ubuntu-web-server/nginx-install
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
allan 2024-10-24 12:49:01 +02:00
commit 1d06a5c42a
52 changed files with 1810 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
LICENSE Normal file
View File

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2023 Allan Christensen
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

36
README.md Normal file
View File

@ -0,0 +1,36 @@
## Nginx Php-Fpm install script for Ubuntu 22.04 and 24.04 server.
### Prerequisites
Ubuntu 22.04 server or higher.
### Download the script
```
git clone https://git.x-files.dk/ubuntu-web-server/nginx-install.git
```
### Usage
cd nginx-install
sudo ./nginxinstall
### Nginx configuration contains the following
A directory called nginxsnippets located in /etc/nginx. This directory contains snippets for use with nginx in order to try and have as clean and readable configuration files as possible.
Cloudflare Real IP configuration. I order to see the proxied ip addresses when users are comming from cloudflare.
The default website answering on IP address is disabled and will send a 444 i.e drop the tcp connection this is by my design feal free to change it.
Bad Bots blocking file blocking CSP and SSL settings. Modify as you see fit.
Custom error pages. You can modify them to your needs they are residing in /etc/nginxsnippets/errorpages
### Notes
This setup is really doing some heavy lifting due the the enhanced caching that has been configured. If this turns out to be an issue just comment out the lines containing the caching configuration as well as opcache configuration in php.ini.
### Post install
Nothing to do.
### More guides
More guides can be found on [\[wiki.x-files.dk\]](https://wiki.x-files.dk)
### Last tested
October 19th 2024 on Ubuntu 24.04.

117
cfg-apps/dokuwiki.443.conf Normal file
View File

@ -0,0 +1,117 @@
##### Process http start #######################################################
server {
listen 80;
server_name DOMAIN;
server_tokens off;
return 301 https://DOMAIN$request_uri;
}
##### Process http stop ########################################################
##### Process https start ######################################################
server {
listen 443 ssl http2;
server_name DOMAIN;
server_tokens off;
root /var/www/html/DOMAIN;
index doku.php;
##### SSL configuration start ##############################################
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
# ssl_prefer_server_ciphers off;
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 8.8.4.4 8.8.8.8;
# resolver_timeout 5s;
# ssl_session_timeout 1d;
# ssl_session_tickets off;
# ssl_session_cache shared:SSL:10m;
# ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
# ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
##### SSL configuration stop ###############################################
##### XSS headers start ####################################################
# add_header X-Frame-Options DENY;
# add_header X-Frame-Options SAMEORIGIN;
# add_header X-Content-Type-Options nosniff;
# add_header X-XSS-Protection "1; mode=block";
# add_header Permissions-Policy interest-cohort=();
# add_header Content-Security-Policy "default-src 'self'";
# add_header Referrer-Policy strict-origin-when-cross-origin;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
##### XSS headers stop #####################################################
##### Optional include custom Error pages start ############################
include /etc/nginx/nginxsnippets/custom-errors.conf;
##### Optional include custom Error pages stop #############################
##### Optional disable gzip start ##########################################
# gzip off;
##### Optional disable gzip stop ###########################################
##### Optional disable access log start ####################################
# access_log off;
##### Optional disable access log stop #####################################
##### Block Bad referers and bad bots start ################################
if ($bad_referer) { return 444; }
if ($bad_user_agent) { return 444; }
##### Block Bad referers and bad bots stop #################################
##### Optional stuff start #################################################
# include /etc/nginx/nginxsnippets/block-engines.conf;
include /etc/nginx/nginxsnippets/log-exclude.conf;
include /etc/nginx/nginxsnippets/block-htaccess.conf;
include /etc/nginx/nginxsnippets/block-file-access.conf;
##### Optional stuff stop ##################################################
##### Enable fastcgi cache start ###########################################
set $skip_cache 0;
##### Enable fastcgi cache stop ############################################
##### Process content start ################################################
location / {
# include /etc/nginx/nginxsnippets/block-engines.conf;
include /etc/nginx/nginxsnippets/log-exclude.conf;
include /etc/nginx/nginxsnippets/block-file-access.conf;
include /etc/nginx/nginxsnippets/block-htaccess.conf;
try_files $uri $uri/ @dokuwiki;
}
##### Process content stop #################################################
# Dokuwiki hardening start #################################################
# Uncomment these 2 lines containing "location" after dokuwiki is installed
# ||
# \/
# location ~ /(data|conf|bin|inc|vendor)/ { deny all; }
# location ~ /install.php { deny all; }
# /\
# ||
# Uncomment these 2 lines containing "location" after dokuwiki is installed
# Dokuwiki hardening stop ##################################################
##### Dokuwiki specific start ##############################################
location @dokuwiki {
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1&$args last;
}
##### Dokuwiki specific stop ###############################################
##### Process php start ####################################################
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;
include /etc/nginx/nginxsnippets/microcache.conf;
}
##### Process php stop #####################################################
##### Cache js css static content and open files start #####################
# include /etc/nginx/nginxsnippets/cache-open-files.conf;
include /etc/nginx/nginxsnippets/cache-statics.conf;
include /etc/nginx/nginxsnippets/cache-js-css.conf;
##### Cache js css static content and open files stop ######################
}
##### Process https stop #######################################################

81
cfg-apps/dokuwiki.80.conf Normal file
View File

@ -0,0 +1,81 @@
##### Process http start #######################################################
server {
listen 80;
server_name DOMAIN;
server_tokens off;
root /var/www/html/DOMAIN;
index doku.php;
##### Optional include custom Error pages start ############################
include /etc/nginx/nginxsnippets/custom-errors.conf;
##### Optional include custom Error pages stop #############################
##### Optional disable gzip start ##########################################
# gzip off;
##### Optional disable gzip stop ###########################################
##### Optional disable access log start ####################################
# access_log off;
##### Optional disable access log stop #####################################
##### Block Bad referers and bad bots start ################################
if ($bad_referer) { return 444; }
if ($bad_user_agent) { return 444; }
##### Block Bad referers and bad bots stop #################################
##### Optional stuff start #################################################
# include /etc/nginx/nginxsnippets/block-engines.conf;
include /etc/nginx/nginxsnippets/log-exclude.conf;
include /etc/nginx/nginxsnippets/block-htaccess.conf;
include /etc/nginx/nginxsnippets/block-file-access.conf;
##### Optional stuff stop ##################################################
##### Enable fastcgi cache start ###########################################
set $skip_cache 0;
##### Enable fastcgi cache stop ############################################
##### Process content start ################################################
location / {
# include /etc/nginx/nginxsnippets/block-engines.conf;
include /etc/nginx/nginxsnippets/log-exclude.conf;
include /etc/nginx/nginxsnippets/block-file-access.conf;
include /etc/nginx/nginxsnippets/block-htaccess.conf;
try_files $uri $uri/ @dokuwiki;
}
##### Process content stop #################################################
# Dokuwiki hardening start #################################################
# Uncomment these 2 lines containing "location" after dokuwiki is installed
# ||
# \/
# location ~ /(data|conf|bin|inc|vendor)/ { deny all; }
# location ~ /install.php { deny all; }
# /\
# ||
# Uncomment these 2 lines containing "location" after dokuwiki is installed
# Dokuwiki hardening stop ##################################################
##### Dokuwiki specific start ##############################################
location @dokuwiki {
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1&$args last;
}
##### Dokuwiki specific stop ###############################################
##### Process php start ####################################################
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;
include /etc/nginx/nginxsnippets/microcache.conf;
}
##### Process php stop #####################################################
##### Cache js css static content and open files start #####################
# include /etc/nginx/nginxsnippets/cache-open-files.conf;
include /etc/nginx/nginxsnippets/cache-statics.conf;
include /etc/nginx/nginxsnippets/cache-js-css.conf;
##### Cache js css static content and open files stop ######################
}
##### Process http stop ########################################################

