commit b146b71d6144e2bc038293dc05f004ca4cfb6598
Author: allan
Date: Fri Aug 8 12:25:26 2025 +0200
initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..02b486a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+*.bak
+*.backup
+*.gho
+*.ori
+*.orig
+*.tmp
+*.swp
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..57f408b
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Allan Christensen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..df42a47
--- /dev/null
+++ b/README.md
@@ -0,0 +1,25 @@
+## Code snippets for use with Nginx
+
+### Prerequisites
+Nginx installed and running
+
+### Download the snippets
+```
+git clone https://git.x-files.dk/ubuntu-web-server/nginxsnippets.git /etc/nginx/nginxsnippets
+```
+
+### Usage
+An example can be found [\[here\]](https://git.x-files.dk/ubuntu-web-server/nginx-install/src/branch/main/cfg-apps/example.80.conf)
+
+> **Important:**
+>
+> If you allready installed Nginx using the method found [\[here\]](https://git.x-files.dk/ubuntu-web-server/nginx-install) the code snippets will already be present.
+
+### Post install
+Nothing to do.
+
+### More guides
+More guides can be found on [\[wiki.x-files.dk\]](https://wiki.x-files.dk)
+
+### Last tested
+October 19th 2024 on Ubuntu 24.04.
diff --git a/block-bots.conf b/block-bots.conf
new file mode 100644
index 0000000..66aae77
--- /dev/null
+++ b/block-bots.conf
@@ -0,0 +1,15 @@
+map $http_user_agent $bad_user_agent {
+
+ default 0;
+
+ "~*backdoor" 1;
+ "~LieBaoFast" 1;
+ "~AhrefsBot" 1;
+ "~DotBot" 1;
+ "~MauiBot" 1;
+ "~MJ12Bot" 1;
+ "~PetalBot" 1;
+ "~PetalBot" 1;
+ "~SEMrushBot" 1;
+ "~UCBrowser" 1;
+}
diff --git a/block-engines.conf b/block-engines.conf
new file mode 100644
index 0000000..d2a7094
--- /dev/null
+++ b/block-engines.conf
@@ -0,0 +1 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
diff --git a/block-file-access.conf b/block-file-access.conf
new file mode 100644
index 0000000..8aa2e41
--- /dev/null
+++ b/block-file-access.conf
@@ -0,0 +1,8 @@
+location ~ /\.git {
+deny all;
+return 404;
+}
+
+location ~ (\.aws$|\.cgi$|\.env$|\.perl$|\.pl$|\.py$|\.sh$) {
+return 444;
+}
diff --git a/block-htaccess.conf b/block-htaccess.conf
new file mode 100644
index 0000000..dac3eb4
--- /dev/null
+++ b/block-htaccess.conf
@@ -0,0 +1,4 @@
+location ~ /\.ht {
+deny all;
+return 404;
+}
diff --git a/block-referer.conf b/block-referer.conf
new file mode 100644
index 0000000..a386aae
--- /dev/null
+++ b/block-referer.conf
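Review bot: `"~PetalBot" 1;` is listed twice in the map; regex keys in a `map` are not checked for duplicates, so the second entry is silently kept as a redundant pattern and should be dropped. Nothing in this commit reads `$bad_user_agent` (nor `$bad_referer` from block-referer.conf), so including these snippets on their own blocks nothing; the consumer, presumably a server-level `if` on the variable, lives outside this repository and deserves a header comment on each map such as `# Sets $bad_user_agent=1 for matching agents; the including server block must act on it, e.g. if ($bad_user_agent) { return 444; }`. Note also that only `~*backdoor` is case-insensitive while the remaining keys use case-sensitive `~`, which is fine only if those agent strings are exact.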
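Review bot: The `\.env$` branch of the second regex location is pre-empted by `location = /.env { access_log off; log_not_found off; }` in log-exclude.conf: an exact-match `=` location wins before any regex location is considered, so a site that includes both snippets serves `/.env` if the file exists and does not even log the request. Either drop the `/.env` line from log-exclude.conf or make that exact location reject the request as well, e.g. `location = /.env { access_log off; log_not_found off; return 404; }`. Separately, `deny all;` followed by `return 404;` (here, in block-htaccess.conf and in wphardening.conf) is dead code: `return` runs in the rewrite phase before the access phase, so the `deny` never takes effect; keep one of the two depending on whether a 403 or a 404 is wanted.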
@@ -0,0 +1,32 @@
+map $http_referer $bad_referer {
+ hostnames;
+
+ default 0;
+
+ "~binance.com" 1;
+ "~social-buttons.com" 1;
+ "~semalt.com" 1;
+ "~kambasoft.com" 1;
+ "~savetubevideo.com" 1;
+ "~descargar-musica-gratis.net" 1;
+ "~7makemoneyonline.com" 1;
+ "~baixar-musicas-gratis.com" 1;
+ "~iloveitaly.com" 1;
+ "~ilovevitaly.ru" 1;
+ "~fbdownloader.com" 1;
+ "~econom.co" 1;
+ "~buttons-for-website.com" 1;
+ "~buttons-for-your-website.com" 1;
+ "~srecorder.co" 1;
+ "~darodar.com" 1;
+ "~priceg.com" 1;
+ "~blackhatworth.com" 1;
+ "~adviceforum.info" 1;
+ "~hulfingtonpost.com" 1;
+ "~best-seo-solution.com" 1;
+ "~googlsucks.com" 1;
+ "~theguardlan.com" 1;
+ "~i-x.wiki" 1;
+ "~buy-cheap-online.info" 1;
+ "~Get-Free-Traffic-Now.com" 1;
+}
diff --git a/cache-js-css.conf b/cache-js-css.conf
new file mode 100644
index 0000000..069861c
--- /dev/null
+++ b/cache-js-css.conf
@@ -0,0 +1,4 @@
+location ~* ^.+\.(css|js)$ {
+expires 1y;
+add_header Cache-Control "max-age=31600000, public";
+}
diff --git a/cache-open-files.conf b/cache-open-files.conf
new file mode 100644
index 0000000..97b1fb5
--- /dev/null
+++ b/cache-open-files.conf
@@ -0,0 +1,4 @@
+open_file_cache max=10000 inactive=20s;
+open_file_cache_valid 30s;
+open_file_cache_min_uses 2;
+open_file_cache_errors on;
diff --git a/cache-statics.conf b/cache-statics.conf
new file mode 100644
index 0000000..7182915
--- /dev/null
+++ b/cache-statics.conf
@@ -0,0 +1,6 @@
+location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
+expires max;
+add_header Cache-Control "public";
+access_log off;
+log_not_found off;
+}
diff --git a/cloudflare.conf b/cloudflare.conf
new file mode 100644
index 0000000..fd34af2
--- /dev/null
+++ b/cloudflare.conf
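Review bot: In cache-js-css.conf, `expires 1y;` already emits `Cache-Control: max-age=31536000`, so the following `add_header Cache-Control "max-age=31600000, public";` sends a second Cache-Control header with a different max-age; keep one of the two, e.g. drop the `add_header` or replace `expires` with a single consistent value. More importantly, an `add_header` inside a location replaces every `add_header` inherited from the server level, so anything set there (the `X-Robots-Tag` from block-engines.conf if it is included at server level, or any HSTS/CSP header) is silently absent on css/js responses; the same applies to `add_header Cache-Control "public";` in cache-statics.conf. If those headers matter, repeat them inside these locations or move them into a shared include that each location pulls in.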
@@ -0,0 +1,27 @@
+# - IPv4
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 131.0.72.0/22;
+
+# - IPv6
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
+
+real_ip_header CF-Connecting-IP;
diff --git a/custom-errors.conf b/custom-errors.conf
new file mode 100644
index 0000000..789db45
--- /dev/null
+++ b/custom-errors.conf
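Review bot: The `set_real_ip_from` list is an undated snapshot of Cloudflare's published ranges with no source comment, so nobody can tell when it was last verified or what to compare it against when Cloudflare adds or retires a prefix. A header comment such as `# Cloudflare edge ranges as published at https://www.cloudflare.com/ips/ - snapshot <DATE>; refresh when that list changes` would make the file maintainable. The same comment should state that `real_ip_header CF-Connecting-IP;` only rewrites `$remote_addr` for connections arriving from these ranges, so rate-limit.conf keys on the real client address only for traffic that actually traverses Cloudflare.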
@@ -0,0 +1,33 @@
+error_page 400 /custom_400.html;
+location = /custom_400.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_400.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+error_page 401 /custom_401.html;
+location = /custom_401.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_401.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+error_page 403 /custom_403.html;
+location = /custom_403.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_403.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+error_page 404 /custom_404.html;
+location = /custom_404.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_404.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+error_page 500 /custom_500.html;
+location = /custom_500.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_500.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+error_page 502 /custom_502.html;
+location = /custom_502.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_502.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+error_page 503 /custom_503.html;
+location = /custom_503.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_503.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+error_page 504 /custom_504.html;
+location = /custom_504.html { root /etc/nginx/nginxsnippets/errorpages; }
+location = /custom_504.png { root /etc/nginx/nginxsnippets/errorpages; }
+
+location = /custom_error.css { root /etc/nginx/nginxsnippets/errorpages; }
diff --git a/errorpages/custom_400.html b/errorpages/custom_400.html
new file mode 100644
index 0000000..18c680b
--- /dev/null
+++ b/errorpages/custom_400.html
@@ -0,0 +1,18 @@
+
+
+
+
+
+
+
+ 400 Bad Request
+
+
+
+
+
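Review bot: The `location = /custom_NNN.html` blocks are directly requestable, so each error page can be fetched (and indexed) as an ordinary 200 response instead of only being reached through `error_page`. Adding `internal;` to the html locations, e.g. `location = /custom_400.html { internal; root /etc/nginx/nginxsnippets/errorpages; }`, limits them to internal redirects while the png and css locations stay public because the pages reference them. The `root` points into the cloned snippets checkout; a one-line comment noting that it must match the clone path given in README.md would help anyone installing elsewhere.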
+ 400
+
+
+
+
diff --git a/errorpages/custom_400.png b/errorpages/custom_400.png
new file mode 100644
index 0000000..bdd510b
Binary files /dev/null and b/errorpages/custom_400.png differ
diff --git a/errorpages/custom_401.html b/errorpages/custom_401.html
new file mode 100644
index 0000000..88f105f
--- /dev/null
+++ b/errorpages/custom_401.html
@@ -0,0 +1,18 @@
+
+
+
+
+
+
+
+ 401 Unauthorized
+
+
+
+
+
+ 401
+
+
+
+
diff --git a/errorpages/custom_401.png b/errorpages/custom_401.png
new file mode 100644
index 0000000..8622ba8
Binary files /dev/null and b/errorpages/custom_401.png differ
diff --git a/errorpages/custom_403.html b/errorpages/custom_403.html
new file mode 100644
index 0000000..089fba6
--- /dev/null
+++ b/errorpages/custom_403.html
@@ -0,0 +1,18 @@
+
+
+
+
+
+
+
+ 403 Forbidden
+
+
+
+
+
+ 403
+
+
+
+
diff --git a/errorpages/custom_403.png b/errorpages/custom_403.png
new file mode 100644
index 0000000..7bbf788
Binary files /dev/null and b/errorpages/custom_403.png differ
diff --git a/errorpages/custom_404.html b/errorpages/custom_404.html
new file mode 100644
index 0000000..99148c7
--- /dev/null
+++ b/errorpages/custom_404.html
@@ -0,0 +1,18 @@
+
+
+
+
+
+
+
+ 404 Not Found
+
+
+
+
+
+ 404
+
+
+
+
diff --git a/errorpages/custom_404.png b/errorpages/custom_404.png
new file mode 100644
index 0000000..4343ffe
Binary files /dev/null and b/errorpages/custom_404.png differ
diff --git a/errorpages/custom_500.html b/errorpages/custom_500.html
new file mode 100644
index 0000000..6471c04
--- /dev/null
+++ b/errorpages/custom_500.html
@@ -0,0 +1,18 @@
+
+
+
+
+
+
+
+ 500 Internal Server Error
+
+
+
+
+
+ 500
+
+
+
+
diff --git a/errorpages/custom_500.png b/errorpages/custom_500.png
new file mode 100644
index 0000000..4b9d664
Binary files /dev/null and b/errorpages/custom_500.png differ
diff --git a/errorpages/custom_502.html b/errorpages/custom_502.html
new file mode 100644
index 0000000..e7076fb
--- /dev/null
+++ b/errorpages/custom_502.html
@@ -0,0 +1,18 @@
+
+
+
+
+
+
+
+ 502 Bad Gateway
+
+
+
+
+
+ 502
+
+
+
+
diff --git a/errorpages/custom_502.png b/errorpages/custom_502.png
new file mode 100644
index 0000000..27e5280
Binary files /dev/null and b/errorpages/custom_502.png differ
diff --git a/errorpages/custom_503.html b/errorpages/custom_503.html
new file mode 100644
index 0000000..18176bc
--- /dev/null
+++ b/errorpages/custom_503.html
@@ -0,0 +1,18 @@
+
+
+
+
+
+
+
+ 503 Service Unavailable
+
+
+
+
+
+ 503
+
+
+
+
diff --git a/errorpages/custom_503.png b/errorpages/custom_503.png
new file mode 100644
index 0000000..bd02d37
Binary files /dev/null and b/errorpages/custom_503.png differ
diff --git a/errorpages/custom_504.html b/errorpages/custom_504.html
new file mode 100644
index 0000000..2c2a0a5
--- /dev/null
+++ b/errorpages/custom_504.html
@@ -0,0 +1,18 @@
+
+
+
+
+
+
+
+ 504 Gateway Timeout
+
+
+
+
+
+ 504
+
+
+
+
diff --git a/errorpages/custom_504.png b/errorpages/custom_504.png
new file mode 100644
index 0000000..b382174
Binary files /dev/null and b/errorpages/custom_504.png differ
diff --git a/errorpages/custom_error.css b/errorpages/custom_error.css
new file mode 100644
index 0000000..d8add07
--- /dev/null
+++ b/errorpages/custom_error.css
@@ -0,0 +1,6 @@
+.center {
+ display: flex;
+ justify-content: center;
+ align-items: center;
+ height: 90vh;
+}
diff --git a/gzipconfig.conf b/gzipconfig.conf
new file mode 100644
index 0000000..b45e8de
--- /dev/null
+++ b/gzipconfig.conf
@@ -0,0 +1,9 @@
+gzip on;
+gzip_disable "msie6";
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
+gzip_min_length 256;
+gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;
diff --git a/log-exclude.conf b/log-exclude.conf
new file mode 100644
index 0000000..9a6ba21
--- /dev/null
+++ b/log-exclude.conf
@@ -0,0 +1,3 @@
+location = /.env { access_log off; log_not_found off; }
+location = /favicon.ico { access_log off; log_not_found off; }
+location = /robots.txt { access_log off; log_not_found off; }
diff --git a/log.conf b/log.conf
new file mode 100644
index 0000000..b39aeb0
--- /dev/null
+++ b/log.conf
@@ -0,0 +1 @@
+log_format main '[$time_local] [Cache:$upstream_cache_status] [$host] [Remote_Addr: $remote_addr] - $remote_user - $server_name to: $upstream_addr: "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" ';
diff --git a/microcache.conf b/microcache.conf
new file mode 100644
index 0000000..1be3c07
--- /dev/null
+++ b/microcache.conf
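Review bot: In gzipconfig.conf, `gzip on;` together with a `gzip_types` list covering `text/plain`, `application/json` and the always-included `text/html` compresses dynamic application responses as well as static assets, and compressing a page that embeds a secret (CSRF or session token) next to attacker-influenced input is the precondition for BREACH-style disclosure. The snippet does not say which responses it is meant for; a comment such as `# Applies to every response, including dynamic HTML/JSON; turn gzip off per-location for pages that reflect user input next to secrets` would let site owners make that decision deliberately.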
@@ -0,0 +1,13 @@
+fastcgi_hide_header X-Powered-By;
+fastcgi_cache microcache;
+fastcgi_cache_key $scheme$host$request_uri$request_method;
+fastcgi_cache_valid 200 301 302 30s;
+fastcgi_cache_use_stale updating error timeout invalid_header http_500;
+fastcgi_pass_header Set-Cookie;
+fastcgi_pass_header Cookie;
+fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+fastcgi_buffers 16 256k;
+fastcgi_buffer_size 128k;
+fastcgi_intercept_errors on;
+fastcgi_cache_bypass $skip_cache;
+fastcgi_no_cache $skip_cache;
diff --git a/proxy-params.conf b/proxy-params.conf
new file mode 100644
index 0000000..df75bc5
--- /dev/null
+++ b/proxy-params.conf
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/rate-limit.conf b/rate-limit.conf
new file mode 100644
index 0000000..95ed179
--- /dev/null
+++ b/rate-limit.conf
@@ -0,0 +1 @@
+limit_req_zone $binary_remote_addr zone=RATELIMIT:10m rate=10r/s;
diff --git a/wphardening.conf b/wphardening.conf
new file mode 100644
index 0000000..ef88e85
--- /dev/null
+++ b/wphardening.conf
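Review bot: `fastcgi_ignore_headers Cache-Control Expires Set-Cookie;` tells nginx to cache responses that carry a `Set-Cookie` header, and because the key `$scheme$host$request_uri$request_method` has no per-user component, the stored response, Set-Cookie included, is replayed to every later visitor for 30s; the only guard is `$skip_cache`, which wphardening.conf derives from the request's cookies and which cannot help on the response that first issues a cookie. Either remove `Set-Cookie` from `fastcgi_ignore_headers` so that cookie-setting responses are not cached (nginx's default), or document why the application is known never to set session cookies on cacheable GETs. The snippet also relies on a `fastcgi_cache_path ... keys_zone=microcache:...` at http level and on `$skip_cache` being declared somewhere (it is only `set` inside `if` in wphardening.conf), neither of which is in this commit; a comment listing those prerequisites would prevent a failed `nginx -t` when the file is included on its own.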
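Review bot: In proxy-params.conf, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to whatever `X-Forwarded-For` the client sent, so the upstream receives a client-controlled chain and must only trust the rightmost entry, whereas `X-Real-IP` is built from `$remote_addr` alone. That contract is not written down; a comment on the X-Forwarded-For line such as `# client-supplied chain plus $remote_addr appended - upstreams must trust only the last hop; X-Real-IP is the authoritative value` would make it explicit. When cloudflare.conf is included, `$remote_addr` here is already the CF-Connecting-IP value for connections from Cloudflare's ranges.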
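Review bot: In rate-limit.conf, `limit_req_zone $binary_remote_addr ...` keys on the connection's peer address, so behind Cloudflare or any other proxy every client shares a single bucket unless cloudflare.conf (or an equivalent `set_real_ip_from`/`real_ip_header` pair) is loaded; that dependency is not stated. A comment such as `# Keyed on the real client IP only when realip is configured (see cloudflare.conf); otherwise all proxied clients share one 10r/s bucket` would capture it. The `10r/s` here also disagrees with the `5 req/sec` wording in wphardening.conf, which refers to this zone.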
@@ -0,0 +1,55 @@
+# Wordpress deny xmlrpc start #####################################################################################################
+ location = /xmlrpc.php {
+ deny all;
+ access_log off;
+ log_not_found off;
+ return 444;
+ }
+# Wordpress deny xmlrpc stop ######################################################################################################
+
+# Wordpress deny wp-cron start ####################################################################################################
+ location = /wp-cron.php {
+ deny all;
+ access_log off;
+ log_not_found off;
+ return 444;
+ }
+# Wordpress deny wp-cron stop #####################################################################################################
+
+# Wordpress limit get post start ##################################################################################################
+if ($request_method !~ ^(GET|POST)$ ) {
+ return 444;
+}
+# Wordpress limit get post stop ###################################################################################################
+
+# Wordpress deny php files where they dont belong start ###########################################################################
+location ~* /(?:uploads|files|wp-content|wp-includes)/.*.php$ {
+ deny all;
+ access_log off;
+ log_not_found off;
+ return 444;
+}
+# Wordpress deny php files where they dont belong stop ############################################################################
+
+# Wordpress limit request pr. 
sec here its 5 req/sec start ########################################################################
+location = /wp-login.php {
+ limit_req zone=RATELIMIT burst=3 nodelay;
+ limit_req_status 444;
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;
+}
+# NOTE: The above requires the following file to exist:
+# /etc/nginx/conf.d/rate-limit.conf with the following content:
+# limit_req_zone $binary_remote_addr zone=RATELIMIT:10m rate=10r/s;
+# Wordpress limit request pr. sec here its 5 req/sec stop #########################################################################
+
+# Wordpress deny access to the following files in upload directory start ##########################################################
+location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
+ deny all;
+}
+# Wordpress deny access to the following files in upload directory stop ###########################################################
+
+# Wordpress dont cache certain pages start ########################################################################################
+if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") { set $skip_cache 1; }
+if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") { set $skip_cache 1; }
+# Wordpress dont cache certain pages stop #########################################################################################
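Review bot: The deny locations `location ~* /(?:uploads|files|wp-content|wp-includes)/.*.php$` and `location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$` are regex locations, and nginx uses the first matching regex location in configuration order, so if a site's server block declares its PHP handler (`location ~ \.php$`) before it includes this snippet, a request for an uploaded `.php` file is handled by that handler and these blocks never match. The file needs a top comment stating that it must be included before any `location ~ \.php$` block, and the unescaped `.` before `php` in both patterns should be `\.` for precision. `fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;` is a placeholder that has to be edited per host and is not called out anywhere; left unedited, `/wp-login.php` would presumably fail with a 502 routed through `fastcgi_intercept_errors`. The trailing NOTE block also points at `/etc/nginx/conf.d/rate-limit.conf` with `rate=10r/s` while the section header says `5 req/sec`, and this commit ships rate-limit.conf in the snippets directory instead, so the three should be reconciled.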