Malin/WPIQ
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Merge pull request #14 from VirtuBox/master

Browse Source 
new nginx configurations
This commit is contained in:
Jeroen Janssen
2018-12-28 10:41:59 +01:00
committed by GitHub
parent afe8d0c9d5 fd6f091b81
commit 54059de0e7
5 changed files with 306 additions and 242 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
install
View File

@@ -297,6 +297,13 @@ function wo_sync_db()
sed -i 's/9170/9172/g' /etc/nginx/conf.d/upstream.conf &>> /dev/null
fi
###
# Webp mapping
###
if [ ! -f /etc/nginx/conf.d/webp.conf ]; then
echo -e 'map $http_accept $webp_suffix {\n default "";\n "~*webp" ".webp";\n}\n' > /etc/nginx/conf.d/webp.conf
fi
echo "UPDATE sites SET php_version = REPLACE(php_version, '5.6', '7.2');" | sqlite3 /var/lib/wo/dbase.db
echo "UPDATE sites SET php_version = REPLACE(php_version, '7.0', '7.2');" | sqlite3 /var/lib/wo/dbase.db
@@ -374,17 +381,17 @@ function wo_install()
function wo_update_latest()
{
if [ -f /etc/nginx/fastcgi_params ]
then
if [ -f /etc/nginx/fastcgi_params ]
then
cat /etc/nginx/fastcgi_params| grep -q 'HTTP_PROXY'
if [[ $? -ne 0 ]]; then
echo "fastcgi_param HTTP_PROXY \"\";" >> /etc/nginx/fastcgi_params
echo "fastcgi_param HTTP_PROXY \"\";" >> /etc/nginx/fastcgi.conf
service nginx restart &>> /dev/null
fi
fi
fi
if [ -f /etc/ImageMagick/policy.xml ]
if [ -f /etc/ImageMagick/policy.xml ]
then
if [ ! -f /etc/ImageMagick/patch.txt ]
then
@@ -545,14 +552,6 @@ if [ -f /etc/ImageMagick/policy.xml ]
fi
fi
#Fix Security Issue. commit #c64f28e
if [ -f /etc/nginx/common/locations.conf ]; then
grep -0 '$request_uri ~\* \"^.+(readme|license|example)\\.(txt|html)$\"' /etc/nginx/common/locations.conf &>> /dev/null
if [ $? -eq 0 ]; then
sed -i 's/$request_uri ~\* \"^.+(readme|license|example)\\.(txt|html)$\"/$uri ~\* \"^.+(readme|license|example)\\.(txt|html)$\"/g' /etc/nginx/common/locations.conf &>> /dev/null
fi
fi
#Fix Redis-server security issue
#http://redis.io/topics/security
if [ -f /etc/redis/redis.conf ]; then
@@ -563,14 +562,13 @@ if [ -f /etc/ImageMagick/policy.xml ]
fi
fi
#Fix For --letsencrypt
if [ -f /etc/nginx/common/locations.conf ]; then
grep -0 'location ~ \/\\.well-known' /etc/nginx/common/locations.conf &>> /dev/null
if [ $? -ne 0 ]; then
sed -i 's/# Deny hidden files/# Deny hidden files\nlocation ~ \/\\.well-known {\n allow all;\n}\n /g' /etc/nginx/common/locations.conf &>> /dev/null
fi
# Let's Encrypt .well-known folder setup
if [ ! -d /var/www/html/.well-known/acme-challenge ]; then
mkdir -p /var/www/html/.well-known/acme-challenge
chown -R www-data:www-data /var/www/html/.well-known
fi
# Fix for 3.3.2 renamed nginx.conf
nginx -V 2>&1 &>>/dev/null
if [[ $? -eq 0 ]]; then

45
wo/cli/templates/locations-php7.mustache
View File

@@ -7,38 +7,49 @@ location = /favicon.ico {
expires max;
}
location = /robots.txt {
# Some WordPress plugin gererate robots.txt file
# Refer #340 issue
try_files $uri $uri/ /index.php?$args;
# Some WordPress plugin gererate robots.txt file
# Refer #340 issue
try_files $uri $uri/ /index.php?$args @robots;
access_log off;
log_not_found off;
}
# fallback for robots.txt with default wordpress rules
location @robots {
return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
}
# Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires max;
}
# Cache css & js files
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires 30d;
}
# Security settings for better privacy
# Deny hidden files
location ~ /\.well-known {
allow all;
}
location ~ /\. {
location ~ /\.(?!well-known\/) {
deny all;
access_log off;
log_not_found off;
}
# Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
# letsencrypt validation
location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/;
}
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
deny all;
access_log off;
log_not_found off;
}
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
return 403;
# Deny backup extensions & log files and return 403 forbidden
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all;
}
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all;
}
# Status pages
location = /nginx_status {

45
wo/cli/templates/locations.mustache
View File

@@ -7,38 +7,49 @@ location = /favicon.ico {
expires max;
}
location = /robots.txt {
# Some WordPress plugin gererate robots.txt file
# Refer #340 issue
try_files $uri $uri/ /index.php?$args;
# Some WordPress plugin gererate robots.txt file
# Refer #340 issue
try_files $uri $uri/ /index.php?$args @robots;
access_log off;
log_not_found off;
}
# fallback for robots.txt with default wordpress rules
location @robots {
return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
}
# Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires max;
}
# Cache css & js files
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires 30d;
}
# Security settings for better privacy
# Deny hidden files
location ~ /\.well-known {
allow all;
}
location ~ /\. {
location ~ /\.(?!well-known\/) {
deny all;
access_log off;
log_not_found off;
}
# Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
# letsencrypt validation
location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/;
}
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
deny all;
access_log off;
log_not_found off;
}
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
return 403;
# Deny backup extensions & log files and return 403 forbidden
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all;
}
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all;
}
# Status pages
location = /nginx_status {

28
wo/cli/templates/wpcommon-php7.mustache
View File

@@ -12,10 +12,32 @@ location = /wp-config.txt {
access_log off;
log_not_found off;
}
# Disallow php in upload folder
location /wp-content/uploads/ {
# webp rewrite rules for jpg and png images
# try to load alternative image.png.webp before image.png
location /wp-content/uploads {
location ~ \.(png|jpe?g)$ {
add_header Vary "Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*";
add_header Cache-Control "public, no-transform";
access_log off;
log_not_found off;
expires max;
try_files $uri$webp_suffix $uri =404;
}
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php {
deny all;
}

28
wo/cli/templates/wpcommon.mustache
View File

@@ -12,10 +12,32 @@ location = /wp-config.txt {
access_log off;
log_not_found off;
}
# Disallow php in upload folder
location /wp-content/uploads/ {
# webp rewrite rules for jpg and png images
# try to load alternative image.png.webp before image.png
location /wp-content/uploads {
location ~ \.(png|jpe?g)$ {
add_header Vary "Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*";
add_header Cache-Control "public, no-transform";
access_log off;
log_not_found off;
expires max;
try_files $uri$webp_suffix $uri =404;
}
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php {
deny all;
}