diff --git a/common.zip b/common.zip index 193080c..38d07e6 100644 Binary files a/common.zip and b/common.zip differ diff --git a/docs/files/common.zip b/docs/files/common.zip index 193080c..38d07e6 100644 Binary files a/docs/files/common.zip and b/docs/files/common.zip differ diff --git a/docs/files/etc/nginx/common/locations-php7.conf b/docs/files/etc/nginx/common/locations-php7.conf index c1c06a8..9d483d2 100644 --- a/docs/files/etc/nginx/common/locations-php7.conf +++ b/docs/files/etc/nginx/common/locations-php7.conf @@ -1,133 +1,131 @@ -# NGINX CONFIGURATION FOR COMMON LOCATION -# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) -# Basic locations files -location = /favicon.ico { - access_log off; - log_not_found off; - expires max; -} -location = /robots.txt { - # Some WordPress plugin gererate robots.txt file - # Refer #340 issue - try_files $uri $uri/ /index.php?$args; - access_log off; - log_not_found off; -} -# Cache static files -location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ -{ - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires max; -} -# Cache css & js files -location ~* \.(?:css(\.map)?|js(\.map)?)$ -{ - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires 30d; -} -# Security settings for better privacy -# Deny hidden files -location ~ /\. { - deny all; -} -# Use the directory /var/www/html to valide acme-challenge -# just create the sub-directories .well-known/acme-challenge and set www-data as owner -# # -# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge -# # -location /.well-known/acme-challenge/ { - alias /var/www/html/.well-known/acme-challenge/; -} -# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files -location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" { - deny all; -} -# Deny backup extensions & log files and return 403 forbidden -location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { - deny all; -} -# common nginx configuration to block sql injection and other attacks -location ~* "(eval\()" { - deny all; -} -location ~* "(127\.0\.0\.1)" { - deny all; -} -location ~* "([a-z0-9]{2000})" { - deny all; -} -location ~* "(javascript\:)(.*)(\;)" { - deny all; -} -location ~* "(base64_encode)(.*)(\()" { - deny all; -} -location ~* "(GLOBALS|REQUEST)(=|\[|%)" { - deny all; -} -location ~* "(<|%3C).*script.*(>|%3)" { - deny all; -} -location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { - deny all; -} -location ~* "(boot\.ini|etc/passwd|self/environ)" { - deny all; -} -location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { - deny all; -} -location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { - deny all; -} -location ~* "(https?|ftp|php):/" { - deny all; -} -location ~* "(=\\\'|=\\%27|/\\\'/?)\." { - deny all; -} -location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { - deny all; -} -location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { - deny all; -} -location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { - deny all; -} -location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { - deny all; -} -location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { - deny all; -} -# Status pages -location = /nginx_status { - stub_status on; - access_log off; - include common/acl.conf; -} -location ~ ^/(status|ping)$ { - include fastcgi_params; - fastcgi_pass php7; - include common/acl.conf; -} -# EasyEngine (ee) utilities -# phpMyAdmin settings -location = /pma { - return 301 https://$host:22222/db/pma; -} -location = /phpMyAdmin { - return 301 https://$host:22222/db/pma; -} -location = /phpmyadmin { - return 301 https://$host:22222/db/pma; -} -# Adminer settings -location = /adminer { - return 301 https://$host:22222/db/adminer; -} +# NGINX CONFIGURATION FOR COMMON LOCATION +# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) +# Basic locations files +location = /favicon.ico { + access_log off; + log_not_found off; + expires max; +} +location = /robots.txt { +# Some WordPress plugin gererate robots.txt file +# Refer #340 issue + try_files $uri $uri/ /index.php?$args; + access_log off; + log_not_found off; +} +# Cache static files +location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires max; +} +# Cache css & js files +location ~* \.(?:css(\.map)?|js(\.map)?)$ { + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires 30d; +} +# Security settings for better privacy +# Deny hidden files +location ~ /\. { + deny all; +} +# Use the directory /var/www/html to valide acme-challenge +# just create the sub-directories .well-known/acme-challenge and set www-data as owner +# # +# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge +# # +location /.well-known/acme-challenge/ { + alias /var/www/html/.well-known/acme-challenge/; +} +# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files +location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" { + deny all; +} +# Deny backup extensions & log files and return 403 forbidden +location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { + deny all; +} +# common nginx configuration to block sql injection and other attacks +location ~* "(eval\()" { + deny all; +} +location ~* "(127\.0\.0\.1)" { + deny all; +} +location ~* "([a-z0-9]{2000})" { + deny all; +} +location ~* "(javascript\:)(.*)(\;)" { + deny all; +} +location ~* "(base64_encode)(.*)(\()" { + deny all; +} +location ~* "(GLOBALS|REQUEST)(=|\[|%)" { + deny all; +} +location ~* "(<|%3C).*script.*(>|%3)" { + deny all; +} +location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { + deny all; +} +location ~* "(boot\.ini|etc/passwd|self/environ)" { + deny all; +} +location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { + deny all; +} +location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { + deny all; +} +location ~* "(https?|ftp|php):/" { + deny all; +} +location ~* "(=\\\'|=\\%27|/\\\'/?)