94
cfg-apps/example.443.conf Normal file
View File

@ -0,0 +1,94 @@
##### Process http start #######################################################
server {
listen 80;
server_name DOMAIN;
return 301 https://DOMAIN$request_uri;
server_tokens off;
}
##### Process http stop ########################################################
##### Process https start ######################################################
server {
listen 443 ssl http2;
server_name DOMAIN;
server_tokens off;
root /var/www/html/DOMAIN;
index index.php index.html;
##### SSL configuration start ##############################################
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
# ssl_prefer_server_ciphers off;
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 8.8.4.4 8.8.8.8;
# resolver_timeout 5s;
# ssl_session_timeout 1d;
# ssl_session_tickets off;
# ssl_session_cache shared:SSL:10m;
# ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
# ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
##### SSL configuration stop ###############################################
##### XSS headers start ####################################################
# add_header X-Frame-Options DENY;
# add_header X-Frame-Options SAMEORIGIN;
# add_header X-Content-Type-Options nosniff;
# add_header X-XSS-Protection "1; mode=block";
# add_header Permissions-Policy interest-cohort=();
# add_header Content-Security-Policy "default-src 'self'";
# add_header Referrer-Policy strict-origin-when-cross-origin;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
##### XSS headers stop #####################################################
##### Optional include custom Error pages start ############################
include /etc/nginx/nginxsnippets/custom-errors.conf;
##### Optional include custom Error pages stop #############################
##### Optional disable gzip start ##########################################
# gzip off;
##### Optional disable gzip stop ###########################################
##### Optional disable access log start ####################################
# access_log off;
##### Optional disable access log stop #####################################
##### Block Bad referers and bad bots start ################################
if ($bad_referer) { return 444; }
if ($bad_user_agent) { return 444; }
##### Block Bad referers and bad bots stop #################################
##### Optional stuff start #################################################
# include /etc/nginx/nginxsnippets/block-engines.conf;
include /etc/nginx/nginxsnippets/log-exclude.conf;
include /etc/nginx/nginxsnippets/block-htaccess.conf;
include /etc/nginx/nginxsnippets/block-file-access.conf;
##### Optional stuff stop ##################################################
##### Enable fastcgi cache start ###########################################
set $skip_cache 0;
##### Enable fastcgi cache stop ############################################
##### Process content start ################################################
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
##### Process content stop #################################################
##### Process php start ####################################################
location ~ \.php$ {
# include /etc/nginx/nginxsnippets/proxyheader.conf;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;
include /etc/nginx/nginxsnippets/microcache.conf;
}
##### Process php stop #####################################################
##### Cache js css static content and open files start #####################
include /etc/nginx/nginxsnippets/cache-open-files.conf;
include /etc/nginx/nginxsnippets/cache-statics.conf;
include /etc/nginx/nginxsnippets/cache-js-css.conf;
##### Cache js css static content and open files stop ######################
}
##### Process https stop #######################################################

58
cfg-apps/example.80.conf Normal file
View File

@ -0,0 +1,58 @@
##### Process http start #######################################################
server {
listen 80;
server_name DOMAIN;
server_tokens off;
root /var/www/html/DOMAIN;
index index.php index.html;
##### Optional include custom Error pages start ############################
include /etc/nginx/nginxsnippets/custom-errors.conf;
##### Optional include custom Error pages stop #############################
##### Optional disable gzip start ##########################################
# gzip off;
##### Optional disable gzip stop ###########################################
##### Optional disable access log start ####################################
# access_log off;
##### Optional disable access log stop #####################################
##### Block Bad referers and bad bots start ################################
if ($bad_referer) { return 444; }
if ($bad_user_agent) { return 444; }
##### Block Bad referers and bad bots stop #################################
##### Optional stuff start #################################################
# include /etc/nginx/nginxsnippets/block-engines.conf;
include /etc/nginx/nginxsnippets/log-exclude.conf;
include /etc/nginx/nginxsnippets/block-htaccess.conf;
include /etc/nginx/nginxsnippets/block-file-access.conf;
##### Optional stuff stop ##################################################
##### Enable fastcgi cache start ###########################################
set $skip_cache 0;
##### Enable fastcgi cache stop ############################################
##### Process content start ################################################
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
##### Process content stop #################################################
##### Process php start ####################################################
location ~ \.php$ {
# include /etc/nginx/nginxsnippets/proxyheader.conf;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;
include /etc/nginx/nginxsnippets/microcache.conf;
}
##### Process php stop #####################################################
##### Cache js css static content and open files start #####################
include /etc/nginx/nginxsnippets/cache-open-files.conf;
include /etc/nginx/nginxsnippets/cache-statics.conf;
include /etc/nginx/nginxsnippets/cache-js-css.conf;
##### Cache js css static content and open files stop ######################
}
##### Process http stop ########################################################

