diff --git a/templates/nginx/22222 b/templates/nginx/22222
index 31ed0be..586079a 100644
--- a/templates/nginx/22222
+++ b/templates/nginx/22222
@@ -1,66 +1,46 @@ -# Webinoly admin NGINX CONFIGURATION +# Webinoly Admin-Tools NGINX CONFIGURATION +# WebinolyNginxServerStart server { - listen 22222 default_server deferred; - listen [::]:22222 default_server; - - access_log /var/log/nginx/22222.access.log we_log; - error_log /var/log/nginx/22222.error.log; + listen 22222 default_server deferred; + listen [::]:22222 default_server; - #ssl on; - #ssl_certificate /var/www/22222/cert/22222.crt; - #ssl_certificate_key /var/www/22222/cert/22222.key; - #ssl_stapling on; - #ssl_stapling_verify on; - #ssl_trusted_certificate /var/www/22222/cert/chain.pem; - - # Force HTTP to HTTPS - #error_page 497 =200 https://$host:22222$request_uri; + access_log /var/log/nginx/22222.access.log we_log; + error_log /var/log/nginx/22222.error.log; - root /var/www/22222/htdocs; - index index.php index.htm index.html; + root /var/www/22222/htdocs; + index index.php index.htm index.html; - # Turn on directory listing - autoindex on; + # Turn on directory listing + autoindex on; - # HTTP Authentication on port 22222 - include common/acl.conf; + # HTTP Authentication on port 22222 + include common/acl.conf; - location / { - try_files $uri $uri/ /index.php?$args; - } + # PHP Support + include common/php.conf; + include common/locations.conf; - # Status pages - location /nginx_status { - stub_status on; - access_log off; - # include common/acl.conf; - } - location ~ ^/(status|ping) { - include fastcgi_params; - fastcgi_pass php; - # include common/acl.conf; - } + # Status pages + location = /nginx_status { + stub_status on; + access_log off; + } + location ~ ^/(status|ping)$ { + include fastcgi_params; + fastcgi_pass php; + } - # Display menu at location /fpm/status/ - location = /fpm/status/ {} + # Display menu at location /fpm/status/ + location = /fpm/status/ {} - location ~ /fpm/status/(.*) { - try_files $uri =404; - include fastcgi_params; - fastcgi_param SCRIPT_NAME /status; - fastcgi_pass $1; - } - - location ~ \.php$ { - try_files $uri 
=404; - include fastcgi_params; - fastcgi_pass php; - } - - location ~* \.(js|css|jpg|gif|png)$ { - root /var/www/22222/htdocs/; - } + location ~ /fpm/status/(.*) { + try_files $uri =404; + include fastcgi_params; + fastcgi_param SCRIPT_NAME /status; + fastcgi_pass $1; + } } +# WebinolyNginxServerEnd diff --git a/templates/nginx/common/locations.conf b/templates/nginx/common/locations.conf index 6396df8..e132458 100644 --- a/templates/nginx/common/locations.conf +++ b/templates/nginx/common/locations.conf 
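Review bot: `fastcgi_pass $1;` in the `location ~ /fpm/status/(.*)` block takes the upstream name straight from the request path, so the only thing stopping a client from steering the FastCGI request at an arbitrary host:port is the preceding `try_files $uri =404;` check that a file of that name exists under `/var/www/22222/htdocs/fpm/status/` — a guard that is implicit and easy to lose in a later edit. Since upstream.conf in this same commit defines only `php` and `debug`, restrict the capture to those names: `location ~ ^/fpm/status/(php|debug)$ {`. Dropping the commented `ssl_*` and `error_page 497` scaffolding also leaves the port-22222 HTTP-auth credentials from `common/acl.conf` travelling in cleartext unless TLS for this port is terminated elsewhere; a comment on the `listen` lines saying where that is expected to happen would make the assumption visible.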
@@ -1,42 +1,47 @@ # NGINX CONFIGURATION FOR COMMON LOCATION # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE Webinoly + # Basic locations files location = /favicon.ico { - access_log off; - log_not_found off; - expires max; + access_log off; + log_not_found off; + expires max; } location = /robots.txt { - try_files $uri $uri/ /index.php?$args; - access_log off; - log_not_found off; + try_files $uri $uri/ /index.php?$args; + access_log off; + log_not_found off; } + # Cache static files location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ { - include common/headers-http.conf; - include common/headers-https.conf; - add_header "Access-Control-Allow-Origin" "*"; - access_log off; - log_not_found off; - expires max; + include common/headers-http.conf; + include common/headers-https.conf; + add_header "Access-Control-Allow-Origin" "*"; + access_log off; + log_not_found off; + expires max; } + # Security settings for better privacy # Deny hidden files location ~ /\.well-known { - allow all; + allow all; } location ~ /\. { - deny all; - access_log off; - log_not_found off; + deny all; + access_log off; + log_not_found off; } + # Deny backup extensions & log files location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ { - deny all; - access_log off; - log_not_found off; + deny all; + access_log off; + log_not_found off; } + # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") { - return 403; + return 403; } diff --git a/templates/nginx/common/wpcommon.conf b/templates/nginx/common/wpcommon.conf index 1b267b7..2f38305 100644 --- a/templates/nginx/common/wpcommon.conf +++ b/templates/nginx/common/wpcommon.conf 
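Review bot: The deny rule for `bak|log|old|...|sql` only fires when that is the final extension, and because nginx takes the first matching regex location, a compressed dump such as `db.sql.gz` or `backup.tar.gz` is caught by the static-cache location above it (`zip|tgz|gz|rar|bz2|tar` are in its list) and served with `expires max`, a wildcard CORS header and `access_log off` — neither blocked nor logged. Either remove the archive extensions from the static-cache list, or move the deny block above it and let it accept an optional compression suffix: `location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)(\.(gz|bz2|zip|tgz|tar))?$ {`. A one-line comment above the cache block noting that regex locations are order-sensitive would keep a future reorder of this file from silently reopening the hole.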
@@ -1,36 +1,54 @@ # WordPress COMMON SETTINGS # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE Webinoly + # Limit access to avoid brute force attack -location = /wp-login.php { - limit_req zone=one burst=1 nodelay; - include common/acl.conf; - include fastcgi_params; - fastcgi_pass php; +# https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html +location = /wp-admin/load-styles.php { + limit_req zone=one burst=1 nodelay; + include common/acl.conf; + include fastcgi_params; + fastcgi_pass php; } +location = /wp-admin/load-scripts.php { + limit_req zone=one burst=1 nodelay; + include common/acl.conf; + include fastcgi_params; + fastcgi_pass php; +} +location = /wp-login.php { + limit_req zone=one burst=1 nodelay; + include common/acl.conf; + include fastcgi_params; + fastcgi_pass php; +} + # Disable wp-config.txt location = /wp-config.txt { - deny all; - access_log off; - log_not_found off; + deny all; + access_log off; + log_not_found off; } + # Disallow php in upload folder location /wp-content/uploads/ { - location ~ \.php$ { - #Prevent Direct Access Of PHP Files From Web Browsers - deny all; - } + location ~ \.php$ { + #Prevent Direct Access Of PHP Files From Web Browsers + deny all; } -# Yoast sitemap -location ~ ([^/]*)sitemap(.*)\.x(m|s)l$ { - rewrite ^(.*)/sitemap\.xml$ $1/sitemap_index.xml permanent; - rewrite ^.*/([a-z]+)?-?sitemap\.xsl$ /index.php?xsl=$1 last; - # Rules for yoast sitemap with wp|wpsubdir|wpsubdomain - rewrite ^.*/sitemap_index\.xml$ /index.php?sitemap=1 last; - rewrite ^.*/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last; - # Following lines are optional. Needed for Yoast Premium. 
- rewrite ^.*/news_sitemap\.xml$ /index.php?sitemap=wpseo_news last; - rewrite ^.*/locations\.kml$ /index.php?sitemap=wpseo_local_kml last; - rewrite ^.*/geo_sitemap\.xml$ /index.php?sitemap=wpseo_local last; - rewrite ^.*/video-sitemap\.xsl$ /index.php?xsl=video last; - access_log off; } + +# YoastSitemapStart - Yoast SEO Plugin + location ~ ([^/]*)sitemap(.*)\.x(m|s)l$ { + rewrite ^(.*)/sitemap\.xml$ $1/sitemap_index.xml permanent; + rewrite ^.*/([a-z]+)?-?sitemap\.xsl$ /index.php?xsl=$1 last; + # Rules for yoast sitemap with wp|wpsubdir|wpsubdomain + rewrite ^.*/sitemap_index\.xml$ /index.php?sitemap=1 last; + rewrite ^.*/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last; + # Following lines are optional. Needed for Yoast Premium. + rewrite ^.*/news_sitemap\.xml$ /index.php?sitemap=wpseo_news last; + rewrite ^.*/locations\.kml$ /index.php?sitemap=wpseo_local_kml last; + rewrite ^.*/geo_sitemap\.xml$ /index.php?sitemap=wpseo_local last; + rewrite ^.*/video-sitemap\.xsl$ /index.php?xsl=video last; + access_log off; +} +# YoastSitemapEnd \ No newline at end of file diff --git a/templates/nginx/common/wpfc.conf b/templates/nginx/common/wpfc.conf index fa3d72d..8131cb4 100644 --- a/templates/nginx/common/wpfc.conf +++ b/templates/nginx/common/wpfc.conf 
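Review bot: The new `load-styles.php` and `load-scripts.php` locations reuse zone `one`, which nginx.conf in this commit defines as `rate=1r/s` with `limit_req_status 403`, and `burst=1 nodelay` allows only two requests per second per client IP shared across all three locations; a normal visit to wp-login.php fetches the page and then its style/script bundles within the same second, so legitimate logins are likely to see 403s on their assets. The asset loaders are a volume problem (the linked CVE-2018-6389 style DoS), not a credential-guessing one, so give them their own zone: `limit_req_zone $binary_remote_addr zone=wpassets:10m rate=10r/s;` in nginx.conf and `limit_req zone=wpassets burst=20 nodelay;` here. Also confirm that `include common/acl.conf;` on these two paths is intended — if acl.conf enforces HTTP auth or an IP allow-list, the login page's CSS/JS is gated by it as well.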
@@ -1,30 +1,34 @@ # WPFC NGINX CONFIGURATION # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE Webinoly + set $skip_cache 0; # POST requests and URL with a query string should always go to php if ($request_method = POST) { - set $skip_cache 1; + set $skip_cache 1; } if ($query_string != "") { - set $skip_cache 1; + set $skip_cache 1; } + # Don't cache URL containing the following segments -if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|wp-.*.php|index.php|/feed/|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") { - set $skip_cache 1; +if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|wp-.*.php|index.php|/feed/|.*sitemap.*\.xml)") { + set $skip_cache 1; } + # Don't use the cache for logged in users or recent commenter or customer with items in cart -if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart") { - set $skip_cache 1; +if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|[a-z0-9]+_items_in_cart") { + set $skip_cache 1; } + # Use cached or actual file if they exists, Otherwise pass request to WordPress location / { - try_files $uri $uri/ /index.php?$args; + try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { - try_files $uri =404; - include fastcgi_params; - fastcgi_pass php; - fastcgi_cache_bypass $skip_cache; - fastcgi_no_cache $skip_cache; - fastcgi_cache WORDPRESS; + try_files $uri =404; + include fastcgi_params; + fastcgi_pass php; + fastcgi_cache_bypass $skip_cache; + fastcgi_no_cache $skip_cache; + fastcgi_cache WORDPRESS; } diff --git a/templates/nginx/common/wpsubdir.conf b/templates/nginx/common/wpsubdir.conf index 46ea842..4c344ca 100644 --- a/templates/nginx/common/wpsubdir.conf +++ b/templates/nginx/common/wpsubdir.conf 
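Review bot: In the `$request_uri` bypass regex the dots in `xmlrpc.php` and `index.php` are unescaped and the leading and trailing `.*` in `.*sitemap.*\.xml` are redundant in an unanchored pattern; escape and simplify it to `if ($request_uri ~* "(/wp-admin/|/xmlrpc\.php|wp-.*\.php|index\.php|/feed/|sitemap.*\.xml)") {`. The widened `[a-z0-9]+_items_in_cart` cookie check is evaluated with `~*`, so it already covers mixed-case names; a short comment stating that it is meant to catch any shop plugin's cart cookie rather than only WooCommerce's would explain the change to the next reader. Since `$skip_cache` is the sole input to `fastcgi_cache_bypass`/`fastcgi_no_cache` below, a comment above the cookie rule listing which cookie families it intends to cover would make gaps easier to spot when a new plugin is added.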
@@ -1,5 +1,6 @@ # WPSUBDIRECTORY NGINX CONFIGURATION # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE Webinoly + if (!-e $request_filename) { # Redirect wp-admin to wp-admin/ rewrite /wp-admin$ $scheme://$host$uri/ permanent; diff --git a/templates/nginx/conf.d/blockips.conf b/templates/nginx/conf.d/blockips.conf index 8228bed..3a21ddf 100644 --- a/templates/nginx/conf.d/blockips.conf +++ b/templates/nginx/conf.d/blockips.conf @@ -1,2 +1 @@ -# Block IP Address -# deny 1.1.1.1; +# Block IP Address - (deny 1.1.1.1;) diff --git a/templates/nginx/conf.d/fastcgi.conf b/templates/nginx/conf.d/fastcgi.conf index af661b9..e319aeb 100644 --- a/templates/nginx/conf.d/fastcgi.conf +++ b/templates/nginx/conf.d/fastcgi.conf @@ -9,3 +9,5 @@ fastcgi_buffer_size 32k; fastcgi_param SERVER_NAME $http_host; fastcgi_ignore_headers Cache-Control Expires Set-Cookie; fastcgi_keep_conn on; +fastcgi_cache_background_update on; +fastcgi_read_timeout 30s; \ No newline at end of file diff --git a/templates/nginx/conf.d/upstream.conf b/templates/nginx/conf.d/upstream.conf index 8ef9e91..5005f18 100644 --- a/templates/nginx/conf.d/upstream.conf +++ b/templates/nginx/conf.d/upstream.conf @@ -4,6 +4,5 @@ upstream php { server 127.0.0.1:9000; } upstream debug { - # Debug Pool server 127.0.0.1:9001; } diff --git a/templates/nginx/nginx.conf b/templates/nginx/nginx.conf index 66aa779..83862e4 100644 --- a/templates/nginx/nginx.conf +++ b/templates/nginx/nginx.conf 
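Review bot: `fastcgi_read_timeout 30s;` replaces the `fastcgi_read_timeout 300;` that this commit removes from nginx.conf, a 10x cut that will surface as 504s for long-running wp-admin work (core/plugin updates, imports, large exports) which routinely exceeds 30 seconds; if the intent is to fail fast on the public side, keep 30s here but raise it where admin traffic lands (for example `fastcgi_read_timeout 300s;` in the `location = /wp-login.php` block or a dedicated `/wp-admin/` location), or at least document the expected ceiling. `fastcgi_cache_background_update on;` has no effect unless `fastcgi_cache_use_stale` includes `updating`, and no such directive appears anywhere in this commit — either add `fastcgi_cache_use_stale error timeout updating;` next to `fastcgi_cache WORDPRESS;` in wpfc.conf or drop the line so readers don't assume stale-while-revalidate is active. The file is also left without a trailing newline; terminate the last line.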
@@ -17,22 +17,27 @@ http { sendfile on; tcp_nopush on; tcp_nodelay on; - - keepalive_timeout 20; - send_timeout 20; - types_hash_max_size 2048; server_tokens off; reset_timedout_connection on; - limit_req_status 403; - limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; - fastcgi_read_timeout 300; + + send_timeout 15; + keepalive_timeout 15; + client_body_buffer_size 128k; client_max_body_size 100m; - open_file_cache max=30000 inactive=1m; + client_body_timeout 15; + client_header_timeout 15; + open_file_cache_valid 3m; + open_file_cache max=30000 inactive=1m; + + types_hash_max_size 2048; # server_names_hash_bucket_size 64; # server_name_in_redirect off; + limit_req_status 403; + limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; + include /etc/nginx/mime.types; include common/headers-http.conf; default_type application/octet-stream; @@ -41,12 +46,13 @@ http { # SSL Settings ## - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; ssl_session_timeout 10m; ssl_session_cache shared:SSL:20m; ssl_dhparam /etc/ssl/dhparam.pem; + ssl_ecdh_curve prime256v1:secp384r1:secp521r1; ssl_prefer_server_ciphers on; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT'; ## # Logging Settings 
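Review bot: `limit_req_status 403;` makes a rate-limited client indistinguishable in the access log from one hit by `deny all` or an ACL failure, which hurts fail2ban rules and incident triage; `limit_req_status 429;` is the conventional choice and leaves 403 for real authorization failures. The new `client_body_timeout 15;` and `client_header_timeout 15;` are a sensible slow-request mitigation, but a comment naming the threat (`# bound slow-header/slow-body clients (slowloris-style)`) would keep a later maintainer from tidying them away. `limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;` keys on the direct peer address, so behind a reverse proxy or CDN every visitor shares one bucket — worth stating in a comment next to it.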
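Review bot: `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` still enables TLS 1.1, which is deprecated (RFC 8996) and is the only reason the CBC/SHA-1 suites `ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA` have to remain at the tail of `ssl_ciphers`; use `ssl_protocols TLSv1.2 TLSv1.3;` and drop those two suites. `ssl_ecdh_curve prime256v1:secp384r1:secp521r1;` omits X25519, which modern clients prefer and OpenSSL 1.1.0+ supports: `ssl_ecdh_curve X25519:prime256v1:secp384r1;` (keep the current list if the target distro's OpenSSL predates that). Listing TLSv1.3 assumes nginx 1.13+ built against OpenSSL 1.1.1; older nginx rejects the token at startup, so a comment recording that requirement on the `ssl_protocols` line would save someone a confusing failure on an older image.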
@@ -54,7 +60,9 @@ http { access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; - + + open_log_file_cache max=1000 inactive=30s valid=1m; + log_format we_log '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] ' '$http_host "$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent"'; diff --git a/templates/template-site-php b/templates/template-site-php index 9fd6aa9..8d485c5 100644 --- a/templates/template-site-php +++ b/templates/template-site-php @@ -1,4 +1,5 @@ +# WebinolyNginxServerStart server { listen 80; listen [::]:80; @@ -16,5 +17,6 @@ server { include common/locations.conf; include common/headers-http.conf; include common/headers-html.conf; - #include /var/www/domain.com/conf/nginx/*.conf; -} \ No newline at end of file + include /var/www/domain.com/*-nginx.conf; +} +# WebinolyNginxServerEnd
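Review bot: `open_log_file_cache max=1000 inactive=30s valid=1m;` caches descriptors for log files whose paths contain variables; both `access_log` paths in this hunk are static, so unless a server block elsewhere logs to a variable path the line is inert and reads as tuning that isn't happening — either drop it or add `# only relevant for access_log paths that use variables` above it. While here, the `we_log` format records `$upstream_response_time` but not `$request_time`, which is the field most useful when triaging slow or abusive requests from the nginx side.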
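Review bot: `include /var/www/domain.com/*-nginx.conf;` turns a glob inside the site's own directory into live nginx configuration, so if that directory is writable by the PHP-FPM/site user (as WordPress self-updates usually require for `htdocs`, and often end up requiring for the parent), an attacker who gains file-write through the application can drop `anything-nginx.conf` and, at the next reload, inject arbitrary `location`/`alias`/`fastcgi_pass` directives that run with nginx's privileges — a clean step from web-app compromise to host-level access. Keep the per-site include in a root-owned, non-web-writable path such as the previously commented `/var/www/domain.com/conf/nginx/*.conf` and have the provisioning code enforce `root:root` ownership and `0644` mode on it. Whatever path is chosen, a comment on the `include` stating who may write there is the minimum, since a glob include silently matches nothing today and silently accepts new files tomorrow.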