ansible-wordpress-host-init/roles/configure-nginx/files/vhost.conf.j2

map $sent_http_content_type $expires {
    default                    off;
    text/html                  epoch;
    text/css                   max;
    application/javascript     max;
    ~image/                    max;
}

server {
    root /var/www/{{ vhost_name }};
    index  index.php;
    server_name {{ domain }};
    listen 80;

    #Cache settings
    expires $expires;

    #Upload max size
    client_max_body_size 50M;

    error_log /var/log/nginx/{{ vhost_name }}-error.log
    access_log /var/log/nginx/{{ vhost_name }}-access.log combined

    #Disable directory listing
    autoindex off;

    location / {
       try_files $uri $uri/ @handler;
    }

    location @handler {
        if (!-e $request_filename) { rewrite / /index.php last; }
        rewrite ^(.*.php)/ $1 last;
    }

    location ~ \.php$ {
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
     }

    #Disable access to wp-config.php
    location ~* /(wp-config.php) {
        deny all;
        }

    #Limit XMLRPC access
    location ~* /xmlrpc.php$ {
        allow 172.0.1.1;
        deny all;
    }

    #Limit request types
    if ($request_method !~ ^(GET|POST)$ ) {
        return 444;
    }

    #Limit direct PHP access
    location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    #Hide nginx version
    server_tokens off;

    #Hide PHP version
    fastcgi_hide_header X-Powered-By;
    proxy_hide_header X-Powered-By;

    #Security headers
    add_header X-Frame-Options SAMEORIGIN; #Comment it to allow iframe
    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # Disable logs for favicon and robots
    location = /favicon.ico {
        try_files /favicon.ico @empty;
        access_log off;
        log_not_found off;
        expires max;
        }

    location @empty {
        empty_gif;
        }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
        try_files $uri /index.php?$args;
        }

    # Deny access to uploads that are not media files
    location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
        deny all;
        }

    # Nginx common security
    location ~* "(eval\()" {
        deny all;
        }
    location ~* "(127\.0\.0\.1)" {
        deny all;
        }
    location ~* "([a-z0-9]{2000})" {
        deny all;
        }
    location ~* "(javascript\:)(.*)(\;)" {
        deny all;
        }
    location ~* "(base64_encode)(.*)(\()" {
        deny all;
        }
    location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
        deny all;
        }
    location ~* "(<|%3C).*script.*(>|%3)" {
        deny all;
        }
    location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
        deny all;
        }
    location ~* "(boot\.ini|etc/passwd|self/environ)" {
        deny all;
        }
    location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
        deny all;
        }
    location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
        deny all;
        }
    location ~* "(https?|ftp|php):/" {
        deny all;
        }
    location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
        deny all;
        }
    location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
        deny all;
        }
    location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
        deny all;
        }
    location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
        deny all;
        }
    location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
        deny all;
        }
    location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
        deny all;
        }
}
Wordpress download / Vhost config 2023-03-27 16:24:16 +00:00			`map $sent_http_content_type $expires {`
			`default off;`
			`text/html epoch;`
			`text/css max;`
			`application/javascript max;`
			`~image/ max;`
			`}`

			`server {`
			`root /var/www/{{ vhost_name }};`
Security hardening nginx 2023-04-07 17:11:46 +00:00			`index index.php;`
Wordpress download / Vhost config 2023-03-27 16:24:16 +00:00			`server_name {{ domain }};`
			`listen 80;`

Security hardening nginx 2023-04-07 17:11:46 +00:00			`#Cache settings`
Wordpress download / Vhost config 2023-03-27 16:24:16 +00:00			`expires $expires;`
Security hardening nginx 2023-04-07 17:11:46 +00:00
			`#Upload max size`
Vhost log separation 2023-04-07 16:13:15 +00:00			`client_max_body_size 50M;`

Syntax fix 2023-04-09 16:09:41 +00:00			`error_log /var/log/nginx/{{ vhost_name }}-error.log`
			`access_log /var/log/nginx/{{ vhost_name }}-access.log combined`
Wordpress download / Vhost config 2023-03-27 16:24:16 +00:00
Security hardening nginx 2023-04-07 17:11:46 +00:00			`#Disable directory listing`
			`autoindex off;`
Wordpress download / Vhost config 2023-03-27 16:24:16 +00:00
Security hardening nginx 2023-04-07 17:11:46 +00:00			`location / {`
Wordpress download / Vhost config 2023-03-27 16:24:16 +00:00			`try_files $uri $uri/ @handler;`
Security hardening nginx 2023-04-07 17:11:46 +00:00			`}`
Wordpress download / Vhost config 2023-03-27 16:24:16 +00:00
			`location @handler {`
			`if (!-e $request_filename) { rewrite / /index.php last; }`
			`rewrite ^(.*.php)/ $1 last;`
Security hardening nginx 2023-04-07 17:11:46 +00:00			`}`
Wordpress download / Vhost config 2023-03-27 16:24:16 +00:00
			`location ~ \.php$ {`
			`include snippets/fastcgi-php.conf;`
			`fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;`
			`fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`
			`include fastcgi_params;`
			`}`
Security hardening nginx 2023-04-07 17:11:46 +00:00
			`#Disable access to wp-config.php`
			`location ~* /(wp-config.php) {`
			`deny all;`
			`}`

