initial commit

.gitignore

@@ -0,0 +1,7 @@
+*.bak
+*.backup
+*.gho
+*.ori
+*.orig
+*.tmp
+*.swp

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Allan Christensen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,25 @@
+## Code snippets for use with Nginx
+
+### Prerequisites
+Nginx installed and running
+
+### Download the snippets
+```
+git clone https://git.x-files.dk/ubuntu-web-server/nginxsnippets.git /etc/nginx/nginxsnippets
+```
+
+### Usage
+An example can be found [\[here\]](https://git.x-files.dk/ubuntu-web-server/nginx-install/src/branch/main/cfg-apps/example.80.conf)
+
+> **Important:**
+>
+> If you allready installed Nginx using the method found [\[here\]](https://git.x-files.dk/ubuntu-web-server/nginx-install) the code snippets will already be present.
+
+### Post install
+Nothing to do.
+
+### More guides
+More guides can be found on [\[wiki.x-files.dk\]](https://wiki.x-files.dk)
+
+### Last tested
+October 19th 2024 on Ubuntu 24.04.

block-bots.conf

@@ -0,0 +1,15 @@
+map $http_user_agent $bad_user_agent {
+
+    default                           0;
+
+    "~*backdoor"                      1;
+    "~LieBaoFast"                     1;
+    "~AhrefsBot"                      1;
+    "~DotBot"                         1;
+    "~MauiBot"                        1;
+    "~MJ12Bot"                        1;
+    "~PetalBot"                       1;
+    "~PetalBot"                       1;
+    "~SEMrushBot"                     1;
+    "~UCBrowser"                      1;
+}

block-engines.conf

@@ -0,0 +1 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

block-file-access.conf

@@ -0,0 +1,8 @@
+location ~ /\.git {
+deny all;
+return 404;
+}
+
+location ~ (\.aws$|\.cgi$|\.env$|\.perl$|\.pl$|\.py$|\.sh$) {
+return 444;
+}

block-htaccess.conf

@@ -0,0 +1,4 @@
+location ~ /\.ht {
+deny all;
+return 404;
+}

block-referer.conf

@@ -0,0 +1,32 @@
+map $http_referer $bad_referer {
+    hostnames;
+
+    default                           0;
+
+    "~binance.com"                    1;
+    "~social-buttons.com"             1;
+    "~semalt.com"                     1;
+    "~kambasoft.com"                  1;
+    "~savetubevideo.com"              1;
+    "~descargar-musica-gratis.net"    1;
+    "~7makemoneyonline.com"           1;
+    "~baixar-musicas-gratis.com"      1;
+    "~iloveitaly.com"                 1;
+    "~ilovevitaly.ru"                 1;
+    "~fbdownloader.com"               1;
+    "~econom.co"                      1;
+    "~buttons-for-website.com"        1;
+    "~buttons-for-your-website.com"   1;
+    "~srecorder.co"                   1;
+    "~darodar.com"                    1;
+    "~priceg.com"                     1;
+    "~blackhatworth.com"              1;
+    "~adviceforum.info"               1;
+    "~hulfingtonpost.com"             1;
+    "~best-seo-solution.com"          1;
+    "~googlsucks.com"                 1;
+    "~theguardlan.com"                1;
+    "~i-x.wiki"                       1;
+    "~buy-cheap-online.info"          1;
+    "~Get-Free-Traffic-Now.com"       1;
+}

cache-js-css.conf

@@ -0,0 +1,4 @@
+location ~* ^.+\.(css|js)$ {
+expires     1y;
+add_header Cache-Control "max-age=31600000, public";
+}

cache-open-files.conf

@@ -0,0 +1,4 @@
+open_file_cache max=10000 inactive=20s;
+open_file_cache_valid 30s;
+open_file_cache_min_uses 2;
+open_file_cache_errors on;

cache-statics.conf

@@ -0,0 +1,6 @@
+location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
+expires max;
+add_header Cache-Control "public";
+access_log        off;
+log_not_found     off;
+}

cloudflare.conf

@@ -0,0 +1,27 @@
+# - IPv4
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 131.0.72.0/22;
+
+# - IPv6
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
+
+real_ip_header CF-Connecting-IP;

custom-errors.conf

@@ -0,0 +1,33 @@
+error_page 400 /custom_400.html;
+location = /custom_400.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_400.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+error_page 401 /custom_401.html;
+location = /custom_401.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_401.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+error_page 403 /custom_403.html;
+location = /custom_403.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_403.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+error_page 404 /custom_404.html;
+location = /custom_404.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_404.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+error_page 500 /custom_500.html;
+location = /custom_500.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_500.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+error_page 502 /custom_502.html;
+location = /custom_502.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_502.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+error_page 503 /custom_503.html;
+location = /custom_503.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_503.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+error_page 504 /custom_504.html;
+location = /custom_504.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_504.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+location = /custom_error.css { root /etc/nginx/nginxsnippets/errorpages; }

errorpages/custom_400.html

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>400 Bad Request</title>
+    <link rel="stylesheet" href="custom_error.css">
+</head>
+
+<body>
+    <div class="center">
+        <img src="custom_400.png" alt="400">
+    </div>
+</body>
+
+</html>

errorpages/custom_401.html

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>401 Unauthorized</title>
+    <link rel="stylesheet" href="custom_error.css">
+</head>
+
+<body>
+    <div class="center">
+        <img src="custom_401.png" alt="401">
+    </div>
+</body>
+
+</html>

