From e0ae643b84882ecf3598e4fbdff8dfa86bdfd937 Mon Sep 17 00:00:00 2001
From: VirtuBox
Date: Mon, 2 Sep 2019 12:20:20 +0200
Subject: [PATCH] Add mime.types template and xmlrpc.php rate limiter
---
 wo/cli/templates/acl.mustache | 1 +
 wo/cli/templates/mime.mustache | 98 ++++++++++++++++++++++++++++
 wo/cli/templates/nginx-core.mustache | 1 +
 wo/cli/templates/wpcommon.mustache | 12 ++++
 4 files changed, 112 insertions(+)
 create mode 100644 wo/cli/templates/mime.mustache
diff --git a/wo/cli/templates/acl.mustache b/wo/cli/templates/acl.mustache
index c8ff43b..b75c91b 100644
--- a/wo/cli/templates/acl.mustache
+++ b/wo/cli/templates/acl.mustache
@@ -5,4 +5,5 @@ auth_basic "Restricted Area";
 auth_basic_user_file htpasswd-wo;
 # Allowed IP Address List
 allow 127.0.0.1;
+allow ::1;
 deny all;
diff --git a/wo/cli/templates/mime.mustache b/wo/cli/templates/mime.mustache
new file mode 100644
index 0000000..0eac2b4
--- /dev/null
+++ b/wo/cli/templates/mime.mustache
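Review bot: `allow ::1;` only widens the IP allow-list; whether a loopback client also skips the `auth_basic` challenge two lines above depends on a `satisfy any;` directive that is not visible in this hunk (the enclosing block starts before line 5). With nginx's default `satisfy all`, a client must pass both the IP check and basic auth, so remote users with valid credentials are still stopped by `deny all;` — if that is unintended, add `satisfy any;` at the top of the block; if the IP list is meant as a hard restriction, say so, e.g. `# Both the IP allow-list and basic auth are required (satisfy all)`. Note also that `::1` only matches connections arriving on an IPv6 loopback listener, so it presumably only helps if the server also listens on `[::1]` — worth confirming in the listen directives.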
@@ -0,0 +1,98 @@
+
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/svg+xml svg svgz;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/webp webp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+
+ font/woff woff;
+ font/woff2 woff2;
+ font/ttf ttf;
+
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.oasis.opendocument.graphics odg;
+ application/vnd.oasis.opendocument.presentation odp;
+ application/vnd.oasis.opendocument.spreadsheet ods;
+ application/vnd.oasis.opendocument.text odt;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation
+ pptx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+ xlsx;
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document
+ docx;
+ application/vnd.wap.wmlc wmlc;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/wo/cli/templates/nginx-core.mustache b/wo/cli/templates/nginx-core.mustache
index d79b947..9d205c5 100644
--- a/wo/cli/templates/nginx-core.mustache
+++ b/wo/cli/templates/nginx-core.mustache
@@ -32,6 +32,7 @@ http {
 # Limit Request
 limit_req_status 403;
 limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
+ limit_req_zone $binary_remote_addr zone=two:10m rate=10r/s;
 # Proxy Settings
 # set_real_ip_from proxy-server-ip;
diff --git a/wo/cli/templates/wpcommon.mustache b/wo/cli/templates/wpcommon.mustache
index 89d3e1c..ccc10d7 100644
--- a/wo/cli/templates/wpcommon.mustache
+++ b/wo/cli/templates/wpcommon.mustache
@@ -6,6 +6,18 @@ location = /wp-login.php {
 include fastcgi_params;
 fastcgi_pass {{upstream}};
 }
+# Prevent DoS attacks on wp-cron
+location = /wp-cron.php {
+ limit_req zone=two burst=1 nodelay;
+ include fastcgi_params;
+ fastcgi_pass {{upstream}};
+}
+# Prevent Dos attacks with xmlrpc.php
+location = /xmlrpc.php {
+ limit_req zone=two burst=1 nodelay;
+ include fastcgi_params;
+ fastcgi_pass {{upstream}};
+}
 # Disable wp-config.txt
 location = /wp-config.txt {
 deny all;
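Review bot: The new `types { … }` file has no header comment saying where the list comes from or how it is meant to be maintained, so a later reader cannot tell whether a difference from the distro's `/etc/nginx/mime.types` (for instance `font/woff` here) is deliberate. A first line such as `# Based on nginx's bundled mime.types; edit this template, not the distro file` on the empty leading `+` line would settle that. Several entries (`html htm shtml`, `svg svgz`, `htc`, `xhtml`, `swf`) describe browser-executable content; this file only maps extensions, so restricting where such files may be served from belongs in the location rules, not here.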
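Review bot: The new zone keys on `$binary_remote_addr` while `set_real_ip_from` two lines below remains commented out, so if this server sits behind a reverse proxy or CDN every client is folded into one 10 r/s bucket and a single busy proxy address can throttle everyone. If that deployment is expected, enable `set_real_ip_from`/`real_ip_header` so the key is the real client, and record the assumption beside the zone, e.g. `# zone=two: per-client limit for wp-cron/xmlrpc; key is the direct peer unless real_ip is configured`. The name `two` says nothing about purpose; something like `zone=wpcron_xmlrpc:10m` would make the `limit_req` references in wpcommon self-describing. The pre-existing `limit_req_status 403;` also applies to this zone; 429 would be the more accurate status, though that is not introduced here.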
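Review bot: Per-IP rate limiting on `location = /xmlrpc.php` does not address the usual XML-RPC abuse it is labelled against: one `system.multicall` request can carry hundreds of login attempts, so 10 r/s with `burst=1` still permits thousands of credential guesses per second from a single address, and pingback amplification needs only a handful of requests. If XML-RPC is not required, `deny all;` or `return 403;` in this block is the stronger default; if it is, pair the limit with a WordPress-side multicall restriction and make the comment state what is actually mitigated, e.g. `# Rate-limit xmlrpc.php (request floods); does not stop system.multicall batching`. Both new blocks share `zone=two`, so a client's wp-cron hits count against its xmlrpc budget — acceptable if intended, but worth a comment. Minor: `Dos` in the second comment should read `DoS` to match the first.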