Uriel29 · January 20, 2016 16:09
diff --git a/JoomlaNginx.conf b/JoomlaNginx.conf
 server {
 	######################################################################
 	## The Master .htaccess - NginX adaptation
 	##
 	## Version 3.3
 	##
 	## This file is designed to be the template NginX server configuration file
 	## for your Joomla! sites. You should go through all of its sections and
 	## modify it to match your site. Most notably, all instances of example.com
 	## and example\.com should be replaced with your real domain name.
 	##
 	## Some sections are too picky and may cause problems with legitimate requests.
 	## You are ultimately responsible for disabling them or writing exception rules
 	## for your requests. Most notably, the advanced server protection section will
 	## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
 	## sions which use non-standard scripts as their entry points. You must add
 	## exceptions for them manually.
 	##
 	## Some sections - depending on your server configuration - may cause your site
 	## to throw 500 Internal Server Error. The only way to figure out which one is
 	## causing it is trial and error.
 	##
 	## This is an adaptation of my Master .htaccess, a similar file which
 	## I have designed for Apache-based servers. This adaptation would not
 	## be possible without all the wonderful people who helped me write and
 	## test the original Master .htaccess, the Joomla! project which now
 	## recommends it in its official documentation wiki and the thousands
 	## of Admin Tools Professional subscribers who provided invaluable
 	## feedback on the Master .htaccess' performance across different servers.
 	##
 	## Have fun, stay safe.
 	##
 	## Nicholas K. Dionysopoulos
 	## Lead Developer, AkeebaBackup.com
 	##
 	######################################################################

 	######################################################################
 	## Basic server setup. Change to match YOUR system!
 	######################################################################
 	# -- Basic configuration
 	# ---- Port to listen to. For SSL sites change this to 443.
 	listen 80;

 	# ---- Domain name(s) of this site, separated by commas
 	server_name www.example.com example.com www.example.org example.org;
 	server_name_in_redirect off;

 	# ---- Site root path
 	root /usr/share/nginx/html/directory files site;
 	index index.php index.html index.htm default.html default.htm;
 	# Suporte a URLs amigaveis
 	location / {
 		try_files $uri $uri/ /index.php?$args;
 	}

 	# ---- Path to the access log
 	access_log /var/log/nginx/access.log;

 	# ---- Path to the error log
 	error_log /var/log/nginx/error.log;

 	# ---- Custom error pages. Each error page is four lines. The first one
 	#      defines which page will be shown for each error code. The next
 	#      three lines make sure that the error page cannot be accessed
 	#      directly over the web.
 	error_page 404 /errors/404.html;
 	location  /errors/404.html {
 		internal;
 	}

 	error_page 500 /errors/500.html;
 	location  /errors/500.html {
 		internal;
 	}

 	error_page 403 /errors/403.html;
 	location  /errors/403.html {
 		internal;
 	}

 	# if have fastcgi on
 	location ~ \.php$ {

 		fastcgi_index index.php;
 		include fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html/site$fastcgi_script_name;
 		fastcgi_pass 127.0.0.1:9000;

 		# Don't cache if our headers (or cookie) are present
 		proxy_no_cache $upstream_http_x_dont_cache_me $cookie_jnocache;
 		proxy_cache_bypass $upstream_http_x_dont_cache_me $cookie_jnocache  $http_pragma $http_authorization $cookie_nocache $arg_nocache;
 		# Ignore the standard no-cache headers - these will still be sent to the browser
 		proxy_ignore_headers X-Accel-Expires Expires Cache-Control;

 		# Don't send our custom header to the browser
 		proxy_hide_header X-Dont-Cache-Me;

 		# This next line is important if we're planning on caching for more than one site on the server
 		proxy_cache_key "$scheme$host$request_uri";

 		# Set cache key to include identifying components


 		fastcgi_ignore_headers Cache-Control Expires;
 		fastcgi_pass_header Set-Cookie;
 		fastcgi_pass_header Cookie;

 		## Add a cache miss/hit status header.
 		add_header X-Micro-Cache $upstream_cache_status;

 		## To avoid any interaction with the cache control headers we expire
 		## everything on this location immediately.
 		expires epoch;

