tiagovtg/JoomlaNginx.conf

## JoomlaNginx.conf
server {
	######################################################################
	## The Master .htaccess - NginX adaptation
	##
	## Version 3.3
	##
	## This file is designed to be the template NginX server configuration file
	## for your Joomla! sites. You should go through all of its sections and
	## modify it to match your site. Most notably, all instances of example.com
	## and example\.com should be replaced with your real domain name.
	##
	## Some sections are too picky and may cause problems with legitimate requests.
	## You are ultimately responsible for disabling them or writing exception rules
	## for your requests. Most notably, the advanced server protection section will
	## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
	## sions which use non-standard scripts as their entry points. You must add
	## exceptions for them manually.
	##
	## Some sections - depending on your server configuration - may cause your site
	## to throw 500 Internal Server Error. The only way to figure out which one is
	## causing it is trial and error.
	##
	## This is an adaptation of my Master .htaccess, a similar file which
	## I have designed for Apache-based servers. This adaptation would not
	## be possible without all the wonderful people who helped me write and
	## test the original Master .htaccess, the Joomla! project which now
	## recommends it in its official documentation wiki and the thousands
	## of Admin Tools Professional subscribers who provided invaluable
	## feedback on the Master .htaccess' performance across different servers.
	##
	## Have fun, stay safe.
	##
	## Nicholas K. Dionysopoulos
	## Lead Developer, AkeebaBackup.com
	##
	######################################################################

	######################################################################
	## Basic server setup. Change to match YOUR system!
	######################################################################
	# -- Basic configuration
	# ---- Port to listen to. For SSL sites change this to 443.
	listen 80;

	# ---- Domain name(s) of this site, separated by commas
	server_name www.example.com example.com www.example.org example.org;
	server_name_in_redirect off;

	# ---- Site root path
	root /usr/share/nginx/html/directory files site;
	index index.php index.html index.htm default.html default.htm;
	# Suporte a URLs amigaveis
	location / {
		try_files $uri $uri/ /index.php?$args;
	}

	# ---- Path to the access log
	access_log /var/log/nginx/access.log;

	# ---- Path to the error log
	error_log /var/log/nginx/error.log;

	# ---- Custom error pages. Each error page is four lines. The first one
	#      defines which page will be shown for each error code. The next
	#      three lines make sure that the error page cannot be accessed
	#      directly over the web.
	error_page 404 /errors/404.html;
	location  /errors/404.html {
		internal;
	}

	error_page 500 /errors/500.html;
	location  /errors/500.html {
		internal;
	}

	error_page 403 /errors/403.html;
	location  /errors/403.html {
		internal;
	}

	# if have fastcgi on
	location ~ \.php$ {

		fastcgi_index index.php;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html/site$fastcgi_script_name;
		fastcgi_pass 127.0.0.1:9000;

		# Don't cache if our headers (or cookie) are present
		proxy_no_cache $upstream_http_x_dont_cache_me $cookie_jnocache;
		proxy_cache_bypass $upstream_http_x_dont_cache_me $cookie_jnocache  $http_pragma $http_authorization $cookie_nocache $arg_nocache;
		# Ignore the standard no-cache headers - these will still be sent to the browser
		proxy_ignore_headers X-Accel-Expires Expires Cache-Control;

		# Don't send our custom header to the browser
		proxy_hide_header X-Dont-Cache-Me;

		# This next line is important if we're planning on caching for more than one site on the server
		proxy_cache_key "$scheme$host$request_uri";

		# Set cache key to include identifying components


		fastcgi_ignore_headers Cache-Control Expires;
		fastcgi_pass_header Set-Cookie;
		fastcgi_pass_header Cookie;

		## Add a cache miss/hit status header.
		add_header X-Micro-Cache $upstream_cache_status;

		## To avoid any interaction with the cache control headers we expire
		## everything on this location immediately.
		expires epoch;

