update locations configuration

* add anti-hack settings
This commit is contained in:
VirtuBox 2018-09-16 17:57:42 +02:00
parent ec57ddc4c2
commit b40e7abc4e
14 changed files with 1024 additions and 862 deletions

Binary file not shown.

Binary file not shown.

View File

@ -1,133 +1,131 @@
# NGINX CONFIGURATION FOR COMMON LOCATION # NGINX CONFIGURATION FOR COMMON LOCATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Basic locations files # Basic locations files
location = /favicon.ico { location = /favicon.ico {
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
} }
location = /robots.txt { location = /robots.txt {
# Some WordPress plugin gererate robots.txt file # Some WordPress plugin gererate robots.txt file
# Refer #340 issue # Refer #340 issue
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Cache static files # Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
{ add_header "Access-Control-Allow-Origin" "*";
add_header "Access-Control-Allow-Origin" "*"; access_log off;
access_log off; log_not_found off;
log_not_found off; expires max;
expires max; }
} # Cache css & js files
# Cache css & js files location ~* \.(?:css(\.map)?|js(\.map)?)$ {
location ~* \.(?:css(\.map)?|js(\.map)?)$ add_header "Access-Control-Allow-Origin" "*";
{ access_log off;
add_header "Access-Control-Allow-Origin" "*"; log_not_found off;
access_log off; expires 30d;
log_not_found off; }
expires 30d; # Security settings for better privacy
} # Deny hidden files
# Security settings for better privacy location ~ /\. {
# Deny hidden files deny all;
location ~ /\. { }
deny all; # Use the directory /var/www/html to valide acme-challenge
} # just create the sub-directories .well-known/acme-challenge and set www-data as owner
# Use the directory /var/www/html to valide acme-challenge # #
# just create the sub-directories .well-known/acme-challenge and set www-data as owner # chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
# # # #
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge location /.well-known/acme-challenge/ {
# # alias /var/www/html/.well-known/acme-challenge/;
location /.well-known/acme-challenge/ { }
alias /var/www/html/.well-known/acme-challenge/; # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
} location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files deny all;
location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" { }
deny all; # Deny backup extensions & log files and return 403 forbidden
} location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
# Deny backup extensions & log files and return 403 forbidden deny all;
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { }
deny all; # common nginx configuration to block sql injection and other attacks
} location ~* "(eval\()" {
# common nginx configuration to block sql injection and other attacks deny all;
location ~* "(eval\()" { }
deny all; location ~* "(127\.0\.0\.1)" {
} deny all;
location ~* "(127\.0\.0\.1)" { }
deny all; location ~* "([a-z0-9]{2000})" {
} deny all;
location ~* "([a-z0-9]{2000})" { }
deny all; location ~* "(javascript\:)(.*)(\;)" {
} deny all;
location ~* "(javascript\:)(.*)(\;)" { }
deny all; location ~* "(base64_encode)(.*)(\()" {
} deny all;
location ~* "(base64_encode)(.*)(\()" { }
deny all; location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
} deny all;
location ~* "(GLOBALS|REQUEST)(=|\[|%)" { }
deny all; location ~* "(<|%3C).*script.*(>|%3)" {
} deny all;
location ~* "(<|%3C).*script.*(>|%3)" { }
deny all; location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
} deny all;
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { }
deny all; location ~* "(boot\.ini|etc/passwd|self/environ)" {
} deny all;
location ~* "(boot\.ini|etc/passwd|self/environ)" { }
deny all; location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
} deny all;
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { }
deny all; location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
} deny all;
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { }
deny all; location ~* "(https?|ftp|php):/" {
} deny all;
location ~* "(https?|ftp|php):/" { }
deny all; location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
} deny all;
location ~* "(=\\\'|=\\%27|/\\\'/?)\." { }
deny all; location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
} deny all;
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { }
deny all; location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
} deny all;
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { }
deny all; location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
} deny all;
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { }
deny all; location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
} deny all;
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { }
deny all; location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
} deny all;
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { }
deny all; # Status pages
} location = /nginx_status {
# Status pages stub_status on;
location = /nginx_status { access_log off;
stub_status on; include common/acl.conf;
access_log off; }
include common/acl.conf; location ~ ^/(status|ping)$ {
} include fastcgi_params;
location ~ ^/(status|ping)$ { include common/acl.conf;
include fastcgi_params; fastcgi_pass php7;
fastcgi_pass php7; }
include common/acl.conf; # EasyEngine (ee) utilities
} # phpMyAdmin settings
# EasyEngine (ee) utilities location = /pma {
# phpMyAdmin settings return 301 https://$host:22222/db/pma;
location = /pma { }
return 301 https://$host:22222/db/pma; location = /phpMyAdmin {
} return 301 https://$host:22222/db/pma;
location = /phpMyAdmin { }
return 301 https://$host:22222/db/pma; location = /phpmyadmin {
} return 301 https://$host:22222/db/pma;
location = /phpmyadmin { }
return 301 https://$host:22222/db/pma; # Adminer settings
} location = /adminer {
# Adminer settings return 301 https://$host:22222/db/adminer;
location = /adminer { }
return 301 https://$host:22222/db/adminer;
}

