Trying to secure Nginx the most for Joomla CMS under Ubuntu 11.10
<!-- to be saved at /usr/share/nginx/html/404.html -->
<html lang="en"><head><meta charset="utf-8">
<meta name="viewport" content="initial-scale=1, minimum-scale=1, width=device-width">
<title>Error 404 (Not Found)!!1</title>
*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(// 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}
<link type="text/css" rel="stylesheet" href="chrome-extension://cpngackimfmofbokmjmljamhdncknpmg/style.css"><script type="text/javascript" charset="utf-8" src="chrome-extension://cpngackimfmofbokmjmljamhdncknpmg/page_context.js"></script></head><body screen_capture_injected="true">
<a href="//">
<img src="//" alt="Google"></a>
<p><b>404.</b> <ins>That.s an error.</ins>
<h2>The page you were looking for appears to
have been moved, deleted or does not exist.</h2>
</p><p>The requested URL <code>/wfwefwefwef</code> was not found on this server. <ins>That.s all we know.</ins>
<a href="" target="new">Please contact us to report a problem.</a>
<script type="text/javascript">
var GOOG_FIXURL_LANG = 'en';
<script type="text/javascript"
<li>Try returning to the <a href="">home page</a> and finding the page you were looking for.</li>
<br />
<h3>Sorry for your inconvenience</h3>
# dedicated server with 8GB of RAM and php5-fpm
# issue a 'service php5-fpm restart' after changes
apc.enabled = 1
apc.shm_segments = 1
apc.shm_size = 512M
apc.optimization = 0
apc.num_files_hint = 512
apc.user_entries_hint = 1024
apc.ttl = 0
apc.user_ttl = 0
apc.gc_ttl = 600
apc.cache_by_default = 1
apc.filters = "apc\.php$"
apc.slam_defense = 0
apc.use_request_time = 1
apc.mmap_file_mask = /tmp/apc.XXXXXX
;OR apc.mmap_file_mask = /dev/zero
apc.file_update_protection = 2
apc.enable_cli = 0
apc.max_file_size = 2M
apc.stat = 1
apc.write_lock = 1
apc.report_autofilter = 0
apc.include_once_override = 0
apc.rfc1867 = 0
apc.rfc1867_prefix = "upload_"
apc.rfc1867_name = "APC_UPLOAD_PROGRESS"
apc.rfc1867_freq = 0
apc.localcache = 1
apc.localcache.size = 512
apc.coredump_unmap = 0
apc.stat_ctime = 0
## Reusable settings for PHP CMS, targetted at joomla
# latest version at
# author,
# to be saved in /etc/nginx/conf/joomla.conf
server_name_in_redirect off;
location / {
expires 1d;
# Note that nginx does not use .htaccess.
# This will allow for SEF URL’s
try_files $uri $uri/ /index.php?$args;
# Optimizations #
gzip on;
gzip_min_length 640;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# Caching #
location ~* \.(ico|pdf|flv)$ {
access_log off;
expires 1y;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
location ~* \.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js)$ {
access_log off;
expires 30d;
# Hardening #
server_tokens off;
# File uploads
client_max_body_size 10M;
client_body_buffer_size 128k;
# deny running scripts inside writable directories
location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
return 403;
error_page 403 /403_error.html;
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
deny all;
access_log off;
log_not_found off;
# Only allow these request methods GET|HEAD|POST
# Do not accept DELETE, SEARCH and other methods
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
# Error #
error_page 404 /404.html;
location = /404.html {
root /usr/share/nginx/html;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
# Rewrite #
# Add www to all urls
if ($host ~* ^([a-z0-9\-]+\.(be|fr|nl|de))$) {
rewrite ^(.*)$ http://www.$host$1 permanent;
proxy_cache_key "$host$request_uri$cookie_sessioncookie";
# Pass all .php files onto a php-fpm/php-fcgi server.
# see
# see
location ~ \.php$ {
# Zero-day exploit defense.
# Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked.
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_intercept_errors on;
#fastcgi_pass php;
# These are my settings, run with the default mysql settings and then run after 24h
# and follow the recommendations!
# latest version at
# author,
# to be saved in /etc/mysql/my.cnf
port = 3306
socket = /var/run/mysqld/mysqld.sock
socket = /var/run/mysqld/mysqld.sock
nice = 0
# If you make changes to these settings and your system uses apparmor, you may
# also need to also adjust /etc/apparmor.d/usr.sbin.mysqld.
user = mysql
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address =
key_buffer = 100M
max_allowed_packet = 16M
thread_stack = 192K
thread_cache_size = 8
myisam-recover = BACKUP
#max_connections = 100
table_cache = 1512
table_definition_cache = 1512
tmp_table_size = 64M
read_buffer_size = 32M
#thread_concurrency = 10
query_cache_limit = 1M
query_cache_size = 100M
log_error = /var/log/mysql/error.log
log_slow_queries = /var/log/mysql/mysql-slow.log
long_query_time = 2
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
# * InnoDB
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
# * Security Features
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem
max_allowed_packet = 16M
key_buffer = 16M
# * IMPORTANT: Additional settings that can override those from this file!
# The files must end with '.cnf', otherwise they'll be ignored.
!includedir /etc/mysql/conf.d/
## latest version at
# author,
# to be saved in /etc/nginx/nginx.conf
user www-data;
# = to the number of CPU - 1
# you may want to leave one core for the system and its interrupts
# and the other cores for the web server
worker_processes 4;
pid /var/run/;
events {
# worker_connections : This is the amount of client connections a
# single child process will handle by themselves at any one time.
# (default: 1024) Note: Multiply worker_processes times worker_connections
# for the total amount of connections Nginx will handle. Our example is
# setup to handle 3*64=192 concurrent connections in total. Clients who
# connect after the max has been reached will be denied access.
worker_connections 1024;
# multi_accept on;
http {
# Basic Settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
types_hash_max_size 2048;
## Hardening ####
server_tokens off;
### (default is 8k or 16k) The directive specifies the client request body buffer size.
# If the request body is more than the buffer, then the entire request body or some part is written in a temporary file.
client_body_buffer_size 8K;
### Directive sets the headerbuffer size for the request header from client. For the overwhelming
### majority of requests a buffer size of 1K is sufficient. Increase this if you have a custom header
### or a large cookie sent from the client (e.g., wap client).
client_header_buffer_size 1k;
### Directive assigns the maximum accepted body size of client request, indicated by the line Content-Length
### in the header of request. If size is greater the given one, then the client gets the error
### "Request Entity Too Large" (413). Increase this when you are getting file uploads via the POST method.
client_max_body_size 2m;
### Directive assigns the maximum number and size of buffers for large headers to read from client request.
### By default the size of one buffer is equal to the size of page, depending on platform this either 4K or 8K,
### if at the end of working request connection converts to state keep-alive, then these buffers are freed.
### 2x1k will accept 2kB data URI. This will also help combat bad bots and DoS attacks.
large_client_header_buffers 2 1k;
### The first parameter assigns the timeout for keep-alive connections with the client.
### The server will close connections after this time. The optional second parameter assigns
### the time value in the header Keep-Alive: timeout=time of the response. This header can
### convince some browsers to close the connection, so that the server does not have to. Without
### this parameter, nginx does not send a Keep-Alive header (though this is not what makes a connection "keep-alive").
keepalive_timeout 300 300;
### Directive sets the read timeout for the request body from client.
### The timeout is set only if a body is not get in one readstep. If after
### this time the client send nothing, nginx returns error "Request time out"
### (408). The default is 60.
client_body_timeout 10;
### Directive assigns timeout with reading of the title of the request of client.
### The timeout is set only if a header is not get in one readstep. If after this
### time the client send nothing, nginx returns error "Request time out" (408).
client_header_timeout 10;
### Directive assigns response timeout to client. Timeout is established not on entire
### transfer of answer, but only between two operations of reading, if after this time
### client will take nothing, then nginx is shutting down the connection.
send_timeout 10;
### Directive describes the zone, in which the session states are stored i.e. store in slimits. ###
### 1m can handle 32000 sessions with 32 bytes/session, set to 5m x 32000 session ###
limit_zone slimits $binary_remote_addr 5m;
### Control maximum number of simultaneous connections for one session i.e. ###
### restricts the amount of connections from a single ip address ###
limit_conn slimits 5;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Logging Settings
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# Gzip Settings
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# Virtual Host Configs
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
#mail {
# # See sample authentication script at:
# #
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
## latest version at
# author,
# to be saved in /etc/php5/fpm/php5-fpm.conf
# 512MB of ram will offer you a maximum of 30 children and a minimum of 5.
# 2048MB of ram will offer you a maximum of 60 children and a minimum of 20.
# But be warned that these may not apply for the content you are processing with PHP. Image manipulation will require a far larger amount of ram and should be limited to less threads.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes to be created when pm is set to 'dynamic'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI.
; Note: Used when pm is set to either 'static' or 'dynamic'
; Note: This value is mandatory.
pm.max_children = 120
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 30
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 30
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 60
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
server {
### The port number (80 for http)
listen 80;
### The domain name
### The public root folder of the site
root /var/www/vhosts/;
### The default index file.
index index.php;
### Where to write the site access log
access_log /var/www/vhosts/;
# Stop deep linking or hot linking
# apply this rule on any location that’s an image using Regexp
# block empty blocked or whiteliste referers
# test proper operation using
location ~* \.(png|gif|jpg|jpeg|swf|ico)(\?[0-9]+)?$ {
valid_referers none blocked ~\.google\. ~\.yahoo\. ~\.bing\. ~\.facebook\. ~\.fbcdn\.;
if ($invalid_referer) {
# return 403;
rewrite ^/images/(.*)\.(gif|jpg|jpeg|png)$ last;
### Password Protect /administrator area
location ~ /administrator/.*) {
auth_basic "Restricted";
auth_basic_user_file /var/www/vhosts/;
include /etc/nginx/conf/joomla.conf;
