templates and conf updated

Nginx Conf updated. More protection to prevent DOS attacks. Skip cache for more cart and sitemap plugins.
2018-06-22 08:53:29 -06:00 · 2018-06-22 08:53:29 -06:00 · e0f7aeaf03
parent 4e28539fa4
commit e0f7aeaf03
10 changed files with 145 additions and 127 deletions
--- a/templates/nginx/22222
+++ b/templates/nginx/22222
@ -1,5 +1,6 @@
-# Webinoly admin NGINX CONFIGURATION
+# Webinoly Admin-Tools NGINX CONFIGURATION

+# WebinolyNginxServerStart
 server {

 	listen 22222 default_server deferred;
@ -8,16 +9,6 @@ server {
 	access_log   /var/log/nginx/22222.access.log we_log;
 	error_log    /var/log/nginx/22222.error.log;

-  #ssl on;
-  #ssl_certificate /var/www/22222/cert/22222.crt;
-  #ssl_certificate_key /var/www/22222/cert/22222.key;
-  #ssl_stapling on;
-  #ssl_stapling_verify on;
-  #ssl_trusted_certificate /var/www/22222/cert/chain.pem;
-  
-  # Force HTTP to HTTPS
-  #error_page 497 =200 https://$host:22222$request_uri;
-
 	root /var/www/22222/htdocs;
 	index index.php index.htm index.html;

@ -27,20 +18,18 @@ server {
 	# HTTP Authentication on port 22222
 	include common/acl.conf;

-  location / {
-    try_files $uri $uri/ /index.php?$args;
-  }
+	# PHP Support
+	include common/php.conf;
+	include common/locations.conf;

 	# Status pages
-  location /nginx_status {
+	location = /nginx_status {
 		stub_status on;
 		access_log off;
-  #  include common/acl.conf;
 	}
-  location ~ ^/(status|ping) {
+	location ~ ^/(status|ping)$ {
 		include fastcgi_params;
 		fastcgi_pass php;
-  #  include common/acl.conf;
 	}

