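### /etc/nginx/nginx.conf
#
# Main configuration: a port-80 vhost that only redirects to HTTPS, and a
# TLS vhost serving a PHP (WordPress) site through php-fpm, fronted by a
# memcached lookup and a fastcgi page cache.

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 4096;
    multi_accept on;
    use epoll;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 15;
    keepalive_requests 65536;
    client_body_timeout 12;
    client_header_timeout 15;
    send_timeout 15;
    types_hash_max_size 2048;
    server_tokens off;                      # do not advertise the nginx version
    server_names_hash_max_size 1024;
    server_names_hash_bucket_size 1024;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    include fastcgi_params;
    index index.php index.html index.htm;

    client_body_temp_path /tmp/client_body;
    proxy_temp_path /tmp/proxy;
    fastcgi_temp_path /tmp/fastcgi;
    uwsgi_temp_path /tmp/uwsgi;
    scgi_temp_path /tmp/scgi;
    fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=phpcache:100m inactive=60m;
    fastcgi_cache_key "$scheme$request_method$host$request_uri";

    # The cache key above does not include cookies, so a page rendered for a
    # logged-in WordPress user would otherwise be stored and replayed to
    # anonymous visitors. Requests carrying the login cookie neither read nor
    # populate the cache (used by fastcgi_cache_bypass / fastcgi_no_cache in
    # the PHP location below).
    map $http_cookie $skip_cache {
        default 0;
        ~wordpress_logged_in 1;
    }

    default_type application/octet-stream;
    client_body_buffer_size 16K;
    client_header_buffer_size 1K;
    client_max_body_size 8m;
    # Was "2 1k": a logged-in WordPress request (cookies plus URI) is
    # routinely larger than 1k and was rejected with
    # 400 "Request Header Or Cookie Too Large". "4 8k" is nginx's default.
    large_client_header_buffers 4 8k;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;

    ##
    # Gzip Settings
    ##
    # NOTE(review): text/html is always compressed when gzip is on; compressing
    # dynamic pages that embed per-user secrets over TLS is the BREACH
    # precondition. Confirm this is acceptable for the pages served here.
    gzip on;
    gzip_disable "msie6";
    gzip_min_length 1000;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 2;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json image/svg+xml image/png image/gif image/jpeg application/x-javascript text/xml application/xml application/xml+rss text/javascript font/ttf font/otf font/eot x-font/woff application/x-font-ttf application/x-font-truetype application/x-font-opentype application/font-woff application/font-woff2 application/vnd.ms-fontobject audio/mpeg3 audio/x-mpeg-3 audio/ogg audio/flac audio/mpeg application/mpeg application/mpeg3 application/ogg;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##
    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##
    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/blacklist.conf;
    include /etc/nginx/sites-enabled/*;

    upstream php {
        server unix:/var/run/php/php7.0-fpm.sock;
    }

    # Plain HTTP: redirect everything to HTTPS. $server_name is the first name
    # of the server_name directive, so www.example.com is also folded onto
    # example.com here.
    server {
        listen 80;        # IPv4
        listen [::]:80;   # IPv6
        server_name example.com www.example.com;
        return 301 https://$server_name$request_uri;
    }

    server {
        server_name example.com www.example.com;
        # "default" was the legacy spelling of default_server.
        listen 443 default_server ssl http2;      # SSL
        listen [::]:443 default_server ssl http2; # IPv6
        # "ssl on;" removed: deprecated, and redundant with the listen
        # parameters above.
        ssl_certificate /etc/nginx/ssl/tls.crt;
        ssl_certificate_key /etc/nginx/ssl/ssl.key;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 24h;
        # Forward-secret AEAD suites only; the SHA-1 CBC, DHE-DSS and
        # "AES256+EDH" entries of the original list are dropped.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996). Add TLSv1.3 once the
        # nginx/OpenSSL build in use supports it.
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_stapling on;
        # Stapling verification needs the issuer chain; if tls.crt does not
        # carry it, point ssl_trusted_certificate at the chain file.
        ssl_stapling_verify on;

        # HPKP (Public-Key-Pins) is obsolete and removed from browsers, and a
        # wrong pin locks clients out for max-age. The pins here were
        # placeholders anyway; kept for reference only.
        #add_header Public-Key-Pins 'pin-sha256="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; pin-sha256="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; pin-sha256="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; pin-sha256="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; max-age=2592000';
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
        add_header X-Content-Type-Options "nosniff";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
        # The header value is "on"/"off"; "content=on" is the <meta> tag form.
        add_header X-Dns-Prefetch-Control on;
        # NOTE: add_header is only inherited by a location (or if-block) that
        # declares no add_header of its own, so the CORS branch in @fallback
        # emits none of the headers above for matching origins.

        # autoindex on;                         # File listing
        # auth_basic "Personal File Server";
        # auth_basic_user_file $PATH/htpasswd.conf;

        root /home/user/selfhost/html;
        include /etc/nginx/includes/*.conf;     # Extra config
        client_max_body_size 10M;

        # Try memcached first; anything it cannot answer falls through to PHP.
        location / {
            set $memcached_key "$uri?$args";
            memcached_pass 127.0.0.1:11211;
            error_page 404 502 504 = @fallback;
        }

        location @fallback {
            # "/index.php$args" (no "?") glued the query onto the path and
            # produced URIs such as /index.phpp=1, which no location handles.
            try_files $uri $uri/ /index.php?$args;
            # Anchored: the original pattern matched any origin that merely
            # contained ".example.com" somewhere in its host.
            if ($http_origin ~* "^https?://[^/]*\.example\.com(:[0-9]+)?$") {
                add_header 'Access-Control-Allow-Origin' "$http_origin";
            }
            if (-f $document_root/maintenance.html) {
                return 503;
            }
        }

        location ~ [^/]\.php(/|$) {
            # set cgi.fix_pathinfo = 0; in php.ini
            include fastcgi.conf;
            #fastcgi_intercept_errors on;
            fastcgi_intercept_errors off;
            fastcgi_pass php;                   # the upstream declared above
            fastcgi_cache phpcache;
            fastcgi_cache_valid 200 60m;
            # $skip_cache comes from the login-cookie map in the http block.
            fastcgi_cache_bypass $skip_cache;
            fastcgi_no_cache $skip_cache;
            #add_header X-Fastcgi-Cache $upstream_cache_status;
        }

        location /happenings-and-events {
            proxy_pass https://example.com/posts/category/happenings-and-events;
        }

        location /gallery {
            proxy_pass https://example.com/posts/category/gallery;
        }

        location ~ /nginx.conf {
            deny all;
        }

        include /etc/nginx/conf.d/nginx.conf;

        # NOTE(review): the flag file checked in @fallback is maintenance.html
        # but the page served is /.maintenance.html — confirm both names are
        # intended.
        error_page 503 @maintenance;
        location @maintenance {
            rewrite ^(.*)$ /.maintenance.html break;
        }
    }
}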
# /etc/nginx/fastcgi_params
#
# Included at http level by nginx.conf. The PHP location there also includes
# fastcgi.conf; because fastcgi_param is not merged across levels, the set
# below applies only where no location-level fastcgi_param is declared.
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
# if_not_empty: HTTPS is only sent on TLS connections.
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# Upstream timeouts (seconds) and buffering for php-fpm responses.
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
# http-level default; the PHP location in nginx.conf sets this to off.
fastcgi_intercept_errors on;
# 0 disables spooling large responses to temp files.
fastcgi_max_temp_file_size 0;
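# Wordpress iThemes security config
# BEGIN iThemes Security - Do not modify or remove this line
# iThemes Security Config Details: 2
#
# These directives belong in server context and must be included ahead of
# the PHP handler location (regex locations match in order of appearance),
# otherwise the deny rules below never see a request.

# Ban Hosts - Security > Settings > Banned Users
# "xxx.xxx.xxx.xxx" is a placeholder, and nginx rejects it as an address at
# config load; keep the line commented until a real host is filled in.
# deny <BANNED_HOST_IP>;

# Protect System Files - Security > Settings > System Tweaks > System Files
location ~ /\.ht { deny all; }
location ~ /wp-config\.php { deny all; }
location ~ /readme\.html { deny all; }
location ~ /readme\.txt { deny all; }
location ~ /install\.php { deny all; }
# The original "location ^wp-includes/..." lines had no "~" modifier, so
# nginx read "^wp-includes/..." as a literal prefix that no URI starts with
# and the rules never matched.
location ~ ^/wp-includes/.*\.php$ { deny all; }
location ~ ^/wp-admin/includes/ { deny all; }

# Disable PHP in Uploads - Security > Settings > System Tweaks > Uploads
# Same modifier fix as above; without it, uploaded .php files reached php-fpm.
location ~* ^/wp-content/uploads/.*\.php { deny all; }

# Filter Request Methods - Security > Settings > System Tweaks > Request Methods
if ($request_method ~* "^(TRACE|DELETE|TRACK)") { return 403; }

# Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
# $args is the raw (not percent-decoded) query string, so these are literal
# substring checks and deliberately coarse; the word lists below will also
# reject legitimate queries containing e.g. "request" or "insert".
set $susquery 0;
if ($args ~* "\.\./") { set $susquery 1; }
if ($args ~* "\.(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
if ($args ~* "etc/passwd") { set $susquery 1; }
if ($args ~* "boot\.ini") { set $susquery 1; }
if ($args ~* "ftp:") { set $susquery 1; }
if ($args ~* "http:") { set $susquery 1; }
if ($args ~* "https:") { set $susquery 1; }
if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
if ($args ~* "base64_encode") { set $susquery 1; }
if ($args ~* "(%24&x)") { set $susquery 1; }
if ($args ~* "(127\.0)") { set $susquery 1; }
if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
if ($args ~* "(request|insert|concat|union|declare)") { set $susquery 1; }
# Exemptions. The original used "!~" here, which cleared $susquery for every
# request whose query did NOT match — i.e. practically all of them — so the
# checks above could never return 403. An exemption must clear the flag only
# when it matches.
if ($args ~ "^loggedout=true") { set $susquery 0; }
if ($args ~ "^action=jetpack-sso") { set $susquery 0; }
if ($args ~ "^action=rp") { set $susquery 0; }
if ($http_cookie ~ "wordpress_logged_in_") { set $susquery 0; }
if ($http_referer ~ "^http://maps\.googleapis\.com") { set $susquery 0; }
if ($susquery = 1) { return 403; }

# Filter Non-English Characters - Security > Settings > System Tweaks > Non-English Characters
# Rejects any percent-encoded byte in %0x or %Ax-%Fx, i.e. all non-ASCII
# (UTF-8) query values.
if ($args ~* "(%0|%A|%B|%C|%D|%E|%F)") { return 403; }
# END iThemes Security - Do not modify or remove this line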