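# Map the response Content-Type to an Expires value; $expires is consumed
# by the `expires` directive inside the server block below.
map $sent_http_content_type $expires {
    default                 off;
    text/html               epoch;
    text/css                max;
    application/javascript  max;
    ~image/                 max;
}

server {
    root /var/www/{{ vhost_name }};
    index index.php;
    server_name {{ domain }};
    listen 80;

    #Cache settings
    expires $expires;

    #Upload max size
    client_max_body_size 50M;

    # Both log directives lacked a terminating ';' and would fail `nginx -t`
    # (the following directives were read as extra arguments of error_log).
    error_log /var/log/nginx/{{ vhost_name }}-error.log;
    access_log /var/log/nginx/{{ vhost_name }}-access.log combined;

    #Disable directory listing
    autoindex off;

    #Hide nginx version
    server_tokens off;

    #Hide PHP version
    fastcgi_hide_header X-Powered-By;
    proxy_hide_header X-Powered-By;

    #Security headers
    # Server-level add_header values are inherited only by locations that
    # declare no add_header of their own (none of the locations below do).
    add_header X-Frame-Options SAMEORIGIN; #Comment it to allow iframe
    # NOTE(review): browsers ignore Strict-Transport-Security received over
    # plain HTTP; this header only takes effect once the vhost serves TLS.
    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    #Limit request types
    # Anything other than GET/POST (including HEAD and OPTIONS) is dropped
    # without a response (444).
    if ($request_method !~ ^(GET|POST)$ ) {
        return 444;
    }

    location / {
        try_files $uri $uri/ @handler;
    }

    location @handler {
        if (!-e $request_filename) { rewrite / /index.php last; }
        # The '.' before 'php' was unescaped and matched any character.
        rewrite ^(.*\.php)/ $1 last;
    }

    # Disable logs for favicon and robots
    location = /favicon.ico {
        try_files /favicon.ico @empty;
        access_log off;
        log_not_found off;
        expires max;
    }

    location @empty {
        empty_gif;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
        try_files $uri /index.php?$args;
    }

    # IMPORTANT: nginx evaluates regex locations in configuration order and
    # the first match wins. Every `deny all` regex below must therefore be
    # declared BEFORE the `location ~ \.php$` handler; in the original
    # ordering the PHP handler came first, so none of the .php-targeting
    # deny rules (wp-config.php, xmlrpc.php, PHP under uploads, timthumb,
    # config.php, ...) could ever match.

    #Disable access to wp-config.php
    location ~* /(wp-config.php) {
        deny all;
    }

    #Limit XMLRPC access
    location ~* /xmlrpc.php$ {
        # NOTE(review): 172.0.1.1 looks like a placeholder; confirm it is the
        # intended client address (or template it like the other values).
        allow 172.0.1.1;
        deny all;
    }

    #Limit direct PHP access
    location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny access to uploads that are not media files
    location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
        deny all;
    }

    # Nginx common security
    # These patterns are matched against the normalized request URI only,
    # not against the query string.
    location ~* "(eval\()" {
        deny all;
    }
    location ~* "(127\.0\.0\.1)" {
        deny all;
    }
    location ~* "([a-z0-9]{2000})" {
        deny all;
    }
    location ~* "(javascript\:)(.*)(\;)" {
        deny all;
    }
    location ~* "(base64_encode)(.*)(\()" {
        deny all;
    }
    location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
        deny all;
    }
    location ~* "(<|%3C).*script.*(>|%3)" {
        deny all;
    }
    location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
        deny all;
    }
    location ~* "(boot\.ini|etc/passwd|self/environ)" {
        deny all;
    }
    location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
        deny all;
    }
    location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
        deny all;
    }
    location ~* "(https?|ftp|php):/" {
        deny all;
    }
    location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
        deny all;
    }
    location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
        deny all;
    }
    location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
        deny all;
    }
    location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
        deny all;
    }
    location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
        deny all;
    }
    location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
        deny all;
    }

    # PHP handler: declared last so that the deny rules above take precedence
    # for any .php URI they match.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}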