add anti-hack configuration in locations.conf

* update nginx with short ciphers suite 
* add comments to new directives
This commit is contained in:
VirtuBox 2018-09-12 20:44:12 +02:00
parent e75d3bcc22
commit 325bc49627
11 changed files with 366 additions and 186 deletions

View File

@ -14,14 +14,16 @@ location = /robots.txt {
log_not_found off; log_not_found off;
} }
# Cache static files # Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$
{
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
} }
# Cache static files # Cache css & js files
location ~* \.(css|js)$ { location ~* \.(?:css(\.map)?|js(\.map)?)$
{
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
@ -29,51 +31,103 @@ location ~* \.(css|js)$ {
} }
# Security settings for better privacy # Security settings for better privacy
# Deny hidden files # Deny hidden files
location ~ /\. {
deny all;
}
# Use the directory /var/www/html to valide acme-challenge
# just create the sub-directories .well-known/acme-challenge and set www-data as owner
# #
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
# #
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/; alias /var/www/html/.well-known/acme-challenge/;
} }
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
#location ~ /\.well-known { location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
# allow all; deny all;
#}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
} }
# Deny backup extensions & log files # Deny backup extensions & log files and return 403 forbidden
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ { location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all; deny all;
access_log off;
log_not_found off;
} }
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) # common nginx configuration to block sql injection and other attacks
location ~* "/(^$|readme|license|example)\.(txt|html)" { location ~* "(eval\()" {
return 403; deny all;
}
location ~* "(127\.0\.0\.1)" {
deny all;
}
location ~* "([a-z0-9]{2000})" {
deny all;
}
location ~* "(javascript\:)(.*)(\;)" {
deny all;
}
location ~* "(base64_encode)(.*)(\()" {
deny all;
}
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
deny all;
}
location ~* "(<|%3C).*script.*(>|%3)" {
deny all;
}
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
deny all;
}
location ~* "(boot\.ini|etc/passwd|self/environ)" {
deny all;
}
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
deny all;
}
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
deny all;
}
location ~* "(https?|ftp|php):/" {
deny all;
}
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
deny all;
}
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
deny all;
}
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
deny all;
}
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all;
}
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
deny all;
}
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
deny all;
} }
# Status pages # Status pages
location /nginx_status { location = /nginx_status {
stub_status on; stub_status on;
access_log off; access_log off;
include common/acl.conf; include common/acl.conf;
} }
location ~ ^/(status|ping) { location ~ ^/(status|ping)$ {
include fastcgi_params; include fastcgi_params;
fastcgi_pass php7; fastcgi_pass php7;
include common/acl.conf; include common/acl.conf;
} }
# EasyEngine (ee) utilities # EasyEngine (ee) utilities
# phpMyAdmin settings # phpMyAdmin settings
location /pma { location = /pma {
return 301 https://$host:22222/db/pma; return 301 https://$host:22222/db/pma;
} }
location /phpMyAdmin { location = /phpMyAdmin {
return 301 https://$host:22222/db/pma; return 301 https://$host:22222/db/pma;
} }
location /phpmyadmin { location = /phpmyadmin {
return 301 https://$host:22222/db/pma; return 301 https://$host:22222/db/pma;
} }
# Adminer settings # Adminer settings
location /adminer { location = /adminer {
return 301 https://$host:22222/db/adminer; return 301 https://$host:22222/db/adminer;
} }

