  1. fastcgi_cache_path /var/run/nginx-cachebl levels=1:2 keys_zone=WORDPRESS:100m inactive=60m;
  2. #fastcgi_cache_key "$scheme$request_method$host$request_uri";
  3. #fastcgi_cache_use_stale error timeout invalid_header http_500;
  4. #fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
  5.  
  6. server {
  7. listen 80;
  8. listen [::]:80;
  9. listen 443 ssl http2;
  10. listen [::]:443 ssl http2;
  11. ssl_certificate /etc/letsencrypt/live/beinglibertarian.com/fullchain.pem; # managed by Certbot
  12. ssl_certificate_key /etc/letsencrypt/live/beinglibertarian.com/privkey.pem; # managed by Certbot
  13. include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  14. ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  15.  
  16. # force redirect to HTTPS from HTTP
  17. if ($scheme != "https") {
  18. return 301 https://$host$request_uri;
  19. }
  20.  
  21. client_max_body_size 256M;
  22. root /var/www/html/beinglibertarian.com;
  23. index index.php index.html;
  24.  
  25. server_name www.beinglibertarian.com beinglibertarian.com;
  26.  
  27. set $skip_cache 0;
  28.  
  29. if ($request_method = POST) {
  30. set $skip_cache 1;
  31. }
  32.  
  33. if ($query_string != "") {
  34. set $skip_cache 1;
  35. }
  36.  
  37. if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
  38. set $skip_cache 1;
  39. }
  40.  
  41. if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
  42. set $skip_cache 1;
  43. }
  44.  
  45. location ~ /purge(/.*) {
  46. fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
  47. }
  48.  
  49. location / {
  50. try_files $uri $uri/ /index.php?$args;
  51. }
  52.  
  53. # Turn off directory indexing
  54. autoindex off;
  55.  
  56. # Deny access to htaccess and other hidden files
  57. location ~ /\. {
  58. deny all;
  59. }
  60.  
  61. # Deny access to wp-config.php file
  62. location = /wp-config.php {
  63. deny all;
  64. }
  65.  
  66. # Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
  67. location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
  68. deny all;
  69. }
  70.  
  71. # Stop php access except to needed files in wp-includes
  72. location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
  73. internal; #internal allows ms-files.php rewrite in multisite to work
  74. }
  75.  
  76. # Specifically locks down upload directories in case full wp-content rule below is skipped
  77. location ~* /(?:uploads|files)/.*\.php$ {
  78. deny all;
  79. }
  80.  
  81. # Deny direct access to .php files in the /wp-content/ directory (including sub-folders).
  82. # Note this can break some poorly coded plugins/themes, replace the plugin or remove this block if it causes trouble
  83. location ~* ^/wp-content/.*\.php$ {
  84. deny all;
  85. }
  86.  
  87. location ~ \.php$ {
  88. include snippets/fastcgi-php.conf;
  89. fastcgi_pass unix:/run/php/php7.2-fpm.sock;
  90. fastcgi_cache_bypass $skip_cache;
  91. fastcgi_no_cache $skip_cache;
  92. fastcgi_cache WORDPRESS;
  93. fastcgi_cache_valid 60m;
  94. include fastcgi_params;
  95. }
  96.  
  97.  
  98. location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
  99. internal;
  100. }
  101.  
  102. location = /favicon.ico {
  103. log_not_found off;
  104. access_log off;
  105. }
  106.  
  107. location = /robots.txt {
  108. access_log off;
  109. log_not_found off;
  110. }
  111.  
  112. location ~* /(?:uploads|files)/.*\.php$ {
  113. deny all;
  114. }
  115.  
  116. location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|php|pot|po|mo|log|sql)$ {
  117. deny all;
  118. }
  119. location ~ /\.(ht|svn)? {
  120. deny all;
  121. }
  122. ## Block file injections
  123. set $block_file_injections 0;
  124. if ($query_string ~ "[a-zA-Z0-9_]=http://") {
  125. set $block_file_injections 1;
  126. }
  127. if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
  128. set $block_file_injections 1;
  129. }
  130. if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
  131. set $block_file_injections 1;
  132. }
  133. if ($block_file_injections = 1) {
  134. return 403;
  135. }
  136.  
  137. ## Block SQL injections
  138. set $block_sql_injections 0;
  139. if ($query_string ~ "union.*select.*\(") {
  140. set $block_sql_injections 1;
  141. }
  142. if ($query_string ~ "union.*all.*select.*") {
  143. set $block_sql_injections 1;
  144. }
  145. if ($query_string ~ "concat.*\(") {
  146. set $block_sql_injections 1;
  147. }
  148. if ($block_sql_injections = 1) {
  149. return 403;
  150. }
  151.  
  152. ## Block common exploits
  153. set $block_common_exploits 0;
  154. if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
  155. set $block_common_exploits 1;
  156. }
  157. if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
  158. set $block_common_exploits 1;
  159. }
  160. if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
  161. set $block_common_exploits 1;
  162. }
  163. if ($query_string ~ "proc/self/environ") {
  164. set $block_common_exploits 1;
  165. }
  166. if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
  167. set $block_common_exploits 1;
  168. }
  169. if ($query_string ~ "base64_(en|de)code\(.*\)") {
  170. set $block_common_exploits 1;
  171. }
  172. if ($block_common_exploits = 1) {
  173. return 403;
  174. }
  175.  
  176.  
  177. }