125
cfg-apps/focalboard.443.conf Normal file
View File

@ -0,0 +1,125 @@
##### Define upstream start ####################################################
upstream focalboard {
server localhost:8000;
keepalive 32;
}
##### Define upstream stop #####################################################
##### Process http start #######################################################
server {
listen 80;
server_name DOMAIN;
return 301 https://DOMAIN$request_uri;
server_tokens off;
}
##### Process http stop ########################################################
##### Process https start ######################################################
server {
listen 443 ssl http2;
server_name DOMAIN;
server_tokens off;
##### SSL configuration start ##############################################
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
# ssl_prefer_server_ciphers off;
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 8.8.4.4 8.8.8.8;
# resolver_timeout 5s;
# ssl_session_timeout 1d;
# ssl_session_tickets off;
# ssl_session_cache shared:SSL:10m;
# ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
# ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
##### SSL configuration stop ###############################################
##### XSS headers start ####################################################
# add_header X-Frame-Options DENY;
# add_header X-Frame-Options SAMEORIGIN;
# add_header X-Content-Type-Options nosniff;
# add_header X-XSS-Protection "1; mode=block";
# add_header Permissions-Policy interest-cohort=();
# add_header Content-Security-Policy "default-src 'self'";
# add_header Referrer-Policy strict-origin-when-cross-origin;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
##### XSS headers stop #####################################################
##### Optional include custom Error pages start ############################
include /etc/nginx/nginxsnippets/custom-errors.conf;
##### Optional include custom Error pages stop #############################
##### Optional disable gzip start ##########################################
# gzip off;
##### Optional disable gzip stop ###########################################
##### Optional disable access log start ####################################
# access_log off;
##### Optional disable access log stop #####################################
##### Block Bad referers and bad bots start ################################
if ($bad_referer) { return 444; }
if ($bad_user_agent) { return 444; }
##### Block Bad referers and bad bots stop #################################
##### Optional stuff start #################################################
# include /etc/nginx/nginxsnippets/block-engines.conf;
include /etc/nginx/nginxsnippets/log-exclude.conf;
include /etc/nginx/nginxsnippets/block-htaccess.conf;
include /etc/nginx/nginxsnippets/block-file-access.conf;
##### Optional stuff stop ##################################################
##### Enable fastcgi cache start ###########################################
set $skip_cache 0;
##### Enable fastcgi cache stop ############################################
##### Process content start ################################################
location ~ /ws/* {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 1d;
proxy_send_timeout 1d;
proxy_read_timeout 1d;
proxy_pass http://focalboard;
}
location / {
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_http_version 1.1;
proxy_pass http://focalboard;
}
##### Process content stop #################################################
##### Cache js css static content and open files start #####################
include /etc/nginx/nginxsnippets/cache-open-files.conf;
include /etc/nginx/nginxsnippets/cache-statics.conf;
include /etc/nginx/nginxsnippets/cache-js-css.conf;
##### Cache js css static content and open files stop ######################
}
##### Process https stop ######################################################

89
cfg-apps/focalboard.80.conf Normal file
View File

@ -0,0 +1,89 @@
##### Define upstream start ####################################################
upstream focalboard {
server localhost:8000;
keepalive 32;
}
##### Define upstream stop #####################################################
##### Process http start #######################################################
server {
listen 80;
server_name DOMAIN;
server_tokens off;
##### Optional include custom Error pages start ############################
include /etc/nginx/nginxsnippets/custom-errors.conf;
##### Optional include custom Error pages stop #############################
##### Optional disable gzip start ##########################################
# gzip off;
##### Optional disable gzip stop ###########################################
##### Optional disable access log start ####################################
# access_log off;
##### Optional disable access log stop #####################################
##### Block Bad referers and bad bots start ################################
if ($bad_referer) { return 444; }
if ($bad_user_agent) { return 444; }
##### Block Bad referers and bad bots stop #################################
##### Optional stuff start #################################################
# include /etc/nginx/nginxsnippets/block-engines.conf;
include /etc/nginx/nginxsnippets/log-exclude.conf;
include /etc/nginx/nginxsnippets/block-htaccess.conf;
include /etc/nginx/nginxsnippets/block-file-access.conf;
##### Optional stuff stop ##################################################
##### Enable fastcgi cache start ###########################################
set $skip_cache 0;
##### Enable fastcgi cache stop ############################################
##### Process content start ################################################
location ~ /ws/* {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 1d;
proxy_send_timeout 1d;
proxy_read_timeout 1d;
proxy_pass http://focalboard;
}
location / {
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_http_version 1.1;
proxy_pass http://focalboard;
}
##### Process content stop #################################################
##### Cache js css static content and open files start #####################
include /etc/nginx/nginxsnippets/cache-open-files.conf;
include /etc/nginx/nginxsnippets/cache-statics.conf;
include /etc/nginx/nginxsnippets/cache-js-css.conf;
##### Cache js css static content and open files stop ######################
}
##### Process http stop #######################################################

88
cfg-apps/gitea.443.conf Normal file
View File

@ -0,0 +1,88 @@
##### Process http start #######################################################
server {
listen 80;
server_name DOMAIN;
return 301 https://DOMAIN$request_uri;
server_tokens off;
}
##### Process http stop ########################################################
##### Process https start ######################################################
server {
listen 443 ssl http2;
server_name DOMAIN;
server_tokens off;
##### SSL configuration start ##############################################
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
# ssl_prefer_server_ciphers off;
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 8.8.4.4 8.8.8.8;
# resolver_timeout 5s;
# ssl_session_timeout 1d;
# ssl_session_tickets off;
# ssl_session_cache shared:SSL:10m;
# ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
# ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
##### SSL configuration stop ###############################################
##### XSS headers start ####################################################
# add_header X-Frame-Options DENY;
# add_header X-Frame-Options SAMEORIGIN;
# add_header X-Content-Type-Options nosniff;
# add_header X-XSS-Protection "1; mode=block";
# add_header Permissions-Policy interest-cohort=();
# add_header Content-Security-Policy "default-src 'self'";
# add_header Referrer-Policy strict-origin-when-cross-origin;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
##### XSS headers stop #####################################################
##### Optional include custom Error pages start ############################
include /etc/nginx/nginxsnippets/custom-errors.conf;
##### Optional include custom Error pages stop #############################
##### Optional disable gzip start ##########################################
# gzip off;
##### Optional disable gzip stop ###########################################
##### Optional disable access log start ####################################
# access_log off;
##### Optional disable access log stop #####################################
##### Block Bad referers and bad bots start ################################
if ($bad_referer) { return 444; }
if ($bad_user_agent) { return 444; }
##### Block Bad referers and bad bots stop #################################
##### Optional stuff start #################################################
# include /etc/nginx/nginxsnippets/block-engines.conf;
# include /etc/nginx/nginxsnippets/log-exclude.conf;
location = /.env { access_log off; log_not_found off; }
location = /favicon.ico { access_log off; log_not_found off; }
include /etc/nginx/nginxsnippets/block-htaccess.conf;
include /etc/nginx/nginxsnippets/block-file-access.conf;
##### Optional stuff stop ##################################################
##### Enable fastcgi cache start ###########################################
set $skip_cache 0;
##### Enable fastcgi cache stop ############################################
##### Process content start ################################################
location / {
# include /etc/nginx/nginxsnippets/proxyheader.conf;
# proxy_set_header Host $host; # May fix som proxy issues
# proxy_ssl_verify off; # Disable cert check with internal proxy
proxy_pass http://127.0.0.1:3000;
}
##### Process content stop #################################################
##### Cache js css static content and open files start #####################
include /etc/nginx/nginxsnippets/cache-open-files.conf;
include /etc/nginx/nginxsnippets/cache-statics.conf;
include /etc/nginx/nginxsnippets/cache-js-css.conf;
##### Cache js css static content and open files stop ######################
}
##### Process https stop #######################################################