View File

@ -14,14 +14,16 @@ location = /robots.txt {
log_not_found off; log_not_found off;
} }
# Cache static files # Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$
{
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
} }
# Cache static files # Cache css & js files
location ~* \.(css|js)$ { location ~* \.(?:css(\.map)?|js(\.map)?)$
{
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
@ -29,27 +31,79 @@ location ~* \.(css|js)$ {
} }
# Security settings for better privacy # Security settings for better privacy
# Deny hidden files # Deny hidden files
location ~ /\. {
deny all;
}
# Use the directory /var/www/html to valide acme-challenge
# just create the sub-directories .well-known/acme-challenge and set www-data as owner
# #
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
# #
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/; alias /var/www/html/.well-known/acme-challenge/;
} }
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
#location ~ /\.well-known { location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
# allow all; deny all;
#}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
} }
# Deny backup extensions & log files # Deny backup extensions & log files and return 403 forbidden
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ { location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all; deny all;
access_log off;
log_not_found off;
} }
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) # common nginx configuration to block sql injection and other attacks
location ~* "/(^$|readme|license|example)\.(txt|html)" { location ~* "(eval\()" {
return 403; deny all;
}
location ~* "(127\.0\.0\.1)" {
deny all;
}
location ~* "([a-z0-9]{2000})" {
deny all;
}
location ~* "(javascript\:)(.*)(\;)" {
deny all;
}
location ~* "(base64_encode)(.*)(\()" {
deny all;
}
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
deny all;
}
location ~* "(<|%3C).*script.*(>|%3)" {
deny all;
}
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
deny all;
}
location ~* "(boot\.ini|etc/passwd|self/environ)" {
deny all;
}
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
deny all;
}
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
deny all;
}
location ~* "(https?|ftp|php):/" {
deny all;
}
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
deny all;
}
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
deny all;
}
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
deny all;
}
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all;
}
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
deny all;
}
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
deny all;
} }
# Status pages # Status pages
location /nginx_status { location /nginx_status {

View File

@ -2,78 +2,135 @@
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Basic locations files # Basic locations files
location = /favicon.ico { location = /favicon.ico {
access_log off; try_files /favicon.ico @empty;
log_not_found off; access_log off;
expires max; log_not_found off;
expires max;
}
location @empty {
empty_gif;
} }
location = /robots.txt { location = /robots.txt {
# Some WordPress plugin gererate robots.txt file # Some WordPress plugin gererate robots.txt file
# Refer #340 issue # Refer #340 issue
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Cache static files # Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
} }
# Cache static files # Cache css & js files
location ~* \.(css|js)$ { location ~* \.(?:css(\.map)?|js(\.map)?)$ {
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
expires 30d; expires 30d;
} }
# Security settings for better privacy # Security settings for better privacy
# Deny hidden files # Deny hidden files
location ~ /\. {
deny all;
}
# Use the directory /var/www/html to valide acme-challenge
# just create the sub-directories .well-known/acme-challenge and set www-data as owner
# #
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
# #
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/; alias /var/www/html/.well-known/acme-challenge/;
} }
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
#location ~ /\.well-known { location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
# allow all; deny all;
#}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
} }
# Deny backup extensions & log files # Deny backup extensions & log files and return 403 forbidden
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ { location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all; deny all;
access_log off;
log_not_found off;
} }
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) # common nginx configuration to block sql injection and other attacks
location ~* "/(^$|readme|license|example)\.(txt|html)" { location ~* "(eval\()" {
return 403; deny all;
}
location ~* "(127\.0\.0\.1)" {
deny all;
}
location ~* "([a-z0-9]{2000})" {
deny all;
}
location ~* "(javascript\:)(.*)(\;)" {
deny all;
}
location ~* "(base64_encode)(.*)(\()" {
deny all;
}
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
deny all;
}
location ~* "(<|%3C).*script.*(>|%3)" {
deny all;
}
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
deny all;
}
location ~* "(boot\.ini|etc/passwd|self/environ)" {
deny all;
}
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
deny all;
}
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
deny all;
}
location ~* "(https?|ftp|php):/" {
deny all;
}
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
deny all;
}
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
deny all;
}
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
deny all;
}
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all;
}
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
deny all;
}
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
deny all;
} }
# Status pages # Status pages
location /nginx_status { location /nginx_status {
stub_status on; stub_status on;
access_log off; access_log off;
include common/acl.conf; include common/acl.conf;
} }
location ~ ^/(status|ping) { location ~ ^/(status|ping) {
include fastcgi_params; include fastcgi_params;
fastcgi_pass php71; include common/acl.conf;
include common/acl.conf; fastcgi_pass php72;
} }
# EasyEngine (ee) utilities # EasyEngine (ee) utilities
# phpMyAdmin settings # phpMyAdmin settings
location /pma { location /pma {
return 301 https://$host:22222/db/pma; return 301 https://$host:22222/db/pma;
} }
location /phpMyAdmin { location /phpMyAdmin {
return 301 https://$host:22222/db/pma; return 301 https://$host:22222/db/pma;
} }
location /phpmyadmin { location /phpmyadmin {
return 301 https://$host:22222/db/pma; return 301 https://$host:22222/db/pma;
} }
# Adminer settings # Adminer settings
location /adminer { location /adminer {
return 301 https://$host:22222/db/adminer; return 301 https://$host:22222/db/adminer;
} }