 		## Cache locking mechanism for protecting the backend of too many
 		## simultaneous requests.
 	}



 	######################################################################
 	## SSL Configuration
 	##
 	## Only use this block if you are setting up the SSL (HTTPS) server
 	## definition of your site.
 	######################################################################
 	ssl on;
 	ssl_certificate /etc/ssl/localcerts/webserver.pem;
 	ssl_certificate_key /etc/ssl/localcerts/webserver.key;

 	ssl_session_timeout 5m;

 	ssl_protocols SSLv3 TLSv1;
 	ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
 	ssl_prefer_server_ciphers on;

 	######################################################################
 	## The Kitchen Sink - An array of useful and performance-tuning options
 	######################################################################
 	# -- Timeout handling, see http://wiki.nginx.org/HttpCoreModule
 	client_header_timeout 10;
 	client_body_timeout   10;
 	send_timeout          30;
 	keepalive_timeout     40 20;

 	# -- Socket settings, see http://wiki.nginx.org/HttpCoreModule
 	connection_pool_size        8192;
 	client_header_buffer_size   4k;
 	large_client_header_buffers 8 8k;
 	request_pool_size           8k;

 	# -- Performance, see http://wiki.nginx.org/HttpCoreModule
 	sendfile on;
 	sendfile_max_chunk 1m;
 	postpone_output 0;
 	tcp_nopush on;
 	tcp_nodelay off;

 	# -- Output buffering, see http://wiki.nginx.org/HttpCoreModule
 	output_buffers 8 32k;

 	# -- Character encoding, see http://wiki.nginx.org/HttpCharsetModule
 	charset                 utf-8;
 	source_charset          utf-8;

 	# -- Security options, see http://wiki.nginx.org/HttpCoreModule
 	server_name_in_redirect off;
 	server_tokens off;
 	ignore_invalid_headers on;
 	# You may have to comment out the next line on multi-site installations
 	disable_symlinks if_not_owner;

 	######################################################################
 	## Redirect non-www to www
 	##
 	## If you enable this, disable the "Redirect www to non-www" below!
 	######################################################################
 	if ($host = 'example.com' ) {
 		rewrite ^/(.*)$ http://www.example.com/$1 permanent;
 	}

 	######################################################################
 	## Redirect www to non-www
 	##
 	## If you enable this, disable the "Redirect non-www to www" above!
 	######################################################################
 	if ($host = 'www.example.com' ) {
 		rewrite ^/(.*)$ http://example.com/$1 permanent;
 	}

 	######################################################################
 	## Redirect example.org to example.com
 	##
 	## Your server_name must include both the old and new domain names!
 	######################################################################
 	if ($host ~ "(www\.)?example.org$" ) {
 		rewrite ^/(.*)$ http://www.example.com/$1 permanent;
 	}

 	######################################################################
 	## CloudFlare support - see http://wiki.nginx.org/NginxHttpRealIpModule
 	## Comment out if you are not using the CloudFlare CDN
 	######################################################################
 	set_real_ip_from 204.93.240.0/24;
 	set_real_ip_from 204.93.177.0/24;
 	set_real_ip_from 199.27.128.0/21;
 	set_real_ip_from 173.245.48.0/20;
 	set_real_ip_from 103.22.200.0/22;
 	set_real_ip_from 141.101.64.0/18;
 	set_real_ip_from 108.162.192.0/18;
 	set_real_ip_from 190.93.240.0/20;
 	real_ip_header CF-Connecting-IP;

 	######################################################################
 	## Directory indices
 	## Forces index.php to be read before the index.htm(l) files
 	######################################################################
 	index index.php index.html index.htm;

 	######################################################################
 	## Status page - DISABLE THIS ON LIVE SITES!
 	######################################################################
 	location /nginx_status {
 		stub_status on;
 		access_log   off;
 		# Remember to change this to your PC's IP address
 		allow 192.168.0.1;
 	}

 	######################################################################
 	## Google Apps redirection
 	## This also shows how to redirect a directory to an external server
 	######################################################################
 	location ~* /mail {
 		rewrite ^ http://mail.google.com/a/example.com permanent;
 	}