\." { + deny all; +} +location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { + deny all; +} +location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { + deny all; +} +location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { + deny all; +} +location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { + deny all; +} +location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { + deny all; +} +# Status pages +location = /nginx_status { + stub_status on; + access_log off; + include common/acl.conf; +} +location ~ ^/(status|ping)$ { + include fastcgi_params; + include common/acl.conf; + fastcgi_pass php7; +} +# EasyEngine (ee) utilities +# phpMyAdmin settings +location = /pma { + return 301 https://$host:22222/db/pma; +} +location = /phpMyAdmin { + return 301 https://$host:22222/db/pma; +} +location = /phpmyadmin { + return 301 https://$host:22222/db/pma; +} +# Adminer settings +location = /adminer { + return 301 https://$host:22222/db/adminer; +} diff --git a/docs/files/etc/nginx/common/locations-php71.conf b/docs/files/etc/nginx/common/locations-php71.conf index 3509b64..16585ab 100644 --- a/docs/files/etc/nginx/common/locations-php71.conf +++ b/docs/files/etc/nginx/common/locations-php71.conf @@ -1,133 +1,133 @@ -# NGINX CONFIGURATION FOR COMMON LOCATION -# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) -# Basic locations files -location = /favicon.ico { - access_log off; - log_not_found off; - expires max; -} -location = /robots.txt { - # Some WordPress plugin gererate robots.txt file - # Refer #340 issue - try_files $uri $uri/ /index.php?$args; - access_log off; - log_not_found off; -} -# Cache static files -location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ -{ - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires max; -} -# Cache css & js files -location ~* \.(?:css(\.map)?|js(\.map)?)$ -{ - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires 30d; -} -# Security settings for better privacy -# Deny hidden files -location ~ /\. { - deny all; -} -# Use the directory /var/www/html to valide acme-challenge -# just create the sub-directories .well-known/acme-challenge and set www-data as owner -# # -# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge -# # -location /.well-known/acme-challenge/ { - alias /var/www/html/.well-known/acme-challenge/; -} -# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files -location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" { - deny all; -} -# Deny backup extensions & log files and return 403 forbidden -location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { - deny all; -} -# common nginx configuration to block sql injection and other attacks -location ~* "(eval\()" { - deny all; -} -location ~* "(127\.0\.0\.1)" { - deny all; -} -location ~* "([a-z0-9]{2000})" { - deny all; -} -location ~* "(javascript\:)(.*)(\;)" { - deny all; -} -location ~* "(base64_encode)(.*)(\()" { - deny all; -} -location ~* "(GLOBALS|REQUEST)(=|\[|%)" { - deny all; -} -location ~* "(<|%3C).*script.*(>|%3)" { - deny all; -} -location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { - deny all; -} -location ~* "(boot\.ini|etc/passwd|self/environ)" { - deny all; -} -location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { - deny all; -} -location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { - deny all; -} -location ~* "(https?|ftp|php):/" { - deny all; -} -location ~* "(=\\\'|=\\%27|/\\\'/?)\." { - deny all; -} -location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { - deny all; -} -location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { - deny all; -} -location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { - deny all; -} -location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { - deny all; -} -location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { - deny all; -} -# Status pages -location /nginx_status { - stub_status on; - access_log off; - include common/acl.conf; -} -location ~ ^/(status|ping) { - include fastcgi_params; - fastcgi_pass php71; - include common/acl.conf; -} -# EasyEngine (ee) utilities -# phpMyAdmin settings -location /pma { - return 301 https://$host:22222/db/pma; -} -location /phpMyAdmin { - return 301 https://$host:22222/db/pma; -} -location /phpmyadmin { - return 301 https://$host:22222/db/pma; -} -# Adminer settings -location /adminer { - return 301 https://$host:22222/db/adminer; -} +# NGINX CONFIGURATION FOR COMMON LOCATION +# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) +# Basic locations files +location = /favicon.ico { + access_log off; + log_not_found off; + expires max; +} +location = /robots.txt { + # Some WordPress plugin gererate robots.txt file + # Refer #340 issue + try_files $uri $uri/ /index.php?$args; + access_log off; + log_not_found off; +} +# Cache static files +location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ +{ + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires max; +} +# Cache css & js files +location ~* \.(?:css(\.map)?|js(\.map)?)$ +{ + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires 30d; +} +# Security settings for better privacy +# Deny hidden files +location ~ /\. { + deny all; +} +# Use the directory /var/www/html to valide acme-challenge +# just create the sub-directories .well-known/acme-challenge and set www-data as owner +# # +# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge +# # +location /.well-known/acme-challenge/ { + alias /var/www/html/.well-known/acme-challenge/; +} +# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files +location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" { + deny all; +} +# Deny backup extensions & log files and return 403 forbidden +location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { + deny all; +} +# common nginx configuration to block sql injection and other attacks +location ~* "(eval\()" { + deny all; +} +location ~* "(127\.0\.0\.1)" { + deny all; +} +location ~* "([a-z0-9]{2000})" { + deny all; +} +location ~* "(javascript\:)(.*)(\;)" { + deny all; +} +location ~* "(base64_encode)(.*)(\()" { + deny all; +} +location ~* "(GLOBALS|REQUEST)(=|\[|%)" { + deny all; +} +location ~* "(<|%3C).*script.*(>|%3)" { + deny all; +} +location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { + deny all; +} +location ~* "(boot\.ini|etc/passwd|self/environ)" { + deny all; +} +location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { + deny all; +} +location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { + deny all; +} +location ~* "(https?