52
cfg-apps/gitea.80.conf Normal file
View File

@ -0,0 +1,52 @@
##### Process http start #######################################################
server {
listen 80;
server_name DOMAIN;
server_tokens off;
##### Optional include custom Error pages start ############################
include /etc/nginx/nginxsnippets/custom-errors.conf;
##### Optional include custom Error pages stop #############################
##### Optional disable gzip start ##########################################
# gzip off;
##### Optional disable gzip stop ###########################################
##### Optional disable access log start ####################################
# access_log off;
##### Optional disable access log stop #####################################
##### Block Bad referers and bad bots start ################################
if ($bad_referer) { return 444; }
if ($bad_user_agent) { return 444; }
##### Block Bad referers and bad bots stop #################################
##### Optional stuff start #################################################
# include /etc/nginx/nginxsnippets/block-engines.conf;
# include /etc/nginx/nginxsnippets/log-exclude.conf;
location = /.env { access_log off; log_not_found off; }
location = /favicon.ico { access_log off; log_not_found off; }
include /etc/nginx/nginxsnippets/block-htaccess.conf;
include /etc/nginx/nginxsnippets/block-file-access.conf;
##### Optional stuff stop ##################################################
##### Enable fastcgi cache start ###########################################
set $skip_cache 0;
##### Enable fastcgi cache stop ############################################
##### Process content start ################################################
location / {
# include /etc/nginx/nginxsnippets/proxyheader.conf;
# proxy_set_header Host $host; # May fix som proxy issues
# proxy_ssl_verify off; # Disable cert check with internal proxy
proxy_pass http://127.0.0.1:3000;
}
##### Process content stop #################################################
##### Cache js css static content and open files start #####################
include /etc/nginx/nginxsnippets/cache-open-files.conf;
include /etc/nginx/nginxsnippets/cache-statics.conf;
# Optional include /etc/nginx/nginxsnippets/cache-js-css.conf;
##### Cache js css static content and open files stop ######################
}
##### Process http stop ########################################################

98
cfg-apps/wordpress.443.conf Normal file
View File

@ -0,0 +1,98 @@
##### Process http start #######################################################
server {
listen 80;
server_name DOMAIN;
return 301 https://DOMAIN$request_uri;
server_tokens off;
}
##### Process http stop ########################################################
##### Process https start ######################################################
server {
listen 443 ssl http2;
server_name DOMAIN;
server_tokens off;
root /var/www/html/DOMAIN;
index index.php index.html;
##### SSL configuration start ##############################################
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
# ssl_prefer_server_ciphers off;
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 8.8.4.4 8.8.8.8;
# resolver_timeout 5s;
# ssl_session_timeout 1d;
# ssl_session_tickets off;
# ssl_session_cache shared:SSL:10m;
# ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
# ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
##### SSL configuration stop ###############################################
##### XSS headers start ####################################################
# add_header X-Frame-Options DENY;
# add_header X-Frame-Options SAMEORIGIN;
# add_header X-Content-Type-Options nosniff;
# add_header X-XSS-Protection "1; mode=block";
# add_header Permissions-Policy interest-cohort=();
# add_header Content-Security-Policy "default-src 'self'";
# add_header Referrer-Policy strict-origin-when-cross-origin;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
##### XSS headers stop #####################################################
##### Optional include custom Error pages start ############################
include /etc/nginx/nginxsnippets/custom-errors.conf;
##### Optional include custom Error pages stop #############################
##### Optional disable gzip start ##########################################
# gzip off;
##### Optional disable gzip stop ###########################################
##### Optional disable access log start ####################################
# access_log off;
##### Optional disable access log stop #####################################
##### Block Bad referers and bad bots start ################################
if ($bad_referer) { return 444; }
if ($bad_user_agent) { return 444; }
##### Block Bad referers and bad bots stop #################################
##### Optional stuff start #################################################
# include /etc/nginx/nginxsnippets/block-engines.conf;
include /etc/nginx/nginxsnippets/log-exclude.conf;
include /etc/nginx/nginxsnippets/block-htaccess.conf;
include /etc/nginx/nginxsnippets/block-file-access.conf;
##### Optional stuff stop ##################################################
##### Enable fastcgi cache start ###########################################
set $skip_cache 0;
##### Enable fastcgi cache stop ############################################
##### Process content start ################################################
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
##### Process content stop #################################################
##### Wordpress Hardeing start #############################################
include /etc/nginx/nginxsnippets/wphardening.conf;
##### Wordpress Hardeing stop ##############################################
##### Process php start ####################################################
location ~ \.php$ {
# include /etc/nginx/nginxsnippets/proxyheader.conf;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;
include /etc/nginx/nginxsnippets/microcache.conf;
}
##### Process php stop #####################################################
##### Cache js css static content and open files start #####################
include /etc/nginx/nginxsnippets/cache-open-files.conf;
include /etc/nginx/nginxsnippets/cache-statics.conf;
include /etc/nginx/nginxsnippets/cache-js-css.conf;
##### Cache js css static content and open files stop ######################
}
##### Process https stop #######################################################

62
cfg-apps/wordpress.80.conf Normal file
View File

@ -0,0 +1,62 @@
##### Process http start #######################################################
server {
listen 80;
server_name DOMAIN;
server_tokens off;
root /var/www/html/DOMAIN;
index index.php index.html;
##### Optional include custom Error pages start ############################
include /etc/nginx/nginxsnippets/custom-errors.conf;
##### Optional include custom Error pages stop #############################
##### Optional disable gzip start ##########################################
# gzip off;
##### Optional disable gzip stop ###########################################
##### Optional disable access log start ####################################
# access_log off;
##### Optional disable access log stop #####################################
##### Block Bad referers and bad bots start ################################
if ($bad_referer) { return 444; }
if ($bad_user_agent) { return 444; }
##### Block Bad referers and bad bots stop #################################
##### Optional stuff start #################################################
# include /etc/nginx/nginxsnippets/block-engines.conf;
include /etc/nginx/nginxsnippets/log-exclude.conf;
include /etc/nginx/nginxsnippets/block-htaccess.conf;
include /etc/nginx/nginxsnippets/block-file-access.conf;
##### Optional stuff stop ##################################################
##### Enable fastcgi cache start ###########################################
set $skip_cache 0;
##### Enable fastcgi cache stop ############################################
##### Process content start ################################################
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
##### Process content stop #################################################
##### Wordpress Hardeing start #############################################
include /etc/nginx/nginxsnippets/wphardening.conf;
##### Wordpress Hardeing stop ##############################################
##### Process php start ####################################################
location ~ \.php$ {
# include /etc/nginx/nginxsnippets/proxyheader.conf;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;
include /etc/nginx/nginxsnippets/microcache.conf;
}
##### Process php stop #####################################################
##### Cache js css static content and open files start #####################
include /etc/nginx/nginxsnippets/cache-open-files.conf;
include /etc/nginx/nginxsnippets/cache-statics.conf;
include /etc/nginx/nginxsnippets/cache-js-css.conf;
##### Cache js css static content and open files stop ######################
}
##### Process http stop ########################################################

