Merge remote-tracking branch 'origin/master' into develop
This commit is contained in:
commit
45d1041425
BIN
common.zip
BIN
common.zip
Binary file not shown.
Binary file not shown.
|
@ -3,7 +3,7 @@
|
|||
# You can copy this file to one of:
|
||||
# - "/etc/mysql/my.cnf" to set global options,
|
||||
# - "~/.my.cnf" to set user-specific options.
|
||||
#
|
||||
#
|
||||
# One can use all long options that the program supports.
|
||||
# Run program with --help to get a list of available options and with
|
||||
# --print-defaults to see which it would actually understand and use.
|
||||
|
@ -37,10 +37,11 @@ tmpdir = /tmp
|
|||
lc_messages_dir = /usr/share/mysql
|
||||
lc_messages = en_US
|
||||
skip-external-locking
|
||||
performance_schema = ON
|
||||
#
|
||||
# Instead of skip-networking the default is now to listen only on
|
||||
# localhost which is more compatible and is not less secure.
|
||||
bind-address = 127.0.0.1
|
||||
bind-address = ::ffff:127.0.0.1
|
||||
#
|
||||
# * Fine Tuning
|
||||
#
|
||||
|
@ -71,9 +72,9 @@ read_rnd_buffer_size = 1M
|
|||
#
|
||||
# Cache only tiny result sets, so we can fit more in the query cache.
|
||||
query_cache_limit = 128K
|
||||
query_cache_size = 64M
|
||||
query_cache_size = 0
|
||||
# for more write intensive setups, set to DEMAND or OFF
|
||||
#query_cache_type = DEMAND
|
||||
query_cache_type = 0
|
||||
#
|
||||
# * Logging and Replication
|
||||
#
|
||||
|
@ -89,7 +90,7 @@ query_cache_size = 64M
|
|||
log_warnings = 2
|
||||
#
|
||||
# Enable the slow query log to see queries with especially long duration
|
||||
#slow_query_log[={0|1}]
|
||||
slow_query_log = 1
|
||||
slow_query_log_file = /var/log/mysql/mariadb-slow.log
|
||||
long_query_time = 10
|
||||
#log_slow_rate_limit = 1000
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
# EasyEngine (ee) protect locations using
|
||||
# HTTP authentication || IP address
|
||||
satisfy any;
|
||||
auth_basic "Restricted Area";
|
||||
auth_basic_user_file htpasswd-ee;
|
||||
# Allowed IP Address List
|
||||
allow 127.0.0.1;
|
||||
deny all;
|
|
@ -1,79 +1,131 @@
|
|||
# NGINX CONFIGURATION FOR COMMON LOCATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Basic locations files
|
||||
location = /favicon.ico {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(css|js)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
|
||||
#location ~ /\.well-known {
|
||||
# allow all;
|
||||
#}
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Deny backup extensions & log files
|
||||
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
|
||||
location ~* "/(^$|readme|license|example)\.(txt|html)" {
|
||||
return 403;
|
||||
}
|
||||
# Status pages
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
include common/acl.conf;
|
||||
}
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
include common/acl.conf;
|
||||
}
|
||||
# EasyEngine (ee) utilities
|
||||
# phpMyAdmin settings
|
||||
location /pma {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpMyAdmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpmyadmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
# Adminer settings
|
||||
location /adminer {
|
||||
return 301 https://$host:22222/db/adminer;
|
||||
}
|
||||
# NGINX CONFIGURATION FOR COMMON LOCATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Basic locations files
|
||||
location = /favicon.ico {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache css & js files
|
||||
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
}
|
||||
# Use the directory /var/www/html to valide acme-challenge
|
||||
# just create the sub-directories .well-known/acme-challenge and set www-data as owner
|
||||
# #
|
||||
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
|
||||
# #
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
|
||||
location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
|
||||
deny all;
|
||||
}
|
||||
# Deny backup extensions & log files and return 403 forbidden
|
||||
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
|
||||
deny all;
|
||||
}
|
||||
# common nginx configuration to block sql injection and other attacks
|
||||
location ~* "(eval\()" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(127\.0\.0\.1)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "([a-z0-9]{2000})" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(javascript\:)(.*)(\;)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(base64_encode)(.*)(\()" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(<|%3C).*script.*(>|%3)" {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(boot\.ini|etc/passwd|self/environ)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(https?|ftp|php):/" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
|
||||
deny all;
|
||||
}
|
||||
# Status pages
|
||||
location = /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
include common/acl.conf;
|
||||
}
|
||||
location ~ ^/(status|ping)$ {
|
||||
include fastcgi_params;
|
||||
include common/acl.conf;
|
||||
fastcgi_pass php7;
|
||||
}
|
||||
# EasyEngine (ee) utilities
|
||||
# phpMyAdmin settings
|
||||
location = /pma {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location = /phpMyAdmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location = /phpmyadmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
# Adminer settings
|
||||
location = /adminer {
|
||||
return 301 https://$host:22222/db/adminer;
|
||||
}
|
||||
|
|
|
@ -1,79 +1,133 @@
|
|||
# NGINX CONFIGURATION FOR COMMON LOCATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Basic locations files
|
||||
location = /favicon.ico {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(css|js)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
|
||||
#location ~ /\.well-known {
|
||||
# allow all;
|
||||
#}
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Deny backup extensions & log files
|
||||
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
|
||||
location ~* "/(^$|readme|license|example)\.(txt|html)" {
|
||||
return 403;
|
||||
}
|
||||
# Status pages
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
include common/acl.conf;
|
||||
}
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php71;
|
||||
include common/acl.conf;
|
||||
}
|
||||
# EasyEngine (ee) utilities
|
||||
# phpMyAdmin settings
|
||||
location /pma {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpMyAdmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpmyadmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
# Adminer settings
|
||||
location /adminer {
|
||||
return 301 https://$host:22222/db/adminer;
|
||||
}
|
||||
