From db651263d9a52d30ad61ea12501670da32ada5e2 Mon Sep 17 00:00:00 2001
From: allan
Date: Mon, 25 Aug 2025 09:45:08 +0200
Subject: [PATCH] initial commit
---
 hostfiles/README.md | 21 ++++++
 hostfiles/dokuwiki.443.conf | 117 +++++++++++++++++++++++++++++++
 hostfiles/dokuwiki.80.conf | 81 ++++++++++++++++++++++
 hostfiles/example.443.conf | 94 +++++++++++++++++++++++++
 hostfiles/example.80.conf | 58 ++++++++++++++++
 hostfiles/gitea.443.conf | 88 ++++++++++++++++++++++++
 hostfiles/gitea.80.conf | 52 ++++++++++++++
 hostfiles/wordpress.443.conf | 98 ++++++++++++++++++++++++++
 hostfiles/wordpress.80.conf | 62 +++++++++++++++++
 hostfiles/zabbix.443.conf | 122 +++++++++++++++++++++++++++++++++
 hostfiles/zabbix.80.conf | 86 +++++++++++++++++++++++
 nginxconf/default | 18 +++++
 nginxconf/nginx.conf | 98 ++++++++++++++++++++++++++
 nginxconf/nginx.conf.high.perf | 99 ++++++++++++++++++++++++++
 14 files changed, 1094 insertions(+)
 create mode 100644 hostfiles/README.md
 create mode 100644 hostfiles/dokuwiki.443.conf
 create mode 100644 hostfiles/dokuwiki.80.conf
 create mode 100644 hostfiles/example.443.conf
 create mode 100644 hostfiles/example.80.conf
 create mode 100644 hostfiles/gitea.443.conf
 create mode 100644 hostfiles/gitea.80.conf
 create mode 100644 hostfiles/wordpress.443.conf
 create mode 100644 hostfiles/wordpress.80.conf
 create mode 100644 hostfiles/zabbix.443.conf
 create mode 100644 hostfiles/zabbix.80.conf
 create mode 100644 nginxconf/default
 create mode 100644 nginxconf/nginx.conf
 create mode 100644 nginxconf/nginx.conf.high.perf
diff --git a/hostfiles/README.md b/hostfiles/README.md
new file mode 100644
index 0000000..c60170e
--- /dev/null
+++ b/hostfiles/README.md
@@ -0,0 +1,21 @@
+## Important
+
+### The configuration files needs a few adjustments before they will work.
+
+### Domain
+You will need to change every occurrence of the "DOMAIN" variable with a real domain name in the configuration file.
+
+### Php Socket
+You will need to supply the correct version of what php socket you are running. In short change the following in the configuration.
+
+ phpVERSION-fpm.sock
+
+To whatever version you are running like for example
+
+ php8.3-fpm.sock
+
+### More guides
+More guides can be found on [\[wiki.x-files.dk\]](https://wiki.x-files.dk)
+
+### Last tested
+October 19th 2024 on Ubuntu 24.04.
diff --git a/hostfiles/dokuwiki.443.conf b/hostfiles/dokuwiki.443.conf
new file mode 100644
index 0000000..843c3c1
--- /dev/null
+++ b/hostfiles/dokuwiki.443.conf
@@ -0,0 +1,117 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ server_tokens off;
+ return 301 https://DOMAIN$request_uri;
+}
+##### Process http stop ########################################################
+
+##### Process https start ######################################################
+server {
+ listen 443 ssl http2;
+ server_name DOMAIN;
+ server_tokens off;
+ root /var/www/html/DOMAIN;
+ index doku.php;
+
+ ##### SSL configuration start ##############################################
+ # ssl_protocols TLSv1.2 TLSv1.3;
+ # ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ # ssl_prefer_server_ciphers off;
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # resolver 8.8.4.4 8.8.8.8;
+ # resolver_timeout 5s;
+ # ssl_session_timeout 1d;
+ # ssl_session_tickets off;
+ # ssl_session_cache shared:SSL:10m;
+ # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
+ # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ ##### SSL configuration stop ###############################################
+
+ ##### XSS headers start ####################################################
+ # add_header X-Frame-Options DENY;
+ # add_header X-Frame-Options SAMEORIGIN;
+ # add_header X-Content-Type-Options nosniff;
+ # add_header X-XSS-Protection "1; mode=block";
+ # add_header Permissions-Policy interest-cohort=();
+ # add_header Content-Security-Policy "default-src 'self'";
+ # add_header Referrer-Policy strict-origin-when-cross-origin;
+ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ ##### XSS headers stop #####################################################
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginxsnippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginxsnippets/block-engines.conf;
+ include /etc/nginx/nginxsnippets/log-exclude.conf;
+ include /etc/nginx/nginxsnippets/block-htaccess.conf;
+ include /etc/nginx/nginxsnippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ # include /etc/nginx/nginxsnippets/block-engines.conf;
+ include /etc/nginx/nginxsnippets/log-exclude.conf;
+ include /etc/nginx/nginxsnippets/block-file-access.conf;
+ include /etc/nginx/nginxsnippets/block-htaccess.conf;
+ try_files $uri $uri/ @dokuwiki;
+ }
+ ##### Process content stop #################################################
+
+ # Dokuwiki hardening start #################################################
+ # Uncomment these 2 lines containing "location" after dokuwiki is installed
+ # ||
+ # \/
+ # location ~ /(data|conf|bin|inc|vendor)/ { deny all; }
+ # location ~ /install.php { deny all; }
+ # /\
+ # ||
+ # Uncomment these 2 lines containing "location" after dokuwiki is installed
+ # Dokuwiki hardening stop ##################################################
+
+ ##### Dokuwiki specific start ##############################################
+ location @dokuwiki {
+ rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
+ rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
+ rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
+ rewrite ^/(.*) /doku.php?id=$1&$args last;
+ }
+ ##### Dokuwiki specific stop ###############################################
+
+ ##### Process php start ####################################################
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;
+ include /etc/nginx/nginxsnippets/microcache.conf;
+ }
+ ##### Process php stop #####################################################
+
+ ##### Cache js css static content and open files start #####################
+ # include /etc/nginx/nginxsnippets/cache-open-files.conf;
+ include /etc/nginx/nginxsnippets/cache-statics.conf;
+ include /etc/nginx/nginxsnippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process https stop #######################################################
diff --git a/hostfiles/dokuwiki.80.conf b/hostfiles/dokuwiki.80.conf
new file mode 100644
index 0000000..a0939ba
--- /dev/null
+++ b/hostfiles/dokuwiki.80.conf
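Review bot: The DokuWiki directory deny rule `location ~ /(data|conf|bin|inc|vendor)/ { deny all; }` ships commented out, so until an operator remembers to edit the file after installation, `/conf/` (local settings and the user/password file) and `/data/` (page sources, attic, cache) are reachable through `location /` and `location ~ \.php$`; the same applies to hostfiles/dokuwiki.80.conf. The installer writes to conf/ through the filesystem, not over HTTP, so that rule can be active from the first deploy; only the `/install.php` deny has to wait until setup is finished. I would uncomment the directory rule and rewrite the banner to `# Uncomment the install.php line after dokuwiki is installed`. Its position before `location ~ \.php$` matters and should stay, because nginx takes the first matching regex location.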
@@ -0,0 +1,81 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ server_tokens off;
+ root /var/www/html/DOMAIN;
+ index doku.php;
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginxsnippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginxsnippets/block-engines.conf;
+ include /etc/nginx/nginxsnippets/log-exclude.conf;
+ include /etc/nginx/nginxsnippets/block-htaccess.conf;
+ include /etc/nginx/nginxsnippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ # include /etc/nginx/nginxsnippets/block-engines.conf;
+ include /etc/nginx/nginxsnippets/log-exclude.conf;
+ include /etc/nginx/nginxsnippets/block-file-access.conf;
+ include /etc/nginx/nginxsnippets/block-htaccess.conf;
+ try_files $uri $uri/ @dokuwiki;
+ }
+ ##### Process content stop #################################################
+
+ # Dokuwiki hardening start #################################################
+ # Uncomment these 2 lines containing "location" after dokuwiki is installed
+ # ||
+ # \/
+ # location ~ /(data|conf|bin|inc|vendor)/ { deny all; }
+ # location ~ /install.php { deny all; }
+ # /\
+ # ||
+ # Uncomment these 2 lines containing "location" after dokuwiki is installed
+ # Dokuwiki hardening stop ##################################################
+
+ ##### Dokuwiki specific start ##############################################
+ location @dokuwiki {
+ rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
+ rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
+ rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
+ rewrite ^/(.*) /doku.php?id=$1&$args last;
+ }
+ ##### Dokuwiki specific stop ###############################################
+
+ ##### Process php start ####################################################
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;
+ include /etc/nginx/nginxsnippets/microcache.conf;
+ }
+ ##### Process php stop #####################################################
+
+ ##### Cache js css static content and open files start #####################
+ # include /etc/nginx/nginxsnippets/cache-open-files.conf;
+ include /etc/nginx/nginxsnippets/cache-statics.conf;
+ include /etc/nginx/nginxsnippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process http stop ########################################################
diff --git a/hostfiles/example.443.conf b/hostfiles/example.443.conf
new file mode 100644
index 0000000..2dcd434
--- /dev/null
+++ b/hostfiles/example.443.conf
@@ -0,0 +1,94 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ return 301 https://DOMAIN$request_uri;
+ server_tokens off;
+}
+##### Process http stop ########################################################
+
+##### Process https start ######################################################
+server {
+ listen 443 ssl http2;
+ server_name DOMAIN;
+ server_tokens off;
+ root /var/www/html/DOMAIN;
+ index index.php index.html;
+
+ ##### SSL configuration start ##############################################
+ # ssl_protocols TLSv1.2 TLSv1.3;
+ # ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ # ssl_prefer_server_ciphers off;
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # resolver 8.8.4.4 8.8.8.8;
+ # resolver_timeout 5s;
+ # ssl_session_timeout 1d;
+ # ssl_session_tickets off;
+ # ssl_session_cache shared:SSL:10m;
+ # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
+ # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ ##### SSL configuration stop ###############################################
+
+ ##### XSS headers start ####################################################
+ # add_header X-Frame-Options DENY;
+ # add_header X-Frame-Options SAMEORIGIN;
+ # add_header X-Content-Type-Options nosniff;
+ # add_header X-XSS-Protection "1; mode=block";
+ # add_header Permissions-Policy interest-cohort=();
+ # add_header Content-Security-Policy "default-src 'self'";
+ # add_header Referrer-Policy strict-origin-when-cross-origin;
+ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ ##### XSS headers stop #####################################################
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginxsnippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginxsnippets/block-engines.conf;
+ include /etc/nginx/nginxsnippets/log-exclude.conf;
+ include /etc/nginx/nginxsnippets/block-htaccess.conf;
+ include /etc/nginx/nginxsnippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+ ##### Process content stop #################################################
+
+ ##### Process php start ####################################################
+ location ~ \.php$ {
+ # include /etc/nginx/nginxsnippets/proxyheader.conf;
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;
+ include /etc/nginx/nginxsnippets/microcache.conf;
+ }
+ ##### Process php stop #####################################################
+
+ ##### Cache js css static content and open files start #####################
+ include /etc/nginx/nginxsnippets/cache-open-files.conf;
+ include /etc/nginx/nginxsnippets/cache-statics.conf;
+ include /etc/nginx/nginxsnippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process https stop #######################################################
diff --git a/hostfiles/example.80.conf b/hostfiles/example.80.conf
new file mode 100644
index 0000000..6012717
--- /dev/null
+++ b/hostfiles/example.80.conf
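Review bot: `listen 443 ssl http2;` is paired with an SSL block in which every directive, including `ssl_certificate` and `ssl_certificate_key`, is commented out, so nginx will refuse to load this vhost until they are enabled, yet the README in this commit names only DOMAIN and the PHP socket as required edits; hostfiles/dokuwiki.443.conf, hostfiles/gitea.443.conf and hostfiles/wordpress.443.conf have the same block. I would ship at least `ssl_certificate`, `ssl_certificate_key` and `ssl_protocols TLSv1.2 TLSv1.3;` active, or add a README step saying the certificate lines must be uncommented once the Let's Encrypt files exist. In the header block, the two `X-Frame-Options` lines are alternatives and should be marked as such, and `X-XSS-Protection "1; mode=block"` is a legacy header that current browser guidance sets to `0` or omits.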
@@ -0,0 +1,58 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ server_tokens off;
+ root /var/www/html/DOMAIN;
+ index index.php index.html;
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginxsnippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginxsnippets/block-engines.conf;
+ include /etc/nginx/nginxsnippets/log-exclude.conf;
+ include /etc/nginx/nginxsnippets/block-htaccess.conf;
+ include /etc/nginx/nginxsnippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+ ##### Process content stop #################################################
+
+ ##### Process php start ####################################################
+ location ~ \.php$ {
+ # include /etc/nginx/nginxsnippets/proxyheader.conf;
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;
+ include /etc/nginx/nginxsnippets/microcache.conf;
+ }
+ ##### Process php stop #####################################################
+
+ ##### Cache js css static content and open files start #####################
+ include /etc/nginx/nginxsnippets/cache-open-files.conf;
+ include /etc/nginx/nginxsnippets/cache-statics.conf;
+ include /etc/nginx/nginxsnippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process http stop ########################################################
diff --git a/hostfiles/gitea.443.conf b/hostfiles/gitea.443.conf
new file mode 100644
index 0000000..5d4749c
--- /dev/null
+++ b/hostfiles/gitea.80.conf
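Review bot: This plain-HTTP vhost carries no comment saying when it is meant to be used instead of the `.443` variant, and neither does the README, so a reader can deploy a PHP application whose logins and session cookies cross the network unencrypted; hostfiles/dokuwiki.80.conf, hostfiles/gitea.80.conf and hostfiles/wordpress.80.conf have the same gap. The commented `proxyheader.conf` include suggests these are intended for use behind a TLS-terminating proxy, but that is an inference. I would open the file with `# HTTP-only variant: intended for use behind a TLS-terminating reverse proxy (see proxyheader.conf); do not expose this listener directly.`, or state the same in the README.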
@@ -0,0 +1,88 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ return 301 https://DOMAIN$request_uri;
+ server_tokens off;
+}
+##### Process http stop ########################################################
+
+##### Process https start ######################################################
+server {
+ listen 443 ssl http2;
+ server_name DOMAIN;
+ server_tokens off;
+
+ ##### SSL configuration start ##############################################
+ # ssl_protocols TLSv1.2 TLSv1.3;
+ # ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ # ssl_prefer_server_ciphers off;
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # resolver 8.8.4.4 8.8.8.8;
+ # resolver_timeout 5s;
+ # ssl_session_timeout 1d;
+ # ssl_session_tickets off;
+ # ssl_session_cache shared:SSL:10m;
+ # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
+ # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ ##### SSL configuration stop ###############################################
+
+ ##### XSS headers start ####################################################
+ # add_header X-Frame-Options DENY;
+ # add_header X-Frame-Options SAMEORIGIN;
+ # add_header X-Content-Type-Options nosniff;
+ # add_header X-XSS-Protection "1; mode=block";
+ # add_header Permissions-Policy interest-cohort=();
+ # add_header Content-Security-Policy "default-src 'self'";
+ # add_header Referrer-Policy strict-origin-when-cross-origin;
+ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ ##### XSS headers stop #####################################################
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginxsnippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginxsnippets/block-engines.conf;
+ # include /etc/nginx/nginxsnippets/log-exclude.conf;
+ location = /.env { access_log off; log_not_found off; }
+ location = /favicon.ico { access_log off; log_not_found off; }
+ include /etc/nginx/nginxsnippets/block-htaccess.conf;
+ include /etc/nginx/nginxsnippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ # include /etc/nginx/nginxsnippets/proxyheader.conf;
+ # proxy_set_header Host $host; # May fix som proxy issues
+ # proxy_ssl_verify off; # Disable cert check with internal proxy
+ proxy_pass http://127.0.0.1:3000;
+ }
+ ##### Process content stop #################################################
+
+ ##### Cache js css static content and open files start #####################
+ include /etc/nginx/nginxsnippets/cache-open-files.conf;
+ include /etc/nginx/nginxsnippets/cache-statics.conf;
+ include /etc/nginx/nginxsnippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process https stop #######################################################
diff --git a/hostfiles/gitea.80.conf b/hostfiles/gitea.80.conf
new file mode 100644
index 0000000..5605b60
--- /dev/null
+++ b/hostfiles/gitea.80.conf
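Review bot: `proxy_pass http://127.0.0.1:3000;` is issued with every `proxy_set_header` commented out, so Gitea sees each client as 127.0.0.1 (its access logs, login-failure tracking and any IP-based rules cannot distinguish users) and cannot tell that the request arrived over HTTPS; hostfiles/gitea.80.conf has the same `location /`. The commented `proxyheader.conf` include may be meant to supply these, but nothing in this commit ships that snippet, so the vhost should carry them itself. nginx's default `client_max_body_size` of 1m will also reject larger pushes over HTTP with a 413, which is worth setting explicitly here. The rewritten location is below; the constructed size is an example, not a recommendation.
```nginx
    location / {
        # … unchanged: commented proxyheader / proxy_ssl_verify notes …
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 512m;   # example value: size to the largest push you expect
        proxy_pass http://127.0.0.1:3000;
    }
```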
@@ -0,0 +1,52 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ server_tokens off;
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginxsnippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginxsnippets/block-engines.conf;
+ # include /etc/nginx/nginxsnippets/log-exclude.conf;
+ location = /.env { access_log off; log_not_found off; }
+ location = /favicon.ico { access_log off; log_not_found off; }
+ include /etc/nginx/nginxsnippets/block-htaccess.conf;
+ include /etc/nginx/nginxsnippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ # include /etc/nginx/nginxsnippets/proxyheader.conf;
+ # proxy_set_header Host $host; # May fix som proxy issues
+ # proxy_ssl_verify off; # Disable cert check with internal proxy
+ proxy_pass http://127.0.0.1:3000;
+ }
+ ##### Process content stop #################################################
+
+ ##### Cache js css static content and open files start #####################
+ include /etc/nginx/nginxsnippets/cache-open-files.conf;
+ include /etc/nginx/nginxsnippets/cache-statics.conf;
+ # Optional include /etc/nginx/nginxsnippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process http stop ########################################################
diff --git a/hostfiles/wordpress.443.conf b/hostfiles/wordpress.443.conf
new file mode 100644
index 0000000..e6b4b39
--- /dev/null
+++ b/hostfiles/wordpress.443.conf
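Review bot: `location = /.env { access_log off; log_not_found off; }` and the `/favicon.ico` twin only silence logging; because this server sets no `root` and neither location proxies, the request is served from nginx's default document root and answers 404 by accident of that root being empty, rather than by an explicit decision. The same two lines are in hostfiles/gitea.443.conf. Making the outcome explicit removes the dependence on what happens to be in the default root: `location = /.env { access_log off; log_not_found off; return 404; }`. A one-line comment above them, `# log-noise suppression for common probes; these never reach Gitea`, would also spare the next reader from mistaking them for deny rules.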
@@ -0,0 +1,98 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ return 301 https://DOMAIN$request_uri;
+ server_tokens off;
+}
+##### Process http stop ########################################################
+
+##### Process https start ######################################################
+server {
+ listen 443 ssl http2;
+ server_name DOMAIN;
+ server_tokens off;
+ root /var/www/html/DOMAIN;
+ index index.php index.html;
+
+ ##### SSL configuration start ##############################################
+ # ssl_protocols TLSv1.2 TLSv1.3;
+ # ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ # ssl_prefer_server_ciphers off;
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # resolver 8.8.4.4 8.8.8.8;
+ # resolver_timeout 5s;
+ # ssl_session_timeout 1d;
+ # ssl_session_tickets off;
+ # ssl_session_cache shared:SSL:10m;
+ # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
+ # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ ##### SSL configuration stop ###############################################
+
+ ##### XSS headers start ####################################################
+ # add_header X-Frame-Options DENY;
+ # add_header X-Frame-Options SAMEORIGIN;
+ # add_header X-Content-Type-Options nosniff;
+ # add_header X-XSS-Protection "1; mode=block";
+ # add_header Permissions-Policy interest-cohort=();
+ # add_header Content-Security-Policy "default-src 'self'";
+ # add_header Referrer-Policy strict-origin-when-cross-origin;
+ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ ##### XSS headers stop #####################################################
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginxsnippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginxsnippets/block-engines.conf;
+ include /etc/nginx/nginxsnippets/log-exclude.conf;
+ include /etc/nginx/nginxsnippets/block-htaccess.conf;
+ include /etc/nginx/nginxsnippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+ ##### Process content stop #################################################
+
+ ##### Wordpress Hardeing start #############################################
+ include /etc/nginx/nginxsnippets/wphardening.conf;
+ ##### Wordpress Hardeing stop ##############################################
+
+ ##### Process php start ####################################################
+ location ~ \.php$ {
+ # include /etc/nginx/nginxsnippets/proxyheader.conf;
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;
+ include /etc/nginx/nginxsnippets/microcache.conf;
+ }
+ ##### Process php stop #####################################################
+
+ ##### Cache js css static content and open files start #####################
+ include /etc/nginx/nginxsnippets/cache-open-files.conf;
+ include /etc/nginx/nginxsnippets/cache-statics.conf;
+ include /etc/nginx/nginxsnippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process https stop #######################################################
diff --git a/hostfiles/wordpress.80.conf b/hostfiles/wordpress.80.conf
new file mode 100644
index 0000000..b746ae6
--- /dev/null
+++ b/hostfiles/wordpress.80.conf
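Review bot: `location ~ \.php$` hands every path ending in .php to php-fpm, including anything under `/wp-content/uploads/`, which is the directory WordPress lets plugins and users write to and therefore the one that most needs PHP execution switched off; hostfiles/wordpress.80.conf has the same location. Whether that is already covered depends on `wphardening.conf`, which this commit does not include, so the vhost cannot be reviewed as self-contained. If the snippet does not provide it, add `location ~* /wp-content/uploads/.*\.php$ { deny all; }` in the hardening section, and keep that section where it is, above the php location, because nginx uses the first regex location that matches.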
@@ -0,0 +1,62 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ server_tokens off;
+ root /var/www/html/DOMAIN;
+ index index.php index.html;
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginxsnippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginxsnippets/block-engines.conf;
+ include /etc/nginx/nginxsnippets/log-exclude.conf;
+ include /etc/nginx/nginxsnippets/block-htaccess.conf;
+ include /etc/nginx/nginxsnippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+ ##### Process content stop #################################################
+
+ ##### Wordpress Hardeing start #############################################
+ include /etc/nginx/nginxsnippets/wphardening.conf;
+ ##### Wordpress Hardeing stop ##############################################
+
+ ##### Process php start ####################################################
+ location ~ \.php$ {
+ # include /etc/nginx/nginxsnippets/proxyheader.conf;
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/phpVERSION-fpm.sock;
+ include /etc/nginx/nginxsnippets/microcache.conf;
+ }
+ ##### Process php stop #####################################################
+
+ ##### Cache js css static content and open files start #####################
+ include /etc/nginx/nginxsnippets/cache-open-files.conf;
+ include /etc/nginx/nginxsnippets/cache-statics.conf;
+ include /etc/nginx/nginxsnippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process http stop ########################################################
diff --git a/hostfiles/zabbix.443.conf b/hostfiles/zabbix.443.conf
new file mode 100644
index 0000000..1ed0f99
--- /dev/null
+++ b/hostfiles/zabbix.443.conf
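Review bot: `set $skip_cache 0;` is unconditional in this server block, so unless `/etc/nginx/nginxsnippets/microcache.conf` (not on this page) raises the flag itself, the fastcgi microcache will also store responses to POST requests, query-string requests, wp-admin/wp-login pages and logged-in sessions, which risks handing one user's authenticated page to another. The usual WordPress guard sets `$skip_cache` to 1 for those cases before the `location` blocks, and presumes `microcache.conf` consumes it via `fastcgi_cache_bypass`/`fastcgi_no_cache` — worth confirming. The same unconditional `set` appears in the `wordpress.443.conf` hunk above, whose start falls outside this chunk. Separately, this port-80 variant serves the WordPress login form over cleartext HTTP with no redirect, so a header comment stating it is meant for use behind a TLS-terminating proxy (which the commented-out `proxyheader.conf` include hints at) would keep it from being deployed as a public vhost.
```nginx
    # … unchanged: listen/server_name/root, error pages, bad-bot checks, snippet includes …
    set $skip_cache 0;
    if ($request_method = POST) { set $skip_cache 1; }
    if ($query_string != "") { set $skip_cache 1; }
    if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") { set $skip_cache 1; }
    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") { set $skip_cache 1; }
    # … unchanged: location /, wphardening include, location ~ \.php$, cache includes …
```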
@@ -0,0 +1,122 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ return 301 https://DOMAIN$request_uri;
+ server_tokens off;
+}
+##### Process http stop ########################################################
+
+##### Process https start ######################################################
+server {
+ listen 443 ssl http2;
+ server_name DOMAIN;
+ server_tokens off;
+ root /usr/share/zabbix;
+ index index.php;
+
+ ##### SSL configuration start ##############################################
+ # ssl_protocols TLSv1.2 TLSv1.3;
+ # ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ # ssl_prefer_server_ciphers off;
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # resolver 8.8.4.4 8.8.8.8;
+ # resolver_timeout 5s;
+ # ssl_session_timeout 1d;
+ # ssl_session_tickets off;
+ # ssl_session_cache shared:SSL:10m;
+ # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
+ # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ ##### SSL configuration stop ###############################################
+
+ ##### XSS headers start ####################################################
+ # add_header X-Frame-Options DENY;
+ # add_header X-Frame-Options SAMEORIGIN;
+ # add_header X-Content-Type-Options nosniff;
+ # add_header X-XSS-Protection "1; mode=block";
+ # add_header Permissions-Policy interest-cohort=();
+ # add_header Content-Security-Policy "default-src 'self'";
+ # add_header Referrer-Policy strict-origin-when-cross-origin;
+ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ ##### XSS headers stop #####################################################
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginxsnippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginxsnippets/block-engines.conf;
+ include /etc/nginx/nginxsnippets/log-exclude.conf;
+ include /etc/nginx/nginxsnippets/block-htaccess.conf;
+ include /etc/nginx/nginxsnippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Misc content start ###################################################
+ location / {
+
+ try_files $uri $uri/ =404;
+ }
+
+ location /assets {
+ access_log off;
+ expires 10d;
+ }
+
+ location ~ /(api\/|conf[^\.]|include|locale) {
+ deny all;
+ return 404;
+ }
+ ##### Misc content stop ####################################################
+
+ ##### Process php ##########################################################
+ location ~ [^/]\.php(/|$) {
+ fastcgi_pass unix:/var/run/php/zabbix.sock;
+
+ fastcgi_param DOCUMENT_ROOT /usr/share/zabbix;
+ fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name;
+ fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name;
+
+ include fastcgi_params;
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param CONTENT_TYPE $content_type;
+ fastcgi_param CONTENT_LENGTH $content_length;
+
+ fastcgi_intercept_errors on;
+ fastcgi_ignore_client_abort off;
+ fastcgi_connect_timeout 60;
+ fastcgi_send_timeout 180;
+ fastcgi_read_timeout 180;
+ fastcgi_buffer_size 128k;
+ fastcgi_buffers 4 256k;
+ fastcgi_busy_buffers_size 256k;
+ fastcgi_temp_file_write_size 256k;
+ }
+ ##### Process php ##########################################################
+
+ ##### Cache js css and all statics start ###################################
+ include /etc/nginx/nginxsnippets/cache-open-files.conf;
+ include /etc/nginx/nginxsnippets/cache-statics.conf;
+ include /etc/nginx/nginxsnippets/cache-js-css.conf;
+ ##### Cache js css and all statics stop ####################################
+}
+##### Process https start ######################################################
diff --git a/hostfiles/zabbix.80.conf b/hostfiles/zabbix.80.conf
new file mode 100644
index 0000000..3cf4600
--- /dev/null
+++ b/hostfiles/zabbix.80.conf
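Review bot: Every directive in the `SSL configuration` block of the https server is commented out, so `listen 443 ssl http2;` has no `ssl_certificate`/`ssl_certificate_key` in this file (the http-level `nginx.conf` on this page sets only `ssl_protocols` and `ssl_prefer_server_ciphers`), and nginx will refuse to load the vhost until at least those two lines are uncommented; the HSTS and other `add_header` lines are disabled too, so the https variant currently adds no transport hardening beyond the redirect. Of the commented headers, `X-XSS-Protection` is obsolete and better dropped, and `http2` as a `listen` parameter is deprecated since nginx 1.25.1 in favour of a separate `http2 on;`. In the php location, `fastcgi_pass` is reached with neither `fastcgi_split_path_info` nor an existence check; unless the FPM pool sets `cgi.fix_pathinfo=0`, adding `try_files $fastcgi_script_name =404;` before `fastcgi_pass` stops a path-info URI from being resolved to a different file — the same applies to the php location in `zabbix.80.conf` below. The closing comment `##### Process https start` on the last line should read `##### Process https stop`.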
@@ -0,0 +1,86 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ server_tokens off;
+ root /usr/share/zabbix;
+ index index.php;
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginxsnippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginxsnippets/block-engines.conf;
+ include /etc/nginx/nginxsnippets/log-exclude.conf;
+ include /etc/nginx/nginxsnippets/block-htaccess.conf;
+ include /etc/nginx/nginxsnippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Misc content start ###################################################
+ location / {
+
+ try_files $uri $uri/ =404;
+ }
+
+ location /assets {
+ access_log off;
+ expires 10d;
+ }
+
+ location ~ /(api\/|conf[^\.]|include|locale) {
+ deny all;
+ return 404;
+ }
+ ##### Misc content stop ####################################################
+
+ ##### Process php ##########################################################
+ location ~ [^/]\.php(/|$) {
+ fastcgi_pass unix:/var/run/php/zabbix.sock;
+
+ fastcgi_param DOCUMENT_ROOT /usr/share/zabbix;
+ fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name;
+ fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name;
+
+ include fastcgi_params;
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param CONTENT_TYPE $content_type;
+ fastcgi_param CONTENT_LENGTH $content_length;
+
+ fastcgi_intercept_errors on;
+ fastcgi_ignore_client_abort off;
+ fastcgi_connect_timeout 60;
+ fastcgi_send_timeout 180;
+ fastcgi_read_timeout 180;
+ fastcgi_buffer_size 128k;
+ fastcgi_buffers 4 256k;
+ fastcgi_busy_buffers_size 256k;
+ fastcgi_temp_file_write_size 256k;
+ }
+ ##### Process php ##########################################################
+
+ ##### Cache js css and all statics start ###################################
+ include /etc/nginx/nginxsnippets/cache-open-files.conf;
+ include /etc/nginx/nginxsnippets/cache-statics.conf;
+ include /etc/nginx/nginxsnippets/cache-js-css.conf;
+ ##### Cache js css and all statics stop ####################################
+}
+##### Process http start #######################################################
diff --git a/nginxconf/default b/nginxconf/default
new file mode 100644
index 0000000..aa8c2bd
--- /dev/null
+++ b/nginxconf/default
@@ -0,0 +1,18 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_tokens off;
+ root /var/www/html/default;
+ index index.html index.htm;
+ server_name _;
+
+ access_log /var/log/nginx/direct.ip.access.log main;
+ error_log /var/log/nginx/direct.ip.access.error.log crit;
+ access_log on;
+ log_not_found off;
+
+ location / {
+ return 444;
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/nginxconf/nginx.conf b/nginxconf/nginx.conf
new file mode 100644
index 0000000..02b6712
--- /dev/null
+++ b/nginxconf/nginx.conf
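Review bot: This port-80 server block serves the Zabbix login page and its session cookie over cleartext HTTP with no redirect to https, so it is only appropriate behind a TLS-terminating proxy or on an isolated management network; a one-line comment at the top of the file stating that intent (and that real-client-IP handling is then needed) would keep it from being dropped in as a public vhost. `set $skip_cache 0;` is dead here — unlike the WordPress variant, no `microcache.conf` is included in the php location — and can be removed. The trailing comment `##### Process http start` on the last line should read `##### Process http stop`.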
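Review bot: `access_log on;` is not a valid form of the directive — `access_log` takes a path (or `off`), so nginx treats `on` as a file name relative to its prefix and opens a second log there; the preceding `access_log /var/log/nginx/direct.ip.access.log main;` already enables logging, so the `on` line should simply be deleted. The same stray line is present in `nginx.conf` and `nginx.conf.high.perf` further down. In `location /`, `try_files $uri $uri/ =404;` after `return 444;` is unreachable and can go. Note also that only port 80 has a `default_server`: an HTTPS request to the bare IP or an unknown SNI name falls through to whichever `listen 443` vhost is loaded first, so a matching `listen 443 ssl default_server;` block with `ssl_reject_handshake on;` (nginx 1.19.4+) would close that gap. The `main` log format must come from the `log.conf` snippet included by `nginx.conf`, which is not on this page.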
@@ -0,0 +1,98 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 1024;
+ use epoll;
+ multi_accept on;
+}
+
+http {
+ ##### BASIC SETTINGS ####################### LAST UPDATED 08022021 #####
+ #
+ port_in_redirect off;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ keepalive_requests 100;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ client_body_buffer_size 10K;
+ client_header_buffer_size 4k;
+ client_max_body_size 50m;
+ large_client_header_buffers 2 4k;
+ client_body_timeout 10;
+ client_header_timeout 10;
+ send_timeout 2;
+ reset_timedout_connection on;
+ #
+ ##### BASIC SETTINGS ####################### LAST UPDATED 08022021 #####
+
+ ##### SSL SETTINGS ######################### LAST UPDATED 08022021 #####
+ #
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ #
+ ##### SSL SETTINGS ######################### LAST UPDATED 08022021 #####
+
+ ##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 #####
+ include /etc/nginx/nginxsnippets/cloudflare.conf;
+ ##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 #####
+
+ # BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 #####
+ include /etc/nginx/nginxsnippets/block-referer.conf;
+ include /etc/nginx/nginxsnippets/block-bots.conf;
+ # BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 #####
+
+ ##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 #####
+ include /etc/nginx/nginxsnippets/log.conf;
+ access_log /var/log/nginx/access.log main;
+ error_log /var/log/nginx/error.log crit;
+ access_log on;
+ log_not_found off;
+ #
+ ##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 #####
+
+ ##### GZIP SETTINGS ######################## LAST UPDATED 08022021 #####
+ #
+ include /etc/nginx/nginxsnippets/gzipconfig.conf;
+ #
+ ##### GZIP SETTINGS ######################## LAST UPDATED 08022021 #####
+
+ ##### CACHE SETTINGS ####################### LAST UPDATED 08022021 #####
+ #
+ # open_file_cache max=10000 inactive=20s;
+ # open_file_cache_valid 30s;
+ # open_file_cache_min_uses 2;
+ # open_file_cache_errors on;
+ #
+ ##### CACHE SETTINGS ####################### LAST UPDATED 08022021 #####
+
+ ##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 #####
+ #
+ upstream php-fpm {
+ server unix:/var/run/php/phpVERSION-fpm.sock;
+ }
+ fastcgi_read_timeout 300;
+ fastcgi_cache_path /var/cache/nginx/fcgi levels=1:2 keys_zone=microcache:10m max_size=1024m inactive=1h;
+ #
+ ##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 #####
+
+ ##### VHOST SETTINGS ####################### LAST UPDATED 08022021 #####
+ #
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+ include /etc/nginx/static-sites/*.conf;
+ #
+ ##### VHOST SETTINGS ####################### LAST UPDATED 08022021 #####
+}
diff --git a/nginxconf/nginx.conf.high.perf b/nginxconf/nginx.conf.high.perf
new file mode 100644
index 0000000..7fd6e71
--- /dev/null
+++ b/nginxconf/nginx.conf.high.perf
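Review bot: `ssl_prefer_server_ciphers on;` is set in the http context with no `ssl_ciphers`, so every TLS 1.2 handshake falls back to nginx's built-in default list, which still admits CBC and non-forward-secret RSA key-exchange suites; the only `ssl_ciphers` on this page is the commented-out one in the 443 host files. Pin an explicit list next to `ssl_protocols`, e.g. `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;`, and `ssl_session_tickets off;` plus a shared `ssl_session_cache` belong here once rather than commented out per vhost. The `upstream php-fpm` block is not referenced by any host file on this page — they all `fastcgi_pass` straight to a socket — so either route them through it or drop it, so the `phpVERSION` placeholder lives in one place.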
@@ -0,0 +1,99 @@
+user www-data;
+worker_processes auto;
+worker_rlimit_nofile 100000;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 8000;
+ use epoll;
+ multi_accept on;
+}
+
+http {
+ ##### BASIC SETTINGS ####################### LAST UPDATED 08022021 #####
+ #
+ port_in_redirect off;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ keepalive_requests 100;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ client_body_buffer_size 10K;
+ client_header_buffer_size 4k;
+ client_max_body_size 50m;
+ large_client_header_buffers 2 4k;
+ client_body_timeout 10;
+ client_header_timeout 10;
+ send_timeout 2;
+ reset_timedout_connection on;
+ #
+ ##### BASIC SETTINGS ####################### LAST UPDATED 08022021 #####
+
+ ##### SSL SETTINGS ######################### LAST UPDATED 08022021 #####
+ #
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ #
+ ##### SSL SETTINGS ######################### LAST UPDATED 08022021 #####
+
+ ##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 #####
+ include /etc/nginx/nginxsnippets/cloudflare.conf;
+ ##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 #####
+
+ # BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 #####
+ include /etc/nginx/nginxsnippets/block-referer.conf;
+ include /etc/nginx/nginxsnippets/block-bots.conf;
+ # BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 #####
+
+ ##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 #####
+ include /etc/nginx/nginxsnippets/log.conf;
+ access_log /var/log/nginx/access.log main;
+ error_log /var/log/nginx/error.log crit;
+ access_log on;
+ log_not_found off;
+ #
+ ##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 #####
+
+ ##### GZIP SETTINGS ######################## LAST UPDATED 08022021 #####
+ #
+ include /etc/nginx/nginxsnippets/gzipconfig.conf;
+ #
+ ##### GZIP SETTINGS ######################## LAST UPDATED 08022021 #####
+
+ ##### CACHE SETTINGS ####################### LAST UPDATED 08022021 #####
+ #
+ open_file_cache max=10000 inactive=20s;
+ open_file_cache_valid 30s;
+ open_file_cache_min_uses 2;
+ open_file_cache_errors on;
+ #
+ ##### CACHE SETTINGS ####################### LAST UPDATED 08022021 #####
+
+ ##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 #####
+ #
+ upstream php-fpm {
+ server unix:/var/run/php/phpVERSION-fpm.sock;
+ }
+ fastcgi_read_timeout 300;
+ fastcgi_cache_path /var/cache/nginx/fcgi levels=1:2 keys_zone=microcache:10m max_size=1024m inactive=1h;
+ #
+ ##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 #####
+
+ ##### VHOST SETTINGS ####################### LAST UPDATED 08022021 #####
+ #
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+ include /etc/nginx/static-sites/*.conf;
+ #
+ ##### VHOST SETTINGS ####################### LAST UPDATED 08022021 #####
+}
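Review bot: This file repeats `nginx.conf` line for line apart from `worker_rlimit_nofile`, `worker_connections` and the four uncommented `open_file_cache*` directives, so every future fix (the stray `access_log on;`, cipher settings) has to be applied twice and the two copies will drift — the `LAST UPDATED 08022021` banners already suggest that. Keeping one `nginx.conf` and moving only the tuning lines into an included snippet (e.g. `include /etc/nginx/nginxsnippets/TUNING-SNIPPET.conf;`, name to be chosen) removes the duplication. The `open_file_cache` block deserves a comment: with `open_file_cache_valid 30s;` and `open_file_cache_errors on;`, a file that is deleted, replaced or re-permissioned keeps being served (or keeps returning the cached error) for up to 30 s, which matters when pulling an unintended file out of the web root in a hurry.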