122
cfg-apps/zabbix.443.conf Normal file
View File

@ -0,0 +1,122 @@
##### Process http start #######################################################
server {
listen 80;
server_name DOMAIN;
return 301 https://DOMAIN$request_uri;
server_tokens off;
}
##### Process http stop ########################################################
##### Process https start ######################################################
server {
listen 443 ssl http2;
server_name DOMAIN;
server_tokens off;
root /usr/share/zabbix;
index index.php;
##### SSL configuration start ##############################################
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
# ssl_prefer_server_ciphers off;
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 8.8.4.4 8.8.8.8;
# resolver_timeout 5s;
# ssl_session_timeout 1d;
# ssl_session_tickets off;
# ssl_session_cache shared:SSL:10m;
# ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
# ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
##### SSL configuration stop ###############################################
##### XSS headers start ####################################################
# add_header X-Frame-Options DENY;
# add_header X-Frame-Options SAMEORIGIN;
# add_header X-Content-Type-Options nosniff;
# add_header X-XSS-Protection "1; mode=block";
# add_header Permissions-Policy interest-cohort=();
# add_header Content-Security-Policy "default-src 'self'";
# add_header Referrer-Policy strict-origin-when-cross-origin;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
##### XSS headers stop #####################################################
##### Optional include custom Error pages start ############################
include /etc/nginx/nginxsnippets/custom-errors.conf;
##### Optional include custom Error pages stop #############################
##### Optional disable gzip start ##########################################
# gzip off;
##### Optional disable gzip stop ###########################################
##### Optional disable access log start ####################################
# access_log off;
##### Optional disable access log stop #####################################
##### Block Bad referers and bad bots start ################################
if ($bad_referer) { return 444; }
if ($bad_user_agent) { return 444; }
##### Block Bad referers and bad bots stop #################################
##### Optional stuff start #################################################
# include /etc/nginx/nginxsnippets/block-engines.conf;
include /etc/nginx/nginxsnippets/log-exclude.conf;
include /etc/nginx/nginxsnippets/block-htaccess.conf;
include /etc/nginx/nginxsnippets/block-file-access.conf;
##### Optional stuff stop ##################################################
##### Enable fastcgi cache start ###########################################
set $skip_cache 0;
##### Enable fastcgi cache stop ############################################
##### Misc content start ###################################################
location / {
try_files $uri $uri/ =404;
}
location /assets {
access_log off;
expires 10d;
}
location ~ /(api\/|conf[^\.]|include|locale) {
deny all;
return 404;
}
##### Misc content stop ####################################################
##### Process php ##########################################################
location ~ [^/]\.php(/|$) {
fastcgi_pass unix:/var/run/php/zabbix.sock;
fastcgi_param DOCUMENT_ROOT /usr/share/zabbix;
fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name;
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
##### Process php ##########################################################
##### Cache js css and all statics start ###################################
include /etc/nginx/nginxsnippets/cache-open-files.conf;
include /etc/nginx/nginxsnippets/cache-statics.conf;
include /etc/nginx/nginxsnippets/cache-js-css.conf;
##### Cache js css and all statics stop ####################################
}
##### Process https start ######################################################

86
cfg-apps/zabbix.80.conf Normal file
View File

@ -0,0 +1,86 @@
##### Process http start #######################################################
server {
listen 80;
server_name DOMAIN;
server_tokens off;
root /usr/share/zabbix;
index index.php;
##### Optional include custom Error pages start ############################
include /etc/nginx/nginxsnippets/custom-errors.conf;
##### Optional include custom Error pages stop #############################
##### Optional disable gzip start ##########################################
# gzip off;
##### Optional disable gzip stop ###########################################
##### Optional disable access log start ####################################
# access_log off;
##### Optional disable access log stop #####################################
##### Block Bad referers and bad bots start ################################
if ($bad_referer) { return 444; }
if ($bad_user_agent) { return 444; }
##### Block Bad referers and bad bots stop #################################
##### Optional stuff start #################################################
# include /etc/nginx/nginxsnippets/block-engines.conf;
include /etc/nginx/nginxsnippets/log-exclude.conf;
include /etc/nginx/nginxsnippets/block-htaccess.conf;
include /etc/nginx/nginxsnippets/block-file-access.conf;
##### Optional stuff stop ##################################################
##### Enable fastcgi cache start ###########################################
set $skip_cache 0;
##### Enable fastcgi cache stop ############################################
##### Misc content start ###################################################
location / {
try_files $uri $uri/ =404;
}
location /assets {
access_log off;
expires 10d;
}
location ~ /(api\/|conf[^\.]|include|locale) {
deny all;
return 404;
}
##### Misc content stop ####################################################
##### Process php ##########################################################
location ~ [^/]\.php(/|$) {
fastcgi_pass unix:/var/run/php/zabbix.sock;
fastcgi_param DOCUMENT_ROOT /usr/share/zabbix;
fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name;
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
##### Process php ##########################################################
##### Cache js css and all statics start ###################################
include /etc/nginx/nginxsnippets/cache-open-files.conf;
include /etc/nginx/nginxsnippets/cache-statics.conf;
include /etc/nginx/nginxsnippets/cache-js-css.conf;
##### Cache js css and all statics stop ####################################
}
##### Process http start #######################################################

12
cfg/default Normal file
View File

@ -0,0 +1,12 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
server_tokens off;
root /var/www/html/default;
index index.html index.htm;
server_name _;
location / {
return 444;
try_files $uri $uri/ =404;
}
}