 	######################################################################
 	## Block some common exploits
 	######################################################################
 	set $common_exploit 0;
 	if ($query_string ~ "proc/self/environ") {
 		set $common_exploit 1;
 	}
 	if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
 		set $common_exploit 1;
 	}
 	if ($query_string ~ "base64_(en|de)code\(.*\)") {
 		set $common_exploit 1;
 	}
 	if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
 		set $common_exploit 1;
 	}
 	if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
 		set $common_exploit 1;
 	}
 	if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
 		set $common_exploit 1;
 	}
 	if ($common_exploit = 1) {
 		return 403;
 	}

 	######################################################################
 	## File injection protection
 	######################################################################
 	set $file_injection 0;
 	if ($query_string ~ "[a-zA-Z0-9_]=http://") {
 		set $file_injection 1;
 	}
 	if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
 		set $file_injection 1;
 	}
 	if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
 		set $file_injection 1;
 	}
 	if ($file_injection = 1) {
 		return 403;
 	}

 	######################################################################
 	## SQL injection first line of defence (NOT comprehensive!)
 	######################################################################
 	set $sql_injection 0;
 	if ($query_string ~ "concat.*\(") {
 		set $sql_injection 1;
 	}
 	if ($query_string ~ "union.*select.*\(") {
 		set $sql_injection 1;
 	}
 	if ($query_string ~ "union.*all.*select.*") {
 		set $sql_injection 1;
 	}
 	if ($sql_injection = 1) {
 		return 403;
 	}

 	######################################################################
 	## Basic anti-spam
 	######################################################################
 	set $looks_like_spam 0;
 	if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
 		set $looks_like_spam 1;
 	}
 	if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
 		set $looks_like_spam 1;
 	}
 	if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
 		set $looks_like_spam 1;
 	}
 	if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
 		set $looks_like_spam 1;
 	}
 	if ($looks_like_spam = 1) {
 		return 403;
 	}

 	######################################################################
 	## Advanced server protection rules exceptions
 	##
 	## You will DEFINITELY need to add exceptions for a lot of extensions
 	## to work. Yeah, I have to write an illustrated guide at some point.
 	## However, if you can use Firebug or Google Chrome Web Developer
 	## window then you can find out the exceptions all by yourself. Use the
 	## following as a guide.
 	######################################################################
 	# Allow direct access to a specific PHP file
 	#location = /tmp/test.php {
 		#	fastcgi_pass $fastcgi_pass;
 		#	break;
 		#}

 		# Allow direct access to a specific static (non-PHP) file
 		#location = /administrator/test.png {
 			#	break;
 			#}


 			######################################################################
 			## Server protection
 			##
 			## Nothing on my site runs unless I say so!
 			######################################################################
 			# Allow media files in select back-end directories
 			location ~* ^/administrator/(components|modules|templates|images)/.*.(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|ico|mpe(eg?[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov|ttf|woff|eot|JPG|JPEG|PNG|GIF|CSS|JS|TTF|WOFF|EOT)$ {
 				break;
 			}

 			# Allow media files in select front-end directories
 			location ~* ^/(components|modules|templates|images|plugins|media|includes/js)/.*.(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|ico|mpe(eg?[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov|ttf|woff|eot|JPG|JPEG|PNG|GIF|CSS|JS|TTF|WOFF|EOT)$ {
 				break;
 			}

 			# Allow access to the front-end index.php file
 			location = / {
 				try_files $uri $uri/ /index.php?q=$uri&$args;
 			}
 			location = /index.php {
 				fastcgi_pass $fastcgi_pass;
 				break;
 			}

 			# Allow access to the back-end index.php file
 			location = /administrator {
 				rewrite ^ /administrator/index.php last;
 			}
 			location = /administrator/ {
 				rewrite ^ /administrator/index.php last;
 			}
 			location = /administrator/index.php {
 				fastcgi_pass $fastcgi_pass;
 				break;
 			}

 			# Disable access to everything else.
 			#if need especify use:
 			#location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$
 			location ~* /.*$ {
 				# If it is a file, directory or symlink and I haven't deliberetaly
 				# enabled access to it, forbid any access to it!
 				if (-e $request_filename) {
 					return 403;
 				}
 				# In any other case, just treat as a SEF URL
 				try_files $uri $uri/ /index.php?q=$uri&$args;
 			}

 			######################################################################
 			## PHP Setup
 			######################################################################
 			include fastcgi_params;
 			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 			set $fastcgi_pass "unix:/var/run/php5-fpm-web.sock";
 			location ~ index.php$ {
 				fastcgi_pass $fastcgi_pass;
 			}

 			######################################################################
 			## Expiration control
 			##
 			## Optimises the expiration time
 			######################################################################
 			# CSS and JavaScript : 1 week
 			location ~* \.(css|js)$ {
 				expires 1w;
 				add_header  Cache-Control public;
 			}

 			# Image files : 1 month
 			location ~* \.(bmp|gif|jpg|jpeg|jp2|png|svg|tif|tiff|ico|wbmp|wbxml|smil)$ {
 				expires 1y;
 			}

 			# Document files : 1 month
 			location ~* \.(pdf|txt|xml|flv)$ {
 				expires 1y;
 			}

 			# Audio files : 1 month
 			location ~* \.(mid|midi|mp3|m4a|m4r|aif|aiff|ra|wav|voc|ogg)$ {
 				expires 1y;
 			}

 			# Video files : 1 month
 			location ~* \.(swf|vrml|avi|mkv|mpg|mpeg|mp4|m4v|mov|asf)$ {
 				expires 1y;
 			}

 			######################################################################
 			## User agent blocking
 			##
 			## Disables access to your site by user agent. Useful to block some
 			## bandwidth hoggers.
 			######################################################################
 			set $bad_ua 0;

 			# This also disables Akeeba Remote Control 2.5 and earlier
 			if ($http_user_agent ~ "Indy Library") {
 				set $bad_ua 1;
 			}

 			# Disabling Wget will also block the most common method to run CRON jobs
 			if ($http_user_agent ~ "Wget") {
 				set $bad_ua 1;
 			}

 			# Common bandwidth hoggers and hacking tools. Each rule is three lines, beginning with "if"
 			if ($http_user_agent ~ "libwww-perl") {
 				set $bad_ua 1;
 			}
 			if ($http_user_agent ~ "Download Demon") {
 				set $bad_ua 1;
 			}
 			if ($http_user_agent ~ "GetRight") {
 				set $bad_ua 1;
 			}
 			if ($http_user_agent ~ "GetWeb!") {
 				set $bad_ua 1;
 			}
 			if ($http_user_agent ~ "Go!Zilla") {
 				set $bad_ua 1;
 			}
 			if ($http_user_agent ~ "Go-Ahead-Got-It") {
 				set $bad_ua 1;
 			}
 			if ($http_user_agent ~ "GrabNet") {
 				set $bad_ua 1;
 			}
 			if ($http_user_agent ~ "TurnitinBot") {
 				set $bad_ua 1;
 			}

 			# If you enable any of the above don't remove this. It's what blocks
 			# the bad user agents!
 			if ($bad_ua = 1) {
 				return 403;
 			}

 			######################################################################
 			## Automatic compression of static resources
 			## Compress text, html, javascript, css, xml and other static resources
 			## May kill access to your site for old versions of Internet Explorer
 			######################################################################
 			gzip                    on;
 			gzip_http_version       1.1;
 			gzip_vary               on;
 			gzip_comp_level 6;
 			gzip_proxied    any;
 			#gzip_min_length 1100;
 			gzip_types      text/plain text/html text/xml text/css application/xml application/xhtml+xml application/xml+rss application/rss+xml application/x-javascript application/javascript text/javascript;
 			gzip_buffers    16 8k;

 			fastcgi_buffers 8 16k;
 			fastcgi_buffer_size 32k;
 			fastcgi_read_timeout 300;
 			fastcgi_send_timeout 300;

