Skip to content

Instantly share code, notes, and snippets.

@Uriel29
Forked from tiagovtg/JoomlaNginx.conf
Created January 20, 2016 16:09
Show Gist options
  • Save Uriel29/77ea2386995ddf86d7f2 to your computer and use it in GitHub Desktop.
Save Uriel29/77ea2386995ddf86d7f2 to your computer and use it in GitHub Desktop.
Configuration file Nginx for Joomla! Akeeba + Uriel29 Merge
server {
######################################################################
## The Master .htaccess - NginX adaptation
##
## Version 3.3
##
## This file is designed to be the template NginX server configuration file
## for your Joomla! sites. You should go through all of its sections and
## modify it to match your site. Most notably, all instances of example.com
## and example\.com should be replaced with your real domain name.
##
## Some sections are too picky and may cause problems with legitimate requests.
## You are ultimately responsible for disabling them or writing exception rules
## for your requests. Most notably, the advanced server protection section will
## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
## sions which use non-standard scripts as their entry points. You must add
## exceptions for them manually.
##
## Some sections - depending on your server configuration - may cause your site
## to throw 500 Internal Server Error. The only way to figure out which one is
## causing it is trial and error.
##
## This is an adaptation of my Master .htaccess, a similar file which
## I have designed for Apache-based servers. This adaptation would not
## be possible without all the wonderful people who helped me write and
## test the original Master .htaccess, the Joomla! project which now
## recommends it in its official documentation wiki and the thousands
## of Admin Tools Professional subscribers who provided invaluable
## feedback on the Master .htaccess' performance across different servers.
##
## Have fun, stay safe.
##
## Nicholas K. Dionysopoulos
## Lead Developer, AkeebaBackup.com
##
######################################################################
######################################################################
## Basic server setup. Change to match YOUR system!
######################################################################
# -- Basic configuration
# ---- Port to listen to. For SSL sites change this to 443.
listen 80;
# ---- Domain name(s) of this site, separated by commas
server_name www.example.com example.com www.example.org example.org;
server_name_in_redirect off;
# ---- Site root path
root /usr/share/nginx/html/directory files site;
index index.php index.html index.htm default.html default.htm;
# Suporte a URLs amigaveis
location / {
try_files $uri $uri/ /index.php?$args;
}
# ---- Path to the access log
access_log /var/log/nginx/access.log;
# ---- Path to the error log
error_log /var/log/nginx/error.log;
# ---- Custom error pages. Each error page is four lines. The first one
# defines which page will be shown for each error code. The next
# three lines make sure that the error page cannot be accessed
# directly over the web.
error_page 404 /errors/404.html;
location /errors/404.html {
internal;
}
error_page 500 /errors/500.html;
location /errors/500.html {
internal;
}
error_page 403 /errors/403.html;
location /errors/403.html {
internal;
}
# if have fastcgi on
location ~ \.php$ {
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html/site$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
# Don't cache if our headers (or cookie) are present
proxy_no_cache $upstream_http_x_dont_cache_me $cookie_jnocache;
proxy_cache_bypass $upstream_http_x_dont_cache_me $cookie_jnocache $http_pragma $http_authorization $cookie_nocache $arg_nocache;
# Ignore the standard no-cache headers - these will still be sent to the browser
proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
# Don't send our custom header to the browser
proxy_hide_header X-Dont-Cache-Me;
# This next line is important if we're planning on caching for more than one site on the server
proxy_cache_key "$scheme$host$request_uri";
# Set cache key to include identifying components
fastcgi_ignore_headers Cache-Control Expires;
fastcgi_pass_header Set-Cookie;
fastcgi_pass_header Cookie;
## Add a cache miss/hit status header.
add_header X-Micro-Cache $upstream_cache_status;
## To avoid any interaction with the cache control headers we expire
## everything on this location immediately.
expires epoch;
