

  # NGINX CONFIGURATION FOR COMMON LOCATION
  # DO NOT MODIFY: all changes are lost on the next EasyEngine (ee) update.
  # Basic location files
  #
  # /favicon.ico: serve the real file when it exists, otherwise hand the
  # request to @empty (a 1x1 transparent GIF) so browsers stop retrying.
  location = /favicon.ico {
      try_files /favicon.ico @empty;
      # Favicon hits are noise: neither successful nor missing requests are logged.
      # NOTE(review): after the try_files internal redirect the settings of the
      # @empty location apply (inherited from server{}, not from here), so
      # requests answered by the placeholder are presumably still logged and
      # carry no far-future Expires -- confirm in the access log.
      access_log off;
      log_not_found off;
      # Far-future Expires/Cache-Control for the real favicon file.
      expires max;
  }
  # Named fallback for /favicon.ico: answers 200 with a 1x1 transparent GIF
  # (ngx_http_empty_gif_module) instead of a 404.
  location @empty {
      empty_gif;
  }
  # /robots.txt: a file on disk wins; otherwise the request is meant to reach
  # WordPress (some plugins generate robots.txt dynamically, see issue #340),
  # with @robots as the last-resort static answer.
  location = /robots.txt {
      # NOTE(review): only the LAST try_files argument is a fallback URI; the
      # earlier ones are tested as paths under root. "/index.php?$args" is
      # therefore looked up as a file name (query string included), which will
      # not exist, so requests presumably always end in @robots unless a real
      # robots.txt is on disk -- confirm that plugin-generated robots.txt works.
      try_files $uri $uri/ /index.php?$args @robots;
      access_log off;
      log_not_found off;
  }
  # Fallback for robots.txt with the default WordPress rules: keep crawlers out
  # of /wp-admin/ but allow admin-ajax.php, which front-end features rely on.
  location @robots {
      return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
  }
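  # Cache static files: served straight from disk with far-future caching and a
  # permissive CORS header (needed for web fonts loaded from another origin).
  #
  # Regex locations are matched in order of appearance and the first match wins,
  # so every extension listed here bypasses the deny rules further down. "exe"
  # and "tar" were removed from this list: the backup/log deny rule below is
  # meant to return 403 for them and could never be reached while they were
  # listed here. The duplicate "ttf" entry was dropped as well.
  # Archive types (zip, gz, tgz, rar, bz2) are still served -- a "dump.sql.gz"
  # left in the docroot is downloadable, only a bare "*.sql" is denied below.
  # SVG is served inline and may contain script; restrict uploads or add a
  # Content-Security-Policy if untrusted users can upload SVG.
  location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|ppt|mid|midi|wav|bmp|rtf|swf|webp)$ {
      # add_header is not inherited additively: because this location sets one,
      # any add_header directives from the enclosing server{} block (e.g.
      # security headers) are NOT sent for these responses unless repeated here.
      add_header "Access-Control-Allow-Origin" "*";
      access_log off;
      log_not_found off;
      expires max;
  }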
  # Cache css & js files (and their source maps) for 30 days with a permissive
  # CORS header. ".map" files expose original sources and paths; exclude them
  # from production deploys if that is a concern.
  location ~* \.(?:css(\.map)?|js(\.map)?)$ {
      # Setting add_header here suppresses inheritance of any add_header
      # directives from the enclosing server{} block for these responses.
      add_header "Access-Control-Allow-Origin" "*";
      access_log off;
      log_not_found off;
      expires 30d;
  }
  # Security settings for better privacy
  # Deny dotfiles and dot-directories (.git, .svn, .env, .htaccess, ...) except
  # /.well-known/, which ACME and other RFC 8615 clients need to reach.
  # This is a case-sensitive regex ("~"), so "/.Well-Known/" is still denied.
  # Being a regex location it is first-match in file order: a dotfile whose
  # extension is in the static-asset lists above (e.g. "/.hidden/x.png") is
  # served by those locations before this rule is consulted.
  # "deny all" answers 403; "return 404;" would reveal less to a scanner.
  location ~ /\.(?!well-known\/) {
      deny all;
  }
  # Use the directory /var/www/html to validate acme-challenge requests:
  # just create the sub-directories .well-known/acme-challenge
  ####
  # sudo chown -R www-data:www-data /var/www/html && sudo -u www-data mkdir -p /var/www/html/.well-known/acme-challenge
  ####
  # (Giving www-data ownership of all of /var/www/html is broader than the
  # challenge directory needs; a chown limited to .well-known is sufficient.)
  # location /.well-known/acme-challenge/ {
  #     alias /var/www/html/.well-known/acme-challenge/;
  # }
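  # Return 403 for readme/license/example/legalnotice/installation/changelog
  # files (.txt/.html/.md) anywhere under the root, and other common repository
  # files of that kind: WordPress itself ships /readme.html and /license.txt,
  # and themes/plugins ship similar files that disclose exact versions.
  # The match is case-insensitive ("~*"), so the former upper-case duplicates
  # (README, LEGALNOTICE, ...) were redundant, and the "^$" alternative could
  # never match after a "/"; both were dropped -- the set of denied paths is
  # unchanged. The pattern is unanchored on the right, so "/readme.txt/anything"
  # is denied as well.
  location ~* "/(readme|license|example|legalnotice|installation|changelog)\.(txt|html|md)" {
      deny all;
  }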
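  # Deny backup, editor-swap, source-control, config and log file extensions
  # (403). Anchored with "$" so only the final extension counts: "dump.sql" is
  # denied but "dump.sql.gz" is not.
  # "bak?" was changed to "bak": the "?" made the "k" optional, so the rule
  # matched ".ba" rather than the intended ".bak".
  # "php#" can never match because "#" starts the URL fragment and is not part
  # of the request URI nginx sees; it is kept for compatibility only.
  # Regex locations are first-match in file order, so extensions that an earlier
  # location claims (e.g. a static-asset list containing exe or tar) never reach
  # this rule.
  location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
      deny all;
  }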
  # common nginx configuration to block sql injection and other attacks
  #
  # Scope of every rule in this section: a "location" regex is matched only
  # against the normalized request path ($uri: percent-decoded, "." and ".."
  # resolved, repeated slashes merged). Query strings, headers, cookies and the
  # request body are never inspected, so this is a path-based blocklist, not a
  # WAF -- injection attempts carried in ?query=... pass straight through.
  # Regex locations are first-match in file order; URIs already claimed by the
  # static-asset locations above never reach these rules.
  # Every rule answers 403 via "deny all".
  #
  # "eval(" anywhere in the path (PHP code-injection probes).
  location ~* "(eval\()" {
      deny all;
  }
  # Literal loopback address in the path (RFI/SSRF-style probes).
  location ~* "(127\.0\.0\.1)" {
      deny all;
  }
  # 2000 or more consecutive alphanumerics: overlong tokens / padding payloads.
  location ~* "([a-z0-9]{2000})" {
      deny all;
  }
  # "javascript:" followed later by ";" -- inline-script URIs in the path.
  location ~* "(javascript\:)(.*)(\;)" {
      deny all;
  }
  # "base64_encode" followed later by "(" -- PHP payload probes.
  location ~* "(base64_encode)(.*)(\()" {
      deny all;
  }
  # GLOBALS= / GLOBALS[ / REQUEST= ... -- register_globals-style overrides.
  # The "%" alternative only fires on a literal percent (double-encoded input),
  # because the path is decoded before matching.
  location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
      deny all;
  }
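  # "<" (or a literal "%3C") ... "script" ... ">" (or "%3E"): <script> tags in
  # the path. Because $uri is percent-decoded before location matching, "%3C"
  # and "%3E" only appear literally when the client double-encoded them.
  # The closing alternative was "%3" -- a truncated "%3E" that also matched any
  # other "%3x" sequence; fixed to the intended "%3E" (match is case-insensitive).
  location ~* "(<|%3C).*script.*(>|%3E)" {
      deny all;
  }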
  # Shell/traversal metacharacters in the path. Case-sensitive ("~").
  # NOTE(review): nginx's config parser reduces "\\" to a single "\" inside
  # quoted strings, so PCRE most likely receives "(\|\.\.\.|...)": the first
  # alternative becomes a literal "|" followed by "...", and a bare backslash
  # is NOT blocked. Verify with a request containing "\"; if confirmed, "\\\\"
  # is needed for a literal backslash.
  # "\.\./" is effectively inert: nginx resolves ".." in $uri before matching.
  location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
      deny all;
  }
  # A quote followed (anywhere later) by an SQL keyword or "md5". Unanchored
  # and case-insensitive, so a slug such as "/it's-a-select-guide" is a false
  # positive.
  location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
      deny all;
  }
  # A URL scheme embedded in the path (remote-file-inclusion probes). Only one
  # slash after ":" because merge_slashes (on by default) collapses "//" in $uri.
  location ~* "(https?|ftp|php):/" {
      deny all;
  }
  # "='." , "=%27." , "/'." and "/'/." -- quote-then-dot patterns used in
  # path-based injection probes (after nginx unescapes "\\" and "\'").
  location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
      deny all;
  }
  # Format-string / brace / repeated-quote probes: "{0}", "(/(", "...", "+++"
  # and a doubled double-quote (written as \\\" twice; nginx unescapes it to "").
  location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
      deny all;
  }
  # Broad metacharacter blocklist for paths not claimed by an earlier location:
  # ~ ` < > : ; % { } [ ] |. Note ";" also rejects e.g. ";jsessionid=" paths,
  # and "%" only matches a literal percent (double-encoded input) because the
  # path is decoded first.
  # NOTE(review): as in the earlier blocklist, "\\" is reduced to "\" by the
  # config parser, so PCRE probably sees "\|\s" -- a literal "|" followed by
  # whitespace -- rather than separate backslash and whitespace alternatives;
  # a bare backslash or a plain space in the path would then not be denied.
  # Verify, and use "\\\\" for a literal backslash if confirmed.
  location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
      deny all;
  }
  # Known scanner / webshell probe strings: FrontPage (_vti_), "echo ... kae"
  # backdoor probes, boot.ini and /etc/passwd LFI, /proc/self/environ,
  # "config." / "wp-config." (unanchored, so any "/config.<ext>" not claimed by
  # the static-asset locations above is denied too) and cgi- prefixes.
  location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|boot\.ini|etc/passwd|eval\(|self/environ|(wp-)?config\.|cgi-|muieblack)" {
      deny all;
  }
  # PHP file names that are commonly dropped as backdoors or are attack targets
  # (webshell.php, timthumb.php, phpinfo.php, config.php, ...). Unanchored on
  # the right, so "/shell.php/anything" is denied as well. The "^$" alternative
  # can never match after "/" and is inert.
  # NOTE(review): this only takes effect if it precedes the PHP handler
  # location ("location ~ \.php$" or similar) in the final server config;
  # regex locations are first-match in order of appearance.
  location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php" {
      deny all;
  }