# NGINX CONFIGURATION FOR COMMON LOCATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Basic locations files
|
||||
location = /favicon.ico {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$
|
||||
{
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache css & js files
|
||||
location ~* \.(?:css(\.map)?|js(\.map)?)$
|
||||
{
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
}
|
||||
# Use the directory /var/www/html to valide acme-challenge
|
||||
# just create the sub-directories .well-known/acme-challenge and set www-data as owner
|
||||
# #
|
||||
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
|
||||
# #
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
|
||||
location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
|
||||
deny all;
|
||||
}
|
||||
# Deny backup extensions & log files and return 403 forbidden
|
||||
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
|
||||
deny all;
|
||||
}
|
||||
# common nginx configuration to block sql injection and other attacks
|
||||
location ~* "(eval\()" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(127\.0\.0\.1)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "([a-z0-9]{2000})" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(javascript\:)(.*)(\;)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(base64_encode)(.*)(\()" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(<|%3C).*script.*(>|%3)" {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(boot\.ini|etc/passwd|self/environ)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(https?|ftp|php):/" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
|
||||
deny all;
|
||||
}
|
||||
# Status pages
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
include common/acl.conf;
|
||||
}
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php71;
|
||||
include common/acl.conf;
|
||||
}
|
||||
# EasyEngine (ee) utilities
|
||||
# phpMyAdmin settings
|
||||
location /pma {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpMyAdmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpmyadmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
# Adminer settings
|
||||
location /adminer {
|
||||
return 301 https://$host:22222/db/adminer;
|
||||
}
|
||||
|
|
|
@ -1,79 +1,137 @@
|
|||
# NGINX CONFIGURATION FOR COMMON LOCATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Basic locations files
|
||||
location = /favicon.ico {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(css|js)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
|
||||
#location ~ /\.well-known {
|
||||
# allow all;
|
||||
#}
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Deny backup extensions & log files
|
||||
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
|
||||
location ~* "/(^$|readme|license|example)\.(txt|html)" {
|
||||
return 403;
|
||||
}
|
||||
# Status pages
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
include common/acl.conf;
|
||||
}
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php71;
|
||||
include common/acl.conf;
|
||||
}
|
||||
# EasyEngine (ee) utilities
|
||||
# phpMyAdmin settings
|
||||
location /pma {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpMyAdmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpmyadmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
# Adminer settings
|
||||
location /adminer {
|
||||
return 301 https://$host:22222/db/adminer;
|
||||
}
|
||||
# NGINX CONFIGURATION FOR COMMON LOCATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Basic locations files
|
||||
location = /favicon.ico {
|
||||
try_files /favicon.ico @empty;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
|
||||
}
|
||||
|
||||
location @empty {
|
||||
empty_gif;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache css & js files
|
||||
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
}
|
||||
# Use the directory /var/www/html to valide acme-challenge
|
||||
# just create the sub-directories .well-known/acme-challenge and set www-data as owner
|
||||
# #
|
||||
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
|
||||
# #
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
|
||||
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
|
||||
deny all;
|
||||
}
|
||||
# Deny backup extensions & log files and return 403 forbidden
|
||||
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
|
||||
deny all;
|
||||
}
|
||||
# common nginx configuration to block sql injection and other attacks
|
||||
location ~* "(eval\()" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(127\.0\.0\.1)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "([a-z0-9]{2000})" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(javascript\:)(.*)(\;)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(base64_encode)(.*)(\()" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(<|%3C).*script.*(>|%3)" {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(boot\.ini|etc/passwd|self/environ)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(https?|ftp|php):/" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
|
||||
deny all;
|
||||
}
|
||||
# Status pages
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
include common/acl.conf;
|
||||
}
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
include common/acl.conf;
|
||||
fastcgi_pass php72;
|
||||
}
|
||||
# EasyEngine (ee) utilities
|
||||
# phpMyAdmin settings
|
||||
location /pma {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpMyAdmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpmyadmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
# Adminer settings
|
||||
location /adminer {
|
||||
return 301 https://$host:22222/db/adminer;
|
||||
}
|
||||
|
|
|
@ -1,35 +1,37 @@
|
|||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
}
|
||||
|
||||
# mitigate DoS attack CVE with WordPress script concatenation
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
||||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder and add webp rewrite
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
# webp rewrite rules
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
}
|
||||
# mitigate DoS attack CVE with WordPress script concatenation
|
||||
# add the following line to wp-config.php
|
||||
# define( 'CONCATENATE_SCRIPTS', false );
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
||||
|
|
|
@ -1,35 +1,37 @@
|
|||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php71;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder and add webp rewrite
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
}
|
||||
|
||||
# mitigate DoS attack CVE with WordPress script concatenation
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
