update nginx ssl_cipher suite et fix git init
This commit is contained in:
parent
475848d84f
commit
f283edd702
10
README.md
10
README.md
|
@ -304,7 +304,8 @@ Then you can check php version with command `php -v`
|
|||
cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/
|
||||
|
||||
# commit change with git
|
||||
git -C /etc/nginx init && git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"
|
||||
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"
|
||||
|
||||
```
|
||||
|
||||
### Compile the latest Nginx release with [nginx-ee](https://github.com/VirtuBox/nginx-ee)
|
||||
|
@ -325,16 +326,13 @@ Choose one of them
|
|||
# TLSv1.2 TLSv1.3 only (recommended)
|
||||
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf
|
||||
|
||||
# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
|
||||
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-intermediate.conf
|
||||
|
||||
# TLSv1.2 only
|
||||
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-tlsv12.conf
|
||||
```
|
||||
|
||||
```bash
|
||||
# commit change with git
|
||||
git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf configurations"
|
||||
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf"
|
||||
```
|
||||
|
||||
### Nginx configuration for netdata
|
||||
|
@ -346,7 +344,7 @@ git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf conf
|
|||
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222
|
||||
|
||||
# commit change with git
|
||||
git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration"
|
||||
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration"
|
||||
```
|
||||
|
||||
#### Increase Nginx open files limits
|
||||
|
|
|
@ -78,10 +78,13 @@ All previous configurations are still available in the branch [easyengine-v3](ht
|
|||
- [netdata](#netdata)
|
||||
|
||||
- [cht.sh (cheat)](#chtsh-cheat)
|
||||
|
||||
- [nanorc - Improved Nano Syntax Highlighting Files](#nanorc---improved-nano-syntax-highlighting-files)
|
||||
|
||||
- [Add WP-CLI & bash-completion for user www-data](#add-wp-cli--bash-completion-for-user-www-data)
|
||||
|
||||
- [Cleanup previous EasyEngine v3](#cleanup-previous-easyengine-v3)
|
||||
|
||||
- [Removing previous php versions](#removing-previous-php-versions)
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
@ -302,7 +305,7 @@ Then you can check php version with command `php -v`
|
|||
cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/
|
||||
|
||||
# commit change with git
|
||||
git -C /etc/nginx init && git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"
|
||||
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"
|
||||
```
|
||||
|
||||
### Compile the latest Nginx release with [nginx-ee](https://github.com/VirtuBox/nginx-ee)
|
||||
|
@ -323,29 +326,25 @@ Choose one of them
|
|||
# TLSv1.2 TLSv1.3 only (recommended)
|
||||
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf
|
||||
|
||||
# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
|
||||
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-intermediate.conf
|
||||
|
||||
# TLSv1.2 only
|
||||
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-tlsv12.conf
|
||||
```
|
||||
|
||||
```bash
|
||||
# commit change with git
|
||||
git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf configurations"
|
||||
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf"
|
||||
```
|
||||
|
||||
### Nginx configuration for netdata
|
||||
|
||||
<span style="color: red">Included by default in WordOps - this may not be needed anymore</span>
|
||||
|
||||
|
||||
```bash
|
||||
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
|
||||
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222
|
||||
|
||||
# commit change with git
|
||||
git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration"
|
||||
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration"
|
||||
```
|
||||
|
||||
#### Increase Nginx open files limits
|
||||
|
@ -489,7 +488,6 @@ chmod -R g+rw /var/www/yourdomain.tld
|
|||
|
||||
<span style="color: red">Included by default in WordOps - this may not be needed anymore</span>
|
||||
|
||||
|
||||
[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers
|
||||
|
||||
- subdomain support
|
||||
|
@ -583,7 +581,6 @@ wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -qO- | s
|
|||
|
||||
<span style="color: red">Included by default in WordOps - this may not be needed anymore</span>
|
||||
|
||||
|
||||
```bashrc
|
||||
# download wp-cli bash_completion
|
||||
wget -qO /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
|
||||
|
|
|
@ -0,0 +1,81 @@
|
|||
# WordPress COMMON SETTINGS
|
||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
||||
# Limit access to avoid brute force attack
|
||||
location = /wp-login.php {
|
||||
limit_req zone=one burst=1 nodelay;
|
||||
include fastcgi_params;
|
||||
fastcgi_pass php73;
|
||||
}
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
# webp rewrite rules for jpg and png images
|
||||
# try to load alternative image.png.webp before image.png
|
||||
location /wp-content/uploads {
|
||||
location ~ \.(png|jpe?g)$ {
|
||||
add_header Vary "Accept-Encoding";
|
||||
add_header "Access-Control-Allow-Origin" "*";
|
||||
add_header Cache-Control "public, no-transform";
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
expires max;
|
||||
try_files $uri$webp_suffix $uri =404;
|
||||
}
|
||||
location ~ \.php$ {
|
||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||
deny all;
|
||||
}
|
||||
}
|
||||
# Deny access to any files with a .php extension in the uploads directory
|
||||
# Works in sub-directory installs and also in multisite network
|
||||
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
|
||||
location ~* /(?:uploads|files)/.*\.php$ {
|
||||
deny all;
|
||||
}
|
||||
# mitigate DoS attack CVE with WordPress script concatenation
|
||||
# add the following line to wp-config.php
|
||||
# define( 'CONCATENATE_SCRIPTS', false );
|
||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location "=/wp-config\.(php|txt)" {
|
||||
|
||||
location ~* wp-config.php { deny all; }
|
||||
|
||||
location ~* "^/wp-content/uploads/.*\\.php" { deny all; }
|
||||
location ~* "^/wp-includes/(?!js/tinymce/wp-tinymce\\.php$).*\\.php" {
|
||||
deny all;
|
||||
}
|
||||
location ~* "^/wp-admin/(load-styles|load-scripts)\\.php" { deny all; }
|
||||
|
||||
location ~* ".*/cache/.*\\.ph(?:p[345]?|t|tml)" {
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
deny all;
|
||||
}
|
||||
|
||||
if ($query_string ~ "author=\d+") {
|
||||
return 403;
|
||||
}
|
||||
|
||||
location ~* "(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html))" {
|
||||
return 403;
|
||||
}
|
||||
|
||||
location ~* ".*\\.(psd|log|cmd|exe|bat|csh|sh)" {
|
||||
return 403;
|
||||
}
|
||||
|
||||
location ~* /\.ht {
|
||||
deny all;
|
||||
}
|
||||
|
||||
if ($http_user_agent ~* "(?:acunetix|BLEXBot|domaincrawler\\.com|LinkpadBot|MJ12bot/v|majestic12\\.co\\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\\s+Link\\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)") {
|
||||
return 403;
|
||||
}
|
||||
|
||||
#extension wp-toolkit end
|
|
@ -1,151 +0,0 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
worker_cpu_affinity auto;
|
||||
worker_rlimit_nofile 100000;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
pcre_jit on;
|
||||
|
||||
events
|
||||
{
|
||||
multi_accept on;
|
||||
worker_connections 50000;
|
||||
accept_mutex on;
|
||||
use epoll;
|
||||
|
||||
http
|
||||
{
|
||||
##
|
||||
# EasyEngine Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
sendfile_max_chunk 512k;
|
||||
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
|
||||
keepalive_timeout 8;
|
||||
keepalive_requests 500;
|
||||
|
||||
lingering_time 20s;
|
||||
lingering_timeout 5s;
|
||||
|
||||
server_tokens off;
|
||||
reset_timedout_connection on;
|
||||
add_header X-Powered-By "WordOps v3.9.4 - Optimized by VirtuBox";
|
||||
add_header rt-Fastcgi-Cache $upstream_cache_status;
|
||||
|
||||
# Limit Request
|
||||
limit_req_status 403;
|
||||
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;
|
||||
|
||||
#Simple DOS mitigation
|
||||
##Max c/s by ip
|
||||
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
|
||||
#limit_conn limit_per_ip 80;
|
||||
|
||||
##Max rq/s by ip
|
||||
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
|
||||
#limit_req zone=allips burst=400 nodelay;
|
||||
|
||||
# Proxy Settings
|
||||
# set_real_ip_from proxy-server-ip;
|
||||
# real_ip_header X-Forwarded-For;
|
||||
|
||||
fastcgi_read_timeout 300;
|
||||
client_max_body_size 100m;
|
||||
|
||||
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
|
||||
aio threads;
|
||||
|
||||
# tls dynamic records patch directive
|
||||
ssl_dyn_rec_enable on;
|
||||
ssl_dyn_rec_enable on;
|
||||
ssl_dyn_rec_size_hi 4229;
|
||||
ssl_dyn_rec_size_lo 1369;
|
||||
ssl_dyn_rec_threshold 40;
|
||||
ssl_dyn_rec_timeout 1000;
|
||||
|
||||
# nginx-vts-status module
|
||||
vhost_traffic_status_zone;
|
||||
|
||||
resolver 8.8.8.8 1.1.1.1 valid=300s;
|
||||
resolver_timeout 10;
|
||||
|
||||
|
||||
##
|
||||
# GeoIP module configuration, before removing comments
|
||||
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
|
||||
##
|
||||
#geoip_country /usr/share/GeoIP/GeoIP.dat;
|
||||
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
# intermediate configuration. tweak to your needs.
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
|
||||
|
||||
# Common security headers
|
||||
more_set_headers "X-Frame-Options : SAMEORIGIN";
|
||||
more_set_headers "X-Xss-Protection : 1; mode=block";
|
||||
more_set_headers "X-Content-Type-Options : nosniff";
|
||||
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
|
||||
more_set_headers "X-Download-Options : noopen";
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
# access_log disabled for performance
|
||||
##
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
# Log format Settings
|
||||
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
|
||||
'$http_host "$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" $server_protocol';
|
||||
|
||||
# ipscrub settings
|
||||
ipscrub_period_seconds 3600;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
# mitigation of CRIME/BREACH attacks
|
||||
gzip off;
|
||||
|
||||
|
||||
##
|
||||
# Brotli Settings
|
||||
##
|
||||
|
||||
brotli on;
|
||||
brotli_static on;
|
||||
brotli_buffers 16 8k;
|
||||
brotli_comp_level 4;
|
||||
brotli_types *;
|
||||
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
|
@ -92,7 +92,7 @@ http
|
|||
ssl_early_data off;
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES';
|
||||
ssl_ciphers 'TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 1d;
|
||||
|
@ -105,7 +105,7 @@ http
|
|||
more_set_headers "X-Content-Type-Options : nosniff";
|
||||
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
|
||||
more_set_headers "X-Download-Options : noopen";
|
||||
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
|
Loading…
Reference in New Issue