98
cfg/nginx.conf Normal file
View File

@ -0,0 +1,98 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
##### BASIC SETTINGS ####################### LAST UPDATED 08022021 #####
#
port_in_redirect off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
keepalive_requests 100;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
client_body_buffer_size 10K;
client_header_buffer_size 4k;
client_max_body_size 50m;
large_client_header_buffers 2 4k;
client_body_timeout 10;
client_header_timeout 10;
send_timeout 2;
reset_timedout_connection on;
#
##### BASIC SETTINGS ####################### LAST UPDATED 08022021 #####
##### SSL SETTINGS ######################### LAST UPDATED 08022021 #####
#
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
#
##### SSL SETTINGS ######################### LAST UPDATED 08022021 #####
##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 #####
include /etc/nginx/nginxsnippets/cloudflare.conf;
##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 #####
# BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 #####
include /etc/nginx/nginxsnippets/block-referer.conf;
include /etc/nginx/nginxsnippets/block-bots.conf;
# BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 #####
##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 #####
include /etc/nginx/nginxsnippets/log.conf;
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log crit;
access_log on;
log_not_found off;
#
##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 #####
##### GZIP SETTINGS ######################## LAST UPDATED 08022021 #####
#
include /etc/nginx/nginxsnippets/gzipconfig.conf;
#
##### GZIP SETTINGS ######################## LAST UPDATED 08022021 #####
##### CACHE SETTINGS ####################### LAST UPDATED 08022021 #####
#
# open_file_cache max=10000 inactive=20s;
# open_file_cache_valid 30s;
# open_file_cache_min_uses 2;
# open_file_cache_errors on;
#
##### CACHE SETTINGS ####################### LAST UPDATED 08022021 #####
##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 #####
#
upstream php-fpm {
server unix:/var/run/php/phpVERSION-fpm.sock;
}
fastcgi_read_timeout 300;
fastcgi_cache_path /var/cache/nginx/fcgi levels=1:2 keys_zone=microcache:10m max_size=1024m inactive=1h;
#
##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 #####
##### VHOST SETTINGS ####################### LAST UPDATED 08022021 #####
#
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
include /etc/nginx/static-sites/*.conf;
#
##### VHOST SETTINGS ####################### LAST UPDATED 08022021 #####
}

99
cfg/nginx.conf.high.perf Normal file
View File

@ -0,0 +1,99 @@
user www-data;
worker_processes auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 8000;
use epoll;
multi_accept on;
}
http {
##### BASIC SETTINGS ####################### LAST UPDATED 08022021 #####
#
port_in_redirect off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
keepalive_requests 100;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
client_body_buffer_size 10K;
client_header_buffer_size 4k;
client_max_body_size 50m;
large_client_header_buffers 2 4k;
client_body_timeout 10;
client_header_timeout 10;
send_timeout 2;
reset_timedout_connection on;
#
##### BASIC SETTINGS ####################### LAST UPDATED 08022021 #####
##### SSL SETTINGS ######################### LAST UPDATED 08022021 #####
#
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
#
##### SSL SETTINGS ######################### LAST UPDATED 08022021 #####
##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 #####
include /etc/nginx/nginxsnippets/cloudflare.conf;
##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 #####
# BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 #####
include /etc/nginx/nginxsnippets/block-referer.conf;
include /etc/nginx/nginxsnippets/block-bots.conf;
# BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 #####
##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 #####
include /etc/nginx/nginxsnippets/log.conf;
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log crit;
access_log on;
log_not_found off;
#
##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 #####
##### GZIP SETTINGS ######################## LAST UPDATED 08022021 #####
#
include /etc/nginx/nginxsnippets/gzipconfig.conf;
#
##### GZIP SETTINGS ######################## LAST UPDATED 08022021 #####
##### CACHE SETTINGS ####################### LAST UPDATED 08022021 #####
#
open_file_cache max=10000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
#
##### CACHE SETTINGS ####################### LAST UPDATED 08022021 #####
##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 #####
#
upstream php-fpm {
server unix:/var/run/php/phpVERSION-fpm.sock;
}
fastcgi_read_timeout 300;
fastcgi_cache_path /var/cache/nginx/fcgi levels=1:2 keys_zone=microcache:10m max_size=1024m inactive=1h;
#
##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 #####
##### VHOST SETTINGS ####################### LAST UPDATED 08022021 #####
#
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
include /etc/nginx/static-sites/*.conf;
#
##### VHOST SETTINGS ####################### LAST UPDATED 08022021 #####
}

102
nginxinstall Executable file
View File

@ -0,0 +1,102 @@
#!/bin/bash
########################################################################
# First Created: 17032021 Author: Allan Desc: Installs Nginx on Ubuntu #
########################################################################
#
# Are we root
#
if [[ $(id -u) -ne 0 ]]; then echo "" && echo "Must be root or use sudo" && echo "" ; exit 1; fi
#
# Are we in the right directory
#
scriptdir="nginx-install" && whereami=$(pwd |awk -F'/' '{print $NF}')
if [ $whereami != $scriptdir ]; then printf "\nWrong directory! Script must be run from $scriptdir\n\n" ; exit 1; fi
#
# Define variables and functions
#
line (){ for i in {1..50}; do echo -n "$1"; done && printf "\n"; }
#
# Function title
#
title () { printf "\nNginx install script V1.3\n\n"; }
#
# Function to check if a service is already running or not
#
serviceyes () { printf "\n$service is allready running cannot continue...\n\n"; }
servicealive () { status=$(systemctl is-active $service); if [[ "$status" == "active" ]]; then serviceyes ; exit; fi; }
#
# If Nginx is allready running then die
#
service="nginx" ; servicealive
#
# Display title
#
clear ; title
#
# Install and configure Nginx
#
apt install -y nginx
nginxfiles="/etc/nginx/nginxsnippets"
nginxconf="cfg"
rm /var/www/html/index.nginx-debian.html > /dev/null 2>&1
rm /etc/nginx/snippets/snakeoil.conf > /dev/null 2>&1
mkdir -p /var/cache/nginx/fcgi
#
# Copy Nginx snippets to Nginx directory i.e snippet code blocks and custom error pages
#
cp -R nginxsnippets $nginxfiles
#
# Install php php-fpm and configure nginx with standard config files
#
apt install -y php-fpm php-curl php-dom php-gd php-imagick php-ldap php-mbstring php-mysql php-pear php-soap php-xml php-zip
#
# Configure Nginx
#
phpver=$(php -v |head -1 |awk -F'.' '{print $1"."$2}' |sed 's/PHP //')
phpfpm="php$phpver-fpm" ; phpclidir="/etc/php/$phpver/cli" ; phpfpmdir="/etc/php/$phpver/fpm" ; socket="php$phpver"
#
# Adjusting a few nginx config files to match the installed php version before moving them to the right place
#
sed -i "s/VERSION/$phpver/" $nginxconf/nginx.conf
sed -i "s/VERSION/$phpver/" $nginxconf/nginx.conf.high.perf
sed -i "s/VERSION/$phpver/" $nginxfiles/wphardening.conf
cp $phpclidir/php.ini $phpclidir/php.ini.orig
cp $phpfpmdir/php.ini $phpfpmdir/php.ini.orig
cp $nginxconf/nginx.conf /etc/nginx
cp $nginxconf/nginx.conf.high.perf /etc/nginx
cp $nginxconf/default /etc/nginx/sites-available/default
#
# Creating a high performance www.conf file for optional later use
#
cp /etc/php/$phpver/fpm/pool.d/www.conf /etc/nginx/www.conf.high.perf
sed -i "s/pm.max_children = 5/pm.max_children = 50/" /etc/nginx/www.conf.high.perf
sed -i "s/pm.start_servers = 2/pm.start_servers = 15/" /etc/nginx/www.conf.high.perf
sed -i "s/pm.max_spare_servers = 3/pm.max_spare_servers = 10/" /etc/nginx/www.conf.high.perf
sed -i "s/;pm.process_idle_timeout = 10s/pm.process_idle_timeout = 10s/" /etc/nginx/www.conf.high.perf
sed -i "s/;pm.process_idle_timeout = 10s/pm.process_idle_timeout = 10s/" /etc/nginx/www.conf.high.perf
sed -i "s/;pm.max_requests = 500/pm.max_requests = 500/" /etc/nginx/www.conf.high.perf
#
# Adjusting php.ini with stuff I usually forget
#
sed -i 's/;max_input_vars = 1000/max_input_vars = 3000/' $phpclidir/php.ini
sed -i 's/;max_input_vars = 1000/max_input_vars = 3000/' $phpfpmdir/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 20M/' $phpfpmdir/php.ini
sed -i 's/;date.timezone =/date.timezone = Europe\/Copenhagen/' $phpclidir/php.ini
sed -i 's/;date.timezone =/date.timezone = Europe\/Copenhagen/' $phpfpmdir/php.ini
#
# Create directory for static websites that don't change much
#
mkdir /etc/nginx/static-sites
#
# Restart Nginx and Php-Fpm
#
systemctl restart $phpfpm && systemctl restart nginx
#
# All done
#
clear ; printf "\n" ; line '-' ; printf "All Done...\n" ; line '-' ; printf "\n"
#
# End of script
#