		## Cache locking mechanism for protecting the backend of too many
		## simultaneous requests.
	}


	######################################################################
	## SSL Configuration
	##
	## Only use this block if you are setting up the SSL (HTTPS) server
	## definition of your site.
	######################################################################
	ssl on;
	ssl_certificate /etc/ssl/localcerts/webserver.pem;
	ssl_certificate_key /etc/ssl/localcerts/webserver.key;

	ssl_session_timeout 5m;

	ssl_protocols SSLv3 TLSv1;
	ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
	ssl_prefer_server_ciphers on;

	######################################################################
	## The Kitchen Sink - An array of useful and performance-tuning options
	######################################################################
	# -- Timeout handling, see http://wiki.nginx.org/HttpCoreModule
	client_header_timeout 10;
	client_body_timeout   10;
	send_timeout          30;
	keepalive_timeout     40 20;

	# -- Socket settings, see http://wiki.nginx.org/HttpCoreModule
	connection_pool_size        8192;
	client_header_buffer_size   4k;
	large_client_header_buffers 8 8k;
	request_pool_size           8k;

	# -- Performance, see http://wiki.nginx.org/HttpCoreModule
	sendfile on;
	sendfile_max_chunk 1m;
	postpone_output 0;
	tcp_nopush on;
	tcp_nodelay off;

	# -- Output buffering, see http://wiki.nginx.org/HttpCoreModule
	output_buffers 8 32k;

	# -- Character encoding, see http://wiki.nginx.org/HttpCharsetModule
	charset                 utf-8;
	source_charset          utf-8;

	# -- Security options, see http://wiki.nginx.org/HttpCoreModule
	server_name_in_redirect off;
	server_tokens off;
	ignore_invalid_headers on;
	# You may have to comment out the next line on multi-site installations
	disable_symlinks if_not_owner;

	######################################################################
	## Redirect non-www to www
	##
	## If you enable this, disable the "Redirect www to non-www" below!
	######################################################################
	if ($host = 'example.com' ) {
		rewrite ^/(.*)$ http://www.example.com/$1 permanent;
	}

	######################################################################
	## Redirect www to non-www
	##
	## If you enable this, disable the "Redirect non-www to www" above!
	######################################################################
	if ($host = 'www.example.com' ) {
		rewrite ^/(.*)$ http://example.com/$1 permanent;
	}

	######################################################################
	## Redirect example.org to example.com
	##
	## Your server_name must include both the old and new domain names!
	######################################################################
	if ($host ~ "(www\.)?example.org$" ) {
		rewrite ^/(.*)$ http://www.example.com/$1 permanent;
	}

	######################################################################
	## CloudFlare support - see http://wiki.nginx.org/NginxHttpRealIpModule
	## Comment out if you are not using the CloudFlare CDN
	######################################################################
	set_real_ip_from 204.93.240.0/24;
	set_real_ip_from 204.93.177.0/24;
	set_real_ip_from 199.27.128.0/21;
	set_real_ip_from 173.245.48.0/20;
	set_real_ip_from 103.22.200.0/22;
	set_real_ip_from 141.101.64.0/18;
	set_real_ip_from 108.162.192.0/18;
	set_real_ip_from 190.93.240.0/20;
	real_ip_header CF-Connecting-IP;

	######################################################################
	## Directory indices
	## Forces index.php to be read before the index.htm(l) files
	######################################################################
	index index.php index.html index.htm;

	######################################################################
	## Status page - DISABLE THIS ON LIVE SITES!
	######################################################################
	location /nginx_status {
		stub_status on;
		access_log   off;
		# Remember to change this to your PC's IP address
		allow 192.168.0.1;
	}

	######################################################################
	## Google Apps redirection
	## This also shows how to redirect a directory to an external server
	######################################################################
	location ~* /mail {
		rewrite ^ http://mail.google.com/a/example.com permanent;
	}

	######################################################################
	## Block some common exploits
	######################################################################
	set $common_exploit 0;
	if ($query_string ~ "proc/self/environ") {
		set $common_exploit 1;
	}
	if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
		set $common_exploit 1;
	}
	if ($query_string ~ "base64_(en|de)code\(.*\)") {
		set $common_exploit 1;
	}
	if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
		set $common_exploit 1;
	}
	if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
		set $common_exploit 1;
	}
	if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
		set $common_exploit 1;
	}
	if ($common_exploit = 1) {
		return 403;
	}