||||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php71;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder and add webp rewrite
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
# webp rewrite rules
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
}
|
||||
# mitigate DoS attack CVE with WordPress script concatenation
|
||||
# add the following line to wp-config.php
|
||||
# define( 'CONCATENATE_SCRIPTS', false );
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
||||
|
|
|
@ -1,35 +1,37 @@
|
|||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php72;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder and add webp rewrite
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
}
|
||||
|
||||
# mitigate DoS attack CVE with WordPress script concatenation
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
||||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php72;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder and add webp rewrite
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
# webp rewrite rules
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
}
|
||||
# mitigate DoS attack CVE with WordPress script concatenation
|
||||
# add the following line to wp-config.php
|
||||
# define( 'CONCATENATE_SCRIPTS', false );
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
||||
|
|
|
@ -18,10 +18,16 @@ http
|
|||
##
|
||||
|
||||
sendfile on;
|
||||
sendfile_max_chunk 512k;
|
||||
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 30;
|
||||
types_hash_max_size 2048;
|
||||
|
||||
keepalive_timeout 8;
|
||||
keepalive_requests 500;
|
||||
|
||||
lingering_time 20s;
|
||||
lingering_timeout 5s;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
|
|
|
@ -0,0 +1,186 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
worker_cpu_affinity auto;
|
||||
worker_rlimit_nofile 100000;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events
|
||||
{
|
||||
worker_connections 16384;
|
||||
multi_accept on;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http
|
||||
{
|
||||
##
|
||||
# EasyEngine Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
sendfile_max_chunk 512k;
|
||||
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
|
||||
keepalive_timeout 8;
|
||||
keepalive_requests 500;
|
||||
|
||||
lingering_time 20s;
|
||||
lingering_timeout 5s;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
|
||||
add_header rt-Fastcgi-Cache $upstream_cache_status;
|
||||
|
||||
# Limit Request
|
||||
limit_req_status 403;
|
||||
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
|
||||
|
||||
#Simple DOS mitigation
|
||||
##Max c/s by ip
|
||||
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||
#limit_conn limit_per_ip 80;
|
||||
|
||||
##Max rq/s by ip
|
||||
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
||||
#limit_req zone=allips burst=400 nodelay;
|
||||
|
||||
# Proxy Settings
|
||||
# set_real_ip_from proxy-server-ip;
|
||||
# real_ip_header X-Forwarded-For;
|
||||
|
||||
fastcgi_read_timeout 120s;
|
||||
client_max_body_size 100m;
|
||||
|
||||
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
||||
aio threads;
|
||||
|
||||
# tls dynamic records patch directive
|
||||
ssl_dyn_rec_enable on;
|
||||
|
||||
# nginx-vts-status module
|
||||
vhost_traffic_status_zone;
|
||||
|
||||
resolver 8.8.8.8 1.1.1.1 valid=300s;
|
||||
resolver_timeout 10;
|
||||
|
||||
##
|
||||
# GeoIP module configuration, before removing comments
|
||||
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
|
||||
##
|
||||
#geoip_country /usr/share/GeoIP/GeoIP.dat;
|
||||
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
ssl_ecdh_curve X25519:P-521:P-384:P-256;
|
||||
|
||||
##Common headers for security
|
||||
more_set_headers "X-Frame-Options : SAMEORIGIN";
|
||||
more_set_headers "X-Xss-Protection : 1; mode=block";
|
||||
more_set_headers "X-Content-Type-Options : nosniff";
|
||||
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
# access_log disabled for performance
|
||||
##
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
# Log format Settings
|
||||
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
|
||||
'$http_host "$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" $server_protocol';
|
||||
|
||||
# ipscrub settings
|
||||
ipscrub_period_seconds 3600;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types
|
||||
application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/rss+xml
|
||||
application/vnd.ms-fontobject
|
||||
application/x-font-ttf
|
||||
application/x-web-app-manifest+json
|
||||
application/xhtml+xml
|
||||
application/xml
|
||||
font/opentype
|
||||
image/svg+xml
|
||||
image/x-icon
|
||||
text/css
|
||||
text/plain
|
||||
text/x-component
|
||||
text/xml
|
||||
text/javascript;
|
||||
|
||||
##
|
||||
# Brotli Settings
|
||||
##
|
||||
|
||||
brotli on;
|
||||
brotli_static on;
|
||||
brotli_buffers 16 8k;
|
||||
brotli_comp_level 6;
|
||||
brotli_types *;
|
||||
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
||||
|
||||
#mail {
|
||||
# # See sample authentication script at:
|
||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
||||
#
|
||||
# # auth_http localhost/auth.php;
|
||||
# # pop3_capabilities "TOP" "USER";
|
||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
||||
#
|
||||
# server {
|
||||
# listen localhost:110;
|
||||
# protocol pop3;
|
||||
# proxy on;
|
||||
# }
|
||||
#
|
||||
# server {
|
||||
# listen localhost:143;
|
||||
# protocol imap;
|
||||
# proxy on;
|
||||
# }
|
||||
#}
|
|
@ -19,11 +19,16 @@ http {
|
|||
# EasyEngine Settings
|
||||
##
|
||||
sendfile on;
|
||||
sendfile_max_chunk 512k;
|
||||
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
|
||||
keepalive_timeout 30;
|
||||
types_hash_max_size 2048;
|
||||
keepalive_timeout 8;
|
||||
keepalive_requests 500;
|
||||
|
||||
lingering_time 20s;
|
||||
lingering_timeout 5s;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
|
@ -72,7 +77,7 @@ http {
|
|||
# ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'TLS13+AESGCM+AES128:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||
ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AES128';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
|
|
|
@ -25,12 +25,12 @@ server {
|
|||
location / {
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
}
|
||||
|
||||
# nginx-vts-status
|
||||
#location /vts_status {
|
||||
#vhost_traffic_status_display;
|
||||
#vhost_traffic_status_display_format html;
|
||||
#}
|
||||
|
||||
# nginx-vts-status
|
||||
location /vts_status {
|
||||
vhost_traffic_status_display;
|
||||
vhost_traffic_status_display_format html;
