- #:nginx:Nginx+ PHP-FPM Default Stand Alone:2.0:
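- # HTTPS virtual host for the main site (apex and www names) on one public address.
- server {
- listen 144.217.68.82:443 ssl http2 ;
- server_name ni-dieu-ni-maitre.com www.ni-dieu-ni-maitre.com;
- root /home/anarchoi/public_html;
- # NOTE(review): the next line ends in "$" with no ";" - it looks cut off by the capture; restore the full directive from the live file before reuse.
- index index.php index.php5 index.php4 index.php3 index.perl index.pl index.cgi index.phtml index.shtml index.xhtml index.html index.htm index.wml Default.html Default.ht$
- # "ssl on;" was dropped here: the "ssl" flag on the listen directive already enables TLS for this socket, and the standalone directive is deprecated.
- ssl_certificate /usr/local/nginx/conf/ssl.cert.d/ni-dieu-ni-maitre.com_cert;
- # Private key file: keep it readable by the nginx master process only.
- ssl_certificate_key /usr/local/nginx/conf/ssl.key.d/ni-dieu-ni-maitre.com_key;
- # Only TLS 1.2 and 1.3 are offered; TLS 1.0 and 1.1 are formally deprecated (RFC 8996) and were removed from the list.
- # NOTE(review): server blocks that share this listen socket should carry the same protocol list - confirm which block is the default server for this address and port.
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers on;
- # NOTE(review): the cipher list is cut off by the capture ("$", no closing quote); the visible entries are all AES-GCM suites, the remainder cannot be reviewed from here.
- ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-G$
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 5m;
- #.............. Cpnginx OCSP stapling protection for security start ....................
- # The server fetches the OCSP response itself, verifies it against the CA bundle below and staples it to the handshake.
- ssl_stapling on;
- ssl_stapling_verify on;
- ssl_trusted_certificate /usr/local/nginx/conf/ssl.ca.d/ni-dieu-ni-maitre.com_ca-bundle;
- # Resolver used to look up the OCSP responder host; answers are cached for 300s.
- # NOTE(review): the list mixes the local resolver with public ones; a resolver on a trusted local network is the safer choice against spoofed answers.
- resolver 127.0.0.1 8.8.8.8 4.2.2.1 8.8.4.4 4.2.2.2 valid=300s;
- resolver_timeout 5s;
- #.............. Cpnginx OCSP stapling protection for security end....................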
- # Missing favicon requests are not written to the error log.
- location = /favicon.ico {
- log_not_found off;
- }
- # Two access logs in the Apache domlogs directory: a byte-count log and a combined-format request log.
- # Both are buffered (32k, flushed every 5m), so the newest requests may not be on disk yet during live triage.
- # The bytes_log format is not defined in this block - presumably declared at http level; confirm.
- access_log /usr/local/apache/domlogs/ni-dieu-ni-maitre.com-bytes_log bytes_log buffer=32k flush=5m;
- access_log /usr/local/apache/domlogs/ni-dieu-ni-maitre.com-ssl_log combined buffer=32k flush=5m;
- referer_hash_bucket_size 512;
- # Run Static file directly from nginx
- # location ~* ^.+.(jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|iso|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|mp3|ogv|ogg|flv|swf|mpeg|mpg|mpeg4|mp4|avi|wmv|js|css|3gp|si$
- # expires 30d;
- # add_header Pragma public;
- # add_header Cache-Control "public, must-revalidate, proxy-revalidate";
- # }
- # redirect non-www to www
- # NOTE(review): the trailing "$" on the next two lines is not nginx syntax - it looks like an end-of-screen marker from the capture; confirm and strip it before reuse.
- if ($host = 'ni-dieu-ni-maitre.com' ) { $
- rewrite ^/(.*)$ https://www.ni-dieu-ni-maitre.com/$1 permanent; $
- }
- keepalive_requests 100;
- keepalive_timeout 60s;
- # Symlink attack
- # If any path component below the document root is a symbolic link, nginx refuses the request, so a link planted in the web root cannot expose files elsewhere on the host.
- disable_symlinks on from=$document_root;
- # NOTE(review): directory listings are enabled - a directory without an index file returns its file list, which exposes backups, dumps and other unlinked files. Set to off unless listing is intended.
- autoindex on;
- # Disable direct access to .ht files and folders
- # Only names starting with ".ht" are covered; other dotfiles (for example .git or .env) are still served if present.
- location ~ /\.ht {
- deny all;
- }
- # Access all cpanel services
- # The listed path prefixes are forwarded over plain HTTP to port 9080 on the same address, with the original Host and client address passed along.
- # NOTE(review): this makes the panel and webmail paths reachable through the public site vhost. X-Forwarded-For keeps whatever the client sent and appends the real address, so the backend should rely on X-Real-IP or the last entry only.
- location ~* ^/(cpanel|webmail|whm|bandwidth|img-sys|java-sys|mailman/archives|pipermail|sys_cpanel|cgi-sys|mailman) {
- proxy_pass http://144.217.68.82:9080;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
- # HTTP LIMIT METHOD PROTECTION ONLY ALLOW GET,POST,HEAD
- # $badmethod is not set anywhere in this block - presumably a map on the request method at http level; confirm it is defined.
- # 444 is nginx's non-standard code that closes the connection without sending a response.
- if ($badmethod = 1) {
- return 444;
- }
- # X-XSS protection
- # NOTE(review): X-XSS-Protection is ignored by current browsers; a Content-Security-Policy is the maintained control.
- # Without the "always" parameter these two headers are added to success and redirect responses only, not to error pages.
- add_header X-XSS-Protection "1; mode=block";
- # X-FRAME attack protection
- # A location that declares its own add_header (the .pagespeed. location further down does) does not inherit these headers.
- add_header X-Frame-Options "SAMEORIGIN";
- # Protect from bad site scanners
- # $badscanner is likewise defined outside this block (presumably a map on the user agent; confirm). 448 is a non-standard status code.
- if ($badscanner = 1){
- return 448;
- }
- # Protect sql injections
- # Sets a flag when the query string matches one of three SQL keyword patterns, then rejects the request with 403.
- # These server-level "if" checks are evaluated in the order written, before a location is chosen.
- # NOTE(review): "~" is a case-sensitive match ("~*" is the case-insensitive form) and $query_string is the raw, undecoded query string; the request body, cookies and path are not inspected.
- # Treat this as a coarse noise filter: the application still needs parameterised queries.
- set $block_sql_injections 0;
- if ($query_string ~ "union.*select.*\(") {
- set $block_sql_injections 1;
- }
- if ($query_string ~ "union.*all.*select.*") {
- set $block_sql_injections 1;
- }
- # Broad pattern: any query string containing "concat" followed later by "(" is rejected, which can also catch legitimate parameters.
- if ($query_string ~ "concat.*\(") {
- set $block_sql_injections 1;
- }
- if ($block_sql_injections = 1) {
- return 403;
- }
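- # Protect file injections
- # Flags query strings in which a parameter value starts with an http:// URL, a ../ sequence or an absolute path, then rejects the request with 403.
- # This filter used to appear twice in a row; the second copy could never change the outcome because the first already returns 403, so a single copy is kept.
- # Matching is case-sensitive and sees only the raw query string (not the request body or cookies): treat it as a coarse filter, not as the application's input validation.
- set $block_file_injections 0;
- # Only the literal http:// scheme is matched; legitimate callback or redirect parameters that carry such a URL are rejected too.
- if ($query_string ~ "[a-zA-Z0-9_]=http://") {
- set $block_file_injections 1;
- }
- if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
- set $block_file_injections 1;
- }
- # NOTE(review): as written each path segment is a single character ([a-z0-9_.] followed by one or two slashes); a "+" after the class was presumably intended - confirm against the rule's origin.
- if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
- set $block_file_injections 1;
- }
- if ($block_file_injections = 1) {
- return 403;
- }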
- # common exploit protection
- # Sets a flag when the query string matches one of six signatures, then rejects the request with 403.
- # The signatures are matched case-sensitively against the raw query string only; they complement, and do not replace, output encoding and input validation in the application.
- set $block_common_exploits 0;
- # A script tag in the query string, with the angle brackets either literal or percent-encoded once.
- if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
- set $block_common_exploits 1;
- }
- # GLOBALS and _REQUEST used as parameter names: attempts to overwrite PHP superglobals.
- if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
- set $block_common_exploits 1;
- }
- if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
- set $block_common_exploits 1;
- }
- # A reference to the process environment pseudo-file.
- if ($query_string ~ "proc/self/environ") {
- set $block_common_exploits 1;
- }
- # mosConfig_* parameter names - presumably aimed at legacy Mambo/Joomla configuration overrides; confirm it is still relevant to the hosted application.
- if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
- set $block_common_exploits 1;
- }
- # A base64_encode( or base64_decode( call carried in the query string.
- if ($query_string ~ "base64_(en|de)code\(.*\)") {
- set $block_common_exploits 1;
- }
- if ($block_common_exploits = 1) {
- return 403;
- }
- # Hands every URI ending in .php to the account's PHP-FPM pool over a unix socket.
- location ~ \.php$ {
- # Only files that exist under the document root reach PHP-FPM; a request for a non-existent .php path gets 404 instead of being passed on.
- try_files $uri =404;
- # NOTE(review): the socket path suggests PHP 7.0, which no longer receives security fixes - confirm the running version.
- fastcgi_pass unix:/opt/cpanel/ea-php70/root/usr/var/run/php-fpm/anarchoi.sock;
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- include /usr/local/nginx/conf/fastcgi_params;
- # NOTE(review): any .php file under the document root is executable, upload directories included; restrict execution there if the application accepts uploads.
- }
- # Enable google Page speed
- pagespeed on;
- pagespeed RespectVary on;
- # Ensure requests for pagespeed optimized resources go to the pagespeed handler and no extraneous headers get set.
- # The empty add_header also means the server-level X-XSS-Protection and X-Frame-Options headers are not inherited by this location.
- location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
- add_header "" "";
- }
- location ~ "^/pagespeed_static/" { }
- location ~ "^/ngx_pagespeed_beacon$" { }
- # Statistics, message and admin endpoints answer to 127.0.0.1 only; every other client is denied.
- location /ngx_pagespeed_statistics { allow 127.0.0.1; deny all; }
- location /ngx_pagespeed_global_statistics { allow 127.0.0.1; deny all; }
- location /ngx_pagespeed_message { allow 127.0.0.1; deny all; }
- location /pagespeed_console { allow 127.0.0.1; deny all; }
- location ~ ^/pagespeed_admin { allow 127.0.0.1; deny all; }
- location ~ ^/pagespeed_global_admin { allow 127.0.0.1; deny all; }
- # filters
- pagespeed RewriteLevel CoreFilters;
- pagespeed PreserveUrlRelativity on;
- pagespeed DisableFilters rewrite_css,rewrite_javascript,combine_css,inline_css,rewrite_images;
- pagespeed EnableFilters fallback_rewrite_css_urls;
- # Map domain works as a cdn
- # Authorises resources on this additional host name for rewriting.
- pagespeed Domain https://cpnginxcdn.ni-dieu-ni-maitre.com;
- # Map Original Domains
- # NOTE(review): the arguments on the next line read like unfilled template placeholders rather than real host names; confirm and replace or remove.
- pagespeed MapOriginDomain origin_to_fetch_from origin_specified_in_html [host_header];
- # Respect front-end proxy
- # NOTE(review): this trusts the X-Forwarded-Proto request header; it is only appropriate when a trusted proxy in front of nginx sets it, and this vhost terminates TLS itself - confirm it is needed.
- pagespeed RespectXForwardedProto on;
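- # Allow Let's Encrypt client authentication - letsencrypt.org RFC 5785
- # The pattern is anchored and the dot escaped so that only URIs beginning with /.well-known/ match.
- # The earlier form (/.well-known, unanchored, "." matching any character) also matched that text anywhere inside a longer path, which then bypassed the "location /" handling below.
- location ~ ^/\.well-known/ { allow all; }
- # Everything else: apply the site's rewrite rules, serve the file or directory if it exists, otherwise fall back to the front controller.
- location / {
- include /usr/local/nginx/conf/vhost.ssl.d/ngnm.rewrite;
- # NOTE(review): request bodies of up to 2000m are accepted for every path under this location; lower the limit, or raise it only on the upload endpoint, to reduce disk and memory pressure from oversized requests.
- client_max_body_size 2000m;
- client_body_buffer_size 512k;
- try_files $uri $uri/ /index.php?$args;
- }
- # include /usr/local/nginx/conf/vhost.ssl.d/ni-dieu-ni-maitre.com.include;
- # Closes the server block for the main site.
- }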
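- # TLS front end for the control-panel and webmail subdomains: everything except /.well-known/ is proxied to the panel listener on the loopback interface.
- server {
- listen 144.217.68.82:443 ssl http2 ;
- # NOTE(review): the next line ends in "$" with no ";" - the name list looks cut off by the capture; restore it from the live file before reuse.
- server_name cpanel.ni-dieu-ni-maitre.com whm.ni-dieu-ni-maitre.com webmail.ni-dieu-ni-maitre.com webdisk.ni-dieu-ni-maitre.com cpcalendars.ni-dieu-ni-maitre.com cpcontacts$
- # "ssl on;" was dropped here: the "ssl" flag on the listen directive already enables TLS for this socket, and the standalone directive is deprecated.
- ssl_certificate /usr/local/nginx/conf/ssl.cert.d/ni-dieu-ni-maitre.com_cert;
- ssl_certificate_key /usr/local/nginx/conf/ssl.key.d/ni-dieu-ni-maitre.com_key;
- # Only TLS 1.2 and 1.3 are offered; TLS 1.0 and 1.1 are formally deprecated (RFC 8996) and were removed from the list.
- # NOTE(review): keep this list identical in every server block that shares this address and port.
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 5m;
- # NOTE(review): request logging is off for the vhost that fronts panel and webmail logins, so failed-login and brute-force activity is visible only in the backend's own logs - confirm those record the forwarded client address, or enable a log here.
- access_log off;
- location / {
- # Certificate-validation files are served from the main site's document root; the pattern is anchored and the dot escaped so only URIs beginning with /.well-known/ match.
- location ~ ^/\.well-known/ {
- root /home/anarchoi/public_html;
- }
- # The upstream is reached over TLS on the loopback interface; nginx does not verify the upstream certificate unless proxy_ssl_verify is enabled.
- proxy_pass https://127.0.0.1:9443;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- # X-Forwarded-For keeps whatever the client sent and appends the real address; the backend should trust the last entry or X-Real-IP only.
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
- }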