	######################################################################
	## File injection protection
	######################################################################
	set $file_injection 0;
	if ($query_string ~ "[a-zA-Z0-9_]=http://") {
		set $file_injection 1;
	}
	if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
		set $file_injection 1;
	}
	if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
		set $file_injection 1;
	}
	if ($file_injection = 1) {
		return 403;
	}

	######################################################################
	## SQL injection first line of defence (NOT comprehensive!)
	######################################################################
	set $sql_injection 0;
	if ($query_string ~ "concat.*\(") {
		set $sql_injection 1;
	}
	if ($query_string ~ "union.*select.*\(") {
		set $sql_injection 1;
	}
	if ($query_string ~ "union.*all.*select.*") {
		set $sql_injection 1;
	}
	if ($sql_injection = 1) {
		return 403;
	}

	######################################################################
	## Basic anti-spam
	######################################################################
	set $looks_like_spam 0;
	if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
		set $looks_like_spam 1;
	}
	if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
		set $looks_like_spam 1;
	}
	if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
		set $looks_like_spam 1;
	}
	if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
		set $looks_like_spam 1;
	}
	if ($looks_like_spam = 1) {
		return 403;
	}

	######################################################################
	## Advanced server protection rules exceptions
	##
	## You will DEFINITELY need to add exceptions for a lot of extensions
	## to work. Yeah, I have to write an illustrated guide at some point.
	## However, if you can use Firebug or Google Chrome Web Developer
	## window then you can find out the exceptions all by yourself. Use the
	## following as a guide.
	######################################################################
	# Allow direct access to a specific PHP file
	#location = /tmp/test.php {
		#	fastcgi_pass $fastcgi_pass;
		#	break;
		#}

		# Allow direct access to a specific static (non-PHP) file
		#location = /administrator/test.png {
			#	break;
			#}


			######################################################################
			## Server protection
			##
			## Nothing on my site runs unless I say so!
			######################################################################
			# Allow media files in select back-end directories
			location ~* ^/administrator/(components|modules|templates|images)/.*.(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|ico|mpe(eg?[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov|ttf|woff|eot|JPG|JPEG|PNG|GIF|CSS|JS|TTF|WOFF|EOT)$ {
				break;
			}

			# Allow media files in select front-end directories
			location ~* ^/(components|modules|templates|images|plugins|media|includes/js)/.*.(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|ico|mpe(eg?[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov|ttf|woff|eot|JPG|JPEG|PNG|GIF|CSS|JS|TTF|WOFF|EOT)$ {
				break;
			}

			# Allow access to the front-end index.php file
			location = / {
				try_files $uri $uri/ /index.php?q=$uri&$args;
			}
			location = /index.php {
				fastcgi_pass $fastcgi_pass;
				break;
			}

			# Allow access to the back-end index.php file
			location = /administrator {
				rewrite ^ /administrator/index.php last;
			}
			location = /administrator/ {
				rewrite ^ /administrator/index.php last;
			}
			location = /administrator/index.php {
				fastcgi_pass $fastcgi_pass;
				break;
			}

			# Disable access to everything else.
			#if need especify use:
			#location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$
			location ~* /.*$ {
				# If it is a file, directory or symlink and I haven't deliberetaly
				# enabled access to it, forbid any access to it!
				if (-e $request_filename) {
					return 403;
				}
				# In any other case, just treat as a SEF URL
				try_files $uri $uri/ /index.php?q=$uri&$args;
			}

			######################################################################
			## PHP Setup
			######################################################################
			include fastcgi_params;
			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
			set $fastcgi_pass "unix:/var/run/php5-fpm-web.sock";
			location ~ index.php$ {
				fastcgi_pass $fastcgi_pass;
			}

			######################################################################
			## Expiration control
			##
			## Optimises the expiration time
			######################################################################
			# CSS and JavaScript : 1 week
			location ~* \.(css|js)$ {
				expires 1w;
				add_header  Cache-Control public;
			}

