new nginx configurations
* letsencrypt validation in /var/www/html * new static files rules * robots.txt fallback for WP * harden nginx configurations
This commit is contained in:
VirtuBox
@@ -7,38 +7,49 @@ location = /favicon.ico {
|
||||
expires max;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args @robots;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# fallback for robots.txt with default wordpress rules
|
||||
location @robots {
|
||||
return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache css & js files
|
||||
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location ~ /\.well-known {
|
||||
allow all;
|
||||
location ~ /\.(?!well-known\/) {
|
||||
deny all;
|
||||
}
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
# letsencrypt validation
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
# Deny backup extensions & log files
|
||||
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
|
||||
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
|
||||
deny all;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
|
||||
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
|
||||
return 403;
|
||||
# Deny backup extensions & log files and return 403 forbidden
|
||||
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
|
||||
deny all;
|
||||
}
|
||||
# Status pages
|
||||
location = /nginx_status {
|
||||
|
||||
@@ -7,38 +7,49 @@ location = /favicon.ico {
|
||||
expires max;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args @robots;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# fallback for robots.txt with default wordpress rules
|
||||
location @robots {
|
||||
return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache css & js files
|
||||
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location ~ /\.well-known {
|
||||
allow all;
|
||||
location ~ /\.(?!well-known\/) {
|
||||
deny all;
|
||||
}
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
# letsencrypt validation
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
# Deny backup extensions & log files
|
||||
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
|
||||
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
|
||||
deny all;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
|
||||
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
|
||||
return 403;
|
||||
# Deny backup extensions & log files and return 403 forbidden
|
||||
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
|
||||
deny all;
|
||||
}
|
||||
# Status pages
|
||||
location = /nginx_status {
|
||||
|
||||
@@ -2,20 +2,42 @@
|
||||
# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# webp rewrite rules for jpg and png images
|
||||
# try to load alternative image.png.webp before image.png
|
||||
location /wp-content/uploads {
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
# Deny access to any files with a .php extension in the uploads directory
|
||||
# Works in sub-directory installs and also in multisite network
|
||||
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
|
||||
location ~* /(?:uploads|files)/.*\.php$ {
|
||||
deny all;
|
||||
}
|
||||
# mitigate DoS attack CVE with WordPress script concatenation
|
||||
# add the following line to wp-config.php
|
||||
# define( 'CONCATENATE_SCRIPTS', false );
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
||||
|
||||
@@ -2,20 +2,42 @@
|
||||
# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php;
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# webp rewrite rules for jpg and png images
|
||||
# try to load alternative image.png.webp before image.png
|
||||
location /wp-content/uploads {
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
# Deny access to any files with a .php extension in the uploads directory
|
||||
# Works in sub-directory installs and also in multisite network
|
||||
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
|
||||
location ~* /(?:uploads|files)/.*\.php$ {
|
||||
deny all;
|
||||
}
|
||||
# mitigate DoS attack CVE with WordPress script concatenation
|
||||
# add the following line to wp-config.php
|
||||
# define( 'CONCATENATE_SCRIPTS', false );
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user