|
||||
}
|
||||
|
||||
# Display menu at location /fpm/status/
|
||||
location = /fpm/status/ {}
|
||||
|
|
|
@ -1,14 +1,37 @@
|
|||
# Kernel sysctl configuration file
|
||||
# Sources :
|
||||
# Kernel sysctl configuration file for Linux
|
||||
#
|
||||
# Version 1.14 - 2018-09-13
|
||||
# Michiel Klaver - IT Professional
|
||||
# Modified by VirtuBox
|
||||
#
|
||||
# Sources :
|
||||
# https://klaver.it/linux/sysctl.conf
|
||||
# https://easyengine.io/tutorials/linux/sysctl-conf/
|
||||
# http://klaver.it/linux/
|
||||
#
|
||||
#
|
||||
# sysctl -e -p /etc/sysctl.conf
|
||||
# Credits:
|
||||
#
|
||||
# http://www.enigma.id.au/linux_tuning.txt
|
||||
# http://www.securityfocus.com/infocus/1729
|
||||
# http://fasterdata.es.net/TCP-tuning/linux.html
|
||||
# http://fedorahosted.org/ktune/browser/sysctl.ktune
|
||||
# http://www.cymru.com/Documents/ip-stack-tuning.html
|
||||
# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
|
||||
# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
|
||||
# http://knol.google.com/k/linux-performance-tuning-and-measurement
|
||||
# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
|
||||
# http://www.redbooks.ibm.com/abstracts/REDP4285.html
|
||||
# http://www.speedguide.net/read_articles.php?id=121
|
||||
# http://lartc.org/howto/lartc.kernel.obscure.html
|
||||
# http://en.wikipedia.org/wiki/Sysctl
|
||||
#
|
||||
# Usage
|
||||
# wget -O /etc/sysctl.d/10-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/10-ubuntu-nginx-web-server.conf
|
||||
#
|
||||
# sysctl -p
|
||||
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
|
||||
#
|
||||
#
|
||||
|
||||
###
|
||||
### GENERAL SYSTEM SECURITY OPTIONS ###
|
||||
###
|
||||
|
@ -16,9 +39,21 @@
|
|||
# Controls the System Request debugging functionality of the kernel
|
||||
kernel.sysrq = 0
|
||||
|
||||
# Controls whether core dumps will append the PID to the core filename.
|
||||
# Useful for debugging multi-threaded applications.
|
||||
kernel.core_uses_pid = 1
|
||||
|
||||
#Allow for more PIDs
|
||||
kernel.pid_max = 65535
|
||||
|
||||
# The contents of /proc/<pid>/maps and smaps files are only visible to
|
||||
# readers that are allowed to ptrace() the process
|
||||
kernel.maps_protect = 1
|
||||
|
||||
#Enable ExecShield protection
|
||||
kernel.exec-shield = 1
|
||||
kernel.randomize_va_space = 2
|
||||
|
||||
# Controls the maximum size of a message, in bytes
|
||||
kernel.msgmnb = 65535
|
||||
|
||||
|
@ -31,34 +66,44 @@ fs.suid_dumpable = 0
|
|||
# Hide exposed kernel pointers
|
||||
kernel.kptr_restrict = 1
|
||||
|
||||
###
|
||||
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
|
||||
|
||||
# Increase size of file handles and inode cache
|
||||
fs.file-max = 2097152
|
||||
###
|
||||
|
||||
# Increase size of file handles and inode cache
|
||||
fs.file-max = 209708
|
||||
|
||||
# Do less swapping
|
||||
vm.swappiness = 10
|
||||
vm.dirty_ratio = 30
|
||||
vm.dirty_background_ratio = 2
|
||||
vm.dirty_background_ratio = 5
|
||||
|
||||
# Redis configuration
|
||||
# specifies the minimum virtual address that a process is allowed to mmap
|
||||
vm.mmap_min_addr = 4096
|
||||
|
||||
# 50% overcommitment of available memory
|
||||
vm.overcommit_ratio = 50
|
||||
|
||||
# allow memory overcommit required for redis
|
||||
vm.overcommit_memory = 1
|
||||
|
||||
# Set maximum amount of memory allocated to shm to 256MB
|
||||
kernel.shmmax = 268435456
|
||||
kernel.shmall = 268435456
|
||||
|
||||
# Keep at least 64MB of free RAM space available
|
||||
vm.min_free_kbytes = 65535
|
||||
|
||||
###
|
||||
### GENERAL NETWORK SECURITY OPTIONS ###
|
||||
###
|
||||
|
||||
#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
net.ipv4.tcp_syn_retries = 2
|
||||
net.ipv4.tcp_synack_retries = 2
|
||||
net.ipv4.tcp_max_syn_backlog = 4096
|
||||
|
||||
# Disables packet forwarding
|
||||
net.ipv4.ip_forward = 0
|
||||
net.ipv4.conf.all.forwarding = 0
|
||||
net.ipv4.conf.default.forwarding = 0
|
||||
net.ipv6.conf.all.forwarding = 0
|
||||
net.ipv6.conf.default.forwarding = 0
|
||||
|
||||
# Disables IP source routing
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv4.conf.default.send_redirects = 0
