

@VirtuBox
Last active April 19, 2024 07:46

Revisions

  1. VirtuBox revised this gist Apr 19, 2024. 1 changed file with 26 additions and 16 deletions.
    42 changes: 26 additions & 16 deletions nginx.conf
    @@ -1,19 +1,7 @@
    # Cache static files
    location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp|json|webmanifest|cast)$ {
    more_set_headers 'Access-Control-Allow-Origin : *';
    more_set_headers "Cache-Control : public, no-transform";
    access_log off;
    log_not_found off;
    expires max;
    }
    # Cache css & js files
    location ~* \.(?:css(\.map)?|js(\.map)?)$ {
    more_set_headers 'Access-Control-Allow-Origin : *';
    more_set_headers "Cache-Control : public, no-transform";
    access_log off;
    log_not_found off;
    expires 1y;
    }
    ##
    # Common security rules
    ##

    # Security settings for better privacy
    # Deny hidden files
    location ~ /\.(?!well-known\/) {
    @@ -27,6 +15,7 @@ location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGE
    location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf|gz|zip|bz2|7z|pem|asc|conf|dump)$" {
    deny all;
    }
    # block other common scans
    location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
    deny all;
    }
    @@ -82,4 +71,25 @@ location = /wp-config.txt {
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
    }

    ##
    # Allow web browser caching and disable logging
    ##

    # Cache static files
    location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp|json|webmanifest|cast)$ {
    more_set_headers 'Access-Control-Allow-Origin : *';
    more_set_headers "Cache-Control : public, no-transform";
    access_log off;
    log_not_found off;
    expires max;
    }
    # Cache css & js files
    location ~* \.(?:css(\.map)?|js(\.map)?)$ {
    more_set_headers 'Access-Control-Allow-Origin : *';
    more_set_headers "Cache-Control : public, no-transform";
    access_log off;
    log_not_found off;
    expires 1y;
    }
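Review bot: The `# Cache static files` location that this hunk appends still lists `exe` and `tar`, both of which the `deny all` rule for backup/binary extensions in the second hunk also matches; nginx evaluates regex `location` blocks in file order and takes the first match, so moving the cache blocks below the deny rules is what keeps those two denied, but nothing in the file records that this order is load-bearing. Add a comment above `# Cache static files` such as `# Keep after the deny rules: regex locations match in file order, so extensions present in both lists (exe, tar) must hit deny all first`. Dropping `exe` and `tar` from the cache extension list would remove the overlap entirely, so the result no longer depends on block order. The first hunk, which removes the same two cache blocks from the top of the file, is the other half of this reorder and should carry the same rationale in the `# Common security rules` header. The space before the colon in `'Cache-Control : public, no-transform'` and `'Access-Control-Allow-Origin : *'` is unusual; headers-more appears to tolerate it, but the conventional `'Cache-Control: public, no-transform'` form avoids relying on that trimming.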
  2. VirtuBox renamed this gist Apr 19, 2024. 1 changed file with 0 additions and 0 deletions.
    File renamed without changes.
  3. VirtuBox created this gist Apr 19, 2024.
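--- /dev/null
+++ b/secure.conf
@@ -0,0 +1,85 @@
+# Cache static files
+location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp|json|webmanifest|cast)$ {
+more_set_headers 'Access-Control-Allow-Origin : *';
+more_set_headers "Cache-Control : public, no-transform";
+access_log off;
+log_not_found off;
+expires max;
+}
+# Cache css & js files
+location ~* \.(?:css(\.map)?|js(\.map)?)$ {
+more_set_headers 'Access-Control-Allow-Origin : *';
+more_set_headers "Cache-Control : public, no-transform";
+access_log off;
+log_not_found off;
+expires 1y;
+}
+# Security settings for better privacy
+# Deny hidden files
+location ~ /\.(?!well-known\/) {
+deny all;
+}
+# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files
+location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
+deny all;
+}
+# Deny backup extensions & log files and return 403 forbidden
+location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf|gz|zip|bz2|7z|pem|asc|conf|dump)$" {
+deny all;
+}
+location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
+deny all;
+}
+
+# block base64_encoded content
+location ~* "(base64_encode)(.*)(\()" {
+deny all;
+}
+
+# block javascript eval()
+location ~* "(eval\()" {
+deny all;
+}
+
+##
+# WordPress Specific
+##
+
+# Prevent DoS attacks with xmlrpc.php
+location = /xmlrpc.php {
+# Whitelist Jetpack IP ranges, Allow all Communications Between Jetpack and WordPress.com
+allow 122.248.245.244/32;
+allow 54.217.201.243/32;
+allow 54.232.116.4/32;
+allow 192.0.80.0/20;
+allow 192.0.96.0/20;
+allow 192.0.112.0/20;
+allow 195.234.108.0/22;
+
+# Deny all other requests
+deny all;
+
+# Disable access and error logging
+access_log off;
+log_not_found off;
+
+# Limit the rate of requests to prevent DoS attacks
+limit_req zone=two burst=1 nodelay;
+
+# Pass the request to PHP-FPM backend
+include fastcgi_params;
+fastcgi_pass {{upstream}};
+}
+# Disable wp-config.txt
+location = /wp-config.txt {
+deny all;
+access_log off;
+log_not_found off;
+}
+
+# Deny access to any files with a .php extension in the uploads directory
+# Works in sub-directory installs and also in multisite network
+# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+location ~* /(?:uploads|files)/.*\.php$ {
+deny all;
+}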
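Review bot: `limit_req zone=two burst=1 nodelay;` in the `location = /xmlrpc.php` block references a zone that is declared nowhere in this file; nginx needs a matching `limit_req_zone ... zone=two:...` in the `http` context or it will reject the configuration at load, so the block should say so, e.g. `# requires: limit_req_zone $binary_remote_addr zone=two:<size> rate=<rate>; in http {}` (values are deployment-specific placeholders). `fastcgi_pass {{upstream}};` is likewise a template placeholder that has to be substituted before this snippet is included, which deserves a one-line comment next to it. The Jetpack `allow` list only has the intended effect when nginx sees the real client address; behind a CDN or reverse proxy without `set_real_ip_from`/`real_ip_header`, every request arrives from the proxy's IP and the allow/deny pair either admits or blocks everything, so note that assumption above the `allow` lines. Separately, the `# block base64_encoded content` and `# block javascript eval()` locations match only the request path, not the query string (a `location` regex never sees `$args`), so those comments should be narrowed to `# ... in the request path only` or the check moved to an `$args`-aware rule.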