 			# Desabilita o gzip para alguns navegadores
 			gzip_disable    "MSIE [1-6].(?!.*SV1)";

 			client_header_timeout 60;
 			#client_header_buffer_size 1k;
 			#send_timeout 20;

 			location = /robots.txt {
 				allow all;
 				log_not_found off;
 				access_log off;
 			}
 		}
	server {
	######################################################################
	## The Master .htaccess - NginX adaptation
	##
	## Version 3.3
	##
	## This file is designed to be the template NginX server configuration file
	## for your Joomla! sites. You should go through all of its sections and
	## modify it to match your site. Most notably, all instances of example.com
	## and example\.com should be replaced with your real domain name.
	##
	## Some sections are too picky and may cause problems with legitimate requests.
	## You are ultimately responsible for disabling them or writing exception rules
	## for your requests. Most notably, the advanced server protection section will
	## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
	## sions which use non-standard scripts as their entry points. You must add
	## exceptions for them manually.
	##
	## Some sections - depending on your server configuration - may cause your site
	## to throw 500 Internal Server Error. The only way to figure out which one is
	## causing it is trial and error.
	##
	## This is an adaptation of my Master .htaccess, a similar file which
	## I have designed for Apache-based servers. This adaptation would not
	## be possible without all the wonderful people who helped me write and
	## test the original Master .htaccess, the Joomla! project which now
	## recommends it in its official documentation wiki and the thousands
	## of Admin Tools Professional subscribers who provided invaluable
	## feedback on the Master .htaccess' performance across different servers.
	##
	## Have fun, stay safe.
	##
	## Nicholas K. Dionysopoulos
	## Lead Developer, AkeebaBackup.com
	##
	######################################################################

	######################################################################
	## Basic server setup. Change to match YOUR system!
	######################################################################
	# -- Basic configuration
	# ---- Port to listen to. For SSL sites change this to 443.
	listen 80;

	# ---- Domain name(s) of this site, separated by commas
	server_name www.example.com example.com www.example.org example.org;
	server_name_in_redirect off;

	# ---- Site root path
	root /usr/share/nginx/html/directory files site;
	index index.php index.html index.htm default.html default.htm;
	# Suporte a URLs amigaveis
	location / {
	try_files $uri $uri/ /index.php?$args;
	}

	# ---- Path to the access log
	access_log /var/log/nginx/access.log;

	# ---- Path to the error log
	error_log /var/log/nginx/error.log;

	# ---- Custom error pages. Each error page is four lines. The first one
	# defines which page will be shown for each error code. The next
	# three lines make sure that the error page cannot be accessed
	# directly over the web.
	error_page 404 /errors/404.html;
	location /errors/404.html {
	internal;
	}

	error_page 500 /errors/500.html;
	location /errors/500.html {
	internal;
	}

	error_page 403 /errors/403.html;
	location /errors/403.html {
	internal;
	}

	# if have fastcgi on
	location ~ \.php$ {

	fastcgi_index index.php;
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html/site$fastcgi_script_name;
	fastcgi_pass 127.0.0.1:9000;

	# Don't cache if our headers (or cookie) are present
	proxy_no_cache $upstream_http_x_dont_cache_me $cookie_jnocache;
	proxy_cache_bypass $upstream_http_x_dont_cache_me $cookie_jnocache $http_pragma $http_authorization $cookie_nocache $arg_nocache;
	# Ignore the standard no-cache headers - these will still be sent to the browser
	proxy_ignore_headers X-Accel-Expires Expires Cache-Control;

	# Don't send our custom header to the browser
	proxy_hide_header X-Dont-Cache-Me;

	# This next line is important if we're planning on caching for more than one site on the server
	proxy_cache_key "$scheme$host$request_uri";

	# Set cache key to include identifying components


	fastcgi_ignore_headers Cache-Control Expires;
	fastcgi_pass_header Set-Cookie;
	fastcgi_pass_header Cookie;

	## Add a cache miss/hit status header.
	add_header X-Micro-Cache $upstream_cache_status;

	## To avoid any interaction with the cache control headers we expire
	## everything on this location immediately.
	expires epoch;

	## Cache locking mechanism for protecting the backend of too many
	## simultaneous requests.
	}



	######################################################################
	## SSL Configuration
	##
	## Only use this block if you are setting up the SSL (HTTPS) server
	## definition of your site.
	######################################################################
	ssl on;
	ssl_certificate /etc/ssl/localcerts/webserver.pem;
	ssl_certificate_key /etc/ssl/localcerts/webserver.key;

	ssl_session_timeout 5m;

	ssl_protocols SSLv3 TLSv1;
	ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
	ssl_prefer_server_ciphers on;

