Skip to content

Instantly share code, notes, and snippets.

@Uriel29

Uriel29/configurationfile.txt

Last active August 29, 2015 14:23
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save Uriel29/56cd70efc7af2e9433fe to your computer and use it in GitHub Desktop.
Save Uriel29/56cd70efc7af2e9433fe to your computer and use it in GitHub Desktop.
Download ZIP
Configuration file Nginx for Joomla!
Raw
configurationfile.txt
server {
listen 80;
server_name site.com www.site.com;
server_name_in_redirect off;
access_log /var/log/nginx/localhost.access_log;
error_log /var/log/nginx/localhost.error_log info;
root /usr/share/nginx/html/directory files site;
index index.php index.html index.htm default.html default.htm;
# Suporte a URLs amigaveis
location / {
try_files $uri $uri/ /index.php?$args;
}
######################################################################
## Redireionar de www para sem-www> www.site.com para site.com
##
######################################################################
#if ($host = 'www.site.com' ) {
# # rewrite ^/(.*)$ http://site.com/$1 permanent;
# }
######################################################################
## Redireionar de sem www para com-www > site.com para www.site.com
# if ($host = 'site.com' ) {
# rewrite ^/(.*)$ http://www.site.com/$1 permanent;
#}
#####################################################################
## The Kitchen Sink - An array of useful and performance-tuning options
######################################################################
# -- Timeout handling, see http://wiki.nginx.org/HttpCoreModule
client_body_timeout 10;
send_timeout 30;
keepalive_timeout 40 20;
# -- Socket settings, see http://wiki.nginx.org/HttpCoreModule
connection_pool_size 8192;
large_client_header_buffers 8 8k;
request_pool_size 8k;
# -- Performance, see http://wiki.nginx.org/HttpCoreModule
sendfile on;
sendfile_max_chunk 1m;
postpone_output 0;
tcp_nopush on;
tcp_nodelay off;
# -- Output buffering, see http://wiki.nginx.org/HttpCoreModule
output_buffers 8 32k;
# -- Character encoding, see http://wiki.nginx.org/HttpCharsetModule
charset utf-8;
source_charset utf-8;
# -- Security options, see http://wiki.nginx.org/HttpCoreModule
server_tokens off;
ignore_invalid_headers on;
# You may have to comment out the next line on multi-site installations
disable_symlinks if_not_owner;
# deny running scripts inside writable directories
location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
return 403;
error_page 403 /403_error.html;
}
location ~ \.php$ {
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html/site$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
# Don't cache if our headers (or cookie) are present
proxy_no_cache $upstream_http_x_dont_cache_me $cookie_jnocache;
proxy_cache_bypass $upstream_http_x_dont_cache_me $cookie_jnocache $http_pragma $http_authorization $cookie_nocache $arg_nocache;
# Ignore the standard no-cache headers - these will still be sent to the browser
proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
# Don't send our custom header to the browser
proxy_hide_header X-Dont-Cache-Me;
# This next line is important if we're planning on caching for more than one site on the server
proxy_cache_key "$scheme$host$request_uri";
# Set cache key to include identifying components
fastcgi_ignore_headers Cache-Control Expires;
fastcgi_pass_header Set-Cookie;
fastcgi_pass_header Cookie;
## Add a cache miss/hit status header.
add_header X-Micro-Cache $upstream_cache_status;
## To avoid any interaction with the cache control headers we expire
## everything on this location immediately.
expires epoch;
## Cache locking mechanism for protecting the backend of too many
## simultaneous requests.
}
# caching of files
location ~* \.(ico|pdf|flv)$ {
expires 1y;
}
location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
expires 14d;
add_header Cache-Control public;
}
# Habilita o gzip
gzip on;
gzip_http_version 1.1;
gzip_vary on;
gzip_comp_level 6;
gzip_proxied any;
# Mime-types que serão compactados
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_buffers 16 8k;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
fastcgi_read_timeout 300;
fastcgi_send_timeout 300;
# Desabilita o gzip para alguns navegadores
gzip_disable "MSIE [1-6].(?!.*SV1)";
client_header_timeout 60;
#client_header_buffer_size 1k;
#send_timeout 20;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
######################################################################