			# Image files : 1 month
			location ~* \.(bmp|gif|jpg|jpeg|jp2|png|svg|tif|tiff|ico|wbmp|wbxml|smil)$ {
				expires 1y;
			}

			# Document files : 1 month
			location ~* \.(pdf|txt|xml|flv)$ {
				expires 1y;
			}

			# Audio files : 1 month
			location ~* \.(mid|midi|mp3|m4a|m4r|aif|aiff|ra|wav|voc|ogg)$ {
				expires 1y;
			}

			# Video files : 1 month
			location ~* \.(swf|vrml|avi|mkv|mpg|mpeg|mp4|m4v|mov|asf)$ {
				expires 1y;
			}

			######################################################################
			## User agent blocking
			##
			## Disables access to your site by user agent. Useful to block some
			## bandwidth hoggers.
			######################################################################
			set $bad_ua 0;

			# This also disables Akeeba Remote Control 2.5 and earlier
			if ($http_user_agent ~ "Indy Library") {
				set $bad_ua 1;
			}

			# Disabling Wget will also block the most common method to run CRON jobs
			if ($http_user_agent ~ "Wget") {
				set $bad_ua 1;
			}

			# Common bandwidth hoggers and hacking tools. Each rule is three lines, beginning with "if"
			if ($http_user_agent ~ "libwww-perl") {
				set $bad_ua 1;
			}
			if ($http_user_agent ~ "Download Demon") {
				set $bad_ua 1;
			}
			if ($http_user_agent ~ "GetRight") {
				set $bad_ua 1;
			}
			if ($http_user_agent ~ "GetWeb!") {
				set $bad_ua 1;
			}
			if ($http_user_agent ~ "Go!Zilla") {
				set $bad_ua 1;
			}
			if ($http_user_agent ~ "Go-Ahead-Got-It") {
				set $bad_ua 1;
			}
			if ($http_user_agent ~ "GrabNet") {
				set $bad_ua 1;
			}
			if ($http_user_agent ~ "TurnitinBot") {
				set $bad_ua 1;
			}

			# If you enable any of the above don't remove this. It's what blocks
			# the bad user agents!
			if ($bad_ua = 1) {
				return 403;
			}

			######################################################################
			## Automatic compression of static resources
			## Compress text, html, javascript, css, xml and other static resources
			## May kill access to your site for old versions of Internet Explorer
			######################################################################
			gzip                    on;
			gzip_http_version       1.1;
			gzip_vary               on;
			gzip_comp_level 6;
			gzip_proxied    any;
			#gzip_min_length 1100;
			gzip_types      text/plain text/html text/xml text/css application/xml application/xhtml+xml application/xml+rss application/rss+xml application/x-javascript application/javascript text/javascript;
			gzip_buffers    16 8k;

			fastcgi_buffers 8 16k;
			fastcgi_buffer_size 32k;
			fastcgi_read_timeout 300;
			fastcgi_send_timeout 300;

			# Desabilita o gzip para alguns navegadores
			gzip_disable    "MSIE [1-6].(?!.*SV1)";

			client_header_timeout 60;
			#client_header_buffer_size 1k;
			#send_timeout 20;

			location = /robots.txt {
				allow all;
				log_not_found off;
				access_log off;
			}
		}
	server {
	######################################################################
	## The Master .htaccess - NginX adaptation
	##
	## Version 3.3
	##
	## This file is designed to be the template NginX server configuration file
	## for your Joomla! sites. You should go through all of its sections and
	## modify it to match your site. Most notably, all instances of example.com
	## and example\.com should be replaced with your real domain name.
	##
	## Some sections are too picky and may cause problems with legitimate requests.
	## You are ultimately responsible for disabling them or writing exception rules
	## for your requests. Most notably, the advanced server protection section will
	## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
	## sions which use non-standard scripts as their entry points. You must add
	## exceptions for them manually.
	##
	## Some sections - depending on your server configuration - may cause your site
	## to throw 500 Internal Server Error. The only way to figure out which one is
	## causing it is trial and error.
	##
	## This is an adaptation of my Master .htaccess, a similar file which
	## I have designed for Apache-based servers. This adaptation would not
	## be possible without all the wonderful people who helped me write and
	## test the original Master .htaccess, the Joomla! project which now
	## recommends it in its official documentation wiki and the thousands
	## of Admin Tools Professional subscribers who provided invaluable
	## feedback on the Master .htaccess' performance across different servers.
	##
	## Have fun, stay safe.
	##
	## Nicholas K. Dionysopoulos
	## Lead Developer, AkeebaBackup.com
	##
	######################################################################

