nginx-virtualhost-template
# | Config file for example.com host |
# ----------------------------------------------------------------------
#
# This file is a template for an Nginx server.
# This Nginx server listens for the `example.com` host and handles requests.
# Replace `example.com` with your hostname before enabling.
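server {
    # Plain-HTTP entry point. It answers for both the bare and the www host
    # so that http://www.example.com is also sent to HTTPS instead of landing
    # on whichever server block happens to be the port-80 default.
    server_name example.com www.example.com;
    listen 80;
    # listen [::]:80;
    # Permanent redirect to the canonical (non-www, HTTPS) host;
    # $request_uri keeps the original path and query string.
    return 301 https://example.com$request_uri;
}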
# Choose between www and non-www, listen on the wrong one and redirect to
# the right one.
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#server-name-if
server {
    listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    # listen host-ip-address:443 ssl http2;
    # This block only exists to catch the www host over TLS and bounce it to
    # the canonical non-www host (see the pitfalls link above).
    server_name www.example.com;
    # TLS engine settings plus the Certbot-issued certificate for example.com.
    # The certificate has to cover www.example.com as well, otherwise the
    # redirect is served behind a certificate warning.
    include h5bp/tls/ssl_engine.conf;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    # include h5bp/tls/certificate_files.conf;
    include h5bp/tls/policy_balanced.conf;
    # Permanent redirect of www.example.com to example.com, keeping path and query.
    return 301 $scheme://example.com$request_uri;
}
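server {
    # listen [::]:443 ssl http2 accept_filter=dataready; # for FreeBSD
    # listen 443 ssl http2 accept_filter=dataready; # for FreeBSD
    # listen [::]:443 ssl http2;
    listen 443 ssl http2;
    index index.php index.html;
    # The host name to respond to
    server_name example.com;
    # Path for static files (WordPress is installed under /cms below this root)
    root /var/www/example.com/public;
    client_max_body_size 100M;
    # Bypass 7g rule example for future reference
    # if ($not_allowed_method_7g !~* "connect|debug|trace|track") {
    # # set $nextcloud "${nextcloud}B";
    # break;
    # }
    # Include 7g Nginx Firewall conditional logic
    include /etc/nginx/7g/7g.*.conf;
    # Below part comes when you install ultimate-bad-bot-blocker
    # So check this virtual host file for possible duplicates
    ##
    # Nginx Bad Bot Blocker Includes
    # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
    ##
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;
    # HTTP Basic Authentication
    # auth_basic "Restricted";
    # auth_basic_user_file /etc/nginx/.htpasswd;
    # $do_log and the "main" log format are expected to be defined in the
    # http{} context (e.g. a map that drops health-check / static noise).
    access_log /var/log/nginx/example.com.access.log main buffer=1k flush=1m if=$do_log;
    error_log /var/log/nginx/example.com.error.log;
    # Target of the "send them back to the front page" redirects below.
    set $redirect_to $scheme://$host;
    # Rate limiting; the zone "myzone" must be declared with limit_req_zone in http{}.
    limit_req zone=myzone burst=20 nodelay;
    location = / {
        try_files $uri $uri/ /index.php?$args;
    }
    location = /robots.txt {
        try_files $uri /index.php?$args;
    }
    location = /cms/wp-admin/maint/repair.php {
        # return 301 $redirect_to;
        return 444;
    }
    location = /cms/xmlrpc.php {
        return 444;
    }
    location = /clear_cache.php {
        # Replace host-ip-address with the IP/CIDR allowed to trigger the cache
        # purge; nginx refuses to start while the placeholder is in place.
        allow host-ip-address;
        deny all;
        include php-fpm/php-fpm.conf;
    }
    location = /cms/wp-cron.php {
        return 444;
    }
    location = /cms/wp-login.php {
        # HTTP Basic Authentication
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        include php-fpm/php-fpm.conf;
    }
    location ^~ /cms/wp-includes/theme-compat/ { deny all; }
    location ~* /cms/wp-includes/js/tinymce/langs/.*\.php { deny all; }
    location ~* /cms/wp-includes/js/swfupload/swfupload\.swf { deny all; }
    location ~* /cms/wp-includes/js/mediaelement/.*\.swf$ { deny all; }
    # Deny access to .php files in the /content/ directory (including sub-folders)
    location ~* /cms/content/.*\.(php|phps)$ {
        # return 301 $redirect_to;
        deny all;
    }
    # Block common exploit requests.
    # Note: the bare "readme" entry already covers the readme.* entries and
    # matches any URI containing that word (a post slug too); narrow it if
    # that bites. package-lock.json is the real lockfile name (was "package.lock").
    location ~*
    (/\.ht|/license\.txt|/phpmyadmin|/ckeditor|/hp/|/cfdocs/|/cfappman/|/SiteServer/|/webmail/|/nsn/|/servlet|/etc/passwd|/phpbb|/horde/|/administrator/|phpinfo|info\.php/|/cbms/|/readme\.html|readme\.md|readme\.txt|readme|composer\.json|composer\.lock|package\.json|package-lock\.json|\.git) {
        return 444;
    }
    # Block access to wp-config.php and any files similarly named
    location ~* /wp-config {
        return 444;
    }
    # Block user enumeration to protect user names
    # By default, WordPress redirects example.com/?author=1 to example.com/author/username
    if ($args ~* "author=\d+") {
        return 444;
    }
    location ~* /cms/(wp-links-opml.php|wp-trackback.php) {
        # deny all;
        return 444;
    }
    location ~* ^/(wp-admin|admin) {
        # deny all
        return 301 $redirect_to;
    }
    # Installer / upgrade / script-concatenation endpoints under wp-admin, and
    # wp-admin/includes. These are server-level regex locations declared
    # before "location ~ \.php$" on purpose: nginx checks regex locations in
    # file order and the first match wins, so the nested locations formerly
    # inside "location /cms/wp-admin { ... }" were never reached for .php
    # requests (the server-level \.php$ location matched first).
    # Blocking load-scripts/load-styles only works with
    # define('CONCATENATE_SCRIPTS', false) in wp-config.php; otherwise the
    # dashboard loses its CSS/JS.
    location ~* ^/cms/wp-admin/(install|setup-config|upgrade|load-scripts|load-styles)\.php$ {
        # return 301 $redirect_to;
        return 444;
    }
    location ~* ^/cms/wp-admin/includes/ { deny all; }
    # Prevent image hotlinking. Scoped to image files: applied at server
    # level, the referer check rejected every request (HTML pages included)
    # whose referer was not in the list, i.e. any inbound link from an
    # unlisted site got a 403. Dots in the regexes are escaped so that
    # "~\.google\." matches a literal ".google." instead of any character.
    # Missing images are answered by nginx (custom error page) instead of
    # being routed through index.php.
    # NOTE(review): if h5bp/basic.conf declares its own regex location for
    # these extensions, only the first matching regex location applies —
    # merge the two in that case.
    location ~* \.(?:jpe?g|png|gif|webp|svg|ico)$ {
        valid_referers none blocked ~\.google\. ~\.bing\. ~\.yandex\. ~\.duckduckgo\. ~\.yahoo example.com ~\.example\.com;
        if ($invalid_referer) {
            return 403;
        }
    }
    location / {
        # Remember that this will redirect any non-existing file system item
        # to /index.php
        try_files $uri $uri/ /index.php?$args;
    }
    # pass PHP scripts to FastCGI server
    location ~ \.php$ {
        # if cgi.fix_pathinfo = 1 then uncomment below:
        # try_files $uri =404;
        # cgi.fix_pathinfo = 0 causes the PHP interpreter to only try the literal path given
        # and to stop processing if the file is not found. But it will also
        # make PHP_SELF inconsistent ( not equal to DOCUMENT_URI )
        include php-fpm/php-fpm.conf;
        # Replace change_me_msmtp_account with the msmtp account name.
        fastcgi_param PHP_VALUE "sendmail_path=/usr/bin/msmtp -a change_me_msmtp_account -t";
    }
    # Rewrite robots.txt
    # This may be unnecessary:
    # If you have direct robots.txt, or your seo plugin is writing directly to robots.txt
    # rewrite ^/robots.txt$ /index.php last;
    include h5bp/tls/ssl_engine.conf;
    # Certificate files are stored in /etc/letsencrypt
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    # Below file may override settings from h5bp/tls/ssl_engine.conf. I trust Certbot here
    # because it is the one that creates the certificate.
    include /etc/letsencrypt/options-ssl-nginx.*.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    include h5bp/tls/policy_balanced.conf;
    # Custom error pages
    include h5bp/errors/custom_errors.conf;
    # Include the basic h5bp config set
    include h5bp/basic.conf;
}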