|
||||
|
@ -120,7 +165,10 @@ net.ipv6.conf.all.autoconf=0
|
|||
net.ipv6.conf.all.accept_ra=0
|
||||
net.ipv6.conf.default.autoconf=0
|
||||
net.ipv6.conf.default.accept_ra=0
|
||||
|
||||
net.ipv6.conf.all.accept_ra_defrtr = 0
|
||||
net.ipv6.conf.default.accept_ra_defrtr = 0
|
||||
net.ipv6.conf.all.accept_ra_pinfo = 0
|
||||
net.ipv6.conf.default.accept_ra_pinfo = 0
|
||||
|
||||
###
|
||||
### TUNING NETWORK PERFORMANCE ###
|
||||
|
@ -169,9 +217,12 @@ net.ipv4.tcp_tw_reuse = 1
|
|||
net.ipv4.tcp_max_orphans = 16384
|
||||
net.ipv4.tcp_orphan_retries = 0
|
||||
|
||||
# Increase the maximum memory used to reassemble IP fragments
|
||||
net.ipv4.ipfrag_high_thresh = 512000
|
||||
net.ipv4.ipfrag_low_thresh = 446464
|
||||
# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
|
||||
net.ipv4.ipfrag_low_thresh = 196608
|
||||
net.ipv6.ip6frag_low_thresh = 196608
|
||||
net.ipv4.ipfrag_high_thresh = 262144
|
||||
net.ipv6.ip6frag_high_thresh = 262144
|
||||
|
||||
|
||||
# don't cache ssthresh from previous connection
|
||||
net.ipv4.tcp_no_metrics_save = 1
|
|
@ -37,10 +37,11 @@ tmpdir = /tmp
|
|||
lc_messages_dir = /usr/share/mysql
|
||||
lc_messages = en_US
|
||||
skip-external-locking
|
||||
performance_schema = ON
|
||||
#
|
||||
# Instead of skip-networking the default is now to listen only on
|
||||
# localhost which is more compatible and is not less secure.
|
||||
bind-address = 127.0.0.1
|
||||
bind-address = ::ffff:127.0.0.1
|
||||
#
|
||||
# * Fine Tuning
|
||||
#
|
||||
|
@ -71,9 +72,9 @@ read_rnd_buffer_size = 1M
|
|||
#
|
||||
# Cache only tiny result sets, so we can fit more in the query cache.
|
||||
query_cache_limit = 128K
|
||||
query_cache_size = 64M
|
||||
query_cache_size = 0
|
||||
# for more write intensive setups, set to DEMAND or OFF
|
||||
#query_cache_type = DEMAND
|
||||
query_cache_type = 0
|
||||
#
|
||||
# * Logging and Replication
|
||||
#
|
||||
|
@ -89,7 +90,7 @@ query_cache_size = 64M
|
|||
log_warnings = 2
|
||||
#
|
||||
# Enable the slow query log to see queries with especially long duration
|
||||
#slow_query_log[={0|1}]
|
||||
slow_query_log = 1
|
||||
slow_query_log_file = /var/log/mysql/mariadb-slow.log
|
||||
long_query_time = 10
|
||||
#log_slow_rate_limit = 1000
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
# EasyEngine (ee) protect locations using
|
||||
# HTTP authentication || IP address
|
||||
satisfy any;
|
||||
auth_basic "Restricted Area";
|
||||
auth_basic_user_file htpasswd-ee;
|
||||
# Allowed IP Address List
|
||||
allow 127.0.0.1;
|
||||
deny all;
|
|
@ -1,79 +1,131 @@
|
|||
# NGINX CONFIGURATION FOR COMMON LOCATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Basic locations files
|
||||
location = /favicon.ico {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(css|js)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
|
||||
#location ~ /\.well-known {
|
||||
# allow all;
|
||||
#}
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Deny backup extensions & log files
|
||||
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
|
||||
location ~* "/(^$|readme|license|example)\.(txt|html)" {
|
||||
return 403;
|
||||
}
|
||||
# Status pages
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
include common/acl.conf;
|
||||
}
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
include common/acl.conf;
|
||||
}
|
||||
# EasyEngine (ee) utilities
|
||||
# phpMyAdmin settings
|
||||
location /pma {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpMyAdmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpmyadmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
# Adminer settings
|
||||
location /adminer {
|
||||
return 301 https://$host:22222/db/adminer;
|
||||
}
|
||||
# NGINX CONFIGURATION FOR COMMON LOCATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Basic locations files
|
||||
location = /favicon.ico {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache css & js files
|
||||
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location ~ /\.(?!well-known\/) {
|
||||
deny all;
|
||||
}
|
||||
# Use the directory /var/www/html to valide acme-challenge
|
||||
# just create the sub-directories .well-known/acme-challenge and set www-data as owner
|
||||
# #
|
||||
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
|
||||
# #
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
|
||||
location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
|
||||
deny all;
|
||||
}
|
||||
# Deny backup extensions & log files and return 403 forbidden
|
||||
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
|
||||
deny all;
|
||||
}
|
||||
# common nginx configuration to block sql injection and other attacks
|
||||
location ~* "(eval\()" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(127\.0\.0\.1)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "([a-z0-9]{2000})" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(javascript\:)(.*)(\;)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(base64_encode)(.*)(\()" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(<|%3C).*script.*(>|%3)" {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(boot\.ini|etc/passwd|self/environ)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(https?|ftp|php):/" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
|
||||
deny all;
|
||||
}
|
||||
# Status pages
|
||||
location = /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
include common/acl.conf;
|
||||
}
|
||||
location ~ ^/(status|ping)$ {
|
||||
include fastcgi_params;
|
||||
include common/acl.conf;
|
||||
fastcgi_pass php7;
|
||||
}
|
||||
# EasyEngine (ee) utilities
|
||||
# phpMyAdmin settings
|
||||
location = /pma {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location = /phpMyAdmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location = /phpmyadmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
# Adminer settings
|
||||
location = /adminer {
|
||||
return 301 https://$host:22222/db/adminer;
|
||||
}
|
||||
|
|
|
@ -1,79 +1,133 @@
|
|||
# NGINX CONFIGURATION FOR COMMON LOCATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Basic locations files
|
||||
location = /favicon.ico {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(css|js)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
|
||||
#location ~ /\.well-known {
|
||||
# allow all;
|
||||
#}
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Deny backup extensions & log files
|
||||
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
|
||||
location ~* "/(^$|readme|license|example)\.(txt|html)" {
|
||||
return 403;
|
||||
}
|
||||
# Status pages
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
include common/acl.conf;
|
||||
}
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php71;
|
||||
include common/acl.conf;
|
||||
}
|
||||
# EasyEngine (ee) utilities
|
||||
# phpMyAdmin settings
|
||||
location /pma {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpMyAdmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpmyadmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
# Adminer settings
|
||||
location /adminer {
|
||||
return 301 https://$host:22222/db/adminer;
|
||||
}
|
||||
# NGINX CONFIGURATION FOR COMMON LOCATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Basic locations files
|
||||
location = /favicon.ico {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$
|
||||
{
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache css & js files
|
||||
location ~* \.(?:css(\.map)?|js(\.map)?)$
|
||||
{
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location ~ /\.(?!well-known\/) {
|
||||
deny all;
|
||||
}
|
||||
# Use the directory /var/www/html to valide acme-challenge
|
||||
# just create the sub-directories .well-known/acme-challenge and set www-data as owner
|
||||
