Merge pull request #14 from VirtuBox/master

new nginx configurations

install

@@ -297,6 +297,13 @@ function wo_sync_db()
         sed -i 's/9170/9172/g' /etc/nginx/conf.d/upstream.conf &>> /dev/null
     fi
 
+    ###
+    # Webp mapping
+    ###
+    if [ ! -f /etc/nginx/conf.d/webp.conf ]; then
+        echo -e 'map $http_accept $webp_suffix {\n   default "";\n   "~*webp" ".webp";\n}\n' > /etc/nginx/conf.d/webp.conf
+    fi
+
     echo "UPDATE sites SET php_version = REPLACE(php_version, '5.6', '7.2');" | sqlite3 /var/lib/wo/dbase.db
     echo "UPDATE sites SET php_version = REPLACE(php_version, '7.0', '7.2');" | sqlite3 /var/lib/wo/dbase.db
 
@@ -545,14 +552,6 @@ if [ -f /etc/ImageMagick/policy.xml  ]
         fi
     fi
 
-    #Fix Security Issue. commit #c64f28e
-    if [ -f /etc/nginx/common/locations.conf ]; then
-       grep -0 '$request_uri ~\* \"^.+(readme|license|example)\\.(txt|html)$\"' /etc/nginx/common/locations.conf &>> /dev/null
-       if [ $? -eq 0 ]; then
-        sed -i 's/$request_uri ~\* \"^.+(readme|license|example)\\.(txt|html)$\"/$uri ~\* \"^.+(readme|license|example)\\.(txt|html)$\"/g' /etc/nginx/common/locations.conf &>> /dev/null
-       fi
-    fi
-
     #Fix Redis-server security issue
     #http://redis.io/topics/security
     if [ -f /etc/redis/redis.conf  ]; then
@@ -563,14 +562,13 @@ if [ -f /etc/ImageMagick/policy.xml  ]
         fi
     fi
 
-    #Fix For --letsencrypt
+    # Let's Encrypt .well-known folder setup
-    if [ -f /etc/nginx/common/locations.conf ]; then
+    if [ ! -d /var/www/html/.well-known/acme-challenge ]; then
-       grep -0 'location ~ \/\\.well-known' /etc/nginx/common/locations.conf &>> /dev/null
+        mkdir -p /var/www/html/.well-known/acme-challenge
-       if [ $? -ne 0 ]; then
+        chown -R www-data:www-data /var/www/html/.well-known
-        sed -i 's/# Deny hidden files/# Deny hidden files\nlocation ~ \/\\.well-known {\n  allow all;\n}\n /g' /etc/nginx/common/locations.conf &>> /dev/null
-       fi
     fi
 
+
     # Fix for 3.3.2 renamed nginx.conf
     nginx -V 2>&1 &>>/dev/null
     if [[ $? -eq 0 ]]; then

wo/cli/templates/locations-php7.mustache

@@ -9,36 +9,47 @@ location = /favicon.ico {
 location = /robots.txt {
 # Some WordPress plugin gererate robots.txt file
 # Refer #340 issue
-  try_files $uri $uri/ /index.php?$args;
+    try_files $uri $uri/ /index.php?$args @robots;
     access_log off;
     log_not_found off;
 }
+# fallback for robots.txt with default wordpress rules
+location @robots {
+   return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
+}
 # Cache static files
-location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
+location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
     add_header "Access-Control-Allow-Origin" "*";
     access_log off;
     log_not_found off;
     expires max;
 }
+# Cache css & js files
+location ~* \.(?:css(\.map)?|js(\.map)?)$ {
+    add_header "Access-Control-Allow-Origin" "*";
+    access_log off;
+    log_not_found off;
+    expires 30d;
+}
 # Security settings for better privacy
 # Deny hidden files
-location ~ /\.well-known {
+location ~ /\.(?!well-known\/) {
-  allow all;
-}
-location ~ /\. {
     deny all;
-  access_log off;
-  log_not_found off;
 }
-# Deny backup extensions & log files
+# letsencrypt validation
-location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
+location /.well-known/acme-challenge/ {
+   alias /var/www/html/.well-known/acme-challenge/;
+}
+# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
+location ~*  "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
     deny all;
-  access_log off;
-  log_not_found off;
 }
-# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
+# Deny backup extensions & log files and return 403 forbidden
-if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
+location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
-  return 403;
+    deny all;
+}
+location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
+    deny all;
 }
 # Status pages
 location = /nginx_status {

