update nginx ssl_cipher suite et fix git init

This commit is contained in:
VirtuBox 2019-04-04 14:09:37 +02:00
parent 475848d84f
commit f283edd702
5 changed files with 93 additions and 168 deletions

View File

@ -304,7 +304,8 @@ Then you can check php version with command `php -v`
cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/
# commit change with git
git -C /etc/nginx init && git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"
```
### Compile the latest Nginx release with [nginx-ee](https://github.com/VirtuBox/nginx-ee)
@ -325,16 +326,13 @@ Choose one of them
# TLSv1.2 TLSv1.3 only (recommended)
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf
# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-intermediate.conf
# TLSv1.2 only
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-tlsv12.conf
```
```bash
# commit change with git
git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf configurations"
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf"
```
### Nginx configuration for netdata
@ -346,7 +344,7 @@ git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf conf
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222
# commit change with git
git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration"
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration"
```
#### Increase Nginx open files limits

View File

@ -78,10 +78,13 @@ All previous configurations are still available in the branch [easyengine-v3](ht
- [netdata](#netdata)
- [cht.sh (cheat)](#chtsh-cheat)
- [nanorc - Improved Nano Syntax Highlighting Files](#nanorc---improved-nano-syntax-highlighting-files)
- [Add WP-CLI & bash-completion for user www-data](#add-wp-cli--bash-completion-for-user-www-data)
- [Cleanup previous EasyEngine v3](#cleanup-previous-easyengine-v3)
- [Removing previous php versions](#removing-previous-php-versions)
--------------------------------------------------------------------------------
@ -302,7 +305,7 @@ Then you can check php version with command `php -v`
cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/
# commit change with git
git -C /etc/nginx init && git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"
```
### Compile the latest Nginx release with [nginx-ee](https://github.com/VirtuBox/nginx-ee)
@ -323,29 +326,25 @@ Choose one of them
# TLSv1.2 TLSv1.3 only (recommended)
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf
# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-intermediate.conf
# TLSv1.2 only
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-tlsv12.conf
```
```bash
# commit change with git
git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf configurations"
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf"
```
### Nginx configuration for netdata
<span style="color: red">Included by default in WordOps - this may not be needed anymore</span>
```bash
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222
# commit change with git
git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration"
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration"
```
#### Increase Nginx open files limits
@ -489,7 +488,6 @@ chmod -R g+rw /var/www/yourdomain.tld
<span style="color: red">Included by default in WordOps - this may not be needed anymore</span>
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
- subdomain support
@ -583,7 +581,6 @@ wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -qO- | s
<span style="color: red">Included by default in WordOps - this may not be needed anymore</span>
```bashrc
# download wp-cli bash_completion
wget -qO /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash

View File

@ -0,0 +1,81 @@
# WordPress COMMON SETTINGS
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack
location = /wp-login.php {
limit_req zone=one burst=1 nodelay;
include fastcgi_params;
fastcgi_pass php73;
}
# Disable wp-config.txt
location = /wp-config.txt {
deny all;
access_log off;
log_not_found off;
}
# webp rewrite rules for jpg and png images
# try to load alternative image.png.webp before image.png
location /wp-content/uploads {
location ~ \.(png|jpe?g)$ {
add_header Vary "Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*";
add_header Cache-Control "public, no-transform";
access_log off;
log_not_found off;
expires max;
try_files $uri$webp_suffix $uri =404;
}
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php {
deny all;
}
location "=/wp-config\.(php|txt)" {
location ~* wp-config.php { deny all; }
location ~* "^/wp-content/uploads/.*\\.php" { deny all; }
location ~* "^/wp-includes/(?!js/tinymce/wp-tinymce\\.php$).*\\.php" {
deny all;
}
location ~* "^/wp-admin/(load-styles|load-scripts)\\.php" { deny all; }
location ~* ".*/cache/.*\\.ph(?:p[345]?|t|tml)" {
access_log off;
log_not_found off;
deny all;
}
if ($query_string ~ "author=\d+") {
return 403;
}
location ~* "(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html))" {
return 403;
}
location ~* ".*\\.(psd|log|cmd|exe|bat|csh|sh)" {
return 403;
}
location ~* /\.ht {
deny all;
}
if ($http_user_agent ~* "(?:acunetix|BLEXBot|domaincrawler\\.com|LinkpadBot|MJ12bot/v|majestic12\\.co\\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\\s+Link\\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)") {
return 403;
}
#extension wp-toolkit end

View File

@ -1,151 +0,0 @@
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;
pcre_jit on;
events
{
multi_accept on;
worker_connections 50000;
accept_mutex on;
use epoll;
http
{
##
# EasyEngine Settings
##
sendfile on;
sendfile_max_chunk 512k;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 8;
keepalive_requests 500;
lingering_time 20s;
lingering_timeout 5s;
server_tokens off;
reset_timedout_connection on;
add_header X-Powered-By "WordOps v3.9.4 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request
limit_req_status 403;
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
#Simple DOS mitigation
##Max c/s by ip
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
#limit_conn limit_per_ip 80;
##Max rq/s by ip
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
#limit_req zone=allips burst=400 nodelay;
# Proxy Settings
# set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
fastcgi_read_timeout 300;
client_max_body_size 100m;
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;
# tls dynamic records patch directive
ssl_dyn_rec_enable on;
ssl_dyn_rec_enable on;
ssl_dyn_rec_size_hi 4229;
ssl_dyn_rec_size_lo 1369;
ssl_dyn_rec_threshold 40;
ssl_dyn_rec_timeout 1000;
# nginx-vts-status module
vhost_traffic_status_zone;
resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 10;
##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
##
# SSL Settings
##
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
# Common security headers
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
more_set_headers "X-Download-Options : noopen";
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
# access_log disabled for performance
##
access_log off;
error_log /var/log/nginx/error.log;
# Log format Settings
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $server_protocol';
# ipscrub settings
ipscrub_period_seconds 3600;
##
# Gzip Settings
##
# mitigation of CRIME/BREACH attacks
gzip off;
##
# Brotli Settings
##
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 4;
brotli_types *;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

View File

@ -92,7 +92,7 @@ http
ssl_early_data off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES';
ssl_ciphers 'TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
@ -105,7 +105,7 @@ http
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
more_set_headers "X-Download-Options : noopen";
##
# Basic Settings
##