View File

@ -1,133 +1,133 @@
# NGINX CONFIGURATION FOR COMMON LOCATION # NGINX CONFIGURATION FOR COMMON LOCATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Basic locations files # Basic locations files
location = /favicon.ico { location = /favicon.ico {
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
} }
location = /robots.txt { location = /robots.txt {
# Some WordPress plugin gererate robots.txt file # Some WordPress plugin gererate robots.txt file
# Refer #340 issue # Refer #340 issue
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Cache static files # Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$
{ {
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
} }
# Cache css & js files # Cache css & js files
location ~* \.(?:css(\.map)?|js(\.map)?)$ location ~* \.(?:css(\.map)?|js(\.map)?)$
{ {
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
expires 30d; expires 30d;
} }
# Security settings for better privacy # Security settings for better privacy
# Deny hidden files # Deny hidden files
location ~ /\. { location ~ /\. {
deny all; deny all;
} }
# Use the directory /var/www/html to valide acme-challenge # Use the directory /var/www/html to valide acme-challenge
# just create the sub-directories .well-known/acme-challenge and set www-data as owner # just create the sub-directories .well-known/acme-challenge and set www-data as owner
# # # #
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge # chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
# # # #
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/; alias /var/www/html/.well-known/acme-challenge/;
} }
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" { location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
deny all; deny all;
} }
# Deny backup extensions & log files and return 403 forbidden # Deny backup extensions & log files and return 403 forbidden
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all; deny all;
} }
# common nginx configuration to block sql injection and other attacks # common nginx configuration to block sql injection and other attacks
location ~* "(eval\()" { location ~* "(eval\()" {
deny all; deny all;
} }
location ~* "(127\.0\.0\.1)" { location ~* "(127\.0\.0\.1)" {
deny all; deny all;
} }
location ~* "([a-z0-9]{2000})" { location ~* "([a-z0-9]{2000})" {
deny all; deny all;
} }
location ~* "(javascript\:)(.*)(\;)" { location ~* "(javascript\:)(.*)(\;)" {
deny all; deny all;
} }
location ~* "(base64_encode)(.*)(\()" { location ~* "(base64_encode)(.*)(\()" {
deny all; deny all;
} }
location ~* "(GLOBALS|REQUEST)(=|\[|%)" { location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
deny all; deny all;
} }
location ~* "(<|%3C).*script.*(>|%3)" { location ~* "(<|%3C).*script.*(>|%3)" {
deny all; deny all;
} }
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
deny all; deny all;
} }
location ~* "(boot\.ini|etc/passwd|self/environ)" { location ~* "(boot\.ini|etc/passwd|self/environ)" {
deny all; deny all;
} }
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
deny all; deny all;
} }
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
deny all; deny all;
} }
location ~* "(https?|ftp|php):/" { location ~* "(https?|ftp|php):/" {
deny all; deny all;
} }
location ~* "(=\\\'|=\\%27|/\\\'/?)\." { location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
deny all; deny all;
} }
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
deny all; deny all;
} }
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
deny all; deny all;
} }
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all; deny all;
} }
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
deny all; deny all;
} }
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
deny all; deny all;
} }
# Status pages # Status pages
location /nginx_status { location /nginx_status {
stub_status on; stub_status on;
access_log off; access_log off;
include common/acl.conf; include common/acl.conf;
} }
location ~ ^/(status|ping) { location ~ ^/(status|ping) {
include fastcgi_params; include fastcgi_params;
fastcgi_pass php71; fastcgi_pass php71;
include common/acl.conf; include common/acl.conf;
} }
# EasyEngine (ee) utilities # EasyEngine (ee) utilities
# phpMyAdmin settings # phpMyAdmin settings
location /pma { location /pma {
return 301 https://$host:22222/db/pma; return 301 https://$host:22222/db/pma;
} }
location /phpMyAdmin { location /phpMyAdmin {
return 301 https://$host:22222/db/pma; return 301 https://$host:22222/db/pma;
} }
location /phpmyadmin { location /phpmyadmin {
return 301 https://$host:22222/db/pma; return 301 https://$host:22222/db/pma;
} }
# Adminer settings # Adminer settings
location /adminer { location /adminer {
return 301 https://$host:22222/db/adminer; return 301 https://$host:22222/db/adminer;
} }