wo/cli/templates/locations.mustache

@@ -9,36 +9,47 @@ location = /favicon.ico {
 location = /robots.txt {
 # Some WordPress plugin gererate robots.txt file
 # Refer #340 issue
-  try_files $uri $uri/ /index.php?$args;
+    try_files $uri $uri/ /index.php?$args @robots;
     access_log off;
     log_not_found off;
 }
+# fallback for robots.txt with default wordpress rules
+location @robots {
+   return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
+}
 # Cache static files
-location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
+location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
     add_header "Access-Control-Allow-Origin" "*";
     access_log off;
     log_not_found off;
     expires max;
 }
+# Cache css & js files
+location ~* \.(?:css(\.map)?|js(\.map)?)$ {
+    add_header "Access-Control-Allow-Origin" "*";
+    access_log off;
+    log_not_found off;
+    expires 30d;
+}
 # Security settings for better privacy
 # Deny hidden files
-location ~ /\.well-known {
+location ~ /\.(?!well-known\/) {
-  allow all;
-}
-location ~ /\. {
     deny all;
-  access_log off;
-  log_not_found off;
 }
-# Deny backup extensions & log files
+# letsencrypt validation
-location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
+location /.well-known/acme-challenge/ {
+   alias /var/www/html/.well-known/acme-challenge/;
+}
+# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
+location ~*  "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
     deny all;
-  access_log off;
-  log_not_found off;
 }
-# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
+# Deny backup extensions & log files and return 403 forbidden
-if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
+location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
-  return 403;
+    deny all;
+}
+location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
+    deny all;
 }
 # Status pages
 location = /nginx_status {

wo/cli/templates/wpcommon-php7.mustache

@@ -12,10 +12,32 @@ location = /wp-config.txt {
     access_log off;
     log_not_found off;
 }
-# Disallow php in upload folder
+# webp rewrite rules for jpg and png images
-location /wp-content/uploads/ {
+# try to load alternative image.png.webp before image.png
+location /wp-content/uploads {
+    location ~ \.(png|jpe?g)$ {
+        add_header Vary "Accept-Encoding";
+        add_header "Access-Control-Allow-Origin" "*";
+        add_header Cache-Control "public, no-transform";
+        access_log off;
+        log_not_found off;
+        expires max;
+        try_files $uri$webp_suffix $uri =404;
+    }
     location ~ \.php$ {
 #Prevent Direct Access Of PHP Files From Web Browsers
         deny all;
     }
 }
+# Deny access to any files with a .php extension in the uploads directory
+# Works in sub-directory installs and also in multisite network
+# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+location ~* /(?:uploads|files)/.*\.php$ {
+    deny all;
+}
+# mitigate DoS attack CVE with WordPress script concatenation
+# add the following line to wp-config.php
+# define( 'CONCATENATE_SCRIPTS', false );
+location ~ \/wp-admin\/load-(scripts|styles).php {
+    deny all;
+}

wo/cli/templates/wpcommon.mustache

@@ -12,10 +12,32 @@ location = /wp-config.txt {
     access_log off;
     log_not_found off;
 }
-# Disallow php in upload folder
+# webp rewrite rules for jpg and png images
-location /wp-content/uploads/ {
+# try to load alternative image.png.webp before image.png
+location /wp-content/uploads {
+    location ~ \.(png|jpe?g)$ {
+        add_header Vary "Accept-Encoding";
+        add_header "Access-Control-Allow-Origin" "*";
+        add_header Cache-Control "public, no-transform";
+        access_log off;
+        log_not_found off;
+        expires max;
+        try_files $uri$webp_suffix $uri =404;
+    }
     location ~ \.php$ {
 #Prevent Direct Access Of PHP Files From Web Browsers
         deny all;
     }
 }
+# Deny access to any files with a .php extension in the uploads directory
+# Works in sub-directory installs and also in multisite network
+# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+location ~* /(?:uploads|files)/.*\.php$ {
+    deny all;
+}
+# mitigate DoS attack CVE with WordPress script concatenation
+# add the following line to wp-config.php
+# define( 'CONCATENATE_SCRIPTS', false );
+location ~ \/wp-admin\/load-(scripts|styles).php {
+    deny all;
+}