Created
August 20, 2015 00:44
-
-
Save goblindegook/ffe906ae7d997a6558ff to your computer and use it in GitHub Desktop.
WordPress (Nginx)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*- | |
| # LearningMode; | |
| SecRulesEnabled; | |
| DeniedUrl "/RequestDenied" | |
| CheckRule "$SQL >= 8" BLOCK; | |
| CheckRule "$RFI >= 8" BLOCK; | |
| CheckRule "$TRAVERSAL >= 4" BLOCK; | |
| CheckRule "$EVADE >= 4" BLOCK; | |
| CheckRule "$XSS >= 8" BLOCK; | |
| # WordPress naxsi rules | |
| ### HEADERS | |
| BasicRule wl:1000,1001,1005,1007,1010,1011,1013,1100,1200,1308,1309,1310,1311,1315 "mz:$HEADERS_VAR:cookie"; | |
| # xmlrpc | |
| BasicRule wl:1402 "mz:$HEADERS_VAR:content-type"; | |
| ### simple BODY (POST) | |
| BasicRule wl:1001,1015,1009,1311,1310,1101,1016 "mz:$URL:/|$BODY_VAR:customized"; | |
| # comments | |
| BasicRule wl:1000,1010,1011,1013,1015,1200,1310,1311 "mz:$BODY_VAR:post_title"; | |
| BasicRule wl:1000 "mz:$BODY_VAR:original_publish"; | |
| BasicRule wl:1000 "mz:$BODY_VAR:save"; | |
| BasicRule wl:1008,1010,1011,1013,1015 "mz:$BODY_VAR:sk2_my_js_payload"; | |
| BasicRule wl:1001,1009,1005,1016,1100,1310 "mz:$BODY_VAR:url"; | |
| BasicRule wl:1009,1100 "mz:$BODY_VAR:referredby"; | |
| BasicRule wl:1009,1100 "mz:$BODY_VAR:_wp_original_http_referer"; | |
| BasicRule wl:1000,1001,1005,1008,1007,1009,1010,1011,1013,1015,1016,1100,1200,1302,1303,1310,1311,1315,1400 "mz:$BODY_VAR:comment"; | |
| BasicRule wl:1100 "mz:$BODY_VAR:redirect_to"; | |
| BasicRule wl:1000,1009,1315 "mz:$BODY_VAR:_wp_http_referer"; | |
| BasicRule wl:1000 "mz:$BODY_VAR:action"; | |
| BasicRule wl:1001,1013 "mz:$BODY_VAR:blogname"; | |
| BasicRule wl:1015,1013 "mz:$BODY_VAR:blogdescription"; | |
| BasicRule wl:1015 "mz:$BODY_VAR:date_format_custom"; | |
| BasicRule wl:1015 "mz:$BODY_VAR:date_format"; | |
| BasicRule wl:1015 "mz:$BODY_VAR:tax_input%5bpost_tag%5d"; | |
| BasicRule wl:1015 "mz:$BODY_VAR:tax_input[post_tag]"; | |
| BasicRule wl:1100 "mz:$BODY_VAR:siteurl"; | |
| BasicRule wl:1100 "mz:$BODY_VAR:home"; | |
| BasicRule wl:1000,1015 "mz:$BODY_VAR:submit"; | |
| # news content matches pretty much everything | |
| BasicRule wl:0 "mz:$BODY_VAR:content"; | |
| BasicRule wl:1000 "mz:$BODY_VAR:delete_option"; | |
| BasicRule wl:1000 "mz:$BODY_VAR:prowl-msg-message"; | |
| BasicRule wl:1100 "mz:$BODY_VAR:_url"; | |
| BasicRule wl:1001,1009 "mz:$BODY_VAR:c2c_text_replace%5btext_to_replace%5d"; | |
| BasicRule wl:1200 "mz:$BODY_VAR:ppn_post_note"; | |
| BasicRule wl:1100 "mz:$BODY_VAR:author"; | |
| BasicRule wl:1001,1015 "mz:$BODY_VAR:excerpt"; | |
| BasicRule wl:1015 "mz:$BODY_VAR:catslist"; | |
| BasicRule wl:1005,1008,1009,1010,1011,1015,1315 "mz:$BODY_VAR:cookie"; | |
| BasicRule wl:1101 "mz:$BODY_VAR:googleplus"; | |
| BasicRule wl:1007 "mz:$BODY_VAR:name"; | |
| BasicRule wl:1007 "mz:$BODY_VAR:action"; | |
| BasicRule wl:1100 "mz:$BODY_VAR:attachment%5burl%5d"; | |
| BasicRule wl:1100 "mz:$BODY_VAR:attachment_url"; | |
| BasicRule wl:1001,1009,1100,1302,1303,1310,1311 "mz:$BODY_VAR:html"; | |
| BasicRule wl:1015 "mz:$BODY_VAR:title"; | |
| BasicRule wl:1001,1009,1015 "mz:$BODY_VAR:recaptcha_challenge_field"; | |
| BasicRule wl:1011 "mz:$BODY_VAR:pwd"; | |
| BasicRule wl:1000 "mz:$BODY_VAR:excerpt"; | |
| ### BODY|NAME | |
| BasicRule wl:1000 "mz:$BODY_VAR:delete_option|NAME"; | |
| BasicRule wl:1000 "mz:$BODY_VAR:from|NAME"; | |
| ### Simple ARGS (GET) | |
| # WP login screen | |
| BasicRule wl:1100 "mz:$ARGS_VAR:redirect_to"; | |
| BasicRule wl:1000,1009 "mz:$ARGS_VAR:_wp_http_referer"; | |
| BasicRule wl:1000 "mz:$ARGS_VAR:wp_http_referer"; | |
| BasicRule wl:1000 "mz:$ARGS_VAR:action"; | |
| BasicRule wl:1000 "mz:$ARGS_VAR:action2"; | |
| # load and load[] GET variable | |
| BasicRule wl:1000,1015 "mz:$ARGS_VAR:load"; | |
| BasicRule wl:1000,1015 "mz:$ARGS_VAR:load[]"; | |
| BasicRule wl:1015 "mz:$ARGS_VAR:q"; | |
| BasicRule wl:1000,1015 "mz:$ARGS_VAR:load%5b%5d"; | |
| ### URL | |
| BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update-core.php"; | |
| BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update.php"; | |
| # URL|BODY | |
| BasicRule wl:1009,1100 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_http_referer"; | |
| BasicRule wl:1016 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect"; | |
| BasicRule wl:11 "mz:$URL:/xmlrpc.php|BODY"; | |
| BasicRule wl:11 "mz:$URL:/wp-cron.php|BODY"; | |
| BasicRule wl:2 "mz:$URL:/wp-admin/async-upload.php|BODY"; | |
| # URL|BODY|NAME | |
| BasicRule wl:1100 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_original_http_referer|NAME"; | |
| BasicRule wl:1000 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect|NAME"; | |
| BasicRule wl:1000 "mz:$URL:/wp-admin/user-edit.php|$BODY_VAR:from|NAME"; | |
| BasicRule wl:1100 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:attachment%5burl%5d|NAME"; | |
| BasicRule wl:1100 "mz:$URL:/wp-admin/post.php|$BODY_VAR:attachment_url|NAME"; | |
| BasicRule wl:1000 "mz:$URL:/wp-admin/plugins.php|$BODY_VAR:verify-delete|NAME"; | |
| BasicRule wl:1310,1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:post_category[]|NAME"; | |
| BasicRule wl:1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:post_category|NAME"; | |
| BasicRule wl:1310,1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:tax_input[post_tag]|NAME"; | |
| BasicRule wl:1310,1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:newtag[post_tag]|NAME"; | |
| BasicRule wl:1310,1311 "mz:$URL:/wp-admin/users.php|$BODY_VAR:users[]|NAME"; | |
| # URL|ARGS|NAME | |
| BasicRule wl:1310,1311 "mz:$URL:/wp-admin/load-scripts.php|$ARGS_VAR:load[]|NAME"; | |
| BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:delete_count|NAME"; | |
| BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:update|NAME"; | |
| # plain WP site | |
| BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update-core.php"; | |
| BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update.php"; | |
| # URL|BODY | |
| BasicRule wl:1009,1100 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_http_referer"; | |
| BasicRule wl:1016 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect"; | |
| BasicRule wl:11 "mz:$URL:/xmlrpc.php|BODY"; | |
| BasicRule wl:11 "mz:$URL:/wp-cron.php|BODY"; | |
| # URL|BODY|NAME | |
| BasicRule wl:1100 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_original_http_referer|NAME"; | |
| BasicRule wl:1000 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect|NAME"; | |
| BasicRule wl:1000 "mz:$URL:/wp-admin/user-edit.php|$BODY_VAR:from|NAME"; | |
| BasicRule wl:1100 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:attachment%5burl%5d|NAME"; | |
| BasicRule wl:1310,1311 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-auth-check]|NAME"; | |
| BasicRule wl:1310,1311 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-check-locked-posts][]|NAME"; | |
| BasicRule wl:1310,1311 "mz:$URL:/wp-admin/update-core.php|$BODY_VAR:checked[]|NAME"; | |
| # URL|ARGS|NAME | |
| BasicRule wl:1310,1311 "mz:$URL:/wp-admin/load-scripts.php|$ARGS_VAR:load[]|NAME"; | |
| BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:delete_count|NAME"; | |
| BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:update|NAME"; | |
| ### Plugins | |
| #WP Minify | |
| BasicRule wl:1015 "mz:$URL:/wp-content/plugins/bwp-minify/min/|$ARGS_VAR:f"; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: 'american' -*- | |
| server { | |
| listen 80; | |
| server_name example.com www.example.com cdn.example.net; | |
| access_log /var/log/nginx/example.com.access.log; | |
| error_log /var/log/nginx/example.com.error.log error; | |
| root /var/www/example.com/htdocs; | |
| index index.php index.html index.htm; | |
| charset utf-8; | |
| set $cache_uri $request_uri; | |
| set $skip_cache 0; | |
| set $cache_control 'public, store, must-revalidate'; | |
| set $expires 24h; | |