View File

@ -1,136 +1,137 @@
# NGINX CONFIGURATION FOR COMMON LOCATION # NGINX CONFIGURATION FOR COMMON LOCATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Basic locations files # Basic locations files
location = /favicon.ico { location = /favicon.ico {
try_files /favicon.ico @empty; try_files /favicon.ico @empty;
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
} }
location @empty {
empty_gif; location @empty {
} empty_gif;
location = /robots.txt { }
# Some WordPress plugin gererate robots.txt file location = /robots.txt {
# Refer #340 issue # Some WordPress plugin gererate robots.txt file
try_files $uri $uri/ /index.php?$args; # Refer #340 issue
access_log off; try_files $uri $uri/ /index.php?$args;
log_not_found off; access_log off;
} log_not_found off;
# Cache static files }
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ { # Cache static files
add_header "Access-Control-Allow-Origin" "*"; location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
access_log off; add_header "Access-Control-Allow-Origin" "*";
log_not_found off; access_log off;
expires max; log_not_found off;
} expires max;
# Cache css & js files }
location ~* \.(?:css(\.map)?|js(\.map)?)$ { # Cache css & js files
add_header "Access-Control-Allow-Origin" "*"; location ~* \.(?:css(\.map)?|js(\.map)?)$ {
access_log off; add_header "Access-Control-Allow-Origin" "*";
log_not_found off; access_log off;
expires 30d; log_not_found off;
} expires 30d;
# Security settings for better privacy }
# Deny hidden files # Security settings for better privacy
location ~ /\. { # Deny hidden files
deny all; location ~ /\. {
} deny all;
# Use the directory /var/www/html to valide acme-challenge }
# just create the sub-directories .well-known/acme-challenge and set www-data as owner # Use the directory /var/www/html to valide acme-challenge
# # # just create the sub-directories .well-known/acme-challenge and set www-data as owner
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge # #
# # # chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
location /.well-known/acme-challenge/ { # #
alias /var/www/html/.well-known/acme-challenge/; location /.well-known/acme-challenge/ {
} alias /var/www/html/.well-known/acme-challenge/;
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files }
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" { # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
deny all; location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
} deny all;
# Deny backup extensions & log files and return 403 forbidden }
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { # Deny backup extensions & log files and return 403 forbidden
deny all; location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
} deny all;
# common nginx configuration to block sql injection and other attacks }
location ~* "(eval\()" { # common nginx configuration to block sql injection and other attacks
deny all; location ~* "(eval\()" {
} deny all;
location ~* "(127\.0\.0\.1)" { }
deny all; location ~* "(127\.0\.0\.1)" {
} deny all;
location ~* "([a-z0-9]{2000})" { }
deny all; location ~* "([a-z0-9]{2000})" {
} deny all;
location ~* "(javascript\:)(.*)(\;)" { }
deny all; location ~* "(javascript\:)(.*)(\;)" {
} deny all;
location ~* "(base64_encode)(.*)(\()" { }
deny all; location ~* "(base64_encode)(.*)(\()" {
} deny all;
location ~* "(GLOBALS|REQUEST)(=|\[|%)" { }
deny all; location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
} deny all;
location ~* "(<|%3C).*script.*(>|%3)" { }
deny all; location ~* "(<|%3C).*script.*(>|%3)" {
} deny all;
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { }
deny all; location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
} deny all;
location ~* "(boot\.ini|etc/passwd|self/environ)" { }
deny all; location ~* "(boot\.ini|etc/passwd|self/environ)" {
} deny all;
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { }
deny all; location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
} deny all;
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { }
deny all; location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
} deny all;
location ~* "(https?|ftp|php):/" { }
deny all; location ~* "(https?|ftp|php):/" {
} deny all;
location ~* "(=\\\'|=\\%27|/\\\'/?)\." { }
deny all; location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
} deny all;
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { }
deny all; location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
} deny all;
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { }
deny all; location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
} deny all;
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { }
deny all; location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
} deny all;
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { }
deny all; location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
} deny all;
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" { }
deny all; location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
} deny all;
# Status pages }
location /nginx_status { # Status pages
stub_status on; location /nginx_status {
access_log off; stub_status on;
include common/acl.conf; access_log off;
} include common/acl.conf;
location ~ ^/(status|ping) { }
include fastcgi_params; location ~ ^/(status|ping) {
include common/acl.conf; include fastcgi_params;
fastcgi_pass php72; include common/acl.conf;
} fastcgi_pass php72;
# EasyEngine (ee) utilities }
# phpMyAdmin settings # EasyEngine (ee) utilities
location /pma { # phpMyAdmin settings
return 301 https://$host:22222/db/pma; location /pma {
} return 301 https://$host:22222/db/pma;
location /phpMyAdmin { }
return 301 https://$host:22222/db/pma; location /phpMyAdmin {
} return 301 https://$host:22222/db/pma;
location /phpmyadmin { }
return 301 https://$host:22222/db/pma; location /phpmyadmin {
} return 301 https://$host:22222/db/pma;
# Adminer settings }
location /adminer { # Adminer settings
return 301 https://$host:22222/db/adminer; location /adminer {
} return 301 https://$host:22222/db/adminer;
}