			`#Limit XMLRPC access`
			`location ~* /xmlrpc.php$ {`
			`allow 172.0.1.1;`
			`deny all;`
			`}`

			`#Limit request types`
			`if ($request_method !~ ^(GET\|POST)$ ) {`
			`return 444;`
			`}`

			`#Limit direct PHP access`
			`location ~* /(?:uploads\|files\|wp-content\|wp-includes\|akismet)/.*.php$ {`
			`deny all;`
			`access_log off;`
			`log_not_found off;`
			`}`

			`#Hide nginx version`
			`server_tokens off;`

			`#Hide PHP version`
			`fastcgi_hide_header X-Powered-By;`
			`proxy_hide_header X-Powered-By;`

			`#Security headers`
			`add_header X-Frame-Options SAMEORIGIN; #Comment it to allow iframe`
			`add_header Strict-Transport-Security "max-age=31536000";`
			`add_header X-Content-Type-Options nosniff;`
			`add_header X-XSS-Protection "1; mode=block";`

			`# Disable logs for favicon and robots`
			`location = /favicon.ico {`
			`try_files /favicon.ico @empty;`
			`access_log off;`
			`log_not_found off;`
			`expires max;`
			`}`

			`location @empty {`
			`empty_gif;`
			`}`

			`location = /robots.txt {`
			`allow all;`
			`log_not_found off;`
			`access_log off;`
			`try_files $uri /index.php?$args;`
			`}`

			`# Deny access to uploads that are not media files`
			`location ~* ^/wp-content/uploads/.*.(html\|htm\|shtml\|php\|js\|swf)$ {`
			`deny all;`
			`}`

			`# Nginx common security`
			`location ~* "(eval\()" {`
			`deny all;`
			`}`
			`location ~* "(127\.0\.0\.1)" {`
			`deny all;`
			`}`
			`location ~* "([a-z0-9]{2000})" {`
			`deny all;`
			`}`
			`location ~* "(javascript\:)(.*)(\;)" {`
			`deny all;`
			`}`
			`location ~* "(base64_encode)(.*)(\()" {`
			`deny all;`
			`}`
			`location ~* "(GLOBALS\|REQUEST)(=\|\[\|%)" {`
			`deny all;`
			`}`
			`location ~* "(<\|%3C).script.(>\|%3)" {`
			`deny all;`
			`}`
			location ~ "(\\\|\.\.\.\|\.\./\|~\|`\|<\|>\|\\|)" {
			`deny all;`
			`}`
			`location ~* "(boot\.ini\|etc/passwd\|self/environ)" {`
			`deny all;`
			`}`
			`location ~* "(thumbs?(_editor\|open)?\|tim(thumb)?)\.php" {`
			`deny all;`
			`}`
			`location ~* "(\'\|\")(.*)(drop\|insert\|md5\|select\|union)" {`
			`deny all;`
			`}`
			`location ~* "(https?\|ftp\|php):/" {`
			`deny all;`
			`}`
			`location ~* "(=\\\'\|=\\%27\|/\\\'/?)\." {`
			`deny all;`
			`}`
			`location ~ "(\{0\}\|\(/\(\|\.\.\.\|\+\+\+\|\\\"\\\")" {`
			`deny all;`
			`}`
			location ~ "(~\|`\|<\|>\|:\|;\|%\|\\\|\s\|\{\|\}\|\[\|\]\|\\|)" {
			`deny all;`
			`}`
			`location ~* "/(=\|\$&\|_mm\|(wp-)?config\.\|cgi-\|etc/passwd\|muieblack)" {`
			`deny all;`
			`}`
			`location ~* "(&pws=0\|_vti_\|\(null\)\|\{\$itemURL\}\|echo(.*)kae\|etc/passwd\|eval\(\|self/environ)" {`
			`deny all;`
			`}`
			`location ~* "/(^$\|mobiquo\|phpinfo\|shell\|sqlpatch\|thumb\|thumb_editor\|thumbopen\|timthumb\|webshell\|config\|settings\|configuration)\.php" {`
			`deny all;`
			`}`
Wordpress download / Vhost config 2023-03-27 16:24:16 +00:00			`}`