15
nginxsnippets/block-bots.conf Normal file
View File

@ -0,0 +1,15 @@
map $http_user_agent $bad_user_agent {
default 0;
"~*backdoor" 1;
"~LieBaoFast" 1;
"~AhrefsBot" 1;
"~DotBot" 1;
"~MauiBot" 1;
"~MJ12Bot" 1;
"~PetalBot" 1;
"~PetalBot" 1;
"~SEMrushBot" 1;
"~UCBrowser" 1;
}

1
nginxsnippets/block-engines.conf Normal file
View File

@ -0,0 +1 @@
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

8
nginxsnippets/block-file-access.conf Normal file
View File

@ -0,0 +1,8 @@
location ~ /\.git {
deny all;
return 404;
}
location ~ (\.aws$|\.cgi$|\.env$|\.perl$|\.pl$|\.py$|\.sh$) {
return 444;
}

4
nginxsnippets/block-htaccess.conf Normal file
View File

@ -0,0 +1,4 @@
location ~ /\.ht {
deny all;
return 404;
}

32
nginxsnippets/block-referer.conf Normal file
View File

@ -0,0 +1,32 @@
map $http_referer $bad_referer {
hostnames;
default 0;
"~binance.com" 1;
"~social-buttons.com" 1;
"~semalt.com" 1;
"~kambasoft.com" 1;
"~savetubevideo.com" 1;
"~descargar-musica-gratis.net" 1;
"~7makemoneyonline.com" 1;
"~baixar-musicas-gratis.com" 1;
"~iloveitaly.com" 1;
"~ilovevitaly.ru" 1;
"~fbdownloader.com" 1;
"~econom.co" 1;
"~buttons-for-website.com" 1;
"~buttons-for-your-website.com" 1;
"~srecorder.co" 1;
"~darodar.com" 1;
"~priceg.com" 1;
"~blackhatworth.com" 1;
"~adviceforum.info" 1;
"~hulfingtonpost.com" 1;
"~best-seo-solution.com" 1;
"~googlsucks.com" 1;
"~theguardlan.com" 1;
"~i-x.wiki" 1;
"~buy-cheap-online.info" 1;
"~Get-Free-Traffic-Now.com" 1;
}

4
nginxsnippets/cache-js-css.conf Normal file
View File

@ -0,0 +1,4 @@
location ~* ^.+\.(css|js)$ {
expires 1y;
add_header Cache-Control "max-age=31600000, public";
}

4
nginxsnippets/cache-open-files.conf Normal file
View File

@ -0,0 +1,4 @@
open_file_cache max=10000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;

6
nginxsnippets/cache-statics.conf Normal file
View File

@ -0,0 +1,6 @@
location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
expires max;
add_header Cache-Control "public";
access_log off;
log_not_found off;
}

27
nginxsnippets/cloudflare.conf Normal file
View File

@ -0,0 +1,27 @@
# - IPv4
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
# - IPv6
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
real_ip_header CF-Connecting-IP;

33
nginxsnippets/custom-errors.conf Normal file
View File

@ -0,0 +1,33 @@
error_page 400 /custom_400.html;
location = /custom_400.html { root /etc/nginx/nginxsnippets/errorpages; }
location = /custom_400.png { root /etc/nginx/nginxsnippets/errorpages; }
error_page 401 /custom_401.html;
location = /custom_401.html { root /etc/nginx/nginxsnippets/errorpages; }
location = /custom_401.png { root /etc/nginx/nginxsnippets/errorpages; }
error_page 403 /custom_403.html;
location = /custom_403.html { root /etc/nginx/nginxsnippets/errorpages; }
location = /custom_403.png { root /etc/nginx/nginxsnippets/errorpages; }
error_page 404 /custom_404.html;
location = /custom_404.html { root /etc/nginx/nginxsnippets/errorpages; }
location = /custom_404.png { root /etc/nginx/nginxsnippets/errorpages; }
error_page 500 /custom_500.html;
location = /custom_500.html { root /etc/nginx/nginxsnippets/errorpages; }
location = /custom_500.png { root /etc/nginx/nginxsnippets/errorpages; }
error_page 502 /custom_502.html;
location = /custom_502.html { root /etc/nginx/nginxsnippets/errorpages; }
location = /custom_502.png { root /etc/nginx/nginxsnippets/errorpages; }
error_page 503 /custom_503.html;
location = /custom_503.html { root /etc/nginx/nginxsnippets/errorpages; }
location = /custom_503.png { root /etc/nginx/nginxsnippets/errorpages; }
error_page 504 /custom_504.html;
location = /custom_504.html { root /etc/nginx/nginxsnippets/errorpages; }
location = /custom_504.png { root /etc/nginx/nginxsnippets/errorpages; }
location = /custom_error.css { root /etc/nginx/nginxsnippets/errorpages; }