# #
|
||||
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
|
||||
# #
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
|
||||
location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
|
||||
deny all;
|
||||
}
|
||||
# Deny backup extensions & log files and return 403 forbidden
|
||||
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
|
||||
deny all;
|
||||
}
|
||||
# common nginx configuration to block sql injection and other attacks
|
||||
location ~* "(eval\()" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(127\.0\.0\.1)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "([a-z0-9]{2000})" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(javascript\:)(.*)(\;)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(base64_encode)(.*)(\()" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(<|%3C).*script.*(>|%3)" {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(boot\.ini|etc/passwd|self/environ)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(https?|ftp|php):/" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
|
||||
deny all;
|
||||
}
|
||||
# Status pages
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
include common/acl.conf;
|
||||
}
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php71;
|
||||
include common/acl.conf;
|
||||
}
|
||||
# EasyEngine (ee) utilities
|
||||
# phpMyAdmin settings
|
||||
location /pma {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpMyAdmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpmyadmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
# Adminer settings
|
||||
location /adminer {
|
||||
return 301 https://$host:22222/db/adminer;
|
||||
}
|
||||
|
|
|
@ -1,79 +1,137 @@
|
|||
# NGINX CONFIGURATION FOR COMMON LOCATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Basic locations files
|
||||
location = /favicon.ico {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(css|js)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
|
||||
#location ~ /\.well-known {
|
||||
# allow all;
|
||||
#}
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Deny backup extensions & log files
|
||||
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
|
||||
location ~* "/(^$|readme|license|example)\.(txt|html)" {
|
||||
return 403;
|
||||
}
|
||||
# Status pages
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
include common/acl.conf;
|
||||
}
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php71;
|
||||
include common/acl.conf;
|
||||
}
|
||||
# EasyEngine (ee) utilities
|
||||
# phpMyAdmin settings
|
||||
location /pma {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpMyAdmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpmyadmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
# Adminer settings
|
||||
location /adminer {
|
||||
return 301 https://$host:22222/db/adminer;
|
||||
}
|
||||
# NGINX CONFIGURATION FOR COMMON LOCATION
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Basic locations files
|
||||
location = /favicon.ico {
|
||||
try_files /favicon.ico @empty;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
|
||||
}
|
||||
|
||||
location @empty {
|
||||
empty_gif;
|
||||
}
|
||||
location = /robots.txt {
|
||||
# Some WordPress plugin gererate robots.txt file
|
||||
# Refer #340 issue
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Cache static files
|
||||
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
}
|
||||
# Cache css & js files
|
||||
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires 30d;
|
||||
}
|
||||
# Security settings for better privacy
|
||||
# Deny hidden files
|
||||
location ~ /\.(?!well-known\/) {
|
||||
deny all;
|
||||
}
|
||||
# Use the directory /var/www/html to valide acme-challenge
|
||||
# just create the sub-directories .well-known/acme-challenge and set www-data as owner
|
||||
# #
|
||||
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
|
||||
# #
|
||||
location /.well-known/acme-challenge/ {
|
||||
alias /var/www/html/.well-known/acme-challenge/;
|
||||
}
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
|
||||
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
|
||||
deny all;
|
||||
}
|
||||
# Deny backup extensions & log files and return 403 forbidden
|
||||
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
|
||||
deny all;
|
||||
}
|
||||
# common nginx configuration to block sql injection and other attacks
|
||||
location ~* "(eval\()" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(127\.0\.0\.1)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "([a-z0-9]{2000})" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(javascript\:)(.*)(\;)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(base64_encode)(.*)(\()" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(<|%3C).*script.*(>|%3)" {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(boot\.ini|etc/passwd|self/environ)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(https?|ftp|php):/" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
|
||||
deny all;
|
||||
}
|
||||
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
|
||||
deny all;
|
||||
}
|
||||
# Status pages
|
||||
location /nginx_status {
|
||||
stub_status on;
|
||||
access_log off;
|
||||
include common/acl.conf;
|
||||
}
|
||||
location ~ ^/(status|ping) {
|
||||
include fastcgi_params;
|
||||
include common/acl.conf;
|
||||
fastcgi_pass php72;
|
||||
}
|
||||
# EasyEngine (ee) utilities
|
||||
# phpMyAdmin settings
|
||||
location /pma {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpMyAdmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
location /phpmyadmin {
|
||||
return 301 https://$host:22222/db/pma;
|
||||
}
|
||||
# Adminer settings
|
||||
location /adminer {
|
||||
return 301 https://$host:22222/db/adminer;
|
||||
}
|
||||
|
|
|
@ -1,33 +1,37 @@
|
|||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
location ~* ^/wp-content/.+\.(png|jpg)$ {
|
||||
add_header Vary Accept;
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
||||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder and add webp rewrite
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
# webp rewrite rules
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
}
|
||||
# mitigate DoS attack CVE with WordPress script concatenation
|
||||
# add the following line to wp-config.php
|
||||
# define( 'CONCATENATE_SCRIPTS', false );
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
||||
|
|
|
@ -1,35 +1,37 @@
|
|||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php71;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder and add webp rewrite
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
}
|
||||
|
||||
# mitigate DoS attack CVE with WordPress script concatenation
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
||||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php71;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder and add webp rewrite
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
# webp rewrite rules
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
}
|
||||
# mitigate DoS attack CVE with WordPress script concatenation
|
||||
# add the following line to wp-config.php
|
||||
# define( 'CONCATENATE_SCRIPTS', false );
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
||||
|
|
|
@ -1,35 +1,37 @@
|
|||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php72;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder and add webp rewrite
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
}
|
||||
|
||||
# mitigate DoS attack CVE with WordPress script concatenation
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
||||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php72;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# Disallow php in upload folder and add webp rewrite