View File

@ -1,37 +1,37 @@
# WordPress COMMON SETTINGS # WordPress COMMON SETTINGS
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack # Limit access to avoid brute force attack
location = /wp-login.php { location = /wp-login.php {
limit_req zone=one burst=1 nodelay; limit_req zone=one burst=1 nodelay;
include fastcgi_params; include fastcgi_params;
fastcgi_pass php7; fastcgi_pass php7;
} }
# Disable wp-config.txt # Disable wp-config.txt
location = /wp-config.txt { location = /wp-config.txt {
deny all; deny all;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Disallow php in upload folder and add webp rewrite # Disallow php in upload folder and add webp rewrite
location /wp-content/uploads/ { location /wp-content/uploads/ {
location ~ \.php$ { location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers #Prevent Direct Access Of PHP Files From Web Browsers
deny all; deny all;
} }
# webp rewrite rules # webp rewrite rules
location ~ \.(png|jpe?g)$ { location ~ \.(png|jpe?g)$ {
add_header Vary "Accept-Encoding"; add_header Vary "Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
add_header Cache-Control "public, no-transform"; add_header Cache-Control "public, no-transform";
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
try_files $uri$webp_suffix $uri =404; try_files $uri$webp_suffix $uri =404;
} }
} }
# mitigate DoS attack CVE with WordPress script concatenation # mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php # add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false ); # define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php { location ~ \/wp-admin\/load-(scripts|styles).php {
deny all; deny all;
} }

View File

@ -1,37 +1,37 @@
# WordPress COMMON SETTINGS # WordPress COMMON SETTINGS
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack # Limit access to avoid brute force attack
location = /wp-login.php { location = /wp-login.php {
limit_req zone=one burst=1 nodelay; limit_req zone=one burst=1 nodelay;
include fastcgi_params; include fastcgi_params;
fastcgi_pass php71; fastcgi_pass php71;
} }
# Disable wp-config.txt # Disable wp-config.txt
location = /wp-config.txt { location = /wp-config.txt {
deny all; deny all;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Disallow php in upload folder and add webp rewrite # Disallow php in upload folder and add webp rewrite
location /wp-content/uploads/ { location /wp-content/uploads/ {
location ~ \.php$ { location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers #Prevent Direct Access Of PHP Files From Web Browsers
deny all; deny all;
} }
# webp rewrite rules # webp rewrite rules
location ~ \.(png|jpe?g)$ { location ~ \.(png|jpe?g)$ {
add_header Vary "Accept-Encoding"; add_header Vary "Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
add_header Cache-Control "public, no-transform"; add_header Cache-Control "public, no-transform";
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
try_files $uri$webp_suffix $uri =404; try_files $uri$webp_suffix $uri =404;
} }
} }
# mitigate DoS attack CVE with WordPress script concatenation # mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php # add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false ); # define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php { location ~ \/wp-admin\/load-(scripts|styles).php {
deny all; deny all;
} }