18
nginxsnippets/errorpages/custom_400.html Normal file
View File

@ -0,0 +1,18 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>400 Bad Request</title>
<link rel="stylesheet" href="custom_error.css">
</head>
<body>
<div class="center">
<img src="custom_400.png" alt="400">
</div>
</body>
</html>

BIN
nginxsnippets/errorpages/custom_400.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

18
nginxsnippets/errorpages/custom_401.html Normal file
View File

@ -0,0 +1,18 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>401 Unauthorized</title>
<link rel="stylesheet" href="custom_error.css">
</head>
<body>
<div class="center">
<img src="custom_401.png" alt="401">
</div>
</body>
</html>

BIN
nginxsnippets/errorpages/custom_401.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

18
nginxsnippets/errorpages/custom_403.html Normal file
View File

@ -0,0 +1,18 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>403 Forbidden</title>
<link rel="stylesheet" href="custom_error.css">
</head>
<body>
<div class="center">
<img src="custom_403.png" alt="403">
</div>
</body>
</html>

BIN
nginxsnippets/errorpages/custom_403.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

18
nginxsnippets/errorpages/custom_404.html Normal file
View File

@ -0,0 +1,18 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>404 Not Found</title>
<link rel="stylesheet" href="custom_error.css">
</head>
<body>
<div class="center">
<img src="custom_404.png" alt="404">
</div>
</body>
</html>

BIN
nginxsnippets/errorpages/custom_404.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

18
nginxsnippets/errorpages/custom_500.html Normal file
View File

@ -0,0 +1,18 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>500 Internal Server Error</title>
<link rel="stylesheet" href="custom_error.css">
</head>
<body>
<div class="center">
<img src="custom_500.png" alt="500">
</div>
</body>
</html>

BIN
nginxsnippets/errorpages/custom_500.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

18
nginxsnippets/errorpages/custom_502.html Normal file
View File

@ -0,0 +1,18 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>502 Bad Gateway</title>
<link rel="stylesheet" href="custom_error.css">
</head>
<body>
<div class="center">
<img src="custom_502.png" alt="502">
</div>
</body>
</html>

BIN
nginxsnippets/errorpages/custom_502.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

18
nginxsnippets/errorpages/custom_503.html Normal file
View File

@ -0,0 +1,18 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>503 Service Unavailable</title>
<link rel="stylesheet" href="custom_error.css">
</head>
<body>
<div class="center">
<img src="custom_503.png" alt="503">
</div>
</body>
</html>

BIN
nginxsnippets/errorpages/custom_503.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

18
nginxsnippets/errorpages/custom_504.html Normal file
View File

@ -0,0 +1,18 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>504 Gateway Timeout</title>
<link rel="stylesheet" href="custom_error.css">
</head>
<body>
<div class="center">
<img src="custom_504.png" alt="504">
</div>
</body>
</html>

BIN
nginxsnippets/errorpages/custom_504.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

6
nginxsnippets/errorpages/custom_error.css Normal file
View File

@ -0,0 +1,6 @@
.center {
display: flex;
justify-content: center;
align-items: center;
height: 90vh;
}

9
nginxsnippets/gzipconfig.conf Normal file
View File

@ -0,0 +1,9 @@
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

3
nginxsnippets/log-exclude.conf Normal file
View File

@ -0,0 +1,3 @@
location = /.env { access_log off; log_not_found off; }
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }

1
nginxsnippets/log.conf Normal file
View File

@ -0,0 +1 @@
log_format main '[$time_local] [Cache:$upstream_cache_status] [$host] [Remote_Addr: $remote_addr] - $remote_user - $server_name to: $upstream_addr: "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" ';

13
nginxsnippets/microcache.conf Normal file
View File

@ -0,0 +1,13 @@
fastcgi_hide_header X-Powered-By;
fastcgi_cache microcache;
fastcgi_cache_key $scheme$host$request_uri$request_method;
fastcgi_cache_valid 200 301 302 30s;
fastcgi_cache_use_stale updating error timeout invalid_header http_500;
fastcgi_pass_header Set-Cookie;
fastcgi_pass_header Cookie;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_buffers 16 256k;
fastcgi_buffer_size 128k;
fastcgi_intercept_errors on;
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;

4
nginxsnippets/proxy-params.conf Normal file
View File

@ -0,0 +1,4 @@
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

1
nginxsnippets/rate-limit.conf Normal file
View File

@ -0,0 +1 @@
limit_req_zone $binary_remote_addr zone=RATELIMIT:10m rate=10r/s;

55
nginxsnippets/wphardening.conf Normal file
View File

@ -0,0 +1,55 @@
# Wordpress deny xmlrpc start #####################################################################################################
location = /xmlrpc.php {
deny all;
access_log off;
log_not_found off;
return 444;
}
# Wordpress deny xmlrpc stop ######################################################################################################
# Wordpress deny wp-cron start ####################################################################################################
location = /wp-cron.php {
deny all;
access_log off;
log_not_found off;
return 444;
}
# Wordpress deny wp-cron stop #####################################################################################################
# Wordpress limit get post start ##################################################################################################
if ($request_method !~ ^(GET|POST)$ ) {
return 444;
}
# Wordpress limit get post stop ###################################################################################################
# Wordpress deny php files where they dont belong start ###########################################################################
location ~* /(?:uploads|files|wp-content|wp-includes)/.*.php$ {
deny all;
access_log off;
log_not_found off;
return 444;
}
# Wordpress deny php files where they dont belong stop ############################################################################
# Wordpress limit request pr. sec here its 5 req/sec start ########################################################################
location = /wp-login.php {
limit_req zone=RATELIMIT burst=3 nodelay;
limit_req_status 444;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;
}
# NOTE: The above requires the following file to exist:
# /etc/nginx/conf.d/rate-limit.conf with the following content:
# limit_req_zone $binary_remote_addr zone=RATELIMIT:10m rate=10r/s;
# Wordpress limit request pr. sec here its 5 req/sec stop #########################################################################
# Wordpress deny access to the following files in upload directory start ##########################################################
location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
deny all;
}
# Wordpress deny access to the following files in upload directory stop ###########################################################
# Wordpress dont cache certain pages start ########################################################################################
if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") { set $skip_cache 1; }
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") { set $skip_cache 1; }
# Wordpress dont cache certain pages stop #########################################################################################