	######################################################################
	## The Kitchen Sink - An array of useful and performance-tuning options
	######################################################################
	# -- Timeout handling, see http://wiki.nginx.org/HttpCoreModule
	client_header_timeout 10;
	client_body_timeout 10;
	send_timeout 30;
	keepalive_timeout 40 20;

	# -- Socket settings, see http://wiki.nginx.org/HttpCoreModule
	connection_pool_size 8192;
	client_header_buffer_size 4k;
	large_client_header_buffers 8 8k;
	request_pool_size 8k;

	# -- Performance, see http://wiki.nginx.org/HttpCoreModule
	sendfile on;
	sendfile_max_chunk 1m;
	postpone_output 0;
	tcp_nopush on;
	tcp_nodelay off;

	# -- Output buffering, see http://wiki.nginx.org/HttpCoreModule
	output_buffers 8 32k;

	# -- Character encoding, see http://wiki.nginx.org/HttpCharsetModule
	charset utf-8;
	source_charset utf-8;

	# -- Security options, see http://wiki.nginx.org/HttpCoreModule
	server_name_in_redirect off;
	server_tokens off;
	ignore_invalid_headers on;
	# You may have to comment out the next line on multi-site installations
	disable_symlinks if_not_owner;

	######################################################################
	## Redirect non-www to www
	##
	## If you enable this, disable the "Redirect www to non-www" below!
	######################################################################
	if ($host = 'example.com' ) {
	rewrite ^/(.*)$ http://www.example.com/$1 permanent;
	}

	######################################################################
	## Redirect www to non-www
	##
	## If you enable this, disable the "Redirect non-www to www" above!
	######################################################################
	if ($host = 'www.example.com' ) {
	rewrite ^/(.*)$ http://example.com/$1 permanent;
	}

	######################################################################
	## Redirect example.org to example.com
	##
	## Your server_name must include both the old and new domain names!
	######################################################################
	if ($host ~ "(www\.)?example.org$" ) {
	rewrite ^/(.*)$ http://www.example.com/$1 permanent;
	}

	######################################################################
	## CloudFlare support - see http://wiki.nginx.org/NginxHttpRealIpModule
	## Comment out if you are not using the CloudFlare CDN
	######################################################################
	set_real_ip_from 204.93.240.0/24;
	set_real_ip_from 204.93.177.0/24;
	set_real_ip_from 199.27.128.0/21;
	set_real_ip_from 173.245.48.0/20;
	set_real_ip_from 103.22.200.0/22;
	set_real_ip_from 141.101.64.0/18;
	set_real_ip_from 108.162.192.0/18;
	set_real_ip_from 190.93.240.0/20;
	real_ip_header CF-Connecting-IP;

	######################################################################
	## Directory indices
	## Forces index.php to be read before the index.htm(l) files
	######################################################################
	index index.php index.html index.htm;

	######################################################################
	## Status page - DISABLE THIS ON LIVE SITES!
	######################################################################
	location /nginx_status {
	stub_status on;
	access_log off;
	# Remember to change this to your PC's IP address
	allow 192.168.0.1;
	}

	######################################################################
	## Google Apps redirection
	## This also shows how to redirect a directory to an external server
	######################################################################
	location ~* /mail {
	rewrite ^ http://mail.google.com/a/example.com permanent;
	}

	######################################################################
	## Block some common exploits
	######################################################################
	set $common_exploit 0;
	if ($query_string ~ "proc/self/environ") {
	set $common_exploit 1;
	}
	if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=\|\%3D)") {
	set $common_exploit 1;
	}
	if ($query_string ~ "base64_(en\|de)code\(.*\)") {
	set $common_exploit 1;
	}
	if ($query_string ~ "(<\|%3C).script.(>\|%3E)") {
	set $common_exploit 1;
	}
	if ($query_string ~ "GLOBALS(=\|\[\|\%[0-9A-Z]{0,2})") {
	set $common_exploit 1;
	}
	if ($query_string ~ "_REQUEST(=\|\[\|\%[0-9A-Z]{0,2})") {
	set $common_exploit 1;
	}
	if ($common_exploit = 1) {
	return 403;
	}