errorpages/custom_403.html

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>403 Forbidden</title>
+    <link rel="stylesheet" href="custom_error.css">
+</head>
+
+<body>
+    <div class="center">
+        <img src="custom_403.png" alt="403">
+    </div>
+</body>
+
+</html>

errorpages/custom_404.html

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>404 Not Found</title>
+    <link rel="stylesheet" href="custom_error.css">
+</head>
+
+<body>
+    <div class="center">
+        <img src="custom_404.png" alt="404">
+    </div>
+</body>
+
+</html>

errorpages/custom_500.html

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>500 Internal Server Error</title>
+    <link rel="stylesheet" href="custom_error.css">
+</head>
+
+<body>
+    <div class="center">
+        <img src="custom_500.png" alt="500">
+    </div>
+</body>
+
+</html>

errorpages/custom_502.html

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>502 Bad Gateway</title>
+    <link rel="stylesheet" href="custom_error.css">
+</head>
+
+<body>
+    <div class="center">
+        <img src="custom_502.png" alt="502">
+    </div>
+</body>
+
+</html>

errorpages/custom_503.html

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>503 Service Unavailable</title>
+    <link rel="stylesheet" href="custom_error.css">
+</head>
+
+<body>
+    <div class="center">
+        <img src="custom_503.png" alt="503">
+    </div>
+</body>
+
+</html>

errorpages/custom_504.html

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>504 Gateway Timeout</title>
+    <link rel="stylesheet" href="custom_error.css">
+</head>
+
+<body>
+    <div class="center">
+        <img src="custom_504.png" alt="504">
+    </div>
+</body>
+
+</html>

errorpages/custom_error.css

@@ -0,0 +1,6 @@
+.center {
+  display: flex;
+  justify-content: center;
+  align-items: center;
+  height: 90vh;
+}

gzipconfig.conf

@@ -0,0 +1,9 @@
+gzip on;
+gzip_disable "msie6";
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
+gzip_min_length 256;
+gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

log-exclude.conf

@@ -0,0 +1,3 @@
+location = /.env  { access_log off; log_not_found off; }
+location = /favicon.ico { access_log off; log_not_found off; }
+location = /robots.txt  { access_log off; log_not_found off; }

log.conf

@@ -0,0 +1 @@
+log_format main '[$time_local] [Cache:$upstream_cache_status] [$host] [Remote_Addr: $remote_addr] - $remote_user - $server_name to: $upstream_addr: "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" ';

microcache.conf

@@ -0,0 +1,13 @@
+fastcgi_hide_header X-Powered-By;
+fastcgi_cache microcache;
+fastcgi_cache_key $scheme$host$request_uri$request_method;
+fastcgi_cache_valid 200 301 302 30s;
+fastcgi_cache_use_stale updating error timeout invalid_header http_500;
+fastcgi_pass_header Set-Cookie;
+fastcgi_pass_header Cookie;
+fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+fastcgi_buffers 16 256k;
+fastcgi_buffer_size 128k;
+fastcgi_intercept_errors on;
+fastcgi_cache_bypass $skip_cache;
+fastcgi_no_cache $skip_cache;

proxy-params.conf

@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;

rate-limit.conf

@@ -0,0 +1 @@
+limit_req_zone $binary_remote_addr zone=RATELIMIT:10m rate=10r/s;

wphardening.conf

@@ -0,0 +1,55 @@
+# Wordpress deny xmlrpc start #####################################################################################################
+    location = /xmlrpc.php {
+    deny all;
+    access_log off;
+    log_not_found off;
+    return 444;
+    }
+# Wordpress deny xmlrpc stop ######################################################################################################
+
+# Wordpress deny wp-cron start ####################################################################################################
+    location = /wp-cron.php {
+    deny all;
+    access_log off;
+    log_not_found off;
+    return 444;
+    }
+# Wordpress deny wp-cron stop #####################################################################################################
+
+# Wordpress limit get post start ##################################################################################################
+if ($request_method !~ ^(GET|POST)$ ) {
+    return 444;
+}
+# Wordpress limit get post stop ###################################################################################################
+
+# Wordpress deny php files where they dont belong start ###########################################################################
+location ~* /(?:uploads|files|wp-content|wp-includes)/.*.php$ {
+    deny all;
+    access_log off;
+    log_not_found off;
+    return 444;
+}
+# Wordpress deny php files where they dont belong stop ############################################################################
+
+# Wordpress limit request pr. sec here its 5 req/sec start ########################################################################
+location = /wp-login.php {
+    limit_req zone=RATELIMIT burst=3 nodelay;
+    limit_req_status 444;
+    include snippets/fastcgi-php.conf;
+    fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;
+}
+# NOTE: The above requires the following file to exist:
+# /etc/nginx/conf.d/rate-limit.conf with the following content:
+# limit_req_zone $binary_remote_addr zone=RATELIMIT:10m rate=10r/s;
+# Wordpress limit request pr. sec here its 5 req/sec stop #########################################################################
+
+# Wordpress deny access to the following files in upload directory start ##########################################################
+location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
+    deny all;
+}
+# Wordpress deny access to the following files in upload directory stop ###########################################################
+
+# Wordpress dont cache certain pages start ########################################################################################
+if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") { set $skip_cache 1; }
+if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") { set $skip_cache 1; }
+# Wordpress dont cache certain pages stop #########################################################################################