View File

@ -1,37 +1,37 @@
# WordPress COMMON SETTINGS # WordPress COMMON SETTINGS
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack # Limit access to avoid brute force attack
location = /wp-login.php { location = /wp-login.php {
limit_req zone=one burst=1 nodelay; limit_req zone=one burst=1 nodelay;
include fastcgi_params; include fastcgi_params;
fastcgi_pass php72; fastcgi_pass php72;
} }
# Disable wp-config.txt # Disable wp-config.txt
location = /wp-config.txt { location = /wp-config.txt {
deny all; deny all;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Disallow php in upload folder and add webp rewrite # Disallow php in upload folder and add webp rewrite
location /wp-content/uploads/ { location /wp-content/uploads/ {
location ~ \.php$ { location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers #Prevent Direct Access Of PHP Files From Web Browsers
deny all; deny all;
} }
# webp rewrite rules # webp rewrite rules
location ~ \.(png|jpe?g)$ { location ~ \.(png|jpe?g)$ {
add_header Vary "Accept-Encoding"; add_header Vary "Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
add_header Cache-Control "public, no-transform"; add_header Cache-Control "public, no-transform";
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
try_files $uri$webp_suffix $uri =404; try_files $uri$webp_suffix $uri =404;
} }
} }
# mitigate DoS attack CVE with WordPress script concatenation # mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php # add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false ); # define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php { location ~ \/wp-admin\/load-(scripts|styles).php {
deny all; deny all;
} }

View File

@ -1,82 +1,131 @@
# NGINX CONFIGURATION FOR COMMON LOCATION # NGINX CONFIGURATION FOR COMMON LOCATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Basic locations files # Basic locations files
location = /favicon.ico { location = /favicon.ico {
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
} }
location = /robots.txt { location = /robots.txt {
# Some WordPress plugin gererate robots.txt file # Some WordPress plugin gererate robots.txt file
# Refer #340 issue # Refer #340 issue
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Cache static files # Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
{ add_header "Access-Control-Allow-Origin" "*";
add_header "Access-Control-Allow-Origin" "*"; access_log off;
access_log off; log_not_found off;
log_not_found off; expires max;
expires max; }
} # Cache css & js files
# Cache css & js files location ~* \.(?:css(\.map)?|js(\.map)?)$ {
location ~* \.(?:css(\.map)?|js(\.map)?)$ add_header "Access-Control-Allow-Origin" "*";
{ access_log off;
add_header "Access-Control-Allow-Origin" "*"; log_not_found off;
access_log off; expires 30d;
log_not_found off; }
expires 30d; # Security settings for better privacy
} # Deny hidden files
# Security settings for better privacy location ~ /\. {
# Deny hidden files deny all;
location ~ /\. { }
deny all; # Use the directory /var/www/html to valide acme-challenge
access_log off; # just create the sub-directories .well-known/acme-challenge and set www-data as owner
log_not_found off; # #
} # chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
# Use the directory /var/www/html to valide acme-challenge # #
# just create the sub-directories .well-known/acme-challenge and set www-data as owner location /.well-known/acme-challenge/ {
# # alias /var/www/html/.well-known/acme-challenge/;
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge }
# # # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
location /.well-known/acme-challenge/ { location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
alias /var/www/html/.well-known/acme-challenge/; deny all;
} }
# Deny backup extensions & log files # Deny backup extensions & log files and return 403 forbidden
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ { location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all; deny all;
access_log off; }
log_not_found off; # common nginx configuration to block sql injection and other attacks
} location ~* "(eval\()" {
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) deny all;
location ~* "/(^$|readme|license|example)\.(txt|html)" { }
return 403; location ~* "(127\.0\.0\.1)" {
} deny all;
# Status pages }
location /nginx_status { location ~* "([a-z0-9]{2000})" {
stub_status on; deny all;
access_log off; }
include common/acl.conf; location ~* "(javascript\:)(.*)(\;)" {
} deny all;
location ~ ^/(status|ping) { }
include fastcgi_params; location ~* "(base64_encode)(.*)(\()" {
fastcgi_pass php7; deny all;
include common/acl.conf; }
} location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
# EasyEngine (ee) utilities deny all;
# phpMyAdmin settings }
location /pma { location ~* "(<|%3C).*script.*(>|%3)" {
return 301 https://$host:22222/db/pma; deny all;
} }
location /phpMyAdmin { location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
return 301 https://$host:22222/db/pma; deny all;
} }
location /phpmyadmin { location ~* "(boot\.ini|etc/passwd|self/environ)" {
return 301 https://$host:22222/db/pma; deny all;
} }
# Adminer settings location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
location /adminer { deny all;
return 301 https://$host:22222/db/adminer; }
} location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
deny all;
}
location ~* "(https?|ftp|php):/" {
deny all;
}
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
deny all;
}
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
deny all;
}
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
deny all;
}
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all;
}
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
deny all;
}
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
deny all;
}
# Status pages
location = /nginx_status {
stub_status on;
access_log off;
include common/acl.conf;
}
location ~ ^/(status|ping)$ {
include fastcgi_params;
include common/acl.conf;
fastcgi_pass php7;
}
# EasyEngine (ee) utilities
# phpMyAdmin settings
location = /pma {
return 301 https://$host:22222/db/pma;
}
location = /phpMyAdmin {
return 301 https://$host:22222/db/pma;
}
location = /phpmyadmin {
return 301 https://$host:22222/db/pma;
}
# Adminer settings
location = /adminer {
return 301 https://$host:22222/db/adminer;
}

