  1. #:nginx:Nginx+ PHP-FPM Default Stand Alone:2.0:
  2. server {
  3. listen 144.217.68.82:443 ssl http2 ;
  4. server_name ni-dieu-ni-maitre.com www.ni-dieu-ni-maitre.com;
  5. root /home/anarchoi/public_html;
  6. index index.php index.php5 index.php4 index.php3 index.perl index.pl index.cgi index.phtml index.shtml index.xhtml index.html index.htm index.wml Default.html Default.ht$
  7.  
  8. ssl on;
  9. ssl_certificate /usr/local/nginx/conf/ssl.cert.d/ni-dieu-ni-maitre.com_cert;
  10. ssl_certificate_key /usr/local/nginx/conf/ssl.key.d/ni-dieu-ni-maitre.com_key;
  11. ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  12. ssl_prefer_server_ciphers on;
  13. ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-G$
  14. ssl_session_cache shared:SSL:10m;
  15. ssl_session_timeout 5m;
  16.  
  17. #.............. Cpnginx OCSP stapling protection for security start ....................
  18. ssl_stapling on;
  19. ssl_stapling_verify on;
  20. ssl_trusted_certificate /usr/local/nginx/conf/ssl.ca.d/ni-dieu-ni-maitre.com_ca-bundle;
  21. resolver 127.0.0.1 8.8.8.8 4.2.2.1 8.8.4.4 4.2.2.2 valid=300s;
  22. resolver_timeout 5s;
  23. #.............. Cpnginx OCSP stapling protection for security end....................
  24.  
  25. location = /favicon.ico {
  26. log_not_found off;
  27. }
  28.  
  29.  
  30. access_log /usr/local/apache/domlogs/ni-dieu-ni-maitre.com-bytes_log bytes_log buffer=32k flush=5m;
  31. access_log /usr/local/apache/domlogs/ni-dieu-ni-maitre.com-ssl_log combined buffer=32k flush=5m;
  32.  
  33. referer_hash_bucket_size 512;
  34. # Run Staic file directly from nginx
  35. # location ~* ^.+.(jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|iso|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|mp3|ogv|ogg|flv|swf|mpeg|mpg|mpeg4|mp4|avi|wmv|js|css|3gp|si$
  36. # expires 30d;
  37. # add_header Pragma public;
  38. # add_header Cache-Control "public, must-revalidate, proxy-revalidate";
  39. # }
  40. # redirect non-www to www
  41. if ($host = 'ni-dieu-ni-maitre.com' ) { $
  42. rewrite ^/(.*)$ https://www.ni-dieu-ni-maitre.com/$1 permanent; $
  43. }
  44. keepalive_requests 100;
  45. keepalive_timeout 60s;
  46. # Symlink attack
  47. disable_symlinks on from=$document_root;
  48.  
  49. autoindex on;
  50. # Disable direct access to .ht files and folders
  51. location ~ /\.ht {
  52. deny all;
  53. }
  54. # Access all cpanel services
  55. location ~* ^/(cpanel|webmail|whm|bandwidth|img-sys|java-sys|mailman/archives|pipermail|sys_cpanel|cgi-sys|mailman) {
  56. proxy_pass http://144.217.68.82:9080;
  57. proxy_set_header Host $host;
  58. proxy_set_header X-Real-IP $remote_addr;
  59. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  60. }
  61.  
  62.  
  63.  
  64. # HTTP LIMIT METHOD PROTECTION ONLY ALLOW GET,POST,HEAD
  65. if ($badmethod = 1) {
  66. return 444;
  67. }
  68.  
  69.  
  70. # X-XSS protection
  71. add_header X-XSS-Protection "1; mode=block";
  72.  
  73. # X-FRAME attach protection
  74. add_header X-Frame-Options "SAMEORIGIN";
  75.  
  76. # Protect from bad site scanners
  77. if ($badscanner = 1){
  78. return 448;
  79. }
  80.  
  81.  
  82. # Protect sql injections
  83. set $block_sql_injections 0;
  84. if ($query_string ~ "union.*select.*\(") {
  85. set $block_sql_injections 1;
  86. }
  87. if ($query_string ~ "union.*all.*select.*") {
  88. set $block_sql_injections 1;
  89. }
  90. if ($query_string ~ "concat.*\(") {
  91. set $block_sql_injections 1;
  92. }
  93. if ($block_sql_injections = 1) {
  94. return 403;
  95. }
  96.  
  97.  
  98. # Protect file injections
  99. set $block_file_injections 0;
  100. if ($query_string ~ "[a-zA-Z0-9_]=http://") {
  101. set $block_file_injections 1;
  102. }
  103. if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
  104. set $block_file_injections 1;
  105. }
  106. if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
  107. set $block_file_injections 1;
  108. }
  109. if ($block_file_injections = 1) {
  110. return 403;
  111. }
  112.  
