Update wpcommon and fix incorrect config

This commit is contained in:
VirtuBox 2019-11-07 12:22:15 +01:00
parent bc249cbc48
commit 33bb4c3559
Signed by: virtubox
GPG Key ID: 22EB296C97BAD476
2 changed files with 192 additions and 124 deletions


@ -1,43 +1,96 @@
# WordPress COMMON SETTINGS # WordPress COMMON SETTINGS - WO v3.9.7
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
# Limit access to avoid brute force attack # Limit access to avoid brute force attack
location = /wp-login.php { location = /wp-login.php {
limit_req zone=one burst=1 nodelay; limit_req zone=one burst=1 nodelay;
include fastcgi_params; include fastcgi_params;
fastcgi_pass php72; fastcgi_pass php72;
} }
# Disable wp-config.txt # Prevent DoS attacks on wp-cron
location = /wp-config.txt { location = /wp-cron.php {
deny all; limit_req zone=two burst=1 nodelay;
access_log off; include fastcgi_params;
log_not_found off; fastcgi_pass php72;
} }
# webp rewrite rules for jpg and png images # Prevent Dos attacks with xmlrpc.php
# try to load alternative image.png.webp before image.png location = /xmlrpc.php {
location /wp-content/uploads { limit_req zone=two burst=1 nodelay;
location ~ \.(png|jpe?g)$ { include fastcgi_params;
add_header Vary "Accept-Encoding"; fastcgi_pass php72;
add_header "Access-Control-Allow-Origin" "*"; }
add_header Cache-Control "public, no-transform"; # Disable wp-config.txt
access_log off; location = /wp-config.txt {
log_not_found off; deny all;
expires max; access_log off;
try_files $uri$webp_suffix $uri =404; log_not_found off;
} }
location ~ \.php$ { location = /robots.txt {
#Prevent Direct Access Of PHP Files From Web Browsers # Some WordPress plugin gererate robots.txt file
deny all; # Refer #340 issue
} try_files $uri $uri/ /index.php?$args @robots;
} access_log off;
# Deny access to any files with a .php extension in the uploads directory log_not_found off;
# Works in sub-directory installs and also in multisite network }
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) # fallback for robots.txt with default wordpress rules
location ~* /(?:uploads|files)/.*\.php$ { location @robots {
deny all; return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
} }
# mitigate DoS attack CVE with WordPress script concatenation # webp rewrite rules for jpg and png images
# add the following line to wp-config.php # try to load alternative image.png.webp before image.png
# define( 'CONCATENATE_SCRIPTS', false ); location /wp-content/uploads {
location ~ \/wp-admin\/load-(scripts|styles).php { location ~ \.(png|jpe?g)$ {
deny all; add_header Vary "Accept-Encoding";
} more_set_headers 'Access-Control-Allow-Origin : *';
add_header Cache-Control "public, no-transform";
access_log off;
log_not_found off;
expires max;
try_files $uri$webp_suffix $uri =404;
}
location ~* \.(php|gz|log|zip|tar|rar)$ {
#Prevent Direct Access Of PHP Files & BackupsFrom Web Browsers
deny all;
}
}
# webp rewrite rules for EWWW testing image
location /wp-content/plugins/ewww-image-optimizer/images {
location ~ \.(png|jpe?g)$ {
add_header Vary "Accept-Encoding";
more_set_headers 'Access-Control-Allow-Origin : *';
add_header Cache-Control "public, no-transform";
access_log off;
log_not_found off;
expires max;
try_files $uri$webp_suffix $uri =404;
}
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
}
# enable gzip on static assets - php files are forbidden
location /wp-content/cache {
# Cache css & js files
location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ {
more_set_headers 'Access-Control-Allow-Origin : *';
access_log off;
log_not_found off;
expires 30d;
}
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php {
deny all;
}
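Review bot: The cache-asset matcher `location ~* \.(?:css(\.map)?|js(\.map)?|.html)$` inside the new `/wp-content/cache` block has an unescaped dot in its last alternative: after the leading `\.`, the branch `.html` means "any single character followed by html", so `foo.html` does not match at all while `foo.phtml` or `foo.shtml` do and get served as public static files with `expires 30d` and a wildcard CORS header. The intended line is probably `location ~* \.(?:css(\.map)?|js(\.map)?|html)$ {`. The same line appears in the php73 variant of this file in the second section of this commit, and both files carry the typo in `#Prevent Direct Access Of PHP Files & BackupsFrom Web Browsers` (missing space before "From").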


@ -1,81 +1,96 @@
# WordPress COMMON SETTINGS # WordPress COMMON SETTINGS - WO v3.9.7
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
# Limit access to avoid brute force attack # Limit access to avoid brute force attack
location = /wp-login.php { location = /wp-login.php {
limit_req zone=one burst=1 nodelay; limit_req zone=one burst=1 nodelay;
include fastcgi_params; include fastcgi_params;
fastcgi_pass php73; fastcgi_pass php73;
} }
# Disable wp-config.txt # Prevent DoS attacks on wp-cron
location = /wp-config.txt { location = /wp-cron.php {
deny all; limit_req zone=two burst=1 nodelay;
access_log off; include fastcgi_params;
log_not_found off; fastcgi_pass php73;
} }
# webp rewrite rules for jpg and png images # Prevent Dos attacks with xmlrpc.php
# try to load alternative image.png.webp before image.png location = /xmlrpc.php {
location /wp-content/uploads { limit_req zone=two burst=1 nodelay;
location ~ \.(png|jpe?g)$ { include fastcgi_params;
add_header Vary "Accept-Encoding"; fastcgi_pass php73;
add_header "Access-Control-Allow-Origin" "*"; }
add_header Cache-Control "public, no-transform"; # Disable wp-config.txt
access_log off; location = /wp-config.txt {
log_not_found off; deny all;
expires max; access_log off;
try_files $uri$webp_suffix $uri =404; log_not_found off;
} }
location ~ \.php$ { location = /robots.txt {
#Prevent Direct Access Of PHP Files From Web Browsers # Some WordPress plugin gererate robots.txt file
deny all; # Refer #340 issue
} try_files $uri $uri/ /index.php?$args @robots;
} access_log off;
# Deny access to any files with a .php extension in the uploads directory log_not_found off;
# Works in sub-directory installs and also in multisite network }
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) # fallback for robots.txt with default wordpress rules
location ~* /(?:uploads|files)/.*\.php$ { location @robots {
deny all; return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
} }
# mitigate DoS attack CVE with WordPress script concatenation # webp rewrite rules for jpg and png images
# add the following line to wp-config.php # try to load alternative image.png.webp before image.png
# define( 'CONCATENATE_SCRIPTS', false ); location /wp-content/uploads {
location ~ \/wp-admin\/load-(scripts|styles).php { location ~ \.(png|jpe?g)$ {
deny all; add_header Vary "Accept-Encoding";
} more_set_headers 'Access-Control-Allow-Origin : *';
add_header Cache-Control "public, no-transform";
location "=/wp-config\.(php|txt)" { access_log off;
log_not_found off;
location ~* wp-config.php { deny all; } expires max;
try_files $uri$webp_suffix $uri =404;
location ~* "^/wp-content/uploads/.*\\.php" { deny all; } }
location ~* "^/wp-includes/(?!js/tinymce/wp-tinymce\\.php$).*\\.php" { location ~* \.(php|gz|log|zip|tar|rar)$ {
deny all; #Prevent Direct Access Of PHP Files & BackupsFrom Web Browsers
} deny all;
location ~* "^/wp-admin/(load-styles|load-scripts)\\.php" { deny all; } }
}
location ~* ".*/cache/.*\\.ph(?:p[345]?|t|tml)" { # webp rewrite rules for EWWW testing image
access_log off; location /wp-content/plugins/ewww-image-optimizer/images {
log_not_found off; location ~ \.(png|jpe?g)$ {
deny all; add_header Vary "Accept-Encoding";
} more_set_headers 'Access-Control-Allow-Origin : *';
add_header Cache-Control "public, no-transform";
if ($query_string ~ "author=\d+") { access_log off;
return 403; log_not_found off;
} expires max;
try_files $uri$webp_suffix $uri =404;
location ~* "(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html))" { }
return 403; location ~ \.php$ {
} #Prevent Direct Access Of PHP Files From Web Browsers
deny all;
location ~* ".*\\.(psd|log|cmd|exe|bat|csh|sh)" { }
return 403; }
} # enable gzip on static assets - php files are forbidden
location /wp-content/cache {
location ~* /\.ht { # Cache css & js files
deny all; location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ {
} more_set_headers 'Access-Control-Allow-Origin : *';
access_log off;
if ($http_user_agent ~* "(?:acunetix|BLEXBot|domaincrawler\\.com|LinkpadBot|MJ12bot/v|majestic12\\.co\\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\\s+Link\\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)") { log_not_found off;
return 403; expires 30d;
} }
location ~ \.php$ {
#extension wp-toolkit end #Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php {
deny all;
}
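Review bot: In the new `location = /robots.txt`, `try_files $uri $uri/ /index.php?$args @robots;` never hands the request to WordPress, because only the final try_files argument is an internal redirect; the earlier ones are checked as paths on disk, and `/index.php?$args` is looked up literally as a filename that does not exist, so whenever no physical robots.txt is present the request always ends in `@robots`. That contradicts the adjacent comment about plugins generating robots.txt (which also misspells "generate" as "gererate"); if the dynamic file is wanted the front controller has to be the fallback, e.g. `try_files $uri $uri/ /index.php?$args;`, otherwise the comment should say the static default always wins. The same block is in the php72 variant in the first section. Note also that `limit_req zone=two` on the wp-cron and xmlrpc locations relies on a `limit_req_zone` named `two` being declared in the enclosing http context, which is outside this file and should be confirmed.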