View File

@ -2,34 +2,36 @@
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack # Limit access to avoid brute force attack
location = /wp-login.php { location = /wp-login.php {
limit_req zone=one burst=1 nodelay; limit_req zone=one burst=1 nodelay;
include fastcgi_params; include fastcgi_params;
fastcgi_pass php7; fastcgi_pass php7;
} }
# Disable wp-config.txt # Disable wp-config.txt
location = /wp-config.txt { location = /wp-config.txt {
deny all;
access_log off;
log_not_found off;
}
# Disallow php in upload folder
location /wp-content/uploads/ {
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
deny all; deny all;
} access_log off;
location ~ \.(png|jpe?g)$ { log_not_found off;
add_header Vary "Accept-Encoding"; }
add_header "Access-Control-Allow-Origin" "*"; # Disallow php in upload folder and add webp rewrite
add_header Cache-Control "public, no-transform"; location /wp-content/uploads/ {
access_log off; location ~ \.php$ {
log_not_found off; #Prevent Direct Access Of PHP Files From Web Browsers
expires max; deny all;
try_files $uri$webp_suffix $uri =404; }
} # webp rewrite rules
location ~ \.(png|jpe?g)$ {
add_header Vary "Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*";
add_header Cache-Control "public, no-transform";
access_log off;
log_not_found off;
expires max;
try_files $uri$webp_suffix $uri =404;
}
} }
# mitigate DoS attack CVE with WordPress script concatenation # mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php { location ~ \/wp-admin\/load-(scripts|styles).php {
deny all; deny all;
} }

View File

@ -2,34 +2,36 @@
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack # Limit access to avoid brute force attack
location = /wp-login.php { location = /wp-login.php {
limit_req zone=one burst=1 nodelay; limit_req zone=one burst=1 nodelay;
include fastcgi_params; include fastcgi_params;
fastcgi_pass php71; fastcgi_pass php71;
} }
# Disable wp-config.txt # Disable wp-config.txt
location = /wp-config.txt { location = /wp-config.txt {
deny all; deny all;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Disallow php in upload folder and add webp rewrite # Disallow php in upload folder and add webp rewrite
location /wp-content/uploads/ { location /wp-content/uploads/ {
location ~ \.php$ { location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers #Prevent Direct Access Of PHP Files From Web Browsers
deny all; deny all;
} }
location ~ \.(png|jpe?g)$ { # webp rewrite rules
add_header Vary "Accept-Encoding"; location ~ \.(png|jpe?g)$ {
add_header "Access-Control-Allow-Origin" "*"; add_header Vary "Accept-Encoding";
add_header Cache-Control "public, no-transform"; add_header "Access-Control-Allow-Origin" "*";
access_log off; add_header Cache-Control "public, no-transform";
log_not_found off; access_log off;
expires max; log_not_found off;
try_files $uri$webp_suffix $uri =404; expires max;
} try_files $uri$webp_suffix $uri =404;
}
} }
# mitigate DoS attack CVE with WordPress script concatenation # mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php { location ~ \/wp-admin\/load-(scripts|styles).php {
deny all; deny all;
} }