|ftp|php):/" { + deny all; +} +location ~* "(=\\\'|=\\%27|/\\\'/?)\." { + deny all; +} +location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { + deny all; +} +location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { + deny all; +} +location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { + deny all; +} +location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { + deny all; +} +location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { + deny all; +} +# Status pages +location /nginx_status { + stub_status on; + access_log off; + include common/acl.conf; +} +location ~ ^/(status|ping) { + include fastcgi_params; + fastcgi_pass php71; + include common/acl.conf; +} +# EasyEngine (ee) utilities +# phpMyAdmin settings +location /pma { + return 301 https://$host:22222/db/pma; +} +location /phpMyAdmin { + return 301 https://$host:22222/db/pma; +} +location /phpmyadmin { + return 301 https://$host:22222/db/pma; +} +# Adminer settings +location /adminer { + return 301 https://$host:22222/db/adminer; +} diff --git a/docs/files/etc/nginx/common/locations-php72.conf b/docs/files/etc/nginx/common/locations-php72.conf index a501589..00338a9 100644 --- a/docs/files/etc/nginx/common/locations-php72.conf +++ b/docs/files/etc/nginx/common/locations-php72.conf @@ -1,136 +1,137 @@ -# NGINX CONFIGURATION FOR COMMON LOCATION -# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) -# Basic locations files -location = /favicon.ico { - try_files /favicon.ico @empty; - access_log off; - log_not_found off; - expires max; - -} -location @empty { - empty_gif; -} -location = /robots.txt { -# Some WordPress plugin gererate robots.txt file -# Refer #340 issue - try_files $uri $uri/ /index.php?$args; - access_log off; - log_not_found off; -} -# Cache static files -location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires max; -} -# Cache css & js files -location ~* \.(?:css(\.map)?|js(\.map)?)$ { - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires 30d; -} -# Security settings for better privacy -# Deny hidden files -location ~ /\. { - deny all; -} -# Use the directory /var/www/html to valide acme-challenge -# just create the sub-directories .well-known/acme-challenge and set www-data as owner -# # -# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge -# # -location /.well-known/acme-challenge/ { - alias /var/www/html/.well-known/acme-challenge/; -} -# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files -location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" { - deny all; -} -# Deny backup extensions & log files and return 403 forbidden -location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { - deny all; -} -# common nginx configuration to block sql injection and other attacks -location ~* "(eval\()" { - deny all; -} -location ~* "(127\.0\.0\.1)" { - deny all; -} -location ~* "([a-z0-9]{2000})" { - deny all; -} -location ~* "(javascript\:)(.*)(\;)" { - deny all; -} -location ~* "(base64_encode)(.*)(\()" { - deny all; -} -location ~* "(GLOBALS|REQUEST)(=|\[|%)" { - deny all; -} -location ~* "(<|%3C).*script.*(>|%3)" { - deny all; -} -location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { - deny all; -} -location ~* "(boot\.ini|etc/passwd|self/environ)" { - deny all; -} -location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { - deny all; -} -location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { - deny all; -} -location ~* "(https?|ftp|php):/" { - deny all; -} -location ~* "(=\\\'|=\\%27|/\\\'/?)\." { - deny all; -} -location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { - deny all; -} -location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { - deny all; -} -location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { - deny all; -} -location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { - deny all; -} -location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" { - deny all; -} -# Status pages -location /nginx_status { - stub_status on; - access_log off; - include common/acl.conf; -} -location ~ ^/(status|ping) { - include fastcgi_params; - include common/acl.conf; - fastcgi_pass php72; -} -# EasyEngine (ee) utilities -# phpMyAdmin settings -location /pma { - return 301 https://$host:22222/db/pma; -} -location /phpMyAdmin { - return 301 https://$host:22222/db/pma; -} -location /phpmyadmin { - return 301 https://$host:22222/db/pma; -} -# Adminer settings -location /adminer { - return 301 https://$host:22222/db/adminer; -} +# NGINX CONFIGURATION FOR COMMON LOCATION +# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) +# Basic locations files +location = /favicon.ico { + try_files /favicon.ico @empty; + access_log off; + log_not_found off; + expires max; + +} + +location @empty { + empty_gif; +} +location = /robots.txt { +# Some WordPress plugin gererate robots.txt file +# Refer #340 issue + try_files $uri $uri/ /index.php?$args; + access_log off; + log_not_found off; +} +# Cache static files +location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires max; +} +# Cache css & js files +location ~* \.(?:css(\.map)?|js(\.map)?)$ { + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires 30d; +} +# Security settings for better privacy +# Deny hidden files +location ~ /\. { + deny all; +} +# Use the directory /var/www/html to valide acme-challenge +# just create the sub-directories .well-known/acme-challenge and set www-data as owner +# # +# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge +# # +location /.well-known/acme-challenge/ { + alias /var/www/html/.well-known/acme-challenge/; +} +# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files +location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" { + deny all; +} +# Deny backup extensions & log files and return 403 forbidden +location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { + deny all; +} +# common nginx configuration to block sql injection and other attacks +location ~* "(eval\()" { + deny all; +} +location ~* "(127\.0\.0\.1)" { + deny all; +} +location ~* "([a-z0-9]{2000})" { + deny all; +} +location ~* "(javascript\:)(.*)(\;)" { + deny all; +} +location ~* "(base64_encode)(.