 	# Display menu at location /fpm/status/
@ -53,14 +42,5 @@ server {
 		fastcgi_pass $1;
 	}

-  location ~ \.php$ {
-    try_files $uri =404;
-    include fastcgi_params;
-    fastcgi_pass php;
-  }
-
-  location ~* \.(js|css|jpg|gif|png)$ {
-    root /var/www/22222/htdocs/;
-  }
-
 }
+# WebinolyNginxServerEnd
--- a/templates/nginx/common/locations.conf
+++ b/templates/nginx/common/locations.conf
@ -1,5 +1,6 @@
 # NGINX CONFIGURATION FOR COMMON LOCATION
 # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE Webinoly
+
 # Basic locations files
 location = /favicon.ico {
 	access_log off;
@ -11,6 +12,7 @@ location = /robots.txt {
 	access_log off;
 	log_not_found off;
 }
+
 # Cache static files
 location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
 	include common/headers-http.conf;
@ -20,6 +22,7 @@ location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gi
 	log_not_found off;
 	expires max;
 }
+
 # Security settings for better privacy
 # Deny hidden files
 location ~ /\.well-known {
@ -30,12 +33,14 @@ location ~ /\. {
 	access_log off;
 	log_not_found off;
 }
+
 # Deny backup extensions & log files
 location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
 	deny all;
 	access_log off;
 	log_not_found off;
 }
+
 # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
 if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
 	return 403;
--- a/templates/nginx/common/wpcommon.conf
+++ b/templates/nginx/common/wpcommon.conf
@ -1,18 +1,34 @@
 # WordPress COMMON SETTINGS
 # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE Webinoly
+
 # Limit access to avoid brute force attack
+# https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html
+location = /wp-admin/load-styles.php {
+	limit_req zone=one burst=1 nodelay;
+	include common/acl.conf;
+	include fastcgi_params;
+	fastcgi_pass php;
+}
+location = /wp-admin/load-scripts.php {
+	limit_req zone=one burst=1 nodelay;
+	include common/acl.conf;
+	include fastcgi_params;
+	fastcgi_pass php;
+}
 location = /wp-login.php {
 	limit_req zone=one burst=1 nodelay;
 	include common/acl.conf;
 	include fastcgi_params;
 	fastcgi_pass php;
 }
+
 # Disable wp-config.txt
 location = /wp-config.txt {
 	deny all;
 	access_log off;
 	log_not_found off;
 }
+
 # Disallow php in upload folder
 location /wp-content/uploads/ {
 	location ~ \.php$ {
@ -20,7 +36,8 @@ location /wp-content/uploads/ {
 		deny all;
 }
 }
-# Yoast sitemap
+
+# YoastSitemapStart - Yoast SEO Plugin
 	location ~ ([^/]*)sitemap(.*)\.x(m|s)l$ {
 	rewrite ^(.*)/sitemap\.xml$ $1/sitemap_index.xml permanent;
 	rewrite ^.*/([a-z]+)?-?sitemap\.xsl$ /index.php?xsl=$1 last;
@ -34,3 +51,4 @@ location ~ ([^/]*)sitemap(.*)\.x(m|s)l$ {
 	rewrite ^.*/video-sitemap\.xsl$ /index.php?xsl=video last;
 	access_log off;
 }
+# YoastSitemapEnd
--- a/templates/nginx/common/wpfc.conf
+++ b/templates/nginx/common/wpfc.conf
@ -1,5 +1,6 @@
 # WPFC NGINX CONFIGURATION
 # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE Webinoly
+
 set $skip_cache 0;
 # POST requests and URL with a query string should always go to php
 if ($request_method = POST) {
@ -8,14 +9,17 @@ if ($request_method = POST) {
 if ($query_string != "") {
 	set $skip_cache 1;
 }
+
 # Don't cache URL containing the following segments
-if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|wp-.*.php|index.php|/feed/|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
+if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|wp-.*.php|index.php|/feed/|.*sitemap.*\.xml)") {
 	set $skip_cache 1;
 }
+
 # Don't use the cache for logged in users or recent commenter or customer with items in cart
-if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart") {
+if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|[a-z0-9]+_items_in_cart") {
 	set $skip_cache 1;
 }
+
 # Use cached or actual file if they exists, Otherwise pass request to WordPress
 location / {
 	try_files $uri $uri/ /index.php?$args;
--- a/templates/nginx/common/wpsubdir.conf
+++ b/templates/nginx/common/wpsubdir.conf
@ -1,5 +1,6 @@
 # WPSUBDIRECTORY NGINX CONFIGURATION
 # DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE Webinoly
+
 if (!-e $request_filename) {
  # Redirect wp-admin to wp-admin/
  rewrite /wp-admin$ $scheme://$host$uri/ permanent;
--- a/templates/nginx/conf.d/blockips.conf
+++ b/templates/nginx/conf.d/blockips.conf
@ -1,2 +1 @@
-# Block IP Address
-# deny 1.1.1.1;
+# Block IP Address - (deny 1.1.1.1;)
--- a/templates/nginx/conf.d/fastcgi.conf
+++ b/templates/nginx/conf.d/fastcgi.conf
@ -9,3 +9,5 @@ fastcgi_buffer_size 32k;
 fastcgi_param SERVER_NAME $http_host;
 fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
 fastcgi_keep_conn on;
+fastcgi_cache_background_update on;
+fastcgi_read_timeout 30s;
--- a/templates/nginx/conf.d/upstream.conf
+++ b/templates/nginx/conf.d/upstream.conf
@ -4,6 +4,5 @@ upstream php {
 	server 127.0.0.1:9000;
 }
 upstream debug {
-	# Debug Pool
 	server 127.0.0.1:9001;
 }
--- a/templates/nginx/nginx.conf
+++ b/templates/nginx/nginx.conf
@ -17,22 +17,27 @@ http {
 	sendfile on;
 	tcp_nopush on;
 	tcp_nodelay on;
-	
-	keepalive_timeout 20;
-	send_timeout 20;
-	types_hash_max_size 2048;
 	server_tokens off;
 	reset_timedout_connection on;
-	limit_req_status 403;
-	limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
-	fastcgi_read_timeout 300;
+	
+	send_timeout 15;
+	keepalive_timeout 15;
+	
 	client_body_buffer_size 128k;
 	client_max_body_size 100m;
-	open_file_cache max=30000 inactive=1m;
+	client_body_timeout 15;
+	client_header_timeout 15;
+	
 	open_file_cache_valid 3m;
+	open_file_cache max=30000 inactive=1m;
+	
+	types_hash_max_size 2048;
 	# server_names_hash_bucket_size 64;
 	# server_name_in_redirect off;

+	limit_req_status 403;
+	limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
+	
 	include /etc/nginx/mime.types;
 	include common/headers-http.conf;
 	default_type application/octet-stream;
@ -41,12 +46,13 @@ http {
 	# SSL Settings
 	##

-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 	ssl_session_timeout 10m;
 	ssl_session_cache shared:SSL:20m;
 	ssl_dhparam /etc/ssl/dhparam.pem;
+	ssl_ecdh_curve prime256v1:secp384r1:secp521r1;
 	ssl_prefer_server_ciphers on;
-	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT;
+	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT';

 	##
 	# Logging Settings
@ -55,6 +61,8 @@ http {
 	access_log /var/log/nginx/access.log;
 	error_log /var/log/nginx/error.log;
 	
+	open_log_file_cache max=1000 inactive=30s valid=1m;
+	
 	log_format we_log '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] '
 	'$http_host "$request" $status $body_bytes_sent '
 	'"$http_referer" "$http_user_agent"';
--- a/templates/template-site-php
+++ b/templates/template-site-php
@ -1,4 +1,5 @@

+# WebinolyNginxServerStart
 server {
 	listen 80;
 	listen [::]:80;
@ -16,5 +17,6 @@ server {
 	include common/locations.conf;
 	include common/headers-http.conf;
 	include common/headers-html.conf;
-	#include /var/www/domain.com/conf/nginx/*.conf;
+	include /var/www/domain.com/*-nginx.conf;
 }
+# WebinolyNginxServerEnd