add nginx vts module settings

docs/files/etc/nginx/common/protect.conf

@@ -0,0 +1,21 @@
+# nginx common web app exploits protection 
+
+location ~* "(eval\()"  { deny all; }
+location ~* "(127\.0\.0\.1)"  { deny all; }
+location ~* "([a-z0-9]{2000})"  { deny all; }
+location ~* "(javascript\:)(.*)(\;)"  { deny all; }
+location ~* "(base64_encode)(.*)(\()"  { deny all; }
+location ~* "(GLOBALS|REQUEST)(=|\[|%)"  { deny all; }
+location ~* "(<|%3C).*script.*(>|%3)" { deny all; }
+location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { deny all; }
+location ~* "(boot\.ini|etc/passwd|self/environ)" { deny all; }
+location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { deny all; }
+location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { deny all; }
+location ~* "(https?|ftp|php):/" { deny all; }
+location ~* "(=\\\'|=\\%27|/\\\'/?)\." { deny all; }
+location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { deny all; }
+location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { deny all; }
+location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { deny all; }
+location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { deny all; }
+location ~* "\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { deny all; }
+location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { deny all; }

docs/files/etc/nginx/nginx-intermediate.conf

@@ -53,6 +53,12 @@ http
 
     # tls dynamic records patch directive
     ssl_dyn_rec_enable on;
+    
+    # nginx-vts-status module
+    #vhost_traffic_status_zone;
+    
+    resolver 8.8.8.8 1.1.1.1 valid=300s;
+    resolver_timeout 10;
 
     ##
     # GeoIP module configuration, before removing comments

docs/files/etc/nginx/nginx-tlsv12.conf

@@ -53,6 +53,12 @@ http
     
     # tls dynamic records patch directive
     ssl_dyn_rec_enable on;
+    
+    # nginx-vts-status module
+    #vhost_traffic_status_zone;
+    
+    resolver 8.8.8.8 1.1.1.1 valid=300s;
+    resolver_timeout 10;
 
     ##
     # GeoIP module configuration, before removing comments

docs/files/etc/nginx/nginx.conf

@@ -53,6 +53,13 @@ http
     
     # tls dynamic records patch directive
     ssl_dyn_rec_enable on;
+    
+    # nginx-vts-status module
+    #vhost_traffic_status_zone;
+    
+    # dns resolver for oscp
+    resolver 8.8.8.8 1.1.1.1 valid=300s;
+    resolver_timeout 10;
 
     ##
     # GeoIP module configuration, before removing comments

docs/files/etc/nginx/proxy_params

@@ -8,3 +8,4 @@ proxy_buffers 256 16k;
 proxy_busy_buffers_size 256k;
 proxy_temp_file_write_size 256k;
 proxy_max_temp_file_size 0;
+proxy_read_timeout 3000;

docs/files/etc/nginx/sites-available/22222

@@ -25,6 +25,12 @@ server {
   location / {
     try_files $uri $uri/ /index.php?$args;
   }
+  
+  # nginx-vts-status 
+  #location /vts_status {
+  #vhost_traffic_status_display;
+  #vhost_traffic_status_display_format html;
+  #}
 
   # Display menu at location /fpm/status/
   location =  /fpm/status/ {}

etc/nginx/common/protect.conf

@@ -0,0 +1,21 @@
+# nginx common web app exploits protection 
+
+location ~* "(eval\()"  { deny all; }
+location ~* "(127\.0\.0\.1)"  { deny all; }
+location ~* "([a-z0-9]{2000})"  { deny all; }
+location ~* "(javascript\:)(.*)(\;)"  { deny all; }
+location ~* "(base64_encode)(.*)(\()"  { deny all; }
+location ~* "(GLOBALS|REQUEST)(=|\[|%)"  { deny all; }
+location ~* "(<|%3C).*script.*(>|%3)" { deny all; }
+location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { deny all; }
+location ~* "(boot\.ini|etc/passwd|self/environ)" { deny all; }
+location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { deny all; }
+location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { deny all; }
+location ~* "(https?|ftp|php):/" { deny all; }
+location ~* "(=\\\'|=\\%27|/\\\'/?)\." { deny all; }
+location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { deny all; }
+location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { deny all; }
+location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { deny all; }
+location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { deny all; }
+location ~* "\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { deny all; }
+location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { deny all; }

etc/nginx/nginx-intermediate.conf

@@ -53,6 +53,13 @@ http
 
     # tls dynamic records patch directive
     ssl_dyn_rec_enable on;
+    
+    # nginx-vts-status module
+    #vhost_traffic_status_zone;
+    
+    resolver 8.8.8.8 1.1.1.1 valid=300s;
+    resolver_timeout 10;
+
 
     ##
     # GeoIP module configuration, before removing comments

etc/nginx/nginx-tlsv12.conf

@@ -53,6 +53,12 @@ http
     
     # tls dynamic records patch directive
     ssl_dyn_rec_enable on;
+    
+    # nginx-vts-status module
+    #vhost_traffic_status_zone;
+    
+    resolver 8.8.8.8 1.1.1.1 valid=300s;
+    resolver_timeout 10;
 
     ##
     # GeoIP module configuration, before removing comments

etc/nginx/nginx.conf

@@ -53,6 +53,12 @@ http
     
     # tls dynamic records patch directive
     ssl_dyn_rec_enable on;
+    
+    # nginx-vts-status module
+    #vhost_traffic_status_zone;
+    
+    resolver 8.8.8.8 1.1.1.1 valid=300s;
+    resolver_timeout 10;
 
     ##
     # GeoIP module configuration, before removing comments

etc/nginx/proxy_params

@@ -8,3 +8,4 @@ proxy_buffers 256 16k;
 proxy_busy_buffers_size 256k;
 proxy_temp_file_write_size 256k;
 proxy_max_temp_file_size 0;
+proxy_read_timeout 3000;

etc/nginx/sites-available/22222

@@ -25,6 +25,12 @@ server {
   location / {
     try_files $uri $uri/ /index.php?$args;
   }
+  
+  # nginx-vts-status 
+  #location /vts_status {
+  #vhost_traffic_status_display;
+  #vhost_traffic_status_display_format html;
+  #}
 
   # Display menu at location /fpm/status/
   location =  /fpm/status/ {}