*)(\()" { + deny all; +} +location ~* "(GLOBALS|REQUEST)(=|\[|%)" { + deny all; +} +location ~* "(<|%3C).*script.*(>|%3)" { + deny all; +} +location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { + deny all; +} +location ~* "(boot\.ini|etc/passwd|self/environ)" { + deny all; +} +location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { + deny all; +} +location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { + deny all; +} +location ~* "(https?|ftp|php):/" { + deny all; +} +location ~* "(=\\\'|=\\%27|/\\\'/?)\." { + deny all; +} +location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { + deny all; +} +location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { + deny all; +} +location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { + deny all; +} +location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { + deny all; +} +location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" { + deny all; +} +# Status pages +location /nginx_status { + stub_status on; + access_log off; + include common/acl.conf; +} +location ~ ^/(status|ping) { + include fastcgi_params; + include common/acl.conf; + fastcgi_pass php72; +} +# EasyEngine (ee) utilities +# phpMyAdmin settings +location /pma { + return 301 https://$host:22222/db/pma; +} +location /phpMyAdmin { + return 301 https://$host:22222/db/pma; +} +location /phpmyadmin { + return 301 https://$host:22222/db/pma; +} +# Adminer settings +location /adminer { + return 301 https://$host:22222/db/adminer; +} diff --git a/docs/files/etc/nginx/common/wpcommon-php7.conf b/docs/files/etc/nginx/common/wpcommon-php7.conf index fa3e96e..a3e7755 100644 --- a/docs/files/etc/nginx/common/wpcommon-php7.conf +++ b/docs/files/etc/nginx/common/wpcommon-php7.conf @@ -1,37 +1,37 @@ -# WordPress COMMON SETTINGS -# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) -# Limit access to avoid brute force attack -location = /wp-login.php { - limit_req zone=one burst=1 nodelay; - include fastcgi_params; - fastcgi_pass php7; -} -# Disable wp-config.txt -location = /wp-config.txt { - deny all; - access_log off; - log_not_found off; -} -# Disallow php in upload folder and add webp rewrite -location /wp-content/uploads/ { - location ~ \.php$ { -#Prevent Direct Access Of PHP Files From Web Browsers - deny all; - } - # webp rewrite rules - location ~ \.(png|jpe?g)$ { - add_header Vary "Accept-Encoding"; - add_header "Access-Control-Allow-Origin" "*"; - add_header Cache-Control "public, no-transform"; - access_log off; - log_not_found off; - expires max; - try_files $uri$webp_suffix $uri =404; - } -} -# mitigate DoS attack CVE with WordPress script concatenation -# add the following line to wp-config.php -# define( 'CONCATENATE_SCRIPTS', false ); -location ~ \/wp-admin\/load-(scripts|styles).php { - deny all; -} +# WordPress COMMON SETTINGS +# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) +# Limit access to avoid brute force attack +location = /wp-login.php { + limit_req zone=one burst=1 nodelay; + include fastcgi_params; + fastcgi_pass php7; +} +# Disable wp-config.txt +location = /wp-config.txt { + deny all; + access_log off; + log_not_found off; +} +# Disallow php in upload folder and add webp rewrite +location /wp-content/uploads/ { + location ~ \.php$ { +#Prevent Direct Access Of PHP Files From Web Browsers + deny all; + } + # webp rewrite rules + location ~ \.(png|jpe?g)$ { + add_header Vary "Accept-Encoding"; + add_header "Access-Control-Allow-Origin" "*"; + add_header Cache-Control "public, no-transform"; + access_log off; + log_not_found off; + expires max; + try_files $uri$webp_suffix $uri =404; + } +} +# mitigate DoS attack CVE with WordPress script concatenation +# add the following line to wp-config.php +# define( 'CONCATENATE_SCRIPTS', false ); +location ~ \/wp-admin\/load-(scripts|styles).php { + deny all; +} diff --git a/docs/files/etc/nginx/common/wpcommon-php71.conf b/docs/files/etc/nginx/common/wpcommon-php71.conf index d33ce6e..85bfb08 100644 --- a/docs/files/etc/nginx/common/wpcommon-php71.conf +++ b/docs/files/etc/nginx/common/wpcommon-php71.conf @@ -1,37 +1,37 @@ -# WordPress COMMON SETTINGS -# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) -# Limit access to avoid brute force attack -location = /wp-login.php { - limit_req zone=one burst=1 nodelay; - include fastcgi_params; - fastcgi_pass php71; -} -# Disable wp-config.txt -location = /wp-config.txt { - deny all; - access_log off; - log_not_found off; -} -# Disallow php in upload folder and add webp rewrite -location /wp-content/uploads/ { - location ~ \.php$ { -#Prevent Direct Access Of PHP Files From Web Browsers - deny all; - } - # webp rewrite rules - location ~ \.(png|jpe?g)$ { - add_header Vary "Accept-Encoding"; - add_header "Access-Control-Allow-Origin" "*"; - add_header Cache-Control "public, no-transform"; - access_log off; - log_not_found off; - expires max; - try_files $uri$webp_suffix $uri =404; - } -} -# mitigate DoS attack CVE with WordPress script concatenation -# add the following line to wp-config.php -# define( 'CONCATENATE_SCRIPTS', false ); -location ~ \/wp-admin\/load-(scripts|styles).php { - deny all; -} +# WordPress COMMON SETTINGS +# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) +# Limit access to avoid brute force attack +location = /wp-login.php { + limit_req zone=one burst=1 nodelay; + include fastcgi_params; + fastcgi_pass php71; +} +# Disable wp-config.txt +location = /wp-config.txt { + deny all; + access_log off; + log_not_found off; +} +# Disallow php in upload folder and add webp rewrite +location /wp-content/uploads/ { + location ~ \.php$ { +#Prevent Direct Access Of PHP Files From Web Browsers + deny all; + } + # webp rewrite rules + location ~ \.