|
||||
location /wp-content/uploads/ {
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
# webp rewrite rules
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
}
|
||||
# mitigate DoS attack CVE with WordPress script concatenation
|
||||
# add the following line to wp-config.php
|
||||
# define( 'CONCATENATE_SCRIPTS', false );
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
||||
|
|
|
@ -18,10 +18,16 @@ http
|
|||
##
|
||||
|
||||
sendfile on;
|
||||
sendfile_max_chunk 512k;
|
||||
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 30;
|
||||
types_hash_max_size 2048;
|
||||
|
||||
keepalive_timeout 8;
|
||||
keepalive_requests 500;
|
||||
|
||||
lingering_time 20s;
|
||||
lingering_timeout 5s;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
|
|
|
@ -0,0 +1,186 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
worker_cpu_affinity auto;
|
||||
worker_rlimit_nofile 100000;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events
|
||||
{
|
||||
worker_connections 16384;
|
||||
multi_accept on;
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http
|
||||
{
|
||||
##
|
||||
# EasyEngine Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
sendfile_max_chunk 512k;
|
||||
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
|
||||
keepalive_timeout 8;
|
||||
keepalive_requests 500;
|
||||
|
||||
lingering_time 20s;
|
||||
lingering_timeout 5s;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
add_header X-Powered-By "EasyEngine v3.8.1 - Optimized by VirtuBox";
|
||||
add_header rt-Fastcgi-Cache $upstream_cache_status;
|
||||
|
||||
# Limit Request
|
||||
limit_req_status 403;
|
||||
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
|
||||
|
||||
#Simple DOS mitigation
|
||||
##Max c/s by ip
|
||||
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||
#limit_conn limit_per_ip 80;
|
||||
|
||||
##Max rq/s by ip
|
||||
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
||||
#limit_req zone=allips burst=400 nodelay;
|
||||
|
||||
# Proxy Settings
|
||||
# set_real_ip_from proxy-server-ip;
|
||||
# real_ip_header X-Forwarded-For;
|
||||
|
||||
fastcgi_read_timeout 120s;
|
||||
client_max_body_size 100m;
|
||||
|
||||
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
||||
aio threads;
|
||||
|
||||
# tls dynamic records patch directive
|
||||
ssl_dyn_rec_enable on;
|
||||
|
||||
# nginx-vts-status module
|
||||
vhost_traffic_status_zone;
|
||||
|
||||
resolver 8.8.8.8 1.1.1.1 valid=300s;
|
||||
resolver_timeout 10;
|
||||
|
||||
##
|
||||
# GeoIP module configuration, before removing comments
|
||||
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
|
||||
##
|
||||
#geoip_country /usr/share/GeoIP/GeoIP.dat;
|
||||
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_ciphers 'EECDH+CHACHA20:EECDH+AESGCM';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
ssl_ecdh_curve X25519:P-521:P-384:P-256;
|
||||
|
||||
##Common headers for security
|
||||
more_set_headers "X-Frame-Options : SAMEORIGIN";
|
||||
more_set_headers "X-Xss-Protection : 1; mode=block";
|
||||
more_set_headers "X-Content-Type-Options : nosniff";
|
||||
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
# access_log disabled for performance
|
||||
##
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
# Log format Settings
|
||||
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
|
||||
'$http_host "$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" $server_protocol';
|
||||
|
||||
# ipscrub settings
|
||||
ipscrub_period_seconds 3600;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types
|
||||
application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/rss+xml
|
||||
application/vnd.ms-fontobject
|
||||
application/x-font-ttf
|
||||
application/x-web-app-manifest+json
|
||||
application/xhtml+xml
|
||||
application/xml
|
||||
font/opentype
|
||||
image/svg+xml
|
||||
image/x-icon
|
||||
text/css
|
||||
text/plain
|
||||
text/x-component
|
||||
text/xml
|
||||
text/javascript;
|
||||
|
||||
##
|
||||
# Brotli Settings
|
||||
##
|
||||
|
||||
brotli on;
|
||||
brotli_static on;
|
||||
brotli_buffers 16 8k;
|
||||
brotli_comp_level 6;
|
||||
brotli_types *;
|
||||
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
||||
|
||||
#mail {
|
||||
# # See sample authentication script at:
|
||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
||||
#
|
||||
# # auth_http localhost/auth.php;
|
||||
# # pop3_capabilities "TOP" "USER";
|
||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
||||
#
|
||||
# server {
|
||||
# listen localhost:110;
|
||||
# protocol pop3;
|
||||
# proxy on;
|
||||
# }
|
||||
#
|
||||
# server {
|
||||
# listen localhost:143;
|
||||
# protocol imap;
|
||||
# proxy on;
|
||||
# }
|
||||
#}
|
|
@ -19,11 +19,16 @@ http {
|
|||
# EasyEngine Settings
|
||||
##
|
||||
sendfile on;
|
||||
sendfile_max_chunk 512k;
|
||||
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
|
||||
keepalive_timeout 30;
|
||||
types_hash_max_size 2048;
|
||||
keepalive_timeout 8;
|
||||
keepalive_requests 500;
|
||||
|
||||
lingering_time 20s;
|
||||
lingering_timeout 5s;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
|
@ -71,7 +76,7 @@ http {
|
|||
# ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'TLS13+AESGCM+AES128:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||
ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AES128';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
|
|
|
@ -26,33 +26,59 @@ server {
|
|||
vhost_traffic_status_display_format html;
|
||||
}
|
||||
|
||||
# Display menu at location /fpm/status/
|
||||
location = /fpm/status/;
|
||||
location ~ /fpm/status/(.*) {
|
||||
try_files $uri =404;
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_NAME /status;
|
||||
fastcgi_pass $1;
|
||||
}
|
||||
location ~ \.php$ {
|
||||
try_files $uri =404;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
}
|
||||
|
||||
# ViMbAdmin Rules
|
||||
location = /vimbadmin/ {
|
||||
return 301 $scheme://$host:22222/vimbadmin/public/;
|
||||
}
|
||||
location ~* /vimbadmin/public/(.*)/(.*) {
|
||||
root /var/www/22222/htdocs/vimbadmin/public;
|
||||
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
|
||||
}
|
||||
location ~* /vimbadmin/public/(.*) {
|
||||
root /var/www/22222/htdocs/vimbadmin/public;
|
||||
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
|
||||
}
|
||||
location /netdata {
|
||||
root /var/www/22222/htdocs;
|
||||
index index.php index.htm index.html;
|
||||
|
||||
# Turn on directory listing
|
||||
autoindex on;
|
||||
|
||||
# HTTP Authentication on port 22222
|
||||
include common/acl.conf;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
}
|
||||
|
||||
# nginx-vts-status
|
||||
location /vts_status {
|
||||
vhost_traffic_status_display;
|
||||
vhost_traffic_status_display_format html;
|
||||
}
|
||||
|
||||
# Display menu at location /fpm/status/
|
||||
location = /fpm/status/ {}
|
||||
|
||||
location ~ /fpm/status/(.*) {
|
||||
try_files $uri =404;
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_NAME /status;
|
||||
fastcgi_pass $1;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
try_files $uri =404;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php7;
|
||||
}
|
||||
|
||||
# ViMbAdmin Rules
|
||||
location = /vimbadmin/ {
|
||||
return 301 $scheme://$host:22222/vimbadmin/public/;
|
||||
}
|
||||
|
||||
|
||||
|
||||
location ~* /vimbadmin/public/(.*)/(.*) {
|
||||
root /var/www/22222/htdocs/vimbadmin/public;
|
||||
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
|
||||
}
|
||||
|
||||
location ~* /vimbadmin/public/(.*) {
|
||||
root /var/www/22222/htdocs/vimbadmin/public;
|
||||
try_files $uri $uri/ /vimbadmin/public/index.php?$args;
|
||||
}
|
||||
|
||||
location /netdata {
|
||||
return 301 /netdata/;