View File

@ -1,82 +1,133 @@
# NGINX CONFIGURATION FOR COMMON LOCATION # NGINX CONFIGURATION FOR COMMON LOCATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Basic locations files # Basic locations files
location = /favicon.ico { location = /favicon.ico {
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
} }
location = /robots.txt { location = /robots.txt {
# Some WordPress plugin gererate robots.txt file # Some WordPress plugin gererate robots.txt file
# Refer #340 issue # Refer #340 issue
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Cache static files # Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$
{ {
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
expires max; expires max;
} }
# Cache css & js files # Cache css & js files
location ~* \.(?:css(\.map)?|js(\.map)?)$ location ~* \.(?:css(\.map)?|js(\.map)?)$
{ {
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; access_log off;
log_not_found off; log_not_found off;
expires 30d; expires 30d;
} }
# Security settings for better privacy # Security settings for better privacy
# Deny hidden files # Deny hidden files
location ~ /\. { location ~ /\. {
deny all; deny all;
access_log off; }
log_not_found off; # Use the directory /var/www/html to valide acme-challenge
} # just create the sub-directories .well-known/acme-challenge and set www-data as owner
# Use the directory /var/www/html to valide acme-challenge # #
# just create the sub-directories .well-known/acme-challenge and set www-data as owner # chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
# # # #
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge location /.well-known/acme-challenge/ {
# # alias /var/www/html/.well-known/acme-challenge/;
location /.well-known/acme-challenge/ { }
alias /var/www/html/.well-known/acme-challenge/; # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
} location ~* "/(^$|readme|license|example|README|changelog)\.(txt|html|md)" {
# Deny backup extensions & log files deny all;
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ { }
deny all; # Deny backup extensions & log files and return 403 forbidden
access_log off; location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
log_not_found off; deny all;
} }
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) # common nginx configuration to block sql injection and other attacks
location ~* "/(^$|readme|license|example)\.(txt|html)" { location ~* "(eval\()" {
return 403; deny all;
} }
# Status pages location ~* "(127\.0\.0\.1)" {
location /nginx_status { deny all;
stub_status on; }
access_log off; location ~* "([a-z0-9]{2000})" {
include common/acl.conf; deny all;
} }
location ~ ^/(status|ping) { location ~* "(javascript\:)(.*)(\;)" {
include fastcgi_params; deny all;
fastcgi_pass php71; }
include common/acl.conf; location ~* "(base64_encode)(.*)(\()" {
} deny all;
# EasyEngine (ee) utilities }
# phpMyAdmin settings location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
location /pma { deny all;
return 301 https://$host:22222/db/pma; }
} location ~* "(<|%3C).*script.*(>|%3)" {
location /phpMyAdmin { deny all;
return 301 https://$host:22222/db/pma; }
} location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
location /phpmyadmin { deny all;
return 301 https://$host:22222/db/pma; }
} location ~* "(boot\.ini|etc/passwd|self/environ)" {
# Adminer settings deny all;
location /adminer { }
return 301 https://$host:22222/db/adminer; location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
} deny all;
}
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
deny all;
}
location ~* "(https?|ftp|php):/" {
deny all;
}
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
deny all;
}
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
deny all;
}
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
deny all;
}
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all;
}
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
deny all;
}
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" {
deny all;
}
# Status pages
location /nginx_status {
stub_status on;
access_log off;
include common/acl.conf;
}
location ~ ^/(status|ping) {
include fastcgi_params;
fastcgi_pass php71;
include common/acl.conf;
}
# EasyEngine (ee) utilities
# phpMyAdmin settings
location /pma {
return 301 https://$host:22222/db/pma;
}
location /phpMyAdmin {
return 301 https://$host:22222/db/pma;
}
location /phpmyadmin {
return 301 https://$host:22222/db/pma;
}
# Adminer settings
location /adminer {
return 301 https://$host:22222/db/adminer;
}

