commit ec9dcadf58b3c3cfd75d18ca0b4a0dd948372e9d
Author: allan
Date: Sun Nov 2 11:49:39 2025 +0100
initial commit
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..3eaaa81
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Allan Christensen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..bf665da
--- /dev/null
+++ b/README.md
@@ -0,0 +1,40 @@
+# Nginx Snippets for Ubuntu 24.04 Server
+[![OS](https://img.shields.io/badge/ubuntu-24.04-E95420)](#)
+[![Shell](https://img.shields.io/badge/shell-bash-121011)](#)
+[![WebServer](https://img.shields.io/badge/server-nginx-009639)](#)
+[![PHP](https://img.shields.io/badge/php-fpm-777BB4)](#)
+[![License](https://img.shields.io/badge/License-MIT-green)](./LICENSE)
+
+Reusable and modular configuration snippets for use with Nginx on Ubuntu 24.04 Server.
+
+### Prerequisites
+Nginx must be installed and running before using these snippets.
+
+### Download the Snippets
+Clone the repository directly into your Nginx configuration directory:
+
+```
+git clone https://git.x-files.dk/webserver/nginx-snippets.git /etc/nginx/nginx-snippets
+```
+
+### Usage
+An example configuration file can be found [here](https://git.x-files.dk/webserver/nginx-snippets/src/branch/main/hostfiles/example.80.conf).
+
+> **NOTE**
+> If you already installed Nginx using the method described [here](https://git.x-files.dk/webserver/nginx-ubuntu), these code snippets are already included by default.
+
+### Post-install
+Nothing to do.
+
+---
+
+### More Information
+
+More guides and documentation can be found on [wiki.x-files.dk](https://wiki.x-files.dk)
+
+---
+
+### License
+Licensed under the [MIT License](./LICENSE).
+
+---
diff --git a/block-bots.conf b/block-bots.conf
new file mode 100644
index 0000000..66aae77
--- /dev/null
+++ b/block-bots.conf
@@ -0,0 +1,15 @@
+map $http_user_agent $bad_user_agent {
+
+ default 0;
+
+ "~*backdoor" 1;
+ "~LieBaoFast" 1;
+ "~AhrefsBot" 1;
+ "~DotBot" 1;
+ "~MauiBot" 1;
+ "~MJ12Bot" 1;
+ "~PetalBot" 1;
+ "~PetalBot" 1;
+ "~SEMrushBot" 1;
+ "~UCBrowser" 1;
+}
diff --git a/block-engines.conf b/block-engines.conf
new file mode 100644
index 0000000..d2a7094
--- /dev/null
+++ b/block-engines.conf
@@ -0,0 +1 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
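Review bot: `"~PetalBot" 1;` appears twice in the block-bots.conf map; the second entry is dead and should be dropped. The patterns are also inconsistent about case: only `~*backdoor` is case-insensitive, while `~AhrefsBot`, `~DotBot` and the rest match case-sensitively, so a differently-cased variant of the same token slips through; `"~*PetalBot" 1;` (and likewise for the others) is the consistent form. Since `$http_user_agent` is entirely client-supplied, this map is a nuisance filter for well-behaved crawlers rather than an access control, and the hostfiles that test `$bad_user_agent` presumably rely on this file being included at `http` level by the main nginx.conf; a header comment stating that requirement would help, because a server block referencing an undefined variable fails `nginx -t`.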
diff --git a/block-file-access.conf b/block-file-access.conf
new file mode 100644
index 0000000..8aa2e41
--- /dev/null
+++ b/block-file-access.conf
@@ -0,0 +1,8 @@
+location ~ /\.git {
+deny all;
+return 404;
+}
+
+location ~ (\.aws$|\.cgi$|\.env$|\.perl$|\.pl$|\.py$|\.sh$) {
+return 444;
+}
diff --git a/block-htaccess.conf b/block-htaccess.conf
new file mode 100644
index 0000000..dac3eb4
--- /dev/null
+++ b/block-htaccess.conf
@@ -0,0 +1,4 @@
+location ~ /\.ht {
+deny all;
+return 404;
+}
diff --git a/block-referer.conf b/block-referer.conf
new file mode 100644
index 0000000..a386aae
--- /dev/null
+++ b/block-referer.conf
@@ -0,0 +1,32 @@
+map $http_referer $bad_referer {
+ hostnames;
+
+ default 0;
+
+ "~binance.com" 1;
+ "~social-buttons.com" 1;
+ "~semalt.com" 1;
+ "~kambasoft.com" 1;
+ "~savetubevideo.com" 1;
+ "~descargar-musica-gratis.net" 1;
+ "~7makemoneyonline.com" 1;
+ "~baixar-musicas-gratis.com" 1;
+ "~iloveitaly.com" 1;
+ "~ilovevitaly.ru" 1;
+ "~fbdownloader.com" 1;
+ "~econom.co" 1;
+ "~buttons-for-website.com" 1;
+ "~buttons-for-your-website.com" 1;
+ "~srecorder.co" 1;
+ "~darodar.com" 1;
+ "~priceg.com" 1;
+ "~blackhatworth.com" 1;
+ "~adviceforum.info" 1;
+ "~hulfingtonpost.com" 1;
+ "~best-seo-solution.com" 1;
+ "~googlsucks.com" 1;
+ "~theguardlan.com" 1;
+ "~i-x.wiki" 1;
+ "~buy-cheap-online.info" 1;
+ "~Get-Free-Traffic-Now.com" 1;
+}
diff --git a/cache-js-css.conf b/cache-js-css.conf
new file mode 100644
index 0000000..069861c
--- /dev/null
+++ b/cache-js-css.conf
@@ -0,0 +1,4 @@
+location ~* ^.+\.(css|js)$ {
+expires 1y;
+add_header Cache-Control "max-age=31600000, public";
+}
diff --git a/cache-open-files.conf b/cache-open-files.conf
new file mode 100644
index 0000000..97b1fb5
--- /dev/null
+++ b/cache-open-files.conf
@@ -0,0 +1,4 @@
+open_file_cache max=10000 inactive=20s;
+open_file_cache_valid 30s;
+open_file_cache_min_uses 2;
+open_file_cache_errors on;
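Review bot: In the `/\.git` location of block-file-access.conf, `return 404;` runs in the rewrite phase before `deny all;` is ever evaluated, so the `deny` is dead code here and in block-htaccess.conf; keep one mechanism (`deny all;` alone answers 403, `return 404;` alone hides the path) so the intended status is obvious to the next reader. The second regex only matches when the sensitive suffix is the final extension, so copies such as `.env.bak` or `.env.local` are not covered; `\.env(\.|$)` would close that gap for the most sensitive case. Both files use case-sensitive `~`, which is fine on a case-sensitive filesystem but deserves a comment, as does the choice to leave common dump/backup suffixes (`.sql`, `.bak`, `.log`) out of scope if that is deliberate.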
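Review bot: `hostnames;` in block-referer.conf only affects plain and prefix/suffix keys, so it does nothing for the `~` regex entries that make up this map; either drop it or document why it is there. The regex keys have unescaped dots and no anchors and are matched against the full Referer URL, so `~econom.co` or `~i-x.wiki` can fire on a legitimate referer whose path or query merely contains a similar string, and the case-sensitive `~Get-Free-Traffic-Now.com` will not match the lower-cased host a browser actually sends; an anchored, escaped, case-insensitive key such as `"~*^https?://([^/]+\.)?semalt\.com(/|$)" 1;` is the precise form. As with the user-agent map, Referer is client-controlled, so this is spam hygiene rather than a security boundary.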
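Review bot: In cache-js-css.conf, `expires 1y;` already emits `Cache-Control: max-age=31536000`, and the following `add_header Cache-Control "max-age=31600000, public";` appends a second Cache-Control header with a different max-age (31600000 is not one year), so clients receive two conflicting directives; keep `expires 1y;` and reduce the second line to `add_header Cache-Control "public";`, or drop `expires` and send a single `add_header Cache-Control "public, max-age=31536000";`. cache-statics.conf has the same double header (`expires max;` plus `add_header Cache-Control "public";`), though there the values at least do not disagree. Note also that an `add_header` inside these locations replaces the inherited server-level `add_header` set, so the X-Robots-Tag from block-engines.conf and any security headers enabled in the hostfiles would not be sent for matching static responses unless repeated here.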
diff --git a/cache-statics.conf b/cache-statics.conf
new file mode 100644
index 0000000..7182915
--- /dev/null
+++ b/cache-statics.conf
@@ -0,0 +1,6 @@
+location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
+expires max;
+add_header Cache-Control "public";
+access_log off;
+log_not_found off;
+}
diff --git a/cloudflare.conf b/cloudflare.conf
new file mode 100644
index 0000000..fd34af2
--- /dev/null
+++ b/cloudflare.conf
@@ -0,0 +1,27 @@
+# - IPv4
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 131.0.72.0/22;
+
+# - IPv6
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
+
+real_ip_header CF-Connecting-IP;
diff --git a/custom-errors.conf b/custom-errors.conf
new file mode 100644
index 0000000..a167dc9
--- /dev/null
+++ b/custom-errors.conf
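Review bot: The trusted ranges in cloudflare.conf are a point-in-time copy with no provenance, and `set_real_ip_from` lists drift: once Cloudflare adds a prefix, traffic from it is logged, rate-limited and filtered under the edge address instead of the client address. Add a header comment such as `# Source: https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, fetched <DATE>` and refresh the list on a schedule. The same comment should say that this snippet only rewrites the client address for requests arriving from Cloudflare; it does not restrict the origin to Cloudflare, so if the origin is meant to be reachable only through the CDN, a firewall allow list or authenticated origin pulls is a separate step.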
@@ -0,0 +1,20 @@
+error_page 400 /errorpages/custom_400.html;
+error_page 401 /errorpages/custom_401.html;
+error_page 403 /errorpages/custom_403.html;
+error_page 404 /errorpages/custom_404.html;
+error_page 500 /errorpages/custom_500.html;
+error_page 502 /errorpages/custom_502.html;
+error_page 503 /errorpages/custom_503.html;
+error_page 504 /errorpages/custom_504.html;
+
+# Serve all HTML, CSS, and image assets from one directory
+location ^~ /errorpages/ {
+ alias /etc/nginx/nginx-snippets/errorpages/;
+ # Restrict to safe static types
+ types {
+ text/html html;
+ text/css css;
+ image/png png;
+ }
+ default_type text/html;
+}
diff --git a/errorpages/custom_400.html b/errorpages/custom_400.html
new file mode 100644
index 0000000..b26a09b
--- /dev/null
+++ b/errorpages/custom_400.html
@@ -0,0 +1,44 @@
+ + + + + + 400 BAD REQUEST + + + + +
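Review bot: The commit ships errorpages/custom_402.html and errorpages/custom_501.html but custom-errors.conf never maps them, so those two pages are dead; add `error_page 402 /errorpages/custom_402.html;` and `error_page 501 /errorpages/custom_501.html;` or remove the files. The `^~ /errorpages/` prefix also makes the directory directly browsable, and `default_type text/html` serves anything in it that is not `.html`/`.css`/`.png` as HTML; if the pages are only meant to be reached through `error_page`, adding `internal;` to the location keeps the internal redirects working while direct requests get a 404. Since `^~` stops regex matching, the hostfiles' `location ~ \.php$` handler is never applied under this prefix, which is right for a static directory but worth stating in the existing comment.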
+ + + + + + + + + + + + + + + BAD REQUEST + + + + + + + 400 + + + +
+ + +
diff --git a/errorpages/custom_401.html b/errorpages/custom_401.html
new file mode 100644
index 0000000..9b95128
--- /dev/null
+++ b/errorpages/custom_401.html
@@ -0,0 +1,44 @@
+ + + + + + 401 UNAUTHORIZED + + + + +
+ + + + + + + + + + + + + + + UNAUTHORIZED + + + + + + + 401 + + + +
+ + +
diff --git a/errorpages/custom_402.html b/errorpages/custom_402.html
new file mode 100644
index 0000000..7fbfda8
--- /dev/null
+++ b/errorpages/custom_402.html
@@ -0,0 +1,44 @@
+ + + + + + 402 PAYMENT REQUIRED + + + + +
+ + + + + + + + + + + + + + + PAYMENT REQUIRED + + + + + + + 402 + + + +
+ + +
diff --git a/errorpages/custom_403.html b/errorpages/custom_403.html
new file mode 100644
index 0000000..142f46b
--- /dev/null
+++ b/errorpages/custom_403.html
@@ -0,0 +1,44 @@
+ + + + + + 403 FORBIDDEN + + + + +
+ + + + + + + + + + + + + + + FORBIDDEN + + + + + + + 403 + + + +
+ + +
diff --git a/errorpages/custom_404.html b/errorpages/custom_404.html
new file mode 100644
index 0000000..a09258e
--- /dev/null
+++ b/errorpages/custom_404.html
@@ -0,0 +1,44 @@
+ + + + + + 404 NOT FOUND + + + + +
+ + + + + + + + + + + + + + + NOT FOUND + + + + + + + 404 + + + +
+ + +
diff --git a/errorpages/custom_500.html b/errorpages/custom_500.html
new file mode 100644
index 0000000..329325b
--- /dev/null
+++ b/errorpages/custom_500.html
@@ -0,0 +1,44 @@
+ + + + + + 500 INTERNAL SERVER ERROR + + + + +
+ + + + + + + + + + + + + + + INTERNAL SERVER ERROR + + + + + + + 500 + + + +
+ + +
diff --git a/errorpages/custom_501.html b/errorpages/custom_501.html
new file mode 100644
index 0000000..4df33bd
--- /dev/null
+++ b/errorpages/custom_501.html
@@ -0,0 +1,44 @@
+ + + + + + 501 NOT IMPLEMENTED + + + + +
+ + + + + + + + + + + + + + + NOT IMPLEMENTED + + + + + + + 501 + + + +
+ + +
diff --git a/errorpages/custom_502.html b/errorpages/custom_502.html
new file mode 100644
index 0000000..1faccc3
--- /dev/null
+++ b/errorpages/custom_502.html
@@ -0,0 +1,44 @@
+ + + + + + 502 BAD GATEWAY + + + + +
+ + + + + + + + + + + + + + + BAD GATEWAY + + + + + + + 502 + + + +
+ + +
diff --git a/errorpages/custom_503.html b/errorpages/custom_503.html
new file mode 100644
index 0000000..9494896
--- /dev/null
+++ b/errorpages/custom_503.html
@@ -0,0 +1,44 @@
+ + + + + + 503 SERVICE UNAVAILABLE + + + + +
+ + + + + + + + + + + + + + + SERVICE UNAVAILABLE + + + + + + + 503 + + + +
+ + +
diff --git a/errorpages/custom_504.html b/errorpages/custom_504.html
new file mode 100644
index 0000000..074e5c2
--- /dev/null
+++ b/errorpages/custom_504.html
@@ -0,0 +1,44 @@
+ + + + + + 504 GATEWAY TIMEOUT + + + + +
+ + + + + + + + + + + + + + + GATEWAY TIMEOUT + + + + + + + 504 + + + +
+ + +
diff --git a/errorpages/logo.png b/errorpages/logo.png
new file mode 100644
index 0000000..8e9297b
Binary files /dev/null and b/errorpages/logo.png differ
diff --git a/errorpages/style.css b/errorpages/style.css
new file mode 100644
index 0000000..1399391
--- /dev/null
+++ b/errorpages/style.css
@@ -0,0 +1,37 @@
+/*
+#
+# Full height page, flexbox centers the SVG horizontally and vertically.
+#
+*/
+html, body {
+ height: 100%;
+ margin: 0;
+ background: #fff;
+}
+
+body {
+ display: flex;
+ justify-content: center;
+ align-items: center;
+}
+
+/*
+#
+# Force SVG to act as a block so flexbox can center it properly.
+#
+*/
+svg {
+ display: block;
+}
+
+/*
+#
+# Text style for the arc labels.
+#
+*/
+svg text {
+ font-family: Arial, sans-serif;
+ font-size: 12px;
+ fill: #d90000;
+ letter-spacing: 1px;
+}
diff --git a/gzipconfig.conf b/gzipconfig.conf
new file mode 100644
index 0000000..b45e8de
--- /dev/null
+++ b/gzipconfig.conf
@@ -0,0 +1,9 @@
+gzip on;
+gzip_disable "msie6";
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
+gzip_min_length 256;
+gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;
diff --git a/hostfiles/README.md b/hostfiles/README.md
new file mode 100644
index 0000000..29af6e1
--- /dev/null
+++ b/hostfiles/README.md
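Review bot: `gzip_types` in gzipconfig.conf includes `text/plain` and `application/json` on top of the implicit `text/html`, so with the 443 hostfiles this compresses dynamic PHP responses over TLS; where a page reflects attacker-influenced input next to a secret such as a CSRF token, that combination is the precondition for BREACH-style compression side channels. A one-line comment naming that trade-off, and a pointer to the `gzip off;` hook the hostfiles already provide for applications that do not mask such tokens per request, would make the snippet safer to reuse. `gzip_disable "msie6";` and `application/x-javascript` are legacy entries that can be dropped, and `gzip_http_version 1.1;` only restates the default.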
@@ -0,0 +1,39 @@
+# Nginx Hostfile Configuration Guide
+[![OS](https://img.shields.io/badge/ubuntu-24.04-E95420)](#)
+[![Shell](https://img.shields.io/badge/shell-bash-121011)](#)
+[![WebServer](https://img.shields.io/badge/server-nginx-009639)](#)
+[![PHP](https://img.shields.io/badge/php-fpm-777BB4)](#)
+[![License](https://img.shields.io/badge/License-MIT-green)](./LICENSE)
+
+Instructions for adjusting host-specific configuration files included with the **nginx-snippets** collection.
+
+## Configuration Adjustments Required
+
+### Domain
+Replace every occurrence of the variable `DOMAIN` in the configuration file with your actual domain name.
+
+### PHP Socket
+Update the PHP-FPM socket reference to match the version currently installed. For example, change:
+
+```
+PHPVERSION.sock
+```
+
+to something like:
+
+```
+php8.3-fpm.sock
+```
+
+---
+
+### More Information
+
+More guides and documentation can be found on [wiki.x-files.dk](https://wiki.x-files.dk)
+
+---
+
+### License
+Licensed under the [MIT License](./LICENSE).
+
+---
diff --git a/hostfiles/dokuwiki.443.conf b/hostfiles/dokuwiki.443.conf
new file mode 100644
index 0000000..c9dace2
--- /dev/null
+++ b/hostfiles/dokuwiki.443.conf
@@ -0,0 +1,117 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ server_tokens off;
+ return 301 https://DOMAIN$request_uri;
+}
+##### Process http stop ########################################################
+
+##### Process https start ######################################################
+server {
+ listen 443 ssl http2;
+ server_name DOMAIN;
+ server_tokens off;
+ root /var/www/html/DOMAIN;
+ index doku.php;
+
+ ##### SSL configuration start ##############################################
+ # ssl_protocols TLSv1.2 TLSv1.3;
+ # ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ # ssl_prefer_server_ciphers off;
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # resolver 8.8.4.4 8.8.8.8;
+ # resolver_timeout 5s;
+ # ssl_session_timeout 1d;
+ # ssl_session_tickets off;
+ # ssl_session_cache shared:SSL:10m;
+ # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
+ # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ ##### SSL configuration stop ###############################################
+
+ ##### XSS headers start ####################################################
+ # add_header X-Frame-Options DENY;
+ # add_header X-Frame-Options SAMEORIGIN;
+ # add_header X-Content-Type-Options nosniff;
+ # add_header X-XSS-Protection "1; mode=block";
+ # add_header Permissions-Policy interest-cohort=();
+ # add_header Content-Security-Policy "default-src 'self'";
+ # add_header Referrer-Policy strict-origin-when-cross-origin;
+ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ ##### XSS headers stop #####################################################
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginx-snippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginx-snippets/block-engines.conf;
+ include /etc/nginx/nginx-snippets/log-exclude.conf;
+ include /etc/nginx/nginx-snippets/block-htaccess.conf;
+ include /etc/nginx/nginx-snippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ # include /etc/nginx/nginx-snippets/block-engines.conf;
+ include /etc/nginx/nginx-snippets/log-exclude.conf;
+ include /etc/nginx/nginx-snippets/block-file-access.conf;
+ include /etc/nginx/nginx-snippets/block-htaccess.conf;
+ try_files $uri $uri/ @dokuwiki;
+ }
+ ##### Process content stop #################################################
+
+ # Dokuwiki hardening start #################################################
+ # Uncomment these 2 lines containing "location" after dokuwiki is installed
+ # ||
+ # \/
+ # location ~ /(data|conf|bin|inc|vendor)/ { deny all; }
+ # location ~ /install.php { deny all; }
+ # /\
+ # ||
+ # Uncomment these 2 lines containing "location" after dokuwiki is installed
+ # Dokuwiki hardening stop ##################################################
+
+ ##### Dokuwiki specific start ##############################################
+ location @dokuwiki {
+ rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
+ rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
+ rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
+ rewrite ^/(.*) /doku.php?id=$1&$args last;
+ }
+ ##### Dokuwiki specific stop ###############################################
+
+ ##### Process php start ####################################################
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/PHPVERSION.sock;
+ include /etc/nginx/nginx-snippets/microcache.conf;
+ }
+ ##### Process php stop #####################################################
+
+ ##### Cache js css static content and open files start #####################
+ # include /etc/nginx/nginx-snippets/cache-open-files.conf;
+ # include /etc/nginx/nginx-snippets/cache-statics.conf;
+ # include /etc/nginx/nginx-snippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process https stop #######################################################
diff --git a/hostfiles/dokuwiki.80.conf b/hostfiles/dokuwiki.80.conf
new file mode 100644
index 0000000..b455728
--- /dev/null
+++ b/hostfiles/dokuwiki.80.conf
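Review bot: The DokuWiki hardening block in hostfiles/dokuwiki.443.conf is shipped fully commented out, so `data/`, `conf/`, `bin/`, `inc/` and `vendor/` stay reachable over HTTP until an operator remembers the post-install step, and `conf/` is where DokuWiki keeps its local configuration and user/password file. Only the `install.php` rule needs to wait for installation, so ship `location ~ /(data|conf|bin|inc|vendor)/ { deny all; }` active and keep `location ~ /install\.php { deny all; }` as the opt-in; the same applies to hostfiles/dokuwiki.80.conf. The TLS section is also entirely commented, so as committed this `listen 443 ssl` server has no `ssl_certificate`, which nginx rejects at `nginx -t` unless one is defined at `http` level — presumably the nginx-ubuntu setup does that, but a comment saying so is needed here and in hostfiles/example.443.conf and hostfiles/gitea-multi.443.conf. The includes of block-file-access.conf and block-htaccess.conf nested inside `location /` are redundant: the same regex locations already exist at server level and are matched first, so the nested copies are never reached.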
@@ -0,0 +1,81 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ server_tokens off;
+ root /var/www/html/DOMAIN;
+ index doku.php;
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginx-snippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginx-snippets/block-engines.conf;
+ include /etc/nginx/nginx-snippets/log-exclude.conf;
+ include /etc/nginx/nginx-snippets/block-htaccess.conf;
+ include /etc/nginx/nginx-snippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ # include /etc/nginx/nginx-snippets/block-engines.conf;
+ include /etc/nginx/nginx-snippets/log-exclude.conf;
+ include /etc/nginx/nginx-snippets/block-file-access.conf;
+ include /etc/nginx/nginx-snippets/block-htaccess.conf;
+ try_files $uri $uri/ @dokuwiki;
+ }
+ ##### Process content stop #################################################
+
+ # Dokuwiki hardening start #################################################
+ # Uncomment these 2 lines containing "location" after dokuwiki is installed
+ # ||
+ # \/
+ # location ~ /(data|conf|bin|inc|vendor)/ { deny all; }
+ # location ~ /install.php { deny all; }
+ # /\
+ # ||
+ # Uncomment these 2 lines containing "location" after dokuwiki is installed
+ # Dokuwiki hardening stop ##################################################
+
+ ##### Dokuwiki specific start ##############################################
+ location @dokuwiki {
+ rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
+ rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
+ rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
+ rewrite ^/(.*) /doku.php?id=$1&$args last;
+ }
+ ##### Dokuwiki specific stop ###############################################
+
+ ##### Process php start ####################################################
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/PHPVERSION.sock;
+ include /etc/nginx/nginx-snippets/microcache.conf;
+ }
+ ##### Process php stop #####################################################
+
+ ##### Cache js css static content and open files start #####################
+ # include /etc/nginx/nginx-snippets/cache-open-files.conf;
+ # include /etc/nginx/nginx-snippets/cache-statics.conf;
+ # include /etc/nginx/nginx-snippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process http stop ########################################################
diff --git a/hostfiles/example.443.conf b/hostfiles/example.443.conf
new file mode 100644
index 0000000..7fba4e5
--- /dev/null
+++ b/hostfiles/example.443.conf
@@ -0,0 +1,94 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ return 301 https://DOMAIN$request_uri;
+ server_tokens off;
+}
+##### Process http stop ########################################################
+
+##### Process https start ######################################################
+server {
+ listen 443 ssl http2;
+ server_name DOMAIN;
+ server_tokens off;
+ root /var/www/html/DOMAIN;
+ index index.php index.html;
+
+ ##### SSL configuration start ##############################################
+ # ssl_protocols TLSv1.2 TLSv1.3;
+ # ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ # ssl_prefer_server_ciphers off;
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # resolver 8.8.4.4 8.8.8.8;
+ # resolver_timeout 5s;
+ # ssl_session_timeout 1d;
+ # ssl_session_tickets off;
+ # ssl_session_cache shared:SSL:10m;
+ # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
+ # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ ##### SSL configuration stop ###############################################
+
+ ##### XSS headers start ####################################################
+ # add_header X-Frame-Options DENY;
+ # add_header X-Frame-Options SAMEORIGIN;
+ # add_header X-Content-Type-Options nosniff;
+ # add_header X-XSS-Protection "1; mode=block";
+ # add_header Permissions-Policy interest-cohort=();
+ # add_header Content-Security-Policy "default-src 'self'";
+ # add_header Referrer-Policy strict-origin-when-cross-origin;
+ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ ##### XSS headers stop #####################################################
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginx-snippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginx-snippets/block-engines.conf;
+ include /etc/nginx/nginx-snippets/log-exclude.conf;
+ include /etc/nginx/nginx-snippets/block-htaccess.conf;
+ include /etc/nginx/nginx-snippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+ ##### Process content stop #################################################
+
+ ##### Process php start ####################################################
+ location ~ \.php$ {
+ # include /etc/nginx/nginx-snippets/proxyheader.conf;
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/PHPVERSION.sock;
+ include /etc/nginx/nginx-snippets/microcache.conf;
+ }
+ ##### Process php stop #####################################################
+
+ ##### Cache js css static content and open files start #####################
+ # include /etc/nginx/nginx-snippets/cache-open-files.conf;
+ # include /etc/nginx/nginx-snippets/cache-statics.conf;
+ # include /etc/nginx/nginx-snippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process https stop #######################################################
diff --git a/hostfiles/example.80.conf b/hostfiles/example.80.conf
new file mode 100644
index 0000000..82aed36
--- /dev/null
+++ b/hostfiles/example.80.conf
@@ -0,0 +1,58 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ server_tokens off;
+ root /var/www/html/DOMAIN;
+ index index.php index.html;
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginx-snippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginx-snippets/block-engines.conf;
+ include /etc/nginx/nginx-snippets/log-exclude.conf;
+ include /etc/nginx/nginx-snippets/block-htaccess.conf;
+ include /etc/nginx/nginx-snippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+ ##### Process content stop #################################################
+
+ ##### Process php start ####################################################
+ location ~ \.php$ {
+ # include /etc/nginx/nginx-snippets/proxyheader.conf;
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/PHPVERSION.sock;
+ include /etc/nginx/nginx-snippets/microcache.conf;
+ }
+ ##### Process php stop #####################################################
+
+ ##### Cache js css static content and open files start #####################
+ # include /etc/nginx/nginx-snippets/cache-open-files.conf;
+ # include /etc/nginx/nginx-snippets/cache-statics.conf;
+ # include /etc/nginx/nginx-snippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process http stop ########################################################
diff --git a/hostfiles/gitea-multi.443.conf b/hostfiles/gitea-multi.443.conf
new file mode 100644
index 0000000..dcd4fb1
--- /dev/null
+++ b/hostfiles/gitea-multi.443.conf
@@ -0,0 +1,88 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ return 301 https://DOMAIN$request_uri;
+ server_tokens off;
+}
+##### Process http stop ########################################################
+
+##### Process https start ######################################################
+server {
+ listen 443 ssl http2;
+ server_name DOMAIN;
+ server_tokens off;
+
+ ##### SSL configuration start ##############################################
+ # ssl_protocols TLSv1.2 TLSv1.3;
+ # ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ # ssl_prefer_server_ciphers off;
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # resolver 8.8.4.4 8.8.8.8;
+ # resolver_timeout 5s;
+ # ssl_session_timeout 1d;
+ # ssl_session_tickets off;
+ # ssl_session_cache shared:SSL:10m;
+ # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
+ # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ ##### SSL configuration stop ###############################################
+
+ ##### XSS headers start ####################################################
+ # add_header X-Frame-Options DENY;
+ # add_header X-Frame-Options SAMEORIGIN;
+ # add_header X-Content-Type-Options nosniff;
+ # add_header X-XSS-Protection "1; mode=block";
+ # add_header Permissions-Policy interest-cohort=();
+ # add_header Content-Security-Policy "default-src 'self'";
+ # add_header Referrer-Policy strict-origin-when-cross-origin;
+ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ ##### XSS headers stop #####################################################
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginx-snippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginx-snippets/block-engines.conf;
+ # include /etc/nginx/nginx-snippets/log-exclude.conf;
+ location = /.env { access_log off; log_not_found off; }
+ location = /favicon.ico { access_log off; log_not_found off; }
+ include /etc/nginx/nginx-snippets/block-htaccess.conf;
+ include /etc/nginx/nginx-snippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ # include /etc/nginx/nginx-snippets/proxyheader.conf;
+ # proxy_set_header Host $host; # May fix som proxy issues
+ # proxy_ssl_verify off; # Disable cert check with internal proxy
+ proxy_pass http://127.0.0.1:GITEAPORT;
+ }
+ ##### Process content stop #################################################
+
+ ##### Cache js css static content and open files start #####################
+ # include /etc/nginx/nginx-snippets/cache-open-files.conf;
+ # include /etc/nginx/nginx-snippets/cache-statics.conf;
+ # include /etc/nginx/nginx-snippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process https stop #######################################################
diff --git a/hostfiles/gitea-multi.80.conf b/hostfiles/gitea-multi.80.conf
new file mode 100644
index 0000000..017722b
--- /dev/null
+++ b/hostfiles/gitea-multi.80.conf
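Review bot: `location = /.env { access_log off; log_not_found off; }` in hostfiles/gitea-multi.443.conf is an exact-match location, which wins over the `\.env$` regex from block-file-access.conf included two lines later, so on these hosts `/.env` is no longer answered with 444 but falls through to a static lookup under nginx's default root (no `root` is set in this server block) and ends in a 404; if the goal is only to keep `/.env` probes out of the logs, add `return 444;` inside that location as well. The proxied `location /` forwards to Gitea without `Host`, `X-Forwarded-For`, `X-Forwarded-Proto` or `X-Real-IP`, so Gitea's logs and any IP-based throttling see 127.0.0.1 for every client and the original scheme is lost; enabling the proxyheader.conf include (or setting those headers inline) should be the default rather than a commented option. The commented `proxy_ssl_verify off;` refers to an HTTPS upstream while `proxy_pass` uses `http://`, so that hint is misleading as written. All three points apply equally to hostfiles/gitea-multi.80.conf.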
@@ -0,0 +1,52 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + server_tokens off; + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop ############################# + + ##### Optional disable gzip start ########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + # include /etc/nginx/nginx-snippets/log-exclude.conf; + location = /.env { access_log off; log_not_found off; } + location = /favicon.ico { access_log off; log_not_found off; } + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Process content start ################################################ + location / { + # include /etc/nginx/nginx-snippets/proxyheader.conf; + # proxy_set_header Host $host; # May fix som proxy issues + # proxy_ssl_verify off; # Disable cert check with internal proxy + proxy_pass http://127.0.0.1:GITEAPORT; + } + ##### 
Process content stop ################################################# + + ##### Cache js css static content and open files start ##################### + # include /etc/nginx/nginx-snippets/cache-open-files.conf; + # include /etc/nginx/nginx-snippets/cache-statics.conf; + # include /etc/nginx/nginx-snippets/cache-js-css.conf; + ##### Cache js css static content and open files stop ###################### +} +##### Process http stop ######################################################## diff --git a/hostfiles/gitea.443.conf b/hostfiles/gitea.443.conf new file mode 100644 index 0000000..2644f3e --- /dev/null +++ b/hostfiles/gitea.443.conf 
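Review bot: The inline `location = /.env { ... }` and `location = /favicon.ico { ... }` under "Optional stuff" duplicate the first two entries of log-exclude.conf, so un-commenting the `# include /etc/nginx/nginx-snippets/log-exclude.conf;` line directly above them makes nginx reject the vhost with a duplicate-location error; keep one copy, preferably the include. The commented `# include /etc/nginx/nginx-snippets/proxyheader.conf;` inside `location /` names a file that does not appear anywhere in this diff — the header snippet the commit adds is `proxy-params.conf` — so the line cannot be enabled as written. As committed, the proxy forwards no `Host`/`X-Real-IP`/`X-Forwarded-For`/`X-Forwarded-Proto` headers, so Gitea sees every client as 127.0.0.1 in its own logs and any IP-based limits it applies; consider making the proxy-params include active by default. The same three points apply to hostfiles/gitea.80.conf and to the https server in hostfiles/gitea.443.conf.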
@@ -0,0 +1,88 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + return 301 https://DOMAIN$request_uri; + server_tokens off; +} +##### Process http stop ######################################################## + +##### Process https start ###################################################### +server { + listen 443 ssl http2; + server_name DOMAIN; + server_tokens off; + + ##### SSL configuration start ############################################## + # ssl_protocols TLSv1.2 TLSv1.3; + # ssl_ciphers EECDH+AESGCM:EDH+AESGCM; + # ssl_prefer_server_ciphers off; + # ssl_stapling on; + # ssl_stapling_verify on; + # resolver 8.8.4.4 8.8.8.8; + # resolver_timeout 5s; + # ssl_session_timeout 1d; + # ssl_session_tickets off; + # ssl_session_cache shared:SSL:10m; + # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; + # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; + # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; + ##### SSL configuration stop ############################################### + + ##### XSS headers start #################################################### + # add_header X-Frame-Options DENY; + # add_header X-Frame-Options SAMEORIGIN; + # add_header X-Content-Type-Options nosniff; + # add_header X-XSS-Protection "1; mode=block"; + # add_header Permissions-Policy interest-cohort=(); + # add_header Content-Security-Policy "default-src 'self'"; + # add_header Referrer-Policy strict-origin-when-cross-origin; + # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + ##### XSS headers stop ##################################################### + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop ############################# + + ##### Optional disable gzip start 
########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + # include /etc/nginx/nginx-snippets/log-exclude.conf; + location = /.env { access_log off; log_not_found off; } + location = /favicon.ico { access_log off; log_not_found off; } + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Process content start ################################################ + location / { + # include /etc/nginx/nginx-snippets/proxyheader.conf; + # proxy_set_header Host $host; # May fix som proxy issues + # proxy_ssl_verify off; # Disable cert check with internal proxy + proxy_pass http://127.0.0.1:3000; + } + ##### Process content stop ################################################# + + ##### Cache js css static content and open files start ##################### + # include /etc/nginx/nginx-snippets/cache-open-files.conf; + # include /etc/nginx/nginx-snippets/cache-statics.conf; + # include /etc/nginx/nginx-snippets/cache-js-css.conf; + ##### Cache js css static content and open files stop ###################### +} +##### Process 
https stop ####################################################### diff --git a/hostfiles/gitea.80.conf b/hostfiles/gitea.80.conf new file mode 100644 index 0000000..e9b21eb --- /dev/null +++ b/hostfiles/gitea.80.conf 
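Review bot: `listen 443 ssl http2;` is paired with every `ssl_certificate`/`ssl_certificate_key` line commented out, and neither nginxconf/nginx.conf in this commit nor any snippet visible here defines a certificate at the http level, so this vhost should fail `nginx -t` with a "no ssl_certificate is defined" error until those two lines are uncommented; either leave them active with the DOMAIN placeholder or say so in the SSL header comment. `Strict-Transport-Security` is also left commented even though the port-80 server already redirects unconditionally to https, so HSTS is the one header here that can be enabled without site-specific tuning. If both `X-Frame-Options DENY` and `X-Frame-Options SAMEORIGIN` are uncommented nginx sends both headers, so a comment such as `# pick ONE of the two X-Frame-Options lines` would help. The same points apply to hostfiles/wordpress.443.conf and hostfiles/zabbix.443.conf.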
@@ -0,0 +1,52 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + server_tokens off; + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop ############################# + + ##### Optional disable gzip start ########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + # include /etc/nginx/nginx-snippets/log-exclude.conf; + location = /.env { access_log off; log_not_found off; } + location = /favicon.ico { access_log off; log_not_found off; } + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Process content start ################################################ + location / { + # include /etc/nginx/nginx-snippets/proxyheader.conf; + # proxy_set_header Host $host; # May fix som proxy issues + # proxy_ssl_verify off; # Disable cert check with internal proxy + proxy_pass http://127.0.0.1:3000; + } + ##### Process 
content stop ################################################# + + ##### Cache js css static content and open files start ##################### + # include /etc/nginx/nginx-snippets/cache-open-files.conf; + # include /etc/nginx/nginx-snippets/cache-statics.conf; + # include /etc/nginx/nginx-snippets/cache-js-css.conf; + ##### Cache js css static content and open files stop ###################### +} +##### Process http stop ######################################################## diff --git a/hostfiles/wordpress.443.conf b/hostfiles/wordpress.443.conf new file mode 100644 index 0000000..4eb1565 --- /dev/null +++ b/hostfiles/wordpress.443.conf 
@@ -0,0 +1,98 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + return 301 https://DOMAIN$request_uri; + server_tokens off; +} +##### Process http stop ######################################################## + +##### Process https start ###################################################### +server { + listen 443 ssl http2; + server_name DOMAIN; + server_tokens off; + root /var/www/html/DOMAIN; + index index.php index.html; + + ##### SSL configuration start ############################################## + # ssl_protocols TLSv1.2 TLSv1.3; + # ssl_ciphers EECDH+AESGCM:EDH+AESGCM; + # ssl_prefer_server_ciphers off; + # ssl_stapling on; + # ssl_stapling_verify on; + # resolver 8.8.4.4 8.8.8.8; + # resolver_timeout 5s; + # ssl_session_timeout 1d; + # ssl_session_tickets off; + # ssl_session_cache shared:SSL:10m; + # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; + # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; + # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; + ##### SSL configuration stop ############################################### + + ##### XSS headers start #################################################### + # add_header X-Frame-Options DENY; + # add_header X-Frame-Options SAMEORIGIN; + # add_header X-Content-Type-Options nosniff; + # add_header X-XSS-Protection "1; mode=block"; + # add_header Permissions-Policy interest-cohort=(); + # add_header Content-Security-Policy "default-src 'self'"; + # add_header Referrer-Policy strict-origin-when-cross-origin; + # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + ##### XSS headers stop ##################################################### + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop 
############################# + + ##### Optional disable gzip start ########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + include /etc/nginx/nginx-snippets/log-exclude.conf; + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Process content start ################################################ + location / { + try_files $uri $uri/ /index.php$is_args$args; + } + ##### Process content stop ################################################# + + ##### Wordpress Hardeing start ############################################# + include /etc/nginx/includes/wp-hardening.conf; + ##### Wordpress Hardeing stop ############################################## + + ##### Process php start #################################################### + location ~ \.php$ { + # include /etc/nginx/nginx-snippets/proxyheader.conf; + include snippets/fastcgi-php.conf; + fastcgi_pass unix:/var/run/php/PHPVERSION.sock; + include /etc/nginx/nginx-snippets/microcache.conf; + } + ##### Process php stop 
##################################################### + + ##### Cache js css static content and open files start ##################### + # include /etc/nginx/nginx-snippets/cache-open-files.conf; + # include /etc/nginx/nginx-snippets/cache-statics.conf; + # include /etc/nginx/nginx-snippets/cache-js-css.conf; + ##### Cache js css static content and open files stop ###################### +} +##### Process https stop ####################################################### diff --git a/hostfiles/wordpress.80.conf b/hostfiles/wordpress.80.conf new file mode 100644 index 0000000..2246f5c --- /dev/null +++ b/hostfiles/wordpress.80.conf 
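Review bot: `include /etc/nginx/includes/wp-hardening.conf;` points at a directory nothing in this commit populates — wp-hardening.conf is added at the repository root next to the other snippets that these hostfiles include from `/etc/nginx/nginx-snippets/` — so nginx refuses to load the vhost on a missing include; the line should read `include /etc/nginx/nginx-snippets/wp-hardening.conf;`. Separately, `set $skip_cache 0;` is unconditional and nothing afterwards ever sets it to 1, so the microcache.conf included in the php location caches every 200/301/302 for 30s, including pages rendered for logged-in users and wp-admin, and can hand one visitor's personalised page to the next; the "Enable fastcgi cache" block needs the usual bypass rules shown below (an illustrative, constructed set). Both points also apply to hostfiles/wordpress.80.conf.
```nginx
    set $skip_cache 0;
    # do not serve or store cached pages for state-changing or personalised requests
    if ($request_method = POST) { set $skip_cache 1; }
    if ($query_string != "") { set $skip_cache 1; }
    if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*\.php|/feed/|index\.php|sitemap(_index)?\.xml") { set $skip_cache 1; }
    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") { set $skip_cache 1; }
    # … unchanged: Process content / Wordpress Hardening / Process php sections …
```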
@@ -0,0 +1,62 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + server_tokens off; + root /var/www/html/DOMAIN; + index index.php index.html; + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop ############################# + + ##### Optional disable gzip start ########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + include /etc/nginx/nginx-snippets/log-exclude.conf; + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Process content start ################################################ + location / { + try_files $uri $uri/ /index.php$is_args$args; + } + ##### Process content stop ################################################# + + ##### Wordpress Hardeing start ############################################# + include /etc/nginx/includes/wp-hardening.conf; + ##### Wordpress Hardeing stop 
############################################## + + ##### Process php start #################################################### + location ~ \.php$ { + # include /etc/nginx/nginx-snippets/proxyheader.conf; + include snippets/fastcgi-php.conf; + fastcgi_pass unix:/var/run/php/PHPVERSION.sock; + include /etc/nginx/nginx-snippets/microcache.conf; + } + ##### Process php stop ##################################################### + + ##### Cache js css static content and open files start ##################### + # include /etc/nginx/nginx-snippets/cache-open-files.conf; + # include /etc/nginx/nginx-snippets/cache-statics.conf; + # include /etc/nginx/nginx-snippets/cache-js-css.conf; + ##### Cache js css static content and open files stop ###################### +} +##### Process http stop ######################################################## diff --git a/hostfiles/zabbix.443.conf b/hostfiles/zabbix.443.conf new file mode 100644 index 0000000..028eea6 --- /dev/null +++ b/hostfiles/zabbix.443.conf 
@@ -0,0 +1,122 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + return 301 https://DOMAIN$request_uri; + server_tokens off; +} +##### Process http stop ######################################################## + +##### Process https start ###################################################### +server { + listen 443 ssl http2; + server_name DOMAIN; + server_tokens off; + root /usr/share/zabbix; + index index.php; + + ##### SSL configuration start ############################################## + # ssl_protocols TLSv1.2 TLSv1.3; + # ssl_ciphers EECDH+AESGCM:EDH+AESGCM; + # ssl_prefer_server_ciphers off; + # ssl_stapling on; + # ssl_stapling_verify on; + # resolver 8.8.4.4 8.8.8.8; + # resolver_timeout 5s; + # ssl_session_timeout 1d; + # ssl_session_tickets off; + # ssl_session_cache shared:SSL:10m; + # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; + # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; + # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; + ##### SSL configuration stop ############################################### + + ##### XSS headers start #################################################### + # add_header X-Frame-Options DENY; + # add_header X-Frame-Options SAMEORIGIN; + # add_header X-Content-Type-Options nosniff; + # add_header X-XSS-Protection "1; mode=block"; + # add_header Permissions-Policy interest-cohort=(); + # add_header Content-Security-Policy "default-src 'self'"; + # add_header Referrer-Policy strict-origin-when-cross-origin; + # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + ##### XSS headers stop ##################################################### + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop ############################# + + ##### 
Optional disable gzip start ########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + include /etc/nginx/nginx-snippets/log-exclude.conf; + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Misc content start ################################################### + location / { + + try_files $uri $uri/ =404; + } + + location /assets { + access_log off; + expires 10d; + } + + location ~ /(api\/|conf[^\.]|include|locale) { + deny all; + return 404; + } + ##### Misc content stop #################################################### + + ##### Process php ########################################################## + location ~ [^/]\.php(/|$) { + fastcgi_pass unix:/var/run/php/zabbix.sock; + + fastcgi_param DOCUMENT_ROOT /usr/share/zabbix; + fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name; + fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name; + + include fastcgi_params; + fastcgi_param QUERY_STRING $query_string; + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param CONTENT_TYPE 
$content_type; + fastcgi_param CONTENT_LENGTH $content_length; + + fastcgi_intercept_errors on; + fastcgi_ignore_client_abort off; + fastcgi_connect_timeout 60; + fastcgi_send_timeout 180; + fastcgi_read_timeout 180; + fastcgi_buffer_size 128k; + fastcgi_buffers 4 256k; + fastcgi_busy_buffers_size 256k; + fastcgi_temp_file_write_size 256k; + } + ##### Process php ########################################################## + + ##### Cache js css and all statics start ################################### + # include /etc/nginx/nginx-snippets/cache-open-files.conf; + # include /etc/nginx/nginx-snippets/cache-statics.conf; + # include /etc/nginx/nginx-snippets/cache-js-css.conf; + ##### Cache js css and all statics stop #################################### +} +##### Process https start ###################################################### diff --git a/hostfiles/zabbix.80.conf b/hostfiles/zabbix.80.conf new file mode 100644 index 0000000..af6db7e --- /dev/null +++ b/hostfiles/zabbix.80.conf 
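Review bot: The php location hands `/usr/share/zabbix$fastcgi_script_name` to PHP-FPM with no `try_files $uri =404;` and no `fastcgi_split_path_info`, so whether a requested script actually exists is left to PHP-FPM's `cgi.fix_pathinfo` handling instead of being decided in nginx; adding `try_files $uri =404;` as the first line of `location ~ [^/]\.php(/|$)` keeps that check local. In `location ~ /(api\/|conf[^\.]|include|locale)` the `return 404;` runs in the rewrite phase, before `deny all;` is ever evaluated, so the deny is dead code and the 404 is the effective response — acceptable, but only one of the two is needed and a comment should say which is intended. The closing line reads `##### Process https start` where every other hostfile ends with `... stop`. All three points also apply to hostfiles/zabbix.80.conf, whose last line likewise says `Process http start`.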
@@ -0,0 +1,86 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + server_tokens off; + root /usr/share/zabbix; + index index.php; + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop ############################# + + ##### Optional disable gzip start ########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + include /etc/nginx/nginx-snippets/log-exclude.conf; + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Misc content start ################################################### + location / { + + try_files $uri $uri/ =404; + } + + location /assets { + access_log off; + expires 10d; + } + + location ~ /(api\/|conf[^\.]|include|locale) { + deny all; + return 404; + } + ##### Misc content stop #################################################### + + ##### Process php 
########################################################## + location ~ [^/]\.php(/|$) { + fastcgi_pass unix:/var/run/php/zabbix.sock; + + fastcgi_param DOCUMENT_ROOT /usr/share/zabbix; + fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name; + fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name; + + include fastcgi_params; + fastcgi_param QUERY_STRING $query_string; + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param CONTENT_TYPE $content_type; + fastcgi_param CONTENT_LENGTH $content_length; + + fastcgi_intercept_errors on; + fastcgi_ignore_client_abort off; + fastcgi_connect_timeout 60; + fastcgi_send_timeout 180; + fastcgi_read_timeout 180; + fastcgi_buffer_size 128k; + fastcgi_buffers 4 256k; + fastcgi_busy_buffers_size 256k; + fastcgi_temp_file_write_size 256k; + } + ##### Process php ########################################################## + + ##### Cache js css and all statics start ################################### + # include /etc/nginx/nginx-snippets/cache-open-files.conf; + # include /etc/nginx/nginx-snippets/cache-statics.conf; + # include /etc/nginx/nginx-snippets/cache-js-css.conf; + ##### Cache js css and all statics stop #################################### +} +##### Process http start ####################################################### diff --git a/log-exclude.conf b/log-exclude.conf new file mode 100644 index 0000000..9a6ba21 --- /dev/null +++ b/log-exclude.conf @@ -0,0 +1,3 @@ +location = /.env { access_log off; log_not_found off; } +location = /favicon.ico { access_log off; log_not_found off; } +location = /robots.txt { access_log off; log_not_found off; } diff --git a/log.conf b/log.conf new file mode 100644 index 0000000..b39aeb0 --- /dev/null +++ b/log.conf @@ -0,0 +1 @@ +log_format main '[$time_local] [Cache:$upstream_cache_status] [$host] [Remote_Addr: $remote_addr] - $remote_user - $server_name to: $upstream_addr: "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '; 
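Review bot: `location = /.env { access_log off; log_not_found off; }` switches logging off but adds no `return`, so the request is still served from the vhost's `root`; because an exact-match location takes precedence over regex locations, whatever dot-file deny rule block-file-access.conf may contain (not visible in this chunk) would not apply to it, and a stray `/var/www/html/DOMAIN/.env` would be served silently. Making the intent explicit with `location = /.env { access_log off; log_not_found off; return 404; }` (or 444) removes that dependency. From a detection standpoint, requests for `/.env` are a high-signal indicator of scanning, so it may be preferable to keep them in the access log and only silence `/favicon.ico` and `/robots.txt`. The inline copies of this location in the gitea hostfiles have the same shape.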
diff --git a/microcache.conf b/microcache.conf
new file mode 100644
index 0000000..1be3c07
--- /dev/null
+++ b/microcache.conf
@@ -0,0 +1,13 @@
+fastcgi_hide_header X-Powered-By;
+fastcgi_cache microcache;
+fastcgi_cache_key $scheme$host$request_uri$request_method;
+fastcgi_cache_valid 200 301 302 30s;
+fastcgi_cache_use_stale updating error timeout invalid_header http_500;
+fastcgi_pass_header Set-Cookie;
+fastcgi_pass_header Cookie;
+fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+fastcgi_buffers 16 256k;
+fastcgi_buffer_size 128k;
+fastcgi_intercept_errors on;
+fastcgi_cache_bypass $skip_cache;
+fastcgi_no_cache $skip_cache;
diff --git a/nginxconf/default b/nginxconf/default
new file mode 100644
index 0000000..aa8c2bd
--- /dev/null
+++ b/nginxconf/default
@@ -0,0 +1,18 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_tokens off;
+ root /var/www/html/default;
+ index index.html index.htm;
+ server_name _;
+
+ access_log /var/log/nginx/direct.ip.access.log main;
+ error_log /var/log/nginx/direct.ip.access.error.log crit;
+ access_log on;
+ log_not_found off;
+
+ location / {
+ return 444;
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/nginxconf/nginx.conf b/nginxconf/nginx.conf
new file mode 100644
index 0000000..da2f667
--- /dev/null
+++ b/nginxconf/nginx.conf
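Review bot: `fastcgi_ignore_headers Cache-Control Expires Set-Cookie;` combined with `fastcgi_pass_header Set-Cookie;` makes nginx store responses that carry Set-Cookie and replay them, cookie included, to other clients for the 30s in `fastcgi_cache_valid`; since the hostfiles only ever set `$skip_cache` to 0, a session cookie issued to one visitor can be delivered to the next. Dropping `Set-Cookie` from `fastcgi_ignore_headers` restores nginx's default of not caching such responses, and `fastcgi_pass_header Cookie;` is a no-op worth removing because Cookie is a request header, not a response header. A header comment stating that the including vhost must compute `$skip_cache` (otherwise `fastcgi_cache_bypass`/`fastcgi_no_cache` never fire) would make the contract visible.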
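Review bot: `access_log on;` in the catch-all server is not a recognised switch — `access_log` takes a path (or `syslog:`) or the word `off`, so as far as I can tell this opens a second access log literally named `on`, resolved relative to the nginx prefix directory, in addition to `direct.ip.access.log`; drop the line. `try_files $uri $uri/ =404;` after `return 444;` is unreachable. The catch-all only covers port 80: with no `listen 443 ssl default_server` anywhere in the commit, a direct-IP TLS request is answered by whichever 443 vhost nginx loads first rather than dropped, which partly defeats the purpose of this file. The same `access_log on;` line appears in nginxconf/nginx.conf and nginxconf/nginx.conf.high.perf.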
@@ -0,0 +1,98 @@ +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 1024; + use epoll; + multi_accept on; +} + +http { + ##### BASIC SETTINGS ####################### LAST UPDATED 08022021 ##### + # + port_in_redirect off; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + keepalive_requests 100; + types_hash_max_size 2048; + server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + client_body_buffer_size 10K; + client_header_buffer_size 4k; + client_max_body_size 50m; + large_client_header_buffers 2 4k; + client_body_timeout 10; + client_header_timeout 10; + send_timeout 2; + reset_timedout_connection on; + # + ##### BASIC SETTINGS ####################### LAST UPDATED 08022021 ##### + + ##### SSL SETTINGS ######################### LAST UPDATED 08022021 ##### + # + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + # + ##### SSL SETTINGS ######################### LAST UPDATED 08022021 ##### + + ##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 ##### + include /etc/nginx/nginx-snippets/cloudflare.conf; + ##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 ##### + + # BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 ##### + include /etc/nginx/nginx-snippets/block-referer.conf; + include /etc/nginx/nginx-snippets/block-bots.conf; + # BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 ##### + + ##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 ##### + include /etc/nginx/nginx-snippets/log.conf; + access_log /var/log/nginx/access.log main; + error_log /var/log/nginx/error.log crit; + access_log on; + log_not_found off; + # + ##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 ##### + + ##### GZIP SETTINGS ######################## LAST UPDATED 
08022021 ##### + # + include /etc/nginx/nginx-snippets/gzipconfig.conf; + # + ##### GZIP SETTINGS ######################## LAST UPDATED 08022021 ##### + + ##### CACHE SETTINGS ####################### LAST UPDATED 08022021 ##### + # + # open_file_cache max=10000 inactive=20s; + # open_file_cache_valid 30s; + # open_file_cache_min_uses 2; + # open_file_cache_errors on; + # + ##### CACHE SETTINGS ####################### LAST UPDATED 08022021 ##### + + ##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 ##### + # + upstream php-fpm { + server unix:/var/run/php/PHPVERSION.sock; + } + fastcgi_read_timeout 300; + fastcgi_cache_path /var/cache/nginx/fcgi levels=1:2 keys_zone=microcache:10m max_size=1024m inactive=1h; + # + ##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 ##### + + ##### VHOST SETTINGS ####################### LAST UPDATED 08022021 ##### + # + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; + include /etc/nginx/static-sites/*.conf; + # + ##### VHOST SETTINGS ####################### LAST UPDATED 08022021 ##### +} diff --git a/nginxconf/nginx.conf.high.perf b/nginxconf/nginx.conf.high.perf new file mode 100644 index 0000000..fe860da --- /dev/null +++ b/nginxconf/nginx.conf.high.perf 
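Review bot: `error_log /var/log/nginx/error.log crit;` suppresses `error`-level entries, which is where nginx reports `access forbidden by rule` for the `deny` rules in the snippets, upstream connection failures and certificate/TLS handshake problems; with a configuration that leans on deny rules and 444 drops, `error` (or `warn`) is the level that keeps those events observable, and the section title "ONLY LOG CRITICAL MSG" should state that this trade-off is deliberate if it stays. `ssl_prefer_server_ciphers on;` contradicts the `# ssl_prefer_server_ciphers off;` template line in every 443 hostfile and is not accompanied by an `ssl_ciphers` list, so the TLS policy should live in one place and the two should agree. The `upstream php-fpm { ... }` block is never referenced — the wordpress hostfiles pass to the socket path directly — so the PHPVERSION placeholder must be substituted twice for no benefit; either use `fastcgi_pass php-fpm;` in the hostfiles or drop the upstream. All three points apply equally to nginxconf/nginx.conf.high.perf.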
@@ -0,0 +1,99 @@
+user www-data;
+worker_processes auto;
+worker_rlimit_nofile 100000;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 8000;
+ use epoll;
+ multi_accept on;
+}
+
+http {
+ ##### BASIC SETTINGS ####################### LAST UPDATED 08022021 #####
+ #
+ port_in_redirect off;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ keepalive_requests 100;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ client_body_buffer_size 10K;
+ client_header_buffer_size 4k;
+ client_max_body_size 50m;
+ large_client_header_buffers 2 4k;
+ client_body_timeout 10;
+ client_header_timeout 10;
+ send_timeout 2;
+ reset_timedout_connection on;
+ #
+ ##### BASIC SETTINGS ####################### LAST UPDATED 08022021 #####
+
+ ##### SSL SETTINGS ######################### LAST UPDATED 08022021 #####
+ #
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ #
+ ##### SSL SETTINGS ######################### LAST UPDATED 08022021 #####
+
+ ##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 #####
+ include /etc/nginx/nginx-snippets/cloudflare.conf;
+ ##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 #####
+
+ # BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 #####
+ include /etc/nginx/nginx-snippets/block-referer.conf;
+ include /etc/nginx/nginx-snippets/block-bots.conf;
+ # BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 #####
+
+ ##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 #####
+ include /etc/nginx/nginx-snippets/log.conf;
+ access_log /var/log/nginx/access.log main;
+ error_log /var/log/nginx/error.log crit;
+ access_log on;
+ log_not_found off;
+ #
+ ##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 #####
+
+ ##### GZIP SETTINGS 
######################## LAST UPDATED 08022021 #####
+ #
+ include /etc/nginx/nginx-snippets/gzipconfig.conf;
+ #
+ ##### GZIP SETTINGS ######################## LAST UPDATED 08022021 #####
+
+ ##### CACHE SETTINGS ####################### LAST UPDATED 08022021 #####
+ #
+ open_file_cache max=10000 inactive=20s;
+ open_file_cache_valid 30s;
+ open_file_cache_min_uses 2;
+ open_file_cache_errors on;
+ #
+ ##### CACHE SETTINGS ####################### LAST UPDATED 08022021 #####
+
+ ##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 #####
+ #
+ upstream php-fpm {
+ server unix:/var/run/php/PHPVERSION.sock;
+ }
+ fastcgi_read_timeout 300;
+ fastcgi_cache_path /var/cache/nginx/fcgi levels=1:2 keys_zone=microcache:10m max_size=1024m inactive=1h;
+ #
+ ##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 #####
+
+ ##### VHOST SETTINGS ####################### LAST UPDATED 08022021 #####
+ #
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+ include /etc/nginx/static-sites/*.conf;
+ #
+ ##### VHOST SETTINGS ####################### LAST UPDATED 08022021 #####
+}
diff --git a/proxy-params.conf b/proxy-params.conf
new file mode 100644
index 0000000..df75bc5
--- /dev/null
+++ b/proxy-params.conf
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/wp-hardening.conf b/wp-hardening.conf
new file mode 100644
index 0000000..250cfc4
--- /dev/null
+++ b/wp-hardening.conf
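Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to whatever `X-Forwarded-For` the client already sent, so the upstream receives a list whose leading entries are client-controlled and must take the last hop (or the `X-Real-IP` header set from `$remote_addr` on the line above), never the first entry, when it derives the client address. The same caveat applies to `Host $http_host`, which forwards the request's Host header unchanged rather than the configured server name. A header comment would make that contract explicit for the backends this snippet is included in front of: `# X-Forwarded-For may begin with client-supplied values; upstreams should trust only the last hop or X-Real-IP`.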
@@ -0,0 +1,55 @@
+# Wordpress deny xmlrpc start #####################################################################################################
+ location = /xmlrpc.php {
+ deny all;
+ access_log off;
+ log_not_found off;
+ return 444;
+ }
+# Wordpress deny xmlrpc stop ######################################################################################################
+
+# Wordpress deny wp-cron start ####################################################################################################
+ location = /wp-cron.php {
+ deny all;
+ access_log off;
+ log_not_found off;
+ return 444;
+ }
+# Wordpress deny wp-cron stop #####################################################################################################
+
+# Wordpress limit get post start ##################################################################################################
+if ($request_method !~ ^(GET|POST)$ ) {
+ return 444;
+}
+# Wordpress limit get post stop ###################################################################################################
+
+# Wordpress deny php files where they dont belong start ###########################################################################
+location ~* /(?:uploads|files|wp-content|wp-includes)/.*.php$ {
+ deny all;
+ access_log off;
+ log_not_found off;
+ return 444;
+}
+# Wordpress deny php files where they dont belong stop ############################################################################
+
+# Wordpress limit request pr. 
sec here its 5 req/sec start ########################################################################
+location = /wp-login.php {
+ limit_req zone=wp-rate-limit burst=3 nodelay;
+ limit_req_status 444;
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/PHPVERSION.sock;
+}
+# NOTE: The above requires the following file to exist:
+# /etc/nginx/conf.d/wp-rate-limit.conf with the following content:
+# limit_req_zone $binary_remote_addr zone=wp-rate-limit:10m rate=10r/s;
+# Wordpress limit request pr. sec here its 5 req/sec stop #########################################################################
+
+# Wordpress deny access to the following files in upload directory start ##########################################################
+location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
+ deny all;
+}
+# Wordpress deny access to the following files in upload directory stop ###########################################################
+
+# Wordpress dont cache certain pages start ########################################################################################
+if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") { set $skip_cache 1; }
+if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") { set $skip_cache 1; }
+# Wordpress dont cache certain pages stop #########################################################################################
diff --git a/wp-rate-limit.conf b/wp-rate-limit.conf
new file mode 100644
index 0000000..97d3d4e
--- /dev/null
+++ b/wp-rate-limit.conf
@@ -0,0 +1 @@
+limit_req_zone $binary_remote_addr zone=wp-rate-limit:10m rate=10r/s;
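Review bot: The comments around the `/wp-login.php` block contradict the zone this commit ships: the header says `5 req/sec` and the NOTE points at `/etc/nginx/conf.d/wp-rate-limit.conf`, while `wp-rate-limit.conf` in the next hunk declares `rate=10r/s` at the repository root, and as far as this chunk shows neither nginx.conf variant includes that path (a missing `limit_req_zone` makes `nginx -t` fail with an unknown zone, so the mismatch at least fails loudly). Aligning the header with the zone, e.g. `# Wordpress limit requests per IP (zone wp-rate-limit, 10r/s, burst 3) start`, and pointing the NOTE at the snippet path or the required copy step would resolve it. Separately, the two deny regexes use an unescaped dot before the extension (`.*.php$` and `.*.(html|htm|shtml|php|js|swf)$`); `\.php$` and `\.(html|htm|shtml|php|js|swf)$` state the intent, and the current form only over-matches, so it is not a bypass. The two `if` lines at the end only ever set `$skip_cache` to 1, so the including vhost has to initialize it with `set $skip_cache 0;` before the fastcgi cache directives read it, or nginx logs an uninitialized-variable warning; a one-line comment above them would make that requirement explicit. Finally, in the three `deny all; … return 444;` locations the `return` runs in the rewrite phase before the access phase, so `deny all` never executes there; it is harmless but dead, and a reader should not expect the 403 path to be what fires.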
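Review bot: The zone is keyed on `$binary_remote_addr`, which is the address of the immediate TCP peer; on a host fronted by Cloudflare (both nginx.conf variants include `nginx-snippets/cloudflare.conf` under "SHOW REAL IPs", presumably realip rules, though that file is not in this chunk) the key is only per-client if those rules actually rewrite `$remote_addr`, otherwise every visitor arriving through the same edge address shares one 10r/s budget. Worth stating next to the directive: `# keyed on the peer address; relies on the realip/cloudflare snippet when behind a CDN`.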