	######################################################################
	## File injection protection
	######################################################################
	set $file_injection 0;
	if ($query_string ~ "[a-zA-Z0-9_]=http://") {
	set $file_injection 1;
	}
	if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
	set $file_injection 1;
	}
	if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
	set $file_injection 1;
	}
	if ($file_injection = 1) {
	return 403;
	}

	######################################################################
	## SQL injection first line of defence (NOT comprehensive!)
	######################################################################
	set $sql_injection 0;
	if ($query_string ~ "concat.*\(") {
	set $sql_injection 1;
	}
	if ($query_string ~ "union.select.\(") {
	set $sql_injection 1;
	}
	if ($query_string ~ "union.all.select.*") {
	set $sql_injection 1;
	}
	if ($sql_injection = 1) {
	return 403;
	}

	######################################################################
	## Basic anti-spam
	######################################################################
	set $looks_like_spam 0;
	if ($query_string ~ "\b(ambien\|blue\spill\|cialis\|cocaine\|ejaculation\|erectile)\b") {
	set $looks_like_spam 1;
	}
	if ($query_string ~ "\b(erections\|hoodia\|huronriveracres\|impotence\|levitra\|libido)\b") {
	set $looks_like_spam 1;
	}
	if ($query_string ~ "\b(lipitor\|phentermin\|pro[sz]ac\|sandyauer\|tramadol\|troyhamby)\b") {
	set $looks_like_spam 1;
	}
	if ($query_string ~ "\b(ultram\|unicauca\|valium\|viagra\|vicodin\|xanax\|ypxaieo)\b") {
	set $looks_like_spam 1;
	}
	if ($looks_like_spam = 1) {
	return 403;
	}

	######################################################################
	## Advanced server protection rules exceptions
	##
	## You will DEFINITELY need to add exceptions for a lot of extensions
	## to work. Yeah, I have to write an illustrated guide at some point.
	## However, if you can use Firebug or Google Chrome Web Developer
	## window then you can find out the exceptions all by yourself. Use the
	## following as a guide.
	######################################################################
	# Allow direct access to a specific PHP file
	#location = /tmp/test.php {
	# fastcgi_pass $fastcgi_pass;
	# break;
	#}

	# Allow direct access to a specific static (non-PHP) file
	#location = /administrator/test.png {
	# break;
	#}


	######################################################################
	## Server protection
	##
	## Nothing on my site runs unless I say so!
	######################################################################
	# Allow media files in select back-end directories
	location ~* ^/administrator/(components\|modules\|templates\|images)/.*.(jp(e?g\|2)?\|png\|gif\|bmp\|css\|js\|swf\|html?\|ico\|mpe(eg?[34])\|avi\|wav\|og[gv]\|xlsx?\|docx?\|pptx?\|zip\|rar\|pdf\|xps\|txt\|7z\|svg\|od[tsp]\|flv\|mov\|ttf\|woff\|eot\|JPG\|JPEG\|PNG\|GIF\|CSS\|JS\|TTF\|WOFF\|EOT)$ {
	break;
	}

	# Allow media files in select front-end directories
	location ~* ^/(components\|modules\|templates\|images\|plugins\|media\|includes/js)/.*.(jp(e?g\|2)?\|png\|gif\|bmp\|css\|js\|swf\|html?\|ico\|mpe(eg?[34])\|avi\|wav\|og[gv]\|xlsx?\|docx?\|pptx?\|zip\|rar\|pdf\|xps\|txt\|7z\|svg\|od[tsp]\|flv\|mov\|ttf\|woff\|eot\|JPG\|JPEG\|PNG\|GIF\|CSS\|JS\|TTF\|WOFF\|EOT)$ {
	break;
	}

	# Allow access to the front-end index.php file
	location = / {
	try_files $uri $uri/ /index.php?q=$uri&$args;
	}
	location = /index.php {
	fastcgi_pass $fastcgi_pass;
	break;
	}

	# Allow access to the back-end index.php file
	location = /administrator {
	rewrite ^ /administrator/index.php last;
	}
	location = /administrator/ {
	rewrite ^ /administrator/index.php last;
	}
	location = /administrator/index.php {
	fastcgi_pass $fastcgi_pass;
	break;
	}