## Cache locking mechanism for protecting the backend of too many
## simultaneous requests.
}
######################################################################
## SSL Configuration
##
## Only use this block if you are setting up the SSL (HTTPS) server
## definition of your site.
######################################################################
ssl on;
ssl_certificate /etc/ssl/localcerts/webserver.pem;
ssl_certificate_key /etc/ssl/localcerts/webserver.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
######################################################################
## The Kitchen Sink - An array of useful and performance-tuning options
######################################################################
# -- Timeout handling, see http://wiki.nginx.org/HttpCoreModule
client_header_timeout 10;
client_body_timeout 10;
send_timeout 30;
keepalive_timeout 40 20;
# -- Socket settings, see http://wiki.nginx.org/HttpCoreModule
connection_pool_size 8192;
client_header_buffer_size 4k;
large_client_header_buffers 8 8k;
request_pool_size 8k;
# -- Performance, see http://wiki.nginx.org/HttpCoreModule
sendfile on;
sendfile_max_chunk 1m;
postpone_output 0;
tcp_nopush on;
tcp_nodelay off;
# -- Output buffering, see http://wiki.nginx.org/HttpCoreModule
output_buffers 8 32k;
# -- Character encoding, see http://wiki.nginx.org/HttpCharsetModule
charset utf-8;
source_charset utf-8;
# -- Security options, see http://wiki.nginx.org/HttpCoreModule
server_name_in_redirect off;
server_tokens off;
ignore_invalid_headers on;
# You may have to comment out the next line on multi-site installations
disable_symlinks if_not_owner;
######################################################################
## Redirect non-www to www
##
## If you enable this, disable the "Redirect www to non-www" below!
######################################################################
if ($host = 'example.com' ) {
rewrite ^/(.*)$ http://www.example.com/$1 permanent;
}
######################################################################
## Redirect www to non-www
##
## If you enable this, disable the "Redirect non-www to www" above!
######################################################################
if ($host = 'www.example.com' ) {
rewrite ^/(.*)$ http://example.com/$1 permanent;
}
######################################################################
## Redirect example.org to example.com
##
## Your server_name must include both the old and new domain names!
######################################################################
if ($host ~ "(www\.)?example.org$" ) {
rewrite ^/(.*)$ http://www.example.com/$1 permanent;
}
######################################################################
## CloudFlare support - see http://wiki.nginx.org/NginxHttpRealIpModule
## Comment out if you are not using the CloudFlare CDN
######################################################################
set_real_ip_from 204.93.240.0/24;
set_real_ip_from 204.93.177.0/24;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
real_ip_header CF-Connecting-IP;
######################################################################
## Directory indices
## Forces index.php to be read before the index.htm(l) files
######################################################################
index index.php index.html index.htm;
######################################################################
## Status page - DISABLE THIS ON LIVE SITES!
######################################################################
location /nginx_status {
stub_status on;
access_log off;
# Remember to change this to your PC's IP address
allow 192.168.0.1;
}
######################################################################
## Google Apps redirection
## This also shows how to redirect a directory to an external server
######################################################################
location ~* /mail {
rewrite ^ http://mail.google.com/a/example.com permanent;
}
######################################################################
## Block some common exploits
######################################################################
set $common_exploit 0;
if ($query_string ~ "proc/self/environ") {
set $common_exploit 1;
}
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
set $common_exploit 1;
}
if ($query_string ~ "base64_(en|de)code\(.*\)") {
set $common_exploit 1;
}
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
set $common_exploit 1;
}
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
set $common_exploit 1;
}
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
set $common_exploit 1;
}
if ($common_exploit = 1) {
return 403;
}
######################################################################
## File injection protection
######################################################################
set $file_injection 0;
if ($query_string ~ "[a-zA-Z0-9_]=http://") {
set $file_injection 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
set $file_injection 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
set $file_injection 1;
}
if ($file_injection = 1) {
return 403;
}
######################################################################
## SQL injection first line of defence (NOT comprehensive!)
######################################################################
set $sql_injection 0;
if ($query_string ~ "concat.*\(") {
set $sql_injection 1;
}
if ($query_string ~ "union.*select.*\(") {
set $sql_injection 1;
}
if ($query_string ~ "union.*all.*select.*") {
set $sql_injection 1;
}
if ($sql_injection = 1) {
return 403;
}
######################################################################
## Basic anti-spam
######################################################################
set $looks_like_spam 0;
if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
set $looks_like_spam 1;
}
if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
set $looks_like_spam 1;
}
if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
set $looks_like_spam 1;
}
if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
set $looks_like_spam 1;
}
if ($looks_like_spam = 1) {
return 403;
