-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx.conf
194 lines (166 loc) · 5.95 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
# disable directory listing
autoindex off;
# hide the nginx version.
server_tokens off;
# hide the PHP version.
fastcgi_hide_header X-Powered-By;
proxy_hide_header X-Powered-By;
# security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
# enable gzip compression
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
# Specify the minimum length of the response to compress (default 20)
gzip_min_length 500;
server {
listen 80;
root /var/www/html;
index index.php;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# Allow larger file uploads
client_max_body_size 64M;
# don't log these files
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
log_not_found off;
access_log off;
allow all;
}
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires max;
log_not_found off;
}
# this allows permalinks to work
location / {
try_files $uri $uri/ /index.php?$args;
}
# nginx doesn't have built-in PHP processing; it needs to use PHP-FPM
location ~ \.php$ {
# test for the existence of the file in the local file system
try_files $uri =404;
# FastCGI Proxying for handling the PHP processing with PHP-FPM
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass php:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param HTTP_PROXY "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $args;
fastcgi_intercept_errors on;
}
# protect the login/admin by whitelisting IPs
#location ~ ^/(wp-admin|wp-login.php) {
# allow 172.20.0.6;
# deny all;
#}
location /wp-admin/admin-ajax.php {
allow all;
}
## Otherwise, if the site needs to be accessed by many or from different
## places (remote working), try using this plugin to protect against
## Brute Force attacks: https://wordpress.org/plugins/wps-hide-login/
# Enable Rewrite Rules for Yoast SEO Sitemap
rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
# block access to xmlrpc.php
location = /xmlrpc.php {
deny all;
access_log off;
log_not_found off;
return 444;
}
# disable direct access of dotfiles
location ~ (^|/)\. {
deny all;
access_log off;
log_not_found off;
}
# disable direct PHP file access
location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ {
deny all;
access_log off;
log_not_found off;
}
# Disallow access to parts of wp-includes
location ~* wp-admin/includes {
deny all;
}
location ~* wp-includes/theme-compat/ {
deny all;
}
location ~* wp-includes/js/tinymce/langs/.*.php {
deny all;
}
# block access to wp-config.php
location = /wp-config.php {
deny all;
access_log off;
log_not_found off;
return 444;
}
# deny access to wp-content folders for suspicious files
location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$ {
deny all;
}
# block nginx help log
location ~* /wp-content/uploads/nginx-helper/ {
deny all;
}
# deny access to uploads that aren’t images, videos, music, etc.
location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
deny all;
}
# disallow other CGI scripts
location ~* .(pl|cgi|py|sh|lua)$ {
return 444;
}
# prevent image hotlinking
location ~ .(gif|png|jpe?g)$ {
# if you're using a custom url, replace localhost with it
valid_referers none blocked localhost *.localhost;
if ($invalid_referer) {
return 403;
}
}
# limit request types to only GET/HEAD/POST
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
# spam blocking
set $comment_flagged 0;
set $comment_request_method 0;
set $comment_request_uri 0;
set $comment_referrer 1;
if ($request_method ~ "POST"){
set $comment_request_method 1;
}
if ($request_uri ~ "/wp-comments-post\.php$"){
set $comment_request_method 1;
}
if ($http_referer !~ "^https?:https://(([^/]+\.)?site\.com|jetpack\.wordpress\.com/jetpack-comment)(/|$)"){
set $comment_referrer 0;
}
set $comment_flagged "${comment_request_method}${comment_request_uri}${comment_referrer}";
if ($comment_flagged = "111") {
return 403;
}
# block unwanted user-agents/bots
if ($http_user_agent ~
(msnbot|Purebot|Baiduspider|Lipperhey|Mail.Ru|scrapbotBaiduspider|Yandex|DirBuster|libwww|"")) {
return 403;
}
}