(png|jpe?g)$ { + add_header Vary "Accept-Encoding"; + add_header "Access-Control-Allow-Origin" "*"; + add_header Cache-Control "public, no-transform"; + access_log off; + log_not_found off; + expires max; + try_files $uri$webp_suffix $uri =404; + } +} +# mitigate DoS attack CVE with WordPress script concatenation +# add the following line to wp-config.php +# define( 'CONCATENATE_SCRIPTS', false ); +location ~ \/wp-admin\/load-(scripts|styles).php { + deny all; +} diff --git a/docs/files/etc/nginx/common/wpcommon-php72.conf b/docs/files/etc/nginx/common/wpcommon-php72.conf index a2ab46a..52a0bd6 100644 --- a/docs/files/etc/nginx/common/wpcommon-php72.conf +++ b/docs/files/etc/nginx/common/wpcommon-php72.conf @@ -1,37 +1,37 @@ -# WordPress COMMON SETTINGS -# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) -# Limit access to avoid brute force attack -location = /wp-login.php { - limit_req zone=one burst=1 nodelay; - include fastcgi_params; - fastcgi_pass php72; -} -# Disable wp-config.txt -location = /wp-config.txt { - deny all; - access_log off; - log_not_found off; -} -# Disallow php in upload folder and add webp rewrite -location /wp-content/uploads/ { - location ~ \.php$ { -#Prevent Direct Access Of PHP Files From Web Browsers - deny all; - } - # webp rewrite rules - location ~ \.(png|jpe?g)$ { - add_header Vary "Accept-Encoding"; - add_header "Access-Control-Allow-Origin" "*"; - add_header Cache-Control "public, no-transform"; - access_log off; - log_not_found off; - expires max; - try_files $uri$webp_suffix $uri =404; - } -} -# mitigate DoS attack CVE with WordPress script concatenation -# add the following line to wp-config.php -# define( 'CONCATENATE_SCRIPTS', false ); -location ~ \/wp-admin\/load-(scripts|styles).php { - deny all; -} +# WordPress COMMON SETTINGS +# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) +# Limit access to avoid brute force attack +location = /wp-login.php { + limit_req zone=one burst=1 nodelay; + include fastcgi_params; + fastcgi_pass php72; +} +# Disable wp-config.txt +location = /wp-config.txt { + deny all; + access_log off; + log_not_found off; +} +# Disallow php in upload folder and add webp rewrite +location /wp-content/uploads/ { + location ~ \.php$ { +#Prevent Direct Access Of PHP Files From Web Browsers + deny all; + } + # webp rewrite rules + location ~ \.(png|jpe?g)$ { + add_header Vary "Accept-Encoding"; + add_header "Access-Control-Allow-Origin" "*"; + add_header Cache-Control "public, no-transform"; + access_log off; + log_not_found off; + expires max; + try_files $uri$webp_suffix $uri =404; + } +} +# mitigate DoS attack CVE with WordPress script concatenation +# add the following line to wp-config.php +# define( 'CONCATENATE_SCRIPTS', false ); +location ~ \/wp-admin\/load-(scripts|styles).php { + deny all; +} diff --git a/etc/nginx/common/locations-php7.conf b/etc/nginx/common/locations-php7.conf index 3b58bae..9d483d2 100644 --- a/etc/nginx/common/locations-php7.conf +++ b/etc/nginx/common/locations-php7.conf @@ -1,82 +1,131 @@ -# NGINX CONFIGURATION FOR COMMON LOCATION -# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) -# Basic locations files -location = /favicon.ico { - access_log off; - log_not_found off; - expires max; -} -location = /robots.txt { - # Some WordPress plugin gererate robots.txt file - # Refer #340 issue - try_files $uri $uri/ /index.php?$args; - access_log off; - log_not_found off; -} -# Cache static files -location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ -{ - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires max; -} -# Cache css & js files -location ~* \.(?:css(\.map)?|js(\.map)?)$ -{ - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires 30d; -} -# Security settings for better privacy -# Deny hidden files -location ~ /\. { - deny all; - access_log off; - log_not_found off; -} -# Use the directory /var/www/html to valide acme-challenge -# just create the sub-directories .well-known/acme-challenge and set www-data as owner -# # -# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge -# # -location /.well-known/acme-challenge/ { - alias /var/www/html/.well-known/acme-challenge/; -} -# Deny backup extensions & log files -location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ { - deny all; - access_log off; - log_not_found off; -} -# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) -location ~* "/(^$|readme|license|example)\.(txt|html)" { - return 403; -} -# Status pages -location /nginx_status { - stub_status on; - access_log off; - include common/acl.conf; -} -location ~ ^/(status|ping) { - include fastcgi_params; - fastcgi_pass php7; - include common/acl.conf; -} -# EasyEngine (ee) utilities -# phpMyAdmin settings -location /pma { - return 301 https://$host:22222/db/pma; -} -location /phpMyAdmin { - return 301 https://$host:22222/db/pma; -} -location /phpmyadmin { - return 301 https://$host:22222/db/pma; -} -# Adminer settings -location /adminer { - return 301 https://$host:22222/db/adminer; -} +# NGINX CONFIGURATION FOR COMMON LOCATION +# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) +# Basic locations files +location = /favicon.ico { + access_log off; + log_not_found off; + expires max; +} +location = /robots.txt { +# Some WordPress plugin gererate robots.txt file +# Refer #340 issue + try_files $uri $uri/ /index.php?$args; + access_log off; + log_not_found off; +} +# Cache static files +location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires max; +} +# Cache css & js files +location ~* \.(?:css(\.map)?|js(\.map)?)$ { + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires 30d; +} +# Security settings for better privacy +# Deny hidden files +location ~ /\. { + deny all; +} +# Use the directory /var/www/html to valide acme-challenge +# just create the sub-directories .well-known/acme-challenge and set www-data as owner +# # +# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge +# # +location /.well-known/acme-challenge/ { + alias /var/www/html/.well-known/acme-challenge/; +} +# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files +location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" { + deny all; +} +# Deny backup extensions & log files and return 403 forbidden +location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { + deny all; +} +# common nginx configuration to block sql injection and other attacks +location ~* "(eval\()" { + deny all; +} +location ~* "(127\.0\.0\.1)" { + deny all; +} +location ~* "([a-z0-9]{2000})" { + deny all; +} +location ~* "(javascript\:)(.*)(\;)" { + deny all; +} +location ~* "(base64_encode)(.*)(\()" { + deny all; +} +location ~* "(GLOBALS|REQUEST)(=|\[|%)" { + deny all; +} +location ~* "(<|%3C).