| # Don't cache POST requests | |
| if ($request_method = POST) { | |
| set $cache_control 'no-cache'; | |
| set $cache_uri 'null cache'; | |
| set $expires 0; | |
| set $skip_cache 1; | |
| } | |
| # Don't cache PUT requests | |
| if ($request_method = PUT) { | |
| set $cache_control 'no-cache'; | |
| set $cache_uri 'null cache'; | |
| set $expires 0; | |
| set $skip_cache 1; | |
| } | |
| # Don't cache PATCH requests | |
| if ($request_method = PATCH) { | |
| set $cache_control 'no-cache'; | |
| set $cache_uri 'null cache'; | |
| set $expires 0; | |
| set $skip_cache 1; | |
| } | |
| # Don't cache DELETE requests | |
| if ($request_method = DELETE) { | |
| set $cache_control 'no-cache'; | |
| set $cache_uri 'null cache'; | |
| set $expires 0; | |
| set $skip_cache 1; | |
| } | |
| # Don't cache requests with a query string | |
| if ($query_string != '') { | |
| set $cache_control 'no-cache'; | |
| set $cache_uri 'null cache'; | |
| set $expires 0; | |
| set $skip_cache 1; | |
| } | |
| # Don't cache uris containing the following segments | |
| if ($request_uri ~* '(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)') { | |
| set $cache_control 'no-cache'; | |
| set $cache_uri 'null cache'; | |
| set $expires 0; | |
| set $skip_cache 1; | |
| } | |
| # Don't use the cache for logged in users or recent commenters | |
| if ($http_cookie ~* 'comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in') { | |
| set $cache_control 'no-cache'; | |
| set $cache_uri 'null cache'; | |
| set $expires 0; | |
| set $skip_cache 1; | |
| } | |
| location = /favicon.ico { log_not_found off; access_log off; } | |
| location = /robots.txt { log_not_found off; access_log off; } | |
| location ~ /\. { deny all; log_not_found off; access_log off; } | |
| location = /wp-config.php { deny all; log_not_found off; access_log off; } | |
| location ~ ^/wp-content/backups { deny all; log_not_found off; access_log off; } | |
| location ~ ^/wp-content/.*\.php$ { deny all; log_not_found off; access_log off; } | |
| location ~ ^/wp-admin/includes/.*\.php$ { deny all; log_not_found off; access_log off; } | |
| location ~ ^/wp-includes/.*\.php$ { deny all; log_not_found off; access_log off; } | |
| location ~ ^/wp-config-sample\.php$ { deny all; log_not_found off; access_log off; } | |
| location /RequestDenied { | |
| return 403; | |
| } | |
| # Use cached or actual file if they exists, otherwise pass request to WordPress | |
| location / { | |
| # WP Super Cache: | |
| # try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args; | |
| # Normal: | |
| try_files $uri $uri/ /index.php?$args; | |
| include /var/www/example.com/conf/naxsi.rules; | |
| } | |
| location ~ /wp-login\.php$ { | |
| try_files $uri =404; | |
| limit_req zone=one burst=1 nodelay; | |
| include /var/www/example.com/conf/naxsi.rules; | |
| include fastcgi_params; | |
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
| fastcgi_pass php; | |
| } | |
| location ~ \.php$ { | |
| try_files $uri =404; | |
| include /var/www/example.com/conf/naxsi.rules; | |
| include fastcgi_params; | |
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
| fastcgi_pass php; | |
| fastcgi_cache_bypass $skip_cache; | |
| fastcgi_no_cache $skip_cache; | |
| fastcgi_cache WORDPRESS; | |
| fastcgi_cache_valid 60m; | |
| add_header Cache-Control $cache_control; | |
| expires $expires; | |
| } | |
| location ~ /purge(/.*) { | |
| fastcgi_cache_purge WORDPRESS '$scheme$request_method$host$1'; | |
| } | |
| location ~* .(css|js)$ { | |
| expires max; | |
| } | |
| # Cache static files for as long as possible | |
| location ~* .(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ { | |
| expires max; | |
| log_not_found off; | |
| access_log off; | |
| tcp_nodelay off; | |
| open_file_cache max=1000 inactive=120s; | |
| open_file_cache_valid 30s; | |
| open_file_cache_min_uses 2; | |
| open_file_cache_errors off; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment