Browse Source

update nginx ssl_cipher suite et fix git init

master
VirtuBox 1 year ago
parent
commit
f283edd702
5 changed files with 93 additions and 168 deletions
  1. +4
    -6
      README.md
  2. +6
    -9
      docs/README.md
  3. +81
    -0
      etc/nginx/common/wpcommon-php73.conf
  4. +0
    -151
      etc/nginx/nginx-intermediate.conf
  5. +2
    -2
      etc/nginx/nginx.conf

+ 4
- 6
README.md View File

@@ -304,7 +304,8 @@ Then you can check php version with command `php -v`
cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/

# commit change with git
git -C /etc/nginx init && git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"

```

### Compile the latest Nginx release with [nginx-ee](https://github.com/VirtuBox/nginx-ee)
@@ -325,16 +326,13 @@ Choose one of them
# TLSv1.2 TLSv1.3 only (recommended)
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf

# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-intermediate.conf

# TLSv1.2 only
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-tlsv12.conf
```

```bash
# commit change with git
git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf configurations"
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf"
```

### Nginx configuration for netdata
@@ -346,7 +344,7 @@ git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf conf
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222

# commit change with git
git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration"
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration"
```

#### Increase Nginx open files limits


+ 6
- 9
docs/README.md View File

@@ -78,10 +78,13 @@ All previous configurations are still available in the branch [easyengine-v3](ht
- [netdata](#netdata)

- [cht.sh (cheat)](#chtsh-cheat)

- [nanorc - Improved Nano Syntax Highlighting Files](#nanorc---improved-nano-syntax-highlighting-files)

- [Add WP-CLI & bash-completion for user www-data](#add-wp-cli--bash-completion-for-user-www-data)

- [Cleanup previous EasyEngine v3](#cleanup-previous-easyengine-v3)

- [Removing previous php versions](#removing-previous-php-versions)

--------------------------------------------------------------------------------
@@ -302,7 +305,7 @@ Then you can check php version with command `php -v`
cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/

# commit change with git
git -C /etc/nginx init && git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"
```

### Compile the latest Nginx release with [nginx-ee](https://github.com/VirtuBox/nginx-ee)
@@ -323,29 +326,25 @@ Choose one of them
# TLSv1.2 TLSv1.3 only (recommended)
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf

# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-intermediate.conf

# TLSv1.2 only
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-tlsv12.conf
```

```bash
# commit change with git
git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf configurations"
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf"
```

### Nginx configuration for netdata

<span style="color: red">Included by default in WordOps - this may not be needed anymore</span>


```bash
# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/
cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222

# commit change with git
git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration"
[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration"
```

#### Increase Nginx open files limits
@@ -489,7 +488,6 @@ chmod -R g+rw /var/www/yourdomain.tld

<span style="color: red">Included by default in WordOps - this may not be needed anymore</span>


[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers

- subdomain support
@@ -583,7 +581,6 @@ wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -qO- | s

<span style="color: red">Included by default in WordOps - this may not be needed anymore</span>


```bashrc
# download wp-cli bash_completion
wget -qO /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash


+ 81
- 0
etc/nginx/common/wpcommon-php73.conf View File

@@ -0,0 +1,81 @@
# WordPress COMMON SETTINGS
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack
location = /wp-login.php {
limit_req zone=one burst=1 nodelay;
include fastcgi_params;
fastcgi_pass php73;
}
# Disable wp-config.txt
location = /wp-config.txt {
deny all;
access_log off;
log_not_found off;
}
# webp rewrite rules for jpg and png images
# try to load alternative image.png.webp before image.png
location /wp-content/uploads {
location ~ \.(png|jpe?g)$ {
add_header Vary "Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*";
add_header Cache-Control "public, no-transform";
access_log off;
log_not_found off;
expires max;
try_files $uri$webp_suffix $uri =404;
}
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php {
deny all;
}
location "=/wp-config\.(php|txt)" {
location ~* wp-config.php { deny all; }
location ~* "^/wp-content/uploads/.*\\.php" { deny all; }
location ~* "^/wp-includes/(?!js/tinymce/wp-tinymce\\.php$).*\\.php" {
deny all;
}
location ~* "^/wp-admin/(load-styles|load-scripts)\\.php" { deny all; }
location ~* ".*/cache/.*\\.ph(?:p[345]?|t|tml)" {
access_log off;
log_not_found off;
deny all;
}
if ($query_string ~ "author=\d+") {
return 403;
}
location ~* "(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html))" {
return 403;
}
location ~* ".*\\.(psd|log|cmd|exe|bat|csh|sh)" {
return 403;
}
location ~* /\.ht {
deny all;
}
if ($http_user_agent ~* "(?:acunetix|BLEXBot|domaincrawler\\.com|LinkpadBot|MJ12bot/v|majestic12\\.co\\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\\s+Link\\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)") {
return 403;
}
#extension wp-toolkit end

+ 0
- 151
etc/nginx/nginx-intermediate.conf View File

@@ -1,151 +0,0 @@
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;

pcre_jit on;

events
{
multi_accept on;
worker_connections 50000;
accept_mutex on;
use epoll;

http
{
##
# EasyEngine Settings
##

sendfile on;
sendfile_max_chunk 512k;

tcp_nopush on;
tcp_nodelay on;

keepalive_timeout 8;
keepalive_requests 500;

lingering_time 20s;
lingering_timeout 5s;

server_tokens off;
reset_timedout_connection on;
add_header X-Powered-By "WordOps v3.9.4 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status;

# Limit Request
limit_req_status 403;
limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s;

#Simple DOS mitigation
##Max c/s by ip
#limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
#limit_conn limit_per_ip 80;

##Max rq/s by ip
#limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
#limit_req zone=allips burst=400 nodelay;

# Proxy Settings
# set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;

fastcgi_read_timeout 300;
client_max_body_size 100m;

#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;

# tls dynamic records patch directive
ssl_dyn_rec_enable on;
ssl_dyn_rec_enable on;
ssl_dyn_rec_size_hi 4229;
ssl_dyn_rec_size_lo 1369;
ssl_dyn_rec_threshold 40;
ssl_dyn_rec_timeout 1000;

# nginx-vts-status module
vhost_traffic_status_zone;

resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 10;


##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;

##
# SSL Settings
##
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;

# Common security headers
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
more_set_headers "X-Download-Options : noopen";

##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# Logging Settings
# access_log disabled for performance
##

access_log off;
error_log /var/log/nginx/error.log;

# Log format Settings
log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $server_protocol';

# ipscrub settings
ipscrub_period_seconds 3600;

##
# Gzip Settings
##
# mitigation of CRIME/BREACH attacks
gzip off;


##
# Brotli Settings
##

brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 4;
brotli_types *;


##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

+ 2
- 2
etc/nginx/nginx.conf View File

@@ -92,7 +92,7 @@ http
ssl_early_data off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES';
ssl_ciphers 'TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
@@ -105,7 +105,7 @@ http
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
more_set_headers "X-Download-Options : noopen";
##
# Basic Settings
##


Loading…
Cancel
Save