@grambas
Last active January 21, 2019 21:47
[Webserver Security]
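# Map User-Agent substrings to $limit_bots (1 = block, 0 = allow); the server
# block returns 403 when it is 1.
# NOTE(security): User-Agent is entirely client-controlled. This is a nuisance
# filter for sloppy scrapers and download accelerators, not an access control --
# any attack tool can send a browser UA. Matches are case-insensitive (~*)
# substrings with no anchors, so every token also matches inside longer names.
# Changes from the original list: exact duplicates (Go!Zilla, Go-Ahead-Got-It,
# GrabNet, HMView) removed, the truncated duplicate "rafula" (substring of
# "Grafula") dropped, and the generic tokens isolated on the last line.
map $http_user_agent $limit_bots {
    default 0;
    # Named site rippers / download managers / e-mail harvesters.
    ~*(AltaVista|Slurp|BlackWidow|ChinaClaw|Custo|DISCo|Demon|eCatch|EirGrabber|EmailSiphon|EmailWolf|SuperHTTP|Surfbot|WebWhacker) 1;
    ~*(Express|WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView) 1;
    ~*(HTTrack|Stripper|Sucker|Indy|InterGET|Ninja|JetCar|larbin|LeechFTP|Navroad|NearSite|NetAnts|tAkeOut|WWWOFFLE) 1;
    ~*(NetSpider|Vampire|NetZIP|Octopus|Offline|PageGrabber|Foto|pavuk|pcBrowser|RealDownload|ReGet|SiteSnagger|SmartDownload|SuperBot|WebSpider) 1;
    ~*(Teleport|VoidEYE|Collector|WebAuto|WebCopier|WebFetch|WebGo|WebLeacher|WebReaper|WebSauger|eXtractor|Quester|WebStripper|WebZIP|Wget|Widow|Zeus) 1;
    ~*(Twengabot|htmlparser|libwww|urllib|PycURL|WebCollector|WebCopy|webcraw) 1;
    # WARNING: generic substrings. "Bot" matches Googlebot/Bingbot (which defeats
    # the "SEO" goal of the site config), "Spider" hits most crawlers,
    # "Curl"/"Python"/"perl" block uptime monitors and your own scripts, and
    # "tool"/"email"/"scan"/"Download" match any UA that merely contains the
    # word. Delete this single line if indexing or monitoring matters; the
    # named tools above stay blocked.
    ~*(Bot|Download|Downloader|Spider|tool|Python|Pyth|PyQ|perl|scan|Curl|email) 1;
}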
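# Canonical-host redirect: www.example.de -> example.de, preserving path/query.
server {
    listen 80; # explicit, consistent with the main vhost below
    server_name www.example.de; #@CHANGE TO YOUR DOMAIN
    # $scheme is always "http" here because nothing listens on 443 yet. Once TLS
    # exists, redirect straight to https:// so the www host never serves plaintext.
    return 301 $scheme://example.de$request_uri; #@CHANGE TO YOUR DOMAIN
}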
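# Main vhost for example.de (plaintext HTTP only -- see the listen comment).
server {
    root /var/www/example.de; #@CHANGE TO YOUR DOMAIN ROOT FOLDER
    index index.html index.php;
    # Only :80 is bound. The HSTS header configured in nginx.conf is ignored by
    # browsers on plain HTTP, so it has no effect until a TLS listener on 443 exists.
    listen 80;
    server_name example.de; #@CHANGE TO YOUR DOMAIN
    # Per-vhost logs. The original error_log path was "/var/logs.error.log"
    # (missing slash); both now point into the standard nginx log directory,
    # which must exist and be writable by the worker user or nginx will not start.
    access_log /var/log/nginx/example.de.access.log; #@CHANGE TO YOUR LOGFILE
    error_log /var/log/nginx/example.de.error.log info; #@CHANGE TO YOUR LOGFILE

    #####################
    ##SEO / PERFORMANCE #
    #####################
    # Static assets: images, css, js, fonts. (?: ...) is a non-capturing group,
    # so nothing is stored in $1 (marginally cheaper).
    location ~* \.(?:ico|css|js|gif|jpe?g|png|woff|ttf|otf|svg|woff2|eot)$ {
        expires 30d; # or use max
        # CAVEAT: add_header is not additive across levels. Because this location
        # declares its own add_header lines, the security headers set in the
        # http{} block (X-Frame-Options, nosniff, HSTS, ...) are NOT sent for these
        # responses. Re-declare them here if you need them on static files.
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    #####################
    ##SECURITY #
    #####################
    # About the if() rules below: "if" in server{} context is safe only with
    # return/set, which is all that is used here. Treat these regexes as a
    # nuisance filter, not a WAF: $query_string is the raw, still percent-encoded
    # string, so %55nion, union/**/select, double-encoding and POST bodies all
    # pass untouched, while the referer/spam word lists will 403 legitimate
    # visitors. Real input validation belongs in the application.

    # Block User-Agents flagged by the $limit_bots map.
    if ($limit_bots = 1) {
        return 403;
    }

    ## Deny certain Referers. Client-controlled header; substring match, so
    ## referrers such as "lovely-blog.com" or "organic-farm.de" are blocked too.
    if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) ) {
        return 403;
    }

    ## Block SQL injections. Now case-insensitive (~*): SQL keywords are
    ## case-insensitive, and the original "~" let "UNION SELECT" straight through.
    set $block_sql_injections 0;
    if ($query_string ~* "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~* "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~* "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 403;
    }

    ## Block file injections (RFI / traversal strings in parameter values).
    ## Only a literal "http://" is caught; https:// and percent-encoded forms pass,
    ## and any legitimate parameter carrying a URL (redirect=http://...) is 403'd.
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=http://") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 403;
    }

    ## Block common exploits. The HTML-tag and PHP-function rules are now ~*
    ## (HTML tags and PHP function names are case-insensitive: <SCRIPT>, %3c,
    ## BASE64_DECODE). The superglobal/Joomla/procfs rules stay case-sensitive
    ## because those names are.
    set $block_common_exploits 0;
    if ($query_string ~* "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "proc/self/environ") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~* "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 403;
    }

    ## Block spam keywords in the query string (word-boundary, case-insensitive).
    ## Still false-positive prone: a pharmacy or health site cannot use this list.
    set $block_spam 0;
    if ($query_string ~* "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
        set $block_spam 1;
    }
    if ($query_string ~* "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
        set $block_spam 1;
    }
    if ($query_string ~* "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
        set $block_spam 1;
    }
    if ($query_string ~* "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
        set $block_spam 1;
    }
    if ($block_spam = 1) {
        return 403;
    }

    # Deny dotfiles and well-known sensitive files. Dots are escaped so
    # "readme.html" no longer also matches "readme-html". "/\." also denies
    # /.well-known/, which breaks ACME HTTP-01 (Let's Encrypt) validation; add
    #   location ^~ /.well-known/acme-challenge/ { allow all; }
    # above this block if you issue certificates that way. nginx tries regex
    # locations in file order, so this must stay ahead of the PHP handler.
    location ~ /(\.|wp-config\.php|readme\.html|license\.txt|schema\.txt|password\.txt|passwords\.txt) {
        deny all;
    }

    # Editor backup files (foo.php~). With logging off, probes for these leave
    # no trace in access/error logs -- consider keeping it on for detection.
    location ~ ~$ {
        access_log off;
        log_not_found off;
        deny all;
    }

    # .git directories. Already matched by the "/\." rule above, which wins
    # because it comes first, so this block is effectively unreachable (and its
    # access_log off never applies). Kept in case that rule is ever relaxed.
    location ~ /\.git {
        access_log off;
        log_not_found off;
        deny all;
    }

    # Perl/CGI/etc. source files. FIX: the original pattern ended in "\$", which
    # PCRE reads as a literal dollar sign, so it only matched URIs such as
    # "/x.pl$" and real scripts were served as plain files. "$" is the
    # end-of-string anchor that was intended.
    location ~* \.(pl|cgi|py|sh|lua)$ {
        return 444;
    }

    # Drop probes for services/tools that do not exist on this host. This is a
    # substring match anywhere in the URI: "/blog/smtp-setup" or "/shop/soap"
    # are killed too -- narrow the list if your content uses such words.
    location ~* (roundcube|webdav|smtp|http\:|soap|w00tw00t) {
        return 444;
    }

    # Other sensitive files (list lifted from Drupal's .htaccess). The middle
    # alternative "^(\..*|Entries.*|Repository|Root|Tag|Template)$" was written
    # against Apache file names; nginx matches the URI, which always starts with
    # "/", so that part never matches here (harmless, but not protective).
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
        return 444;
    }

    # Never execute PHP from upload directories. Must precede the PHP handler:
    # the first matching regex location wins.
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    #####################
    ##LOCATIONS #
    #####################
    ## Location example with auth##
    #location /auth-example {
    # auth_basic "Administrator Login";
    # auth_basic_user_file /var/www/.htpasswd-example;
    #}
    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    #@IMPORTANT CHECK YOUR PHP VERSION!!!
    ## For php5-fpm
    location ~ \.php$ {
        # try_files =404 defeats the cgi.fix_pathinfo trick (/uploads/x.jpg/y.php):
        # only scripts that actually exist on disk are handed to PHP-FPM.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        # nginx's stock fastcgi_params does not define SCRIPT_FILENAME (only
        # fastcgi.conf does; Debian/Ubuntu patch theirs to add it). Without it
        # PHP-FPM answers "No input file specified". Setting it explicitly is the
        # conventional, distribution-independent form.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    ## For php7.0-fpm
    #location ~ \.php$ {
    # include snippets/fastcgi-php.conf;
    # fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    #}
}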
# Workers drop to www-data; only the master keeps root to bind port 80.
user www-data;
# A single worker process ("auto" = one per CPU core is the usual production value).
worker_processes 1;
pid /run/nginx.pid;

events {
    multi_accept on;          # accept every pending connection per wake-up, not just one
    worker_connections 1024;  # concurrent connections per worker process
}
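http {
    ##
    # Information leakage
    ##
    # Do not send the nginx version in the Server header or on error pages.
    server_tokens off;
    # proxy_hide_header only strips headers from proxy_pass upstreams. PHP-FPM is
    # reached through fastcgi_pass, so its X-Powered-By header needs the fastcgi
    # variant as well (or expose_php = Off in php.ini).
    proxy_hide_header X-Powered-By;
    fastcgi_hide_header X-Powered-By;
    # Requires the third-party headers-more module (ngx_http_headers_more); on a
    # stock nginx build "nginx -t" fails with "unknown directive". A fake Server
    # value has no real security value -- fingerprinting does not rely on it.
    more_set_headers 'Server: Windows 98'; #trololo

    ##
    # Security headers
    ##
    # CAVEAT: add_header is inherited by a server{}/location{} only if that level
    # declares no add_header of its own (the static-file location in the site
    # config does, and so loses all of these), and by default it is attached only
    # to 2xx/3xx responses -- append "always" to cover 4xx/5xx as well.
    #
    # Clickjacking: allow framing from this origin only (DENY forbids it entirely;
    # ALLOW-FROM is obsolete -- use a Content-Security-Policy frame-ancestors
    # directive for anything finer).
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
    add_header X-Frame-Options SAMEORIGIN;
    # Stop browsers from MIME-sniffing a response away from its declared
    # Content-Type; matters wherever user-supplied content is served.
    add_header X-Content-Type-Options nosniff;
    # The legacy XSS auditor has been removed from Chromium and was itself a
    # cross-site leak vector; current OWASP/MDN guidance is to disable it
    # explicitly ("0") and rely on a Content-Security-Policy instead.
    add_header X-XSS-Protection "0";
    # HSTS, against SSL stripping. Browsers ignore this header on plain-HTTP
    # responses, so it is inert until the vhosts listen on 443 with TLS. Once
    # they do, "includeSubDomains" commits EVERY subdomain to HTTPS for a year --
    # confirm none is HTTP-only before enabling. (The original value carried a
    # trailing ";" and the wrong capitalisation.)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    ##
    # Connection limits (DoS hygiene, not DDoS protection)
    ##
    # limit_zone was deprecated in 1.1.8 and removed in later releases;
    # limit_conn_zone is the replacement. Per the nginx docs, 1m of shared memory
    # holds roughly 16k-32k client states depending on platform.
    limit_conn_zone $binary_remote_addr zone=slimits:5m;
    # At most 5 simultaneous connections per client IP. Users behind a shared
    # NAT or forward proxy share this budget; raise it if those are common.
    limit_conn slimits 5;
    # No request-rate limiting is configured; add a limit_req_zone/limit_req pair
    # (e.g. on the PHP location) if login or search endpoints get hammered.

    ##
    # Request size and slow-client limits. (The original called this "buffer
    # overflow" protection; nginx is not at risk of overflow from these -- they
    # cap request size and cut off slowloris-style slow senders.)
    ##
    client_max_body_size 20M;      # largest accepted request body (uploads)
    client_body_buffer_size 15K;   # bodies above this are spooled to a temp file
    client_body_timeout 12;        # seconds between body reads before 408
    client_header_timeout 12;      # seconds to receive the complete request header
    keepalive_timeout 15;
    send_timeout 10;               # seconds between client writes before closing

    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings. The directory must exist before start-up; the original
    # error_log path read "/src/LOGS", a typo for "/srv/LOGS".
    ##
    access_log /srv/LOGS/nginx-access.log; #@CHANGE TO LOG YOUR LOGFILE
    error_log /srv/LOGS/nginx-error.log; #@CHANGE TO LOG YOUR LOGFILE

    ##
    # Gzip Settings
    ##
    # CAVEAT: once TLS is added, compressing responses that mix secrets (CSRF
    # tokens, session ids) with attacker-influenced input enables BREACH; keep
    # gzip to static asset types or disable it on such pages.
    gzip_disable "msie6";
    gzip on;
    gzip_comp_level 2;
    gzip_min_length 1000;
    gzip_buffers 4 32k;
    # mime.types maps .js to application/javascript, so with only the legacy
    # x-javascript entry JavaScript was never compressed; both are listed now.
    gzip_types text/plain application/javascript application/x-javascript text/xml text/css application/xml;
    gzip_vary on;
    # end gzip configuration

    ##
    # Virtual Host Configs (the per-site file above belongs in sites-enabled)
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}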
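#/etc/sysctl.conf
# Apply with "sysctl -p". A key that does not exist on your kernel (see
# exec-shield below) prints an error, but the remaining lines still load.

# Avoid being a smurf amplifier: ignore ICMP echo sent to broadcast addresses
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses (stops log spam from broken routers)
net.ipv4.icmp_ignore_bogus_error_responses = 1
# SYN cookies: keep accepting connections while the SYN backlog is flooded
net.ipv4.tcp_syncookies = 1
# Log spoofed, source-routed and redirect packets ("martians")
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# No source-routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Reverse-path filtering, strict mode. Use 2 (loose) on multi-homed hosts
# with asymmetric routing, or legitimate traffic is silently dropped.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Do not let ICMP redirects (even from "secure" gateways) alter the routing table
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don't act as a router: no forwarding, never emit redirects
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Exec-shield exists only on older Red Hat kernels (RHEL 5/6). On any other
# kernel this key is unknown and sysctl reports an error -- delete the line there.
kernel.exec-shield = 1
# Full ASLR. The original value 1 randomises only stack, mmap and VDSO; 2 also
# randomises the heap (brk) base and has been the kernel default for years.
kernel.randomize_va_space = 2
# Tune IPv6: no router solicitation / advertisement processing, no SLAAC.
# These "default" keys apply to interfaces created after the setting is loaded;
# mirror them under net.ipv6.conf.<iface>.* (or .all.*) for interfaces that
# already exist at boot.
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
# NOTE(review): dad_transmits = 0 disables Duplicate Address Detection, so an
# address clash on the link goes unnoticed -- confirm this is intentional.
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
# Optimisation for port use behind load balancers
# Increase the system-wide file descriptor limit
fs.file-max = 65535
# Allow more PIDs (reduces PID rollover); may break programs that assume the old 32768 ceiling
kernel.pid_max = 65536
# Widen the ephemeral port range
net.ipv4.ip_local_port_range = 2000 65000
# Per-socket TCP buffer min / default / max (bytes), settable via setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Upper bounds for auto-tuned socket buffers; raise the max above 8 MB only on
# very high bandwidth-delay-product paths
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
# Packets queued per interface before the kernel starts processing them
net.core.netdev_max_backlog = 5000
# TCP window scaling (RFC 1323), required for windows above 64 KB
net.ipv4.tcp_window_scaling = 1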