View File

@ -1,82 +1,137 @@
# NGINX CONFIGURATION FOR COMMON LOCATION # NGINX CONFIGURATION FOR COMMON LOCATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Basic locations files # Basic locations files
location = /favicon.ico { location = /favicon.ico {
access_log off; try_files /favicon.ico @empty;
log_not_found off; access_log off;
expires max; log_not_found off;
} expires max;
location = /robots.txt {
# Some WordPress plugin gererate robots.txt file }
# Refer #340 issue
try_files $uri $uri/ /index.php?$args; location @empty {
access_log off; empty_gif;
log_not_found off; }
} location = /robots.txt {
# Cache static files # Some WordPress plugin gererate robots.txt file
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ # Refer #340 issue
{ try_files $uri $uri/ /index.php?$args;
add_header "Access-Control-Allow-Origin" "*"; access_log off;
access_log off; log_not_found off;
log_not_found off; }
expires max; # Cache static files
} location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
# Cache css & js files add_header "Access-Control-Allow-Origin" "*";
location ~* \.(?:css(\.map)?|js(\.map)?)$ access_log off;
{ log_not_found off;
add_header "Access-Control-Allow-Origin" "*"; expires max;
access_log off; }
log_not_found off; # Cache css & js files
expires 30d; location ~* \.(?:css(\.map)?|js(\.map)?)$ {
} add_header "Access-Control-Allow-Origin" "*";
# Security settings for better privacy access_log off;
# Deny hidden files log_not_found off;
location ~ /\. { expires 30d;
deny all; }
access_log off; # Security settings for better privacy
log_not_found off; # Deny hidden files
} location ~ /\. {
# Use the directory /var/www/html to valide acme-challenge deny all;
# just create the sub-directories .well-known/acme-challenge and set www-data as owner }
# # # Use the directory /var/www/html to valide acme-challenge
# chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge # just create the sub-directories .well-known/acme-challenge and set www-data as owner
# # # #
location /.well-known/acme-challenge/ { # chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
alias /var/www/html/.well-known/acme-challenge/; # #
} location /.well-known/acme-challenge/ {
# Deny backup extensions & log files alias /var/www/html/.well-known/acme-challenge/;
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ { }
deny all; # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
access_log off; location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
log_not_found off; deny all;
} }
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) # Deny backup extensions & log files and return 403 forbidden
location ~* "/(^$|readme|license|example)\.(txt|html)" { location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
return 403; deny all;
} }
# Status pages # common nginx configuration to block sql injection and other attacks
location /nginx_status { location ~* "(eval\()" {
stub_status on; deny all;
access_log off; }
include common/acl.conf; location ~* "(127\.0\.0\.1)" {
} deny all;
location ~ ^/(status|ping) { }
include fastcgi_params; location ~* "([a-z0-9]{2000})" {
fastcgi_pass php72; deny all;
include common/acl.conf; }
} location ~* "(javascript\:)(.*)(\;)" {
# EasyEngine (ee) utilities deny all;
# phpMyAdmin settings }
location /pma { location ~* "(base64_encode)(.*)(\()" {
return 301 https://$host:22222/db/pma; deny all;
} }
location /phpMyAdmin { location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
return 301 https://$host:22222/db/pma; deny all;
} }
location /phpmyadmin { location ~* "(<|%3C).*script.*(>|%3)" {
return 301 https://$host:22222/db/pma; deny all;
} }
# Adminer settings location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
location /adminer { deny all;
return 301 https://$host:22222/db/adminer; }
} location ~* "(boot\.ini|etc/passwd|self/environ)" {
deny all;
}
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
deny all;
}
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
deny all;
}
location ~* "(https?|ftp|php):/" {
deny all;
}
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
deny all;
}
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
deny all;
}
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
deny all;
}
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all;
}
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
deny all;
}
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
deny all;
}
# Status pages
location /nginx_status {
stub_status on;
access_log off;
include common/acl.conf;
}
location ~ ^/(status|ping) {
include fastcgi_params;
include common/acl.conf;
fastcgi_pass php72;
}
# EasyEngine (ee) utilities
# phpMyAdmin settings
location /pma {
return 301 https://$host:22222/db/pma;
}
location /phpMyAdmin {
return 301 https://$host:22222/db/pma;
}
location /phpmyadmin {
return 301 https://$host:22222/db/pma;
}
# Adminer settings
location /adminer {
return 301 https://$host:22222/db/adminer;
}

