  1. ### /etc/nginx/nginx.conf
  2. user www-data;
  3. worker_processes 4;
  4. pid /run/nginx.pid;
  5.  
  6. events {
  7.     worker_connections 4096;
  8.     multi_accept on;
  9.     use epoll;
  10. }
  11.  
  12. http {
  13.  
  14.     ##
  15.     # Basic Settings
  16.     ##
  17.  
  18.     sendfile on;
  19.     tcp_nopush on;
  20.     tcp_nodelay on;
  21.     keepalive_timeout 15;
  22.     keepalive_requests 65536;
  23.     client_body_timeout 12;
  24.     client_header_timeout 15;
  25.     send_timeout 15;
  26.     types_hash_max_size 2048;
  27.     server_tokens off;
  28.  
  29.     server_names_hash_max_size 1024;
  30.     server_names_hash_bucket_size 1024;
  31.     # server_name_in_redirect off;
  32.  
  33.     include /etc/nginx/mime.types;
  34.     include fastcgi_params;
  35.  
  36.     index index.php index.html index.htm;
  37.    
  38.     client_body_temp_path /tmp/client_body;
  39.         proxy_temp_path /tmp/proxy;
  40.         fastcgi_temp_path /tmp/fastcgi;
  41.         uwsgi_temp_path /tmp/uwsgi;
  42.         scgi_temp_path /tmp/scgi;  
  43.         fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=phpcache:100m inactive=60m;
  44.         fastcgi_cache_key "$scheme$request_method$host$request_uri";
  45.     default_type application/octet-stream;
  46.  
  47.     client_body_buffer_size 16K;
  48.     client_header_buffer_size 1K;
  49.     client_max_body_size 8m;
  50.     large_client_header_buffers 2 1k;
  51.  
  52.     ##
  53.     # Logging Settings
  54.     ##
  55.  
  56.     access_log /var/log/nginx/access.log;
  57.     error_log /var/log/nginx/error.log warn;
  58.  
  59.     ##
  60.     # Gzip Settings
  61.     ##
  62.  
  63.     gzip on;
  64.     gzip_disable "msie6";
  65.     gzip_min_length 1000;
  66.     gzip_vary on;
  67.     gzip_proxied any;
  68.     gzip_comp_level 2;
  69.     gzip_buffers 16 8k;
  70.     gzip_http_version 1.1;
  71.     gzip_types text/plain text/css application/json image/svg+xml image/png image/gif image/jpeg application/x-javascript text/xml application/xml application/xml+rss text/javascript font/ttf font/otf font/eot x-font/woff application/x-font-ttf application/x-font-truetype application/x-font-opentype application/font-woff application/font-woff2 application/vnd.ms-fontobject audio/mpeg3 audio/x-mpeg-3 audio/ogg audio/flac audio/mpeg application/mpeg application/mpeg3 application/ogg;
  72.  
  73.     ##
  74.     # nginx-naxsi config
  75.     ##
  76.     # Uncomment it if you installed nginx-naxsi
  77.     ##
  78.  
  79.     #include /etc/nginx/naxsi_core.rules;
  80.  
  81.     ##
  82.     # nginx-passenger config
  83.     ##
  84.     # Uncomment it if you installed nginx-passenger
  85.     ##
  86.    
  87.     #passenger_root /usr;
  88.     #passenger_ruby /usr/bin/ruby;
  89.  
  90.     ##
  91.     # Virtual Host Configs
  92.     ##
  93.  
  94.     include /etc/nginx/conf.d/blacklist.conf;
  95.     include /etc/nginx/sites-enabled/*;
  96.    
  97.     upstream php {
  98.         server unix:/var/run/php/php7.0-fpm.sock;
  99.     }
  100.  
  101.     server {   
  102.         listen 80; # IPv4
  103.         listen [::]:80; # IPv6
  104.         server_name example.com www.example.com;
  105.         return 301 https://$server_name$request_uri;
  106.  
  107.             }
  108.  