  113.  
  114. # Protect file injections
  115. set $block_file_injections 0;
  116. if ($query_string ~ "[a-zA-Z0-9_]=http://") {
  117. set $block_file_injections 1;
  118. }
  119. if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
  120. set $block_file_injections 1;
  121. }
  122. if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
  123. set $block_file_injections 1;
  124. }
  125. if ($block_file_injections = 1) {
  126. return 403;
  127. }
  128.  
  129. # common exploit protection
  130. set $block_common_exploits 0;
  131. if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
  132. set $block_common_exploits 1;
  133. }
  134. if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
  135. set $block_common_exploits 1;
  136. }
  137. if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
  138. set $block_common_exploits 1;
  139. }
  140. if ($query_string ~ "proc/self/environ") {
  141. set $block_common_exploits 1;
  142. }
  143. if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
  144. set $block_common_exploits 1;
  145. }
  146. if ($query_string ~ "base64_(en|de)code\(.*\)") {
  147. set $block_common_exploits 1;
  148. }
  149. if ($block_common_exploits = 1) {
  150. return 403;
  151. }
  152.  
  153.  
  154. location ~ \.php$ {
  155. try_files $uri =404;
  156. fastcgi_pass unix:/opt/cpanel/ea-php70/root/usr/var/run/php-fpm/anarchoi.sock;
  157. fastcgi_index index.php;
  158. fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  159. include /usr/local/nginx/conf/fastcgi_params;
  160.  
  161. }
  162.  
  163. # Enable google Page speed
  164. pagespeed on;
  165. pagespeed RespectVary on;
  166. # Ensure requests for pagespeed optimized resources go to the pagespeed handler and no extraneous headers get set.
  167. location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
  168. add_header "" "";
  169. }
  170. location ~ "^/pagespeed_static/" { }
  171. location ~ "^/ngx_pagespeed_beacon$" { }
  172. location /ngx_pagespeed_statistics { allow 127.0.0.1; deny all; }
  173. location /ngx_pagespeed_global_statistics { allow 127.0.0.1; deny all; }
  174. location /ngx_pagespeed_message { allow 127.0.0.1; deny all; }
  175. location /pagespeed_console { allow 127.0.0.1; deny all; }
  176. location ~ ^/pagespeed_admin { allow 127.0.0.1; deny all; }
  177. location ~ ^/pagespeed_global_admin { allow 127.0.0.1; deny all; }
  178. # filters
  179. pagespeed RewriteLevel CoreFilters;
  180. pagespeed PreserveUrlRelativity on;
  181. pagespeed DisableFilters rewrite_css,rewrite_javascript,combine_css,inline_css,rewrite_images;
  182. pagespeed EnableFilters fallback_rewrite_css_urls;
  183.  
  184. # Map domain works as a cdn
  185. pagespeed Domain https://cpnginxcdn.ni-dieu-ni-maitre.com;
  186.  
  187. # Map Original Domains
  188. pagespeed MapOriginDomain origin_to_fetch_from origin_specified_in_html [host_header];
  189.  
  190. # Respect froned Proxy
  191. pagespeed RespectXForwardedProto on;
  192. # Allow Let's Encrypt client authentication - letsencrypt.org RFC 5785
  193. location ~ /.well-known { allow all; }
  194.  
  195. location / {
  196. include /usr/local/nginx/conf/vhost.ssl.d/ngnm.rewrite;
  197. client_max_body_size 2000m;
  198. client_body_buffer_size 512k;
  199. try_files $uri $uri/ /index.php?$args;
  200.  
  201.  
  202. }
  203. # include /usr/local/nginx/conf/vhost.ssl.d/ni-dieu-ni-maitre.com.include;
  204.  
  205. }
  206.  
  207. server {
  208. listen 144.217.68.82:443 ssl http2 ;
  209. server_name cpanel.ni-dieu-ni-maitre.com whm.ni-dieu-ni-maitre.com webmail.ni-dieu-ni-maitre.com webdisk.ni-dieu-ni-maitre.com cpcalendars.ni-dieu-ni-maitre.com cpcontacts$
  210. ssl on;
  211. ssl_certificate /usr/local/nginx/conf/ssl.cert.d/ni-dieu-ni-maitre.com_cert;
  212. ssl_certificate_key /usr/local/nginx/conf/ssl.key.d/ni-dieu-ni-maitre.com_key;
  213. ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  214. ssl_session_cache shared:SSL:10m;
  215. ssl_session_timeout 5m;
  216. access_log off;
  217. location / {
  218. location ~ /.well-known{
  219. root /home/anarchoi/public_html;
  220. }
  221. proxy_pass https://127.0.0.1:9443;
  222. proxy_set_header Host $host;
  223. proxy_set_header X-Real-IP $remote_addr;
  224. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  225. }
  226. }