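# Shared FastCGI page cache for WordPress (http context).
# /var/run is typically tmpfs, so the on-disk cache does not survive a reboot;
# that is acceptable for a 60-minute cache.
fastcgi_cache_path /var/run/nginx-cachebl levels=1:2 keys_zone=WORDPRESS:100m inactive=60m;
# fastcgi_cache cannot be enabled without a fastcgi_cache_key: nginx refuses to
# load the configuration otherwise. The purge location in the server block
# rebuilds exactly this key ($scheme$request_method$host + path), so keep the
# two in sync if either is changed.
fastcgi_cache_key "$scheme$request_method$host$request_uri";
# Optional: serve a stale copy while PHP-FPM is erroring or timing out.
#fastcgi_cache_use_stale error timeout invalid_header http_500;
# Deliberately left off. With upstream headers honoured, nginx does not cache a
# response that carries Set-Cookie, which is the safe default for a site with
# logged-in users; enabling this would cache such responses for everyone.
#fastcgi_ignore_headers Cache-Control Expires Set-Cookie;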
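server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.beinglibertarian.com beinglibertarian.com;

    ssl_certificate /etc/letsencrypt/live/beinglibertarian.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/beinglibertarian.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Force HTTPS. One server block answers on both ports, which is why this is
    # an `if` with `return` (safe in server context) rather than a second server.
    # NOTE(review): the target uses $host, i.e. the client-supplied Host header.
    # With server_name set that is normally fine, but if this block ever becomes
    # the default_server it will redirect to whatever Host the client sent.
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
    # Optional hardening once HTTPS is known to work everywhere (uncomment):
    # add_header Strict-Transport-Security "max-age=31536000" always;

    client_max_body_size 256M;
    root /var/www/html/beinglibertarian.com;
    index index.php index.html;

    # fastcgi_cache refuses to load without a key. It is declared here so this
    # server block does not depend on the http-level setting being present.
    # The purge location below must build the identical key.
    fastcgi_cache_key "$scheme$request_method$host$request_uri";

    # --- Cache bypass -------------------------------------------------------
    # $skip_cache = 1 means the request is neither served from nor stored in
    # the cache: writes, queries, admin/feeds/sitemaps, and anyone holding a
    # WordPress session or comment/post-password cookie.
    set $skip_cache 0;
    if ($request_method = POST) {
        set $skip_cache 1;
    }
    if ($query_string != "") {
        set $skip_cache 1;
    }
    if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*\.php|/feed/|index.php|sitemap(_index)?\.xml") {
        set $skip_cache 1;
    }
    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
        set $skip_cache 1;
    }

    # --- Cache purge (ngx_cache_purge module) -------------------------------
    # Unauthenticated purges let anyone on the internet evict the whole cache on
    # demand, so restrict the endpoint to the local host. Widen the allow list if
    # the purging client (e.g. a WordPress cache plugin) runs on another machine.
    location ~ /purge(/.*) {
        allow 127.0.0.1;
        allow ::1;
        deny all;
        fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
    }

    # --- Let's Encrypt --------------------------------------------------------
    # HTTP-01 challenges live under a dot-directory, which the "hidden files"
    # rule below would otherwise deny (and break webroot renewals). A ^~ prefix
    # location takes precedence over the regex locations. Harmless if Certbot
    # uses the nginx plugin rather than the webroot authenticator.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Turn off directory indexing
    autoindex off;

    # Deny access to .htaccess, .svn, .git and every other hidden file/dir.
    # (This already covers the narrower /\.(ht|svn)? rule that used to follow.)
    location ~ /\. {
        deny all;
    }

    # Deny access to wp-config.php
    location = /wp-config.php {
        deny all;
    }

    # Deny revealing or potentially dangerous files anywhere under /wp-content/
    location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
        deny all;
    }

    # Stop direct PHP access in wp-includes except TinyMCE's loader.
    # `internal` (rather than deny) keeps the multisite ms-files.php rewrite working.
    location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
        internal;
    }

    # Lock down upload directories explicitly in case the wp-content rule below
    # is ever removed.
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    # Deny direct access to .php files under /wp-content/ (including sub-folders).
    # This can break poorly coded plugins/themes; replace the plugin or remove
    # this block if it causes trouble.
    location ~* ^/wp-content/.*\.php$ {
        deny all;
    }

    # PHP handler. Regex locations are matched in order, so the deny/internal
    # rules above win for wp-content and wp-includes before this one is reached.
    location ~ \.php$ {
        # On Debian/Ubuntu this snippet performs the try_files =404 check that
        # defeats cgi.fix_pathinfo path confusion and presumably already includes
        # the FastCGI parameter set; the fastcgi_params include below is then
        # redundant but harmless.
        include snippets/fastcgi-php.conf;
        # NOTE(review): PHP 7.2 is end-of-life; update the socket path when PHP-FPM is upgraded.
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        fastcgi_cache_bypass $skip_cache;
        fastcgi_no_cache $skip_cache;
        fastcgi_cache WORDPRESS;
        fastcgi_cache_valid 60m;
        include fastcgi_params;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        access_log off;
        log_not_found off;
    }

    # --- Coarse request blocklist -------------------------------------------
    # These patterns only catch the most naive scanner traffic. They run against
    # the raw, still-percent-encoded $query_string, so encoded variants pass
    # straight through; treat them as noise reduction, not as a WAF. Matching is
    # case-insensitive (~*) so that e.g. "UNION SELECT" is not a free bypass.

    ## Block file injections
    set $block_file_injections 0;
    if ($query_string ~* "[a-zA-Z0-9_]=https?://") {
        set $block_file_injections 1;
    }
    if ($query_string ~* "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~* "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 403;
    }

    ## Block SQL injections
    set $block_sql_injections 0;
    if ($query_string ~* "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~* "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~* "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 403;
    }

    ## Block common exploits
    set $block_common_exploits 0;
    if ($query_string ~* "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~* "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~* "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~* "proc/self/environ") {
        set $block_common_exploits 1;
    }
    if ($query_string ~* "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~* "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 403;
    }
}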