  109.     server {
  110.         server_name example.com www.example.com;
  111.         listen 443 default http2 ssl; # SSL
  112.         listen [::]:443 default http2 ssl; # IPv6
  113.         ssl on;
  114.         ssl_certificate /etc/nginx/ssl/tls.crt;
  115.         ssl_certificate_key /etc/nginx/ssl/ssl.key;
  116.         ssl_dhparam /etc/nginx/ssl/dhparam.pem;
  117.         ssl_session_cache shared:SSL:10m;
  118.         ssl_session_timeout 24h;
  119.         ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256+EECDH:AES256+EDH:!aNULL;
  120.         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  121.         ssl_prefer_server_ciphers on;
  122.         ssl_stapling on;
  123.         ssl_stapling_verify on;
  124.  
  125.         add_header Public-Key-Pins 'pin-sha256="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; pin-sha256="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; pin-sha256="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; pin-sha256="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; max-age=2592000';
  126.                 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;";
  127.                 add_header X-Content-Type-Options "nosniff";
  128.                 add_header X-Frame-Options SAMEORIGIN;
  129.                 add_header X-XSS-Protection "1; mode=block";
  130.         add_header X-Dns-Prefetch-Control 'content=on';
  131.        
  132.         # autoindex on; # File listing
  133.         # auth_basic "Personal File Server";
  134.         # auth_basic_user_file $PATH/htpasswd.conf;
  135.         root /home/user/selfhost/html;
  136.         include /etc/nginx/includes/*.conf; # Extra config
  137.        
  138.         client_max_body_size 10M;
  139.  
  140.         location / {
  141.             set $memcached_key "$uri?$args";
  142.             memcached_pass  127.0.0.1:11211;
  143.             error_page 404 502 504 = @fallback;    
  144.         }
  145.  
  146.         location @fallback {
  147.             try_files $uri $uri/ /index.php$args;
  148.             if ($http_origin ~* (https?://[^/]*\.example\.com(:[0-9]+)?)) {
  149.                         add_header 'Access-Control-Allow-Origin' "$http_origin";
  150.                         }
  151.             if (-f $document_root/maintenance.html) {
  152.                 return 503;
  153.             }
  154.         }
  155.  
  156.         location ~ [^/]\.php(/|$) {
  157.             # set cgi.fix_pathinfo = 0; in php.ini
  158.             include fastcgi.conf;
  159.             #fastcgi_intercept_errors on;
  160.             fastcgi_intercept_errors off;
  161.             fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
  162.             fastcgi_cache phpcache;
  163.             fastcgi_cache_valid 200 60m;
  164.             #add_header X-Fastcgi-Cache $upstream_cache_status;
  165.         }
  166.  
  167.         location /happenings-and-events {
  168.             proxy_pass https://example.com/posts/category/happenings-and-events;
  169.         }
  170.         location /gallery {
  171.             proxy_pass https://example.com/posts/category/gallery;
  172.         }
  173.         location ~ /nginx.conf {
  174.             deny all;
  175.         }
  176.  
  177.         include /etc/nginx/conf.d/nginx.conf;
  178.  
  179.         error_page 503 @maintenance;
  180.         location @maintenance {
  181.             rewrite ^(.*)$ /.maintenance.html break;
  182.         }
  183.  
  184.                 }
  185.     }
  186. }
  187. # /etc/nginx/fastcgi_params
  188. fastcgi_param  QUERY_STRING       $query_string;
  189. fastcgi_param  REQUEST_METHOD     $request_method;
  190. fastcgi_param  CONTENT_TYPE       $content_type;
  191. fastcgi_param  CONTENT_LENGTH     $content_length;
  192.  
  193. fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
  194. fastcgi_param  REQUEST_URI        $request_uri;
  195. fastcgi_param  DOCUMENT_URI       $document_uri;
  196. fastcgi_param  DOCUMENT_ROOT      $document_root;
  197. fastcgi_param  SERVER_PROTOCOL    $server_protocol;
  198. fastcgi_param  REQUEST_SCHEME     $scheme;
  199. fastcgi_param  HTTPS              $https if_not_empty;
  200.  