	######################################################################
	## Basic server setup. Change to match YOUR system!
	######################################################################
	# -- Basic configuration
	# ---- Port to listen to. For SSL sites change this to 443.
	listen 80;

	# ---- Domain name(s) of this site, separated by commas
	server_name www.example.com example.com www.example.org example.org;
	server_name_in_redirect off;

	# ---- Site root path
	root /usr/share/nginx/html/directory files site;
	index index.php index.html index.htm default.html default.htm;
	# Suporte a URLs amigaveis
	location / {
	try_files $uri $uri/ /index.php?$args;
	}

	# ---- Path to the access log
	access_log /var/log/nginx/access.log;

	# ---- Path to the error log
	error_log /var/log/nginx/error.log;

	# ---- Custom error pages. Each error page is four lines. The first one
	# defines which page will be shown for each error code. The next
	# three lines make sure that the error page cannot be accessed
	# directly over the web.
	error_page 404 /errors/404.html;
	location /errors/404.html {
	internal;
	}

	error_page 500 /errors/500.html;
	location /errors/500.html {
	internal;
	}

	error_page 403 /errors/403.html;
	location /errors/403.html {
	internal;
	}

	# if have fastcgi on
	location ~ \.php$ {

	fastcgi_index index.php;
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html/site$fastcgi_script_name;
	fastcgi_pass 127.0.0.1:9000;

	# Don't cache if our headers (or cookie) are present
	proxy_no_cache $upstream_http_x_dont_cache_me $cookie_jnocache;
	proxy_cache_bypass $upstream_http_x_dont_cache_me $cookie_jnocache $http_pragma $http_authorization $cookie_nocache $arg_nocache;
	# Ignore the standard no-cache headers - these will still be sent to the browser
	proxy_ignore_headers X-Accel-Expires Expires Cache-Control;

	# Don't send our custom header to the browser
	proxy_hide_header X-Dont-Cache-Me;

	# This next line is important if we're planning on caching for more than one site on the server
	proxy_cache_key "$scheme$host$request_uri";

	# Set cache key to include identifying components


	fastcgi_ignore_headers Cache-Control Expires;
	fastcgi_pass_header Set-Cookie;
	fastcgi_pass_header Cookie;

	## Add a cache miss/hit status header.
	add_header X-Micro-Cache $upstream_cache_status;

	## To avoid any interaction with the cache control headers we expire
	## everything on this location immediately.
	expires epoch;

	## Cache locking mechanism for protecting the backend of too many
	## simultaneous requests.
	}



	######################################################################
	## SSL Configuration
	##
	## Only use this block if you are setting up the SSL (HTTPS) server
	## definition of your site.
	######################################################################
	ssl on;
	ssl_certificate /etc/ssl/localcerts/webserver.pem;
	ssl_certificate_key /etc/ssl/localcerts/webserver.key;

	ssl_session_timeout 5m;

	ssl_protocols SSLv3 TLSv1;
	ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
	ssl_prefer_server_ciphers on;

	######################################################################
	## The Kitchen Sink - An array of useful and performance-tuning options
	######################################################################
	# -- Timeout handling, see http://wiki.nginx.org/HttpCoreModule
	client_header_timeout 10;
	client_body_timeout 10;
	send_timeout 30;
	keepalive_timeout 40 20;

	# -- Socket settings, see http://wiki.nginx.org/HttpCoreModule
	connection_pool_size 8192;
	client_header_buffer_size 4k;
	large_client_header_buffers 8 8k;
	request_pool_size 8k;