*script.*(>|%3)" { + deny all; +} +location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { + deny all; +} +location ~* "(boot\.ini|etc/passwd|self/environ)" { + deny all; +} +location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { + deny all; +} +location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { + deny all; +} +location ~* "(https?|ftp|php):/" { + deny all; +} +location ~* "(=\\\'|=\\%27|/\\\'/?)\." { + deny all; +} +location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { + deny all; +} +location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { + deny all; +} +location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { + deny all; +} +location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { + deny all; +} +location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { + deny all; +} +# Status pages +location = /nginx_status { + stub_status on; + access_log off; + include common/acl.conf; +} +location ~ ^/(status|ping)$ { + include fastcgi_params; + include common/acl.conf; + fastcgi_pass php7; +} +# EasyEngine (ee) utilities +# phpMyAdmin settings +location = /pma { + return 301 https://$host:22222/db/pma; +} +location = /phpMyAdmin { + return 301 https://$host:22222/db/pma; +} +location = /phpmyadmin { + return 301 https://$host:22222/db/pma; +} +# Adminer settings +location = /adminer { + return 301 https://$host:22222/db/adminer; +} diff --git a/etc/nginx/common/locations-php71.conf b/etc/nginx/common/locations-php71.conf index 2b9d5c1..16585ab 100644 --- a/etc/nginx/common/locations-php71.conf +++ b/etc/nginx/common/locations-php71.conf @@ -1,82 +1,133 @@ -# NGINX CONFIGURATION FOR COMMON LOCATION -# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) -# Basic locations files -location = /favicon.ico { - access_log off; - log_not_found off; - expires max; -} -location = /robots.txt { - # Some WordPress plugin gererate robots.txt file - # Refer #340 issue - try_files $uri $uri/ /index.php?$args; - access_log off; - log_not_found off; -} -# Cache static files -location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ -{ - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires max; -} -# Cache css & js files -location ~* \.(?:css(\.map)?|js(\.map)?)$ -{ - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires 30d; -} -# Security settings for better privacy -# Deny hidden files -location ~ /\. { - deny all; - access_log off; - log_not_found off; -} -# Use the directory /var/www/html to valide acme-challenge -# just create the sub-directories .well-known/acme-challenge and set www-data as owner -# # -# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge -# # -location /.well-known/acme-challenge/ { - alias /var/www/html/.well-known/acme-challenge/; -} -# Deny backup extensions & log files -location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ { - deny all; - access_log off; - log_not_found off; -} -# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) -location ~* "/(^$|readme|license|example)\.(txt|html)" { - return 403; -} -# Status pages -location /nginx_status { - stub_status on; - access_log off; - include common/acl.conf; -} -location ~ ^/(status|ping) { - include fastcgi_params; - fastcgi_pass php71; - include common/acl.conf; -} -# EasyEngine (ee) utilities -# phpMyAdmin settings -location /pma { - return 301 https://$host:22222/db/pma; -} -location /phpMyAdmin { - return 301 https://$host:22222/db/pma; -} -location /phpmyadmin { - return 301 https://$host:22222/db/pma; -} -# Adminer settings -location /adminer { - return 301 https://$host:22222/db/adminer; -} +# NGINX CONFIGURATION FOR COMMON LOCATION +# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) +# Basic locations files +location = /favicon.ico { + access_log off; + log_not_found off; + expires max; +} +location = /robots.txt { + # Some WordPress plugin gererate robots.txt file + # Refer #340 issue + try_files $uri $uri/ /index.php?$args; + access_log off; + log_not_found off; +} +# Cache static files +location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ +{ + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires max; +} +# Cache css & js files +location ~* \.(?:css(\.map)?|js(\.map)?)$ +{ + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires 30d; +} +# Security settings for better privacy +# Deny hidden files +location ~ /\. { + deny all; +} +# Use the directory /var/www/html to valide acme-challenge +# just create the sub-directories .well-known/acme-challenge and set www-data as owner +# # +# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge +# # +location /.well-known/acme-challenge/ { + alias /var/www/html/.well-known/acme-challenge/; +} +# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files +location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" { + deny all; +} +# Deny backup extensions & log files and return 403 forbidden +location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { + deny all; +} +# common nginx configuration to block sql injection and other attacks +location ~* "(eval\()" { + deny all; +} +location ~* "(127\.0\.0\.1)" { + deny all; +} +location ~* "([a-z0-9]{2000})" { + deny all; +} +location ~* "(javascript\:)(.*)(\;)" { + deny all; +} +location ~* "(base64_encode)(.*)(\()" { + deny all; +} +location ~* "(GLOBALS|REQUEST)(=|\[|%)" { + deny all; +} +location ~* "(<|%3C).*script.*(>|%3)" { + deny all; +} +location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { + deny all; +} +location ~* "(boot\.ini|etc/passwd|self/environ)" { + deny all; +} +location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { + deny all; +} +location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { + deny all; +} +location ~* "(https?|ftp|php):/" { + deny all; +} +location ~* "(=\\\'|=\\%27|/\\\'/?)