## Block some common exploits
######################################################################
set $common_exploit 0;
if ($query_string ~ "proc/self/environ") {
set $common_exploit 1;
}
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
set $common_exploit 1;
}
if ($query_string ~ "base64_(en|de)code\(.*\)") {
set $common_exploit 1;
}
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
set $common_exploit 1;
}
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
set $common_exploit 1;
}
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
set $common_exploit 1;
}
if ($common_exploit = 1) {
return 403;
}
######################################################################
## File injection protection
######################################################################
set $file_injection 0;
if ($query_string ~ "[a-zA-Z0-9_]=http://") {
set $file_injection 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
set $file_injection 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
set $file_injection 1;
}
if ($file_injection = 1) {
return 403;
}
######################################################################
## SQL injection first line of defence (NOT comprehensive!)
######################################################################
set $sql_injection 0;
if ($query_string ~ "concat.*\(") {
set $sql_injection 1;
}
if ($query_string ~ "union.*select.*\(") {
set $sql_injection 1;
}
if ($query_string ~ "union.*all.*select.*") {
set $sql_injection 1;
}
if ($sql_injection = 1) {
return 403;
}
######################################################################
## Basic anti-spam
######################################################################
set $looks_like_spam 0;
if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
set $looks_like_spam 1;
}
if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
set $looks_like_spam 1;
}
if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
set $looks_like_spam 1;
}
if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
set $looks_like_spam 1;
}
if ($looks_like_spam = 1) {
return 403;
}
######################################################################
## Server protection
##
## Nothing on my site runs unless I say so!
######################################################################
# Allow media files in select back-end directories
location ~* ^/administrator/(components|modules|templates|images)/.*.(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|ico|mpe(eg?[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ {
break;
}
# Allow media files in select front-end directories
location ~* ^/(components|modules|templates|images|plugins|media|includes/js)/.*.(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|ico|mpe(eg?[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ {
break;
}
######################################################################
## User agent blocking
##
## Disables access to your site by user agent. Useful to block some
## bandwidth hoggers.
######################################################################
set $bad_ua 0;
# This also disables Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~ "Indy Library") {
set $bad_ua 1;
}
# Disabling Wget will also block the most common method to run CRON jobs
if ($http_user_agent ~ "Wget") {
set $bad_ua 1;
}
# Common bandwidth hoggers and hacking tools. Each rule is three lines, beginning with "if"
if ($http_user_agent ~ "libwww-perl") {
set $bad_ua 1;
}
if ($http_user_agent ~ "Download Demon") {
set $bad_ua 1;
}
if ($http_user_agent ~ "GetRight") {
set $bad_ua 1;
}
if ($http_user_agent ~ "GetWeb!") {
set $bad_ua 1;
}
if ($http_user_agent ~ "Go!Zilla") {
set $bad_ua 1;
}
if ($http_user_agent ~ "Go-Ahead-Got-It") {
set $bad_ua 1;
}
if ($http_user_agent ~ "GrabNet") {
set $bad_ua 1;
}
if ($http_user_agent ~ "TurnitinBot") {
set $bad_ua 1;
}
# If you enable any of the above don't remove this. It's what blocks
# the bad user agents!
if ($bad_ua = 1) {
return 403;
}
# server {
# listen 443;
# server_name site.com;
#
#
# ssl on;
# ssl_certificate /etc/nginx/ssl/site_com.crt;
# ssl_certificate_key /etc/nginx/ssl/server.key;
# ssl_session_timeout 5m;
# ssl_session_cache shared:SSL:10m;
# ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA;
# ssl_prefer_server_ciphers on;
# access_log /var/log/nginx/localhost.access_log;
# error_log /var/log/nginx/localhost.error_log info;
# }
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment