + location = /core/upgrade/index.php { + fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; + #fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; + fastcgi_read_timeout 15m; + } + + # Disable viewing .htaccess & .htpassword & .db & .git + location ~ .htaccess { + deny all; + } + location ~ .htpassword { + deny all; + } + location ~^.+.(db)$ { + deny all; + } + location ~ /\.git { + deny all; + } + location ~ /\.lua { + deny all; + } + location ~ /\. 
{ + deny all; + } +} + +server { + listen 443 ssl; + server_name fusionpbx; + + ssl_certificate /etc/ssl/certs/nginx.crt; + ssl_certificate_key /etc/ssl/private/nginx.key; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers HIGH:!ADH:!MD5:!aNULL; + #ssl_dhparam + + #redirect letsencrypt to dehydrated + location ^~ /.well-known/acme-challenge { + default_type "text/plain"; + auth_basic "off"; + alias /var/www/dehydrated; + } + + #REST api + if ($uri ~* ^.*/api/.*$) { + rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last; + break; + } + + #message media + rewrite "^/app/messages/media/(.*)/(.*)" /app/messages/message_media.php?id=$1&action=download last; + + #algo + rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last; + + #mitel + rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last; + rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last; + + #grandstream + rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1; + rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml; + rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last; + #grandstream-wave softphone by ext because Android doesn't pass MAC. 
+ rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1; + + #aastra + rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg; + #rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last; + + #yealink + #rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2; + rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg; + rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last; + + #polycom + rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg"; + #rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2; + rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg"; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml"; + + #cisco + rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last; + + #Escene + rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last; + rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last; + + #Vtech + rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1; + rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml; + + #Digium + rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg"; + rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg"; + + access_log 
/var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + client_max_body_size 80M; + client_body_buffer_size 128k; + + location / { + root /var/www/fusionpbx; + index index.php; + } + + location ~ \.php$ { + fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; + #fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; + } + + # Allow the upgrade routines to run longer than normal + location = /core/upgrade/index.php { + fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; + #fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; + fastcgi_read_timeout 15m; + } + + # Disable viewing .htaccess & .htpassword & .db & .git + location ~ .htaccess { + deny all; + } + location ~ .htpassword { + deny all; + } + location ~^.+.(db)$ { + deny all; + } + location ~ /\.git { + deny all; + } + location ~ /\.lua { + deny all; + } + location ~ /\. { + deny all; + } +}
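Review bot: In the `listen 443 ssl` server, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables the deprecated TLS 1.0 and 1.1 and leaves out TLS 1.3; unless phones that provision over HTTPS require the old versions, use `ssl_protocols TLSv1.2 TLSv1.3;` and add a comment naming any device that forces an exception. In the port-80 server the redirect exemption `if ($uri !~* ^.*(provision|xml_cdr|firmware).*$)` is a substring match, so any URI that merely contains one of those words is served in clear text rather than redirected; anchoring it to the intended path prefixes would narrow what stays on HTTP. The new `location ~ /\.lua` only matches a path segment that begins with `.lua` and is already covered by `location ~ /\.`; if the intent is to block Lua sources it should read `location ~ \.lua$`. The Snom rewrite was added only to the port-80 server and the message-media rewrite only to the 443 server, which looks like a merge omission worth confirming.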