\." { + deny all; +} +location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { + deny all; +} +location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { + deny all; +} +location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { + deny all; +} +location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { + deny all; +} +location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { + deny all; +} +# Status pages +location /nginx_status { + stub_status on; + access_log off; + include common/acl.conf; +} +location ~ ^/(status|ping) { + include fastcgi_params; + fastcgi_pass php71; + include common/acl.conf; +} +# EasyEngine (ee) utilities +# phpMyAdmin settings +location /pma { + return 301 https://$host:22222/db/pma; +} +location /phpMyAdmin { + return 301 https://$host:22222/db/pma; +} +location /phpmyadmin { + return 301 https://$host:22222/db/pma; +} +# Adminer settings +location /adminer { + return 301 https://$host:22222/db/adminer; +} diff --git a/etc/nginx/common/locations-php72.conf b/etc/nginx/common/locations-php72.conf index bdcfa29..00338a9 100644 --- a/etc/nginx/common/locations-php72.conf +++ b/etc/nginx/common/locations-php72.conf @@ -1,82 +1,137 @@ -# NGINX CONFIGURATION FOR COMMON LOCATION -# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) -# Basic locations files -location = /favicon.ico { - access_log off; - log_not_found off; - expires max; -} -location = /robots.txt { - # Some WordPress plugin gererate robots.txt file - # Refer #340 issue - try_files $uri $uri/ /index.php?$args; - access_log off; - log_not_found off; -} -# Cache static files -location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ -{ - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires max; -} -# Cache css & js files -location ~* \.(?:css(\.map)?|js(\.map)?)$ -{ - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires 30d; -} -# Security settings for better privacy -# Deny hidden files -location ~ /\. { - deny all; - access_log off; - log_not_found off; -} -# Use the directory /var/www/html to valide acme-challenge -# just create the sub-directories .well-known/acme-challenge and set www-data as owner -# # -# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge -# # -location /.well-known/acme-challenge/ { - alias /var/www/html/.well-known/acme-challenge/; -} -# Deny backup extensions & log files -location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ { - deny all; - access_log off; - log_not_found off; -} -# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) -location ~* "/(^$|readme|license|example)\.(txt|html)" { - return 403; -} -# Status pages -location /nginx_status { - stub_status on; - access_log off; - include common/acl.conf; -} -location ~ ^/(status|ping) { - include fastcgi_params; - fastcgi_pass php72; - include common/acl.conf; -} -# EasyEngine (ee) utilities -# phpMyAdmin settings -location /pma { - return 301 https://$host:22222/db/pma; -} -location /phpMyAdmin { - return 301 https://$host:22222/db/pma; -} -location /phpmyadmin { - return 301 https://$host:22222/db/pma; -} -# Adminer settings -location /adminer { - return 301 https://$host:22222/db/adminer; -} +# NGINX CONFIGURATION FOR COMMON LOCATION +# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) +# Basic locations files +location = /favicon.ico { + try_files /favicon.ico @empty; + access_log off; + log_not_found off; + expires max; + +} + +location @empty { + empty_gif; +} +location = /robots.txt { +# Some WordPress plugin gererate robots.txt file +# Refer #340 issue + try_files $uri $uri/ /index.php?$args; + access_log off; + log_not_found off; +} +# Cache static files +location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires max; +} +# Cache css & js files +location ~* \.(?:css(\.map)?|js(\.map)?)$ { + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires 30d; +} +# Security settings for better privacy +# Deny hidden files +location ~ /\. { + deny all; +} +# Use the directory /var/www/html to valide acme-challenge +# just create the sub-directories .well-known/acme-challenge and set www-data as owner +# # +# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge +# # +location /.well-known/acme-challenge/ { + alias /var/www/html/.well-known/acme-challenge/; +} +# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files +location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" { + deny all; +} +# Deny backup extensions & log files and return 403 forbidden +location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { + deny all; +} +# common nginx configuration to block sql injection and other attacks +location ~* "(eval\()" { + deny all; +} +location ~* "(127\.0\.0\.1)" { + deny all; +} +location ~* "([a-z0-9]{2000})" { + deny all; +} +location ~* "(javascript\:)(.*)(\;)" { + deny all; +} +location ~* "(base64_encode)(.*)(\()" { + deny all; +} +location ~* "(GLOBALS|REQUEST)(=|\[|%)" { + deny all; +} +location ~* "(<|%3C).*script.*(>|%3)" { + deny all; +} +location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { + deny all; +} +location ~* "(boot\.ini|etc/passwd|self/environ)" { + deny all; +} +location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { + deny all; +} +location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { + deny all; +} +location ~* "(https?|ftp|php):/" { + deny all; +} +location ~* "(=\\\'|=\\%27|/\\\'/?)\." { + deny all; +} +location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { + deny all; +} +location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { + deny all; +} +location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { + deny all; +} +location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { + deny all; +} +location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" { + deny all; +} +# Status pages +location /nginx_status { + stub_status on; + access_log off; + include common/acl.conf; +} +location ~ ^/(status|ping) { + include fastcgi_params; + include common/acl.conf; + fastcgi_pass php72; +} +# EasyEngine (ee) utilities +# phpMyAdmin settings +location /pma { + return 301 https://$host:22222/db/pma; +} +location /phpMyAdmin { + return 301 https://$host:22222/db/pma; +} +location /phpmyadmin { + return 301 https://$host:22222/db/pma; +} +# Adminer settings +location /adminer { + return 301 https://$host:22222/db/adminer; +} diff --git a/etc/nginx/common/wpcommon-php7.conf b/etc/nginx/common/wpcommon-php7.conf index a4d9997..a3e7755 100644 --- a/etc/nginx/common/wpcommon-php7.conf +++ b/etc/nginx/common/wpcommon-php7.conf @@ -1,33 +1,37 @@ -# WordPress COMMON SETTINGS -# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) -# Limit access to avoid brute force attack -location = /wp-login.php { - limit_req zone=one burst=1 nodelay; - include fastcgi_params; - fastcgi_pass php7; -} -# Disable wp-config.txt -location = /wp-config.txt { - deny all; - access_log off; - log_not_found off; -} -# Disallow php in upload folder -location /wp-content/uploads/ { - location ~ \.php$ { - #Prevent Direct Access Of PHP Files From Web Browsers - deny all; - } -} -location ~* ^/wp-content/.