From ec9dcadf58b3c3cfd75d18ca0b4a0dd948372e9d Mon Sep 17 00:00:00 2001 
From: allan Date: Sun, 2 Nov 2025 11:49:39 +0100 Subject: [PATCH] initial commit --- LICENSE | 21 ++++++ README.md | 40 +++++++++++ block-bots.conf | 15 ++++ block-engines.conf | 1 + block-file-access.conf | 8 +++ block-htaccess.conf | 4 ++ block-referer.conf | 32 +++++++++ cache-js-css.conf | 4 ++ cache-open-files.conf | 4 ++ cache-statics.conf | 6 ++ cloudflare.conf | 27 ++++++++ custom-errors.conf | 20 ++++++ errorpages/custom_400.html | 44 ++++++++++++ errorpages/custom_401.html | 44 ++++++++++++ errorpages/custom_402.html | 44 ++++++++++++ errorpages/custom_403.html | 44 ++++++++++++ errorpages/custom_404.html | 44 ++++++++++++ errorpages/custom_500.html | 44 ++++++++++++ errorpages/custom_501.html | 44 ++++++++++++ errorpages/custom_502.html | 44 ++++++++++++ errorpages/custom_503.html | 44 ++++++++++++ errorpages/custom_504.html | 44 ++++++++++++ errorpages/logo.png | Bin 0 -> 3214 bytes errorpages/style.css | 37 ++++++++++ gzipconfig.conf | 9 +++ hostfiles/README.md | 39 +++++++++++ hostfiles/dokuwiki.443.conf | 117 +++++++++++++++++++++++++++++++ hostfiles/dokuwiki.80.conf | 81 ++++++++++++++++++++++ hostfiles/example.443.conf | 94 +++++++++++++++++++++++++ hostfiles/example.80.conf | 58 ++++++++++++++++ hostfiles/gitea-multi.443.conf | 88 ++++++++++++++++++++++++ hostfiles/gitea-multi.80.conf | 52 ++++++++++++++ hostfiles/gitea.443.conf | 88 ++++++++++++++++++++++++ hostfiles/gitea.80.conf | 52 ++++++++++++++ hostfiles/wordpress.443.conf | 98 ++++++++++++++++++++++++++ hostfiles/wordpress.80.conf | 62 +++++++++++++++++ hostfiles/zabbix.443.conf | 122 +++++++++++++++++++++++++++++++++ hostfiles/zabbix.80.conf | 86 +++++++++++++++++++++++ log-exclude.conf | 3 + log.conf | 1 + microcache.conf | 13 ++++ nginxconf/default | 18 +++++ nginxconf/nginx.conf | 98 ++++++++++++++++++++++++++ nginxconf/nginx.conf.high.perf | 99 ++++++++++++++++++++++++++ proxy-params.conf | 4 ++ wp-hardening.conf | 55 +++++++++++++++ wp-rate-limit.conf | 1 + 47 files changed, 1997 
insertions(+) create mode 100644 LICENSE create mode 100644 README.md create mode 100644 block-bots.conf create mode 100644 block-engines.conf create mode 100644 block-file-access.conf create mode 100644 block-htaccess.conf create mode 100644 block-referer.conf create mode 100644 cache-js-css.conf create mode 100644 cache-open-files.conf create mode 100644 cache-statics.conf create mode 100644 cloudflare.conf create mode 100644 custom-errors.conf create mode 100644 errorpages/custom_400.html create mode 100644 errorpages/custom_401.html create mode 100644 errorpages/custom_402.html create mode 100644 errorpages/custom_403.html create mode 100644 errorpages/custom_404.html create mode 100644 errorpages/custom_500.html create mode 100644 errorpages/custom_501.html create mode 100644 errorpages/custom_502.html create mode 100644 errorpages/custom_503.html create mode 100644 errorpages/custom_504.html create mode 100644 errorpages/logo.png create mode 100644 errorpages/style.css create mode 100644 gzipconfig.conf create mode 100644 hostfiles/README.md create mode 100644 hostfiles/dokuwiki.443.conf create mode 100644 hostfiles/dokuwiki.80.conf create mode 100644 hostfiles/example.443.conf create mode 100644 hostfiles/example.80.conf create mode 100644 hostfiles/gitea-multi.443.conf create mode 100644 hostfiles/gitea-multi.80.conf create mode 100644 hostfiles/gitea.443.conf create mode 100644 hostfiles/gitea.80.conf create mode 100644 hostfiles/wordpress.443.conf create mode 100644 hostfiles/wordpress.80.conf create mode 100644 hostfiles/zabbix.443.conf create mode 100644 hostfiles/zabbix.80.conf create mode 100644 log-exclude.conf create mode 100644 log.conf create mode 100644 microcache.conf create mode 100644 nginxconf/default create mode 100644 nginxconf/nginx.conf create mode 100644 nginxconf/nginx.conf.high.perf create mode 100644 proxy-params.conf create mode 100644 wp-hardening.conf create mode 100644 wp-rate-limit.conf 
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..3eaaa81
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Allan Christensen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..bf665da
--- /dev/null
+++ b/README.md
@@ -0,0 +1,40 @@
+# Nginx Snippets for Ubuntu 24.04 Server
+[![OS](https://img.shields.io/badge/ubuntu-24.04-E95420)](#)
+[![Shell](https://img.shields.io/badge/shell-bash-121011)](#)
+[![WebServer](https://img.shields.io/badge/server-nginx-009639)](#)
+[![PHP](https://img.shields.io/badge/php-fpm-777BB4)](#)
+[![License](https://img.shields.io/badge/License-MIT-green)](./LICENSE)
+
+Reusable and modular configuration snippets for use with Nginx on Ubuntu 24.04 Server.
+
+### Prerequisites
+Nginx must be installed and running before using these snippets.
+
+### Download the Snippets
+Clone the repository directly into your Nginx configuration directory:
+
+```
+git clone https://git.x-files.dk/webserver/nginx-snippets.git /etc/nginx/nginx-snippets
+```
+
+### Usage
+An example configuration file can be found [here](https://git.x-files.dk/webserver/nginx-snippets/src/branch/main/hostfiles/example.80.conf).
+
+> **NOTE**
+> If you already installed Nginx using the method described [here](https://git.x-files.dk/webserver/nginx-ubuntu), these code snippets are already included by default.
+
+### Post-install
+Nothing to do.
+
+---
+
+### More Information
+
+More guides and documentation can be found on [wiki.x-files.dk](https://wiki.x-files.dk)
+
+---
+
+### License
+Licensed under the [MIT License](./LICENSE).
+
+---
diff --git a/block-bots.conf b/block-bots.conf
new file mode 100644
index 0000000..66aae77
--- /dev/null
+++ b/block-bots.conf
@@ -0,0 +1,15 @@
+map $http_user_agent $bad_user_agent {
+
+ default 0;
+
+ "~*backdoor" 1;
+ "~LieBaoFast" 1;
+ "~AhrefsBot" 1;
+ "~DotBot" 1;
+ "~MauiBot" 1;
+ "~MJ12Bot" 1;
+ "~PetalBot" 1;
+ "~PetalBot" 1;
+ "~SEMrushBot" 1;
+ "~UCBrowser" 1;
+}
diff --git a/block-engines.conf b/block-engines.conf
new file mode 100644
index 0000000..d2a7094
--- /dev/null
+++ b/block-engines.conf
@@ -0,0 +1 @@
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
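Review bot: `"~PetalBot" 1;` is listed twice in the `$bad_user_agent` map in block-bots.conf; nginx accepts duplicate regex keys silently, so the second line is dead weight and should go. Every entry except `"~*backdoor"` uses the case-sensitive `~` operator, so a user agent spelled `dotbot` or `mj12bot` is not matched; switching them all to `~*` (e.g. `"~*DotBot" 1;`) makes the list behave the way its names suggest. A one-line header comment stating that this is a best-effort filter for self-identifying crawlers rather than an access control would set expectations for whoever extends it. The map also has to live in the `http` context, which I assume nginxconf/nginx.conf (not in this chunk) takes care of since the hostfiles reference `$bad_user_agent` at server level.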
diff --git a/block-file-access.conf b/block-file-access.conf
new file mode 100644
index 0000000..8aa2e41
--- /dev/null
+++ b/block-file-access.conf
@@ -0,0 +1,8 @@
+location ~ /\.git {
+deny all;
+return 404;
+}
+
+location ~ (\.aws$|\.cgi$|\.env$|\.perl$|\.pl$|\.py$|\.sh$) {
+return 444;
+}
diff --git a/block-htaccess.conf b/block-htaccess.conf
new file mode 100644
index 0000000..dac3eb4
--- /dev/null
+++ b/block-htaccess.conf
@@ -0,0 +1,4 @@
+location ~ /\.ht {
+deny all;
+return 404;
+}
diff --git a/block-referer.conf b/block-referer.conf
new file mode 100644
index 0000000..a386aae
--- /dev/null
+++ b/block-referer.conf
@@ -0,0 +1,32 @@
+map $http_referer $bad_referer {
+ hostnames;
+
+ default 0;
+
+ "~binance.com" 1;
+ "~social-buttons.com" 1;
+ "~semalt.com" 1;
+ "~kambasoft.com" 1;
+ "~savetubevideo.com" 1;
+ "~descargar-musica-gratis.net" 1;
+ "~7makemoneyonline.com" 1;
+ "~baixar-musicas-gratis.com" 1;
+ "~iloveitaly.com" 1;
+ "~ilovevitaly.ru" 1;
+ "~fbdownloader.com" 1;
+ "~econom.co" 1;
+ "~buttons-for-website.com" 1;
+ "~buttons-for-your-website.com" 1;
+ "~srecorder.co" 1;
+ "~darodar.com" 1;
+ "~priceg.com" 1;
+ "~blackhatworth.com" 1;
+ "~adviceforum.info" 1;
+ "~hulfingtonpost.com" 1;
+ "~best-seo-solution.com" 1;
+ "~googlsucks.com" 1;
+ "~theguardlan.com" 1;
+ "~i-x.wiki" 1;
+ "~buy-cheap-online.info" 1;
+ "~Get-Free-Traffic-Now.com" 1;
+}
diff --git a/cache-js-css.conf b/cache-js-css.conf
new file mode 100644
index 0000000..069861c
--- /dev/null
+++ b/cache-js-css.conf
@@ -0,0 +1,4 @@
+location ~* ^.+\.(css|js)$ {
+expires 1y;
+add_header Cache-Control "max-age=31600000, public";
+}
diff --git a/cache-open-files.conf b/cache-open-files.conf
new file mode 100644
index 0000000..97b1fb5
--- /dev/null
+++ b/cache-open-files.conf
@@ -0,0 +1,4 @@
+open_file_cache max=10000 inactive=20s;
+open_file_cache_valid 30s;
+open_file_cache_min_uses 2;
+open_file_cache_errors on;
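Review bot: In block-file-access.conf the second location anchors every pattern with `$`, so `\.env$` catches `/.env` but not `/.env.bak`, `/.env.local` or `/.env.example`, and `\.aws$` never matches `/.aws/credentials` because the path continues past the directory name; adding `location ~ /\.(aws|env)(/|\.|$) { return 444; }` covers those shapes. In the `/\.git` block, `return 404;` is a rewrite-phase directive that finalizes the request before `deny all;` is ever evaluated, so the `deny` line is dead — the same pair appears in block-htaccess.conf — and keeping only `return 404;` states what actually happens. The dokuwiki hostfiles include both snippets at server level and again inside `location /`, which works but repeats the regex checks for nothing.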
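Review bot: The `$bad_referer` map in block-referer.conf matches with the case-sensitive `~` operator and unescaped dots, so `"~Get-Free-Traffic-Now.com"` only fires on that exact capitalisation while `"~econom.co"` also fires on `economico.com` or `myeconom.co.uk`; `hostnames;` does not help here because it only applies to plain, non-regex keys. Since `$http_referer` is a full URL, an entry of the form `"~*^https?://([^/]+\.)?econom\.co(/|:|$)" 1;` matches the intended host and its subdomains and nothing else. The list is a snapshot of referrer-spam domains, so a comment with the date it was last reviewed would tell the next maintainer how far to trust it.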
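Review bot: `add_header Cache-Control "max-age=31600000, public";` in cache-js-css.conf drops every `add_header` inherited from the server block, because nginx only inherits `add_header` into a location that defines none of its own; once the XSS-headers block in the hostfiles is enabled, CSS and JS responses will go out without `X-Content-Type-Options`, `Strict-Transport-Security` and the rest. The same applies to cache-statics.conf and to block-engines.conf whenever it is included inside a location. `expires 1y;` already emits `Cache-Control: max-age=31536000`, so the extra header is a second, contradicting `Cache-Control` (31600000 looks like a typo for 31536000); removing the `add_header` line, or re-including the security headers from a shared snippet in every location that sets headers, fixes both.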
diff --git a/cache-statics.conf b/cache-statics.conf
new file mode 100644
index 0000000..7182915
--- /dev/null
+++ b/cache-statics.conf
@@ -0,0 +1,6 @@
+location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
+expires max;
+add_header Cache-Control "public";
+access_log off;
+log_not_found off;
+}
diff --git a/cloudflare.conf b/cloudflare.conf
new file mode 100644
index 0000000..fd34af2
--- /dev/null
+++ b/cloudflare.conf
@@ -0,0 +1,27 @@
+# - IPv4
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 131.0.72.0/22;
+
+# - IPv6
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
+
+real_ip_header CF-Connecting-IP;
diff --git a/custom-errors.conf b/custom-errors.conf
new file mode 100644
index 0000000..a167dc9
--- /dev/null
+++ b/custom-errors.conf
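Review bot: cloudflare.conf hard-codes Cloudflare's edge ranges for `set_real_ip_from` without saying where they came from, so the list will drift from the published one and traffic from a new range will be logged, rate-limited and referer/bot-checked by the proxy address instead of the visitor's; a header comment such as `# Source: https://www.cloudflare.com/ips-v4 and /ips-v6 — refresh when Cloudflare updates them` makes the maintenance obligation visible. Because `real_ip_header CF-Connecting-IP;` is only honoured for connections from those ranges, the origin should also refuse direct HTTP(S) from anywhere else at the firewall; otherwise a client that reaches the origin directly is seen under its own address and the per-IP controls built on `$remote_addr` do not see the same client the proxy does. A sentence to that effect in the README next to this snippet would be enough.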
@@ -0,0 +1,20 @@
+error_page 400 /errorpages/custom_400.html;
+error_page 401 /errorpages/custom_401.html;
+error_page 403 /errorpages/custom_403.html;
+error_page 404 /errorpages/custom_404.html;
+error_page 500 /errorpages/custom_500.html;
+error_page 502 /errorpages/custom_502.html;
+error_page 503 /errorpages/custom_503.html;
+error_page 504 /errorpages/custom_504.html;
+
+# Serve all HTML, CSS, and image assets from one directory
+location ^~ /errorpages/ {
+ alias /etc/nginx/nginx-snippets/errorpages/;
+ # Restrict to safe static types
+ types {
+ text/html html;
+ text/css css;
+ image/png png;
+ }
+ default_type text/html;
+}
diff --git a/errorpages/custom_400.html b/errorpages/custom_400.html
new file mode 100644
index 0000000..b26a09b
--- /dev/null
+++ b/errorpages/custom_400.html
@@ -0,0 +1,44 @@
+ + + + + + + 400 BAD REQUEST + + + + +
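Review bot: custom-errors.conf wires 400, 401, 403, 404, 500, 502, 503 and 504, but the commit also adds `errorpages/custom_402.html` and `errorpages/custom_501.html`, which nothing references; either add `error_page 402 /errorpages/custom_402.html;` and `error_page 501 /errorpages/custom_501.html;` or drop the two files. The `alias /etc/nginx/nginx-snippets/errorpages/;` line assumes the clone path from the README, so a comment like `# Adjust if the snippets are cloned somewhere other than /etc/nginx/nginx-snippets` would explain why a relocated install silently falls back to nginx's stock error pages.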
+ + + + + + + + + + + + + + + BAD REQUEST + + + + + + + 400 + + + +
+ + + diff --git a/errorpages/custom_401.html b/errorpages/custom_401.html new file mode 100644 index 0000000..9b95128 --- /dev/null +++ b/errorpages/custom_401.html @@ -0,0 +1,44 @@ + + + + + + + 401 UNAUTHORIZED + + + + +
+ + + + + + + + + + + + + + + UNAUTHORIZED + + + + + + + 401 + + + +
+ + + diff --git a/errorpages/custom_402.html b/errorpages/custom_402.html new file mode 100644 index 0000000..7fbfda8 --- /dev/null +++ b/errorpages/custom_402.html @@ -0,0 +1,44 @@ + + + + + + + 402 PAYMENT REQUIRED + + + + +
+ + + + + + + + + + + + + + + PAYMENT REQUIRED + + + + + + + 402 + + + +
+ + + diff --git a/errorpages/custom_403.html b/errorpages/custom_403.html new file mode 100644 index 0000000..142f46b --- /dev/null +++ b/errorpages/custom_403.html @@ -0,0 +1,44 @@ + + + + + + + 403 FORBIDDEN + + + + +
+ + + + + + + + + + + + + + + FORBIDDEN + + + + + + + 403 + + + +
+ + + diff --git a/errorpages/custom_404.html b/errorpages/custom_404.html new file mode 100644 index 0000000..a09258e --- /dev/null +++ b/errorpages/custom_404.html @@ -0,0 +1,44 @@ + + + + + + + 404 NOT FOUND + + + + +
+ + + + + + + + + + + + + + + NOT FOUND + + + + + + + 404 + + + +
+ + + diff --git a/errorpages/custom_500.html b/errorpages/custom_500.html new file mode 100644 index 0000000..329325b --- /dev/null +++ b/errorpages/custom_500.html @@ -0,0 +1,44 @@ + + + + + + + 500 INTERNAL SERVER ERROR + + + + +
+ + + + + + + + + + + + + + + INTERNAL SERVER ERROR + + + + + + + 500 + + + +
+ + + diff --git a/errorpages/custom_501.html b/errorpages/custom_501.html new file mode 100644 index 0000000..4df33bd --- /dev/null +++ b/errorpages/custom_501.html @@ -0,0 +1,44 @@ + + + + + + + 501 NOT IMPLEMENTED + + + + +
+ + + + + + + + + + + + + + + NOT IMPLEMENTED + + + + + + + 501 + + + +
+ + + diff --git a/errorpages/custom_502.html b/errorpages/custom_502.html new file mode 100644 index 0000000..1faccc3 --- /dev/null +++ b/errorpages/custom_502.html @@ -0,0 +1,44 @@ + + + + + + + 502 BAD GATEWAY + + + + +
+ + + + + + + + + + + + + + + BAD GATEWAY + + + + + + + 502 + + + +
+ + + diff --git a/errorpages/custom_503.html b/errorpages/custom_503.html new file mode 100644 index 0000000..9494896 --- /dev/null +++ b/errorpages/custom_503.html @@ -0,0 +1,44 @@ + + + + + + + 503 SERVICE UNAVAILABLE + + + + +
+ + + + + + + + + + + + + + + SERVICE UNAVAILABLE + + + + + + + 503 + + + +
+ + + diff --git a/errorpages/custom_504.html b/errorpages/custom_504.html new file mode 100644 index 0000000..074e5c2 --- /dev/null +++ b/errorpages/custom_504.html @@ -0,0 +1,44 @@ + + + + + + + 504 GATEWAY TIMEOUT + + + + +
+ + + + + + + + + + + + + + + GATEWAY TIMEOUT + + + + + + + 504 + + + +
+ + + 
diff --git a/errorpages/logo.png b/errorpages/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..8e9297bf4d8637c1c785887dcb4767976cb3e18b GIT binary patch literal 3214 zcmV;93~}>`P)~%{!up|8cbKsru-6cCG1S|O`BKICZqU;IWfp(o9zPP`7rehyZZ4U{tO8G4(#@>1VK{|vk{^fO*E1j9p! z!e@9$!iByoa|zSbmF1)<9SvD*n2^w90StgSKCDhmQ*6;xKG!Nb+b5O^M&E!a?O0&& zH`dh%Zn6Nz*PtXqU$$r}pKBF+cTWv|Gs?`@TE6o-R%9pZXviY;^QO9ih1%he;$Z9t ziuC+Us;#Mfu0?dVHw25m)nN?AA;T6U#5Du%Az|ow8~S1A6}a*e%U~4BLm8NxbETiU zJwwq{LvYo%cN>E7dkz`)+wj!~z}Uj<6{nYFwZH(3Jp!6y1j9ak+1xYs?w%R}jOz-( z=urrFAj-PPWO-VLOZ!aQsLr1q`m#z>Uqz>>0}b0o$Mc6A2#6{P(9J^c5ES3Yhc|B# zR3AD8QL-amn)PLirhr_30$1)fzH?~pIL%Y?IzK%8 z>(P*@2IuRKMv5%BGG|*;`US-%O~KSiU?_RS;M#^lK&BYn_+Zr4B|=}eJn*PAwZD`1 z1S-y_Bl~H{By@9aOHA*KmA>rm8PiJ83}uw5`&%?GpXhl0P)B(FNL1;ujy!9_KZ}FD zEYnm&sbCbyzcsI`%ENdW7Uc_rBsVLPbETj0{JCMAeNL&MSbD4;&FH|MykKzcsSc_` zLL7fQY5Gb9O>toKb|b2)S4Zj{RJ#ft>8w%-Z&t-JeI;+&7K^mFvMa1}(UGwZs&|Nv zY|h41=xEvcilP});{c;THfdfr#zFtw{M|U;N}1>@jyj>Ly&0ZC=ESOTP7^V(4rnQLqNI5?UdVFHM5IdW~q<=Q5d z%~D(ri$g<>u27mv1AUFvyzVmx)k;-Ij<1-+=k(E+F5T~N47|wt+LgYjz&#@k^ragw zY%>95c-U2^l4&Y&`f@zK3e|l`M>adCIuHyRcU3w~B}!j;mCaMFdHGuo@H#5#S4U1u zDNVJOH5qSUnPhP7Yfji@^Ha?m&P*XqwFqb^TQXj8IZIcW1ia!Dd|^5=A#DDY7Ml7x zHdU5nJdJiF!0DQoZwOr3(E~_}K~3U$X`!j!A@oF(@$~kOvkdw@t}l#bJ#Fwivs2)K z_ZvblYc6qV@9L?2fT)oT?`z%G-Ptwrx~-zjd&Ynv^fb_y@cd!uC$M)pu(o%!_hAh% zo)=$koALRQ6M{0*lvWa3x#=r_dFWT8J(+i9cW*!jP7Ka=J}18X`0Su*Y-ieND#={p z%nfZtL8p!QuaPTR4clz{b;){=G1WhOHFm-B#8wi0WxLkMFWTn&%_kLY`QgI_hUvMt_j`mJR@JU903#Yr z*#pCB5?dtt%66@(YTrKJZz>K(Xj$EC6!LN9%f-&rZ=t($t3H?nkulY znlbC3bfZ=`AZO{Os{HT9XUjxWJsxLbNZqwUCj`lKO%rv!RWkbCa!$UY8p^x z=_cvdjb3F5jKq`J`lK&InhL4vK0`3p_5}u|OiRlw-6V4(zO#xUHFGM3rixZ_WxH~6 zr=B%cKvm0t87AKWaJAKD{BqeF8NY7yYD-|Wq#?aCb3>bSvYmm6X5jgAfd>qK>NZ?? 
znKeLS(2RyO=h_Yc#_Z5VFkzVw1&kkPz4BnBDNA6iGJJnIU_r5u&oQAXi(r(aB)}FJ zb3@IjGQ4v+u6!O_$=3deV=lL-8Ph71rj~_!hN&^M&e4o-3B!><>w)hcY%~@68TT1l zQ$6wtFcDXNWVIY2oYOZQHH|E)+*NTj<@u9Cr*B5Y(MRX#f)RD((W$_Hi9Tp}jesix zSALputr!-@rhXmKfeu1%{P84)f=x%YX{wI6-gcnbffYSRmuZnOoN@swYI|e})1?>U z$~%%An>P*kdkLTbv;o&UaCfWe-c_#FQsOD zcR1tlZeV6i?2<)w)!Bq9#D53XAz@n|1(t`Q%E(5AAIXFg_qt*|#2QUZ+e82X7`oDT zx&kf({t)8}NQ>lv0_2Dp+M&PKFfY2UB9&YcQQ8@Sk+2^zk3Fl`t zqC(tt2|q#?@MPT4froFgx+|uW;marIvus4rd_`Uye8n4G#`@v9}wAi`cMIw3;+NC07*qoM6N<$f{P#O AyZ`_I literal 0 HcmV?d00001 diff --git a/errorpages/style.css b/errorpages/style.css new file mode 100644 index 0000000..1399391 --- /dev/null +++ b/errorpages/style.css @@ -0,0 +1,37 @@ +/* +# +# Full height page, flexbox centers the SVG horizontally and vertically. +# +*/ +html, body { + height: 100%; + margin: 0; + background: #fff; +} + +body { + display: flex; + justify-content: center; + align-items: center; +} + +/* +# +# Force SVG to act as a block so flexbox can center it properly. +# +*/ +svg { + display: block; +} + +/* +# +# Text style for the arc labels. +# +*/ +svg text { + font-family: Arial, sans-serif; + font-size: 12px; + fill: #d90000; + letter-spacing: 1px; +} diff --git a/gzipconfig.conf b/gzipconfig.conf new file mode 100644 index 0000000..b45e8de --- /dev/null +++ b/gzipconfig.conf @@ -0,0 +1,9 @@ +gzip on; +gzip_disable "msie6"; +gzip_vary on; +gzip_proxied any; +gzip_comp_level 6; +gzip_buffers 16 8k; +gzip_http_version 1.1; +gzip_min_length 256; +gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml; diff --git a/hostfiles/README.md b/hostfiles/README.md new file mode 100644 index 0000000..29af6e1 --- /dev/null +++ b/hostfiles/README.md 
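Review bot: gzipconfig.conf turns on compression for `text/html` (always included) plus `application/json` and the other listed types, and in the hostfiles that covers dynamic PHP output served over TLS, not just static assets; compressing responses that embed per-session secrets next to attacker-influenced input is the precondition for BREACH-style compression side channels. A header comment such as `# Also compresses dynamic PHP/JSON responses; if those carry CSRF tokens or session secrets, consider gzip off in the PHP location` would let operators of the WordPress and DokuWiki hostfiles make the trade-off deliberately. `application/x-javascript` is a legacy type already covered by `application/javascript` and `text/javascript` and can be dropped from `gzip_types`.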
@@ -0,0 +1,39 @@
+# Nginx Hostfile Configuration Guide
+[![OS](https://img.shields.io/badge/ubuntu-24.04-E95420)](#)
+[![Shell](https://img.shields.io/badge/shell-bash-121011)](#)
+[![WebServer](https://img.shields.io/badge/server-nginx-009639)](#)
+[![PHP](https://img.shields.io/badge/php-fpm-777BB4)](#)
+[![License](https://img.shields.io/badge/License-MIT-green)](./LICENSE)
+
+Instructions for adjusting host-specific configuration files included with the **nginx-snippets** collection.
+
+## Configuration Adjustments Required
+
+### Domain
+Replace every occurrence of the variable `DOMAIN` in the configuration file with your actual domain name.
+
+### PHP Socket
+Update the PHP-FPM socket reference to match the version currently installed. For example, change:
+
+```
+PHPVERSION.sock
+```
+
+to something like:
+
+```
+php8.3-fpm.sock
+```
+
+---
+
+### More Information
+
+More guides and documentation can be found on [wiki.x-files.dk](https://wiki.x-files.dk)
+
+---
+
+### License
+Licensed under the [MIT License](./LICENSE).
+
+---
diff --git a/hostfiles/dokuwiki.443.conf b/hostfiles/dokuwiki.443.conf
new file mode 100644
index 0000000..c9dace2
--- /dev/null
+++ b/hostfiles/dokuwiki.443.conf
@@ -0,0 +1,117 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ server_tokens off;
+ return 301 https://DOMAIN$request_uri;
+}
+##### Process http stop ########################################################
+
+##### Process https start ######################################################
+server {
+ listen 443 ssl http2;
+ server_name DOMAIN;
+ server_tokens off;
+ root /var/www/html/DOMAIN;
+ index doku.php;
+
+ ##### SSL configuration start ##############################################
+ # ssl_protocols TLSv1.2 TLSv1.3;
+ # ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ # ssl_prefer_server_ciphers off;
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # resolver 8.8.4.4 8.8.8.8;
+ # resolver_timeout 5s;
+ # ssl_session_timeout 1d;
+ # ssl_session_tickets off;
+ # ssl_session_cache shared:SSL:10m;
+ # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
+ # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ ##### SSL configuration stop ###############################################
+
+ ##### XSS headers start ####################################################
+ # add_header X-Frame-Options DENY;
+ # add_header X-Frame-Options SAMEORIGIN;
+ # add_header X-Content-Type-Options nosniff;
+ # add_header X-XSS-Protection "1; mode=block";
+ # add_header Permissions-Policy interest-cohort=();
+ # add_header Content-Security-Policy "default-src 'self'";
+ # add_header Referrer-Policy strict-origin-when-cross-origin;
+ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ ##### XSS headers stop #####################################################
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginx-snippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginx-snippets/block-engines.conf;
+ include /etc/nginx/nginx-snippets/log-exclude.conf;
+ include /etc/nginx/nginx-snippets/block-htaccess.conf;
+ include /etc/nginx/nginx-snippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ # include /etc/nginx/nginx-snippets/block-engines.conf;
+ include /etc/nginx/nginx-snippets/log-exclude.conf;
+ include /etc/nginx/nginx-snippets/block-file-access.conf;
+ include /etc/nginx/nginx-snippets/block-htaccess.conf;
+ try_files $uri $uri/ @dokuwiki;
+ }
+ ##### Process content stop #################################################
+
+ # Dokuwiki hardening start #################################################
+ # Uncomment these 2 lines containing "location" after dokuwiki is installed
+ # ||
+ # \/
+ # location ~ /(data|conf|bin|inc|vendor)/ { deny all; }
+ # location ~ /install.php { deny all; }
+ # /\
+ # ||
+ # Uncomment these 2 lines containing "location" after dokuwiki is installed
+ # Dokuwiki hardening stop ##################################################
+
+ ##### Dokuwiki specific start ##############################################
+ location @dokuwiki {
+ rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
+ rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
+ rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
+ rewrite ^/(.*) /doku.php?id=$1&$args last;
+ }
+ ##### Dokuwiki specific stop ###############################################
+
+ ##### Process php start ####################################################
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/PHPVERSION.sock;
+ include /etc/nginx/nginx-snippets/microcache.conf;
+ }
+ ##### Process php stop #####################################################
+
+ ##### Cache js css static content and open files start #####################
+ # include /etc/nginx/nginx-snippets/cache-open-files.conf;
+ # include /etc/nginx/nginx-snippets/cache-statics.conf;
+ # include /etc/nginx/nginx-snippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process https stop #######################################################
diff --git a/hostfiles/dokuwiki.80.conf b/hostfiles/dokuwiki.80.conf
new file mode 100644
index 0000000..b455728
--- /dev/null
+++ b/hostfiles/dokuwiki.80.conf
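Review bot: The `listen 443 ssl http2;` server in hostfiles/dokuwiki.443.conf has all of its `ssl_*` directives commented out, so unless `ssl_certificate` and `ssl_certificate_key` are defined at the `http` level in nginxconf/nginx.conf (not in this chunk) `nginx -t` rejects the file; the same applies to hostfiles/example.443.conf, and a comment saying which lines must be uncommented before the test passes would save the first deploy. The hardening `location ~ /(data|conf|bin|inc|vendor)/ { deny all; }` stays commented until after installation, yet as far as I know the installer only needs `install.php` reachable, so enabling that line from the start and leaving only `location ~ /install.php { deny all; }` for later keeps `data/` and `conf/` from being web-readable in the window between deploy and hardening (also in hostfiles/dokuwiki.80.conf). In the XSS-headers block both `X-Frame-Options DENY` and `X-Frame-Options SAMEORIGIN` are offered; a note that exactly one should be uncommented would prevent both being sent.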
@@ -0,0 +1,81 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ server_tokens off;
+ root /var/www/html/DOMAIN;
+ index doku.php;
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginx-snippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginx-snippets/block-engines.conf;
+ include /etc/nginx/nginx-snippets/log-exclude.conf;
+ include /etc/nginx/nginx-snippets/block-htaccess.conf;
+ include /etc/nginx/nginx-snippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ # include /etc/nginx/nginx-snippets/block-engines.conf;
+ include /etc/nginx/nginx-snippets/log-exclude.conf;
+ include /etc/nginx/nginx-snippets/block-file-access.conf;
+ include /etc/nginx/nginx-snippets/block-htaccess.conf;
+ try_files $uri $uri/ @dokuwiki;
+ }
+ ##### Process content stop #################################################
+
+ # Dokuwiki hardening start #################################################
+ # Uncomment these 2 lines containing "location" after dokuwiki is installed
+ # ||
+ # \/
+ # location ~ /(data|conf|bin|inc|vendor)/ { deny all; }
+ # location ~ /install.php { deny all; }
+ # /\
+ # ||
+ # Uncomment these 2 lines containing "location" after dokuwiki is installed
+ # Dokuwiki hardening stop ##################################################
+
+ ##### Dokuwiki specific start ##############################################
+ location @dokuwiki {
+ rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
+ rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
+ rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
+ rewrite ^/(.*) /doku.php?id=$1&$args last;
+ }
+ ##### Dokuwiki specific stop ###############################################
+
+ ##### Process php start ####################################################
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/PHPVERSION.sock;
+ include /etc/nginx/nginx-snippets/microcache.conf;
+ }
+ ##### Process php stop #####################################################
+
+ ##### Cache js css static content and open files start #####################
+ # include /etc/nginx/nginx-snippets/cache-open-files.conf;
+ # include /etc/nginx/nginx-snippets/cache-statics.conf;
+ # include /etc/nginx/nginx-snippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process http stop ########################################################
diff --git a/hostfiles/example.443.conf b/hostfiles/example.443.conf
new file mode 100644
index 0000000..7fba4e5
--- /dev/null
+++ b/hostfiles/example.443.conf
@@ -0,0 +1,94 @@
+##### Process http start #######################################################
+server {
+ listen 80;
+ server_name DOMAIN;
+ return 301 https://DOMAIN$request_uri;
+ server_tokens off;
+}
+##### Process http stop ########################################################
+
+##### Process https start ######################################################
+server {
+ listen 443 ssl http2;
+ server_name DOMAIN;
+ server_tokens off;
+ root /var/www/html/DOMAIN;
+ index index.php index.html;
+
+ ##### SSL configuration start ##############################################
+ # ssl_protocols TLSv1.2 TLSv1.3;
+ # ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ # ssl_prefer_server_ciphers off;
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # resolver 8.8.4.4 8.8.8.8;
+ # resolver_timeout 5s;
+ # ssl_session_timeout 1d;
+ # ssl_session_tickets off;
+ # ssl_session_cache shared:SSL:10m;
+ # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
+ # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
+ ##### SSL configuration stop ###############################################
+
+ ##### XSS headers start ####################################################
+ # add_header X-Frame-Options DENY;
+ # add_header X-Frame-Options SAMEORIGIN;
+ # add_header X-Content-Type-Options nosniff;
+ # add_header X-XSS-Protection "1; mode=block";
+ # add_header Permissions-Policy interest-cohort=();
+ # add_header Content-Security-Policy "default-src 'self'";
+ # add_header Referrer-Policy strict-origin-when-cross-origin;
+ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ ##### XSS headers stop #####################################################
+
+ ##### Optional include custom Error pages start ############################
+ include /etc/nginx/nginx-snippets/custom-errors.conf;
+ ##### Optional include custom Error pages stop #############################
+
+ ##### Optional disable gzip start ##########################################
+ # gzip off;
+ ##### Optional disable gzip stop ###########################################
+
+ ##### Optional disable access log start ####################################
+ # access_log off;
+ ##### Optional disable access log stop #####################################
+
+ ##### Block Bad referers and bad bots start ################################
+ if ($bad_referer) { return 444; }
+ if ($bad_user_agent) { return 444; }
+ ##### Block Bad referers and bad bots stop #################################
+
+ ##### Optional stuff start #################################################
+ # include /etc/nginx/nginx-snippets/block-engines.conf;
+ include /etc/nginx/nginx-snippets/log-exclude.conf;
+ include /etc/nginx/nginx-snippets/block-htaccess.conf;
+ include /etc/nginx/nginx-snippets/block-file-access.conf;
+ ##### Optional stuff stop ##################################################
+
+ ##### Enable fastcgi cache start ###########################################
+ set $skip_cache 0;
+ ##### Enable fastcgi cache stop ############################################
+
+ ##### Process content start ################################################
+ location / {
+ try_files $uri $uri/ /index.php$is_args$args;
+ }
+ ##### Process content stop #################################################
+
+ ##### Process php start ####################################################
+ location ~ \.php$ {
+ # include /etc/nginx/nginx-snippets/proxyheader.conf;
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/PHPVERSION.sock;
+ include /etc/nginx/nginx-snippets/microcache.conf;
+ }
+ ##### Process php stop #####################################################
+
+ ##### Cache js css static content and open files start #####################
+ # include /etc/nginx/nginx-snippets/cache-open-files.conf;
+ # include /etc/nginx/nginx-snippets/cache-statics.conf;
+ # include /etc/nginx/nginx-snippets/cache-js-css.conf;
+ ##### Cache js css static content and open files stop ######################
+}
+##### Process https stop #######################################################
diff --git a/hostfiles/example.80.conf b/hostfiles/example.80.conf
new file mode 100644
index 0000000..82aed36
--- /dev/null
+++ b/hostfiles/example.80.conf
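Review bot: The commented `# include /etc/nginx/nginx-snippets/proxyheader.conf;` inside `location ~ \.php$` in hostfiles/example.443.conf points at a file this commit does not add (the diffstat lists proxy-params.conf), so uncommenting it as written fails `nginx -t`; change it to `# include /etc/nginx/nginx-snippets/proxy-params.conf;` or drop the line (also in hostfiles/example.80.conf). `add_header X-XSS-Protection "1; mode=block";` in the XSS-headers block is a legacy header that current browsers ignore and that older implementations handled in ways that caused their own problems, so the usual recommendation now is to omit it (or send `0`) and rely on the `Content-Security-Policy` line beneath it. In the port-80 redirect server, `server_tokens off;` placed after `return 301` still applies, but putting it before the `return` as dokuwiki.443.conf does avoids the impression that it is unreachable.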
@@ -0,0 +1,58 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + server_tokens off; + root /var/www/html/DOMAIN; + index index.php index.html; + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop ############################# + + ##### Optional disable gzip start ########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + include /etc/nginx/nginx-snippets/log-exclude.conf; + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Process content start ################################################ + location / { + try_files $uri $uri/ /index.php$is_args$args; + } + ##### Process content stop ################################################# + + ##### Process php start #################################################### + location ~ \.php$ { + # include /etc/nginx/nginx-snippets/proxyheader.conf; + include 
snippets/fastcgi-php.conf; + fastcgi_pass unix:/var/run/php/PHPVERSION.sock; + include /etc/nginx/nginx-snippets/microcache.conf; + } + ##### Process php stop ##################################################### + + ##### Cache js css static content and open files start ##################### + # include /etc/nginx/nginx-snippets/cache-open-files.conf; + # include /etc/nginx/nginx-snippets/cache-statics.conf; + # include /etc/nginx/nginx-snippets/cache-js-css.conf; + ##### Cache js css static content and open files stop ###################### +} +##### Process http stop ######################################################## diff --git a/hostfiles/gitea-multi.443.conf b/hostfiles/gitea-multi.443.conf new file mode 100644 index 0000000..dcd4fb1 --- /dev/null +++ b/hostfiles/gitea-multi.443.conf 
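Review bot: `set $skip_cache 0;` is assigned once at server level and nothing ever raises it, so every GET response from the `location ~ \.php$` block goes through the microcache include with no bypass for session cookies, authenticated users or admin paths, and `fastcgi_cache_bypass`/`fastcgi_no_cache` in microcache.conf never fire. A page rendered for a logged-in user can therefore be stored for the 30 s window and replayed to any other client requesting the same `$scheme$host$request_uri$request_method` key. The usual fix is a set of conditions ahead of the php location, e.g. `if ($request_method = POST) { set $skip_cache 1; }`, `if ($query_string != "") { set $skip_cache 1; }`, `if ($http_cookie ~* "wordpress_logged_in|PHPSESSID") { set $skip_cache 1; }`, with the cookie names adjusted per application. The same unconditional `set $skip_cache 0;` plus microcache include appears in the wordpress.443.conf and wordpress.80.conf hunks. I also do not see a `fastcgi_cache_path ... keys_zone=microcache:...` in the visible part of nginx.conf; if it is not defined elsewhere, nginx will reject the `fastcgi_cache microcache;` reference at startup.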
@@ -0,0 +1,88 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + return 301 https://DOMAIN$request_uri; + server_tokens off; +} +##### Process http stop ######################################################## + +##### Process https start ###################################################### +server { + listen 443 ssl http2; + server_name DOMAIN; + server_tokens off; + + ##### SSL configuration start ############################################## + # ssl_protocols TLSv1.2 TLSv1.3; + # ssl_ciphers EECDH+AESGCM:EDH+AESGCM; + # ssl_prefer_server_ciphers off; + # ssl_stapling on; + # ssl_stapling_verify on; + # resolver 8.8.4.4 8.8.8.8; + # resolver_timeout 5s; + # ssl_session_timeout 1d; + # ssl_session_tickets off; + # ssl_session_cache shared:SSL:10m; + # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; + # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; + # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; + ##### SSL configuration stop ############################################### + + ##### XSS headers start #################################################### + # add_header X-Frame-Options DENY; + # add_header X-Frame-Options SAMEORIGIN; + # add_header X-Content-Type-Options nosniff; + # add_header X-XSS-Protection "1; mode=block"; + # add_header Permissions-Policy interest-cohort=(); + # add_header Content-Security-Policy "default-src 'self'"; + # add_header Referrer-Policy strict-origin-when-cross-origin; + # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + ##### XSS headers stop ##################################################### + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop ############################# + + ##### Optional disable gzip start 
########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + # include /etc/nginx/nginx-snippets/log-exclude.conf; + location = /.env { access_log off; log_not_found off; } + location = /favicon.ico { access_log off; log_not_found off; } + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Process content start ################################################ + location / { + # include /etc/nginx/nginx-snippets/proxyheader.conf; + # proxy_set_header Host $host; # May fix som proxy issues + # proxy_ssl_verify off; # Disable cert check with internal proxy + proxy_pass http://127.0.0.1:GITEAPORT; + } + ##### Process content stop ################################################# + + ##### Cache js css static content and open files start ##################### + # include /etc/nginx/nginx-snippets/cache-open-files.conf; + # include /etc/nginx/nginx-snippets/cache-statics.conf; + # include /etc/nginx/nginx-snippets/cache-js-css.conf; + ##### Cache js css static content and open files stop ###################### +} +##### 
Process https stop ####################################################### diff --git a/hostfiles/gitea-multi.80.conf b/hostfiles/gitea-multi.80.conf new file mode 100644 index 0000000..017722b --- /dev/null +++ b/hostfiles/gitea-multi.80.conf 
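Review bot: The `listen 443 ssl http2` server has no active `ssl_certificate`/`ssl_certificate_key` — the entire SSL block is commented out — so as committed this file will not load unless the certificate directives are supplied at `http` level, and the visible part of nginx.conf sets only `ssl_protocols` and `ssl_prefer_server_ciphers`. The response-header block is likewise fully commented out, so the HTTPS host ships with no `Strict-Transport-Security`, `X-Content-Type-Options` or `X-Frame-Options`; the two uncontroversial ones could be on by default: `add_header X-Content-Type-Options nosniff always;` and `add_header X-Frame-Options SAMEORIGIN always;`. Note that any `add_header` placed inside `location /` replaces the server-level set entirely, so whichever headers are enabled should be verified against the proxied location. The same commented-out SSL and header blocks appear in the gitea.443.conf, wordpress.443.conf and zabbix.443.conf hunks.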
@@ -0,0 +1,52 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + server_tokens off; + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop ############################# + + ##### Optional disable gzip start ########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + # include /etc/nginx/nginx-snippets/log-exclude.conf; + location = /.env { access_log off; log_not_found off; } + location = /favicon.ico { access_log off; log_not_found off; } + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Process content start ################################################ + location / { + # include /etc/nginx/nginx-snippets/proxyheader.conf; + # proxy_set_header Host $host; # May fix som proxy issues + # proxy_ssl_verify off; # Disable cert check with internal proxy + proxy_pass http://127.0.0.1:GITEAPORT; + } + ##### 
Process content stop ################################################# + + ##### Cache js css static content and open files start ##################### + # include /etc/nginx/nginx-snippets/cache-open-files.conf; + # include /etc/nginx/nginx-snippets/cache-statics.conf; + # include /etc/nginx/nginx-snippets/cache-js-css.conf; + ##### Cache js css static content and open files stop ###################### +} +##### Process http stop ######################################################## diff --git a/hostfiles/gitea.443.conf b/hostfiles/gitea.443.conf new file mode 100644 index 0000000..2644f3e --- /dev/null +++ b/hostfiles/gitea.443.conf 
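Review bot: `proxy_pass http://127.0.0.1:GITEAPORT;` is issued with no `proxy_set_header` lines, so the upstream sees every request as coming from 127.0.0.1 with nginx's default `Host`; Gitea's own access log, failed-login tracking and any fail2ban rule keyed on client address then cannot tell clients apart, and absolute URLs it generates may carry the wrong host or scheme. The include that would supply these headers (`proxyheader.conf`) is commented out in this location. I would set the four forwarding headers explicitly as below, and make sure Gitea's trusted-reverse-proxy setting covers 127.0.0.1 so it honours them. The identical location block appears in the gitea-multi.443.conf, gitea.443.conf and gitea.80.conf hunks.
```nginx
    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:GITEAPORT;
    }
```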
@@ -0,0 +1,88 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + return 301 https://DOMAIN$request_uri; + server_tokens off; +} +##### Process http stop ######################################################## + +##### Process https start ###################################################### +server { + listen 443 ssl http2; + server_name DOMAIN; + server_tokens off; + + ##### SSL configuration start ############################################## + # ssl_protocols TLSv1.2 TLSv1.3; + # ssl_ciphers EECDH+AESGCM:EDH+AESGCM; + # ssl_prefer_server_ciphers off; + # ssl_stapling on; + # ssl_stapling_verify on; + # resolver 8.8.4.4 8.8.8.8; + # resolver_timeout 5s; + # ssl_session_timeout 1d; + # ssl_session_tickets off; + # ssl_session_cache shared:SSL:10m; + # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; + # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; + # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; + ##### SSL configuration stop ############################################### + + ##### XSS headers start #################################################### + # add_header X-Frame-Options DENY; + # add_header X-Frame-Options SAMEORIGIN; + # add_header X-Content-Type-Options nosniff; + # add_header X-XSS-Protection "1; mode=block"; + # add_header Permissions-Policy interest-cohort=(); + # add_header Content-Security-Policy "default-src 'self'"; + # add_header Referrer-Policy strict-origin-when-cross-origin; + # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + ##### XSS headers stop ##################################################### + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop ############################# + + ##### Optional disable gzip start 
########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + # include /etc/nginx/nginx-snippets/log-exclude.conf; + location = /.env { access_log off; log_not_found off; } + location = /favicon.ico { access_log off; log_not_found off; } + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Process content start ################################################ + location / { + # include /etc/nginx/nginx-snippets/proxyheader.conf; + # proxy_set_header Host $host; # May fix som proxy issues + # proxy_ssl_verify off; # Disable cert check with internal proxy + proxy_pass http://127.0.0.1:3000; + } + ##### Process content stop ################################################# + + ##### Cache js css static content and open files start ##################### + # include /etc/nginx/nginx-snippets/cache-open-files.conf; + # include /etc/nginx/nginx-snippets/cache-statics.conf; + # include /etc/nginx/nginx-snippets/cache-js-css.conf; + ##### Cache js css static content and open files stop ###################### +} +##### Process 
https stop ####################################################### diff --git a/hostfiles/gitea.80.conf b/hostfiles/gitea.80.conf new file mode 100644 index 0000000..e9b21eb --- /dev/null +++ b/hostfiles/gitea.80.conf 
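Review bot: This file is the gitea-multi.443.conf hunk with `GITEAPORT` replaced by the literal `3000`; keeping two copies invites drift, because any hardening added to one must be repeated in the other, so I would keep only the placeholder version and document 3000 as the default value. The commented hint `# proxy_ssl_verify off; # Disable cert check with internal proxy` is also a no-op here because the upstream is plain `http://`, and should the backend ever move to `https://` the right fix is `proxy_ssl_trusted_certificate` pointing at the backend's CA rather than switching verification off; I would reword the comment to say that. The same pair of points applies to the gitea.80.conf hunk.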
@@ -0,0 +1,52 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + server_tokens off; + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop ############################# + + ##### Optional disable gzip start ########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + # include /etc/nginx/nginx-snippets/log-exclude.conf; + location = /.env { access_log off; log_not_found off; } + location = /favicon.ico { access_log off; log_not_found off; } + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Process content start ################################################ + location / { + # include /etc/nginx/nginx-snippets/proxyheader.conf; + # proxy_set_header Host $host; # May fix som proxy issues + # proxy_ssl_verify off; # Disable cert check with internal proxy + proxy_pass http://127.0.0.1:3000; + } + ##### Process 
content stop ################################################# + + ##### Cache js css static content and open files start ##################### + # include /etc/nginx/nginx-snippets/cache-open-files.conf; + # include /etc/nginx/nginx-snippets/cache-statics.conf; + # include /etc/nginx/nginx-snippets/cache-js-css.conf; + ##### Cache js css static content and open files stop ###################### +} +##### Process http stop ######################################################## diff --git a/hostfiles/wordpress.443.conf b/hostfiles/wordpress.443.conf new file mode 100644 index 0000000..4eb1565 --- /dev/null +++ b/hostfiles/wordpress.443.conf 
@@ -0,0 +1,98 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + return 301 https://DOMAIN$request_uri; + server_tokens off; +} +##### Process http stop ######################################################## + +##### Process https start ###################################################### +server { + listen 443 ssl http2; + server_name DOMAIN; + server_tokens off; + root /var/www/html/DOMAIN; + index index.php index.html; + + ##### SSL configuration start ############################################## + # ssl_protocols TLSv1.2 TLSv1.3; + # ssl_ciphers EECDH+AESGCM:EDH+AESGCM; + # ssl_prefer_server_ciphers off; + # ssl_stapling on; + # ssl_stapling_verify on; + # resolver 8.8.4.4 8.8.8.8; + # resolver_timeout 5s; + # ssl_session_timeout 1d; + # ssl_session_tickets off; + # ssl_session_cache shared:SSL:10m; + # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; + # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; + # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; + ##### SSL configuration stop ############################################### + + ##### XSS headers start #################################################### + # add_header X-Frame-Options DENY; + # add_header X-Frame-Options SAMEORIGIN; + # add_header X-Content-Type-Options nosniff; + # add_header X-XSS-Protection "1; mode=block"; + # add_header Permissions-Policy interest-cohort=(); + # add_header Content-Security-Policy "default-src 'self'"; + # add_header Referrer-Policy strict-origin-when-cross-origin; + # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + ##### XSS headers stop ##################################################### + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop 
############################# + + ##### Optional disable gzip start ########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + include /etc/nginx/nginx-snippets/log-exclude.conf; + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Process content start ################################################ + location / { + try_files $uri $uri/ /index.php$is_args$args; + } + ##### Process content stop ################################################# + + ##### Wordpress Hardeing start ############################################# + include /etc/nginx/includes/wp-hardening.conf; + ##### Wordpress Hardeing stop ############################################## + + ##### Process php start #################################################### + location ~ \.php$ { + # include /etc/nginx/nginx-snippets/proxyheader.conf; + include snippets/fastcgi-php.conf; + fastcgi_pass unix:/var/run/php/PHPVERSION.sock; + include /etc/nginx/nginx-snippets/microcache.conf; + } + ##### Process php stop 
##################################################### + + ##### Cache js css static content and open files start ##################### + # include /etc/nginx/nginx-snippets/cache-open-files.conf; + # include /etc/nginx/nginx-snippets/cache-statics.conf; + # include /etc/nginx/nginx-snippets/cache-js-css.conf; + ##### Cache js css static content and open files stop ###################### +} +##### Process https stop ####################################################### diff --git a/hostfiles/wordpress.80.conf b/hostfiles/wordpress.80.conf new file mode 100644 index 0000000..2246f5c --- /dev/null +++ b/hostfiles/wordpress.80.conf 
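Review bot: `include /etc/nginx/includes/wp-hardening.conf;` uses a different directory from every other snippet in this file (`/etc/nginx/nginx-snippets/`); an `include` with a non-glob path that does not exist is a fatal error at `nginx -t`, so unless the hardening file is deliberately installed under `/etc/nginx/includes/` this host will not load — and if someone "fixes" that by commenting the line out, the WordPress hardening silently disappears. I would change it to `include /etc/nginx/nginx-snippets/wp-hardening.conf;` to match the rest. The surrounding block marker also reads `Wordpress Hardeing`. The same include path appears in the wordpress.80.conf hunk.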
@@ -0,0 +1,62 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + server_tokens off; + root /var/www/html/DOMAIN; + index index.php index.html; + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop ############################# + + ##### Optional disable gzip start ########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + include /etc/nginx/nginx-snippets/log-exclude.conf; + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Process content start ################################################ + location / { + try_files $uri $uri/ /index.php$is_args$args; + } + ##### Process content stop ################################################# + + ##### Wordpress Hardeing start ############################################# + include /etc/nginx/includes/wp-hardening.conf; + ##### Wordpress Hardeing stop 
############################################## + + ##### Process php start #################################################### + location ~ \.php$ { + # include /etc/nginx/nginx-snippets/proxyheader.conf; + include snippets/fastcgi-php.conf; + fastcgi_pass unix:/var/run/php/PHPVERSION.sock; + include /etc/nginx/nginx-snippets/microcache.conf; + } + ##### Process php stop ##################################################### + + ##### Cache js css static content and open files start ##################### + # include /etc/nginx/nginx-snippets/cache-open-files.conf; + # include /etc/nginx/nginx-snippets/cache-statics.conf; + # include /etc/nginx/nginx-snippets/cache-js-css.conf; + ##### Cache js css static content and open files stop ###################### +} +##### Process http stop ######################################################## diff --git a/hostfiles/zabbix.443.conf b/hostfiles/zabbix.443.conf new file mode 100644 index 0000000..028eea6 --- /dev/null +++ b/hostfiles/zabbix.443.conf 
@@ -0,0 +1,122 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + return 301 https://DOMAIN$request_uri; + server_tokens off; +} +##### Process http stop ######################################################## + +##### Process https start ###################################################### +server { + listen 443 ssl http2; + server_name DOMAIN; + server_tokens off; + root /usr/share/zabbix; + index index.php; + + ##### SSL configuration start ############################################## + # ssl_protocols TLSv1.2 TLSv1.3; + # ssl_ciphers EECDH+AESGCM:EDH+AESGCM; + # ssl_prefer_server_ciphers off; + # ssl_stapling on; + # ssl_stapling_verify on; + # resolver 8.8.4.4 8.8.8.8; + # resolver_timeout 5s; + # ssl_session_timeout 1d; + # ssl_session_tickets off; + # ssl_session_cache shared:SSL:10m; + # ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; + # ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; + # ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; + ##### SSL configuration stop ############################################### + + ##### XSS headers start #################################################### + # add_header X-Frame-Options DENY; + # add_header X-Frame-Options SAMEORIGIN; + # add_header X-Content-Type-Options nosniff; + # add_header X-XSS-Protection "1; mode=block"; + # add_header Permissions-Policy interest-cohort=(); + # add_header Content-Security-Policy "default-src 'self'"; + # add_header Referrer-Policy strict-origin-when-cross-origin; + # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + ##### XSS headers stop ##################################################### + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop ############################# + + ##### 
Optional disable gzip start ########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + include /etc/nginx/nginx-snippets/log-exclude.conf; + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Misc content start ################################################### + location / { + + try_files $uri $uri/ =404; + } + + location /assets { + access_log off; + expires 10d; + } + + location ~ /(api\/|conf[^\.]|include|locale) { + deny all; + return 404; + } + ##### Misc content stop #################################################### + + ##### Process php ########################################################## + location ~ [^/]\.php(/|$) { + fastcgi_pass unix:/var/run/php/zabbix.sock; + + fastcgi_param DOCUMENT_ROOT /usr/share/zabbix; + fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name; + fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name; + + include fastcgi_params; + fastcgi_param QUERY_STRING $query_string; + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param CONTENT_TYPE 
$content_type; + fastcgi_param CONTENT_LENGTH $content_length; + + fastcgi_intercept_errors on; + fastcgi_ignore_client_abort off; + fastcgi_connect_timeout 60; + fastcgi_send_timeout 180; + fastcgi_read_timeout 180; + fastcgi_buffer_size 128k; + fastcgi_buffers 4 256k; + fastcgi_busy_buffers_size 256k; + fastcgi_temp_file_write_size 256k; + } + ##### Process php ########################################################## + + ##### Cache js css and all statics start ################################### + # include /etc/nginx/nginx-snippets/cache-open-files.conf; + # include /etc/nginx/nginx-snippets/cache-statics.conf; + # include /etc/nginx/nginx-snippets/cache-js-css.conf; + ##### Cache js css and all statics stop #################################### +} +##### Process https start ###################################################### diff --git a/hostfiles/zabbix.80.conf b/hostfiles/zabbix.80.conf new file mode 100644 index 0000000..af6db7e --- /dev/null +++ b/hostfiles/zabbix.80.conf 
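Review bot: `location ~ [^/]\.php(/|$)` accepts trailing path info, but the block never calls `fastcgi_split_path_info`, so for a request such as `/index.php/extra` the `SCRIPT_FILENAME` sent to php-fpm is `/usr/share/zabbix/index.php/extra` and script resolution is left to php-fpm's `cgi.fix_pathinfo`; either add `fastcgi_split_path_info ^(.+\.php)(/.+)$;` together with `fastcgi_param PATH_INFO $fastcgi_path_info;` ahead of the other `fastcgi_param` lines, or drop the `(/|$)` alternative if Zabbix does not need path info. Both markers for the PHP section read `##### Process php` with no start/stop, and the file's closing marker says `Process https start` where `stop` is meant; the zabbix.80.conf hunk has the same markers and the same PHP location. `set $skip_cache 0;` is also dead in this host, since the PHP location does not include microcache.conf.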
@@ -0,0 +1,86 @@ +##### Process http start ####################################################### +server { + listen 80; + server_name DOMAIN; + server_tokens off; + root /usr/share/zabbix; + index index.php; + + ##### Optional include custom Error pages start ############################ + include /etc/nginx/nginx-snippets/custom-errors.conf; + ##### Optional include custom Error pages stop ############################# + + ##### Optional disable gzip start ########################################## + # gzip off; + ##### Optional disable gzip stop ########################################### + + ##### Optional disable access log start #################################### + # access_log off; + ##### Optional disable access log stop ##################################### + + ##### Block Bad referers and bad bots start ################################ + if ($bad_referer) { return 444; } + if ($bad_user_agent) { return 444; } + ##### Block Bad referers and bad bots stop ################################# + + ##### Optional stuff start ################################################# + # include /etc/nginx/nginx-snippets/block-engines.conf; + include /etc/nginx/nginx-snippets/log-exclude.conf; + include /etc/nginx/nginx-snippets/block-htaccess.conf; + include /etc/nginx/nginx-snippets/block-file-access.conf; + ##### Optional stuff stop ################################################## + + ##### Enable fastcgi cache start ########################################### + set $skip_cache 0; + ##### Enable fastcgi cache stop ############################################ + + ##### Misc content start ################################################### + location / { + + try_files $uri $uri/ =404; + } + + location /assets { + access_log off; + expires 10d; + } + + location ~ /(api\/|conf[^\.]|include|locale) { + deny all; + return 404; + } + ##### Misc content stop #################################################### + + ##### Process php 
##########################################################
+ location ~ [^/]\.php(/|$) {
+ fastcgi_pass unix:/var/run/php/zabbix.sock;
+
+ fastcgi_param DOCUMENT_ROOT /usr/share/zabbix;
+ fastcgi_param SCRIPT_FILENAME /usr/share/zabbix$fastcgi_script_name;
+ fastcgi_param PATH_TRANSLATED /usr/share/zabbix$fastcgi_script_name;
+
+ include fastcgi_params;
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param CONTENT_TYPE $content_type;
+ fastcgi_param CONTENT_LENGTH $content_length;
+
+ fastcgi_intercept_errors on;
+ fastcgi_ignore_client_abort off;
+ fastcgi_connect_timeout 60;
+ fastcgi_send_timeout 180;
+ fastcgi_read_timeout 180;
+ fastcgi_buffer_size 128k;
+ fastcgi_buffers 4 256k;
+ fastcgi_busy_buffers_size 256k;
+ fastcgi_temp_file_write_size 256k;
+ }
+ ##### Process php ##########################################################
+
+ ##### Cache js css and all statics start ###################################
+ # include /etc/nginx/nginx-snippets/cache-open-files.conf;
+ # include /etc/nginx/nginx-snippets/cache-statics.conf;
+ # include /etc/nginx/nginx-snippets/cache-js-css.conf;
+ ##### Cache js css and all statics stop ####################################
+}
+##### Process http start #######################################################
diff --git a/log-exclude.conf b/log-exclude.conf
new file mode 100644
index 0000000..9a6ba21
--- /dev/null
+++ b/log-exclude.conf
@@ -0,0 +1,3 @@
+location = /.env { access_log off; log_not_found off; }
+location = /favicon.ico { access_log off; log_not_found off; }
+location = /robots.txt { access_log off; log_not_found off; }
diff --git a/log.conf b/log.conf
new file mode 100644
index 0000000..b39aeb0
--- /dev/null
+++ b/log.conf
@@ -0,0 +1 @@
+log_format main '[$time_local] [Cache:$upstream_cache_status] [$host] [Remote_Addr: $remote_addr] - $remote_user - $server_name to: $upstream_addr: "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" ';
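Review bot: `location = /.env { access_log off; log_not_found off; }` contains no `deny` or `return`, and an exact-match `location =` takes precedence over every regex location, so in the PHP hosts that include this snippet (they set `root /var/www/html/DOMAIN`) a stray `.env` in the docroot would be served by this block — with its access log switched off — even if block-file-access.conf denies dot-files through a regex location. Probes for `/.env` are also one of the clearest scanner indicators in web logs, so I would keep them logged rather than silenced. Suggested: `location = /.env { return 404; log_not_found off; }`, keeping `access_log off` only for `favicon.ico` and `robots.txt`. The same two `.env`/`favicon.ico` lines are pasted inline in the gitea-multi.443.conf, gitea-multi.80.conf, gitea.443.conf and gitea.80.conf hunks, where the exact match also keeps `/.env` from being proxied, which is harmless but worth knowing.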
diff --git a/microcache.conf b/microcache.conf
new file mode 100644
index 0000000..1be3c07
--- /dev/null
+++ b/microcache.conf
@@ -0,0 +1,13 @@
+fastcgi_hide_header X-Powered-By;
+fastcgi_cache microcache;
+fastcgi_cache_key $scheme$host$request_uri$request_method;
+fastcgi_cache_valid 200 301 302 30s;
+fastcgi_cache_use_stale updating error timeout invalid_header http_500;
+fastcgi_pass_header Set-Cookie;
+fastcgi_pass_header Cookie;
+fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+fastcgi_buffers 16 256k;
+fastcgi_buffer_size 128k;
+fastcgi_intercept_errors on;
+fastcgi_cache_bypass $skip_cache;
+fastcgi_no_cache $skip_cache;
diff --git a/nginxconf/default b/nginxconf/default
new file mode 100644
index 0000000..aa8c2bd
--- /dev/null
+++ b/nginxconf/default
@@ -0,0 +1,18 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_tokens off;
+ root /var/www/html/default;
+ index index.html index.htm;
+ server_name _;
+
+ access_log /var/log/nginx/direct.ip.access.log main;
+ error_log /var/log/nginx/direct.ip.access.error.log crit;
+ access_log on;
+ log_not_found off;
+
+ location / {
+ return 444;
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/nginxconf/nginx.conf b/nginxconf/nginx.conf
new file mode 100644
index 0000000..da2f667
--- /dev/null
+++ b/nginxconf/nginx.conf
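Review bot: `fastcgi_ignore_headers Cache-Control Expires Set-Cookie;` removes nginx's default refusal to cache a response that carries `Set-Cookie`, and `fastcgi_pass_header Set-Cookie;` then stores that header in the cache entry, so a login or session-refresh response can be cached for 30 s and its cookie handed to every other client that hits the same key. This is independent of `$skip_cache`: a bypass rule only helps for requests that already present a cookie, not for the response that first issues one. I would drop `Set-Cookie` from the ignore list, i.e. `fastcgi_ignore_headers Cache-Control Expires;`, so cookie-bearing responses are never cached, and add `fastcgi_cache_lock on;` if the goal is only to absorb request bursts. `fastcgi_pass_header Cookie;` also appears to be a no-op, since `Cookie` is a request header rather than something the FastCGI backend returns.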
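Review bot: `access_log on;` is not a recognised value — `off` is the only keyword — so nginx treats it as a log file path relative to its prefix, and together with the preceding `access_log /var/log/nginx/direct.ip.access.log main;` every request to this catch-all is written twice, once to a file literally named `on`; delete the line (the same `access_log on;` appears in the http block of the nginx.conf hunk). `try_files $uri $uri/ =404;` after `return 444;` is unreachable and can go as well. The catch-all also covers port 80 only: with no `listen 443 ssl default_server`, a TLS connection to the bare IP or to an unknown SNI name is answered by whichever `listen 443` vhost nginx loads first, exposing that site's certificate and content, so a matching `listen 443 ssl default_server;` server with `ssl_reject_handshake on;` (nginx 1.19.4 or later) is worth adding.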
@@ -0,0 +1,98 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 1024;
+ use epoll;
+ multi_accept on;
+}
+
+http {
+ ##### BASIC SETTINGS ####################### LAST UPDATED 08022021 #####
+ #
+ port_in_redirect off;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ keepalive_requests 100;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ client_body_buffer_size 10K;
+ client_header_buffer_size 4k;
+ client_max_body_size 50m;
+ large_client_header_buffers 2 4k;
+ client_body_timeout 10;
+ client_header_timeout 10;
+ send_timeout 2;
+ reset_timedout_connection on;
+ #
+ ##### BASIC SETTINGS ####################### LAST UPDATED 08022021 #####
+
+ ##### SSL SETTINGS ######################### LAST UPDATED 08022021 #####
+ #
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ #
+ ##### SSL SETTINGS ######################### LAST UPDATED 08022021 #####
+
+ ##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 #####
+ include /etc/nginx/nginx-snippets/cloudflare.conf;
+ ##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 #####
+
+ # BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 #####
+ include /etc/nginx/nginx-snippets/block-referer.conf;
+ include /etc/nginx/nginx-snippets/block-bots.conf;
+ # BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 #####
+
+ ##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 #####
+ include /etc/nginx/nginx-snippets/log.conf;
+ access_log /var/log/nginx/access.log main;
+ error_log /var/log/nginx/error.log crit;
+ access_log on;
+ log_not_found off;
+ #
+ ##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 #####
+
+ ##### GZIP SETTINGS ######################## LAST UPDATED 08022021 #####
+ #
+ include /etc/nginx/nginx-snippets/gzipconfig.conf;
+ #
+ ##### GZIP SETTINGS ######################## LAST UPDATED 08022021 #####
+
+ ##### CACHE SETTINGS ####################### LAST UPDATED 08022021 #####
+ #
+ # open_file_cache max=10000 inactive=20s;
+ # open_file_cache_valid 30s;
+ # open_file_cache_min_uses 2;
+ # open_file_cache_errors on;
+ #
+ ##### CACHE SETTINGS ####################### LAST UPDATED 08022021 #####
+
+ ##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 #####
+ #
+ upstream php-fpm {
+ server unix:/var/run/php/PHPVERSION.sock;
+ }
+ fastcgi_read_timeout 300;
+ fastcgi_cache_path /var/cache/nginx/fcgi levels=1:2 keys_zone=microcache:10m max_size=1024m inactive=1h;
+ #
+ ##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 #####
+
+ ##### VHOST SETTINGS ####################### LAST UPDATED 08022021 #####
+ #
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+ include /etc/nginx/static-sites/*.conf;
+ #
+ ##### VHOST SETTINGS ####################### LAST UPDATED 08022021 #####
+}
diff --git a/nginxconf/nginx.conf.high.perf b/nginxconf/nginx.conf.high.perf
new file mode 100644
index 0000000..fe860da
--- /dev/null
+++ b/nginxconf/nginx.conf.high.perf
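Review bot: `error_log /var/log/nginx/error.log crit;` discards everything below crit, which includes the `limiting requests` events that `limit_req` emits at its default `limit_req_log_level error` and the `access forbidden by rule` lines from `deny`, so the wp-rate-limit and hardening rules added in this commit leave no trace at this level; `error` (or `warn`) keeps them, and `limit_req_log_level` can be tuned per zone if volume is a concern. `access_log on;` after `access_log /var/log/nginx/access.log main;` is not a documented form — nginx takes any argument other than `off` as a path — so it most likely opens a second log file literally named `on` under the prefix directory; the same line appears in nginxconf/default and nginx.conf.high.perf, and `nginx -T` will show what it resolved to. `server unix:/var/run/php/PHPVERSION.sock;` is a template placeholder that nothing marks as one; a comment such as `# PHPVERSION is a placeholder: replace with the installed php-fpm socket name before use` would prevent a silent 502 on first deploy.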
@@ -0,0 +1,99 @@
+user www-data;
+worker_processes auto;
+worker_rlimit_nofile 100000;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 8000;
+ use epoll;
+ multi_accept on;
+}
+
+http {
+ ##### BASIC SETTINGS ####################### LAST UPDATED 08022021 #####
+ #
+ port_in_redirect off;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ keepalive_requests 100;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ client_body_buffer_size 10K;
+ client_header_buffer_size 4k;
+ client_max_body_size 50m;
+ large_client_header_buffers 2 4k;
+ client_body_timeout 10;
+ client_header_timeout 10;
+ send_timeout 2;
+ reset_timedout_connection on;
+ #
+ ##### BASIC SETTINGS ####################### LAST UPDATED 08022021 #####
+
+ ##### SSL SETTINGS ######################### LAST UPDATED 08022021 #####
+ #
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ #
+ ##### SSL SETTINGS ######################### LAST UPDATED 08022021 #####
+
+ ##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 #####
+ include /etc/nginx/nginx-snippets/cloudflare.conf;
+ ##### CLOUDFLARE SHOW REAL IPs ############# LAST UPDATED 08022021 #####
+
+ # BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 #####
+ include /etc/nginx/nginx-snippets/block-referer.conf;
+ include /etc/nginx/nginx-snippets/block-bots.conf;
+ # BLOCK BAD REFERER AND BAD BOTS ########### LAST UPDATED 08022021 #####
+
+ ##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 #####
+ include /etc/nginx/nginx-snippets/log.conf;
+ access_log /var/log/nginx/access.log main;
+ error_log /var/log/nginx/error.log crit;
+ access_log on;
+ log_not_found off;
+ #
+ ##### LOG SETTINGS ONLY LOG CRITICAL MSG ### LAST UPDATED 08022021 #####
+
+ ##### GZIP SETTINGS ######################## LAST UPDATED 08022021 #####
+ #
+ include /etc/nginx/nginx-snippets/gzipconfig.conf;
+ #
+ ##### GZIP SETTINGS ######################## LAST UPDATED 08022021 #####
+
+ ##### CACHE SETTINGS ####################### LAST UPDATED 08022021 #####
+ #
+ open_file_cache max=10000 inactive=20s;
+ open_file_cache_valid 30s;
+ open_file_cache_min_uses 2;
+ open_file_cache_errors on;
+ #
+ ##### CACHE SETTINGS ####################### LAST UPDATED 08022021 #####
+
+ ##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 #####
+ #
+ upstream php-fpm {
+ server unix:/var/run/php/PHPVERSION.sock;
+ }
+ fastcgi_read_timeout 300;
+ fastcgi_cache_path /var/cache/nginx/fcgi levels=1:2 keys_zone=microcache:10m max_size=1024m inactive=1h;
+ #
+ ##### FASTCGI SETTINGS ##################### LAST UPDATED 08022021 #####
+
+ ##### VHOST SETTINGS ####################### LAST UPDATED 08022021 #####
+ #
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+ include /etc/nginx/static-sites/*.conf;
+ #
+ ##### VHOST SETTINGS ####################### LAST UPDATED 08022021 #####
+}
diff --git a/proxy-params.conf b/proxy-params.conf
new file mode 100644
index 0000000..df75bc5
--- /dev/null
+++ b/proxy-params.conf
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/wp-hardening.conf b/wp-hardening.conf
new file mode 100644
index 0000000..250cfc4
--- /dev/null
+++ b/wp-hardening.conf
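Review bot: This file is a copy of nginx.conf that differs only in `worker_rlimit_nofile 100000`, `worker_connections 8000` and the uncommented `open_file_cache` block, and it inherits the `error_log ... crit`, `access_log on;` and `PHPVERSION` issues raised on nginx.conf; nothing in it says which deployment it targets or how it is selected. A header comment such as `# High-throughput variant of nginx.conf: differs only in worker_rlimit_nofile, worker_connections and open_file_cache; keep the two files in sync` would make that explicit. `open_file_cache_errors on;` with `open_file_cache_valid 30s;` also caches lookup failures, so a file created after a miss can stay invisible for up to 30s, which is worth a note next to the directive.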
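Review bot: `X-Forwarded-For $proxy_add_x_forwarded_for` appends `$remote_addr` to whatever `X-Forwarded-For` the client sent, so the backend receives a client-controlled prefix and must trust only the rightmost entry, while `X-Real-IP $remote_addr` is set unconditionally; that is the standard pattern, but the snippet does not say so and the hostfiles that include it are not visible here. `Host $http_host` forwards the raw header, which is empty for an HTTP/1.0 request without one, whereas `$host` falls back to the server name. Suggest a two-line comment at the top: `# X-Forwarded-For keeps client-supplied entries; upstreams must trust only the last (nginx-added) address.` and `# X-Real-IP is always $remote_addr, which cloudflare.conf may already have rewritten via real_ip_header.`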
@@ -0,0 +1,55 @@
+# Wordpress deny xmlrpc start #####################################################################################################
+ location = /xmlrpc.php {
+ deny all;
+ access_log off;
+ log_not_found off;
+ return 444;
+ }
+# Wordpress deny xmlrpc stop ######################################################################################################
+
+# Wordpress deny wp-cron start ####################################################################################################
+ location = /wp-cron.php {
+ deny all;
+ access_log off;
+ log_not_found off;
+ return 444;
+ }
+# Wordpress deny wp-cron stop #####################################################################################################
+
+# Wordpress limit get post start ##################################################################################################
+if ($request_method !~ ^(GET|POST)$ ) {
+ return 444;
+}
+# Wordpress limit get post stop ###################################################################################################
+
+# Wordpress deny php files where they dont belong start ###########################################################################
+location ~* /(?:uploads|files|wp-content|wp-includes)/.*.php$ {
+ deny all;
+ access_log off;
+ log_not_found off;
+ return 444;
+}
+# Wordpress deny php files where they dont belong stop ############################################################################
+
+# Wordpress limit request pr. sec here its 5 req/sec start ########################################################################
+location = /wp-login.php {
+ limit_req zone=wp-rate-limit burst=3 nodelay;
+ limit_req_status 444;
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/PHPVERSION.sock;
+}
+# NOTE: The above requires the following file to exist:
+# /etc/nginx/conf.d/wp-rate-limit.conf with the following content:
+# limit_req_zone $binary_remote_addr zone=wp-rate-limit:10m rate=10r/s;
+# Wordpress limit request pr. sec here its 5 req/sec stop #########################################################################
+
+# Wordpress deny access to the following files in upload directory start ##########################################################
+location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
+ deny all;
+}
+# Wordpress deny access to the following files in upload directory stop ###########################################################
+
+# Wordpress dont cache certain pages start ########################################################################################
+if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") { set $skip_cache 1; }
+if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") { set $skip_cache 1; }
+# Wordpress dont cache certain pages stop #########################################################################################
diff --git a/wp-rate-limit.conf b/wp-rate-limit.conf
new file mode 100644
index 0000000..97d3d4e
--- /dev/null
+++ b/wp-rate-limit.conf
@@ -0,0 +1 @@
+limit_req_zone $binary_remote_addr zone=wp-rate-limit:10m rate=10r/s;
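Review bot: The PHP deny rule `location ~* /(?:uploads|files|wp-content|wp-includes)/.*.php$` has an unescaped `.` and is anchored only at `$`, so it does not cover the path-info form `name.php/anything`; whether such a request reaches the PHP handler depends on the vhost's php location, which is not in this file, but the zabbix vhost earlier in this commit uses `[^/]\.php(/|$)` for exactly that case. `location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.(?:php|phtml|php\d)(?:/|$)` closes both gaps, and the uploads rule `.*.(html|htm|shtml|php|js|swf)$` has the same unescaped dot. In the xmlrpc and wp-cron blocks `deny all;` never runs, because `return 444;` ends the request in the rewrite phase before access checks. The section headers say `5 req/sec` while the quoted zone and wp-rate-limit.conf both say `rate=10r/s`, and the NOTE gives the zone file's path as `/etc/nginx/conf.d/wp-rate-limit.conf` although this commit adds it at the repository root, so one side of each pair should change. `fastcgi_pass unix:/var/run/php/PHPVERSION.sock;` hard-codes the socket even though nginx.conf defines `upstream php-fpm` for it; `fastcgi_pass php-fpm;` would leave a single place to edit.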
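Review bot: The zone is keyed on `$binary_remote_addr`, which is only the end user when the real-IP mapping from cloudflare.conf is active; behind any other proxy every client shares one bucket, and once the proxy exceeds 10 requests per second everyone gets the 444 that wp-hardening.conf assigns to `/wp-login.php`. `rate=10r/s` with `burst=3` is also generous for a login form, where interactive use is far below that; a lower per-client rate is the usual choice, tuned to the site. A comment would make the assumptions visible: `# Per-client bucket for /wp-login.php; assumes $binary_remote_addr is the end-user address (see cloudflare.conf).` and `# Must be included at http level (nginx.conf) before any vhost that uses zone=wp-rate-limit.`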