	# Disable access to everything else.
	#if need especify use:
	#location ~* /(images\|cache\|media\|logs\|tmp)/.*\.(php\|pl\|py\|jsp\|asp\|sh\|cgi)$
	location ~* /.*$ {
	# If it is a file, directory or symlink and I haven't deliberetaly
	# enabled access to it, forbid any access to it!
	if (-e $request_filename) {
	return 403;
	}
	# In any other case, just treat as a SEF URL
	try_files $uri $uri/ /index.php?q=$uri&$args;
	}

	######################################################################
	## PHP Setup
	######################################################################
	include fastcgi_params;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	set $fastcgi_pass "unix:/var/run/php5-fpm-web.sock";
	location ~ index.php$ {
	fastcgi_pass $fastcgi_pass;
	}

	######################################################################
	## Expiration control
	##
	## Optimises the expiration time
	######################################################################
	# CSS and JavaScript : 1 week
	location ~* \.(css\|js)$ {
	expires 1w;
	add_header Cache-Control public;
	}

	# Image files : 1 month
	location ~* \.(bmp\|gif\|jpg\|jpeg\|jp2\|png\|svg\|tif\|tiff\|ico\|wbmp\|wbxml\|smil)$ {
	expires 1y;
	}

	# Document files : 1 month
	location ~* \.(pdf\|txt\|xml\|flv)$ {
	expires 1y;
	}

	# Audio files : 1 month
	location ~* \.(mid\|midi\|mp3\|m4a\|m4r\|aif\|aiff\|ra\|wav\|voc\|ogg)$ {
	expires 1y;
	}

	# Video files : 1 month
	location ~* \.(swf\|vrml\|avi\|mkv\|mpg\|mpeg\|mp4\|m4v\|mov\|asf)$ {
	expires 1y;
	}

	######################################################################
	## User agent blocking
	##
	## Disables access to your site by user agent. Useful to block some
	## bandwidth hoggers.
	######################################################################
	set $bad_ua 0;

	# This also disables Akeeba Remote Control 2.5 and earlier
	if ($http_user_agent ~ "Indy Library") {
	set $bad_ua 1;
	}

	# Disabling Wget will also block the most common method to run CRON jobs
	if ($http_user_agent ~ "Wget") {
	set $bad_ua 1;
	}

	# Common bandwidth hoggers and hacking tools. Each rule is three lines, beginning with "if"
	if ($http_user_agent ~ "libwww-perl") {
	set $bad_ua 1;
	}
	if ($http_user_agent ~ "Download Demon") {
	set $bad_ua 1;
	}
	if ($http_user_agent ~ "GetRight") {
	set $bad_ua 1;
	}
	if ($http_user_agent ~ "GetWeb!") {
	set $bad_ua 1;
	}
	if ($http_user_agent ~ "Go!Zilla") {
	set $bad_ua 1;
	}
	if ($http_user_agent ~ "Go-Ahead-Got-It") {
	set $bad_ua 1;
	}
	if ($http_user_agent ~ "GrabNet") {
	set $bad_ua 1;
	}
	if ($http_user_agent ~ "TurnitinBot") {
	set $bad_ua 1;
	}

	# If you enable any of the above don't remove this. It's what blocks
	# the bad user agents!
	if ($bad_ua = 1) {
	return 403;
	}

	######################################################################
	## Automatic compression of static resources
	## Compress text, html, javascript, css, xml and other static resources
	## May kill access to your site for old versions of Internet Explorer
	######################################################################
	gzip on;
	gzip_http_version 1.1;
	gzip_vary on;
	gzip_comp_level 6;
	gzip_proxied any;
	#gzip_min_length 1100;
	gzip_types text/plain text/html text/xml text/css application/xml application/xhtml+xml application/xml+rss application/rss+xml application/x-javascript application/javascript text/javascript;
	gzip_buffers 16 8k;

	fastcgi_buffers 8 16k;
	fastcgi_buffer_size 32k;
	fastcgi_read_timeout 300;
	fastcgi_send_timeout 300;

	# Desabilita o gzip para alguns navegadores
	gzip_disable "MSIE [1-6].(?!.*SV1)";

	client_header_timeout 60;
	#client_header_buffer_size 1k;
	#send_timeout 20;

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}
	}