+\.(png|jpg)$ { - add_header Vary Accept; - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires max; - try_files $uri$webp_suffix $uri =404; -} - -location ~ \/wp-admin\/load-(scripts|styles).php { - deny all; -} +# WordPress COMMON SETTINGS +# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) +# Limit access to avoid brute force attack +location = /wp-login.php { + limit_req zone=one burst=1 nodelay; + include fastcgi_params; + fastcgi_pass php7; +} +# Disable wp-config.txt +location = /wp-config.txt { + deny all; + access_log off; + log_not_found off; +} +# Disallow php in upload folder and add webp rewrite +location /wp-content/uploads/ { + location ~ \.php$ { +#Prevent Direct Access Of PHP Files From Web Browsers + deny all; + } + # webp rewrite rules + location ~ \.(png|jpe?g)$ { + add_header Vary "Accept-Encoding"; + add_header "Access-Control-Allow-Origin" "*"; + add_header Cache-Control "public, no-transform"; + access_log off; + log_not_found off; + expires max; + try_files $uri$webp_suffix $uri =404; + } +} +# mitigate DoS attack CVE with WordPress script concatenation +# add the following line to wp-config.php +# define( 'CONCATENATE_SCRIPTS', false ); +location ~ \/wp-admin\/load-(scripts|styles).php { + deny all; +} diff --git a/etc/nginx/common/wpcommon-php71.conf b/etc/nginx/common/wpcommon-php71.conf index 5b2ee59..85bfb08 100644 --- a/etc/nginx/common/wpcommon-php71.conf +++ b/etc/nginx/common/wpcommon-php71.conf @@ -1,35 +1,37 @@ -# WordPress COMMON SETTINGS -# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) -# Limit access to avoid brute force attack -location = /wp-login.php { - limit_req zone=one burst=1 nodelay; - include fastcgi_params; - fastcgi_pass php71; -} -# Disable wp-config.txt -location = /wp-config.txt { - deny all; - access_log off; - log_not_found off; -} -# Disallow php in upload folder and add webp rewrite -location /wp-content/uploads/ { - location ~ \.php$ { - #Prevent Direct Access Of PHP Files From Web Browsers - deny all; - } - location ~ \.(png|jpe?g)$ { - add_header Vary "Accept-Encoding"; - add_header "Access-Control-Allow-Origin" "*"; - add_header Cache-Control "public, no-transform"; - access_log off; - log_not_found off; - expires max; - try_files $uri$webp_suffix $uri =404; - } -} - -# mitigate DoS attack CVE with WordPress script concatenation -location ~ \/wp-admin\/load-(scripts|styles).php { - deny all; -} \ No newline at end of file +# WordPress COMMON SETTINGS +# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) +# Limit access to avoid brute force attack +location = /wp-login.php { + limit_req zone=one burst=1 nodelay; + include fastcgi_params; + fastcgi_pass php71; +} +# Disable wp-config.txt +location = /wp-config.txt { + deny all; + access_log off; + log_not_found off; +} +# Disallow php in upload folder and add webp rewrite +location /wp-content/uploads/ { + location ~ \.php$ { +#Prevent Direct Access Of PHP Files From Web Browsers + deny all; + } + # webp rewrite rules + location ~ \.(png|jpe?g)$ { + add_header Vary "Accept-Encoding"; + add_header "Access-Control-Allow-Origin" "*"; + add_header Cache-Control "public, no-transform"; + access_log off; + log_not_found off; + expires max; + try_files $uri$webp_suffix $uri =404; + } +} +# mitigate DoS attack CVE with WordPress script concatenation +# add the following line to wp-config.php +# define( 'CONCATENATE_SCRIPTS', false ); +location ~ \/wp-admin\/load-(scripts|styles).php { + deny all; +} diff --git a/etc/nginx/common/wpcommon-php72.conf b/etc/nginx/common/wpcommon-php72.conf index 0cc7ae4..52a0bd6 100644 --- a/etc/nginx/common/wpcommon-php72.conf +++ b/etc/nginx/common/wpcommon-php72.conf @@ -1,35 +1,37 @@ -# WordPress COMMON SETTINGS -# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) -# Limit access to avoid brute force attack -location = /wp-login.php { - limit_req zone=one burst=1 nodelay; - include fastcgi_params; - fastcgi_pass php72; -} -# Disable wp-config.txt -location = /wp-config.txt { - deny all; - access_log off; - log_not_found off; -} -# Disallow php in upload folder and add webp rewrite -location /wp-content/uploads/ { - location ~ \.php$ { - #Prevent Direct Access Of PHP Files From Web Browsers - deny all; - } - location ~ \.(png|jpe?g)$ { - add_header Vary "Accept-Encoding"; - add_header "Access-Control-Allow-Origin" "*"; - add_header Cache-Control "public, no-transform"; - access_log off; - log_not_found off; - expires max; - try_files $uri$webp_suffix $uri =404; - } -} - -# mitigate DoS attack CVE with WordPress script concatenation -location ~ \/wp-admin\/load-(scripts|styles).php { - deny all; -} +# WordPress COMMON SETTINGS +# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) +# Limit access to avoid brute force attack +location = /wp-login.php { + limit_req zone=one burst=1 nodelay; + include fastcgi_params; + fastcgi_pass php72; +} +# Disable wp-config.txt +location = /wp-config.txt { + deny all; + access_log off; + log_not_found off; +} +# Disallow php in upload folder and add webp rewrite +location /wp-content/uploads/ { + location ~ \.php$ { +#Prevent Direct Access Of PHP Files From Web Browsers + deny all; + } + # webp rewrite rules + location ~ \.(png|jpe?g)$ { + add_header Vary "Accept-Encoding"; + add_header "Access-Control-Allow-Origin" "*"; + add_header Cache-Control "public, no-transform"; + access_log off; + log_not_found off; + expires max; + try_files $uri$webp_suffix $uri =404; + } +} +# mitigate DoS attack CVE with WordPress script concatenation +# add the following line to wp-config.php +# define( 'CONCATENATE_SCRIPTS', false ); +location ~ \/wp-admin\/load-(scripts|styles).php { + deny all; +}