View File

@ -2,34 +2,36 @@
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack # Limit access to avoid brute force attack
location = /wp-login.php { location = /wp-login.php {
limit_req zone=one burst=1 nodelay; limit_req zone=one burst=1 nodelay;
include fastcgi_params; include fastcgi_params;
fastcgi_pass php72; fastcgi_pass php72;
} }
# Disable wp-config.txt # Disable wp-config.txt
location = /wp-config.txt { location = /wp-config.txt {
deny all; deny all;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Disallow php in upload folder and add webp rewrite # Disallow php in upload folder and add webp rewrite
location /wp-content/uploads/ { location /wp-content/uploads/ {
location ~ \.php$ { location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers #Prevent Direct Access Of PHP Files From Web Browsers
deny all; deny all;
} }
location ~ \.(png|jpe?g)$ { # webp rewrite rules
add_header Vary "Accept-Encoding"; location ~ \.(png|jpe?g)$ {
add_header "Access-Control-Allow-Origin" "*"; add_header Vary "Accept-Encoding";
add_header Cache-Control "public, no-transform"; add_header "Access-Control-Allow-Origin" "*";
access_log off; add_header Cache-Control "public, no-transform";
log_not_found off; access_log off;
expires max; log_not_found off;
try_files $uri$webp_suffix $uri =404; expires max;
} try_files $uri$webp_suffix $uri =404;
}
} }
# mitigate DoS attack CVE with WordPress script concatenation # mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php { location ~ \/wp-admin\/load-(scripts|styles).php {
deny all; deny all;
} }

View File

@ -72,7 +72,7 @@ http
# SSL Settings # SSL Settings
## ##
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13+AESGCM+AES128:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AES128';
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d; ssl_session_timeout 1d;

View File

@ -14,14 +14,16 @@ location = /robots.txt {
log_not_found off; log_not_found off;
} }
# Cache static files # Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$
{
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
} }
# Cache static files # Cache css & js files
location ~* \.(css|js)$ { location ~* \.(?:css(\.map)?|js(\.map)?)$
{
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
@ -29,18 +31,19 @@ location ~* \.(css|js)$ {
} }
# Security settings for better privacy # Security settings for better privacy
# Deny hidden files # Deny hidden files
location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/;
}
#location ~ /\.well-known {
# allow all;
#}
location ~ /\. { location ~ /\. {
deny all; deny all;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Use the directory /var/www/html to valide acme-challenge
# just create the sub-directories .well-known/acme-challenge and set www-data as owner
# #
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
# #
location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/;
}
# Deny backup extensions & log files # Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ { location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
deny all; deny all;

View File

@ -14,14 +14,16 @@ location = /robots.txt {
log_not_found off; log_not_found off;
} }
# Cache static files # Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$
{
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
} }
# Cache static files # Cache css & js files
location ~* \.(css|js)$ { location ~* \.(?:css(\.map)?|js(\.map)?)$
{
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
@ -29,18 +31,19 @@ location ~* \.(css|js)$ {
} }
# Security settings for better privacy # Security settings for better privacy
# Deny hidden files # Deny hidden files
location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/;
}
#location ~ /\.well-known {
# allow all;
#}
location ~ /\. { location ~ /\. {
deny all; deny all;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Use the directory /var/www/html to valide acme-challenge
# just create the sub-directories .well-known/acme-challenge and set www-data as owner
# #
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
# #
location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/;
}
# Deny backup extensions & log files # Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ { location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
deny all; deny all;

View File

@ -14,14 +14,16 @@ location = /robots.txt {
log_not_found off; log_not_found off;
} }
# Cache static files # Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$
{
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
} }
# Cache static files # Cache css & js files
location ~* \.(css|js)$ { location ~* \.(?:css(\.map)?|js(\.map)?)$
{
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
@ -29,18 +31,19 @@ location ~* \.(css|js)$ {
} }
# Security settings for better privacy # Security settings for better privacy
# Deny hidden files # Deny hidden files
location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/;
}
#location ~ /\.well-known {
# allow all;
#}
location ~ /\. { location ~ /\. {
deny all; deny all;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Use the directory /var/www/html to valide acme-challenge
# just create the sub-directories .well-known/acme-challenge and set www-data as owner
# #
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
# #
location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/;
}
# Deny backup extensions & log files # Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ { location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
deny all; deny all;
@ -59,7 +62,7 @@ location /nginx_status {
} }
location ~ ^/(status|ping) { location ~ ^/(status|ping) {
include fastcgi_params; include fastcgi_params;
fastcgi_pass php71; fastcgi_pass php72;
include common/acl.conf; include common/acl.conf;
} }
# EasyEngine (ee) utilities # EasyEngine (ee) utilities

View File

@ -71,7 +71,7 @@ http
# SSL Settings # SSL Settings
## ##
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13+AESGCM+AES128:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AES128';
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d; ssl_session_timeout 1d;