	# -- Performance, see http://wiki.nginx.org/HttpCoreModule
	sendfile on;
	sendfile_max_chunk 1m;
	postpone_output 0;
	tcp_nopush on;
	tcp_nodelay off;

	# -- Output buffering, see http://wiki.nginx.org/HttpCoreModule
	output_buffers 8 32k;

	# -- Character encoding, see http://wiki.nginx.org/HttpCharsetModule
	charset utf-8;
	source_charset utf-8;

	# -- Security options, see http://wiki.nginx.org/HttpCoreModule
	server_name_in_redirect off;
	server_tokens off;
	ignore_invalid_headers on;
	# You may have to comment out the next line on multi-site installations
	disable_symlinks if_not_owner;

	######################################################################
	## Redirect non-www to www
	##
	## If you enable this, disable the "Redirect www to non-www" below!
	######################################################################
	if ($host = 'example.com' ) {
	rewrite ^/(.*)$ http://www.example.com/$1 permanent;
	}

	######################################################################
	## Redirect www to non-www
	##
	## If you enable this, disable the "Redirect non-www to www" above!
	######################################################################
	if ($host = 'www.example.com' ) {
	rewrite ^/(.*)$ http://example.com/$1 permanent;
	}

	######################################################################
	## Redirect example.org to example.com
	##
	## Your server_name must include both the old and new domain names!
	######################################################################
	if ($host ~ "(www\.)?example.org$" ) {
	rewrite ^/(.*)$ http://www.example.com/$1 permanent;
	}

	######################################################################
	## CloudFlare support - see http://wiki.nginx.org/NginxHttpRealIpModule
	## Comment out if you are not using the CloudFlare CDN
	######################################################################
	set_real_ip_from 204.93.240.0/24;
	set_real_ip_from 204.93.177.0/24;
	set_real_ip_from 199.27.128.0/21;
	set_real_ip_from 173.245.48.0/20;
	set_real_ip_from 103.22.200.0/22;
	set_real_ip_from 141.101.64.0/18;
	set_real_ip_from 108.162.192.0/18;
	set_real_ip_from 190.93.240.0/20;
	real_ip_header CF-Connecting-IP;

	######################################################################
	## Directory indices
	## Forces index.php to be read before the index.htm(l) files
	######################################################################
	index index.php index.html index.htm;

	######################################################################
	## Status page - DISABLE THIS ON LIVE SITES!
	######################################################################
	location /nginx_status {
	stub_status on;
	access_log off;
	# Remember to change this to your PC's IP address
	allow 192.168.0.1;
	}

	######################################################################
	## Google Apps redirection
	## This also shows how to redirect a directory to an external server
	######################################################################
	location ~* /mail {
	rewrite ^ http://mail.google.com/a/example.com permanent;
	}

	######################################################################
	## Block some common exploits
	######################################################################
	set $common_exploit 0;
	if ($query_string ~ "proc/self/environ") {
	set $common_exploit 1;
	}
	if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=\|\%3D)") {
	set $common_exploit 1;
	}
	if ($query_string ~ "base64_(en\|de)code\(.*\)") {
	set $common_exploit 1;
	}
	if ($query_string ~ "(<\|%3C).script.(>\|%3E)") {
	set $common_exploit 1;
	}
	if ($query_string ~ "GLOBALS(=\|\[\|\%[0-9A-Z]{0,2})") {
	set $common_exploit 1;
	}
	if ($query_string ~ "_REQUEST(=\|\[\|\%[0-9A-Z]{0,2})") {
	set $common_exploit 1;
	}
	if ($common_exploit = 1) {
	return 403;
	}

	######################################################################
	## File injection protection
	######################################################################
	set $file_injection 0;
	if ($query_string ~ "[a-zA-Z0-9_]=http://") {
	set $file_injection 1;
	}
	if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
	set $file_injection 1;
	}
	if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
	set $file_injection 1;
	}
	if ($file_injection = 1) {
	return 403;
	}

	######################################################################
	## SQL injection first line of defence (NOT comprehensive!)
	######################################################################
	set $sql_injection 0;
	if ($query_string ~ "concat.*\(") {
	set $sql_injection 1;
	}
	if ($query_string ~ "union.select.\(") {
	set $sql_injection 1;
	}
	if ($query_string ~ "union.all.select.*") {
	set $sql_injection 1;
	}
	if ($sql_injection = 1) {
	return 403;
	}

	######################################################################
	## Basic anti-spam
	######################################################################
	set $looks_like_spam 0;
	if ($query_string ~ "\b(ambien\|blue\spill\|cialis\|cocaine\|ejaculation\|erectile)\b") {
	set $looks_like_spam 1;
	}
	if ($query_string ~ "\b(erections\|hoodia\|huronriveracres\|impotence\|levitra\|libido)\b") {
	set $looks_like_spam 1;
	}
	if ($query_string ~ "\b(lipitor\|phentermin\|pro[sz]ac\|sandyauer\|tramadol\|troyhamby)\b") {
	set $looks_like_spam 1;
	}
	if ($query_string ~ "\b(ultram\|unicauca\|valium\|viagra\|vicodin\|xanax\|ypxaieo)\b") {
	set $looks_like_spam 1;
	}
	if ($looks_like_spam = 1) {
	return 403;
	}

	######################################################################
	## Advanced server protection rules exceptions
	##
	## You will DEFINITELY need to add exceptions for a lot of extensions
	## to work. Yeah, I have to write an illustrated guide at some point.
	## However, if you can use Firebug or Google Chrome Web Developer
	## window then you can find out the exceptions all by yourself. Use the
	## following as a guide.
	######################################################################
	# Allow direct access to a specific PHP file
	#location = /tmp/test.php {
	# fastcgi_pass $fastcgi_pass;
	# break;
	#}

	# Allow direct access to a specific static (non-PHP) file
	#location = /administrator/test.png {
	# break;
	#}


	######################################################################
	## Server protection
	##
	## Nothing on my site runs unless I say so!
	######################################################################
	# Allow media files in select back-end directories
	location ~* ^/administrator/(components\|modules\|templates\|images)/.*.(jp(e?g\|2)?\|png\|gif\|bmp\|css\|js\|swf\|html?\|ico\|mpe(eg?[34])\|avi\|wav\|og[gv]\|xlsx?\|docx?\|pptx?\|zip\|rar\|pdf\|xps\|txt\|7z\|svg\|od[tsp]\|flv\|mov\|ttf\|woff\|eot\|JPG\|JPEG\|PNG\|GIF\|CSS\|JS\|TTF\|WOFF\|EOT)$ {
	break;
	}

	# Allow media files in select front-end directories
	location ~* ^/(components\|modules\|templates\|images\|plugins\|media\|includes/js)/.*.(jp(e?g\|2)?\|png\|gif\|bmp\|css\|js\|swf\|html?\|ico\|mpe(eg?[34])\|avi\|wav\|og[gv]\|xlsx?\|docx?\|pptx?\|zip\|rar\|pdf\|xps\|txt\|7z\|svg\|od[tsp]\|flv\|mov\|ttf\|woff\|eot\|JPG\|JPEG\|PNG\|GIF\|CSS\|JS\|TTF\|WOFF\|EOT)$ {
	break;
	}

	# Allow access to the front-end index.php file
	location = / {
	try_files $uri $uri/ /index.php?q=$uri&$args;
	}
	location = /index.php {
	fastcgi_pass $fastcgi_pass;
	break;
	}

	# Allow access to the back-end index.php file
	location = /administrator {
	rewrite ^ /administrator/index.php last;
	}
	location = /administrator/ {
	rewrite ^ /administrator/index.php last;
	}
	location = /administrator/index.php {
	fastcgi_pass $fastcgi_pass;
	break;
	}

