nginx-virtualhost-template
# Config file for example.com host
# ----------------------------------------------------------------------
#
# This file is a template for an Nginx server.
# This Nginx server listens for the `example.com` host and handles requests.
# Replace `example.com` with your hostname before enabling.
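server {
    # Plain-HTTP entry point for both names: everything is sent to the
    # canonical https://example.com. www.example.com is listed as well, so an
    # http://www.example.com request does not fall through to whichever server
    # block happens to be the default for port 80 (the original only named the
    # bare host, although the TLS side below handles both).
    server_name example.com www.example.com;
    listen 80;
    # listen [::]:80;
    # The target host is a literal rather than $host, so a crafted Host header
    # cannot turn this into an open redirect.
    return 301 https://example.com$request_uri;
}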
# Choose between www and non-www: listen on the wrong one and redirect to
# the right one.
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#server-name-if
server {
    server_name www.example.com;
    listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    # listen host-ip-address:443 ssl http2;
    # The TLS setup mirrors the main example.com block below so that the www
    # name presents a valid certificate before redirecting. The Let's Encrypt
    # certificate in live/example.com therefore has to carry www.example.com as
    # a SAN (e.g. certbot -d example.com -d www.example.com); otherwise the
    # browser shows a certificate error and the redirect is never seen.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include h5bp/tls/ssl_engine.conf;
    # include h5bp/tls/certificate_files.conf;
    include h5bp/tls/policy_balanced.conf;
    # $scheme is always "https" here because the only active listen is ssl;
    # the host is a literal, not $host, so the redirect target cannot be steered
    # by the client's Host header.
    return 301 $scheme://example.com$request_uri;
}
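server {
    # listen [::]:443 ssl http2 accept_filter=dataready; # for FreeBSD
    # listen 443 ssl http2 accept_filter=dataready; # for FreeBSD
    # listen [::]:443 ssl http2;
    listen 443 ssl http2;
    index index.php index.html;
    # The host name to respond to. This block is not marked default_server, so
    # requests carrying an unrecognised Host header are not routed here.
    server_name example.com;
    # Path for static files; WordPress itself lives under /cms inside this root
    root /var/www/example.com/public;
    # Applies to every request on this host, the login form included
    client_max_body_size 100M;
    # Bypass 7g rule example for future reference
    # if ($not_allowed_method_7g !~* "connect|debug|trace|track") {
    #     # set $nextcloud "${nextcloud}B";
    #     break;
    # }
    # Include 7g Nginx Firewall conditional logic
    include /etc/nginx/7g/7g.*.conf;
    # Below part comes when you install ultimate-bad-bot-blocker
    # So check this virtual host file for possible duplicates
    ##
    # Nginx Bad Bot Blocker Includes
    # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
    ##
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;
    # HTTP Basic Authentication for the whole host (the login form below keeps
    # its own, always-on copy)
    # auth_basic "Restricted";
    # auth_basic_user_file /etc/nginx/.htpasswd;
    # $do_log is not defined in this file; it has to come from a `map` in the
    # http context, otherwise nginx refuses to start with "unknown variable".
    access_log /var/log/nginx/example.com.access.log main buffer=1k flush=1m if=$do_log;
    error_log /var/log/nginx/example.com.error.log;
    # Target for the admin-path redirects below. $server_name is the first name
    # of this block ("example.com"); $host would echo the client's Host header
    # and become an open redirect the day this block is made default_server.
    set $redirect_to $scheme://$server_name;
    # The "myzone" zone is not declared here; it needs a limit_req_zone in the
    # http context or nginx refuses to start.
    limit_req zone=myzone burst=20 nodelay;
    location = / {
        try_files $uri $uri/ /index.php?$args;
    }
    location = /robots.txt {
        try_files $uri /index.php?$args;
    }
    # Database repair tool: never exposed
    location = /cms/wp-admin/maint/repair.php {
        # return 301 $redirect_to;
        return 444;
    }
    # XML-RPC (pingbacks, credential brute force): closed
    location = /cms/xmlrpc.php {
        return 444;
    }
    # Cache-clearing hook, reachable from one address only. "host-ip-address"
    # is a placeholder that nginx rejects as written; put the real address in.
    # deny all is evaluated before the request is handed to PHP-FPM.
    location = /clear_cache.php {
        allow host-ip-address;
        deny all;
        include php-fpm/php-fpm.conf;
    }
    # WP cron is not reachable over HTTP. This assumes scheduled tasks are
    # driven by a system cron job instead (DISABLE_WP_CRON in wp-config.php);
    # otherwise scheduled posts and background updates stop running.
    location = /cms/wp-cron.php {
        return 444;
    }
    # Second authentication factor in front of the login form. The exact match
    # wins over `location ~ \.php$`, so this block -- and its auth_basic -- is
    # the one that handles every wp-login.php request; keep php-fpm.conf
    # included here or the form is never executed.
    location = /cms/wp-login.php {
        # HTTP Basic Authentication
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        include php-fpm/php-fpm.conf;
    }
    # location ~* cms/wp-admin/includes { deny all; }
    # ^~ stops the regex locations from being consulted for this prefix, so
    # nothing below can re-open it
    location ^~ /cms/wp-includes/theme-compat/ { deny all; }
    location ~* /cms/wp-includes/js/tinymce/langs/.*\.php { deny all; }
    location ~* /cms/wp-includes/js/swfupload/swfupload\.swf { deny all; }
    location ~* /cms/wp-includes/js/mediaelement/.*\.swf$ { deny all; }
    # Deny access to .php files in the /content/ directory (including sub-folders):
    # uploaded files must never execute
    location ~* /cms/content/.*\.(php|phps)$ {
        # return 301 $redirect_to;
        deny all;
    }
    # Block common exploit requests.
    # The tokens are unanchored substrings: bare `readme` also hits any post
    # slug containing that word and `/hp/` any path with that segment; drop the
    # offending token here when that bites.
    # `package-lock\.json` added: `package\.lock` alone only matched the literal
    # file name "package.lock", which npm never writes.
    location ~* (/\.ht|/license\.txt|/phpmyadmin|/ckeditor|/hp/|/cfdocs/|/cfappman/|/SiteServer/|/webmail/|/nsn/|/servlet|/etc/passwd|/phpbb|/horde/|/administrator/|phpinfo|info\.php/|/cbms/|/readme\.html|readme\.md|readme\.txt|readme|composer\.json|composer\.lock|package\.json|package\.lock|package-lock\.json|\.git) {
        return 444;
    }
    # Block access to wp-config.php and any files similarly named
    # (wp-config.php.bak, wp-config-sample.php, ...)
    location ~* /wp-config {
        return 444;
    }
    # Block user enumeration to protect user names
    # By default, WordPress redirects example.com/?author=1 to example.com/author/username
    # NOTE(review): only the ?author=N form is covered here; check whether the
    # WordPress REST users route is reachable on this install as well.
    if ($args ~* "author=\d+") {
        return 444;
    }
    # OPML export and trackbacks: closed
    location ~* /cms/(wp-links-opml.php|wp-trackback.php) {
        # deny all;
        return 444;
    }
    # WordPress is installed under /cms, so /wp-admin and /admin at the root
    # are probes; send them to the front page
    location ~* ^/(wp-admin|admin) {
        # deny all
        return 301 $redirect_to;
    }
    # nginx tries the nested locations as soon as the /cms/wp-admin prefix
    # matches, before the server-level regex locations, so these closures also
    # apply to .php files and are not pre-empted by `location ~ \.php$`.
    location /cms/wp-admin {
        # installer, upgrader and the script concatenators: never served
        location ~* /(install|setup-config|upgrade|load-scripts|load-styles).php {
            # return 301 $redirect_to;
            return 444;
        }
        location ~* includes { deny all; }
    }
    # Prevent image hotlinking.
    # Scoped to image files: the previous server-level `if` applied to every
    # request, so a visitor following a link from any site outside this list
    # (a forum, a newsletter, a social network) received 403 for the page
    # itself. Patterns are anchored at the start of the referring host and the
    # dots are escaped, so "notgoogle.example" or "yahoo-evil.example" no
    # longer pass. Paths containing a dot-segment are excluded so hidden files
    # stay with whatever dot-file rule the includes below carry. The regex
    # locations above keep precedence; a missing image is a 404 here rather
    # than a fall-through to index.php.
    # NOTE(review): a regex location wins over any later one matching the same
    # file, so confirm the h5bp includes at the end of this block do not declare
    # their own location for these extensions (older h5bp releases did).
    location ~* ^(?!.*/\.).*\.(?:jpe?g|png|gif|webp|avif|svgz?|ico|bmp)$ {
        valid_referers none blocked example.com *.example.com
            ~^(?i)(?:[a-z0-9-]+\.)*google\.
            ~^(?i)(?:[a-z0-9-]+\.)*bing\.
            ~^(?i)(?:[a-z0-9-]+\.)*yandex\.
            ~^(?i)(?:[a-z0-9-]+\.)*duckduckgo\.
            ~^(?i)(?:[a-z0-9-]+\.)*yahoo\.;
        if ($invalid_referer) {
            return 403;
        }
    }
    location / {
        # Remember that this will redirect any non-existing file system item
        # to /index.php
        try_files $uri $uri/ /index.php?$args;
    }
    # pass PHP scripts to FastCGI server
    location ~ \.php$ {
        # Only hand existing files to PHP-FPM. With cgi.fix_pathinfo=1 a URL
        # such as /uploads/image.jpg/x.php would otherwise make PHP execute
        # image.jpg; with cgi.fix_pathinfo=0 this line costs nothing, so it is
        # on unconditionally. (fix_pathinfo=0 makes the interpreter try only
        # the literal path and stop if the file is missing, at the price of
        # PHP_SELF no longer matching DOCUMENT_URI.)
        try_files $uri =404;
        include php-fpm/php-fpm.conf;
        # change_me_msmtp_account is a placeholder. NOTE(review): if
        # php-fpm.conf sets PHP_VALUE as well, the two values have to be merged
        # into one directive -- verify.
        fastcgi_param PHP_VALUE "sendmail_path=/usr/bin/msmtp -a change_me_msmtp_account -t";
    }
    # Rewrite robots.txt
    # This may be unnecessary:
    # If you have direct robots.txt, or your seo plugin is writing directly to robots.txt
    # rewrite ^/robots.txt$ /index.php last;
    include h5bp/tls/ssl_engine.conf;
    # Certificate files are stored in /etc/letsencrypt
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    # Certbot's own TLS settings. NOTE(review): certbot writes the file as
    # options-ssl-nginx.conf, which this glob (options-ssl-nginx.*.conf) does
    # not match, so as written nothing is included and the h5bp policy below is
    # what actually applies. Widening the glob would most likely fail the
    # config test, because that file repeats ssl_session_*/ssl_protocols/
    # ssl_ciphers directives already set by ssl_engine.conf and
    # policy_balanced.conf in this block. Pick one source deliberately.
    include /etc/letsencrypt/options-ssl-nginx.*.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    include h5bp/tls/policy_balanced.conf;
    # Custom error pages
    include h5bp/errors/custom_errors.conf;
    # Include the basic h5bp config set; check its contents for location
    # blocks that overlap with the ones defined above
    include h5bp/basic.conf;
}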