  201. fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
  202. fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
  203.  
  204. fastcgi_param  REMOTE_ADDR        $remote_addr;
  205. fastcgi_param  REMOTE_PORT        $remote_port;
  206. fastcgi_param  SERVER_ADDR        $server_addr;
  207. fastcgi_param  SERVER_PORT        $server_port;
  208. fastcgi_param  SERVER_NAME        $server_name;
  209.  
  210. # PHP only, required if PHP was built with --enable-force-cgi-redirect
  211. fastcgi_param  REDIRECT_STATUS    200;
  212.  
  213. fastcgi_connect_timeout 60;
  214. fastcgi_send_timeout 180;
  215. fastcgi_read_timeout 180;
  216. fastcgi_buffer_size 128k;
  217. fastcgi_buffers 256 16k;
  218. fastcgi_busy_buffers_size 256k;
  219. fastcgi_temp_file_write_size 256k;
  220. fastcgi_intercept_errors on;
  221. fastcgi_max_temp_file_size 0;
  222. # Wordpress iThemes security config
  223. # BEGIN iThemes Security - Do not modify or remove this line
  224. # iThemes Security Config Details: 2
  225.     # Ban Hosts - Security > Settings > Banned Users
  226.     deny xxx.xxx.xxx.xxx;
  227.  
  228.     # Protect System Files - Security > Settings > System Tweaks > System Files
  229.     location ~ /\.ht { deny all; }
  230.     location ~ wp-config.php { deny all; }
  231.     location ~ readme.html { deny all; }
  232.     location ~ readme.txt { deny all; }
  233.     location ~ /install.php { deny all; }
  234.     location ^wp-includes/(.*).php { deny all; }
  235.     location ^/wp-admin/includes(.*)$ { deny all; }
  236.  
  237.     # Disable PHP in Uploads - Security > Settings > System Tweaks > Uploads
  238.     location ^wp\-content/uploads/(.*).php(.?) { deny all; }
  239.  
  240.     # Filter Request Methods - Security > Settings > System Tweaks > Request Methods
  241.     if ($request_method ~* "^(TRACE|DELETE|TRACK)") { return 403; }
  242.  
  243.     # Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
  244.     set $susquery 0;
  245.     if ($args ~* "\.\./") { set $susquery 1; }
  246.     if ($args ~* "\.(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
  247.     if ($args ~* "etc/passwd") { set $susquery 1; }
  248.     if ($args ~* "boot.ini") { set $susquery 1; }
  249.     if ($args ~* "ftp:") { set $susquery 1; }
  250.     if ($args ~* "http:") { set $susquery 1; }
  251.     if ($args ~* "https:") { set $susquery 1; }
  252.     if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
  253.     if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
  254.     if ($args ~* "base64_encode") { set $susquery 1; }
  255.     if ($args ~* "(%24&x)") { set $susquery 1; }
  256.     if ($args ~* "(127.0)") { set $susquery 1; }
  257.     if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
  258.     if ($args ~* "(request|insert|concat|union|declare)") { set $susquery 1; }
  259.     if ($args !~ "^loggedout=true") { set $susquery 0; }
  260.     if ($args !~ "^action=jetpack-sso") { set $susquery 0; }
  261.     if ($args !~ "^action=rp") { set $susquery 0; }
  262.     if ($http_cookie !~ "^.*wordpress_logged_in_.*$") { set $susquery 0; }
  263.     if ($http_referer !~ "^http://maps.googleapis.com(.*)$") { set $susquery 0; }
  264.     if ($susquery = 1) { return 403; }
  265.  
  266.     # Filter Non-English Characters - Security > Settings > System Tweaks > Non-English Characters
  267.     if ($args ~* "(%0|%A|%B|%C|%D|%E|%F)") { return 403; }
  268. # END iThemes Security - Do not modify or remove this line