|
||||
}
|
||||
location ~ /netdata/(?<ndpath>.*) {
|
||||
|
|
|
@ -1,14 +1,37 @@
|
|||
# Kernel sysctl configuration file
|
||||
# Sources :
|
||||
# Kernel sysctl configuration file for Linux
|
||||
#
|
||||
# Version 1.14 - 2018-09-13
|
||||
# Michiel Klaver - IT Professional
|
||||
# Modified by VirtuBox
|
||||
#
|
||||
# Sources :
|
||||
# https://klaver.it/linux/sysctl.conf
|
||||
# https://easyengine.io/tutorials/linux/sysctl-conf/
|
||||
# http://klaver.it/linux/
|
||||
#
|
||||
#
|
||||
# sysctl -e -p /etc/sysctl.conf
|
||||
# Credits:
|
||||
#
|
||||
# http://www.enigma.id.au/linux_tuning.txt
|
||||
# http://www.securityfocus.com/infocus/1729
|
||||
# http://fasterdata.es.net/TCP-tuning/linux.html
|
||||
# http://fedorahosted.org/ktune/browser/sysctl.ktune
|
||||
# http://www.cymru.com/Documents/ip-stack-tuning.html
|
||||
# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
|
||||
# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
|
||||
# http://knol.google.com/k/linux-performance-tuning-and-measurement
|
||||
# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
|
||||
# http://www.redbooks.ibm.com/abstracts/REDP4285.html
|
||||
# http://www.speedguide.net/read_articles.php?id=121
|
||||
# http://lartc.org/howto/lartc.kernel.obscure.html
|
||||
# http://en.wikipedia.org/wiki/Sysctl
|
||||
#
|
||||
# Usage
|
||||
# wget -O /etc/sysctl.d/10-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/10-ubuntu-nginx-web-server.conf
|
||||
#
|
||||
# sysctl -e -p /etc/sysctl.d/10-ubuntu-nginx-web-server.conf
|
||||
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
|
||||
#
|
||||
#
|
||||
|
||||
###
|
||||
### GENERAL SYSTEM SECURITY OPTIONS ###
|
||||
###
|
||||
|
@ -16,9 +39,21 @@
|
|||
# Controls the System Request debugging functionality of the kernel
|
||||
kernel.sysrq = 0
|
||||
|
||||
# Controls whether core dumps will append the PID to the core filename.
|
||||
# Useful for debugging multi-threaded applications.
|
||||
kernel.core_uses_pid = 1
|
||||
|
||||
#Allow for more PIDs
|
||||
kernel.pid_max = 65535
|
||||
|
||||
# The contents of /proc/<pid>/maps and smaps files are only visible to
|
||||
# readers that are allowed to ptrace() the process
|
||||
kernel.maps_protect = 1
|
||||
|
||||
#Enable ExecShield protection
|
||||
kernel.exec-shield = 1
|
||||
kernel.randomize_va_space = 2
|
||||
|
||||
# Controls the maximum size of a message, in bytes
|
||||
kernel.msgmnb = 65535
|
||||
|
||||
|
@ -31,34 +66,44 @@ fs.suid_dumpable = 0
|
|||
# Hide exposed kernel pointers
|
||||
kernel.kptr_restrict = 1
|
||||
|
||||
###
|
||||
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
|
||||
|
||||
# Increase size of file handles and inode cache
|
||||
fs.file-max = 2097152
|
||||
###
|
||||
|
||||
# Increase size of file handles and inode cache
|
||||
fs.file-max = 209708
|
||||
|
||||
# Do less swapping
|
||||
vm.swappiness = 10
|
||||
vm.dirty_ratio = 30
|
||||
vm.dirty_background_ratio = 2
|
||||
vm.dirty_background_ratio = 5
|
||||
|
||||
# Redis configuration
|
||||
# specifies the minimum virtual address that a process is allowed to mmap
|
||||
vm.mmap_min_addr = 4096
|
||||
|
||||
# 50% overcommitment of available memory
|
||||
vm.overcommit_ratio = 50
|
||||
|
||||
# allow memory overcommit required for redis
|
||||
vm.overcommit_memory = 1
|
||||
|
||||
# Set maximum amount of memory allocated to shm to 256MB
|
||||
kernel.shmmax = 268435456
|
||||
kernel.shmall = 268435456
|
||||
|
||||
# Keep at least 64MB of free RAM space available
|
||||
vm.min_free_kbytes = 65535
|
||||
|
||||
###
|
||||
### GENERAL NETWORK SECURITY OPTIONS ###
|
||||
###
|
||||
|
||||
#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
net.ipv4.tcp_syn_retries = 2
|
||||
net.ipv4.tcp_synack_retries = 2
|
||||
net.ipv4.tcp_max_syn_backlog = 4096
|
||||
|
||||
# Disables packet forwarding
|
||||
net.ipv4.ip_forward = 0
|
||||
net.ipv4.conf.all.forwarding = 0
|
||||
net.ipv4.conf.default.forwarding = 0
|
||||
net.ipv6.conf.all.forwarding = 0
|
||||
net.ipv6.conf.default.forwarding = 0
|
||||
|
||||
# Disables IP source routing
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv4.conf.default.send_redirects = 0
|
||||
|
@ -120,7 +165,10 @@ net.ipv6.conf.all.autoconf=0
|
|||
net.ipv6.conf.all.accept_ra=0
|
||||
net.ipv6.conf.default.autoconf=0
|
||||
net.ipv6.conf.default.accept_ra=0
|
||||
|
||||
net.ipv6.conf.all.accept_ra_defrtr = 0
|
||||
net.ipv6.conf.default.accept_ra_defrtr = 0
|
||||
net.ipv6.conf.all.accept_ra_pinfo = 0
|
||||
net.ipv6.conf.default.accept_ra_pinfo = 0
|
||||
|
||||
###
|
||||
### TUNING NETWORK PERFORMANCE ###
|
||||
|
@ -169,9 +217,12 @@ net.ipv4.tcp_tw_reuse = 1
|
|||
net.ipv4.tcp_max_orphans = 16384
|
||||
net.ipv4.tcp_orphan_retries = 0
|
||||
|
||||
# Increase the maximum memory used to reassemble IP fragments
|
||||
net.ipv4.ipfrag_high_thresh = 512000
|
||||
net.ipv4.ipfrag_low_thresh = 446464
|
||||
# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
|
||||
net.ipv4.ipfrag_low_thresh = 196608
|
||||
net.ipv6.ip6frag_low_thresh = 196608
|
||||
net.ipv4.ipfrag_high_thresh = 262144
|
||||
net.ipv6.ip6frag_high_thresh = 262144
|
||||
|
||||
|
||||
# don't cache ssthresh from previous connection
|
||||
net.ipv4.tcp_no_metrics_save = 1
|
Loading…
Reference in New Issue