View File

@ -1,33 +1,37 @@
# WordPress COMMON SETTINGS # WordPress COMMON SETTINGS
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack # Limit access to avoid brute force attack
location = /wp-login.php { location = /wp-login.php {
limit_req zone=one burst=1 nodelay; limit_req zone=one burst=1 nodelay;
include fastcgi_params; include fastcgi_params;
fastcgi_pass php7; fastcgi_pass php7;
} }
# Disable wp-config.txt # Disable wp-config.txt
location = /wp-config.txt { location = /wp-config.txt {
deny all; deny all;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Disallow php in upload folder # Disallow php in upload folder and add webp rewrite
location /wp-content/uploads/ { location /wp-content/uploads/ {
location ~ \.php$ { location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers #Prevent Direct Access Of PHP Files From Web Browsers
deny all; deny all;
} }
} # webp rewrite rules
location ~* ^/wp-content/.+\.(png|jpg)$ { location ~ \.(png|jpe?g)$ {
add_header Vary Accept; add_header Vary "Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*"; add_header "Access-Control-Allow-Origin" "*";
access_log off; add_header Cache-Control "public, no-transform";
log_not_found off; access_log off;
expires max; log_not_found off;
try_files $uri$webp_suffix $uri =404; expires max;
} try_files $uri$webp_suffix $uri =404;
}
location ~ \/wp-admin\/load-(scripts|styles).php { }
deny all; # mitigate DoS attack CVE with WordPress script concatenation
} # add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php {
deny all;
}

View File

@ -1,35 +1,37 @@
# WordPress COMMON SETTINGS # WordPress COMMON SETTINGS
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack # Limit access to avoid brute force attack
location = /wp-login.php { location = /wp-login.php {
limit_req zone=one burst=1 nodelay; limit_req zone=one burst=1 nodelay;
include fastcgi_params; include fastcgi_params;
fastcgi_pass php71; fastcgi_pass php71;
} }
# Disable wp-config.txt # Disable wp-config.txt
location = /wp-config.txt { location = /wp-config.txt {
deny all; deny all;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Disallow php in upload folder and add webp rewrite # Disallow php in upload folder and add webp rewrite
location /wp-content/uploads/ { location /wp-content/uploads/ {
location ~ \.php$ { location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers #Prevent Direct Access Of PHP Files From Web Browsers
deny all; deny all;
} }
location ~ \.(png|jpe?g)$ { # webp rewrite rules
add_header Vary "Accept-Encoding"; location ~ \.(png|jpe?g)$ {
add_header "Access-Control-Allow-Origin" "*"; add_header Vary "Accept-Encoding";
add_header Cache-Control "public, no-transform"; add_header "Access-Control-Allow-Origin" "*";
access_log off; add_header Cache-Control "public, no-transform";
log_not_found off; access_log off;
expires max; log_not_found off;
try_files $uri$webp_suffix $uri =404; expires max;
} try_files $uri$webp_suffix $uri =404;
} }
}
# mitigate DoS attack CVE with WordPress script concatenation # mitigate DoS attack CVE with WordPress script concatenation
location ~ \/wp-admin\/load-(scripts|styles).php { # add the following line to wp-config.php
deny all; # define( 'CONCATENATE_SCRIPTS', false );
} location ~ \/wp-admin\/load-(scripts|styles).php {
deny all;
}

View File

@ -1,35 +1,37 @@
# WordPress COMMON SETTINGS # WordPress COMMON SETTINGS
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack # Limit access to avoid brute force attack
location = /wp-login.php { location = /wp-login.php {
limit_req zone=one burst=1 nodelay; limit_req zone=one burst=1 nodelay;
include fastcgi_params; include fastcgi_params;
fastcgi_pass php72; fastcgi_pass php72;
} }
# Disable wp-config.txt # Disable wp-config.txt
location = /wp-config.txt { location = /wp-config.txt {
deny all; deny all;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Disallow php in upload folder and add webp rewrite # Disallow php in upload folder and add webp rewrite
location /wp-content/uploads/ { location /wp-content/uploads/ {
location ~ \.php$ { location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers #Prevent Direct Access Of PHP Files From Web Browsers
deny all; deny all;
} }
location ~ \.(png|jpe?g)$ { # webp rewrite rules
add_header Vary "Accept-Encoding"; location ~ \.(png|jpe?g)$ {
add_header "Access-Control-Allow-Origin" "*"; add_header Vary "Accept-Encoding";
add_header Cache-Control "public, no-transform"; add_header "Access-Control-Allow-Origin" "*";
access_log off; add_header Cache-Control "public, no-transform";
log_not_found off; access_log off;
expires max; log_not_found off;
try_files $uri$webp_suffix $uri =404; expires max;
} try_files $uri$webp_suffix $uri =404;
} }
}
# mitigate DoS attack CVE with WordPress script concatenation # mitigate DoS attack CVE with WordPress script concatenation
location ~ \/wp-admin\/load-(scripts|styles).php { # add the following line to wp-config.php
deny all; # define( 'CONCATENATE_SCRIPTS', false );
} location ~ \/wp-admin\/load-(scripts|styles).php {
deny all;
}