}
######################################################################
## Advanced server protection rules exceptions
##
## You will DEFINITELY need to add exceptions for a lot of extensions
## to work. Yeah, I have to write an illustrated guide at some point.
## However, if you can use Firebug or Google Chrome Web Developer
## window then you can find out the exceptions all by yourself. Use the
## following as a guide.
######################################################################
# Allow direct access to a specific PHP file
#location = /tmp/test.php {
# fastcgi_pass $fastcgi_pass;
# break;
#}
# Allow direct access to a specific static (non-PHP) file
#location = /administrator/test.png {
# break;
#}
######################################################################
## Server protection
##
## Nothing on my site runs unless I say so!
######################################################################
# Allow media files in select back-end directories
location ~* ^/administrator/(components|modules|templates|images)/.*.(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|ico|mpe(eg?[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov|ttf|woff|eot|JPG|JPEG|PNG|GIF|CSS|JS|TTF|WOFF|EOT)$ {
break;
}
# Allow media files in select front-end directories
location ~* ^/(components|modules|templates|images|plugins|media|includes/js)/.*.(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|ico|mpe(eg?[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov|ttf|woff|eot|JPG|JPEG|PNG|GIF|CSS|JS|TTF|WOFF|EOT)$ {
break;
}
# Allow access to the front-end index.php file
location = / {
try_files $uri $uri/ /index.php?q=$uri&$args;
}
location = /index.php {
fastcgi_pass $fastcgi_pass;
break;
}
# Allow access to the back-end index.php file
location = /administrator {
rewrite ^ /administrator/index.php last;
}
location = /administrator/ {
rewrite ^ /administrator/index.php last;
}
location = /administrator/index.php {
fastcgi_pass $fastcgi_pass;
break;
}
# Disable access to everything else.
#if need especify use:
#location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$
location ~* /.*$ {
# If it is a file, directory or symlink and I haven't deliberetaly
# enabled access to it, forbid any access to it!
if (-e $request_filename) {
return 403;
}
# In any other case, just treat as a SEF URL
try_files $uri $uri/ /index.php?q=$uri&$args;
}
######################################################################
## PHP Setup
######################################################################
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
set $fastcgi_pass "unix:/var/run/php5-fpm-web.sock";
location ~ index.php$ {
fastcgi_pass $fastcgi_pass;
}
######################################################################
## Expiration control
##
## Optimises the expiration time
######################################################################
# CSS and JavaScript : 1 week
location ~* \.(css|js)$ {
expires 1w;
add_header Cache-Control public;
}
# Image files : 1 month
location ~* \.(bmp|gif|jpg|jpeg|jp2|png|svg|tif|tiff|ico|wbmp|wbxml|smil)$ {
expires 1y;
}
# Document files : 1 month
location ~* \.(pdf|txt|xml|flv)$ {
expires 1y;
}
# Audio files : 1 month
location ~* \.(mid|midi|mp3|m4a|m4r|aif|aiff|ra|wav|voc|ogg)$ {
expires 1y;
}
# Video files : 1 month
location ~* \.(swf|vrml|avi|mkv|mpg|mpeg|mp4|m4v|mov|asf)$ {
expires 1y;
}
######################################################################
## User agent blocking
##
## Disables access to your site by user agent. Useful to block some
## bandwidth hoggers.
######################################################################
set $bad_ua 0;
# This also disables Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~ "Indy Library") {
set $bad_ua 1;
}
# Disabling Wget will also block the most common method to run CRON jobs
if ($http_user_agent ~ "Wget") {
set $bad_ua 1;
}
# Common bandwidth hoggers and hacking tools. Each rule is three lines, beginning with "if"
if ($http_user_agent ~ "libwww-perl") {
set $bad_ua 1;
}
if ($http_user_agent ~ "Download Demon") {
set $bad_ua 1;
}
if ($http_user_agent ~ "GetRight") {
set $bad_ua 1;
}
if ($http_user_agent ~ "GetWeb!") {
set $bad_ua 1;
}
if ($http_user_agent ~ "Go!Zilla") {
set $bad_ua 1;
}
if ($http_user_agent ~ "Go-Ahead-Got-It") {
set $bad_ua 1;
}
if ($http_user_agent ~ "GrabNet") {
set $bad_ua 1;
}
if ($http_user_agent ~ "TurnitinBot") {
set $bad_ua 1;
}
# If you enable any of the above don't remove this. It's what blocks
# the bad user agents!
if ($bad_ua = 1) {
return 403;
}
######################################################################
## Automatic compression of static resources
## Compress text, html, javascript, css, xml and other static resources
## May kill access to your site for old versions of Internet Explorer
######################################################################
gzip on;
gzip_http_version 1.1;
gzip_vary on;
gzip_comp_level 6;
gzip_proxied any;
#gzip_min_length 1100;
gzip_types text/plain text/html text/xml text/css application/xml application/xhtml+xml application/xml+rss application/rss+xml application/x-javascript application/javascript text/javascript;
gzip_buffers 16 8k;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
fastcgi_read_timeout 300;
fastcgi_send_timeout 300;
# Desabilita o gzip para alguns navegadores
gzip_disable "MSIE [1-6].(?!.*SV1)";
client_header_timeout 60;
#client_header_buffer_size 1k;
#send_timeout 20;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment