diff --git a/README.md b/README.md index 13f0ac2..fc7311f 100644 --- a/README.md +++ b/README.md @@ -304,7 +304,8 @@ Then you can check php version with command `php -v` cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/ # commit change with git -git -C /etc/nginx init && git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations" +[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations" + ``` ### Compile the latest Nginx release with [nginx-ee](https://github.com/VirtuBox/nginx-ee) @@ -325,16 +326,13 @@ Choose one of them # TLSv1.2 TLSv1.3 only (recommended) cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf -# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3 -cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-intermediate.conf - # TLSv1.2 only cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-tlsv12.conf ``` ```bash # commit change with git -git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf configurations" +[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf" ``` ### Nginx configuration for netdata @@ -346,7 +344,7 @@ git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf conf cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222 # commit change with git -git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration" +[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration" ``` #### Increase Nginx open files limits diff --git a/docs/README.md b/docs/README.md index 96c8c10..8d95f73 100644 --- a/docs/README.md +++ b/docs/README.md 
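Review bot: The new line `[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && ...` is not valid bash — `}` must be followed by a separator before the next command, so pasting it produces a "syntax error near unexpected token" and neither the add nor the commit runs. The same line is added in the hunks at -325 and -346 of this file and at -302 and -323 of docs/README.md. Suggest making the guard its own statement, `[ -d /etc/nginx/.git ] || git -C /etc/nginx init`, and keeping the existing `git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations"` on the following line. The -325 hunk also shortens the commit message to "update nginx.conf", which is harmless but unrelated to the guard.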
@@ -78,10 +78,13 @@ All previous configurations are still available in the branch [easyengine-v3](ht - [netdata](#netdata) - [cht.sh (cheat)](#chtsh-cheat) + - [nanorc - Improved Nano Syntax Highlighting Files](#nanorc---improved-nano-syntax-highlighting-files) + - [Add WP-CLI & bash-completion for user www-data](#add-wp-cli--bash-completion-for-user-www-data) - [Cleanup previous EasyEngine v3](#cleanup-previous-easyengine-v3) + - [Removing previous php versions](#removing-previous-php-versions) -------------------------------------------------------------------------------- @@ -302,7 +305,7 @@ Then you can check php version with command `php -v` cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/ # commit change with git -git -C /etc/nginx init && git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations" +[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update conf.d configurations" ``` ### Compile the latest Nginx release with [nginx-ee](https://github.com/VirtuBox/nginx-ee) 
@@ -323,29 +326,25 @@ Choose one of them # TLSv1.2 TLSv1.3 only (recommended) cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf -# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3 -cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-intermediate.conf - # TLSv1.2 only cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-tlsv12.conf ``` ```bash # commit change with git -git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf configurations" +[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update nginx.conf" ``` ### Nginx configuration for netdata Included by default in WordOps - this may not be needed anymore - ```bash # add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/ cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222 # commit change with git -git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration" +[ ! -d /etc/nginx/.git ] && { git -C /etc/nginx init; } git -C /etc/nginx/ add . && git -C /etc/nginx/ commit -m "update 22222 configuration" ``` #### Increase Nginx open files limits @@ -489,7 +488,6 @@ chmod -R g+rw /var/www/yourdomain.tld Included by default in WordOps - this may not be needed anymore - [Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers - subdomain support @@ -583,7 +581,6 @@ wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -qO- | s Included by default in WordOps - this may not be needed anymore - ```bashrc # download wp-cli bash_completion wget -qO /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash 
diff --git a/etc/nginx/common/wpcommon-php73.conf b/etc/nginx/common/wpcommon-php73.conf new file mode 100644 index 0000000..737dc5c --- /dev/null +++ b/etc/nginx/common/wpcommon-php73.conf 
@@ -0,0 +1,81 @@ +# WordPress COMMON SETTINGS +# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) +# Limit access to avoid brute force attack +location = /wp-login.php { + limit_req zone=one burst=1 nodelay; + include fastcgi_params; + fastcgi_pass php73; +} +# Disable wp-config.txt +location = /wp-config.txt { + deny all; + access_log off; + log_not_found off; +} +# webp rewrite rules for jpg and png images +# try to load alternative image.png.webp before image.png +location /wp-content/uploads { + location ~ \.(png|jpe?g)$ { + add_header Vary "Accept-Encoding"; + add_header "Access-Control-Allow-Origin" "*"; + add_header Cache-Control "public, no-transform"; + access_log off; + log_not_found off; + expires max; + try_files $uri$webp_suffix $uri =404; + } + location ~ \.php$ { +#Prevent Direct Access Of PHP Files From Web Browsers + deny all; + } +} +# Deny access to any files with a .php extension in the uploads directory +# Works in sub-directory installs and also in multisite network +# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) +location ~* /(?:uploads|files)/.*\.php$ { + deny all; +} +# mitigate DoS attack CVE with WordPress script concatenation +# add the following line to wp-config.php +# define( 'CONCATENATE_SCRIPTS', false ); +location ~ \/wp-admin\/load-(scripts|styles).php { + deny all; +} + +location "=/wp-config\.(php|txt)" { + +location ~* wp-config.php { deny all; } + + location ~* "^/wp-content/uploads/.*\\.php" { deny all; } + location ~* "^/wp-includes/(?!js/tinymce/wp-tinymce\\.php$).*\\.php" { + deny all; + } + location ~* "^/wp-admin/(load-styles|load-scripts)\\.php" { deny all; } + + location ~* ".*/cache/.*\\.ph(?:p[345]?|t|tml)" { + access_log off; + log_not_found off; + deny all; + } + + if ($query_string ~ "author=\d+") { + return 403; + } + + location ~* "(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html))" { + 
return 403; + } + + location ~* ".*\\.(psd|log|cmd|exe|bat|csh|sh)" { + return 403; + } + + location ~* /\.ht { + deny all; + } + + if ($http_user_agent ~* "(?:acunetix|BLEXBot|domaincrawler\\.com|LinkpadBot|MJ12bot/v|majestic12\\.co\\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\\s+Link\\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)") { + return 403; + } + + #extension wp-toolkit end diff --git a/etc/nginx/nginx-intermediate.conf b/etc/nginx/nginx-intermediate.conf deleted file mode 100644 index 5c378e7..0000000 --- a/etc/nginx/nginx-intermediate.conf +++ /dev/null 
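Review bot: The line `location "=/wp-config\.(php|txt)" {` in the middle of the new file opens a block that is never closed — the file ends at `#extension wp-toolkit end` with one `{` outstanding — so `nginx -t` will reject any server that includes it. Even with a closing brace, an exact-match (`=`) location takes its argument literally, so the `(php|txt)` alternation would never match `/wp-config.php`, and nginx refuses nested `location` blocks inside an exact location. Dropping that line balances the braces and leaves the rules it was meant to wrap (`location ~* wp-config.php { deny all; }` and the others) at the same level as the earlier blocks, where they work as written; `/wp-config.txt` is already covered by the `location = /wp-config.txt` block above. `fastcgi_pass php73;` presumably refers to an upstream defined in another conf.d file — worth confirming it exists wherever this snippet is included.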
@@ -1,151 +0,0 @@ -user www-data; -worker_processes auto; -worker_cpu_affinity auto; -worker_rlimit_nofile 100000; -pid /run/nginx.pid; - -pcre_jit on; - -events -{ - multi_accept on; - worker_connections 50000; - accept_mutex on; - use epoll; - -http -{ - ## - # EasyEngine Settings - ## - - sendfile on; - sendfile_max_chunk 512k; - - tcp_nopush on; - tcp_nodelay on; - - keepalive_timeout 8; - keepalive_requests 500; - - lingering_time 20s; - lingering_timeout 5s; - - server_tokens off; - reset_timedout_connection on; - add_header X-Powered-By "WordOps v3.9.4 - Optimized by VirtuBox"; - add_header rt-Fastcgi-Cache $upstream_cache_status; - - # Limit Request - limit_req_status 403; - limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s; - - #Simple DOS mitigation - ##Max c/s by ip - #limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m; - #limit_conn limit_per_ip 80; - - ##Max rq/s by ip - #limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s; - #limit_req zone=allips burst=400 nodelay; - - # Proxy Settings - # set_real_ip_from proxy-server-ip; - # real_ip_header X-Forwarded-For; - - fastcgi_read_timeout 300; - client_max_body_size 100m; - - #See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/ - aio threads; - - # tls dynamic records patch directive - ssl_dyn_rec_enable on; - ssl_dyn_rec_enable on; - ssl_dyn_rec_size_hi 4229; - ssl_dyn_rec_size_lo 1369; - ssl_dyn_rec_threshold 40; - ssl_dyn_rec_timeout 1000; - - # nginx-vts-status module - vhost_traffic_status_zone; - - resolver 8.8.8.8 1.1.1.1 valid=300s; - resolver_timeout 10; - - - ## - # GeoIP module configuration, before removing comments - # read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840 - ## - #geoip_country /usr/share/GeoIP/GeoIP.dat; - #geoip_city /usr/share/GeoIP/GeoIPCity.dat; - - ## - # SSL Settings - ## - # intermediate configuration. tweak to your needs. 
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:50m; - ssl_session_timeout 1d; - ssl_session_tickets off; - ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1; - - # Common security headers - more_set_headers "X-Frame-Options : SAMEORIGIN"; - more_set_headers "X-Xss-Protection : 1; mode=block"; - more_set_headers "X-Content-Type-Options : nosniff"; - more_set_headers "Referrer-Policy : strict-origin-when-cross-origin"; - more_set_headers "X-Download-Options : noopen"; - - ## - # Basic Settings - ## - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - ## - # Logging Settings - # access_log disabled for performance - ## - - access_log off; - error_log /var/log/nginx/error.log; - - # Log format Settings - log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] ' - '$http_host "$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent" $server_protocol'; - - # ipscrub settings - ipscrub_period_seconds 3600; - - ## - # Gzip Settings - ## - # mitigation of CRIME/BREACH attacks - gzip off; - - - ## - # Brotli Settings - ## - 
- brotli on; - brotli_static on; - brotli_buffers 16 8k; - brotli_comp_level 4; - brotli_types *; - - - ## - # Virtual Host Configs - ## - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; -} diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf index 7dcf774..e457d23 100644 --- a/etc/nginx/nginx.conf +++ b/etc/nginx/nginx.conf @@ -92,7 +92,7 @@ http ssl_early_data off; ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES'; + ssl_ciphers 'TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; @@ -105,7 +105,7 @@ http more_set_headers "X-Content-Type-Options : nosniff"; more_set_headers "Referrer-Policy : strict-origin-when-cross-origin"; more_set_headers "X-Download-Options : noopen"; - + ## # Basic Settings ##
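Review bot: The rewritten `ssl_ciphers` line drops the `EECDH+AES` (CBC) fallback and moves AES-128-GCM ahead of AES-256-GCM without a comment recording either decision, and since `ssl_prefer_server_ciphers on` follows, this order is what clients get. Suggest a comment above it: `# AEAD-only: ECDHE with AES-GCM or ChaCha20, no CBC suites; AES-128-GCM first (cheaper on AES-NI hosts)`. The `TLS13+…` aliases appear to rely on the patched OpenSSL that nginx-ee builds; on a stock OpenSSL 1.1.1 they do not order TLS 1.3 suites, so if that order matters it should be set through `ssl_conf_command Ciphersuites ...` (nginx 1.19.4+) instead. Removing CBC also means clients without AES-GCM or ChaCha20 support now fail the handshake, which is worth stating next to the "TLSv1.2 TLSv1.3 only" choice in the README.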