	# Disable access to everything else.
	#if need especify use:
	#location ~* /(images\|cache\|media\|logs\|tmp)/.*\.(php\|pl\|py\|jsp\|asp\|sh\|cgi)$
	location ~* /.*$ {
	# If it is a file, directory or symlink and I haven't deliberetaly
	# enabled access to it, forbid any access to it!
	if (-e $request_filename) {
	return 403;
	}
	# In any other case, just treat as a SEF URL
	try_files $uri $uri/ /index.php?q=$uri&$args;
	}

	######################################################################
	## PHP Setup
	######################################################################
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	set $fastcgi_pass "unix:/var/run/php5-fpm-web.sock";
	location ~ index.php$ {
	fastcgi_pass $fastcgi_pass;
	}

	######################################################################
	## Expiration control
	##
	## Optimises the expiration time
	######################################################################
	# CSS and JavaScript : 1 week
	location ~* \.(css\|js)$ {
	expires 1w;
	add_header Cache-Control public;
	}

	# Image files : 1 month
	location ~* \.(bmp\|gif\|jpg\|jpeg\|jp2\|png\|svg\|tif\|tiff\|ico\|wbmp\|wbxml\|smil)$ {
	expires 1y;
	}

	# Document files : 1 month
	location ~* \.(pdf\|txt\|xml\|flv)$ {
	expires 1y;
	}

	# Audio files : 1 month
	location ~* \.(mid\|midi\|mp3\|m4a\|m4r\|aif\|aiff\|ra\|wav\|voc\|ogg)$ {
	expires 1y;
	}

	# Video files : 1 month
	location ~* \.(swf\|vrml\|avi\|mkv\|mpg\|mpeg\|mp4\|m4v\|mov\|asf)$ {
	expires 1y;
	}

	######################################################################
	## User agent blocking
	##
	## Disables access to your site by user agent. Useful to block some
	## bandwidth hoggers.
	######################################################################
	set $bad_ua 0;

	# This also disables Akeeba Remote Control 2.5 and earlier
	if ($http_user_agent ~ "Indy Library") {
	set $bad_ua 1;
	}

	# Disabling Wget will also block the most common method to run CRON jobs
	if ($http_user_agent ~ "Wget") {
	set $bad_ua 1;
	}

	# Common bandwidth hoggers and hacking tools. Each rule is three lines, beginning with "if"
	if ($http_user_agent ~ "libwww-perl") {
	set $bad_ua 1;
	}
	if ($http_user_agent ~ "Download Demon") {
	set $bad_ua 1;
	}
	if ($http_user_agent ~ "GetRight") {
	set $bad_ua 1;
	}
	if ($http_user_agent ~ "GetWeb!") {
	set $bad_ua 1;
	}
	if ($http_user_agent ~ "Go!Zilla") {
	set $bad_ua 1;
	}
	if ($http_user_agent ~ "Go-Ahead-Got-It") {
	set $bad_ua 1;
	}
	if ($http_user_agent ~ "GrabNet") {
	set $bad_ua 1;
	}
	if ($http_user_agent ~ "TurnitinBot") {
	set $bad_ua 1;
	}

	# If you enable any of the above don't remove this. It's what blocks
	# the bad user agents!
	if ($bad_ua = 1) {
	return 403;
	}

	######################################################################
	## Automatic compression of static resources
	## Compress text, html, javascript, css, xml and other static resources
	## May kill access to your site for old versions of Internet Explorer
	######################################################################
	gzip on;
	gzip_http_version 1.1;
	gzip_vary on;
	gzip_comp_level 6;
	gzip_proxied any;
	#gzip_min_length 1100;
	gzip_types text/plain text/html text/xml text/css application/xml application/xhtml+xml application/xml+rss application/rss+xml application/x-javascript application/javascript text/javascript;
	gzip_buffers 16 8k;

	fastcgi_buffers 8 16k;
	fastcgi_buffer_size 32k;
	fastcgi_read_timeout 300;
	fastcgi_send_timeout 300;

	# Desabilita o gzip para alguns navegadores
	gzip_disable "MSIE [1-6].(?!.*SV1)";

	client_header_timeout 60;
	#client_header_buffer_size 1k;
	#send_timeout 20;

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}
	}